Planning Your Installation

You can install the Active Directory driver on either the domain controller or a member server. Before you start the driver installation, determine


Where To Install the Active Directory Driver and Shim

The Active Directory driver shim must run on one of the supported Windows platforms. However, you don't need to install the DirXML engine on this same machine. Using a Remote Loader, you can separate the engine and the driver shim, allowing you to balance the load on different machines or accommodate corporate directives.

The installation scenario you select determines how the driver shim is installed. If you choose to install the driver shim on the same machine as Identity Manager (where the DirXML engine and the Identity Vault are located), Identity Manager calls the driver shim directly. If you choose to install the driver shim on another machine, you must use the Remote Loader.

The driver itself is installed the same way in each of the scenarios. See Configuring the Active Directory Driver.


Scenario 1


All components are on one server

A single Windows domain controller can host the Identity Vault, the DirXML engine, and the driver.

This configuration works well for organizations that want to save on hardware costs. It is also the highest-performance configuration because there is no network traffic between Identity Manager and Active Directory.

However, hosting the Identity Vault and the DirXML engine on the domain controller increases the overall load on the controller and increases the risk that the controller might fail. Because domain controllers play a critical role in Microsoft networking, many organizations are more concerned about the speed of domain authentication and the risks associated with a domain controller failure than about the cost of additional hardware.


Scenario 2


Active Directory and the driver shim on separate servers

You can install the Identity Vault, the DirXML engine, and the driver on a separate computer from the Active Directory domain controller. This configuration leaves the domain controller free of any Identity Manager software.

This configuration is attractive if corporate policy disallows running the driver on your domain controller.


Scenario 3

You can install the Remote Loader and driver shim on the Active Directory domain controller, but install the Identity Vault and the DirXML engine on a separate server.


Active Directory, the Remote Loader, and driver shim on one server

This configuration is attractive if your Identity Vault and DirXML engine (Identity Manager) installations are on a platform other than one of the supported versions of Windows.

Both Scenario 2 and Scenario 3 configurations eliminate the performance impact of hosting the Identity Vault and the DirXML engine on the domain controller.


Scenario 4

If you have platform requirements and domain controller restrictions in place, you can use a three-server configuration.


Three-server configuration

This configuration is more complicated to set up, but it accommodates the constraints of some organizations. In this figure, the two Windows servers are member servers of the domain.