Environment
NetIQ Identity Manager 4.0
NetIQ Identity Manager 4.0.1
NetIQ Identity Manager 4.0.2
NetIQ Identity Manager 4.5
Situation
I am using the Microsoft Active Directory (MAD) driver with password sync. I need to move the Remote Loader to another server. What is the process to move the driver?
Resolution
Option 1: Moving the remote loader instance from one DC/member server to another DC/member server and pointing the driver configuration to the new DC/member server.
1. Find a time when there are very few changes to the MAD environment. This is because you will lose any object changes in MAD from the time the original remote loader instance is stopped until the new remote loader instance is started. All eDir changes and MAD password changes during this period will be preserved.
2. Install the remote loader on the new host. Configure an instance of the MAD driver including SSL certificates, passwords, etc.
3. Stop the MAD driver and remote loader.
4. If the new Remote Loader machine was previously a configured Domain Controller for Password Synchronization, then modify the following registry entry, changing it from '0' to '1':
HKLM/Software/Novell/PassSync/Driver Machine
5. Launch the "Identity Manager PassSync" control panel applet. Select "Yes" to the prompt asking if this is the server where the MAD driver will run. Click "Add" and select the domain this remote loader instance will manage.
6. On all of the domain controllers change the following registry entry to point to the DNS name of the new remote loader server. No reboot will be required.
HKLM/Software/Novell/PWFilter/Host Names
7. Remove the "DirXML-DriverStorage:" attribute from the MAD driver object in eDirectory using the "other" tab in iManager. This will clear the high-water mark, which is domain controller specific.
8. Change the MAD driver configuration to point to the new remote loader instance and Authentication context if configured.
9. Start the MAD driver and remote loader instance.
Option 2: Moving the remote loader instance on a member server to another member server without changing the Domain Controller that is in the MAD driver configuration (or from DC to Member Server).
1. Install the remote loader on the new host. Configure an instance of the MAD driver.
2. Stop the MAD driver and remote loader.
3. Launch the "Identity Manager PassSync" control panel applet. Select "Yes" to the prompt asking if this is the server where the MAD driver will run. Click "Add" and select the domain this remote loader instance will manage.
4. On all of the domain controllers change the following registry entry (the same entry as in Option 1, step 6) to point to the DNS name of the new remote loader server. No reboot will be required.
HKLM/Software/Novell/PWFilter/Host Names
5. Start the MAD driver and remote loader instance.
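Because the PWFilter change must be applied on every domain controller (Option 1, step 6; Option 2, step 4), a post-move check that no DC still points at the old Remote Loader host is worth running. The following PowerShell script is an added example, not part of the NetIQ article; it assumes that "Host Names" is a value under the key HKLM\SOFTWARE\Novell\PWFilter, that "Driver Machine" is a DWORD value under HKLM\SOFTWARE\Novell\PassSync, that the ActiveDirectory module is available, and that PowerShell remoting to the DCs is permitted.

```powershell
# Added example (not from the KB article): audit every domain controller's
# PWFilter "Host Names" entry after moving the Remote Loader and flag DCs that
# still point at the old host. Registry value names/types are assumptions.
param(
    [Parameter(Mandatory)] [string] $NewRemoteLoaderHost,   # DNS name of the new RL server
    [string] $OldRemoteLoaderHost = ''                       # optional: old RL server to flag
)

Import-Module ActiveDirectory

$pwFilterKey = 'HKLM:\SOFTWARE\Novell\PWFilter'   # assumed key holding "Host Names"
$passSyncKey = 'HKLM:\SOFTWARE\Novell\PassSync'   # assumed key holding "Driver Machine"

# Every DC in the domain must carry the updated Host Names entry.
$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $pw = Get-ItemProperty -Path $using:pwFilterKey -ErrorAction SilentlyContinue
    $ps = Get-ItemProperty -Path $using:passSyncKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC            = $env:COMPUTERNAME
        HostNames     = @($pw.'Host Names') -join ';'     # works for REG_SZ or REG_MULTI_SZ
        DriverMachine = $ps.'Driver Machine'              # expected 1 only on the DC running the RL
    }
}

foreach ($r in ($results | Sort-Object DC)) {
    $hosts = $r.HostNames -split ';'
    # -contains is case-insensitive, so DNS name casing does not matter here.
    $state = if ($hosts -contains $NewRemoteLoaderHost) { 'OK' }
             elseif ($OldRemoteLoaderHost -and ($hosts -contains $OldRemoteLoaderHost)) { 'STALE (old host)' }
             else { 'MISSING' }
    $flag = if ($r.DriverMachine -eq 1 -and $r.DC -ne ($NewRemoteLoaderHost -split '\.')[0]) {
        ' [Driver Machine=1 on a DC that is not the new RL host]' } else { '' }
    '{0,-30} {1,-18} HostNames={2}{3}' -f $r.DC, $state, $r.HostNames, $flag
}
```

Run it once after step 4 (Option 2) or step 6 (Option 1) and again after the driver is started; any DC reported as STALE or MISSING will keep sending password changes to the wrong host until its entry is corrected.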
Additional Information
The publisher's AD cookie (the high-water mark referred to in Option 1, step 7) is a binary blob. It is base64 encoded so that it can be handled in an XDS document and stored in the DirXML-DriverStorage attribute. When the driver restarts, this stored value is used to initialize the publisher with the blob.
It is recommended to delete the DirXML-DriverStorage attribute when rolling to a new domain controller, or when a domain controller is restored, to make sure that there are no ambiguities about how the blob is handled in AD.
If the blob is presented to a different domain controller, or to a domain controller after a restore operation has been applied, AD may elect to void the cookie and replay events from the beginning of time.
As this might not be what is wanted, the recommendation is to delete the driver state.
Deleting the DirXML-DriverStorage attribute will also cause the driver to process all changes again from the beginning.