Moving Novell Identity Manager Active Directory Driver To Another AD Host

  • 7000882
  • 09-Jul-2008
  • 24-Jan-2020

Environment

Novell Identity Manager 3.5.1
Novell Identity Manager 3.6
NetIQ Identity Manager 4.0
NetIQ Identity Manager 4.0.1
NetIQ Identity Manager 4.0.2
NetIQ Identity Manager 4.5
Novell Identity Manager - Remote Loader
Novell Identity Manager Driver - Active Directory
Novell Identity Manager - Password Synchronization

Situation

I am using the Microsoft Active Directory (MAD) driver with password sync. I need to move the Remote Loader to another server. What is the process to move the driver?

Resolution

Option 1: Moving the remote loader instance from one DC/member server to another DC/member server and pointing the driver configuration to the new DC/member server.

1. Find a time when there are very few changes to the MAD environment. This is because you will lose any object changes in MAD from the time the original remote loader instance is stopped until the new remote loader instance is started. All eDir changes and MAD password changes during this period will be preserved.

2 . Install the remote loader on the new host. Configure an instance of the MAD driver including SSL certificates, passwords, etc..

3 . Stop the MAD driver and remote loader.

4. If the new Remote Loader machine was a configured Domain Controller for Password Synchronization previously then modify the following registry entry changing it from '0' to '1':

HKLM/Software/Novell/PassSync/Driver Machine

5. Launch the "Identity Manager PassSync" control panel applet. Select "Yes" to the prompt asking if this is the server where the MAD driver will run. Click "Add" and select the domain this remote loader instance will manage.

6. On all of the domain controllers change the following registry entry to point to the DNS name of the new remote loader server. No reboot will be required.

HKLM/Software/Novell/PWFilter/Host Names

7. Remove the "DirXML-DriverStorage:" attribute from the MAD driver object in eDirectory using the "other" tab in iManager. This will clear the high-water mark, which is domain controller specific.

8. Change the MAD driver configuration to point to the new remote loader instance and Authentication context if configured.

9. Start the MAD driver and remote loader instance.


Option 2: Moving the remote loader instance on a member server to another member server without changing the Domain Controller that is in the MAD driver configuration.(or from DC to Member Server)

1. Install the remote loader on the new host. Configure an instance of the MAD driver.

2 . Stop the MAD driver and remote loader.

3. Launch the "Identity Manager PassSync" control panel applet. Select "Yes" to the prompt asking if this is the server where the MAD driver will run. Click "Add" and select the domain this remote loader instance will manage.

4. On all of the domain controllers change the following registry key to point to the DNS name of the new remote loader server. No reboot will be required.

HKLM/Software/Novell/PWFilter/Host Names
 
Note: It is advisable to have only one entry for the Host Names key at any point of time.  If more than one entry is configured, make sure that a valid instance of the Remote Loader/AD Driver is configured on each of the hosts configured. If any of the hosts configured is not available, passwords will be cached for as long as the Time To Live has not expired.
 
5. Change the MAD driver configuration to point to the new remote loader instance.

6. Start the MAD driver and remote loader instance.

Additional Information

ADSI provides an operational property called ADS_DIRSYNC_COOKIE that provides the current high water mark in Active Directory, as a blob of binary data.

That binary blob is then base64 encoded so that it is possible to handle it in an XDS document, and store it in the DirXML-DriverStorage attribtue. When the driver restarts, this is then used to initiazlize the publisher with the blob value.

It is recommend to delete the DirXML-DriverStorage attribute when rolling to a new domain controller, or when domain controller is restored to make sure that there are no ambiguities about how the blob is handled in AD.

If the blob is presented to a different domain controller, or a domain controller after a restore operation has been applied, AD may elect to void the cookie and replay events from the beginning of time.

As this is not might not be what is wanted, therefor the recommendation to delete the driver state.

Deleting the DirXML-DriverStorage attribute will also cause the dirver to process all changes.