Setting Up an Identity Manager Cluster on Windows

  • 3575742
  • 14-Sep-2006
  • 20-Jun-2012

Environment

Novell Identity Manager Nsure Identity Manager 2.0
Novell Identity Manager Identity Manager 3.0
Novell Identity Manager Remote Loader

Situation

This document presents the information required to configure eDirectory and Identity Manager for use in a Windows Cluster Services environment. This document assumes a working knowledge of Windows Cluster Services configuration and administration and a working knowledge of eDirectory and Identity Manager installation and configuration procedures.
eDirectory and Identity Manager store state and configuration information in files on an NTFS hard drive. In order to cluster Identity Manager, this state and configuration data must be shared between cluster nodes. Accordingly, the Windows Cluster Resource Group used to contain the eDirectory (or Remote Loader) service must contain a shared disk. In addition, the Resource Group must contain an IP address on which eDirectory and Identity Manager will respond to client requests.

Resolution

Clustering eDirectory and Identity Manager
The basic tasks which must be completed to cluster eDirectory and Identity Manager on Windows are:
  1. Install eDirectory and Identity Manager on the primary cluster node.
  2. Install eDirectory and Identity Manager on the other cluster nodes.
  3. Copy server-specific NICI data from the primary cluster node to the other cluster nodes.
  4. Configure the eDirectory service in the Cluster Resource Group.
The detailed steps required to install and configure Identity Manager for use with Windows Cluster Services follow:

Install the Software on the Cluster Primary Node

1 Create a Windows Cluster Resource Group containing a shared IP address and a shared disk.
2 On the primary node (the node currently hosting the target resource group) perform the following:

2.1 Execute the eDirectory installation program.
2.2 The installation program will install Licensing and NICI and will then reboot the server. The reboot will cause the cluster resource group to move to the other cluster server.
2.3 After the reboot completes, before continuing the eDirectory installation, move the cluster group back to the primary node.
2.4 Complete the eDirectory installation program noting the following:
  • Use [drive]:\Novell\NDS as the installation location where [drive] is the drive letter of the shared storage device.
  • Tree information: The cluster will either host a new tree or a server in an existing tree.
  • Name the eDirectory server something that reflects the cluster, rather than something that reflects only the current node name.
2.5 Install any current eDirectory patches.
2.6 Adjust the IP addresses on which eDirectory listens for connections, if desired.
2.7 After the eDirectory installation and configuration is complete install Identity Manager, including any current patches.

Install the Software on the Other Cluster Nodes

3 Move to each of the other cluster nodes and perform the following steps on each node:

3.1 Execute the eDirectory installation program.
3.2 Install eDirectory on the main drive (C:) and create a new, throwaway tree.
3.3 Install any current eDirectory patches.
3.4 Install Identity Manager and any current patches.
3.5 After the above installations are complete, open the Control Panel: Services application. Find the NDS Server entry and stop eDirectory. Change the service start type from automatic to manual.
3.6 Rename the directory %SystemRoot%\System32\Novell\NICI to %SystemRoot%\System32\Novell\NICI.sav

Copy Server-Specific NICI Data

4 Move to the primary cluster node and perform the following steps:

4.1 Take ownership of the %SystemRoot%\System32\Novell\NICI\system directory using the administrative account and grant Full Control rights to both the administrative account and the SYSTEM account. This is necessary to copy the directory in the following steps. (See the Changing Ownership and Permissions on the NICI System Directory section below, if necessary).
4.2 For each of the other cluster nodes perform the following:

4.2.1 Map a drive on the primary node to the secondary node's system drive (typically \\<machine_name>\c$).
4.2.2 Copy %SystemRoot%\System32\Novell\NICI from the primary node to the secondary node.
4.2.3 Change the permissions on the newly copied %SystemRoot%\System32\Novell\NICI\system directory to not inherit permissions and to grant the SYSTEM account Full Control rights. See Changing Permissions on the NICI System Directory After Copying section below, if necessary.
4.2.4 If desired, set the ownership and permissions of %SystemRoot%\System32\Novell\NICI\system to the SYSTEM account only. This isn't required for NICI functionality, but may be required by organization security policy.

4.3 If desired, set the ownership and permissions of %SystemRoot%\System32\Novell\NICI\system on the primary node back to the SYSTEM account.

Configure the eDirectory Service in the Cluster Resource Group

4.4 Stop the eDirectory service on the primary node.
4.5 Create a new Resource in the Resource Group to be used for eDirectory
  • Resource type: Generic Service.
  • Dependent on: IP address and shared disk in the Resource Group.
  • Service name: NDS Server0.
  • No start parameters.
  • Registry keys: SYSTEM\CurrentControlSet\Services\NDS Server0
4.6 Bring the new resource on line.
4.7 Verify that eDirectory is running correctly on the primary node.
4.8 Move the group to a secondary node and verify that eDirectory starts and runs correctly.

Clustering the Identity Manager Remote Loader
The basic tasks which must be completed to cluster the Identity Manager Remote Loader (and driver) on Windows are:
  1. Install and configure the Remote Loader and driver on the primary cluster node to the cluster shared drive.
  2. Install and configure the Remote Loader instance on the secondary node(s).
  3. Configure the Remote Loader service in the Cluster Resource Group.
The detailed steps required to install and configure the Remote Loader for use with Windows Cluster Services follow:

Install the Remote Loader on the Cluster Primary Node

1 Create a Windows Cluster Resource Group containing a shared IP address and a shared disk.
2 On the primary node (the node currently hosting the target resource group) perform the following:

2.1 Execute the Identity Manager installation program and install the Remote Loader and any drivers needed to [drive]:\Novell\RemoteLoader where [drive] is the drive letter of the shared storage device.
2.2 Execute the Remote Loader Console and configure the Remote Loader and driver as a service. Configure the Remote Loader to listen on the cluster shared IP address. Note the name of the Remote Loader configuration file.
2.3 Stop the Remote Loader service if it is running.

Install and Configure the Remote Loader on Other Cluster Nodes

3 For each of the other nodes in the cluster, perform the following steps:

3.1 Move the Cluster Resource Group to the cluster node.
3.2 Execute the Identity Manager installation program and install the Remote Loader and any drivers needed to [drive]:\Novell\RemoteLoader where [drive] is the drive letter of the shared storage device.
3.3 Open a command window and change directories to [drive]:\Novell\RemoteLoader.
3.4 Execute the following:

dirxml_remote -config <config_file> -service install

where <config_file> is the name of the configuration file created by the Remote Loader Console when the RL Console was executed on the primary node.

Configure the Remote Loader Service in the Cluster Resource Group

4 When finished installing on the other cluster nodes move the Cluster Resource Group back to the primary node.
5 On the primary node, perform the following steps:

5.1 Create a Resource in the Cluster Resource Group for the Remote Loader Service:
  • Resource type: Generic Service.
  • Dependent on: IP address and shared disk in the Resource Group.
  • Service name: DirXMLRemote<port>, where <port> is the command port number (defaults to 8000).
  • No start parameters.
  • Ensure the "Use Network Name for Computer Name" checkbox is selected.
  • Registry keys: Software\Novell\DirXML Remote Loader and Software\Novell\RLConsole.
5.2 Bring the new Resource on line.
5.3 Verify that the Remote Loader service starts correctly.

6 Move the Cluster Resource Group to each of the other cluster nodes and verify that the Remote Loader service starts correctly.
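The Generic Service resources from steps 4.5 and 5.1, created with the FailoverClusters PowerShell module instead of the cluster administration GUI (an added example, not part of this TID). It assumes Windows Server 2008 R2 or later, where these cmdlets exist (the clusters this article was written for used cluster.exe for the same operations), a cluster administrator session on a node, and placeholder names for the Resource Group and its IP address and shared-disk resources.

```powershell
# Added example, not from the TID. Placeholder names: 'IDM Group', 'IDM IP Address', 'Disk E:'.
Import-Module FailoverClusters

function New-ClusteredGenericService {
    param(
        [string]$Group,           # Cluster Resource Group holding the shared IP and disk
        [string]$Name,            # display name of the new cluster resource
        [string]$ServiceName,     # Windows service name, e.g. 'NDS Server0'
        [string[]]$DependsOn,     # IP address and shared disk resource names
        [string[]]$RegistryKeys,  # HKLM-relative keys replicated between nodes (registry checkpoints)
        [switch]$UseNetworkName   # the 'Use Network Name for Computer Name' checkbox
    )
    $res = Add-ClusterResource -Name $Name -Group $Group -ResourceType 'Generic Service'
    $res | Set-ClusterParameter -Name ServiceName -Value $ServiceName
    # StartupParameters is left at its empty default: 'No start parameters'
    $res | Set-ClusterParameter -Name UseNetworkName -Value ([int]($UseNetworkName.IsPresent))
    foreach ($dep in $DependsOn) {
        Add-ClusterResourceDependency -Resource $Name -Provider $dep | Out-Null
    }
    foreach ($key in $RegistryKeys) {
        Add-ClusterCheckpoint -ResourceName $Name -RegistryCheckpoint $key | Out-Null
    }
    Start-ClusterResource -Name $Name | Out-Null    # 'Bring the new resource on line'
    return Get-ClusterResource -Name $Name
}

$group = 'IDM Group'                       # placeholder: Resource Group from step 1
$deps  = @('IDM IP Address', 'Disk E:')    # placeholders: the group's IP and shared-disk resources

# Step 4.5: eDirectory service, with its service key replicated to every node
New-ClusteredGenericService -Group $group -Name 'eDirectory' -ServiceName 'NDS Server0' `
    -DependsOn $deps -RegistryKeys @('SYSTEM\CurrentControlSet\Services\NDS Server0')

# Step 5.1: Remote Loader on the default command port 8000 (service name DirXMLRemote<port>)
New-ClusteredGenericService -Group $group -Name 'Remote Loader' -ServiceName 'DirXMLRemote8000' `
    -DependsOn $deps -UseNetworkName `
    -RegistryKeys @('Software\Novell\DirXML Remote Loader', 'Software\Novell\RLConsole')

# Steps 4.8 and 6: fail the group over to each other node and confirm both services come online
foreach ($node in (Get-ClusterNode | Where-Object { $_.Name -ne $env:COMPUTERNAME })) {
    Move-ClusterGroup -Name $group -Node $node.Name | Out-Null
    Get-ClusterGroup -Name $group | Get-ClusterResource | Select-Object Name, OwnerNode, State
}
```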

Changing Ownership and Permissions on the NICI System Directory
The %SystemRoot%\System32\Novell\NICI\system directory is installed owned by the SYSTEM account with only the SYSTEM account having any rights to the directory and contents. In order to copy the directory it is necessary for the administrative account to take ownership of the directory and to grant rights to itself on the directory. The steps necessary to do so are summarized below:
  1. Right-click on the directory %SystemRoot%\System32\Novell\NICI\system and select Properties.
  2. Select the Security tab and then press the Advanced button.
  3. Select the Owner tab and highlight the administrative account as the new owner.
  4. Check the 'Replace owner on subcontainers and objects' box.
  5. Click OK and Yes until back in the Windows Explorer main window.
  6. Again right click on the directory %SystemRoot%\System32\Novell\NICI\system and select Properties.
  7. Select the Security tab and then press the Advanced button.
  8. Select the Permissions tab and add the administrative account and the SYSTEM account as Permission entries. Give both accounts Full Control.
  9. Check the 'Replace permission entries' box.
  10. Click OK and Yes until back in the Windows Explorer main window.

Changing Permissions on the NICI System Directory After Copying
After the %SystemRoot%\System32\Novell\NICI\system directory is copied from the primary node to the secondary node the NICI system directory on the secondary node inherits permissions from its parent directory. This is not desirable and should be changed. The steps necessary to do so are summarized below:

  1. After the directory copy of the NICI system directory from the primary node to the secondary node has completed, right click on %SystemRoot%\System32\Novell\NICI\system on the secondary node.
  2. Select Properties, then select the Security tab and click the Advanced button.
  3. Uncheck the 'Allow inheritable permissions from the parent' check box. Click the 'Remove' button in the dialog that next appears.
  4. Add the administrative account and the SYSTEM account as Permission entries with Full Control rights.
  5. Check the 'Replace permission entries' box.
  6. Click OK and Yes until back in the Windows Explorer main window.
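Steps 4.1 through 4.2.4 and the two NICI permission sections above, combined into one script (an added example, not from this TID). It assumes an elevated PowerShell on the primary node running as the administrative account, a placeholder secondary node named NODE2 whose system drive is C:, and that step 3.6 has already been done on that node with eDirectory stopped there.

```powershell
# Added example, not from the TID. $Secondary is a placeholder node name.
param([string]$Secondary = 'NODE2')

$adminName  = "$env:USERDOMAIN\$env:USERNAME"
$localNici  = Join-Path $env:SystemRoot 'System32\Novell\NICI'
$localSys   = Join-Path $localNici 'system'
# Step 4.2.1: reach the secondary node's system drive through its administrative share
$remoteRoot = "\\$Secondary\c$\" + ($env:SystemRoot -replace '^[A-Za-z]:\\', '')   # e.g. \\NODE2\c$\WINDOWS
$remoteNici = Join-Path $remoteRoot 'System32\Novell\NICI'
$remoteSys  = Join-Path $remoteNici 'system'

# Step 4.1: the 'system' directory is SYSTEM-only; take ownership and grant the admin account
# and SYSTEM Full Control so the key material can be read for copying
takeown /F $localSys /R /D Y | Out-Null
icacls $localSys /grant "${adminName}:(OI)(CI)F" 'SYSTEM:(OI)(CI)F' /T /C | Out-Null

# Step 4.2.2: copy the whole NICI tree; the copy picks up inherited permissions on the secondary
Copy-Item -Path $localNici -Destination (Split-Path $remoteNici -Parent) -Recurse -Force

# Step 4.2.3: stop inheriting, drop every existing entry, then grant only SYSTEM and the admin
# account Full Control (the GUI steps in 'Changing Permissions ... After Copying')
$systemSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'   # NT AUTHORITY\SYSTEM
$adminSid  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$acl = Get-Acl -Path $remoteSys
$acl.SetAccessRuleProtection($true, $false)    # 'Allow inheritable permissions' unchecked + Remove
foreach ($rule in $acl.Access) { [void]$acl.RemoveAccessRule($rule) }
foreach ($sid in @($systemSid, $adminSid)) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($sid, 'FullControl', $inherit, 'None', 'Allow')))
}
Set-Acl -Path $remoteSys -AclObject $acl
# 'Replace permission entries': make every copied file and subdirectory inherit from 'system' again
Get-ChildItem -Path $remoteSys -Recurse -Force | ForEach-Object { icacls $_.FullName /reset /C | Out-Null }

# Step 4.2.4 (optional, policy-driven): hand the copy back to SYSTEM only
icacls $remoteSys /setowner 'NT AUTHORITY\SYSTEM' /T /C | Out-Null
icacls $remoteSys /remove:g $adminName /T /C | Out-Null
```

Run it once per secondary node; step 4.3 (restoring SYSTEM-only ownership on the primary) is the same two icacls lines applied to $localSys.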