The Active Directory driver shim must run on one of the supported Windows platforms. However, you don’t need to install the Metadirectory engine on this same machine. Using a Remote Loader, you can separate the engine and the driver shim, allowing you to balance the load on different machines or accommodate corporate directives.
The installation scenario you select determines how the driver shim is installed. If you choose to install the driver shim on the same machine as Identity Manager (where the Metadirectory engine and the Identity Vault are located), Identity Manager calls the driver shim directly. If you choose to install the driver shim on another machine, you must use the Remote Loader.
The driver itself is installed the same way in each of the scenarios. See Section 5.0, Configuring the Active Directory Driver.
You can install the Active Directory driver on either the domain controller or a member server. Before you start the driver installation, determine where you want to install the driver.
A single Windows domain controller can host the Identity Vault, the Metadirectory engine, and the driver.
Figure 2-1 Scenario 1 - All Components Are on One Server
This configuration works well for organizations that want to save on hardware costs. It is also the highest-performance configuration because there is no network traffic between Identity Manager and Active Directory.
However, hosting Identity Vault and the Metadirectory engine on the domain controller increases the overall load on the controller and increases the risk that the controller might fail. Because domain controllers play a critical role in Microsoft networking, many organizations are more concerned about the speed of the domain authentication and the risks associated with a failure on the domain controller than about the cost of additional hardware.
You can install the Identity Vault, the Metadirectory engine, and the driver on a separate computer from the Active Directory domain controller. This configuration leaves the domain controller free of any Identity Manager software.
Figure 2-2 Scenario 2 - Active Directory and the Driver Shim on Separate Servers
This configuration is attractive if corporate policy disallows running the driver on your domain controller.
You can install the Remote Loader and driver shim on the Active Directory domain controller, but install the Identity Vault and the Metadirectory engine on a separate server.
Figure 2-3 Scenario 3 - Active Directory, the Remote Loader, and Driver Shim on One Server
This configuration is attractive if your Identity Vault and Metadirectory engine (Identity Manager) installations are on a platform other than one of the supported versions of Windows.
Both Scenario 2 and Scenario 3 configurations eliminate the performance impact of hosting the Identity Vault and the Metadirectory engine on the domain controller.
If you have both a platform requirement (Identity Manager running on a platform other than a supported version of Windows) and a domain controller restriction (corporate policy that disallows the driver on the domain controller), you can use a three-server configuration.
Figure 2-4 Scenario 4 - Three-server Configuration
This configuration is more complicated to set up, but it accommodates the constraints of some organizations. In this figure, the two Windows servers are member servers of the domain.
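Every scenario above turns on one question per host: is the machine a domain controller or a member server, and does policy allow Identity Manager software on it? The following PowerShell is an added example, not part of the Identity Manager documentation or the driver's own tooling. It reads the standard `Win32_ComputerSystem` and `Win32_OperatingSystem` CIM classes to classify a candidate host and then maps the result onto the four scenarios. The function names, the `-PolicyForbidsSoftwareOnDC` switch and the scenario labels in the output strings are this example's own conventions; the `DomainRole` codes are Microsoft's documented values for `Win32_ComputerSystem`.

```powershell
# Added example (not from the Identity Manager documentation).
# Classify a candidate driver host and map it onto the deployment scenarios.

function Get-HostRoleSummary {
    param(
        # Omit for the local machine. A remote name uses WinRM, which is assumed
        # to be enabled and reachable (assumption, not covered by the page).
        [string]$ComputerName
    )
    $cim = @{}
    if ($ComputerName) { $cim.ComputerName = $ComputerName }

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem @cim
    $os = Get-CimInstance -ClassName Win32_OperatingSystem @cim

    # Win32_ComputerSystem.DomainRole (documented values):
    # 0 standalone workstation, 1 member workstation, 2 standalone server,
    # 3 member server, 4 backup domain controller, 5 primary domain controller
    $role = switch ($cs.DomainRole) {
        0 { 'StandaloneWorkstation' }
        1 { 'MemberWorkstation' }
        2 { 'StandaloneServer' }
        3 { 'MemberServer' }
        4 { 'BackupDomainController' }
        5 { 'PrimaryDomainController' }
        default { "Unknown($($cs.DomainRole))" }
    }

    [pscustomobject]@{
        ComputerName       = $cs.Name
        Domain             = $cs.Domain
        PartOfDomain       = [bool]$cs.PartOfDomain
        DomainRole         = $role
        IsDomainController = ($cs.DomainRole -ge 4)
        OSCaption          = $os.Caption
        OSVersion          = $os.Version
    }
}

function Test-DriverHostPlacement {
    param(
        # Object returned by Get-HostRoleSummary.
        [Parameter(Mandatory)] $HostInfo,
        # Set when corporate policy disallows running the driver on a DC
        # (the constraint behind Scenario 2 and Scenario 4).
        [switch]$PolicyForbidsSoftwareOnDC
    )

    if (-not $HostInfo.PartOfDomain) {
        return "REJECT: $($HostInfo.ComputerName) is not joined to a domain. " +
               "The driver host must be a domain controller or a member server."
    }

    if ($HostInfo.IsDomainController) {
        if ($PolicyForbidsSoftwareOnDC) {
            return "REJECT: $($HostInfo.ComputerName) is a domain controller " +
                   "($($HostInfo.DomainRole)) and policy forbids the driver on DCs. " +
                   "Use a member server (Scenario 2 or Scenario 4)."
        }
        return "OK: $($HostInfo.ComputerName) is a domain controller " +
               "($($HostInfo.DomainRole)). Candidate for Scenario 1 (all components) " +
               "or Scenario 3 (Remote Loader and driver shim only)."
    }

    return "OK: $($HostInfo.ComputerName) is a member server of $($HostInfo.Domain). " +
           "Candidate for Scenario 2 (engine, Identity Vault and driver) or " +
           "Scenario 4 (one of the two member servers)."
}

# Usage: check the local machine against a policy that keeps the DC clean.
$info = Get-HostRoleSummary
$info | Format-List
Test-DriverHostPlacement -HostInfo $info -PolicyForbidsSoftwareOnDC
```

Run it once on each machine you intend to use. For Scenario 4 both Windows servers should come back as `MemberServer`; a `PrimaryDomainController` or `BackupDomainController` result on either of them means you have drifted into Scenario 1 or 3 and are putting Identity Manager load and software on the controller, which is exactly what the policy-driven scenarios are meant to avoid.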