How do I set up the Active Directory Connector to achieve failover synchronization in OpenIDM 4.x when there are multiple Domain Controllers?
The purpose of this article is to provide information about setting up the Active Directory® (AD) Connector to achieve failover synchronization in OpenIDM when there are multiple Domain Controllers (DCs). This configuration applies only to reconciliation, not LiveSync.
Archived
This article has been archived and is no longer maintained by ForgeRock.
Setting up the AD Connector
Note
This configuration is not compatible with LiveSync because LiveSync uses the AD changelog. LiveSync is therefore bound to the DC that it initially connects to and cannot fail over to a different DC, as this would cause the sync token to become out of sync.
When using the AD Connector for reconciliation, you can set the AD Connector to use the AD Global Catalog to identify a DC to handle requests.
To achieve this, you need to set the following configuration properties in your AD Connector provisioner config file (for example, provisioner.openicf-ad.json), which is located in the /path/to/idm/conf directory. You should not change any other settings in this section.

    "configurationProperties" : {
        "LDAPHostName" : null,
        "SearchChildDomains" : true
    },

Setting the LDAPHostName to null means the AD Connector allows the Active Directory Service Interface (ADSI) to choose a valid DC each time a request is made. Setting the SearchChildDomains property to true means the Global Catalog is used for search and query operations only; the Global Catalog is never used for create, update or delete operations.
Related Issue Tracker IDs
OPENICF-120 (AD connector liveSync feature doesn't support AD DC failover)