How To

How do I set up the Active Directory Connector to achieve failover synchronization in OpenIDM 4.x when there are multiple Domain Controllers?

Last updated Jan 5, 2021

The purpose of this article is to provide information about setting up the Active Directory® (AD) Connector to achieve failover synchronization in OpenIDM when there are multiple Domain Controllers (DCs). This configuration is only applicable to reconciliation, not LiveSync.


This article has been archived and is no longer maintained by ForgeRock.

Setting up the AD Connector


This configuration is not compatible with LiveSync because LiveSync uses the AD changelog; this means it is bound to the DC that it initially connects to and cannot fail over to a different DC, as doing so would cause the sync token to become out of sync.

When using the AD Connector for reconciliation, you can set the AD Connector to use the AD Global Catalog to identify a DC to handle requests.

To achieve this, you need to set the following configuration properties in your AD Connector provisioner config file (for example, provisioner.openicf-ad.json), which is located in the /path/to/idm/conf directory. You should not change any other settings in this section:

    "configurationProperties" : {
        "LDAPHostName" : null,
        "SearchChildDomains" : true
    },

Setting the LDAPHostName to null means the AD Connector allows the Active Directory Service Interface (ADSI) to choose a valid DC each time a request is made. Setting the SearchChildDomains property to true means the Global Catalog is used for search and query operations only; the Global Catalog is never used for create, update or delete operations.
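The following script is an added example (not part of this article or of OpenIDM) that checks a provisioner config for the two failover settings above and flags any enabled liveSync schedule pointing at the same connector, since that combination is the incompatibility described earlier. The sample documents are constructed; the schedule layout ("invokeService": "provisioner" with a "liveSync" action) follows OpenIDM's schedule-*.json convention but is assumed here rather than taken from the article.

```python
import json

# Constructed sample provisioner config using the settings from this article.
AD_PROVISIONER = json.loads("""{
  "name": "ad",
  "configurationProperties": {
    "LDAPHostName": null,
    "SearchChildDomains": true,
    "DirectoryAdminName": "EXAMPLE\\\\svc-openidm"
  }
}""")

# Constructed sample liveSync schedule aimed at the same connector (assumed layout).
LIVESYNC_SCHEDULE = {
    "enabled": True,
    "type": "cron",
    "schedule": "0/15 * * * * ?",
    "invokeService": "provisioner",
    "invokeContext": {"action": "liveSync", "source": "system/ad/account"},
}


def check_failover_config(provisioner: dict, schedules: list) -> list:
    """Return a list of findings; an empty list means the config matches the article."""
    findings = []
    props = provisioner.get("configurationProperties", {})
    # ADSI only picks a DC per request when LDAPHostName is present and null.
    if "LDAPHostName" not in props or props["LDAPHostName"] is not None:
        findings.append("LDAPHostName must be null so ADSI selects a DC for each request")
    # The Global Catalog is only consulted for searches when this is true.
    if props.get("SearchChildDomains") is not True:
        findings.append("SearchChildDomains must be true so the Global Catalog is used for searches")
    # LiveSync is bound to one DC via the changelog; failover breaks its sync token.
    prefix = "system/%s/" % provisioner.get("name", "")
    for sched in schedules:
        ctx = sched.get("invokeContext", {})
        if (sched.get("enabled", True) and ctx.get("action") == "liveSync"
                and ctx.get("source", "").startswith(prefix)):
            findings.append("liveSync schedule on %s is incompatible with DC failover (OPENICF-120)"
                            % ctx["source"])
    return findings


if __name__ == "__main__":
    for finding in check_failover_config(AD_PROVISIONER, [LIVESYNC_SCHEDULE]):
        print("WARNING:", finding)
```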

See Also

Connector Reference › Active Directory Connector

Related Issue Tracker IDs

OPENICF-120 (AD connector liveSync feature doesn't support AD DC failover)

Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.