Connector Guides › Connectors Guide › Connecting to Endpoints › Microsoft Active Directory Services Connector › ADS Defaults › Using Failover

Using Failover

IMPORTANT! By default, ADS Failover logic is disabled. If you decide to use Failover, you must be aware of the following Failover behaviors. Otherwise, you will encounter unexpected Failover behaviors. Please review this section carefully.

• If you wish to activate Failover, you must set the environment variable ADS_FAILOVER to 1.

  Note: ADS_FAILOVER should be set on the machine where the C++ Connector Server and ADS connector run, and on the machine where the Provisioning Manager runs.

• The specified server name (the name of the Active Directory server specified on the Endpoint page) should match its fully qualified DNS server name.
• You should consider enabling logging when using Failover. (For more information, see the Endpoint Logging page on the Endpoint property sheet.) With logging enabled, in the event of unexpected behaviors, the logs provide a record of what transpired.
• The Provisioning Server attempts to retrieve the complete list of backup domain controllers from DNS, or you may elect to supply this list manually.

  If DNS is not available or you want to bypass DNS, you may supply a configuration file PS_HOME\data\ads\directory-name.DNS. (A sample DNS-configuration file is provided in the distribution of the file PS_HOME\data\ads\endpoint-name.dns.)

  where endpoint-name is the name of the endpoint that you specified in the Name field on the ADS Server tab of the ADS Endpoint property sheet.

  In order to view the list of domain controllers, select the Failover tab in the Endpoint property sheet. This page provides the list of domain controllers that ADS uses for failover. If there is only one item in the list (the primary server being managed), or failover was not enabled using the ADS_FAILOVER environment variable, then this page is disabled and failover is not operational.

  Whether CA IdentityMinder can determine the list of backup controllers automatically from DNS is heavily dependent on your environment. If this attempt fails, try one of the following suggestions:

  • Run the Provisioning Server in the same domain as the ADS Server.
  • Set the preferred DNS server field on the Provisioning Server correctly.
  • Run the Provisioning server under a domain-administrator account.

  If all of your domain controllers in your enterprise are not listed on the Failover tab, then failover was unable to retrieve the list from DNS. You must manually provide the .dns config file.

  You can run the ADSListSites servername diagnostic utility to determine what information DNS is returning. If a list of sites or servers is returned, then automatic failover is operational. If ADSListSites is not configured for automatic failover, you will have to manually supply the list of domain controllers.

• If you are using SSL, Provisioning Server must be able to connect to all domain controllers listed on the Failover tab of the Endpoint page using SSL. You must configure each of these servers to present a valid acceptable certificate to the Provisioning Server.

  If SSL is used, all the domain controllers associated with a single endpoint must be able to communicate with CA IdentityMinder using SSL. If an SSL connection cannot be established with any one of the domain controllers, then you should not use SSL, or you should omit that domain controller in the .dns configuration file.

• Active Directory guarantees that all changes made on any one domain controller are propagated to all other domain controllers. The time that the propagation occurs is installation-defined.
• You must be aware of the effects of propagation delays.

  For example, if the Provisioning server makes a change to a controller that subsequently goes down, and CA IdentityMinder automatically connects to a backup controller, any changes made earlier may not yet be reflected on the backup because of propagation delays. This can have adverse results.

  That is, if Provisioning Server is communicating with the primary server and encounters a failure, it immediately switches to the secondary server. If the user subsequently creates accounts on the secondary server, and the primary comes back up, ADS reconnects to the primary.

  If Active Directory has not propagated the new accounts from the secondary to the primary controller, you receive a not-found error when you attempt to view the new accounts from CA IdentityMinder. This occurs because the account does not yet exist on the primary server.

  Even more serious is the case in which you proceed to do an Explore (executed on the primary, now that the connection is restored). When Explore fails to find the newly created accounts, it assumes they have been deleted from the target system. Consequently, CA IdentityMinder then deletes the accounts from the repository.

  Note: You may also encounter a situation wherein conflicting changes made on different controllers could cause one of them to be lost.

• There are separate timeouts for the agent and for the Provisioning Manager.

  For example, if the agent timeout value is one minute, and the Provisioning Manager timeout is 90 seconds, when CA IdentityMinder attempts to communicate with a particular controller, it takes a full minute before the agent gives up. If the secondary controller is also down, another minute lapses before the agent declares the backup as down and attempts the tertiary controller. In the meantime, the Provisioning Manager times out and the initial operation fails, although the (tertiary) controller was actually available.

• When you change the order of the controllers on the Failover tab, the changes are only in effect for subsequent connections to the server (for example, a new user logs in, or the original primary controller goes down). However, existing valid connections continue to be used until the background process runs again and attempts a better connection.
• Although you can order the controllers in any desired sequence on the Failover tab, the server always arranges the list so that the primary server (that is, the one used on the Endpoint page) is always first. This prevents an inadvertent connection to an alternate controller during a restart.
• As mentioned previously, a background thread runs periodically to attempt to reestablish existing connections to the more preferred domain-controller. By default, this thread runs every 15 minutes. However, you can change this setting by setting the environment variable ADS_RETRY to the desired number of minutes.