Symantec Identity Manager - How to change the ADS Endpoints hostname and/or clear the failover list of DCs when a DC is decommissioned
search cancel

Symantec Identity Manager - How to change the ADS Endpoints hostname and/or clear the failover list of DCs when a DC is decommissioned


Article ID: 45113


Updated On:


CA Identity Manager CA Identity Governance CA Identity Portal CA Identity Suite


You cannot change the Endpoint Name as that is an alias that is referenced within other objects internally (i.e. Templates, Inclusions, Explore definitions, DNs, etc) but you can update the Host value. So the best thing to do is to keep your existing Endpoint Name and just change the host value to point to the new DC to be used.
The below steps can be used to change the host name and/or clear the failover list.

This assumes that the AD User ID value is still valid against the new Host value and that you already have the proper SSL certificates configured for the new Host value.
Be sure you put proper passwords into the LDIF file for the ID that is used to acquire/communicate to the ADS endpoint system.


Release: 14.X
Component : IdentityMinder(Identity Manager)


The ADS Connector provides failover ability. You must make sure you have the System Environment Variable ADS_FAILOVER set to the value of 1 on the Provisioning Manager, Provisioning Server, and Connector Server. This will activate the Refresh DC List and Test Connection buttons in the Provisioning Manager on the acquired ADS endpoint's Failover tab.


Stop all but one Java Connector Server and C++ Connector Server

Run the following etautil OR ldapmodify command against the Provisioning Server: 
IMPORTANT: for the etautil command The eTADSprimaryServer and eTADSServerName values need to be the same below:

etautil command:

etautil -u <USER> -p <password> update 'eTNamespaceName=ActiveDirectory' eTADSDirectory eTADSDirectoryName='<My_Endpoint_Name>' eTADSprimaryServer='<New_Host_Name'> eTADSServerName='<New_Host_Name>' eTADSAuthPwd='<password_to_connect_to_ad<' eTADSbackupDirs=''

Alternate ldapmodify command:

ldapmodify -h <IMPS_HOST> -p 20389 -D "eTGlobalUserName=<my_user>,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -W -f input.ldif 

input.ldif file:

The input.ldif needs to contain the following (you need to replace <My_Endpoint_Name>, <New_Host_Name>, and <password_to_connect_to_ad> with the proper values): 

dn: eTADSDirectoryName=<My_Endpoint_Nam>,eTNamespaceName=ActiveDirectory,dc=im,dc=eta 

changetype: modify 

replace: eTADSprimaryServer 

eTADSprimaryServer: <New_Host_Name> 

replace: eTADSServerName 

eTADSServerName: <New_Host_Name> 

replace: eTADSAuthPwd 

eTADSAuthPwd: <password_to_connect_to_ad>

delete: eTADSbackupDirs 

Restart the single running Java and C++ Connector Servers 

Hit the Refresh DC list button in the Provisioning Manager on the acquired ADS Endpoint's Failover property page. 

Restart the rest of the Java and C++ Connector Servers 


The "USER" for the etautil command or the "eTGlobalUserName=<my_user>" for the ldapmodify command should be set as the Provisioning Store user.  You can verify this user in the Identity Manager Management Console, under Home › Directories › ProvStore.   
Most environments will use etaadmin as shown below:


Additional Information

Note that if you are leaving the Primary DC Host alone and simply need to clear the Backup DC List in order to refresh the list then you would still follow the above steps but you could run the below etautil command instead or use the below input.ldif with the ldapmodify command instead:


etautil -u <USER> -p <PWD> update 'eTNamespaceName=ActiveDirectory' eTADSDirectory eTADSDirectoryName='<My_Endpoint_Name>' eTADSbackupDirs=''


ldapmodify -h <IMPS_HOST> -p 20389 -D "eTGlobalUserName=<my_user>,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -W -f input.ldif 


where input.ldif contains the following: 

dn: eTADSDirectoryName=<My_Endpoint_Name>,eTNamespaceName=ActiveDirectory,dc=im,dc=eta 

changetype: modify 

delete: eTADSbackupDirs