Symantec Identity Manager - How to change the ADS Endpoints hostname and/or clear the failover list of DCs when a DC is decommissioned
Article ID: 45113
Updated On:
Products
Issue/Introduction
You cannot change the Endpoint Name as that is an alias that is referenced within other objects internally (i.e. Templates, Inclusions, Explore definitions, DNs, etc) but you can update the Host value. So the best thing to do is to keep your existing Endpoint Name and just change the host value to point to the new DC to be used.
The below steps can be used to change the host name and/or clear the failover list.
This assumes that the AD User ID value is still valid against the new Host value and that you already have the proper SSL certificates configured for the new Host value.
Be sure you put proper passwords into the LDIF file for the ID that is used to acquire/communicate to the ADS endpoint system.
Environment
Release: 14.X
Component : IdentityMinder(Identity Manager)
Cause
The ADS Connector provides failover ability. You must make sure you have the System Environment Variable ADS_FAILOVER set to the value of 1 on the Provisioning Manager, Provisioning Server, and Connector Server. This will activate the Refresh DC List and Test Connection buttons in the Provisioning Manager on the acquired ADS endpoint's Failover tab.
Resolution
Stop all but one Java Connector Server and C++ Connector Server
Run the following etautil OR ldapmodify command against the Provisioning Server:
IMPORTANT: for the etautil command The eTADSprimaryServer and eTADSServerName values need to be the same below:
etautil command:
etautil -u <USER> -p <password> update 'eTNamespaceName=ActiveDirectory' eTADSDirectory eTADSDirectoryName='<My_Endpoint_Name>' eTADSprimaryServer='<New_Host_Name'> eTADSServerName='<New_Host_Name>' eTADSAuthPwd='<password_to_connect_to_ad<' eTADSbackupDirs=''
Alternate ldapmodify command:
ldapmodify -h <IMPS_HOST> -p 20389 -D "eTGlobalUserName=<my_user>,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -W -f input.ldif
input.ldif file:
The input.ldif needs to contain the following (you need to replace <My_Endpoint_Name>, <New_Host_Name>, and <password_to_connect_to_ad> with the proper values):
dn: eTADSDirectoryName=<My_Endpoint_Nam>,eTNamespaceName=ActiveDirectory,dc=im,dc=eta
changetype: modify
replace: eTADSprimaryServer
eTADSprimaryServer: <New_Host_Name>
-
replace: eTADSServerName
eTADSServerName: <New_Host_Name>
-
replace: eTADSAuthPwd
eTADSAuthPwd: <password_to_connect_to_ad>
-
delete: eTADSbackupDirs
Restart the single running Java and C++ Connector Servers
Hit the Refresh DC list button in the Provisioning Manager on the acquired ADS Endpoint's Failover property page.
Restart the rest of the Java and C++ Connector Servers
The "USER" for the etautil command or the "eTGlobalUserName=<my_user>" for the ldapmodify command should be set as the Provisioning Store user. You can verify this user in the Identity Manager Management Console, under Home › Directories › ProvStore.
Most environments will use etaadmin as shown below:
Additional Information
Note that if you are leaving the Primary DC Host alone and simply need to clear the Backup DC List in order to refresh the list then you would still follow the above steps but you could run the below etautil command instead or use the below input.ldif with the ldapmodify command instead:
etautil -u <USER> -p <PWD> update 'eTNamespaceName=ActiveDirectory' eTADSDirectory eTADSDirectoryName='<My_Endpoint_Name>' eTADSbackupDirs=''
ldapmodify -h <IMPS_HOST> -p 20389 -D "eTGlobalUserName=<my_user>,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -W -f input.ldif
where input.ldif contains the following:
dn: eTADSDirectoryName=<My_Endpoint_Name>,eTNamespaceName=ActiveDirectory,dc=im,dc=eta
changetype: modify
delete: eTADSbackupDirs
Feedback
