
How to change the ADS Endpoints hostname and/or clear the failover list of DCs when a DC is decommissioned


Article ID: 45113

Products

CA Identity Manager CA Identity Governance CA Identity Portal CA Identity Suite

Issue/Introduction

You cannot change the Endpoint Name, because it is an alias that other objects reference internally (Templates, Inclusions, Explore definitions, DNs, etc.), but you can update the Host value. The best approach is therefore to keep the existing Endpoint Name and change only the Host value so that it points to the new DC. The steps below change the host name and/or clear the failover list. They assume that the AD User ID is still valid against the new Host value and that the proper SSL certificates are already configured for the new Host. Be sure to put the proper password into the LDIF file for the ID that is used to acquire and communicate with the ADS endpoint system.

Environment

Release: 14.X
Component: IdentityMinder (Identity Manager)

Cause

The ADS Connector provides failover capability. The System Environment Variable ADS_FAILOVER must be set to 1 on the Provisioning Manager, Provisioning Server, and Connector Server. This activates the Refresh DC List and Test Connection buttons on the Failover tab of the acquired ADS endpoint in the Provisioning Manager.

Resolution

Stop all but one Java Connector Server and one C++ Connector Server.

Run one of the following commands (etautil or ldapmodify) against the Provisioning Server.
IMPORTANT: for the etautil command, the eTADSprimaryServer and eTADSServerName values must be the same.

etautil command:

etautil -u USER -p PWD update 'eTNamespaceName=ActiveDirectory' eTADSDirectory eTADSDirectoryName='My_Endpoint_Name' eTADSprimaryServer='New_Host_Name' eTADSServerName='New_Host_Name' eTADSAuthPwd='password_to_connect_to_ad' eTADSbackupDirs=''

Alternate ldapmodify command:

ldapmodify -h IMPS_HOST -p 20389 -D "eTGlobalUserName=my_user,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -W -f input.ldif



input.ldif file:

The input.ldif file must contain the following (replace My_Endpoint_Name, New_Host_Name, and password_to_connect_to_ad with the proper values). Each change operation is separated by a line containing only "-", and the record must not contain blank lines:

dn: eTADSDirectoryName=My_Endpoint_Name,eTNamespaceName=ActiveDirectory,dc=im,dc=eta
changetype: modify
replace: eTADSprimaryServer
eTADSprimaryServer: New_Host_Name
-
replace: eTADSServerName
eTADSServerName: New_Host_Name
-
replace: eTADSAuthPwd
eTADSAuthPwd: password_to_connect_to_ad
-
delete: eTADSbackupDirs


Restart the single running Java Connector Server and C++ Connector Server.

Click the Refresh DC List button in the Provisioning Manager on the acquired ADS Endpoint's Failover property page.

Restart the rest of the Java and C++ Connector Servers.

 



The "USER" for the etautil command, or the "eTGlobalUserName=my_user" for the ldapmodify command, should be the Provisioning Store user. You can verify this user in the Identity Manager Management Console under Home › Directories › ProvStore.
Most environments use etaadmin.

 

Additional Information

Note that if you are leaving the Primary DC Host alone and only need to clear the Backup DC List so that it can be refreshed, you still follow the steps above, but you can run the etautil command below instead, or use the input.ldif below with the ldapmodify command:

 

etautil -u USER -p PWD update 'eTNamespaceName=ActiveDirectory' eTADSDirectory eTADSDirectoryName='My_Endpoint_Name' eTADSbackupDirs=''

 

ldapmodify -h IMPS_HOST -p 20389 -D "eTGlobalUserName=my_user,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -W -f input.ldif

 

where input.ldif contains the following:

dn: eTADSDirectoryName=My_Endpoint_Name,eTNamespaceName=ActiveDirectory,dc=im,dc=eta
changetype: modify
delete: eTADSbackupDirs
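The following is an added helper, not part of this article or of CA/Broadcom tooling. It generates either of the input.ldif records shown above (host change plus failover-list clear, or failover-list clear only) for any endpoint name, host and password, inserts the "-" separator ldapmodify requires between change operations, escapes the endpoint name inside the DN, and base64-encodes (the "::" form) any password value that is not LDIF-safe, such as one with a leading space or colon or with non-ASCII characters. The dc=im,dc=eta suffix and attribute names are the article's; the function and parameter names are this example's own.

```python
import base64

# Constructed helper, not CA/Broadcom tooling. Builds the LDIF modify record
# used in this article for an ADS endpoint under eTNamespaceName=ActiveDirectory.

def escape_rdn_value(value: str) -> str:
    """Escape an RDN attribute value per RFC 4514 so an endpoint name such as
    'Corp, AD' does not break the DN."""
    out = []
    for i, ch in enumerate(value):
        special = ch in '"+,;<=>\\' or (i == 0 and ch in " #") \
            or (i == len(value) - 1 and ch == " ")
        out.append("\\" + ch if special else ch)
    return "".join(out)

def _is_safe_string(value: str) -> bool:
    """RFC 2849 SAFE-STRING: ASCII only, no leading ' ', ':' or '<',
    no trailing space, no CR/LF/NUL."""
    if value == "":
        return True
    if value[0] in " :<" or value.endswith(" "):
        return False
    return all(0 < ord(c) < 128 and c not in "\r\n" for c in value)

def ldif_attr_line(attr: str, value: str) -> str:
    """Emit 'attr: value', or 'attr:: base64' when the value is not safe."""
    if _is_safe_string(value):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def build_ads_endpoint_ldif(endpoint_name, new_host=None, password=None,
                            clear_backup_dirs=True, suffix="dc=im,dc=eta"):
    """Return the LDIF text for ldapmodify. Change operations are separated by
    a line containing only '-', which ldapmodify requires between them."""
    dn = (f"eTADSDirectoryName={escape_rdn_value(endpoint_name)},"
          f"eTNamespaceName=ActiveDirectory,{suffix}")
    ops = []
    if new_host is not None:
        # Article: primary server and server name must carry the same value.
        for attr in ("eTADSprimaryServer", "eTADSServerName"):
            ops.append(f"replace: {attr}\n{ldif_attr_line(attr, new_host)}")
    if password is not None:
        ops.append("replace: eTADSAuthPwd\n" + ldif_attr_line("eTADSAuthPwd", password))
    if clear_backup_dirs:
        ops.append("delete: eTADSbackupDirs")  # clears the failover DC list
    if not ops:
        raise ValueError("no attributes to modify")
    return f"dn: {dn}\nchangetype: modify\n" + "\n-\n".join(ops) + "\n"

if __name__ == "__main__":
    print(build_ads_endpoint_ldif("My_Endpoint_Name", "New_Host_Name", "secret"))
```

Redirect the output to input.ldif and pass it to the ldapmodify command above; the generated file contains the clear-text password, so remove it once the modify has run.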
