<div dir="ltr">Ok thanks for the notes, I am going to setup another test DC VM on my workstation and add it to the test domain so I can test it out but it will have to wait until another date as I am trying to get this going before the next semester comes around, I realllyyyyy do not want to have to create another 300 students one at a time in excel then use powershell to import them...<div><br></div><div>I will let you know how it turns out though!</div><div><br></div><div>JASON</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Feb 23, 2015 at 1:39 PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
Hi Jason,<br>
<br>
this seems to be pretty similar to our configuration. Some notes
below.<br>
<br>
1. To use serverless binding on the AD connector you don't need to
specify the LDAPHostName. In my production resource it's commented:<br>
<br>
<!--<icfcad:LDAPHostName>localhost</icfcad:LDAPHostName>--><br>
<br>
ADSI calls in the connector will discover and use whatever DC is
available. Of course if you wish your CS to use specific DC, you can
use the LDAPHostName resource configuration attribute. This may
influence how soon you see the replicated data in the domain.<br>
<br>
2. On customer machines, connectorserver.ifaddress is set to 0.0.0.0
(default).<br>
<br>
From the midPoint point of view, only ldap.test.local exists and
midPoint connects to 8759 port of the Connector Server service
running on the virtual IP address corresponding to ldap.test.local.<br>
<br>
I confirm that we're also using failover and not balancer.<br>
<br>
Just remember - this customer is using only provisioning and not
LiveSync from AD.<br>
(the following attributes are null for us, because we don't need
them<br>
<icfcad:SyncGlobalCatalogServer>null</icfcad:SyncGlobalCatalogServer><br>
<icfcad:SyncDomainController>null</icfcad:SyncDomainController><br>
)<br>
<br>
<br>
Regards,<br>
Ivan<div><div class="h5"><br>
<br>
<div>On 02/23/2015 08:16 PM, Jason Everling
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Yeah so I am using the serverless binding with the
connector server installed on each DC and if I am getting what
you mean correct, I was imagining it would look something like
this:
<div><br>
</div>
<div>Virtual IP going through Citrix Netscaler: 10.10.20.10
which in DNS is LDAP.TEST.LOCAL<br>
<div><br>
</div>
<div>DC1 - Connector Server Installed using local IP <add
key="connectorserver.ifaddress" value="10.20.10.5" /></div>
<div>DC2- Connector Server Installed using local IP <add
key="connectorserver.ifaddress" value="10.50.10.5" /></div>
<div><br>
</div>
<div><br>
</div>
<div>midPoint Connector Host would use the virtual DNS
ldap.test.local</div>
<div><br>
</div>
<div>
<div><connectorHost xmlns="<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" target="_blank">http://midpoint.evolveum.com/xml/ns/public/common/common-3</a>"></div>
<div> <name>Active Directory</name></div>
<div> <hostname>LDAP.TEST.LOCAL</hostname></div>
<div> <port>8759</port></div>
<div> <sharedSecret>SECRET</sharedSecret></div>
<div></connectorHost></div>
</div>
<div><br>
</div>
<div>AD Resource would use the virtual DNS ldap.test.local<br>
<br>
</div>
<div>
<div>
<icfcad:LDAPHostName>ldap.test.local</icfcad:LDAPHostName></div>
<div>
<icfcad:SearchChildDomains>false</icfcad:SearchChildDomains></div>
<div>
<icfcad:DomainName>test.local</icfcad:DomainName></div>
<div>
<icfcad:SyncGlobalCatalogServer>ldap.test.local</icfcad:SyncGlobalCatalogServer></div>
<div>
<icfcad:SyncDomainController>ldap.test.local</icfcad:SyncDomainController></div>
</div>
<div><br>
</div>
<div>Citrix Netscaler IP would be setup using
Primary/Secondary and NOT load balanced.</div>
<div><br>
</div>
<div>JASON</div>
<div><br>
</div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Feb 23, 2015 at 12:24 PM, Ivan
Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hi Jason,<br>
<br>
we have a customer where we provision from midPoint to
Active Directory consisting of multiple domain
controllers. The AD/Exchange connector is making
serverless bind unless you specify IP/hostname. But the
connector server itself is specified by IP/hostname, so if
you want to have failover for connector server, you need
to have proper infrastructure.<br>
<br>
The customer is using this for provisioning, not
synchronization.<br>
<br>
If you are using provisioning to AD, and you can ensure
the machine with connector server is (almost) always
running, the serverless bind should do the trick even if
the DC are restarting (because I suppose at least one is
always up and running).<br>
<br>
Regards,<br>
I.
<div>
<div><br>
<br>
<div>On 02/23/2015 04:42 PM, Jason Everling wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">Now that all my resources, Active
Directory, 3 databases, and CSV are syncing
properly, I was thinking about using our AD
virtual ip for failover in midPoint instead of
connecting to only 1 Domain Controller. Midpoint
would connect to the virtual IP and if the primary
domain controller goes down then the 2nd Domain
controller would be used.
<div><br>
</div>
<div>Is this OK to use? The sync task stops in a
failed state if the DC is not reachable and this
way the task would continue to run. Our DCs are
rebooted 1 at a time regularly for updates and
was just wondering if this would work or if
there are any known issues doing this. I know
that I would more than likely need to modify the
site replication time in AD so that user info is
updated more frequently but I could not think of
anything else that could cause an issue.</div>
<div><br>
</div>
<div>JASON</div>
</div>
<br>
</div>
</div>
<font><br>
<br>
CONFIDENTIALITY NOTICE:<br>
This e-mail together with any attachments is
proprietary and confidential; intended for only the
recipient(s) named above and may contain information
that is privileged. You should not retain, copy or use
this e-mail or any attachments for any purpose, or
disclose all or any part of the contents to any
person. Any views or opinions expressed in this e-mail
are those of the author and do not represent those of
the Baptist School of Health Professions. If you have
received this e-mail in error, or are not the named
recipient(s), you are hereby notified that any review,
dissemination, distribution or copying of this
communication is prohibited by the sender and to do so
might constitute a violation of the Electronic
Communications Privacy Act, 18 U.S.C. section
2510-2521. Please immediately notify the sender and
delete this e-mail and any attachments from your
computer. </font><br>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><span><font color="#888888">
</font></span></pre>
<span><font color="#888888"> </font></span></blockquote>
<span><font color="#888888"> <br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a> <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
___________________________________________________
"Semper Id(e)M Vix."
</pre>
</font></span></div>
<br>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<font><br>
<br>
CONFIDENTIALITY NOTICE:<br>
This e-mail together with any attachments is proprietary and
confidential; intended for only the recipient(s) named above and
may contain information that is privileged. You should not
retain, copy or use this e-mail or any attachments for any
purpose, or disclose all or any part of the contents to any
person. Any views or opinions expressed in this e-mail are those
of the author and do not represent those of the Baptist School
of Health Professions. If you have received this e-mail in
error, or are not the named recipient(s), you are hereby
notified that any review, dissemination, distribution or copying
of this communication is prohibited by the sender and to do so
might constitute a violation of the Electronic Communications
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
notify the sender and delete this e-mail and any attachments
from your computer. </font><br>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a> <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
___________________________________________________
"Semper Id(e)M Vix."
</pre>
</div></div></div>
<br>_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br></blockquote></div><br></div>
<br>
<font size="2"><br><br>CONFIDENTIALITY NOTICE:<br>This e-mail together with any attachments is proprietary and confidential; intended for only the recipient(s) named above and may contain information that is privileged. You should not retain, copy or use this e-mail or any attachments for any purpose, or disclose all or any part of the contents to any person. Any views or opinions expressed in this e-mail are those of the author and do not represent those of the Baptist School of Health Professions. If you have received this e-mail in error, or are not the named recipient(s), you are hereby notified that any review, dissemination, distribution or copying of this communication is prohibited by the sender and to do so might constitute a violation of the Electronic Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender and delete this e-mail and any attachments from your computer. </font><br>