Environment
Microsoft Active Directory
Novell Nsure Identity Manager 2.0
Novell Identity Manager 3.0
Situation
Multiple domains synchronized from one server with the Remote
Loader. The Password Sync Applet in Control Panel shows
multiple domains.
Passwords intermittently synchronize from one of the multiple domains or do not synchronize from either domain at all.
Resolution
Password Synchronization 2.0 does not currently support synchronizing
passwords to multiple domains from the same Remote Loader server. Two-way
synchronization requires the Negotiate authentication method, and the
server running the Remote Loader must be a member of the domain whose
passwords are synchronized. For this reason, passwords from multiple
domains cannot be synchronized from the same server.
Having a server be the member of a parent domain is not the same as that server being the member of synchronized child domains. The server must be a member of the specific domain from which passwords are synchronizing for the Negotiate method to work reliably.
Also, because of the way the Negotiate method works, only one driver can control the RPC channel through which passwords arrive from Active Directory. Because of this limitation, only one driver at a time receives the passwords, even when they originate from multiple domains.
To resolve both of the above issues it is required that, when passwords are being synchronized through Identity Manager from Active Directory to eDirectory, the Remote Loader must be on a separate server for each AD domain being synchronized.
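As an added illustration (not part of this TID or of Identity Manager), the following check applies the two placement rules above to a driver inventory: one Remote Loader server per AD domain, and that server joined to exactly that domain, with a parent-domain member not counting for a child domain. The driver names, hosts and domains are constructed sample data.

```python
"""Check AD driver / Remote Loader placement against the TID's rules.
Example code; the inventory and host membership below are constructed."""
from collections import defaultdict

# Constructed inventory: driver name -> (AD domain synchronized, Remote Loader host)
DRIVERS = {
    "AD-Corp":  ("corp.example.com",       "rl01.corp.example.com"),
    "AD-Sales": ("sales.corp.example.com", "rl01.corp.example.com"),
    "AD-Eng":   ("eng.corp.example.com",   "rl02.eng.corp.example.com"),
}

# Constructed membership: Remote Loader host -> AD domain the host is joined to
HOST_DOMAIN = {
    "rl01.corp.example.com": "corp.example.com",
    "rl02.eng.corp.example.com": "eng.corp.example.com",
}


def check_remote_loader_placement(drivers, host_domain):
    """Return a list of findings; an empty list means the layout follows the TID."""
    findings = []
    by_host = defaultdict(list)
    for name, (domain, host) in drivers.items():
        by_host[host].append((name, domain))
        joined = host_domain.get(host)
        # Rule 2: membership must match exactly. A suffix test such as
        # domain.endswith(joined) would wrongly accept a parent-domain member,
        # which the TID says is not sufficient for Negotiate to work reliably.
        if joined != domain:
            findings.append(f"{name}: {host} is joined to {joined!r}, not {domain!r}")
    # Rule 1: a single Remote Loader server cannot serve password sync for
    # more than one AD domain.
    for host, entries in by_host.items():
        domains = {d for _, d in entries}
        if len(domains) > 1:
            names = ", ".join(sorted(n for n, _ in entries))
            findings.append(f"{host}: serves {len(domains)} domains ({names}); "
                            "use a separate server per domain")
    return findings


if __name__ == "__main__":
    for finding in check_remote_loader_placement(DRIVERS, HOST_DOMAIN):
        print("FINDING:", finding)
```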