Symantec Access Management

  • 1.  Data replication between 2 CADIR User store

    Posted Mar 11, 2016 12:54 PM

    Hi All,

    We have 2 CA Dir: CADIR1 is our primary user store and CADIR2 is secondary.

    We have over 2 million users' details, and we see many replication issues. CADIR1 has the correct details but it is not replicating to CADIR2.

    Attributes like cn/mail/postal address.

    Can anyone please help me? Is there any way to get rid of these, or anything like comparing these 2 directories?

    Thanks



  • 2.  Re: Data replication between 2 CADIR User store

    Broadcom Employee
    Posted Mar 11, 2016 02:32 PM

    Palrecha,

    A few questions:

    Can you confirm the version of each CA directory install on CADIR1 and CADIR2 server?

    dxserver version

    Are CADIR1 and CADIR2 both sourcing the same schema files in $dxhome/config/schema directory and in the $dxhome/config/server/dsa.dxi files?

    Have you added the knowledge file for CADIR1 to CADIR2 and vice versa and configured the replication.dxg group file for both DSAs?

    I would start by increasing the trace levels on your $dxhome/config/logging/dsasourced.dxc file. The available trace parameters are located in the bookshelf here:

    https://support.ca.com/cadocs/0/CA%20Directory%2012%200%20SP14-ENU/Bookshelf_Files/HTML/idocs/index.htm?toc.htm?installation.htm

    Look in the section

    for the different log options (they can be used in combination, separated by a comma, in the dxc file).

    After you set the appropriate trace levels you will get much more output in your $dxhome/log/dsaname_trace.log file, so you will not want to leave elevated trace levels running in production or you will fill up disk space quickly.

    You can also monitor the trace output by telnet into the console port of the dsa (this is usually 1 port higher than the dsa listen port),

    e.g. if you are on the server of the dsa and the dsa is listening on 3390:

    telnet localhost 3391

    From the console this command will get the replication status of the DSAs.

    get dsp;

    Let me know if this helps.

    Thanks,


    Adam Rusniak



  • 3.  Re: Data replication between 2 CADIR User store

    Posted Mar 14, 2016 07:58 PM

    Adam has some great information. The "get dsp;" mentioned above will show that replication is correctly configured including:

    * CADIR1 and CADIR2 have the same prefix set in the knowledge file

    * CADIR1 and CADIR2 have dsa-flags = multi-write

    * CADIR1 and CADIR2 have knowledge of each other


    Another thing to check is that CADIR1 and CADIR2 have their .db files synchronized. This will manifest itself on the primary where the warn log will contain a lot of replication failures (noSuchObject).



  • 4.  Re: Data replication between 2 CADIR User store

    Broadcom Employee
    Posted Mar 14, 2016 09:01 PM

    Thanks Justin!

    Palrecha, have you been able to make any progress? You are in good hands, Justin has saved me more than once on CA Directory issues!



  • 5.  Re: Data replication between 2 CADIR User store

    Posted Mar 14, 2016 11:34 PM

    Hi Palrecha,

    What does Alarm.log say? Does it clearly say anything on "unable to syncronise with peer" or "unable to send datagram"?

    We had faced replication issues between CA Directory instances that were cross sites (data centres); there were different configurations such as disp-idle timeout, enabling and analysing traces, alarm logs, even some platform level configs. But before that I am interested in knowing what does the alarm log say? Also, if you do a count of users among both Directory instances, is that the same?

    regards,

    Ashish Ahluwalia
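
Added example, not part of any post in this thread and not CA/Broadcom code: one way to compare the two directories, as asked in the first post, going beyond the entry count suggested in the last post by also diffing cn/mail/postalAddress per entry. It assumes each DSA's contents have already been exported to LDIF by whatever means you use; the function names and the sample entries are constructed for illustration.

```python
import base64

ATTRS = ("cn", "mail", "postaladdress")  # attributes named in the thread, lower-cased

def normalize_dn(dn):  # simplification: ignores escaped commas inside RDN values
    return ",".join(part.strip() for part in dn.lower().split(","))

def parse_ldif(text):
    """Return {normalized_dn: {attr_name: set(values)}} from LDIF text."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: continuation of the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            current = current if line.strip() else None  # a blank line ends the entry
            continue
        if value.startswith(":"):           # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = entries.setdefault(normalize_dn(value), {})
        elif current is not None:
            current.setdefault(name, set()).add(value)
    return entries

def compare(primary, secondary, attrs=ATTRS):
    """Return (missing_on_secondary, extra_on_secondary, attribute_mismatches)."""
    missing = sorted(set(primary) - set(secondary))
    extra = sorted(set(secondary) - set(primary))
    mismatches = []
    for dn in sorted(set(primary) & set(secondary)):
        for attr in attrs:
            p, s = primary[dn].get(attr, set()), secondary[dn].get(attr, set())
            if p != s:
                mismatches.append((dn, attr, sorted(p), sorted(s)))
    return missing, extra, mismatches

# Constructed sample exports (not real data): CADIR2 lacks Carol and holds a stale mail for Bob.
CADIR1_LDIF = ("dn: cn=Alice,ou=Users,o=example\ncn: Alice\nmail: alice@example.com\n\n"
               "dn: cn=Bob,ou=Users,o=example\ncn: Bob\nmail: bob@example.com\n\n"
               "dn: cn=Carol,ou=Users,o=example\ncn: Carol\nmail: carol@example.com\n")
CADIR2_LDIF = ("dn: CN=Alice, OU=Users, O=example\ncn: Alice\nmail:: YWxpY2VAZXhhbXBsZS5jb20=\n\n"
               "dn: cn=Bob,ou=Users,o=example\ncn: Bob\nmail: bob@old.example.com\n")
print(compare(parse_ldif(CADIR1_LDIF), parse_ldif(CADIR2_LDIF)))
```

Entries reported as missing on the secondary correspond to the noSuchObject replication failures mentioned above; attribute mismatches point at updates that never reached CADIR2.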