Hi Team,
We are planning to change the domain controller AD from the older version, win server 2008, to the newer version, Windows Server 2016. We wanted to know if there is any dependency with IDM?
Thanks
Hi Sudip
Depending on the Identity Manager release you are running, please ensure to check the relevant Platform Support Matrix to confirm Microsoft Active Directory 2016 is certified. It is the case, for example, for Identity Manager 14.4: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-4/platform-support-matrix/connectors-and-endpoint-types.html
Regards
Rinat
Hi Rinat,
Thanks for your quick response. We have Identity Manager version 14.3 and we are already planning to upgrade. Also, we are currently running Active Directory on Windows Server 2008 with IDM. Our team has already migrated the same AD to the newer version, win server 2016. Now we have to check the dependency regarding what we need to do in Identity Manager as well as in the new AD.
Hi Sudip
Good to hear you have plans in place to upgrade the soon to be EOS 14.3.
Without knowing the extent of the change:
1. If there is any change to IP and / or credentials - you can follow https://knowledge.broadcom.com/external/article/186271/update-ad-endpoint-password.html to update the details.
2. If using SSL, ensure to validate any SSL certificate in use.
Regards
Rinat
Hi Rinat,
Last time, while creating a new Active Directory endpoint, we faced an issue.
We had to install C++ connector server management. Then it worked. Now, since we are changing the Domain Controller AD, this one is also a similar case. You did not mention that, so I wanted to make sure.
Thanks in Advance
Hi Sudip
In order to manage an AD endpoint, a CCS has to be installed. This is clearly indicated in the documentation under https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-management-and-governance-connectors/1-0/connectors/microsoft-connectors/microsoft-active-directory-exchange-and-skpye-for-business(lync).html
"Active Directory connector connects C++ Connector Server (CCS) to Active Directory, Exchange, and Skype for Business (formerly, Lync) servers."
This is also mentioned in the Platform Support Matrix under the managed endpoint: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-4/platform-support-matrix/connectors-and-endpoint-types.html
Therefore having a CCS is a basic requirement.
Regards
Rinat
Enclosing a high level view of the IGA solution components in play for Active Directory and other managed endpoints.
We use this diagram to help outline the data flows through the solution stack, including Active Directory.
The point we want to raise is that, besides the C++ connector, if you are using a remote configuration (which is the new default when using the IGA virtual appliance), you may need to adjust configurations/parameters from default values to increase performance and scale to larger transaction loads.
References that may be of value:
- Lifecycle of the userPassword in CA Identity Manager & Use of Jmeter for scalability testing
- Monitoring Load Balancing of JCS Tier & Refresh Rate
- Monitor data flow path for the CA Identity Suite CCS Service to Active Directory
Depending on the release version of the IGA solution and the AD endpoint when you re-acquire an AD endpoint, you may wish to test performance by the embedded authentication by testing with one of three (3) login formats:
Recommend use of openssl s_client to validate the ADS Domain public CA root cert, to ensure it is still correct. If a prior public CA root cert still exists in the MS Windows keystore (certlm.msc), this can impact TLS communication from the C++ server to the MS Windows host(s). Typically, this is a challenge when you are managing multiple ADS domains that do not have ADS trust between them. You can validate the public CA root cert with Jxplorer or other LDAP client tools.
------------------------------
Network and security Engineer technical associative
Cas Trading House
Putalisadak, KTM
------------------------------
Original Message: Sent: May 26, 2023 03:16 AM, From: Rinat Matityahu, Subject: Change of domain controller AD
Original Message: Sent: May 26, 2023 02:39 AM, From: sudip karmacharya, Subject: Change of domain controller AD
Original Message: Sent: May 26, 2023 02:16 AM, From: Rinat Matityahu, Subject: Change of domain controller AD
Original Message: Sent: May 25, 2023 07:05 AM, From: sudip karmacharya, Subject: Change of domain controller AD
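The openssl s_client check recommended in the thread, as an added example that is not part of the original posts or of the product documentation: it captures what a domain controller presents on LDAPS and confirms both that the chain verified and that it was issued by the root CA you expect after the move. The host name, port 636, CA file path and CA names are assumptions, and the sample output is constructed.

```shell
#!/bin/sh
# Added example. Host name, port 636 (LDAPS) and CA file path are assumptions.

# Live capture from a domain controller's LDAPS port (needs network access).
capture_ldaps() {   # usage: capture_ldaps <dc-host> <root-ca.pem>
    openssl s_client -connect "$1:636" -showcerts -CAfile "$2" </dev/null 2>&1
}

# Reads s_client output on stdin. Returns 0 only when the chain verified AND
# the last certificate in the presented chain was issued by the expected CN.
check_sclient() {   # usage: capture_ldaps ... | check_sclient <expected-root-CN>
    out=$(cat)
    code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1)
    issuer=$(printf '%s\n' "$out" | sed -n 's/^ *i:\(.*\)$/\1/p' | tail -n 1 | sed 's/ *= */=/g')
    [ -n "$code" ] || { echo "FAIL: no verify result in output"; return 2; }
    [ "$code" = "0" ] || { echo "FAIL: verify return code $code"; return 1; }
    case "$issuer," in
        *"CN=$1,"*) echo "OK: chain verified, issued by $issuer"; return 0 ;;
        *) echo "FAIL: unexpected issuer: $issuer"; return 3 ;;
    esac
}

# Constructed sample output (not captured from a real host): expected root CA.
sample_ok() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = dc01.corp.example
   i:DC = example, DC = corp, CN = Corp-Root-CA-2023
---
    Verify return code: 0 (ok)
EOF
}

# Constructed sample: the DC still presents a chain from a prior root CA.
sample_old_root() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = dc01.corp.example
   i:DC = example, DC = corp, CN = Corp-Root-CA-2015
---
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}
```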