I have set up my Active Directory driver according to the following:

Configuring the Identity Manager driver for Active Directory with SSL

In summary, I have the following machines:
Machine A: Primary Active Directory 2003
Machine B: Secondary Active Directory 2003
Machine C: member server that is running the remote loader
Machine D: server running eDirectory 8.8 SP5 and Identity Manager

Machines A and B are configured with PassSync, which will send any password
changes from Active Directory to Machine C (remote loader). In addition,
SSL is also set up between machines A and C and between machines B and C.

The "Issued to" of the SSL certificates is the Fully Qualified Domain
Name (FQDN) of the machines:
Machine A: myAcontroller.domain.com
Machine B: myBcontroller.domain.com

Machine C will send the password changes to machine D, where the changes
are saved to eDirectory.

I have set the authentication context in the AD driver to the FQDN of
machine A (primary domain controller) (e.g. myAcontroller.domain.com).

Everything is working fine when both machine A and machine B are turned
on. However, when I turn off machine A (primary domain controller) and
machine B takes over (secondary domain controller), I encounter an
LDAP_SERVER_DOWN error. I think this is because the driver could not
establish an SSL connection with machine B (secondary domain controller),
as I have specified the FQDN of machine A (which is turned off) in the
authentication context.

I tried specifying just the domain name (e.g. domain.com) instead of
the FQDN of machine A (e.g. myAcontroller.domain.com) in the
authentication context and installing SSL certificates with the "Issued to"
value set to the domain name instead of the FQDN of the machines, and yet I
am getting the same error.

The "Issued to" of the SSL certificates is the domain name:
Machine A: domain.com
Machine B: domain.com

I am wondering why we need to authenticate to a specific machine.
Why aren't we authenticating to a domain?
It is quite common to have a few domain controllers in a domain. So
why is the Active Directory driver authenticating to a specific machine and
hence imposing the limitation that this SPECIFIC domain controller has
to be up and running at all times?

Is there any workaround for that?

Please advise.

Thanks a lot!

gumiho's Profile: https://forums.netiq.com/member.php?userid=1295
View this thread: https://forums.netiq.com/showthread.php?t=2973
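An added diagnostic for the situation in this post (my own code, not from the thread or from NetIQ): given the certificate each domain controller presents on port 636 and a candidate authentication context, it reports which DCs would pass a standard TLS name check. It assumes the driver's TLS layer checks the certificate name the way a standard client does (DNS SANs first, subject CN otherwise), and `cafile` is a hypothetical path to the CA that issued the DC certificates.

```python
"""Hostname check for LDAPS domain-controller certificates (added diagnostic,
not NetIQ/IDM code). Assumes the driver accepts a certificate only when the
configured authentication context matches a DNS SAN, or the subject CN when no
DNS SAN exists, with one wildcard allowed in the leftmost label only."""
import socket
import ssl


def _name_matches(pattern, host):
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p, h = pattern.split("."), host.split(".")
    # wildcard only in the leftmost label; it never matches the bare domain
    return len(p) == len(h) and len(p) >= 3 and p[0] == "*" and p[1:] == h[1:]


def cert_names(cert):
    """Names a client will check: DNS SANs if present, else the subject CN.
    `cert` uses the dict shape returned by ssl.getpeercert()."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def cert_matches_host(cert, host):
    return any(_name_matches(n, host) for n in cert_names(cert))


def usable_contexts(dc_certs, candidates):
    """Map each candidate authentication context to the DCs whose cert passes."""
    return {c: [dc for dc, cert in dc_certs.items() if cert_matches_host(cert, c)]
            for c in candidates}


def fetch_cert(host, cafile, port=636):
    """Live variant: pull a DC's LDAPS cert, verifying the chain but not the
    name, so a name mismatch still returns the parsed cert for inspection."""
    ctx = ssl.create_default_context(cafile=cafile)  # CA that signed the DC certs
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # constructed sample certs mirroring the post: CN-only certs, one per DC
    certs = {"A": {"subject": ((("commonName", "myAcontroller.domain.com"),),)},
             "B": {"subject": ((("commonName", "myBcontroller.domain.com"),),)}}
    print(usable_contexts(certs, ["myAcontroller.domain.com", "domain.com"]))
    # → {'myAcontroller.domain.com': ['A'], 'domain.com': []}
```

If the name check passes for the context you configured and the driver still reports LDAP_SERVER_DOWN, the cause lies elsewhere (reachability, trust chain, or how the context is resolved); this only rules the name mismatch in or out.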