FileNet P8 Platform, Version 5.2.1            

Failover Support (Active Directory)

Content Platform Engine supports LDAP failover for authorization when Active Directory is the configured directory server. You can configure Active Directory failover using host:port pairs or by using domain names.

Active Directory failover support for authorization

Connections between Content Platform Engine and Active Directory fail if the configured domain controller is not available. Therefore, you should provide Active Directory failover for authorization if your FileNet® P8 system requires continuous availability and a high degree of reliability. Active Directory failover eliminates a single point of failure by switching automatically to another domain controller when the current domain controller becomes unavailable. A domain controller can be unavailable for a variety of reasons, including system failure, decommissioning the directory server, stopping the server for maintenance, or changing its host name. Because failover happens automatically and no application restart is necessary, users usually do not experience service disruption. Of the three types of Active Directory configurations (single-realm, multi-realm, and entire forest), you can configure failover for single-realm and multi-realm, but not for the entire forest.

Active Directory consists of two types of repositories:
  • Domain Controllers (DC) that hold domainwide data
  • Global Catalog servers (GC) that hold forestwide data
You can configure Content Platform Engine for Active Directory failover by specifying a list of host:port pairs or by using domain names.
  • The failover list method is useful if you have a preferred order of servers for your failover sequence.
  • The domain name or multiple-IP address method uses the services of the DNS server and can require less maintenance.
  • Both types can be configured programmatically through the API or in Administration Console for Content Platform Engine.

For performance reasons, you should create your failover list by using Active Directory and Content Platform Engine servers that are local, that is, at the same network site. If you must specify remote Active Directory servers and you are using the host:port pair method, place the remote servers at the end of the failover list.

To provide failover support for authentication, that is, for login, use the features of the Content Platform Engine application server. Consult your application server documentation. For a more detailed procedure on how to configure a failover, see Configuring directory server failover (Microsoft Active Directory).

Active Directory failover that uses a list of host:port pairs

One way to configure Active Directory failover support is by specifying a failover list. A failover list consists of one or more host:port pairs, for example, dc1:389 dc2:389 dc3:389. The host can be a host name or an IP address. The host name can be either a short name such as dc1 or a fully qualified DNS name such as dc1.mydomain.com. Although you can specify only one pair in the failover list, you should have two or more pairs to create a true failover sequence. You must create both a DC failover list and a GC failover list.

When Content Platform Engine is started, it attempts to connect to each pair in order from left to right until it finds a working pair. Content Platform Engine then uses this pair for LDAP access until the server that is specified by this pair becomes unavailable for some reason. Content Platform Engine then starts the failover process again by going back to the beginning of the failover list and trying each pair from left to right. If it cannot connect to any pair in the list, various types of errors can be generated on the client, depending on the point of failure. For example, it might be a DNS error such as UnknownHost, a network error, or a connection refused error.

Specify a failover list in the DirectoryServerHost property of the DirectoryConfiguration class. Because each pair contains a port number, Content Platform Engine ignores any value in the DirectoryServerPort property. Separate each pair with a space character. The following table shows examples of a DC failover list and a GC failover list:

Table 1. Failover configuration example that uses host:port pairs
    Properties in Administration Console for Content Platform Engine    Value
    ==========================================================================================
    Host       dc1:389 dc2:389 dc3:389 (for nonsecured connection)
               dc1:636 dc2:636 dc3:636 (for SSL connection)
    Port       Content Platform Engine ignores any value in the Port property
    GCHost     gc4:3268 gc5:3268 gc6:3268 (for nonsecured connection)
               gc4:3269 gc5:3269 gc6:3269 (for SSL connection)
    GCPort     Content Platform Engine ignores any value in the GCPort property

Active Directory failover using domain name or multiple IP addresses

As an alternative to the host:port pair method, you can configure Active Directory failover support by specifying one of the following options as the values of the DCHostName and GCHostName properties:
  • Active Directory domain and global catalog names
  • DNS A record that represents multiple IP addresses

The benefit of using domain names for failover is that you do not need to modify a failover list when you decommission a domain controller or change its host name. Instead, the DNS data will be updated by the DNS Server, and Content Platform Engine will read the latest DNS data when it needs to fail over to another domain controller.

A DNS A (address) record is a DNS record that associates a DC or GC host name with one or more IP addresses. For example, you could create an A record named my_dc that is associated with three local domain controllers: 9.39.50.155, 9.39.50.157, and 9.39.50.159. Content Platform Engine pings these domain controllers until one is available.

In some cases, this method is preferable to the host:port pairs method. For example, if you have many applications communicating with many directory servers and a directory server is decommissioned or its host name is changed, you remove it from the DNS server and all applications will use the updated DNS data to perform failover. No application restart is necessary.

You can maintain a list of directory servers that is associated to a DNS name on your DNS server. All applications point to this DNS name instead of specific server names. The DNS name can be either an AD domain name or an arbitrary host name that is associated to multiple IP addresses of AD servers.

Content Platform Engine follows these general steps during failover when the failover support is configured to use domain name or multiple IP addresses:
  1. Retrieves the AD domain name or a multiple-IP address host name from the GCD. If Content Platform Engine finds only one host name in the Host field (rather than one or more host:port pairs) and that host name resolves to more than one IP address in the DNS server, it interprets the value as a domain name or multiple-IP host name and not as a host:port configuration.
  2. Searches DNS server for all A records whose name is this domain name or multiple-IP address host name.
  3. Gets back a list of IP addresses and pings them all at the same time.
  4. Uses the first IP address that responds and ignores the others.
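The following Python model is an added illustration, not Content Platform Engine or IBM code, of the two selection behaviours described on this page: the left-to-right walk through a host:port failover list, and the domain-name or multiple-IP method, where a single bare host name that resolves to several A records is probed all at once and the first responder wins. The DNS resolver and the connectivity probe are injected parameters (hypothetical names) so the logic can be exercised offline against constructed DNS data.

```python
import socket
from concurrent.futures import ThreadPoolExecutor, as_completed
from typing import Callable, List, Optional, Tuple

# Hypothetical model of the server selection described on this page (not Content
# Platform Engine code). The resolver and the connectivity probe are injected so the
# logic can be run offline against constructed DNS data.
Resolver = Callable[[str], List[str]]   # name -> list of IP addresses (A records)
Probe = Callable[[str, int], bool]      # (host, port) -> reachable?


def parse_failover_list(value: str) -> List[Tuple[str, Optional[int]]]:
    """Split 'dc1:389 dc2:389 dc3:389' into (host, port) tuples; a bare name gets None."""
    pairs = []
    for token in value.split():
        host, sep, port = token.partition(":")
        pairs.append((host, int(port) if sep else None))
    return pairs


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Real TCP reachability check for live use; the offline test injects a fake."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def select_server(value: str, default_port: int, resolve: Resolver,
                  probe: Probe) -> Optional[Tuple[str, int]]:
    """Return the (host, port) the engine would bind to, or None if nothing answers."""
    pairs = parse_failover_list(value)
    if len(pairs) == 1 and pairs[0][1] is None:
        # A single bare name: if DNS returns several A records it is a domain or
        # multiple-IP host name. Probe every address at once; first responder wins.
        addrs = resolve(pairs[0][0])
        if len(addrs) > 1:
            with ThreadPoolExecutor(max_workers=len(addrs)) as pool:
                futures = {pool.submit(probe, a, default_port): a for a in addrs}
                for fut in as_completed(futures):
                    if fut.result():
                        return (futures[fut], default_port)
            return None
    # host:port list: walk it left to right and keep the first working pair.
    # A pair's own port overrides the configured Port/GCPort value.
    for host, port in pairs:
        p = port if port is not None else default_port
        if probe(host, p):
            return (host, p)
    return None
```

Pass `tcp_probe` and a real resolver (for example one built on `socket.gethostbyname_ex`) to run it against a live environment.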
The following table provides examples of domain names that are configured for failover and set in Administration Console for Content Platform Engine. The examples are based on the following assumptions:
  • The Active Directory domain name is mydomain.com.
  • More than one domain controller (in this domain) has Global Catalog server running on it.
  • Port 3268 is used for the global catalog server.
In Administration Console for Content Platform Engine, you would set the following fields.
Table 2. Failover configuration example that uses domain names
    Properties in Administration Console for Content Platform Engine    Value
    ==========================================================================
    Host       mydomain.com
    Port       389
    GCHost     mydomain.com
    GCPort     3268
The following example shows how to configure failover using multiple IP addresses. The example is based on the following assumptions:
  • You have at least two domain controllers for your Active Directory domain in your local site.
  • Global Catalog server is installed on each domain controller.
  • The IP addresses of the two DCs are 10.10.10.11 and 10.10.10.12.
  • The multiple-IP address host name is localAD.
  • You created the following A records in your DNS server:
    Name           Type            Data
    ==========================================
    localAD        Host (A)        10.10.10.11
    localAD        Host (A)        10.10.10.12

Then, in Administration Console for Content Platform Engine, you can set the following fields.

Table 3. Failover configuration example using DNS A records
    Properties in Administration Console for Content Platform Engine    Value
    ==========================================================================
    Host       localAD
    Port       389
    GCHost     localAD
    GCPort     3268

For more information about DNS A records, see your Active Directory documentation.

Last updated: October 2015
p8psd005.htm

© Copyright IBM Corporation 2015.