What PS> string can be used to return the partner DC currently selected by each host listed under managed domains in ARS config?

I see a great deal of data under this node … I see the domains, and other details - just not seeing a way to crack into the details on currently selected DC … along with current state/health info

Get-QADObject -SearchRoot "CN=<managed domain FQDN>,CN=Managed Domains,CN=Server Configuration,CN=Configuration"

I'm looking for this info to pro-actively switch hosts when my DirSync host becomes unresponsive to ARS. The DC is still running - but not returning password unlock/reset info - the end users just see the spinning-wheel-of-wait,
and I get a priority ticket.... There is too long a window between the failure-to-communicate, and ARS switching to next available....
If I can use PS> to expose the current value - and externally test the connection, then maybe I can use the same PS> path to trigger a change of the DirSync currently selected host value.

ideas? 

  • And then you can re-direct your write (or read) like this:

    set-qaduser -proxy -identity jsmith -description "something new" -control @{'ldapserver'="someotherDC"}

  • is it possible to set the managed domain target DC for ARS under "Configuration/Server Configuration/Managed Domains/<ARS Server>..<any dc in site>..<current dc>

     tried a slight variation of the command above - but no changey

    Connect-QADService -Service <ARS SERVER> -proxy ; Set-QADObject -Identity "DC=<my Target domain>" -IncludedProperties ldapserver -Control @{'ldapserver'="<my target domain controller>"}

    it runs - as in no error.  returns the object.   Yet again, no change post execution.

  • 'ldapserver' is an AR Service Control associated with a specific transaction - basically, the operational DC.

    You could try:
    Connect-QADService -Service <ARS SERVER> -proxy ; Set-QADObject -Identity "DC=<my Target domain>" -objectattributes @{edsaldapserver=$MyDC}

    ...but I have never tried that.

    I'm not 100% clear on what setting you are actually hoping to change though and why.

  • Re-reading and thinking about it, I surmise you are talking about the Dirsync Server in the properties of a Managed Domain.  I'm not sure that I would want to be "hard wiring" that to a particular host.  I'm not personally aware of the attribute that contains that setting.

  • We have 100 +/- DC's,  and for each geographic location that ARS is hosted in, we've setup two dedicated DC's in an ARS-<AD SITE> AD site.  ARS on the hosts within those two sites are allowed to choose any available DC in the AD site ARS-<AD SITE> for that location.  

    However … It doesn't float.  it doesn't switch DC's


    When ARS encounters an issue with timely password change requests to one DirSync host - we expect that it would float to the alternate DC.  But it doesn't... It may do so after some lengthy timeout built in to the switching algorithm  - but by then, I'm standing on a carpet being yelled at.  : )  figuratively speaking.

    So, we get an internal priority ticket - generically titled ARS IS DOWN, we can't change passwords.

      - and I go into ARS config and point-click force a DirSync change to the specific other DC in that ARS-<AD SITE>  Then they can work.  like magic.

    after we restart the problematic DirSync host, we manually point and click set the ARS preferred DirSync back to any DC in the ARS-<AD SITE> for that location.

    the PS> I'm looking for - is to allow me to switch to one of those DC's programmatically rather than using the GUI.... and then switch back to 'any in the AD site'

    and maybe proactively script a timed alternate round-robin style switch to one DC or the other in the same site in hopes that load balancing DirSync operations between two DC's will prevent future internal tickets proclaiming ARS IS DOWN.   When it is clearly not down.

  • Given that you say that ARS doesn't float to your liking, let me suggest this:

    Identify those transactions that are DC-sensitive for you

    For example, a password change through AR.

    Have a workflow intercept the request and do an AD-ping against the value returned by $Request.Parameter('ldapserver').

    If the server doesn't respond quickly enough, reset the 'ldapserver' control to an alternate DC to be determined by whatever algorithm you choose.

    i.e. $Request.PutInControl('ldapserver',$MyNewDC)

  • Johnny -

    I believe I figured it out - at least tested my theory this weekend, and it appears to work consistently.  Changes using the following two sections detected current DirSync mode and switched between 'any dc in site', and 'specific DC' on the fly.

    # edsvaSelectDCOption

    #1=Select Any DC available in the site specified by 'edsvapreferredsite', don't specify 'edsvapreferredDC'
    #2=Select only the DC explicitly defined in 'edsvapreferredDC' / can specify 'edsvapreferredsite'

    #SET 'ANY AVAILABLE DIRSYNC DC IN SITE' OPTION (PROVIDES REDUNDANT DIRSYNC WITHIN SPECIFIED SITE)

    $ARSession = Connect-QADService -service <FQDN of ARS Service host> -proxy
    $ARCONNECTION = Get-QADObject -Connection $ARSession -SearchRoot "CN=<FQDN of MANAGED DOMAIN>,CN=Managed Domains,CN=Server Configuration,CN=Configuration" -includeallproperties *

    #SEE CURRENT DIRSYNC SETTINGS FOR A SPECIFIC HOST (after setting above two vars)

    $ARCONNECTION |select @{name='ARHost';e={$_.adspath.split('/')[2]}},edsvaPreferredDC, edsvaPreferredsite, edsaAccountName, edsvaSelectDCOption, edsaDomainCacheStatus, edsvaDomainPercentLoaded

    # RESET DIRSYNC OPTION TO ANY DC in <SITE>

    Set-QADObject -identity "CN=<FQDN of MANAGED DOMAIN>,CN=Managed Domains,CN=Server Configuration,CN=Configuration" `
    -Connection $ARCONNECTION.connection  `
    -Control @{'edsvapreferredsite'='<NAME OF AD SITE>'}  `
    -ObjectAttributes @{'edsvaSelectDCOption'='1';'edsvapreferredsite'='<NAME OF AD SITE>'} | out-null


    To switch back to 'specific DC' during slow/no performance issues with currently selected DC, or for MS patch related reboots that target one of the ARS partner DC's - this is what works for me to target the 'other' ARS DirSync DC in the site.

    #SET ' TO SPECIFIC DIRSYNC DC IN SITE' OPTION (TARGETS A SPECIFIC DC FOR TEMPORARY OPERATIONS)

    $ARSession = Connect-QADService -service <FQDN of ARS Service host> -proxy
    $ARCONNECTION = Get-QADObject -Connection $ARSession -SearchRoot "CN=<FQDN of MANAGED DOMAIN>,CN=Managed Domains,CN=Server Configuration,CN=Configuration" -includeallproperties *

    #VIEW EXISTING OPTIONS (after setting above two vars)
    $ARCONNECTION |select @{name='ARHost';e={$_.adspath.split('/')[2]}},edsvaPreferredDC, edsvaPreferredsite, edsaAccountName, edsvaSelectDCOption, edsaDomainCacheStatus, edsvaDomainPercentLoaded

    #SET NEW TARGET SITE/DC RULES
    Set-QADObject -identity "CN=<FQDN of MANAGED DOMAIN>,CN=Managed Domains,CN=Server Configuration,CN=Configuration" `
    -Connection $ARCONNECTION.connection  `
    -Control @{'edsvapreferreddc'='<FQDN of TARGET DC>';'edsvapreferredsite'='<NAME OF AD SITE>'}  `
    -ObjectAttributes @{'edsvapreferreddc'='<FQDN of TARGET DC>';'edsvaSelectDCOption'='2';'edsvapreferredsite'='<NAME OF AD SITE>'} | out-null
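
The check-then-switch idea discussed in this thread, as an added example that is not part of any post and not ARS product code: it probes each site DC with an LDAP rootDSE query, then applies the same attribute writes shown in the last post. The DC list, the 5-second timeout, and treating a rootDSE answer as a sufficient health signal are assumptions.

```powershell
# Added example. Attribute names and option values (1 = any DC in site,
# 2 = specific DC) come from the post above; <...> values are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$ArsHost    = '<FQDN of ARS Service host>'
$DomainDn   = 'CN=<FQDN of MANAGED DOMAIN>,CN=Managed Domains,CN=Server Configuration,CN=Configuration'
$Site       = '<NAME OF AD SITE>'
$SiteDCs    = @('<FQDN of first DC in site>', '<FQDN of second DC in site>')
$TimeoutSec = 5   # assumed threshold for "too slow"

function Test-LdapResponse {
    param([string]$Server, [int]$Seconds)
    # rootDSE base search; returns $false if the DC does not answer LDAP in time.
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.Timeout = [TimeSpan]::FromSeconds($Seconds)
    $scope = [System.DirectoryServices.Protocols.SearchScope]::Base
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', $scope, [string[]]'defaultNamingContext')
    try     { [void]$conn.SendRequest($req); return $true }
    catch   { return $false }
    finally { $conn.Dispose() }
}

$session = Connect-QADService -Service $ArsHost -Proxy
$md      = Get-QADObject -Connection $session -Identity $DomainDn -IncludeAllProperties
$healthy = @($SiteDCs | Where-Object { Test-LdapResponse -Server $_ -Seconds $TimeoutSec })

if ($healthy.Count -eq $SiteDCs.Count) {
    # Every DC answers: make sure the domain is back on 'any DC in site'.
    if ("$($md.edsvaSelectDCOption)" -ne '1') {
        Set-QADObject -Identity $DomainDn -Connection $session `
            -Control @{ 'edsvapreferredsite' = $Site } `
            -ObjectAttributes @{ 'edsvaSelectDCOption' = '1'; 'edsvapreferredsite' = $Site } | Out-Null
    }
}
elseif ($healthy.Count -ge 1) {
    # A DC is slow or silent: pin DirSync to the first one that answered.
    $target = $healthy[0]
    if ("$($md.edsvaSelectDCOption)" -ne '2' -or "$($md.edsvaPreferredDC)" -ne $target) {
        Set-QADObject -Identity $DomainDn -Connection $session `
            -Control @{ 'edsvapreferreddc' = $target; 'edsvapreferredsite' = $Site } `
            -ObjectAttributes @{ 'edsvapreferreddc' = $target; 'edsvaSelectDCOption' = '2'; 'edsvapreferredsite' = $Site } | Out-Null
        Write-Output "DirSync pinned to $target"
    }
}
else {
    Write-Warning "No DC in $Site answered LDAP within $TimeoutSec seconds; settings left unchanged."
}
```

Run from a scheduled task, this leaves the configuration untouched when nothing needs to change, so each write to the Managed Domains object corresponds to an actual state transition that can be matched against ARS change history.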