How to recertify the server-id of Request Creator - server?

Hi,

We are in the process of rolling over our CA as described here: https://help.hcl-software.com/domino/12.0.2/admin/conf_certificateauthoritykeyrollover_t.html

After rolling over the CA I have to recertify the server IDs. This has been done without problems for most of our "normal" servers.

We are using Directory Sync to sync passwords from our AD. So my question is: How is the process of recertifying a "Request Creator" running on our Domain Controller?

/Jesper

Hello.

The Request Creator server for AD password synchronization works like a Notes client.
However, since it is a special server, it may be better to manually recertify the server.id on the Request Creator's server.

Regards,
Shigemitsu Tanaka

Hello Jesper,

After rolling over the Certificate Authority (CA), you need to recertify the Notes ID used by the Directory Sync Request Creator. This ID is treated like any other user ID and must be updated to trust the new CA.

Steps:

  1. Identify the Notes ID used by the Request Creator.

  2. Recertify it using Domino Administrator.

  3. Restart the Directory Sync services to apply the change.

This ensures password sync continues to work with the new CA in place.

Regards

Hitesh G

UPDATE AFTER POST BELOW:

The missing updates of files described below seem to start after the 1st password update has been done on the DC. So everything seems to be working :-)

Hello Hitesh,

Thank you for your reply.

Actually that was how I did it. But how do I check that the connection to the Request Creator is still working?

Prior to the recertification, the files log.nsf, adpwsync.nsf and DA_Pwsync.nsf were periodically updated in the data folder on the Request Creator (domain controller). But after the restart of the server (DC) and the Directory Sync service on our Domino server, the files are not updated anymore.

Furthermore: Shouldn't the Request Creator server pick up a new ID file and store it in the local Domino program folder?

Regards

Jesper

Hello Jesper,

A. On the Domino server running the Directory Sync service: Open log.nsf and look for entries related to Directory Assistance Password Sync or similar messages tied to AD sync or the DA_Pwsync task.
If the Notes ID used by the Request Creator is invalid or no longer trusted, errors such as Authentication failed, Cannot establish connection, or ID not trusted may appear.

B. Check adpwsync.nsf / DA_Pwsync.nsf: On the domain controller or wherever the Request Creator is installed:
Ensure these databases are being accessed or modified.
If they're no longer updating, it could mean the Domino Directory Sync server is no longer able to push sync jobs or connect.

Additionally, the Request Creator process does not fetch a new ID file automatically. You have to manually replace the old Notes ID file with the newly recertified one on the system where the Request Creator runs.

Note: for your awareness, we have launched a new Digital Solutions Community site (https://developer.ds.hcl-software.com/) which includes our new product forums.
The content for our legacy product forums will soon be migrated to this new site. If you haven’t yet done so, we encourage you to sign up on the site and engage with the community of experts for our products!!

Regards

Hitesh G

Hello Hitesh,

Once again - thanks for your reply.

Regarding replacing the ID file: How do I extract the ID file manually after recertifying the Request Creator from the Domino Administrator? Or do I have to recertify the current ID file directly instead of "Recertify Selected Server" on a server document?

(I'm aware of the new Community, but I realized it just after posting my initial question)

Regards

Jesper