Replicating Windchill Directory Server
Windchill Directory Server (WindchillDS) supports replication. Two or more instances of WindchillDS could be configured to contain the same data and replicate changes to other servers in the replication configuration.
Prerequisites
Before starting the WindchillDS replication, perform the following steps:
• For Windows:
1. Navigate to <HOME>\SW\SW\System\WindchillDS\server\config
2. Open java.properties and add the following code at the end of the file on both installation directory of client and servers: dsreplication.java-args="-Xms64m" "-Xmx128m" "-client" "-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"
3. Navigate to <HOME>\SW\SW\System\WindchillDS\server\bin and run dsjavaproperties
4. Restart the WindchillDS.
• For Unix:
1. Change the directory to <HOME>/SW/SW/System/WindchillDS/server/config
2. Open java.properties and the following code at the end of file on both installation directory of client and servers:dsreplication.java-args="-Xms64m" "-Xmx128m" "-client" "-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"
3. Change the directory to <HOME>/SW/SW/System/WindchillDS/server/bin and run dsjavaproperties
4. Restart the WindchillDS.
Windchill Directory Server Replication
WindchillDS replication uses a multi-master replication model. That is, directory servers participating in replication can fully respond to LDAP requests that modify directory content as well as LDAP requests that query directory content. A change made on one server will appear, almost immediately, on the other servers.
Replication can be used to provide a basis for high availability. If an LDAP server on one system fails, Windchill can be quickly reconfigured to use an alternate server with no loss of data. Alternatively, a load balancer can be used in front of the directory servers so that failover can occur automatically in the event of an LDAP server failure.
Replication can also aide backup. However, it should never replace consistent use of the recommended daily backups and weekly exports. If all servers in a replication configuration have the same baseDNs, and if all baseDNs are being replicated, then a backup needs to be taken on only one server in the replication configuration. If backup is being performed on only one server, the backup (and exports) should be taken consistently from the same server. If the primary server to which Windchill is connected is expected to be heavily loaded, backups and exports could be generated on a different server in the replication configuration. However, the overhead to generate backups and export files should be small, and it is recommended that you generate backups and exports on all servers.
The following image illustrates the use of two instances of the WindchillDS set up to replicate data between installations on two different hosts. As the diagram shows, the WindchillDS can be configured to include both an embedded LDAP server to respond to LDAP requests and an embedded Replication Server to manage replication and exchange data with other replication servers.
 | An instance of a Windchill DS can alternatively be configured so that it does not contain a replication server, yet the embedded LDAP Server can contact other replication servers so that it can participate in the replication. Also, an instance of a Windchill DS can be configured to include a Replication Server and an embedded LDAP Server that does not participate in replication. In the latter case, the LDAP interface can be disabled so the WindchillDS instance acts as a stand-alone Replication Server. At this time, PTC recommends using simpler configurations similar to those in the diagrams and examples. |
The LDAP Server sends all changes it receives to the included Replication Server. The Replication Server, in turn, sends all such changes it receives on to all other Replication Servers. When a Replication Server receives a change from another Replication Server, it forwards the change to the associated LDAP server, but not on to the other Replication Servers. This ensures that all changes are propagated correctly without too much protocol overhead.
As an LDAP server receives replicated changes, the changes are applied to the local database. So, all servers contain about the same data at any point in time. And, all LDAP servers will contain the same data and thus be considered synchronized if LDAP changes stop occurring and all outstanding changes have been replicated and applied to all servers. Normally changes are replicated and applied very promptly, so all directories will appear to be synchronized almost all the time.
More complex replication configurations are possible than the two-host example above.
The following image shows a possible replication configuration between two geographically separated locations.
Supported Configurations
The following configurations, while possible, are not supported or recommended due to their complexity and the performance issues they may cause.
• Configurations using standalone replication servers or standalone directory servers
• Assured Replication configurations
Setting Up Replication
Replication is configured per baseDN. The examples shown later illustrate configuration for just a single baseDN: o=ptc. If you have multiple baseDNs and you want them to be replicated, you will need to repeat the sample steps for each baseDN.
| | There are two baseDNs that are implicitly included when you set up replication. These are to also replicate schema changes (cn=schema) and administrative information (cn=admin data). Replication of schema changes can be disabled. Since schema changes are not anticipated as needed for normal WindchillDS use with Windchill, the examples show schema replication disabled. |
The following is an overview of the steps involved in setting up replication.
1. Plan the replication configuration:
a. Determine the number of WindchillDS that will be involved in replication.
b. Select the appropriate host for each server.
c. Is there an existing installation with one of the Windchill DSs already running and managing Windchill data? If so, this is the server that will be used to supply data to the other servers.
2. Install the servers: Using PSI, install a Windchill DS instance on each of the selected hosts. Under PSI, choose Standalone Product or Component and select WindchillDS and Java SDK. Complete the install.
| | When setting up replication, it is recommended that PSI be used to install a separate instance of the WindchillDS on each replication host. An instance of WindchillDS that is not running can be copied to another system. However, doing so can cause both instances to have the same server-id assigned. This will cause replication errors |
3. Enable replication: Enable replication using the command dsreplication enable. This command enables replication between two servers. So, for the four host configuration shown above, this command would need to be entered to enable replication between server-1 and server-2, then between server-1 and server-3, and then between server-1 and server-4. Or, you could enable replication between server-1 and server-2, then server-2 and server-3, and then server-3 and server-4.
4. Synchronize data: Synchronize data across all servers using the command dsreplication initialize-all. You identify the source directory server with this command, and the command then replicates the data in that server to all other servers.
| | In the event that the primary Windchill DS fails, you can manually reconfigure Windchill to use a secondary Windchill DS. |
Sample setup commands for the two-host configuration
For the two-host configuration, only two commands are needed to enable replication and synchronize data. Both servers must be running before entering these commands. If you have an existing server with data, that server must be identified as the hostSource and portSource in the initialize command. The following assumes that the two servers will be on different hosts, and:
• the default LDAP port, 389, is being used for both servers
• the default administrative port, 4444, is being used for both servers
• the default replication port, 8989, is being used for both servers, so the replication ports are not specified in the example.
You must modify the baseDN value (o=ptc in this example), hosts, passwords, and, possibly ports to make the following appropriate for your configuration:
dsreplication enable --host1 <server-1> --port1 4444 --bindDN1cn=manager --bindPassword1 admin --host2 <server-2> --port2 4444 --bindDN2 cn=manager --bindPassword2 admin --adminUID admin --adminPassword admin --noSchemaReplication --baseDN o=ptc --trustAll --no-prompt
dsreplication initialize-all --hostname <server-1> --port 4444 --adminUID admin --adminPassword admin --baseDN o=ptc --trustAll --no-prompt
Sample setup commands for the four-host configuration
For the four-host configuration, four commands are needed to enable replication and synchronize data. All four servers must be running before entering these commands. If you have an existing server with data, that server must be identified as the hostSource and portSource in the initialize command. The following assumes all servers are on different hosts, and:
• the default LDAP port, 389, is being used for both servers
• the default administrative port, 4444, is being used for all servers
• the default replication port, 8989, is being used for both servers, so the replication ports are not specified in the example.
You must modify the baseDN value (o=ptc in this example), hosts, passwords, and, possibly ports to make the following appropriate for your configuration:
dsreplication enable --host1 <server-1> --port1 4444 --bindDN1 cn=manager --bindPassword1 admin --host2 <server-2> --port2 4444 --bindDN2 cn=manager --bindPassword2 admin --adminUID admin --adminPassword admin --noSchemaReplication --baseDN o=ptc --trustAll --no-prompt
dsreplication enable --host1 <server-1> --port1 4444 --bindDN1 cn=manager --bindPassword1 admin --host2 <server-3> --port2 4444 --bindDN2 cn=manager --bindPassword2 admin --adminUID admin --adminPassword admin --noSchemaReplication --baseDN o=ptc --trustAll --no-prompt
dsreplication enable --host1 <server-1> --port1 4444 --bindDN1 cn=manager --bindPassword1 admin --host2 <server-4> --port2 4444 --bindDN2 cn=manager --bindPassword2 admin --adminUID admin --adminPassword admin --noSchemaReplication --baseDN o=ptc --trustAll --no-prompt
dsreplication initialize-all --hostname <server-1> --adminUID admin --adminPassword admin --baseDN o=ptc --trustAll --no-prompt
Replication Conflicts and Conflict Resolution
In typical Windchill installations, most LDAP requests that modify LDAP data will be directed at a particular WindchillDS. In such a configuration, replication conflicts should not occur, or be very unlikely to occur. However, it may be useful to understand more about replication conflicts so you can recognize conflicts if they do occur.
A replication conflict can occur in a replication configuration if changes are made at about the same time on two or more servers and the changes are not compatible, or involve the same entry or set of entries. These are examples of possibly conflicting changes:
• If at about the same time, an attribute value is added on one server, and the entire attribute is deleted on another server.
• Two entries with the same name are added on two different servers at about the same time.
• Subordinate entry is added on one server, while the superior entry is deleted on another server at about the same time.
There are two types of replication conflicts: modify conflicts and naming conflicts. Modify conflicts occur when conflicting LDAP modify requests are made to two different servers at about the same time. Naming conflicts are those in which at least one of the conflicting changes is an LDAP request other than an LDAP modify request. The first conflict in the list above is a modify conflict and the other two are naming conflicts.
A replication conflict is detected as conflicting changes are replicated and applied on the local server. When a replication conflict is detected, WindchillDS attempts to automatically resolve the conflict in a logical way. Modify conflicts are relatively simple to resolve, and the resolution is performed in an intuitive way. In general, modify conflicts will be resolved based on the order in time in which the change occurred. For this to work properly, of course, system clock settings must be accurate.
If, for example, an attribute is deleted from an entry on one server, and immediately thereafter a value is added to the same attribute on another server, the final result will be the same as if the first change and then the second happened on the same server and in that order. In this example, the final result will be that the attribute will have only the value added on the second server. If the timing of the two changes is reversed, the final result will be that the attribute is deleted from the entry.
Naming conflicts, however, can be much more complex and are more difficult to resolve. In all cases, WindchillDS will resolve the naming conflict. However, in some cases, the likelihood of an incorrect resolution may be high and after resolving the conflict it saves the losing entries involved in the conflict. This allows later recovery by an administrator, if appropriate.
| | When WindchillDS saves entries involved in conflict resolution, it calls this case an unresolved conflict. The conflict is resolved, however, and the same resolution will occur on all servers in the replication configuration. |
As one simple example, suppose two entries with different content, but the same DN are added at about the same time to two different servers. When the conflict is detected, the entry added first will be retained, and the entry added second will be saved and given a name based on the entry’s UUID. The DN of such an entry might look like this:entryuuid=6c6ac8ba-80ca-4ffd-9b83-4e63954078e7+o=conflict,o=ptc
Recovery
In the event a server is down or failed, there are different recovery actions needed depending on the type of failure:
• Server down:If one of the servers involved in replication is down for a relatively short period of time, simply restart the server. The missing changes will automatically be replicated and applied and then all servers will be in sync. No other manual steps are needed.
• Server down for a long period of time:If one of the servers involved in replication is down for a day or longer, data may need to be re-synchronized. This request will cause the server’s data to be rebuilt from data on the specified server. This can be done using a command similar to the following. Modify parameters as appropriate:
dsreplication initialize --hostSource <server-that’s-running-well> --portSource 4444 --hostDestination <server-that-was-down> --portDestination 4444 --adminUID admin --adminPassword admin --baseDN o=ptc --trustAll --no-prompt
• Server fails totally:If one of the servers involved in replication fails completely due to a hard drive failure or other such failure, recovery should still be relatively easy. Correct the underlying failure and simply re-install WindchillDS on the failed system. Then, re-run the dsreplication enable command as for the initial setup. Then run a dsreplication initialize command similar to that in the previous paragraph. All servers should again be in sync.
• Servers no longer in synch:If one of the servers involved in replication is no longer is sync with the other servers, run a dsreplication initialize command similar to that in a previous paragraph.
Other Administrative Actions
The following are some of the administrative actions you may perform when administering your WindchillDS Replication.
• Disable replication on each server
• Searching for conflict entries
• Monitoring Replication
Disable replication on each server
If you want to disable replication, you must perform these steps on each server:
1. On each server, enter a command similar to the following.dsreplication disable --disableAll -h localhost --adminUID admin --adminPassword admin --trustAll --no-prompt
Replace the adminUID and adminPassword values with the appropriate global administrator values—that is, the values you used when setting up replication. You are likely to see an error with this command, but you can ignore it.
2. Verify that the string server-id does not appear in the config or config.ldif file for either server.
3. Verify that the cn=monitor output no longer contains an entry for cn= replication,cn=monitor.
Searching for conflict entries
You might want to occasionally search for conflict entries left over from resolving naming conflicts. To do so, enter a subtree search request looking for entries that have the attribute ds-sync-conflict. This would be a search filter of (ds-syncconflict=*). Such entries could be helpful if a naming conflict is resolved in an unexpected way. However, the best choice is probably to simply delete such entries.
Monitoring Replication
You can monitor replication by using the following:
• Using the dsreplication status commandOne of the ways to monitor replication is through the dsreplication status command. For example, dsreplication status --hostname <server-1> --adminUID admin --adminPassword admin –trustAll
The output from this command shows a summary of replication status for each baseDN. A list is displayed of each server participating in replication along with a status of replication with that server. This command is useful to provide a quick picture of the overall health of replication. The following is a sample output:
• Examining Startup MessagesDuring startup, WindchillDS displays some information about replication. These messages are also written to the server.out log. The following are sample messages you might see.
[25/May/2012:13:44:58.829 -0500] category=SYNC severity=NOTICE sgID=15138878 msg=Replication is up and running for domain cn=admin data with replication server id 19468 host1/192.168.11.186:8989 - local server id is 27305 - data generation is 138072 [25/May/2012:13:45:01.814 -0500] category=SYNC severity=NOTICE msgID=15138878 msg=Replication is up and running for domain o=ptc with replication server id 19468 host1/192.168.11.186:8989 - local server id is 29597 - data generation is 8425
These messages indicate that replication is up and running and also provide the data generation value, sometimes called the generation ID. If the generation ID values for a baseDN are the same across all servers, all servers should be successfully replicating data. If the generation ID values are different across different servers, then some servers will be blocked from replicating data and will need to be synchronized.
• Examining the errors logSome errors encountered during replication are written to the errors log. For example, during conflict resolution, a so-called “unresolved conflict” will be logged in the errors log. Following is an example of such a message.
[25/May/2012:11:31:47.019 -0500] category=CORE severity=NOTICE msgID=458891 msg=The Directory Server has sent an alert notification generated by class org.opendj.server.replication.plugin.LDAPReplicationDomain (alert type org.opendj.server.replication.UnresolvedConflict, alert ID 15138885): An unresolved conflict was detected for DN o=conflict,o=ptc
This message does not necessarily require administrative action. However, an administrator can use this information to resolve the conflict differently, or can search for the losing conflict entry that was saved.
| | You should see similar messages on each server that is part of the replication configuration. |
• cn=monitor Virtual Status EntriesThere are also a set of status entries held as virtual entries in the directory under cn=replication, cn=monitor. These entries can be examined using the ldapsearch command or by using the WindchillDS control-panel. To use the control-panel, first start the control-panel, then click Manage Entries in the left pane. This opens the Manage Entries window. Choose All Base DN’s in the Base DN: dropdown list. Open the cn=monitor entry, then the replication entry (cn=replication). Under this cn=replication entry there are a set of entries associated with each baseDN.
For example, the following three entries might be seen the baseDN being replicated is o=ptc:
cn=cn_admin data
cn=cn_schema
cn=o_ptc
cn=cn_schema
cn=o_ptc
Further, under the cn=o_ptc entry (or similar entry at your site) you should see several entries, two of which will be similar to:
cn=Replication Domain 29597
cn=Replication Server 8989 host1 19468
cn=Replication Server 8989 host1 19468
The first entry gives information about the embedded LDAP server and its associated replication information. The second entry (and its subordinates) give information about the embedded Replication Server and its connections. The following shows some of the content of the first entry:
cn=Replication Domain 29597
status: Normal
resolved-naming-conflicts: 8
unresolved-naming-conflicts: 4
resolved-modify-conflicts: 6
received-updates: 19
replayed-updates: 19
domain-name: o=ptc
connected-to: host1/192.168.11.186:8989
generation-id: 8425
lost-connections: 0
replayed-updates-ok: 17
status: Normal
resolved-naming-conflicts: 8
unresolved-naming-conflicts: 4
resolved-modify-conflicts: 6
received-updates: 19
replayed-updates: 19
domain-name: o=ptc
connected-to: host1/192.168.11.186:8989
generation-id: 8425
lost-connections: 0
replayed-updates-ok: 17
Some of the content of the second entry:
cn=Replication Server 8989 host1 19468
generation-id: o=ptc 8425
domain-name: o=ptc
missing-changes: 0
replication-server-port: 8989
generation-id: o=ptc 8425
domain-name: o=ptc
missing-changes: 0
replication-server-port: 8989
The first entry, the Replication Domain entry, shows an overall status and the Replication Server (connected-to attribute) to which the LDAP server is connected. This should normally be the embedded Replication Server. This entry also contains helpful information regarding conflicts and conflict resolution. If unresolved conflicts have occurred, the administrator can examine these to see if a conflict needs to be resolved differently, or if the losing entries simply need to be deleted.
Both entries contain the generation ID. As noted earlier, for a given baseDN, (or domain-name as shown above), the generation ID should be the same on all servers. If this is not the case, then the servers need to be synchronized.
Replicating WindchillDS with PTC Arbortext Content Delivery
To replicate WindcillDS, perform the following steps:
1. Install a standalone WindchillDS on a machine.
2. You must use the same port that is used for WindchillDS (Publisher or Viewers) for replication and for the standalone WindchillDS. That is, the ports must be same for the primary and replicated servers.
3. On the Configurator UI, in the LDAP entity mention the Backup Server Host Name and ports.
4. Restart the servers.