Ongoing maintenance of HugeCo's large directory service requires a lot of attention from IS system administrators. This is especially true at the present time because the service is still evolving as new directory-enabled applications are being integrated. All basic maintenance is handled by automated procedures that are similar to those used for other systems that the IS organization manages. The following sections provide specific information on each aspect of directory maintenance within HugeCo's deployment.

Data Backups and Disaster Recovery

As discussed earlier in this chapter, there are two master servers for each portion of the HugeCo directory namespace. Once a month, one of the master servers is taken down, and the system is tested to ensure that everything can still function well with only one master. The master servers are backed up to disk nightly via the directory server's "hot backup" feature and archived to tape via digital linear tape (DLT) drives. Twice a week, each region sends a set of backup tapes to another region for off-site storage. The backup procedures are largely automated and similar to those used for all the services that HugeCo's IS organization supports.

HugeCo outsources all its disaster recovery planning and services to IBM Business Continuity and Recovery Services, which maintains cold sites in each of HugeCo's four regions. So far HugeCo has not experienced a disaster that required use of the cold sites.

Maintaining Data

The IS organization spends a lot of time and money on data maintenance across all of HugeCo's systems. Corporate data is held in a variety of databases, and keeping the data up-to-date is largely a manual process. One goal of the directory service team was to increase the overall data maintenance burden as little as possible. The team managed to minimize maintenance demands by automating some processes and distributing data maintenance responsibilities.
To integrate with its PeopleSoft HR database, HugeCo contracted with America Online's Professional Services organization to create a directory synchronization tool. The synchronization tool runs once per hour to transfer changes made in the HR database to the directory service. Basic information about employees is synchronized, including name, contact information, ID number, and location. The synchronization tool takes care of creating new hugeCoPerson entries in the directory service when employees join HugeCo, and it disables user accounts by altering passwords after an employee leaves the company. The synchronization tool, written in Perl, operates on text extracts generated from the PeopleSoft database, and it uses the PerLDAP module to access the LDAP directory.

To distribute the data maintenance responsibilities, the HugeCo team defined the following categories of directory data managers:
For access control purposes, groups are maintained in the directory for each category of data administrators. The one exception is the end-user category: End users are identified by the absence of group membership. Access control rules were placed in the directory to give people in each category an appropriate level of access. Because departmental administrators and end users are allowed to manage some of their own information, the data management burden carried by the IS employees (directory administrators and Help Desk staff) is minimized.
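
As an added illustration of the hourly HR-to-directory synchronization described above (written in Python, not the Perl/PerLDAP code of HugeCo's tool), the following example diffs a text extract against a directory snapshot and emits LDIF change records for joiners, changed attributes, and leavers, and it refuses to run when an empty or truncated extract would disable too many accounts. The base DN, extract layout, attribute names, the threshold, and the rule that an employee missing from the extract has left are assumptions, and all sample data is constructed.

```python
import csv, io, secrets

# Assumptions, not from the text: base DN, pipe-delimited layout, attribute names,
# leaver = absent from extract, hugeCoPerson's superior classes (omitted). Data is constructed.
BASE_DN = "ou=People,dc=hugeco,dc=example"
SYNCED = ("cn", "sn", "mail", "telephoneNumber", "l")
MAX_DISABLE_FRACTION = 0.5  # guard against a truncated or empty extract
HEADER = "employeeNumber|cn|sn|mail|telephoneNumber|l\n"
EXTRACT = HEADER + """1001|Ana Ruiz|Ruiz|aruiz@hugeco.example|+1 555 0101|Chicago
1003|Lee Wong|Wong|lwong@hugeco.example|+1 555 0103|Austin
1004|Sam Ode|Ode|sode@hugeco.example|+1 555 0104|Austin
"""
SNAPSHOT = HEADER + """1001|Ana Ruiz|Ruiz|aruiz@hugeco.example|+1 555 0101|Boston
1002|Bo Chen|Chen|bchen@hugeco.example|+1 555 0102|Boston
1004|Sam Ode|Ode|sode@hugeco.example|+1 555 0104|Austin
"""

def parse_extract(text):
    """Parse pipe-delimited text into {employeeNumber: row}."""
    return {r["employeeNumber"]: r for r in csv.DictReader(io.StringIO(text), delimiter="|")}

def plan_sync(hr, directory):
    """Return [(action, employeeNumber, ldif)]; an empty HR value deletes the attribute."""
    leavers = sorted(set(directory) - set(hr))
    if directory and len(leavers) / len(directory) > MAX_DISABLE_FRACTION:
        raise ValueError(f"refusing to disable {len(leavers)} of {len(directory)} accounts")
    ops = []
    for emp, row in sorted(hr.items()):
        dn = f"dn: employeeNumber={emp},{BASE_DN}"
        if emp not in directory:
            body = ["changetype: add", "objectClass: hugeCoPerson", f"employeeNumber: {emp}"]
            body += [f"{a}: {row[a]}" for a in SYNCED if row.get(a)]
            ops.append(("add", emp, "\n".join([dn] + body)))
            continue
        body = []
        for a in SYNCED:
            new = row.get(a) or ""
            if new != (directory[emp].get(a) or ""):
                body += [f"replace: {a}"] + ([f"{a}: {new}"] if new else []) + ["-"]
        if body:
            ops.append(("modify", emp, "\n".join([dn, "changetype: modify"] + body)))
    for emp in leavers:
        # Disable the account by overwriting its password with a random value.
        body = ["changetype: modify", "replace: userPassword", f"userPassword: {secrets.token_urlsafe(32)}", "-"]
        ops.append(("disable", emp, "\n".join([f"dn: employeeNumber={emp},{BASE_DN}"] + body)))
    return ops

if __name__ == "__main__":
    print("\n\n".join(op[2] for op in plan_sync(parse_extract(EXTRACT), parse_extract(SNAPSHOT))))
```
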
Monitoring

The overall HugeCo strategy for network monitoring revolves around HP OpenView, a commercial network management system (NMS). Each regional IS department runs an HP OpenView system that monitors the network and the applications located in that region. In addition, the central IS organization runs an HP OpenView system that monitors the global network and centrally managed applications such as the PeopleSoft system.

A combination of techniques was used to integrate the Netscape Directory Server software and important directory-enabled applications into the NMSs. First the Simple Network Management Protocol (SNMP) support built into the server software was used to provide basic service and performance monitoring. Then a set of Perl scripts was developed with the PerLDAP module to probe all the critical directory servers from several locations on HugeCo's network. Finally, indirect monitoring of the directory service was started through extensive observation of critical directory-enabled applications, including the e-mail servers, the PeopleSoft synchronization process, the phone book servers, the Netegrity SiteMinder servers, and the Web servers that support critical applications. As much as possible, probes mimic the operations that end users and applications frequently perform.
When a problem is detected by HugeCo's OpenView monitoring system, the following automated notification methods are used to bring the problem to the attention of the appropriate system administrator:
Overall, the directory service and associated applications have proven to be reliable. So far, there has been no need to automate such actions as restarting failed directory server processes or machines.

Troubleshooting

HugeCo's IS organization maintains a well-documented set of escalation procedures stating that members of the IS staff with increasing seniority will be called in over time to address critical problems. Directory-specific procedures were developed during the directory pilot deployment and refined over time to ensure that problems are addressed quickly by the right people.