The most time critical aspect of an MIIS installation is likely to be the Password Sync. There are always going to be delays in syncs through the MAs, and people should be used to that – but when a user changes their password they are going to expect it to go straight through.
If you are regularly replicating MIIS to a failover server then you can have password sync up and running within a matter of minutes after a failure of your primary server.
I take the precaution of pre-registering my failover server with PCNS. When you installed Password Sync you would have run the SETSPN and PCNSCFG ADDTARGET commands to enable your MIIS server as a password sync target for PCNS. You should now also execute these commands for your failover server, adding an extra one to disable it until needed.
This post is not intended to be an instruction on installing PCNS – for that you should refer to this Technet document. So, on the assumption that you’ve already got PCNS working for you primary MIIS server, you just need to run these extra commands to register your failover server.
setspn.exe -A PCNSCLNT/failoverserverDN domainsvcaccount
pcnscfg.exe addtarget /n:miispw_failoverserver /a:failoverserverDN
/s:PCNSCLNT/failoverserverDN /fi:”Domain Users” /f:3
pcnscfg disabletarget failoverserverDN
You now have the failover server registered, but disabled. To confirm this use the command
When you’re ready to switch from your primary to failover server all you need to do is execute these commands:
pcnscfg disabletarget primaryserverDN
pcnscfg enabletarget failoverserverDN
The failover MIIS server should now be able to sync the passwords of all the users it knows about.
Of course, if new users have been created since the last time you replicated the MicrosoftIdentityIntegrationServer database then the failover server can’t be expected to know about them until you’ve done your re-sync’ing work. But at least, in the meantime, Password Sync will be working for the majority of your users. And that’s what I’d call a very successful DR plan!