2.2 Where to Install the Active Directory Driver

The Active Directory driver shim must run on one of the supported Windows platforms. However, you don’t need to install the Identity Manager engine on this same machine. Using a Remote Loader, you can separate the engine and the driver shim, allowing you to balance the load on different machines or accommodate corporate directives.

The installation scenario you select determines how the driver shim is installed. If you choose to install the driver shim on the same machine as Identity Manager (where the Identity Manager engine and the Identity Vault are located), Identity Manager calls the driver shim directly. If you choose to install the driver shim on another machine, you must use the Remote Loader.

You can install the Active Directory driver on either the domain controller or a member server. Before you start the driver installation, determine where you want to install the driver.

2.2.1 Local Installation

A single Windows domain controller can host the Identity Vault, the Identity Manager engine, and the driver.

Figure 2-1 All Components on the Domain Controller

This configuration works well for organizations that want to save on hardware costs. It is also the highest-performance configuration because there is no network traffic between Identity Manager and Active Directory.

However, hosting the Identity Vault and the Identity Manager engine on the domain controller increases the overall load on the controller and increases the risk that the controller might fail. Because domain controllers play a critical role in Microsoft networking, many organizations are more concerned about the speed of domain authentication and the risks associated with a domain controller failure than about the cost of additional hardware.

2.2.2 Remote Installation on Windows Server Only

You can install the Identity Vault, the Identity Manager engine, and the driver on a computer other than the Active Directory domain controller.

Figure 2-2 All Components on a Windows Server

This configuration fits best when your corporate policy disallows running the driver on your domain controller, because it places no Identity Manager software on the domain controller.

2.2.3 Remote Installation on Windows and Other Platforms

You can install the Remote Loader and the driver shim on the Active Directory domain controller, but install the Identity Vault and the Identity Manager engine on a different server.

Figure 2-3 Remote Loader and Driver on the Domain Controller

This configuration fits best when you require the Identity Vault and the Identity Manager engine to be installed on a platform other than one of the supported versions of Windows.

Both types of remote installations eliminate the performance impact of hosting the Identity Vault and the Identity Manager engine on the domain controller.

2.2.4 Remote Installation on a Windows Member Server

If you have both platform requirements and domain controller restrictions in place, you can use a three-server configuration.

Figure 2-4 Remote Loader and Driver on a Windows Server

This configuration fits best when your corporate policy disallows running the driver on your domain controller and your Identity Manager engine is not installed on a supported Windows server.