Manual Transfer ID process eDirectory 8.7.x Linux to 8.8.x Linux

  • 7012029
  • 26-Mar-2013
  • 28-Mar-2013

Environment

Novell eDirectory 8.7.3.10 for Linux
NetIQ eDirectory 8.8.x for Linux

Situation

What is the manual eDirectory transfer ID process?

Resolution

This process will migrate eDirectory 8.7.3.10 from one Linux server to another server running eDirectory 8.8.7. The new server will assume the identity of the old server when the process is completed successfully. This process does not take into account any OES services running on the Linux server, such as NSS volumes, LUM, etc. If you want to migrate all your OES services, you need to use the MIGGUI utility that is part of OES. However, this process can be used to transfer the ID from one OES server to another if the transfer ID fails with MIGGUI. You will then have to verify your OES services and reconfigure them as needed.

This process is a more detailed version of the process documented in section “8.2 Migrating to eDirectory 8.8 SP7 Without Upgrading the Operating System” of the eDirectory 8.8.7 documentation. (https://www.netiq.com/documentation/edir88/pdfdoc/edirin88/edirin88.pdf)

The commands outlined in this document are specific to an 8.7.3.10 Linux to 8.8.7 Linux migration. This document has not been tested for an 8.8.x to 8.8.x migration.

Preparatory Steps:

  1. Install your target server into a temp tree using all the default paths, to get eDirectory on the server and running. (This assumes that nds.conf is in /etc/opt/novell/eDirectory/conf and the eDirectory dib is in /var/opt/novell/eDirectory/data/dib, which are the default paths on our target server. The process should still work if they are not, but you will have to modify the commands to use the corresponding directories.)

  2. Download a copy of the ndsrc.pl script from Cool Solutions. (https://www.novell.com/communities/node/1129/ndsrc)

  3. Extract and copy the ndsrc.pl script over to your source server (using WinSCP or comparable) and then set the appropriate flags on the file so it will execute. (chmod 777 ndsrc.pl)

  4. It is always a good idea to keep a copy of the customizations made to your server object and related objects in case there is a problem or mistake and those objects are removed. Examples are attribute mappings on your LDAP group object for the server, your custom indexes on the NCP file server object, and any custom trustee assignments on the NCP file server or related objects.

  5. This process assumes that you are logged in as root on the source and target servers.

Source Server:

  1. Run a repair local database on the source server to clean up the database and prepare the server for migration. (ndsrepair -R)

  2. Back up the nds files using ndsrc.pl on the source server. (ndsrc.pl) This creates two files in the /root/ directory, one edir-... and one nici-.... Copy those files off the server.

  3. Shut down the source server.

Target Server:

  1. Copy the files to the target server and extract them. In this example I copied them to /root/mig/. Then I used tar xvf edir-<filename> to extract the edir file and tar xvf nici-<filename> for the nici file.

  2. Make a backup of the nds.conf file (cp /etc/opt/novell/eDirectory/conf/nds.conf /etc/opt/novell/eDirectory/conf/nds.conf.bak)

  3. Stop ndsd (rcndsd stop)

  4. Reconfigure the network address to match the source server (yast, network devices), and verify with ifconfig.

  5. Edit the nds.conf file to reflect the information from the source server. (Leave directory path locations in the default locations you used for 8.8.7, but verify and change any server names, server contexts, tree names, etc. to match the source server.) (vi /etc/opt/novell/eDirectory/conf/nds.conf) It is a good idea to have a printout of the existing nds.conf file from the source server to verify and transfer the settings, including custom settings such as max threads (if over 256), to the new server. Even though you may want to adjust those settings on the new server, it is a good idea to start with them. The nds.conf file from your source server will be in /root/mig/etc/nds.conf (from your edir-... file extracted in step 3 above).

  6. Delete the files in the existing dib on the server (rm /var/opt/novell/eDirectory/data/dib/*.*). It will give some errors on the directories in there.

  7. Copy the eDirectory dib from the backup location to the correct location. (cp /root/mig/var/nds/dib/*.* /var/opt/novell/eDirectory/data/dib) It will give errors on omitting the nds.rfl directory.

  8. Copy the Roll forward log over from the backup directory (cp /root/mig/var/nds/dib/nds.rfl/*.* /var/opt/novell/eDirectory/data/dib/nds.rfl)

  9. Copy the backup nici directory in place. (cp /root/mig/var/novell/nici/*.* /var/opt/novell/nici)

  10. Verify the symbolic link is still in place from /var/novell/nici to /var/opt/novell/nici (ls -l /var/novell). If it is missing, it needs to be replaced, but it should be there.

  11. Start ndsd (rcndsd start) (you will get errors)

  12. Replace ndspath. (. /opt/novell/eDirectory/bin/ndspath)

  13. Upgrade the certificates with ndsconfig upgrade. (ndsconfig upgrade) You may get errors on conflicting ports. Simply roll the ports up one for the time being. (8029,8031) This adds two lines in the nds.conf, which I deleted later. (http.server.clear-port=8029, http.server.tls-port=8031)

  14. Restart ndsd. (rcndsd restart)

  15. Verify that ldap is listening and working with an ldap browser or other tool.

  16. Verify and adjust the eDirectory cache settings. (64-bit: the eDir hard cache limit should be the size of the dib or larger with 200MB MIN; MAX depends upon the RAM in the server. 32-bit: the eDir hard cache limit should be slightly larger than the size of the dib with limits of 200MB MIN – 512MB MAX.) It is recommended to adjust the eDirectory cache in iMonitor (https://<IPAddressOfServer>:8030) under Agent Configuration, Database Cache. You can see the DIB size of the server there and adjust the cache accordingly. It is always recommended to restart ndsd after adjusting the cache settings, so memory is allocated in one contiguous chunk and is not fragmented.

  17. Monitor eDirectory threads and adjust if needed. (ndstrace -c threads, look at the peak on the pool workers line) (Default max threads in eDirectory 8.8.7 is 256, which should be sufficient for 99.5% of all servers) Use “ndsconfig get” to see the current settings.

  18. Once the migration is complete, delete the temporary directory you used for the process. (rm -r /root/mig)

!! Post Migration Caution !! Once the migration is complete and the destination server is up and running, Disable / Destroy / Fdisk your source server. It must NEVER come back up on the network again. Doing so will cause corruption in your eDirectory tree, which may be irreversible.
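
An added check for steps 7 to 9, not part of the original TID: `*.*` matches only names that contain a dot and `cp` without `-r` skips directories, so this script compares a backup directory with its destination and lists anything that did not arrive. The helper names `verify_copy` and `build_sample` are hypothetical and the sample tree and file names are constructed; on a real target, run `verify_copy` on each /root/mig source directory and its live counterpart before starting ndsd in step 11.

```shell
#!/bin/sh
# Added example, not part of the TID. All file names below are constructed.

# verify_copy SRC DST [PREFIX]
# Reports every file or directory under SRC that is missing from DST or whose
# content differs. Exit status 0 means DST holds everything SRC holds.
verify_copy() (
    src=$1; dst=$2; prefix=${3:-}; rc=0
    for entry in "$src"/* "$src"/.[!.]*; do
        [ -e "$entry" ] || continue            # glob that matched nothing
        name=${entry##*/}
        if [ -d "$entry" ]; then
            if [ -d "$dst/$name" ]; then
                verify_copy "$entry" "$dst/$name" "$prefix$name/" || rc=1
            else
                echo "MISSING-DIR $prefix$name"; rc=1
            fi
        elif [ ! -e "$dst/$name" ]; then
            echo "MISSING $prefix$name"; rc=1
        elif ! cmp -s "$entry" "$dst/$name"; then
            echo "DIFFERS $prefix$name"; rc=1
        fi
    done
    exit "$rc"
)

# build_sample DIR: constructed stand-in for /root/mig and the target
# directories, populated with the same cp pattern as steps 7 and 9.
build_sample() {
    mkdir -p "$1/mig/dib/nds.rfl" "$1/mig/nici/0" "$1/dib/nds.rfl" "$1/nici"
    echo db   > "$1/mig/dib/nds.db"
    echo log  > "$1/mig/dib/nds.rfl/00000001.log"
    echo cfg  > "$1/mig/nici/sample.cfg"
    echo key  > "$1/mig/nici/samplekey"          # name without a dot
    echo user > "$1/mig/nici/0/sample.usr"       # file in a subdirectory
    cp "$1"/mig/dib/*.*  "$1/dib"  2>/dev/null || true   # cp skips nds.rfl
    cp "$1"/mig/nici/*.* "$1/nici" 2>/dev/null || true
}

work=$(mktemp -d)
build_sample "$work"
verify_copy "$work/mig/dib"  "$work/dib"  || echo "dib: copy incomplete"
verify_copy "$work/mig/nici" "$work/nici" || echo "nici: copy incomplete"
rm -rf "$work"
```

The copied NICI directory holds key material, so a silent gap there is worth catching before the old server is destroyed.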

Additional Information

Tested with
Source SLES9 OES1SP2 eDir 8.7.3.10 (32bit) to Destination SLES 11SP1 eDir 8.8.7 (32bit)
Source SLES9 OES1SP2 eDir 8.7.3.10 (32bit) to Destination SLES 11SP1 eDir 8.8.7 (64bit)