11.0 Using Migration Commands for Transfer ID

Before running Transfer ID, ensure you have met all the prerequisites and prepared your servers as described in Section 4.2, Preparing the Source Server for Migration and Section 4.3, Preparing the Target Server for Migration.

Before you begin, remember the following considerations:

To perform a Transfer ID using the CLI:

  1. eDirectory Precheck: Runs the prerequisites that must be completed for the Transfer ID scenario.

    1. Use the following command to do an eDirectory precheck:

      migedir -s <sourceipaddress> -u -A <projectpath> -i -t

      For example, /opt/novell/migration/sbin/migedir -s 172.16.100.101 -u -A /var/opt/novell/migration/NewProj0 -i -t

      When prompted, enter the username and password of the source server.

      This step can be executed multiple times to verify the health of the eDirectory tree. Execution of this step does not modify the source server and target server.

    2. Check the availability of the hostname and IP address on the source server. The hostname or IP address can be resolved using the DNS server or using the /etc/hosts file of the source server.

    3. The nam.conf file on the target server includes LUM settings that will be required later while performing the repair steps for migration. Create a backup of /etc/nam.conf file on the target server by executing the command: cp /etc/nam.conf <Project_path>/nam.conf.target.

      For example: cp /etc/nam.conf /var/opt/novell/migration/NewProj0/nam.conf.target

    4. If the source server is OES1 or OES2, create a backup of the /etc/nam.conf file of the source server.

    5. Retrieve and store the list of LUM enabled groups:

      (Conditional) If the source server is NetWare, enter

      ruby /opt/novell/migration/sbin/serveridswap/scripts/repair/nam-grpmod.rb -H <source short hostname> -a <admin dn> -S <ldap-server-ip> [--use-unsecure-ldap] [--ldap-port] -p <password> --grp <group FDN> -l <LUM enabled user and groups>

      The above command displays the list of groups that are LUM-enabled on the target server. These same groups must be LUM-enabled on completion of Transfer ID.

    6. (Conditional) If the source server is OES 1 or OES 2, ensure that the ssh keys are copied to avoid multiple prompts for the password on execution of this step.

      To copy the ssh keys:

      1. Enable ssh on the source server and target server.

      2. Enter the command on the target server, # ssh-keygen -t rsa

        On executing the above command, you are prompted for the following:

        1. Enter file in which to save the key (/root/.ssh/id_rsa), press Enter.

          The ssh keys are stored in the default location.

        2. Enter passphrase (empty for no passphrase), press Enter.

          We recommend that you do not include a passphrase.

      3. Copy the key value (that is, the output of the above command) to the source server:

        # scp ~/.ssh/id_rsa.pub root@<source-server>:/tmp

      4. Log in to the source server using ssh and add the key value to the list of authenticated keys.

        cat /tmp/id_rsa.pub >> /root/.ssh/authorized_keys

  2. Preparation: Removes the eDirectory from the target server. The LUM association with the groups and users is no longer available because the Unix Workstation object is also removed.

    1. To remove the Unix Workstation object on the target server, enter

      /usr/bin/namconfig rm -a admindn

    2. To remove eDirectory from the target server, enter

      /opt/novell/eDirectory/bin/ndsconfig rm -c -a "admin" -w ADM_PASSWD --config-file /etc/opt/novell/eDirectory/conf/nds.conf

    3. To verify the health of the eDirectory and to ensure that both the source server and target server are time-synchronized, enter

      migedir -s <sourceipaddress> -u -A <projectpath> -i -t

      For example, /opt/novell/migration/sbin/migedir -s 172.16.100.101 -u -A /var/opt/novell/migration/NewProj0 -i -t

      NOTE: When prompted, enter the username and password of the source server.

  3. DIB Copy: Creates a backup of the eDirectory DIB (Directory Information Base) of the source server on to the target server. This step locks the DIB of the source server and further operations are not permitted on the source server.

    migedir -s <source-server-ip> -u -A <logfile directory> -i -B

    For example, /opt/novell/migration/sbin/migedir -s 172.16.100.101 -u -A /var/opt/novell/migration/NewProj0 -i -B

    On running the above command, you are prompted for the username and password of the source server. Enter the admin credentials when prompted.

    IMPORTANT: This command fails to execute if the replica ring is not in sync, or the time is not synchronized between all the servers in the replica ring.

    NOTE: If you need to perform any operations on the source server, you must unlock the DIB. To unlock the DIB on the NetWare server, reload the DS.nlm file; on the OES 1 Linux server or OES 2 Linux server, restart the ndsd daemon.

  4. Shutdown Source: You need to shut down the source server and disconnect it from the network.

  5. DIB Restore: Restores the eDirectory database that was backed up from the source server in Step 3 on the target server. This includes the NICI keys and the DIB identity.

    IMPORTANT: Ensure that you back up the target eDirectory database and NICI keys. See Section 11.1, Backup eDirectory Database and NICI Keys for more information.

    1. At the command prompt of the target server, enter

      migedir -R

      On running the above command, you will be prompted for the administrator credentials for the source server.

      WARNING: If the backup in Step 3 was not successful, the DIB Restore step fails. A failure at this point may cause the eDirectory service on the target server to be unusable.

  6. IP Address Change: The IP address of the target server and its services is changed to the source server IP address.

    WARNING: If you are executing the Migration GUI by using a remote session, the Transfer ID wizard hangs and fails to proceed.

    The scripts to be executed in this step are located in the /opt/novell/migration/sbin/serveridswap/scripts/ipchange/nonplugin folder.

    • To change the IP address of the server, in the /opt/novell/migration/sbin/serveridswap/scripts/ipchange folder, enter

      ruby server-yast-ipchange.rb --old-ip <target_server IP> --ip <source_serverIP>

      For example, ruby server-yast-ipchange.rb --old-ip 172.16.200.201 --ip 172.16.100.101

    • The nonplugin folder contains a list of scripts that need to be executed for changing the IP address. For example, to change the IP address of the services on the target server, use the iprintipchange.sh script. In the /opt/novell/migration/sbin/serveridswap/scripts/ipchange/nonplugin folder, enter

      <server-script> <target_server IP> <source_server IP> <source_server IP> <source_server IP>

      For example, iprintipchange.sh 172.16.200.201 172.16.100.101 172.16.100.101 172.16.100.101

      If you want to execute any additional scripts, copy them to the /ipchange/nonplugin folder in the same pattern as the existing scripts.

      WARNING: If the script fails to change the IP address, or if you terminate the operation manually, the system may hang. If a service-specific IP address script fails to change the IP address, replace the <service>.conf file with the <service>.orig file. For example, if eDirectory authentication fails on completion of the IP Change step, do the following:

      cp /etc/opt/novell/eDirectory/conf/nds.conf.orig /etc/opt/novell/eDirectory/conf/nds.conf
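
Added example (not part of the original guide or the Migration Tool): a shell check to run after the IP Address Change step that lists service .conf files still containing the target server's old IP address, together with the .orig backup the WARNING above says to restore from. The function names and the sample tree with its file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: after the IP Address Change step, list service *.conf files
# that still contain the target server's old IP, with the .orig backup (if
# any) that the guide says to restore from.

# stale_ip_files OLD_IP DIR...
# Prints "<conf file><TAB><backup or 'none'>" per matching file.
stale_ip_files() {
    old_ip=$1; shift
    # Escape the dots so they match literally, not "any character".
    pattern=$(printf '%s' "$old_ip" | sed 's/\./\\./g')
    # *.orig files are skipped by the name filter: they hold the old IP by design.
    find "$@" -type f -name '*.conf' | sort | while IFS= read -r conf; do
        # Digit boundaries keep 172.16.200.201 from matching 172.16.200.2011.
        grep -Eq "(^|[^0-9])${pattern}([^0-9]|\$)" "$conf" || continue
        backup=none
        # Both backup names used on this page: nds.conf.orig and iprint_ssl.orig.
        for cand in "$conf.orig" "${conf%.conf}.orig"; do
            if [ -f "$cand" ]; then backup=$cand; break; fi
        done
        printf '%s\t%s\n' "$conf" "$backup"
    done
}

# Constructed sample tree; file contents are illustrative only.
make_sample_tree() {
    mkdir -p "$1/eDirectory/conf" "$1/iprint/httpd/conf" "$1/other"
    echo 'n4u.server.interfaces=172.16.200.201@524' > "$1/eDirectory/conf/nds.conf"
    cp "$1/eDirectory/conf/nds.conf" "$1/eDirectory/conf/nds.conf.orig"
    echo 'Listen 172.16.200.201:443' > "$1/iprint/httpd/conf/iprint_ssl.conf"
    cp "$1/iprint/httpd/conf/iprint_ssl.conf" "$1/iprint/httpd/conf/iprint_ssl.orig"
    # Already updated service, plus a look-alike token that must not match.
    printf 'addr=172.16.100.101\nbuild=172.16.200.2011\n' > "$1/other/svc.conf"
}

demo=$(mktemp -d)
make_sample_tree "$demo"
stale_ip_files 172.16.200.201 "$demo"
rm -rf "$demo"
```

A file reported here is a candidate for inspection: its IP change script either did not run or did not complete.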

  7. Host Name Change: The hostname of the services is changed to the source server hostname.

    • To change the hostname of the server and the services, go to the /opt/novell/migration/sbin/serveridswap/scripts/hostchange folder and enter

      <hostname-script> <targethostname> <sourcehostname>

      For example, server-hostname-change.sh aus-market201.marketing.com aus-market101.marketing.com

    If you want to execute any additional scripts, copy them to the nonplugin folder in the same pattern as the existing scripts.

    For example, ./iprinthostchange.sh oldhostname newhostname oldmasterhostname newmasterhostname

    where oldhostname is the old server host name and newhostname is the new server host name. The master hostname is the hostname of the master server in the eDirectory tree. The oldmasterhostname and newmasterhostname can be the same if the master hostname is not changed on performing Transfer ID migration.

    WARNING: If the script fails to change the hostname, or if you terminate the operation manually, the system may hang. If a service-specific hostname script fails to change the hostname, replace the <service>.conf file with the <service>.orig file. For example, if iPrint authentication fails on completion of the Hostname Change step, do the following:

    cp /etc/opt/novell/iprint/httpd/conf/iprint_ssl.orig /etc/opt/novell/iprint/httpd/conf/iprint_ssl.conf

  8. Reinitialize Server: Reinitialize the target server with the IP address and hostname of the source server. In this step, eDirectory is also restarted.

    • To reinitialize the server, enter

      /etc/init.d/network restart

    • To restart eDirectory, enter

      /etc/init.d/ndsd restart

    Next, you need to repair eDirectory, certificates for the server, LUM, and other OES services on the target server.

  9. Repair: Performs repair of eDirectory, certificates, LUM, and services on the target server. The ndsrepair command is used to perform eDirectory repair. The service-specific repairs run only for services that were migrated using the current project.

    1. eDirectory: Performs repair of eDirectory.

      To repair eDirectory, enter

      /opt/novell/eDirectory/bin/ndsrepair -U

      To restart eDirectory, enter

      /etc/init.d/ndsd restart

    2. Repair Certificates: To create the SAS object, enter

      /opt/novell/eDirectory/bin/ndsconfig add -m sas -a <admin dn> --config-file /etc/opt/novell/eDirectory/conf/nds.conf

      This step also repairs the certificates for the server and eDirectory.

      1. To regenerate the certificate on the target server, enter

        /opt/novell/oes-install/util/getSSCert -a <new ip address> -t <treename> -u <admindn>

        For example, /opt/novell/oes-install/util/getSSCert -a 172.16.100.101 -t TESTTREE -u cn=admin,o=novell

        You are prompted for the password of the administrator.

      2. To convert the certificate to the pem format, enter

        openssl x509 -inform der -in /etc/opt/novell/certs/SSCert.der -outform pem -out /etc/opt/novell/certs/SSCert.pem

      3. To verify the health of eDirectory, enter

        ndscheck -h <target-newip> -a <admin dn> -w <adminpass> -F <log directory path>

        Next, you need to LUM enable the target server.

      4. (Conditional) To remove the existing nam.conf, enter

        rm /etc/nam.conf

    3. LUM: Create or modify the existing Unix Workstation object:

      • If the source server is NetWare, a new Unix Workstation object is created. Enter the following command:

        ruby /opt/novell/migration/sbin/serveridswap/scripts/repair/nam-reconf.rb -a <admin dn> -p <admin password> -S <ldap-server-ip> -u <Unix_config_object-dn>

        where Unix_config_object-dn is the value of the base-name parameter in the nam.conf file. A backup of the file was created in Step 1.c.

        ldap-server-ip is the value of the preferred-server parameter in the nam.conf.target file.

        NOTE: If the value of the preferred-server parameter is the same as the IP address of the target server, then the value of the ldap-server-ip must be the same as the IP address of either the source server or the appropriate LDAP server.

      • If the source server is OES 1 Linux or OES 2 Linux, the Unix workstation object is retained. To modify the Unix workstation object, enter the following command:

        ruby /opt/novell/migration/sbin/serveridswap/scripts/repair/nam-reconf.rb -a <admin dn> -p <admin password> -S <ldap-server-ip> --ldap-port <port number> -u <Unix_config_object-dn>

        where Unix_config_object-dn is the value of the base-name parameter in the nam.conf file. A backup of the file was created in Step 1.d.

        ldap-server-ip is the value of the preferred-server parameter in the nam.conf.target file.
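
Added example (not from the original guide or the Migration Tool): a shell helper that reads the nam.conf.target backup and derives the -u and -S values for nam-reconf.rb, applying the NOTE above about preferred-server. It assumes nam.conf holds one key=value pair per line; the function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example: derive the -u and -S values for nam-reconf.rb from the
# nam.conf.target backup. Assumes one "key=value" pair per line.

# nam_value FILE KEY: print the value of KEY. Splits on the FIRST '=' only,
# because values such as "o=novell" contain '=' themselves.
nam_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            pos = index($0, "=")
            if (pos == 0) next                   # not a key=value line
            k = substr($0, 1, pos - 1)
            v = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)       # trim whitespace
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; found = 1; exit }
        }
        END { if (!found) exit 1 }               # missing key is an error
    ' "$1"
}

# ldap_server_for_reconf FILE TARGET_OLD_IP SOURCE_IP
# If preferred-server is the target server's own pre-transfer address, fall
# back to the source server IP (one of the two choices the NOTE allows).
ldap_server_for_reconf() {
    pref=$(nam_value "$1" preferred-server) || return 1
    if [ "$pref" = "$2" ]; then
        printf '%s\n' "$3"
    else
        printf '%s\n' "$pref"
    fi
}

# Constructed sample file, not taken from a real server.
write_sample_nam_conf() {
    cat > "$1" <<'EOF'
# constructed nam.conf.target
base-name=o=novell
preferred-server=172.16.200.201
EOF
}

sample=$(mktemp)
write_sample_nam_conf "$sample"
echo "-S $(ldap_server_for_reconf "$sample" 172.16.200.201 172.16.100.101)" \
     "-u $(nam_value "$sample" base-name)"
rm -f "$sample"
```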

      1. To copy the certificate for LUM operations, enter

        cp /etc/opt/novell/certs/SSCert.der /var/lib/novell-lum/.<targetnew_ipaddress>.der

        For example, cp /etc/opt/novell/certs/SSCert.der /var/lib/novell-lum/.172.16.100.101.der

      2. (Conditional) If the source server is NetWare, run the command to modify the users and groups listed in Step 1.e:

        1. ruby /opt/novell/migration/sbin/serveridswap/scripts/repair/nam-grpmod.rb -H <source short hostname> -a <admin dn> -S <ldap-server-ip> [--use-unsecure-ldap] [--ldap-port] -p <password> --grp <group FDN> -l <LUM enabled user and groups> [--check]

          ldap-server-ip is the value of the preferred-server parameter in the nam.conf.target file.

          Parameters            Description
          -H                    Specify the hostname of the source server.
          -a                    Specify the administrator’s name in LDAP format.
          -S                    Specify the IP address of the preferred LDAP eDirectory server.
          --use-unsecure-ldap   Specify unsecure LDAP for all LDAP commands.
          --ldap-port           Specify the port for LDAP server to listen on.
          -p                    Specify the administrator’s password.
          --grp                 Specify the group to be modified.
          -l                    Specify the list of LUM enabled user and groups in fully distinguished format.
          --check               Verify LUM enabled users and groups.

          When prompted, enter the password for the administrator.

      3. (Conditional) If the source server is OES 1 Linux or OES 2 Linux, modify the users and groups by entering the following command:

        ruby /opt/novell/migration/sbin/serveridswap/scripts/repair/nam-fix.rb -H <source short hostname> -a <admin dn> -p<password>

      4. Refresh the LUM cache: run /usr/bin/namconfig cache_refresh to rebuild the LUM cache.

      5. (Conditional) If the source server is an OES Linux server, enter

        chown -R wwwrun:www /var/opt/novell/nici/30

    4. Services: The scripts are executed for the services that are migrated before performing Transfer ID.

      • To repair File System, enter

        /opt/novell/migration/sbin/serveridswap/scripts/repair/volrepair.rb -a <admin name in ldap format> -p <password> -f <project_path>/fs

        A return value 0 indicates success.

      • To repair iPrint service, enter

        /opt/novell/migration/sbin/serveridswap/scripts/repair/iprintrepair.sh -s <source server IP> -u <admin name in ldap format> -T -L -p <ssl port> -S

        Specify the -S option only when the LDAP server is configured for SSL, and specify the SSL port only if it is configured.

      • To repair CIFS service, enter

        sh /opt/novell/migration/sbin/migcifs.sh -s <source server IP> -p <port> -a <admin name> {-f 1 <if ssl> | -f 0 <non-ssl>} -t <tree name> -d <target server IP> -q <port> -b <admin name> {-g 1 <if ssl> | -g 0 <non-ssl>} -m <project_path>/cifs/cifsSourceShares.tmp -S 3 -r

        A return value 0 indicates success.

    5. Others: Execute the repair scripts for the services that are not included in the plug-ins of the Migration Tool.

      • To repair NetStorage, enter the following commands

        /opt/novell/xtier/bin/xsrvcfg -D

        /opt/novell/xtier/bin/xsrvcfg -d <ipaddress> -c <context>

        where context is the value of the attribute CONFIG_XTIER_USERS_CONTEXT in /etc/sysconfig/novell/netstore2_sp3 file.

        /usr/sbin/rcnovell-xregd restart

        /usr/sbin/rcapache2 restart

  10. Restart Server: Restart the target server for the changes to take effect.

    On successful completion of the Transfer ID migration, the target server functions with the source server’s eDirectory identity.