11.0 Using Migration Commands for Transfer ID

Before running Transfer ID, ensure you have met all the prerequisites and prepared your servers as described in Preparing the Source Server for Migration and Preparing the Target Server for Migration.

Before you begin, remember the following considerations:

  • All the services you need must be migrated to the target server.

  • When you start the Transfer ID process, you cannot perform any operations on the source server because the process locks the DIB (eDirectory database) on the source server.

To perform Transfer ID, run all of the following commands on the target server:

  1. eDirectory Precheck: Checks the prerequisites for the Transfer ID scenario.

    1. Use the following command to do an eDirectory precheck:

      migedir -s <sourceipaddress> -u -A <projectpath> -i -t

      For example, /opt/novell/migration/sbin/migedir -s 172.16.100.101 -u -A /var/opt/novell/migration/NewProj0 -i -t

      When prompted, enter the username and password of the source server.

      This step can be executed multiple times to verify the health of the eDirectory tree; it does not modify the source or target server.

    2. Verify that the hostname and IP address of the source server resolve, either through the DNS server or through the /etc/hosts file on the source server (OES Linux).

    3. The nam.conf file on the target server holds LUM settings that the repair steps need later. Create a backup of the /etc/nam.conf file on the target server by executing the command: cp /etc/nam.conf <Project_path>/nam.conf.target.

      For example: cp /etc/nam.conf /var/opt/novell/migration/NewProj0/nam.conf.target

    4. If the source server is OES, create a backup of the /etc/nam.conf file of the source server.

    5. (Conditional) In an Active Directory environment, copy the following files from the source server to the migration project location on the target server, for example /var/opt/novell/migration/NewProj0/. Note that /etc/krb5.keytab contains the server's Kerberos keys; keep the copy readable by root only.

      • /etc/krb5.conf

      • /etc/krb5.keytab

      • /etc/resolv.conf

      • /etc/opt/novell/nit/nitd.conf

    6. Retrieve and store the list of LUM enabled groups:

      (Conditional) If the source server is NetWare, enter

      ruby /opt/novell/migration/sbin/serveridswap/scripts/repair/nam-grpmod.rb -H <target server short hostname> -a <admindn> -S <ldap-server-ip> --ldap-port <port number> -p <password> -l

      The above command displays the list of groups that are LUM-enabled on the target server. The same groups must be LUM-enabled when Transfer ID completes. Be aware that a password passed with -p is visible in shell history and in process listings on the server.

    7. If the source server is OES, set up ssh keys so that copying files from the source server in the following steps does not prompt repeatedly for the root password.

      To set up the ssh keys:

      1. Enable ssh on the source server and target server.

      2. Enter the command on the target server, # ssh-keygen -t rsa

        On executing the above command, you are prompted for the following:

        1. Enter file in which to save the key (/root/.ssh/id_rsa), press Enter.

          The ssh keys are stored in the default location.

        2. Enter passphrase (empty for no passphrase), press Enter.

          Leave the passphrase empty so that the later steps that copy files from the source server can run without prompting for it.

      3. Copy the public key, i.e. the id_rsa.pub file generated by the above command, to the source server:

        # scp ~/.ssh/id_rsa.pub root@<source-server>:/tmp

      4. Log in to the source server over ssh and append the key to the list of authorized keys:

        cat /tmp/id_rsa.pub >> /root/.ssh/authorized_keys

    8. If the source server is OES, copy the .nss.dat file to the target server. This file stores the NSS user context information of the source server and is required when you repair the NSS admin object.

      Enter the command on the target server,

      scp <Source-IP>:/var/opt/novell/nss/.nss.dat /tmp/
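The `cat /tmp/id_rsa.pub >> /root/.ssh/authorized_keys` line in sub-step 7 of the eDirectory Precheck (the ssh key setup) works, but it appends a duplicate every time the step is re-run, does not create /root/.ssh if it is missing, and leaves the file modes to the umask, which sshd's default StrictModes will reject if they are too open. The following is an added example, not part of the OES documentation or the Migration Tool: a POSIX sh function that does the same installation idempotently, sets the modes sshd expects, and refuses input that is not an OpenSSH public key (for example a private key copied by mistake). The function names and the sample key used in the test are ours.

```shell
#!/bin/sh
# Added example, not from the OES documentation: install the migration
# public key into authorized_keys on the SOURCE server as sub-step 7 of the
# precheck does, but idempotently and with the permissions sshd requires.
# Function names are ours; sshd itself is not touched.

# install_authorized_key PUBKEY_FILE HOME_DIR
#   Appends the key line in PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys
#   unless that exact line is already there. Returns 1 if PUBKEY_FILE is
#   not an OpenSSH public key (for example a private key copied by mistake).
install_authorized_key() {
    pub=$1
    ssh_dir=$2/.ssh
    auth=$ssh_dir/authorized_keys

    key=$(head -n 1 "$pub")
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key: $pub" >&2; return 1 ;;
    esac

    # sshd (StrictModes, the default) ignores authorized_keys when .ssh or
    # the file itself is group or world writable, so set the modes explicitly.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth"
    chmod 600 "$auth"

    # Re-running the migration step must not add the key a second time.
    if ! grep -qxF -- "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
}

# authorized_key_count HOME_DIR -> number of key lines in authorized_keys
authorized_key_count() {
    grep -cE '^(ssh-|ecdsa-sha2-)' "$1/.ssh/authorized_keys" 2>/dev/null || true
}

# Usage on the source server, after scp'ing the key to /tmp as in sub-step 7:
#   install_authorized_key /tmp/id_rsa.pub /root
```

Run it in place of the `cat >> authorized_keys` line; re-running it after a retried precheck is harmless, and a wrong file (the private key, an empty file) is rejected instead of being granted root login.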

  2. Preparation: Removes eDirectory from the target server. The LUM association with groups and users is no longer available because the Unix Workstation object is also removed. In an AD environment, the target server leaves the AD domain.

    1. (Conditional) In an Active Directory environment, execute the following command:

      1. /opt/novell/xad/bin/kinit Administrator@<ad domain name>

        This command prompts for the administrator password.

        IMPORTANT: kinit obtains and caches a Kerberos ticket-granting ticket (TGT). You must hold a ticket before performing any AD domain related operation.

      2. The target server must leave the AD domain. Execute the following command:

        /opt/novell/bin/novell-ad-util --leave-domain

        For more information, see --leave-domain in the NSS AD Administration Guide.

    2. To remove the Unix Workstation object on the target server, enter

      /usr/bin/namconfig rm -a <admindn>

      For an SSL connection, add the -l option and specify the port; the default SSL port is 636.

    3. To remove eDirectory from the target server, enter

      /opt/novell/eDirectory/bin/ndsconfig rm -c -a <admindn.novell> -w ADM_PASSWD --config-file /etc/opt/novell/eDirectory/conf/nds.conf

      Use dot format when passing values for -a option. For example, -a admin.novell

    4. To verify the health of the eDirectory and to ensure that both the source server and target server are time-synchronized, enter

      migedir -s <sourceipaddress> -u -A <projectpath> -i -t

      For example, /opt/novell/migration/sbin/migedir -s 172.16.100.101 -u -A /var/opt/novell/migration/NewProj0 -i -t

      When prompted, enter the username and password of the source server.

    5. To perform common proxy migration, see Pre-Migration Procedure.

  3. DIB Copy: Creates a backup of the eDirectory DIB (Directory Information Base) of the source server on the target server. This step locks the DIB of the source server; no further operations are permitted on the source server until it is unlocked.

    migedir -s <source-server-ip> -u -A <projectpath> -i -B

    For example, /opt/novell/migration/sbin/migedir -s 172.16.100.101 -u -A /var/opt/novell/migration/NewProj0 -i -B

    On running the above command, you are prompted for the username and password of the source server; enter the admin credentials.

    IMPORTANT: This command fails if the replica ring is not in sync or if time is not synchronized between all the servers in the replica ring.

    NOTE: If you need to perform any operations on the source server after this step, you must first unlock the DIB.

  4. Shutdown Source: Shut down the source server. The target server takes over the source server's IP address and hostname in the following steps, so the source must stay down to avoid an address and name conflict on the network.

  5. DIB Restore: Restores on the target server the eDirectory database that was backed up from the source server in Step 3, including the NICI keys and the DIB identity.

    IMPORTANT: Back up the target server's eDirectory database and NICI keys before this step; see Backup eDirectory Database and NICI Keys for more information.

    1. At the command prompt of the target server, enter

      migedir -R

      For example, /opt/novell/migration/sbin/migedir -R

      On running the above command, you will be prompted for the administrator credentials for the source server.

      WARNING: If the backup in Step 3 was not successful, the DIB Restore step fails. A failure at this point may leave the eDirectory service on the target server unusable.

  6. IP Address Change: The IP address of the target server and its services is changed to the source server IP address.

    The scripts to be executed in this step are located in the /opt/novell/migration/sbin/serveridswap/scripts/ipchange and /opt/novell/migration/sbin/serveridswap/scripts/ipchange/nonplugin folders.

    • To change the IP address of the server, go to the /opt/novell/migration/sbin/serveridswap/scripts/ipchange folder and enter

      ruby server-yast-ipchange.rb --old-ip <target_server IP> --ip <source_serverIP>

      For example, ruby server-yast-ipchange.rb --old-ip 172.16.200.201 --ip 172.16.100.101

    • The ipchange folder contains the scripts that must be executed to change the IP address. For example, to change the IP address of the services on the target server using the iprintipchange.sh script, enter the following in the /opt/novell/migration/sbin/serveridswap/scripts/ipchange/nonplugin folder:

      <server-script> <target_server IP> <source_server IP> <source_server IP> <source_server IP>

      For example, iprintipchange.sh 172.16.200.201 172.16.100.101 172.16.100.101 172.16.100.101

      You also need to run the remaining scripts for other services in the same manner.

      WARNING: If a script fails to change the IP address, or you terminate it manually, the system may hang. If a service-specific IP address script fails to change the IP address, replace the <service>.conf file with the <service>.orig file. For example, if eDirectory authentication fails after the IP Change step, do the following:

      cp /etc/opt/novell/eDirectory/conf/nds.conf.orig /etc/opt/novell/eDirectory/conf/nds.conf

    • To change the IP address in the configuration files of each service on the target server, enter the following in the /opt/novell/migration/sbin/serveridswap/scripts/ipchange/nonplugin folder:

      ipchange.sh <oldip> <newip> <oldremoteip> <newremoteip> yes

      Here, oldip is the IP address of the existing (target) server and newip is the new IP address assigned to it, that is, the source server's IP address. The oldremoteip is the IP address of the remote server that you used when installing the existing server into the eDirectory tree. If that remote address does not change, oldremoteip and newremoteip are the same.

      Example 11-1: ipchange.sh 172.16.200.201 172.16.100.101 172.16.200.200 172.16.200.200 yes

      If you want to execute any additional scripts, copy them to the /ipchange/nonplugin folder, following the same pattern as the existing scripts.

  7. Host Name Change: The hostname of the server and its services is changed to the source server hostname.

    1. To change the hostname of the server and the services, go to the /opt/novell/migration/sbin/serveridswap/scripts/hostchange folder and enter

      <hostname-script> <targethostname> <sourcehostname>

      For example, server-hostname-change.sh aus-market201.marketing.com aus-market101.marketing.com

    2. On the console, enter

      hostname <sourceserver_name>

      The above command sets the running hostname of the server; the new name appears in your prompt when you log in again.

      If you want to execute any additional scripts copy them to the nonplugin folder in the same pattern as the existing scripts.

      For example, ./iprinthostchange.sh oldhostname newhostname oldmasterhostname newmasterhostname

      where oldhostname is the old server host name and newhostname is the new server host name. The master hostname is the hostname of the master server in the eDirectory tree. The oldmasterhostname and newmasterhostname can be the same if the master hostname is not changed on performing Transfer ID migration.

      WARNING: If a script fails to change the hostname, or you terminate it manually, the system may hang. If a service-specific hostname script fails to change the hostname, replace the <service>.conf file with the <service>.orig file. For example, if iPrint authentication fails after the Hostname Change step, do the following:

      cp /etc/opt/novell/iprint/httpd/conf/iprint_ssl.orig /etc/opt/novell/iprint/httpd/conf/iprint_ssl.conf
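The WARNINGs in the IP Address Change and Host Name Change steps both prescribe the same rollback, copying <service>.orig back over <service>.conf, but the two examples the page gives use different naming: nds.conf.orig restores nds.conf, while iprint_ssl.orig restores iprint_ssl.conf. A server that is half-way through a failed ipchange or hostchange run can have a dozen such files under /etc. The following is an added example, not part of the OES documentation or the Migration Tool: a POSIX sh helper that finds every *.orig under the directories you name, derives the config file it backs up using both naming patterns, and by default only lists what it would restore; -f performs the copy. The function names are ours, and the files in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the OES documentation: roll back the service
# configuration files that a failed ipchange/hostchange script left behind.
# The WARNINGs in Steps 6 and 7 say to copy <service>.orig back over
# <service>.conf; the page's two examples name the backup differently
# (nds.conf.orig -> nds.conf, iprint_ssl.orig -> iprint_ssl.conf), so the
# target name is derived to cover both. Function names are ours.

# orig_target ORIG_PATH -> prints the config file that ORIG_PATH backs up
orig_target() {
    case $1 in
        *.conf.orig) printf '%s\n' "${1%.orig}" ;;       # nds.conf.orig
        *.orig)      printf '%s\n' "${1%.orig}.conf" ;;  # iprint_ssl.orig
        *) return 1 ;;
    esac
}

# restore_orig_configs [-f] DIR...
#   Lists (or, with -f, performs) the copy of every *.orig under DIR back
#   over its config file. Dry run by default, so you can see what a rollback
#   would touch before doing it on a server that may already be half-changed.
restore_orig_configs() {
    apply=0
    if [ "$1" = "-f" ]; then apply=1; shift; fi
    for dir in "$@"; do
        find "$dir" -type f -name '*.orig' | while IFS= read -r orig; do
            conf=$(orig_target "$orig")
            if [ "$apply" -eq 1 ]; then
                # -p keeps the mode and owner the service expects on its config
                cp -p "$orig" "$conf" && echo "restored $conf"
            else
                echo "would restore $conf from $orig"
            fi
        done
    done
}

# Usage after a failed IP or hostname change script, on the target server:
#   restore_orig_configs /etc/opt/novell        # list what would be restored
#   restore_orig_configs -f /etc/opt/novell     # restore
```

Restoring a .orig file reverts only that service's file; after a rollback you still rerun the corresponding ipchange or hostchange script once the cause of the failure is fixed.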

  8. Reinitialize Server: Reinitialize the target server with the IP address and hostname of the source server. In this step, eDirectory is also restarted.

    • To reinitialize the server's network configuration, enter

      systemctl restart network

    • To restart eDirectory, enter

      systemctl restart ndsd.service

    Next, you need to repair eDirectory, certificates for the server, LUM, and other OES services on the target server.

  9. Repair: Performs repair of eDirectory, certificates, LUM, and services on the target server. The ndsrepair command is used to perform eDirectory repair. The service-specific repairs run only for services that were migrated using the current project.

    1. eDirectory: Perform either an unattended full repair of eDirectory or a local eDirectory database and network repair.

      1. To perform unattended full repair of eDirectory, enter

        /opt/novell/eDirectory/bin/ndsrepair -U

        or

      2. To perform local eDirectory database and network repair

        /opt/novell/eDirectory/bin/ndsrepair -N

        /opt/novell/eDirectory/bin/ndsrepair -R

      3. To restart eDirectory, enter

        systemctl restart ndsd.service

      Fix all reported errors before proceeding to the next step.

    2. Repair Certificates: To create the SAS object, enter

      /opt/novell/eDirectory/bin/ndsconfig add -m sas -a <admin dn> --config-file /etc/opt/novell/eDirectory/conf/nds.conf

      1. To regenerate the certificate on the target server, enter

        /opt/novell/oes-install/util/getSSCert -a <new_ip_address> -t <treename> -u <admindn dot format> -x <password>

        For example, /opt/novell/oes-install/util/getSSCert -a 172.16.100.101 -t TESTTREE -u cn=admin.o=novell -x novell

        The regenerated SSCert.der certificate is stored at /etc/opt/novell/certs location.

      2. To convert the certificate to the pem format, enter

        openssl x509 -inform der -in /etc/opt/novell/certs/SSCert.der -outform pem -out /etc/opt/novell/certs/SSCert.pem

      3. To verify the health of eDirectory, enter

        ndscheck -h <new_ip_address> -a <admindn dot format> -w <adminpass> -F <Project_path>/ndscheck.log

        For example, ndscheck -h 172.16.100.101 -a cn=admin.o=novell -w novell -F /var/opt/novell/migration/Newproject1/ndscheck.log

        You must resolve all errors before proceeding to the next step. Back up the nam.conf file before proceeding.

      4. (Conditional) To remove the existing nam.conf, enter

        rm /etc/nam.conf

    3. LUM: Create or modify the existing Unix Workstation object:

      • If the source server is OES, the Unix workstation object is retained. To modify the Unix workstation object, enter the following command:

        ruby /opt/novell/migration/sbin/serveridswap/scripts/repair/nam-reconf.rb -a <admindn comma format> -p <admin password> -S <ldap-server-ip> --ldap-port <port number> -u <Unix_config_object-dn>

        where Unix_config_object-dn is the value of the base-name parameter in the nam.conf file. A backup of the file was created in Step 1.d.

        ldap-server-ip is the value of the preferred-server parameter in the nam.conf.target file.

        NOTE:If the value of the preferred-server parameter is the same as the IP address of the target server, then the value of the ldap-server-ip must be the same as the IP address of either the source server or the appropriate LDAP server.

        For example, ruby /opt/novell/migration/sbin/serveridswap/scripts/repair/nam-reconf.rb -a cn=admin,o=novell -p novell -S 172.16.200.201 --ldap-port 636 -u "o=novell"

      1. To copy the certificate for LUM operations, enter

        cp /etc/opt/novell/certs/SSCert.der /var/lib/novell-lum/.<new_ip_address>.der

        For example, cp /etc/opt/novell/certs/SSCert.der /var/lib/novell-lum/.172.16.100.101.der

      2. (Conditional) If the source server is NetWare, run the command to modify the users and groups listed in Step 1.f:

        ruby /opt/novell/migration/sbin/serveridswap/scripts/repair/nam-grpmod.rb -H <source short hostname> -a <admin dn> -S <ldap-server-ip> --ldap-port <port number> -p <password> --grp <group FDN> -l <LUM enabled user and groups> [--check]

        ldap-server-ip is the value of the preferred-server parameter in the nam.conf.target file.

        Parameter      Description
        -H             Hostname of the source server
        -a             Administrator name in LDAP format
        -S             IP address of the preferred LDAP eDirectory server
        --ldap-port    Port on which the LDAP server listens
        -p             Administrator password
        --grp          Group to be modified
        -l             List of LUM-enabled users and groups in fully distinguished format
        --check        Verify the LUM-enabled users and groups

        When prompted, enter the password for the administrator.

      3. (Conditional) If the source server is OES, modify the users and groups by entering the following command:

        ruby /opt/novell/migration/sbin/serveridswap/scripts/repair/nam-fix.rb -H <new_server short hostname> -a <admindn_comma_format> -p <password> -S <ldap-server-ip> --ldap-port <port number>

        For example, ruby /opt/novell/migration/sbin/serveridswap/scripts/repair/nam-fix.rb -H mark-nov101 -a cn=admin,o=novell -p novell -S 172.16.100.101 --ldap-port 636

      4. Refresh the LUM cache: run /usr/bin/namconfig cache_refresh to rebuild it.

      5. (Conditional) If the source server is an OES Linux server, enter

        chown -R wwwrun:www /var/opt/novell/nici/30

        This ownership change is required so that you can log in to iManager after Transfer ID.
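The nam-reconf.rb command in the LUM step takes two values that are not typed by hand but read from the backups made in the precheck: -u is the base-name parameter of the source server's nam.conf (Step 1.d) and -S is the preferred-server parameter of nam.conf.target (Step 1.c), with the NOTE's exception that a preferred-server equal to the target server's own old IP address must be replaced, because after the IP Address Change step that address no longer answers. The following is an added example, not part of the OES documentation or the Migration Tool, that reads both values and applies that rule. It assumes nam.conf is a file of key=value lines, which is how LUM writes it; the function names are ours, the sample files in the test are constructed, and the --ldap-port 636 it emits is the page's own example value. The password is left off the printed command line on purpose: add -p when you run it rather than keeping it in a script.

```shell
#!/bin/sh
# Added example, not part of the OES documentation: derive the arguments
# that the LUM repair step (nam-reconf.rb) needs from the nam.conf backups
# made in the precheck, and apply the NOTE about preferred-server.
# Assumes nam.conf consists of "key=value" lines; function names are ours.

# nam_conf_value FILE KEY -> prints the value of KEY, empty if absent.
nam_conf_value() {
    # first match wins; tolerate spaces around '=' and a trailing CR
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '\r'
}

# lum_ldap_server NAM_CONF_TARGET TARGET_OLD_IP SOURCE_IP
#   The -S value: preferred-server from the target's nam.conf backup, unless
#   that is the target's own retired IP, in which case the same server now
#   answers on the source IP (the identity the target took over).
lum_ldap_server() {
    ps=$(nam_conf_value "$1" preferred-server)
    [ -n "$ps" ] || { echo "preferred-server missing in $1" >&2; return 1; }
    if [ "$ps" = "$2" ]; then
        printf '%s\n' "$3"
    else
        printf '%s\n' "$ps"
    fi
}

# nam_reconf_args NAM_CONF_SOURCE NAM_CONF_TARGET TARGET_OLD_IP SOURCE_IP ADMIN_DN
#   Prints the nam-reconf.rb command line without -p; add the password when
#   you run it rather than leaving it in a script or shell history.
nam_reconf_args() {
    base=$(nam_conf_value "$1" base-name)
    [ -n "$base" ] || { echo "base-name missing in $1" >&2; return 1; }
    server=$(lum_ldap_server "$2" "$3" "$4") || return 1
    # 636 is the SSL port used in the page's example
    printf 'ruby /opt/novell/migration/sbin/serveridswap/scripts/repair/nam-reconf.rb -a %s -S %s --ldap-port 636 -u "%s"\n' \
        "$5" "$server" "$base"
}

# Usage on the target server, with the backups from the precheck:
#   nam_reconf_args /var/opt/novell/migration/NewProj0/nam.conf \
#       /var/opt/novell/migration/NewProj0/nam.conf.target \
#       172.16.200.201 172.16.100.101 cn=admin,o=novell
```

If either backup lacks the key the function fails loudly instead of emitting an empty -u or -S, which is the failure you otherwise discover only when nam-reconf.rb cannot find the Unix Config object.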

    4. To repair pool and volume objects, enter

      /opt/novell/migration/sbin/serveridswap/scripts/repair/volrepair.rb -a <admindn_comma_format> -p <password> -f <project_path>/fs

      For example, /opt/novell/migration/sbin/serveridswap/scripts/repair/volrepair.rb -a cn=admin,o=novell -p novell -f /var/opt/novell/migration/NewProj1/fs

    5. Services: The repair scripts are executed for the services that were migrated before performing Transfer ID.

      • To repair iPrint service, enter

        /opt/novell/migration/sbin/serveridswap/scripts/repair/iprintrepair.sh -s <new IP> -u <admindn comma format> -T <source type {-L|-N}> -p <ssl port> -S

        For example, /opt/novell...iprintrepair.sh -s 172.16.100.101 -u cn=admin,o=novell -T -L -p 636 -S

        Specify the -S option only when the LDAP server is configured for SSL, and specify the SSL port only if one is configured.

      • To repair CIFS service, enter

        sh /opt/novell/migration/sbin/migcifs.sh -s <new IP> -p <ssl port> -a <admindn_ldap_format> {-f 1 <if ssl> | -f 0 <non-ssl>} -t <tree name> -d <target server IP> -q <port> -b <admin name> {-g 1 <if ssl> | -g 0 <non-ssl>} -m <project_path>/cifs/cifsSourceShares.tmp -S 3 -r

    6. Others: Execute the repair scripts for the services that are not included in the plug-ins of the Migration Tool.

      • NSS Admin Object: To repair the NSS admin object, execute the following on the target server depending on the source server (NetWare or OES):

        /opt/novell/migration/sbin/serveridswap/scripts/repair/nss-adminrepair.sh -a <admindn dot format> -p <admin password> -s <source server [OES/NW]> -o <nssadmin object name with server context>

        where -a, -p, -s are mandatory parameters. If the source server is NetWare (NW), the -o option is required to create a new NSS admin object.

        For example: nss-adminrepair.sh -a admin.sales.novell -p test -s NW -o nssAdminUser.sales.novell

      • Common Proxy:

        • If the source is NetWare, to repair common proxy on the target OES 24.4 server, execute the following:

          /opt/novell/proxymgmt/bin/mignwproxy.sh -d <LDAP Admin FDN> -w <LDAP Admin Password> -i <LDAP-Server-IP-Address> -p <LDAP Secure Port>

        • If the source is Linux, to perform common proxy migration on the target OES 24.4 server, see Post-Migration Procedure.

      • Active Directory:

        1. Overwrite the target server’s files /etc/krb5.conf, /etc/krb5.keytab, and /etc/resolv.conf with source server files copied in Step 1.e.

        2. Merge the contents of the target server’s file /etc/opt/novell/nit/nitd.conf with the source server file nitd.conf copied in Step 1.e.

        3. Execute the following command:

          rcnovell-nit restart

        4. Execute the following command:

          /opt/novell/xad/bin/kinit -E Administrator@<ad domain name>

  10. Restart Server: Restart the target server for the changes to take effect.

    On successful completion of the Transfer ID migration, the target server functions with the source server’s eDirectory identity.