IDM Server Hardware Migration
This is how I accomplished it, and some of the problems/resolutions I found during the process are listed at the end. I'm not going to list a blow-by-blow account of the Server Consolidation Migration Utility as it's very straightforward. However, if you'd like some info let me know and I can give you the step-by-step process. I may even include this in a separate blog entry.
If you've read any of my other Novell Blog entries you'll know that my IDM system runs on NetWare... let me hear you say YEAH!!!
Because I'm still running NetWare, migrating to other hardware is quite easy. Novell has provided a neat little utility called the Server Consolidation and Migration Utility and it's a good time saver. Download this free product before you begin and I highly recommend you run this process through your test environment.
A few notes before we start.
I don't recommend trying to migrate to a higher DS level than the one your source server is on. ie, don't migrate from 8.7.3 to 8.8. If you wish to upgrade your DS version, do it after the migration has settled.
I do recommend using the latest patches and version of NetWare as your destination server.
Side note: because my source server was a NW65SP7 server that was updated from SP6, I am still running eDir 8.7.3.9 and this is by choice. If you've installed a new NetWare server from the SP7 overlay DVD you'll notice the default version of DS is 8.8sp2. So to get around this I install the pre-migration server with the SP6 overlay CDs and then apply the downloaded SP7.
Let the games begin.
1. Take note of the products/services your original server is running. You're going to re-install these on the new server so it helps to know what the old one did. Go make yourself a coffee and get comfortable.
2. Build the migration server ensuring all hardware is functioning correctly.
Use the Pre-migration server installation option in the NetWare install. This installs a bare-bones NetWare server with no additional products.
Note at this point: to cut down on editing in the comparison step later on, I recommend your temporary eDirectory has the same containment structure of your original tree. Create the same structure down to the server location. The following is what I typically used:
TREE Name: TEMPTREE
Server Name: OLDSERVERNAME1
Server context: Same structure as original server in production tree.
Server IP: something in the same network as the original server
3. On the source server comment out all unnecessary load lines in the AUTOEXEC.NCF. Backup clients and anything else that is not immediately required (which should be nothing as you're working inside a maintenance window or scheduled outage.. right??)
4. Stop all drivers running on the server and set them to manual start. Unload any backup clients or other applications to ensure files are not in use.
5. Export all driver configurations.
6. Start the Server Consolidation Migration utility and create a new project for your server. I usually just name the project after the server name being migrated followed by the date. Eg: SERVER1_220408
7. If your server is not a file server (ie doesn't have any volumes other than SYS) you can "next" your way through to the data copy. You can run this stage of the migration days ahead if you like. Then do a final update copy for any files that have changed at the time of the migration. This is a HUGE time-saver. This step simply backs up the trustees on the server and copies the entire contents of the SYS volume to the SYS:\SYS.MIG directory on the destination server.
Note at this point: take a bit of time to clean up your source server, delete any old patches etc that might be lingering around. The data copy stage will copy EVERYTHING, even stuff you don't necessarily need.
8. Complete the Migration process. I usually just accept the defaults given (unless you've done a pre-copy). Read each screen carefully and ensure you follow any additional steps that are suggested. Pay particular attention to the configuration file comparisons. You'll get a second warning about the Server name and IP address. Make sure these are correct.
9. At this point, your original server should be down and turned off, and your new server has now taken on the identity of the original. It's now time to install all the goodies again, but take a moment to yank the network and power cables from the old box.
10. Insert the SP7 overlay DVD and start installing the additional products. My server also ran DNS so I installed it at this point along with the following:
General:
Tomcat 4 and 5
Apache2
iManager 2.7
Novell Modular Authentication Services
reboot server.
Products required for IDM 3.5.1
Security Services 2.0.5
NMAS updates
CIMOM updates
reboot server.
11. Reinstall IDM 3.5.1 engine/utilities and any drivers. I have a blog entry on upgrading from 3.0.1 to 3.5.1 and I just followed these steps.
12. Load DSTRACE using the following:
load dstrace
load dstrace screen on
load dstrace +dvrs dxml
13. Start iManager and fire up the drivers one at a time. Watch the trace screen in step 12 for any errors. Once you've confirmed all is running, edit the driver configurations and set the drivers to auto-start.
14. Pat yourself on the back for a job well done.
Problems encountered:
The above process is exactly how it all went... in test.
In production, however, things were slightly more "interesting".
My hardware migration went perfectly and the new server became the old one as expected. I then went and started installing all the NetWare products and patches. Still all good at this point.
I then installed IDM on the server and for good measure, rebooted.
When I attempted to start the first driver, the process failed with a -783 error. This TID pointed in the right direction but didn't help me. DIRXML was loading but was not functioning.
I investigated the logger screen and saw an error loading DXLDAP.NLM and followed this TID. However, unloading DIRXML or DS simply locked the console screen and after 20 minutes still wouldn't unload the NLMs. I could see from the DSTRACE screen the drivers were caching any changes so updates weren't going to be lost.
At this point I figured something hadn't installed correctly. DS was working perfectly but DIRXML was being a precious petal. To prevent DIRXML from loading I renamed the dirxml.nlm to dirxml.old and rebooted.
After the reboot I reinstalled IDM and rebooted, but had the same problem. Did the rename dirxml.nlm thing again, rebooted. This time I uninstalled IDM and did the following:
1. Ran the Product install again and re-installed all the products and updates in step 10 above.
2. Ran the IDM install again
3. Added the server back to the driver set as it was removed because of the -783 error above.
4. Enabled the drivers but didn't automatically synchronize (drivers are disabled if the server is removed from the set)
5. Started the drivers, this time all went well.
Post investigation seems to point to the NMAS installation, but I haven't confirmed this.
All is working perfectly now and the pointy-haired boss is blissfully unaware of my numerous missed heartbeats this morning.
Novell IDM upgrade ~ 3.0.1 to 3.5.1
I came across a few hiccups in test that I didn't hit in production, but this only helps in the preparation.
I have two eDirectory Trees to contend with. Tree 1 has eDir, MAD, Delimited Text drivers. Tree 2 has eDir, GroupWise, and UserApplication drivers. All IDM servers are OES2 NetWare with the exception of the UserApplication server. This is required to be Linux.
The really good news is all these drivers will work together at different version levels, allowing you to take your time in completing the process.
Here is my take on the process of getting to the latest and greatest.
Approach
Prepare for the upgrade
Test roll-back plan
Upgrade the Meta-directory engine in Tree 1
Upgrade the drivers in Tree 1
Upgrade the MAD remote loader and PassSync.
Upgrade the Meta-directory engine in Tree 2
Upgrade the drivers in Tree 2
Install new UserApplication
I have chosen to create a new install of the UserApplication as currently it's only used for password self-service. The original server is a SLES9 box and the new one I want to be an SLES 10.1 box.
Prepare for the upgrade
1. Upgrade IDM servers in both Trees to NW65SP7
2. Upgrade Security Services to 2.0.5
3. Upgrade NMAS to 3.2.0.1
4. Export current driver sets
5. Export each individual driver in both sets
6. Refresh documentation of current settings noting passwords etc
7. Rename sys:\ni\update directory on both IDM servers
8. All software including previous versions of IDM to hand.
9. Set trace level on all drivers to 3
Roll-back plan
1. Ensure there is a current backup of the SYS volume
2. Export of all drivers
Should the installation fail with no ability to continue:
1. remove the new software if possible
2. Install previous version of software
Should the upgrade of the drivers fail with no ability to continue:
1. Delete drivers in driver set and re-import or;
2. Delete driver set and re-import.
Update Process
Schema update
Schema updates are done as part of the Installation of the IDM 3.5.1 Metadirectory engine. This is done once per tree.
TREE 1 (1hr 30mins)
1. Set all drivers to manual start and apply.
2. Stop all drivers
3. Install Metadirectory Server, Web components and utilities to server
4. Deselect all drivers and select
Delimited Text
eDirectory
5. Select Application components
6. Complete install and restart the server
7. Load DSTRACE and set DSTRACE to DXML and DVRS
8. Start all drivers and confirm no errors on trace
9. Apply authorization to Directory set
10. Restart all drivers to check for authorization
11. Upgrade eDirectory driver and restart
12. Upgrade Delimited Text driver and restart
13. Upgrade Active Directory driver and restart
AD remote loader (30mins)
1. Stop AD remote loader on Domain Controller.
2. Edit settings and set trace level to 3
3. Copy the remote loader config file C:\Novell\RemoteLoader\ADRemoteLoader-Config.txt to ADRemoteLoader-Config.backup
4. Install new remote loader and start
TREE 2 (1hr 30mins)
1. Set all drivers to manual start and apply.
2. Stop all drivers
3. Export individual drivers and driver set
4. Install Metadirectory Server, Web components and utilities to server
5. Deselect all drivers and select
GroupWise
eDirectory
6. Select Application components
7. Complete install and restart the server
8. Load DSTRACE and set DSTRACE to DXML and DVRS
9. Start all drivers and confirm no errors on trace
10. Apply authorization to Directory set
11. Restart all drivers to check for authorization
12. Upgrade eDirectory driver and restart
13. Upgrade GroupWise driver and restart
14. Upgrade UserApplication driver and restart
UserApplication Install (Yet to be completed)
1. Install new SLES 10.1 server
2. Install additional software including development tools
3. Create a new instance of the IDM UserApplication using different port number to the original
4. Duplicate settings between UserApp drivers but leave the new one stopped
5. Install and configure UserApplication on new server
Problems encountered
Problem: Error updating NMAS methods during IDM install on server.
Solution: Rename sys:\ni\update directory
Problem: Error on eDir driver start using certificates
Solution: Re-issue certificates using the NDS-to-NDS certificate wizard
Problem: Unable to deploy new UserApplication driver from Designer
Solution: Run Project Checker in Designer and redeploy
And there you have it, an upgraded IDM system.
IDM Driver movements
To export the driver with iManager do the following:
1. Browse to the driver set and click on the driver in question
2. Select export and follow the prompts, exporting to an xml file on your PC
3. Once exported, delete the driver from the driverset
Import the Driver back into the driverset
1. Now that it's gone, we need to import it back in. Import the driver back into the same driverset selecting the other server and following the prompts
2. Because in my case the GW driver is not on a server other than the primary domain database, we have to specify a user account with RWCEMFs rights to the Domain DB. We also need to specify the IP address of the GW server and the path to the Domain DB.
3. Start the driver
NB: if you're running the IDM drivers on a NetWare server, make sure you add a search path for the GW driver components before starting the driver. I add the following line up high in the AUTOEXEC.NCF file.
SEARCH ADD SYS:\SYSTEM\GWDRIVER
Once added to the AUTOEXEC.NCF file, type the same line at the console and press ENTER.
Because we didn't change the name of the driver in the driverset all associations remain current.. so no need for the driver to go off madly reassociating objects.
The final step is to delete the old server from the driver set.
1. Click on the IDM overview in iManager and then select the red X next to the server list.
2. Select the server about to be removed from the driverset and click apply.
3. Done. Go grab yourself a coffee.
FINAL NOTE: Run this process through your test environment. iManager crashed on me during test which caused a few skipped heartbeats. Plus I forgot to add the search line on the recipient server which accounted for a couple more.
IDM Driver fails to auto-start
So what could be causing the first driver to fail to start but the second, and subsequent others, to load just fine?
The core of IDM is DIRXML.NLM which is loaded automatically by DS.NLM which is in turn automatically loaded when the SYS: volume is mounted. Working backwards, IDM uses JAVA to run the drivers. So if JAVA is not loaded or finished loading by the time DIRXML is trying to load the drivers it will fail. In my case, DIRXML was loading the first driver before JAVA was ready.
But if it's all loading automatically how do you ensure JAVA is ready for DIRXML?
Easy.
DS.NLM is loading DIRXML.NLM, so if you rename DIRXML.NLM to DIRXMLA.NLM, DS will not be able to find it and not load it. Now that we have stopped DIRXML from loading we need to wait for JAVA to finish. This is accomplished by ensuring load statements for JAVA (tomcat) are as early in the AUTOEXEC.NCF file as possible. Then add a DELAY command at the end of the AUTOEXEC.NCF, followed by the load command for the DIRXMLA.NLM file. Something like this...
DELAY 30
LOAD DIRXMLA.NLM
DELAY 30 will put a pause in the execution for 30 seconds before continuing with the next line. This should be plenty of time for JAVA to finish loading.
DIRXMLA.NLM will then load and start all the drivers.
As simple as that.
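A fixed DELAY only helps if the lines sit in the right order, so the following added example (not part of the original post) checks an AUTOEXEC.NCF for the load order described above and for the GWDRIVER search path from the driver-move entry. The sample file, the server name, the TOMCAT4 load line and the #, ; and REM comment markers are assumptions made for illustration.

```python
import re

# Constructed sample AUTOEXEC.NCF. The server name and the TOMCAT4 load line
# are assumptions; SEARCH ADD, DELAY and LOAD DIRXMLA.NLM are from the page.
SAMPLE_NCF = r"""
FILE SERVER NAME SERVER1
SEARCH ADD SYS:\SYSTEM\GWDRIVER
TOMCAT4
# LOAD BACKUPCLIENT
DELAY 30
LOAD DIRXMLA.NLM
"""

def active_lines(text):
    """Uppercased, non-blank lines that are not commented out (#, ; or REM)."""
    lines = (raw.strip().upper() for raw in text.splitlines())
    return [l for l in lines if l and not re.match(r"(#|;|REM\b)", l)]

def check_autoexec(text, java_marker="TOMCAT", min_delay=30, needs_gw=True):
    """Return a list of findings; an empty list means the ordering is as described."""
    lines = active_lines(text)

    def first(pattern):
        return next((i for i, l in enumerate(lines) if re.search(pattern, l)), None)

    dirxml = first(r"^(LOAD\s+)?DIRXMLA(\.NLM)?\s*$")
    if dirxml is None:
        return ["no LOAD DIRXMLA.NLM line: the renamed engine is never loaded"]
    findings = []
    java = first(re.escape(java_marker.upper()))
    if java is None or java > dirxml:
        findings.append("Java/Tomcat load line is missing or comes after DIRXMLA")
    # Only DELAY lines between the Java load and the DIRXMLA load give Java time.
    start = java + 1 if java is not None else 0
    waited = sum(int(m.group(1)) for l in lines[start:dirxml]
                 if (m := re.match(r"DELAY\s+(\d+)\s*$", l)))
    if waited < min_delay:
        findings.append(f"only {waited}s of DELAY before DIRXMLA, expected {min_delay}s")
    if needs_gw and first(r"^SEARCH\s+ADD\s+SYS:\\SYSTEM\\GWDRIVER\s*$") is None:
        findings.append("SEARCH ADD SYS:\\SYSTEM\\GWDRIVER is missing")
    return findings

if __name__ == "__main__":
    print(check_autoexec(SAMPLE_NCF) or "AUTOEXEC.NCF ordering looks as described")
```

Pass needs_gw=False for servers that do not host the GroupWise driver.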
