DIB Clone


Hello everyone, I know DIB Clone has been around for a while, and I had
tested it many years ago when it hit in 8.7x as a beta, but I never used
it in production.

I was going to start to use it in production for adding replicas since my
replica adds normally take about an hour.

I read however in the documentation that Dib clone is not to be used for
an IDM server, due to the pseudo server stuff I am guessing. Is that
correct? Also how reliable is Dib clone? The documentation I read
mentioned nothing about NICI, but I have to believe you need to restore
NICI after the clone? Thanks!!


--
mtsjej
------------------------------------------------------------------------
mtsjej's Profile: https://forums.netiq.com/member.php?userid=6351
View this thread: https://forums.netiq.com/showthread.php?t=53254


  • Section 9.4.25 of the eDir administration guide talks about DIB Clone and
    mentions copying over the appropriate NICI files. Yes, you must do it for
    things to work fully; encrypted attributes, including the Universal
    Password (UP) data, will not work if you do not do this, meaning user
    authentication may fail.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...

  • Thank you. This is the warning I was a bit worried about:

    Do not use the Dibclone utility on an Identity Management server to
    clone another server, because this generates unnecessary TAO files on
    the cloned server.

    So I will have to only clone a box that has never had IDM installed, or
    is not in a Driver Set I suppose. Thanks!


    --
    mtsjej

  • On 04/03/2015 09:24 AM, mtsjej wrote:
    > Do not use the Dibclone utility on an Identity Management server to
    > clone another server, because this generates unnecessary TAO files on
    > the cloned server.
    >
    > So I will have to only clone a box that has never had IDM installed, or
    > is not in a Driver Set I suppose. Thanks!


    Well, maybe. That warning is a real one based on a bug I found doing that
    exact thing. Also note that I think the DIB Clone documentation,
    somewhere, strongly recommends (or requires?) cloning from the Master
    replica. Since IDM engines are recommended to be on Master replicas too,
    there is an obvious conflict here.

    In order for TAO files to be generated you MUST have IDM engine software
    installed on a box. If your target system does not have that, no TAO file
    will be added-to. The pseudo-server link may still be there (until the
    eDir engineers fix that) but it does not do anything unless the engine
    software is on the box. If you happen to add an engine in a
    week/month/year, then you'll have all kinds of fun as a result. If you do
    intend for the box to be an IDM engine, you can remove the pseudo-server
    link by using iManager or Designer to create the link officially (which
    sets an attribute on both the driverset and the pseudo-server object for
    the linked-to server) and then remove it again (which deletes both of
    those attribute values). It's a workaround, admittedly, and only works if
    the IDM engine is on the box, but it's very effective.

    Other thoughts: if you clone from an IDM box, regardless of the driver
    object state (running or stopped) set its auto-start to Manual. At least
    in that case the drivers won't auto-start at any point in the future on
    the clone target. Set back to Auto-Start after the clone is complete.

    With all of that said, here is what I do these days:

    1. Set drivers to Manual start temporarily.
    2. Clone from the Master, preferably the box that holds the Master of all
       partitions since I typically put all of those together.
    3. Open an SR with Novell to remove the pseudo-server link. They can do this
       with ndsdump, and it also gets the SR refunded because this is a known
       limitation with no proper workaround other than the extensive hacking, and
       software installation and then removal, documented above. Linking that SR
       to the bug (or enhancement, whatever they call it) to fix the clone
       process means they get an idea of how much of a problem this really is.
    4. Re-enable driver objects on the source of the clone, so things auto-start
       next time things start.

    I always do online (vs. offline) clones, because they work perfectly for
    me. Someday I'll try an offline one, but so far I've never seen the benefit.

    --
    Good luck.

  • This is very helpful!! Thank you very much for this information.


    --
    mtsjej


  • Could you not remove the pseudo server object with ndsimon in advanced
    mode?


    --
    mtsjej

  • Deleting the pseudo-server object is the easiest way to ruin the server.
    You're welcome to try it I suppose, but doing so is server suicide (well,
    if you're doing it to the server I suppose that's homicide). The
    pseudo-server has a lot of things useful to the running eDir instance,
    which is why you must clean it (ndsdump) vs. nuke it. If iMonitor has an
    option to delete attribute values from objects that will work on the
    pseudo-server, that may be an option, but I doubt it does.

    --
    Good luck.