How to do an offline DIB Clone


1 Executive summary


From time to time a hardware malfunction, network outage or simple a disaster can occur, so it is a very good idea to have a disaster recovery plan available and updated.

The following document describes the process of cloning an eDirectory box in a “Offline” fashion. It is very useful when you need to restore a previous eDirectory box that was lost for any reason.

Basically what the process does is clone the information from an eDirectory healthy box (Source server) to a server that need to be recovered / inserted to the replica ring (Target Server)

Source server

eDirectory server which information will be cloned (highly recommended to be the Master sever). In this case the source server is tqidnlabedir01

Target server

eDirectory box that receives the clone. In this case the source server is tqidnlabedir03

The current situation is something like this:

Current situation Current situation

We have an eDirectory replica ring conformed by 2 servers (tqidnlabedir01 and tqidnlabedir02). We use to have a third eDirectory box (tqidnlabedir03) but after a hardware malfunction it was lost... so we need to clone the tqidnlabedir01and restore the tqidnlabedir03

Note: The following process is only applicable if the eDirectory replica ring is installed under Linux.

2 What do you need?


Basically the requirements are the following:

  1. Access to the eDirectory boxes (source and target) as root

  • The admin account and password of eDirectory tree

  • Ensure that the eDirectory replica ring is healthy (i.e. ndsrepair -E reports no errors)

  • Time is syncronized between servers (replica ring)

  • Ensure that the eDirectory source box is not receiving ldap requests during the process (i.e. remove it from any load balancer configuration or set it as not operational)

Note 1: Do not use an IDM box as a source server, because the process generates unnecessary TAO files

Note 2: To ensure that the eDirectory source box is not receiving ldap requests during the process (in case of the presence of Load Balancers) you can use the following ldapsearch instruction (few times in a row)

# ldapsearch -LLL -h  <Virtual_load_balancer_IP> -p 389 -b "" -s base "objectclass=*" -D <eDir_admin_user_in_formar_cn=,ou=> -x -w <eDir_admin_user_password>  dsaName | grep dsaName

The query must return an ldap server name of any of the servers in the replica ring, but not the source's box server name. If you don't remove the source box from the load balancer configuration, the clients consuming the ldap service can get an “database locked error”.

  • It is also important that the eDirectory servers are able to reach each other through their DNS and host name, the easiest way to do so is by ensuring that the /etc/hosts entries are correct

    Hosts file Hosts file

  • Additionally it is necessary to verify that no references of the target server exist in the TREE. A very good way to check this out is by doing an ldap query to the source server asking for any object pointing to the Target server. In other words if you execute the following command and it returns nothing, you are good to go.

    # ldapsearch -LLL -h <Source_Server_HostName>-D <ldap_user_to_query>-b <organization> -s sub -x -w <password> cn=*<Target_server>* cn


    #ldapsearch -LLL -h tqidnlabedir01 -D cn=admin,o=novell -b o=sat -s sub -x -w novell cn=*tqidnlabedir03* cn

    Query for server objects Query for server objects

  • In the case of the previous query it returned an entry, so it needs to be removed it (through iManager, ldapdelete instruction, or any other tool)

    Delete target's server references Delete target's server references

You have to do that for every reference that appears pointing to the Target server

The following table shows the most common set of objects that eDirectory creates for each server in the replica ring




dn: cn=tqidnlabedir03,ou=SERVIDORES,ou=SERVICIOS,o=NOVELL

SSL DNS certificate

dn: cn=SSL CertificateDNS - tqidnlabedir03,ou=SERVIDORES,ou=SERVICIOS,o=NOVELL|

DNS Certificate

dn: cn=DNS AG - tqidnlabedir03,ou=SERVIDORES, ou=SERVICIOS,o=NOVELL

SSL IP Certificate

dn: cn=SSL CertificateIP - tqidnlabedir03,ou=SERVIDORES,ou=SERVICIOS,o=NOVELL

IP AG Object

dn: cn=IP AG - tqidnlabedir03,ou=SERVIDORES,ou=SERVICIOS,o=NOVELL

SAS Object

dn: cn=SAS Service – tqidnlabedir03,ou=SERVIDORES,ou=SERVICIOS,o=NOVELL

SNMP Object

dn: cn=SNMP Group – tqidnlabedir03,ou=SERVIDORES,ou=SERVICIOS,o=NOVELL

LDAP group object

dn: cn=LDAP Group – tqidnlabedir03,ou=SERVIDORES,ou=SERVICIOS,o=NOVELL

LDAP server object

dn: cn=LDAP Server - tqidnlabedir03,ou=SERVIDORES,ou=SERVICIOS,o=NOVELL

3 eDirectory DIB Offline clone


3.1 Start the NDSCLONE module

  • The very first thing to do in the dibclone process is to start the ndsclone module in the source server,, an easy way to check if the module is already running is by typing the following command:

    # ndstrace -c modules | grep clone

    In case the module is running, you will see the following screen:

    ndsclone  running ndsclone running

  • In case the module is not running, you will need to add the following line in the ndsmodules.conf file (located under /etc/opt/novell/eDirectory/conf/)

    ndsclone auto #Clone eDir

    Configure ndsclone Configure ndsclone

  • After that restart the ndsd service

    /etc/init.d/ndsd stop
    /etc/init.d/ndsd start

3.2 Create the DIB clone file set

  • Go to iMonitor in the source server and run the DIB Clone Configuration ( “Agent Configuration > Clone DIB Set > Create New Clone”)

    Create dib clone set Create dib clone set

  • Specify the fqdn of the Target server and make sure that the “Clone DIB Online box” is unchecked and the click in the Submit button

    Create dib clone Create dib clone

  • iMonitor will report an “- 663 URL: /nds/agent/clone/status/data” error which is expected, since the offline dib clone process locks the database in the source server

    DB blocked DB blocked

  • Manually copy the *.nds, nds*, and nds.rfl/*.* files (usually located under /var/opt/novell/eDirectory/data/dib) from the source server’s DIB directory to a Target server in the same directory (Usually /var/opt/novell/eDirectory/data/dib)

  • *.nds files

    sudo rsync -P --log-file /var/log/rsync-dib-201501-nds -avz *.nds root@

    *.nds *.nds

  • nds* files

    sudo rsync -P --log-file /var/log/rsync-dib-201501-nds_ -avz nds* root@

    nds* nds*

  • nds.rfl/*.*

    tqidnlabedir01:/var/opt/novell/eDirectory/data/dib # sudo rsync -P --log-file /var/log/rsync-dib-201501-rfl -avz nds.rfl/*.* root@

    rfl* rfl*

  • Copy the nds.conf file from source to target server and edit it according to the target server name ips and hostnames

    nds.conf nds.conf

  • In order to disable the inbound sync (avoiding updates in the source server ) export the “NDSD_DISABLE_INBOUND=Y” variable

    Inbound sync Inbound sync

  • After exporting the variable, restart the ndsd service in the origin server

    # /etc/init.d/ndsd stop

    # /etc/init.d/ndsd start

    restart ndsd service restart ndsd service

3.3 eDirectory target Configuration

  • Make sure that the target server is an eDirectory box (it has the ndsd binaries) and the DIB clone file set is properly located (usually under /var/opt/novell/eDirectory/data/dib )

    Dib set Dib set

  • Make sure that the master replica is up and running, because the target server will communicate with it once the ndsd service in the target server is started, to do so... run the following command in the Master server

    #ndsrepair -P -Ad

    master ok master ok

  • Stop the ndsd service in the target server in case it is running


    ndsstat ndsstat

    And then

    # /etc/init.d/ndsd stop

  • Copy the NICISDI.KEY file from the source server to the target server

    #scp /var/opt/novell/nici/0/nicisdi.key root@


  • Start the ndsd service in the target server.

    # /etc/init.d/ndsd start

  • You will see an error referring to the LDAP certificate which is expected. In the next steps this error will be addressed:

    ndsd start target ndsd start target

3.4 Final steps

  • Run the following command in order to create the SAS, LDAP and SNMP objects related to the target service

    # ndsconfig upgrade

    ndsconfig upgrade ndsconfig upgrade

    The message “The instance at /etc/opt/novell/eDirectory/conf/nds.cof is upgraded successfully” is the key. If you see it, everything goes ok so far.

  • Enable the inbound synchronization by executing the following command in the source server

1. Enter in ndstrace

# ndstrace

2. In the ndstrace command line, type the following

# set ndstrace =!e

3. Depending on the flags that are enabled you will see something like this:

ndstrace ndstrace

  • Export the NDSD_DISABLE_INBOUND variable and set it to "N" in the source server. After that, restart the ndsd service in the source server in order to enable the inbound sync

 export NDSD_DISABLE_INBOUND=N; /etc/init.d/ndsd stop; sleep 5  ;/etc/init.d/ndsd start

enable inbound sync (source server) enable inbound sync (source server)

  • Verify the health in the replica ring and the references of the target server by following these commands in the source and target server and if everything goes ok, you will see 0 errors

    # ndsrepair -E

    ndsrepair -E ndsrepair -E

    # ndsrepair -N

    ndsrepair -N ndsrepair -N

Voilá, you will have an eDirectory ring conformed by 3 servers, the target server is now back to life!

4 Conclusion

By doing the nds offline process you are able to restore an eDirectory box in case of a disaster of by adding a new server in case the DIB files are too big and you don't time enough to let the natural sync process to do its job.


How To-Best Practice
Comment List
Parents Comment Children
No Data