How to do an offline DIB Clone

1 Executive summary

From time to time a hardware malfunction, a network outage or simply a disaster can occur, so it is a very good idea to have a disaster recovery plan available and up to date.

The following document describes the process of cloning an eDirectory box in an “offline” fashion. It is very useful when you need to restore an eDirectory box that was lost for any reason.

Basically, the process clones the information from a healthy eDirectory box (the source server) to a server that needs to be recovered or inserted into the replica ring (the target server).

Source server

The eDirectory server whose information will be cloned (highly recommended to be the Master server). In this case the source server is tqidnlabedir01.

Target server

The eDirectory box that receives the clone. In this case the target server is tqidnlabedir03.




The current situation is something like this:

[Screenshot: Current situation]

We have an eDirectory replica ring made up of 2 servers (tqidnlabedir01 and tqidnlabedir02). We used to have a third eDirectory box (tqidnlabedir03), but after a hardware malfunction it was lost, so we need to clone tqidnlabedir01 and restore tqidnlabedir03.



Note: The following process is only applicable if the eDirectory replica ring is installed under Linux.



2 What do you need?

Basically the requirements are the following:

  1. Access to the eDirectory boxes (source and target) as root

  2. The admin account and password of the eDirectory tree

  3. Ensure that the eDirectory replica ring is healthy (i.e. ndsrepair -E reports no errors)

  4. Time is synchronized between the servers of the replica ring

  5. Ensure that the eDirectory source box is not receiving LDAP requests during the process (i.e. remove it from any load balancer configuration or mark it as not operational)





Note 1: Do not use an IDM box as a source server, because the process generates unnecessary TAO files.

Note 2: To make sure that the eDirectory source box is not receiving LDAP requests during the process (when load balancers are present), you can use the following ldapsearch command, running it a few times in a row:

# ldapsearch -LLL -h <Virtual_load_balancer_IP> -p 389 -b "" -s base "objectclass=*" -D <eDir_admin_user_in_format_cn=,ou=> -x -w <eDir_admin_user_password> dsaName | grep dsaName

The query must return the LDAP server name of any of the servers in the replica ring, but never the source box's server name. If you don't remove the source box from the load balancer configuration, the clients consuming the LDAP service can get a “database locked” error.
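The rotation check in Note 2 can be scripted. The following shell script is an added example and is not part of the original article: it extracts the dsaName value from each ldapsearch reply to the load balancer VIP and fails if the source server ever answers. The VIP, bind DN and password file are placeholders you supply, and the dsaName value in the test data is a constructed illustration of the reply shape.

```shell
#!/bin/sh
# Added example, not from the original article: poll the load balancer VIP
# a few times and make sure the source server never answers.  The VIP, bind
# DN and password file are placeholders; the dsaName value in the test data
# is constructed and only illustrates the shape of the reply.

# Pull the dsaName value(s) out of the LDIF that ldapsearch prints (stdin).
dsa_names_from_ldif() {
    grep -i '^dsaName:' | sed 's/^[^:]*:[ ]*//'
}

# Exit 0 when none of the names on stdin mention the source server, 1 otherwise.
# $1 = source server name (e.g. tqidnlabedir01)
samples_exclude_source() {
    if grep -qi -- "$1"; then
        return 1
    fi
    return 0
}

# Query the VIP $5 times (default 10), list the distinct servers that
# answered and fail if the source server is among them.  Needs a live
# LDAP service, so it is not exercised by the offline test.
# $1 = VIP, $2 = bind DN, $3 = password file for ldapsearch -y, $4 = source server
check_lb_rotation() {
    vip="$1"; binddn="$2"; pwfile="$3"; src="$4"; rounds="${5:-10}"
    seen=""
    i=0
    while [ "$i" -lt "$rounds" ]; do
        name=$(ldapsearch -LLL -h "$vip" -p 389 -b "" -s base "objectclass=*" \
                   -D "$binddn" -x -y "$pwfile" dsaName | dsa_names_from_ldif)
        seen="$seen$name
"
        i=$((i + 1))
    done
    printf '%s' "$seen" | sed '/^$/d' | sort -u
    printf '%s' "$seen" | samples_exclude_source "$src"
}
```

Run it as `check_lb_rotation <VIP> <bind DN> <password file> tqidnlabedir01` from a host that can reach the VIP. It reads the admin password with ldapsearch -y from a file rather than passing it with -w on the command line, so the password does not end up in the shell history or the process list; the article's -w form behaves the same otherwise.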




  • It is also important that the eDirectory servers are able to reach each other through their DNS and host names. The easiest way to ensure this is to verify that the /etc/hosts entries are correct.

    [Screenshot: Hosts file]





  • Additionally, it is necessary to verify that no references to the target server exist in the tree. A very good way to check this is to run an LDAP query against the source server asking for any object that points to the target server. In other words, if you execute the following command and it returns nothing, you are good to go.

    # ldapsearch -LLL -h <Source_Server_HostName> -D <ldap_user_to_query> -b <organization> -s sub -x -w <password> cn=*<Target_server>* cn

    e.g.

    # ldapsearch -LLL -h tqidnlabedir01 -D cn=admin,o=novell -b o=sat -s sub -x -w novell cn=*tqidnlabedir03* cn

    [Screenshot: Query for server objects]

  • In this case the previous query returned an entry, so it needs to be removed (through iManager, an ldapdelete command, or any other tool).

    [Screenshot: Delete target's server references]

You have to do that for every reference that points to the target server.
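To make the reference check repeatable, here is an added shell example (not from the original article) that parses the LDIF returned by the ldapsearch above and counts the DNs that still mention the target server. It also handles the "dn:: <base64>" form that LDIF uses when a DN contains non-ASCII characters, which a plain grep for "dn:" would miss. The DNs in its test data are constructed after the pattern of the article's object table; the host, bind DN and password file of the live wrapper are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: list every DN that still
# references the target server in the LDIF printed by
#   ldapsearch -LLL ... -s sub "cn=*<target>*" cn
# and count them (0 means you are good to go).  Handles the "dn:: <base64>"
# form LDIF uses when a DN contains non-ASCII characters.  Folded (continued)
# DN lines are not unfolded, which is fine for the DN lengths shown in the
# article's table.  Host names and DNs in the test data are constructed.

# Read LDIF on stdin and print one decoded DN per line.
ldif_dns() {
    while IFS= read -r line; do
        case "$line" in
            "dn:: "*) printf '%s' "${line#"dn:: "}" | base64 -d; printf '\n' ;;
            "dn: "*)  printf '%s\n' "${line#"dn: "}" ;;
        esac
    done
}

# Print how many DNs on stdin (LDIF) mention the target server.
# $1 = target server short name, e.g. tqidnlabedir03
count_target_refs() {
    ldif_dns | grep -ci -- "$1" || true
}

# Live wrapper (needs a reachable source server, so the offline test does not
# run it): print the DNs as a review list before deleting anything with
# ldapdelete or iManager.
# $1 host, $2 bind DN, $3 password file, $4 search base, $5 target server
list_target_refs() {
    ldapsearch -LLL -h "$1" -D "$2" -x -y "$3" -b "$4" -s sub \
        "cn=*$5*" cn | ldif_dns
}
```

Typical use is `list_target_refs tqidnlabedir01 cn=admin,o=novell /root/.ldappw o=sat tqidnlabedir03`, reviewing the printed DNs against the object table before removing them, and `... | count_target_refs tqidnlabedir03` returning 0 once the cleanup is complete.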


The following table shows the most common set of objects that eDirectory creates for each server in the replica ring:

| Object | Example |
|---|---|
| Server | dn: cn=tqidnlabedir03,ou=SERVIDORES,ou=SERVICIOS,o=NOVELL |
| SSL DNS certificate | dn: cn=SSL CertificateDNS - tqidnlabedir03,ou=SERVIDORES,ou=SERVICIOS,o=NOVELL |
| DNS certificate | dn: cn=DNS AG tqidnlabedir03.novell.com - tqidnlabedir03,ou=SERVIDORES,ou=SERVICIOS,o=NOVELL |
| SSL IP certificate | dn: cn=SSL CertificateIP - tqidnlabedir03,ou=SERVIDORES,ou=SERVICIOS,o=NOVELL |
| IP AG object | dn: cn=IP AG 10.10.251.85 - tqidnlabedir03,ou=SERVIDORES,ou=SERVICIOS,o=NOVELL |
| SAS object | dn: cn=SAS Service - tqidnlabedir03,ou=SERVIDORES,ou=SERVICIOS,o=NOVELL |
| SNMP object | dn: cn=SNMP Group - tqidnlabedir03,ou=SERVIDORES,ou=SERVICIOS,o=NOVELL |
| LDAP group object | dn: cn=LDAP Group - tqidnlabedir03,ou=SERVIDORES,ou=SERVICIOS,o=NOVELL |
| LDAP server object | dn: cn=LDAP Server - tqidnlabedir03,ou=SERVIDORES,ou=SERVICIOS,o=NOVELL |




3 eDirectory DIB Offline clone

3.1 Start the NDSCLONE module

  • The very first thing to do in the DIB clone process is to start the ndsclone module in the source server. An easy way to check whether the module is already running is by typing the following command:

    # ndstrace -c modules | grep clone

    In case the module is running, you will see the following screen:

    [Screenshot: ndsclone running]

  • In case the module is not running, you will need to add the following line to the ndsmodules.conf file (located under /etc/opt/novell/eDirectory/conf/):

    ndsclone auto #Clone eDir

    [Screenshot: Configure ndsclone]

  • After that, restart the ndsd service:

    # /etc/init.d/ndsd stop
    # /etc/init.d/ndsd start
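Since the ndsmodules.conf edit has to be repeated on whichever server you pick as the source, here is an added shell helper (not from the original article) that appends the ndsclone line only when it is missing, keeps a dated backup of the file, and exposes the article's running-module check as a function. It assumes the one-module-per-line format shown above and the default path the article gives; override NDSMODULES_CONF if your installation differs.

```shell
#!/bin/sh
# Added example, not from the original article: idempotently enable the
# ndsclone module in ndsmodules.conf and report whether a change was made
# (a change means ndsd must be restarted, as the article says).
# Assumptions: the file uses "<module> <auto|manual> [#comment]" lines as in
# the article, and lives at the path the article gives unless overridden.

NDSMODULES_CONF="${NDSMODULES_CONF:-/etc/opt/novell/eDirectory/conf/ndsmodules.conf}"

# Exit 0 when an uncommented "ndsclone auto" line is already present in $1.
ndsclone_configured() {
    grep -Eq '^[[:space:]]*ndsclone[[:space:]]+auto' "$1"
}

# Append the article's line to $1 if it is missing.  Prints "added" when the
# file was changed (restart ndsd afterwards) or "present" when nothing to do.
ensure_ndsclone_auto() {
    conf="$1"
    if ndsclone_configured "$conf"; then
        echo present
        return 0
    fi
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"   # rollback copy
    printf 'ndsclone auto #Clone eDir\n' >> "$conf"
    echo added
}

# Is the module loaded in the running ndsd?  This is the article's check and
# needs a running eDirectory, so the offline test does not call it.
ndsclone_loaded() {
    ndstrace -c modules | grep -q clone
}

# Typical use on the source server, as root:
#   ensure_ndsclone_auto "$NDSMODULES_CONF"   # then restart ndsd if it printed "added"
#   ndsclone_loaded && echo "ndsclone is running"
```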




3.2 Create the DIB clone file set

  • Go to iMonitor in the source server and run the DIB Clone Configuration (“Agent Configuration > Clone DIB Set > Create New Clone”).

    [Screenshot: Create DIB clone set]

  • Specify the FQDN of the target server, make sure that the “Clone DIB Online” box is unchecked and then click the Submit button.

    [Screenshot: Create DIB clone]

  • iMonitor will report a “- 663 URL: /nds/agent/clone/status/data” error, which is expected, since the offline DIB clone process locks the database in the source server.

    [Screenshot: DB blocked]

  • Manually copy the *.nds, nds* and nds.rfl/*.* files (usually located under /var/opt/novell/eDirectory/data/dib) from the source server's DIB directory to the same directory on the target server (usually /var/opt/novell/eDirectory/data/dib):




  • *.nds files

    sudo rsync -P --log-file /var/log/rsync-dib-201501-nds -avz *.nds root@10.10.10.6:/var/opt/novell/eDirectory/data/dib/

    [Screenshot: *.nds]

  • nds* files

    sudo rsync -P --log-file /var/log/rsync-dib-201501-nds_ -avz nds* root@10.10.10.6:/var/opt/novell/eDirectory/data/dib/

    [Screenshot: nds*]

  • nds.rfl/*.* files (run from the DIB directory of the source server)

    tqidnlabedir01:/var/opt/novell/eDirectory/data/dib # sudo rsync -P --log-file /var/log/rsync-dib-201501-rfl -avz nds.rfl/*.* root@10.10.10.6:/var/opt/novell/eDirectory/data/dib

    Note that with a source of nds.rfl/*.* rsync copies the files themselves, not the directory, so check that they end up inside nds.rfl/ on the target.

    [Screenshot: rfl*]

  • Copy the nds.conf file from the source server to the target server and edit it according to the target server's name, IPs and host names.

    [Screenshot: nds.conf]
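The article only says to edit the copied nds.conf for the target's name, IPs and host names. As an added example (not from the original article), the shell helper below rewrites every occurrence of the source host name and IP to the target's and keeps the source's copy for rollback. The key names in the constructed sample in its test are assumptions about the nds.conf layout, so compare them with your own file; the source IP 10.10.10.1 and the tree name LABTREE are constructed, while 10.10.10.6 is the target IP the article uses.

```shell
#!/bin/sh
# Added example, not from the original article: after copying nds.conf from the
# source server, replace every occurrence of the source host name and IP with
# the target's, keeping an untouched copy of the file.  The article only says
# to edit the copied file for the target's name, IPs and host names; the key
# names in the constructed test data are assumptions about the nds.conf layout,
# so compare them with your own file.  The source IP 10.10.10.1 and the tree
# name LABTREE are constructed; 10.10.10.6 is the target IP the article uses.

# Escape the dots in a host name or IP so sed treats them literally
# (otherwise "10.10.10.1" would also match "10x10x10x1").
literal_re() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# $1 = nds.conf path, $2 = source host, $3 = source IP, $4 = target host, $5 = target IP
# Replaces the IP first, then the host name, so an FQDN such as
# tqidnlabedir01.novell.com is renamed along with the short name.
# Caveat: an IP that is a prefix of another (10.10.10.1 vs 10.10.10.10)
# would match too; diff the .orig copy before starting ndsd.
retarget_nds_conf() {
    f="$1"; shost="$2"; sip="$3"; thost="$4"; tip="$5"
    cp -p "$f" "$f.orig"                      # keep the source's version for rollback
    sed -e "s/$(literal_re "$sip")/$tip/g" \
        -e "s/$(literal_re "$shost")/$thost/g" "$f.orig" > "$f"
}

# Print how many lines of $1 still mention the source host ($2) or IP ($3).
# 0 means nothing was left behind.
leftover_source_refs() {
    grep -cF -e "$2" -e "$3" "$1" || true
}

# Typical use on the target server, as root:
#   retarget_nds_conf /etc/opt/novell/eDirectory/conf/nds.conf \
#       tqidnlabedir01 10.10.10.1 tqidnlabedir03 10.10.10.6
#   leftover_source_refs /etc/opt/novell/eDirectory/conf/nds.conf tqidnlabedir01 10.10.10.1
```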





  • In order to disable the inbound sync (avoiding updates in the source server), export the “NDSD_DISABLE_INBOUND=Y” variable.

    [Screenshot: Inbound sync]

  • After exporting the variable, restart the ndsd service in the source server:

    # /etc/init.d/ndsd stop

    # /etc/init.d/ndsd start

    [Screenshot: restart ndsd service]






3.3 eDirectory target configuration

  • Make sure that the target server is an eDirectory box (it has the ndsd binaries) and that the DIB clone file set is properly located (usually under /var/opt/novell/eDirectory/data/dib).

    [Screenshot: DIB set]

  • Make sure that the master replica is up and running, because the target server will communicate with it once the ndsd service in the target server is started. To check this, run the following command in the Master server:

    # ndsrepair -P -Ad

    [Screenshot: master ok]

  • Stop the ndsd service in the target server in case it is running:

    # ndsstat

    [Screenshot: ndsstat]

    And then

    # /etc/init.d/ndsd stop

  • Copy the NICISDI.KEY file from the source server to the target server:

    # scp /var/opt/novell/nici/0/nicisdi.key root@10.10.10.6:/var/opt/novell/nici/0/

    [Screenshot: NICISDI.KEY]

  • Start the ndsd service in the target server:

    # /etc/init.d/ndsd start

  • You will see an error referring to the LDAP certificate, which is expected. This error will be addressed in the next steps:

    [Screenshot: ndsd start target]






3.4 Final steps

  • Run the following command in order to create the SAS, LDAP and SNMP objects related to the target server:

    # ndsconfig upgrade

    [Screenshot: ndsconfig upgrade]

    The message “The instance at /etc/opt/novell/eDirectory/conf/nds.conf is upgraded successfully” is the key. If you see it, everything has gone ok so far.

  • Enable the inbound synchronization by executing the following commands in the source server:

    1. Enter ndstrace

    # ndstrace

    2. In the ndstrace command line, type the following

    # set ndstrace =!e

    3. Depending on the flags that are enabled you will see something like this:

    [Screenshot: ndstrace]

  • Export the NDSD_DISABLE_INBOUND variable and set it to "N" in the source server. After that, restart the ndsd service in the source server in order to enable the inbound sync:

    # export NDSD_DISABLE_INBOUND=N; /etc/init.d/ndsd stop; sleep 5; /etc/init.d/ndsd start

    [Screenshot: enable inbound sync (source server)]

  • Verify the health of the replica ring and the references of the target server by running the following commands in the source and target server. If everything is ok, you will see 0 errors:

    # ndsrepair -E

    [Screenshot: ndsrepair -E]

    # ndsrepair -N

    [Screenshot: ndsrepair -N]





Voilà, you will have an eDirectory ring made up of 3 servers; the target server is now back to life!



4 Conclusion


By doing the NDS offline clone process you are able to restore an eDirectory box in case of a disaster, or to add a new server when the DIB files are too big and you don't have enough time to let the natural sync process do its job.

Comments
This step:
"copy the NICISDI.KEY" is invalid. This will force the creation of a new tree key. This is because it cannot be read, due to that file being wrapped by the other server's NICI storage key.
Version history
Revision #: 1 of 1
Last update: 2015-02-03 23:23