OES2 Rolling Cluster Upgrade from NetWare - Part 4 - iPrint Migration
OES2 Rolling Cluster Upgrade from NetWare - Part 4 - Migrating iPrint to OES2 Linux
In our setup, we had 3 clustered iPrint resources on NetWare. We had 1 broker, and 2 iPrint Managers. Further, the Broker and Managers were THREE Separate cluster resources. Most of this design was leftover from a NetWare 6.0 Cluster implementation where we originally started with NDPS and later migrated to iPrint. As such, we found out that the OES2 Migration Utility basically required that we consolidate the Broker and Manager into one resource, and then have a second resource for the second Manager.
Please review TID #7005448 as it's tremendously helpful. Remember, iPrint is fairly easy to migrate BECAUSE you can test the migrated items without affecting your production iPrint environment on NetWare. This gives you time to make sure that things are working properly.
You must create NEW Pools/cluster resources on an OES2 SP2 Linux node first. You CAN do this in a mixed cluster (Novell is adjusting the docs for OES2 SP3 to mention this). Obviously you will have new IP addresses and temporary DNS names for your cluster resource(s).
This assumes a fully patched OES2 SP2 server and that you've successfully created the new Cluster Resource(s) accordingly as per Novell's documentation.
Install the iPrint code on the OES2 SP2 Linux node(s) that will be running iPrint. Log in to the server as root. Select Computer -> YaST -> Open Enterprise Server -> OES Install & Configuration.
Select iPrint (so that the box is checked) and click Accept:
Wait for the code to be installed.
Click the iPrint item to configure it.
Enter the admin password and click OK.
By default, the Directory Server Address will be the IP of the Cluster Node that you're installing iPrint onto. IF the server IP (from above) does NOT contain R/W replicas of the tree, you should use the arrow to select a server that DOES contain those replicas. We use the arrow to select our DS Master replica server.
Then Click Next.
Select Configure Later and click Next. (We use SMT so we don't need this.)
Make sure that the NEW OES2 iPrint resources you created previously (at this point they're just NSS volumes with an IP) are onlined onto the OES2 node that you are going to work with.
Login to iManager -> Clusters -> Cluster Manager and online the resource if necessary.
Let's assume that our NEW clustered volume resource on OES2 is: NDPS1OES
Open a terminal window on the OES2 server that hosts this resource and type:
Then use the following command:
./iprint_nss_relocate -a <admin dn> -p <password> -n <NSS path> [-l cluster]
As an example:
./iprint_nss_relocate -a cn=admin,o=abc -p <password> -n /media/nss/NDPS1OES -l cluster
(The above screenshot has a different cluster resource name than the example I have used. I am only illustrating what output you should expect to see). IF all goes well you should get a green "done" and something like what is shown above.
You would then offline the resource, bring it online on the next OES2 node, and re-run this script on that NEW node. Repeat for each physical cluster node that will run this resource. In our case, because we were "combining" our Broker and Manager (from NetWare) onto ONE OES2 Cluster resource, I had to run the above command for the Broker and for the Manager. However, most people will not encounter this scenario.
You MUST do this next step or it fails (or it did for me).
iprntman psm -l -u admin
ACCEPT the certificate.
If you skip this, idsd and ipsmd will not start for some reason. I am assuming this is because the physical host cluster node's SSL certificate has a different name/IP than the clustered resource, so the additional certificates need to be imported.
Login (as the admin user) to iManager -> iPrint -> Create Driver Store
For the TARGET SERVER make sure you use the IP Address of the NEW OES2 CLUSTER RESOURCE object. For the eDir Server Name, make sure you enter a server that contains a replica of the partition that will hold the iPrint objects (we ensure that the "iprint" container is partitioned and replicated onto the appropriate servers).
One thing to make sure of is that you do NOT migrate your iPrint objects into a container that holds your CURRENT NetWare-based iPrint objects. This can lead to renaming issues that will cause failures. Therefore, it's recommended that you create a NEW container to hold your new iPrint objects for OES2.
If you get the above error, click the "iPrint Certificate Manager" and you'll get the screen below:
Then re-enter the information AGAIN for the Broker to create it.
Now, why did we go through all that? In our case, the physical cluster node has an IP and DNS name that is different than our clustered iPrint resource. (Each clustered resource has a unique IP and DNS name, so the SSL certs won't match). You could probably also work around this by creating additional eDir certs, but we just found it easier to go through this once for each node.
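The name/IP mismatch described above can be checked directly instead of inferred. This is an added example, not part of the original guide: it builds a throwaway self-signed certificate for a constructed node name and IP (co-nc1-svr05.abc.com, 10.10.1.105) and tests it against the cluster resource IP 10.10.1.168 used in this guide's load script.

```shell
#!/bin/bash
# Added example: which names and IPs is a server certificate valid for?
# The node FQDN and node IP are constructed sample values; 10.10.1.168 is
# the clustered resource IP from the load script in this guide.

# make_node_cert DIR -> writes DIR/node.pem, a short-lived self-signed
# certificate that only names the physical cluster node.
make_node_cert() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/node.key" -out "$dir/node.pem" \
        -subj "/CN=co-nc1-svr05.abc.com" \
        -addext "subjectAltName=DNS:co-nc1-svr05.abc.com,IP:10.10.1.105" \
        >/dev/null 2>&1
}

# cert_covers CERT_FILE NAME_OR_IPV4 -> exit 0 if the certificate matches.
# openssl prints "... does match certificate" or "... does NOT match
# certificate" and exits 0 in both cases, so the text must be inspected.
cert_covers() {
    cert=$1; target=$2
    case $target in
        *[!0-9.]*) flag=-checkhost ;;   # contains non-digits: a DNS name
        *)         flag=-checkip ;;     # dotted quad: compare with IP SANs
    esac
    openssl x509 -in "$cert" -noout "$flag" "$target" 2>/dev/null |
        grep -q 'does match certificate'
}
```

Run cert_covers against a PEM file exported from the server to see which of your node and cluster resource names it is actually valid for before you accept it.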
Now we create the Print Manager.
iPrint -> Create Print Manager
Make sure for the eDir server name, you select a server that holds a replica of the partition that will hold the iPrint objects.
Novell says to use the IP Address for the iPrint Service.
(make sure to specify the CLUSTERED IP address and not the physical cluster node IP)
Then you need to remember to go into the iPrint -> Manage Print Manager -> Access Control and ADD the appropriate users (by default only the user that created the Manager is added).
You need to install the patch per TID 7007014 (at least as of the date of this document, 11/22/10, the patch is NOT in the channel). Failure to do this will result in the inability to modify printer driver profiles and give you wbem errors after the migration.
Also, you will want to adjust the idsd.conf file and the ipsmd.conf file (more than likely). This is per page 123 of the iPrint best practices Guide, section E.2.6, step 10 on Novell's online docs for OES2.
In our case, we put the 3 replica servers (standalone servers) in:
Now, we have essentially created TWO working iPrint environments. One on NetWare (the production stuff) and one on OES2 Linux (the "new" stuff). However, the OES2 stuff is "blank" (there's no drivers/printer agents, etc.) We are now going to "import" our NetWare drivers and printers into OES2 (ie: Migrate). This can be done during the day without disrupting your users.
On the OES2 Linux node that is hosting the NEW iPrint resource, click the Computer -> More Applications -> System -> Novell Migration Tools.
Click the Source Server icon:
Use the IP of the CLUSTERED RESOURCE. (we originally tried to use the server name and that presented problems).
CHECK the box for "Is Cluster Resource"
Click the TARGET Server icon:
All green (green is good). Co-nc1-svr07 is our NetWare 6.5.8 server. Co-nc1-svr05 is our OES2 SP2 server.
On the Migration Type box, select: Consolidate
Now click the ADD button to add the iPrint service.
If you get an error that iPrint is down, open a terminal and verify that both iPrint items are up and running:
If one is down, just start it:
NOTE: There's a bug in the miggui that will prevent you from clicking the OK button if your screen resolution is not LARGER than 1024x768. This should be fixed in OES2 SP3, but as of OES2 SP2 it's not fixed.
(The arrow shows where the missing button is. You cannot resize the screen to get to the button.)
Click the browse button for the SOURCE Print Manager (the Target print manager is already pre-populated)
It will pause for a few seconds while it resolves the DNS/IP address to the NetWare server.
It will take you back to the main screen again.
Notice that the screen has auto-resized JUST enough so that you can move it up a little bit to see the OK/Cancel buttons.
Click the Get Printers button.
Change the options as shown on the next screenshot.
Select all the printers, and make sure that you select the Target Context and browse for the iPrint container shown above. Notice that our source Manager is our NetWare one and it's in a different eDir container than our Target OES2 Manager.
Obviously you can decide whether to migrate all printers or not.
Click the Other Options tab.
We migrated all drivers, but again, this is up to you to decide. If you overwrite the drivers in the driver store, you may end up overwriting new drivers. However, we chose to keep our existing "working" drivers as we did not have time to test the new drivers. Again, it's up to you to decide if you wish to migrate the profiles and iprint.ini.
Click Yes to save the project.
Click Yes to start
Wait a while during the pre-check phase.
The building psminfo.xml phase takes even longer (I think about 30 minutes for the 300+ printers we have and the multiple drivers per printer).
Some things may error (ie, we had a few printer agents that no longer existed, and a Windows 95 printer driver that didn't go over). Examine the log file to determine if things work okay or not. In our case, we had a few bad printer agent objects and we did not need them anymore, so we deleted the "old" iPrint objects that were causing problems and re-ran the consolidate option. Another choice is to simply not select those problem printer agents as well. Out of about 450 printer agents, we had about 4 that were not migrated.
Modify the cluster load/unload scripts as shown below:
The script is as follows. There is NO line break in the "ignore_error mv" line; it's ONE single line. The lines highlighted in light green are the THREE lines that you add (again, the first of them, the "mv" command, is a single line). Also, remember that the /media/nss/VOLUME name will be different if you have multiple clustered iPrint resources.
exit_on_error nss /poolact=NDPS1_OESPOOL
exit_on_error ncpcon mount NDPS1OES=211
exit_on_error add_secondary_ipaddress 10.10.1.168
exit_on_error ncpcon bind --ncpservername=CS1-NDPS1-OES --ipaddress=10.10.1.168
ignore_error mv /media/nss/NDPS1OES/var/opt/novell/iprint/iprintgw.lpr /media/nss/NDPS1OES/var/opt/novell/iprint/iprintgw.lpr.bak
exit_on_error rcnovell-idsd start
exit_on_error rcnovell-ipsmd start
The UNLOAD SCRIPT is:
ignore_error rcnovell-ipsmd stop
ignore_error rcnovell-idsd stop
ignore_error ncpcon unbind --ncpservername=CS1-NDPS1-OES --ipaddress=10.10.1.168
ignore_error del_secondary_ipaddress 10.10.1.168
ignore_error nss /pooldeact=NDPS1_OESPOOL
Okay, so we have TWO running iPrint environments at this point. One on NetWare that everyone is using and one on OES2 Linux that nobody is using. But how do we know that the OES2 one works and was migrated properly? Well, we can fake it by adjusting some hosts files until we are confident that it IS working and then we'll change the DNS entries.
First, we need to modify the /etc/hosts file on the OES2 Linux server that's running iPrint.
ADD a line so that the IP of the OES2 Cluster iPrint resource matches the NETWARE DNS name (which will probably be your iPrint Manager DNS):
And because we ALSO have this name CNAMED, we need to add it too:
Then we need to modify the /etc/opt/novell/iprint/conf/ipsmd.conf file and adjust the PSMHostAddress line as shown below:
Change the IP to the DNS name of what the NETWARE Manager is/was. In our case we change it to be:
Now, you need to restart iPrint on the OES2 node:
At this point, the OES2 Linux server thinks it's the iPrint system that matches the DNS entries of your NetWare system. (Well mostly because we haven't changed the driver store stuff over yet, but that's okay.) If you REALLY want to test it, you can edit the /etc/hosts file and ADD another entry for the driver store and edit the /etc/opt/novell/iprint/conf/idsd.conf file so the HostAddress has the DNS entry as well.
IF you do this for the Driver Store, make sure that you run iManager from THIS OES2 Linux server when trying to administer the test system. Otherwise iManager will think the Manager and Driver store are "down".
Lastly, we need to edit the HOSTS file on our workstation to test. ADD two lines:
Then open a CMD prompt and type:
Now, open your Printers and try to print to the iPrint system on OES2.
IF everything works okay (you may also wish to try installing a new printer to make sure it installs the driver and any profiles you had), then you can wait until "off hours" to change your DNS entries (see later section in this guide).
Modify the /etc/opt/novell/iprint/conf/ipsmd.conf
You'll want to ADD multiple DSServer values:
(again the above screenshot is for illustrative purposes only).
We use auditing for iPrint. One item that does NOT get migrated over is the Auditing setup.
You need to access the URL for the psmstatus on the OES2 server:
Scroll to the VERY bottom:
Click the Advanced iPrint Manager Information
Click Configure Log Rotation
Use the settings shown above and click Apply.
Regardless of which options you chose during the iPrint migration, it's always best to check the iPrint.ini file that you migrated to make sure that it has the options that you want. If you make changes, they won't take effect until you restart the iPrint code.
At this stage, if all is working well, you will need to offline the NETWARE iPrint resources. I suggest you do this in the evening when you can "assure" that your users aren't using the iPrint system. You will need to make sure that the OES2 iPrint code is running after you do this (driver store and print manager). Then change your DNS servers to give out the OES2 Linux Cluster IP for the "old" NetWare DNS entries.
Example: co-ndps1.abc.com was pointed to the NetWare Cluster IP. Modify the DNS entries so that the same DNS NAME points to the OES2 Linux Cluster IP Address. Once DNS is finalized, you can edit the /etc/hosts file on the OES2 node and remove the lines you manually entered in order to test. Don't forget to change your hosts file on your Windows workstation and do an: ipconfig /flushdns as well.
Remember, that by default Windows workstations will keep/cache DNS info for 24 hours, so this is why I advise doing this at "night" when (hopefully) all your users have shut off their workstations. Otherwise, what will happen, is that the workstation will cache the "old" IP address (which we have OFFLINED), and they won't be able to print until they reboot their workstation or flush their DNS cache.
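The hosts-file overrides used for testing have to be present while you test and gone once DNS is changed, otherwise they mask the real DNS answer. This is an added example, not part of the original guide, that checks both states; co-ndps1.abc.com and 10.10.1.168 come from this guide, while iprint.abc.com (standing in for the CNAME) and the sample file are constructed.

```shell
#!/bin/bash
# Added example. The sample hosts content and iprint.abc.com are constructed.

# hosts_overrides FILE NAME... -> prints "IP NAME" for each active entry
# that pins one of the names. Works on Linux and Windows hosts files.
hosts_overrides() {
    file=$1; shift
    awk -v names="$*" '
        BEGIN { n = split(tolower(names), want, " ") }
        {
            sub(/\r$/, "")                 # Windows hosts files use CRLF
            sub(/#.*/, "")                 # ignore full-line and trailing comments
            for (i = 2; i <= NF; i++)      # field 1 is the IP, the rest are names
                for (j = 1; j <= n; j++)
                    if (tolower($i) == want[j]) print $1, want[j]
        }' "$file"
}

# pinned_to FILE IP NAME... -> exit 0 only if every name is pinned, and
# only to IP (the state you want while testing, before the DNS change).
pinned_to() {
    file=$1; ip=$2; shift 2
    for name in "$@"; do
        got=$(hosts_overrides "$file" "$name" | awk '{print $1}' | sort -u)
        [ "$got" = "$ip" ] || return 1
    done
}

# no_overrides FILE NAME... -> exit 0 when none of the names is pinned
# any more (the state you want once DNS has been changed).
no_overrides() {
    file=$1; shift
    [ -z "$(hosts_overrides "$file" "$@")" ]
}

# Constructed sample: one active test entry and one commented-out entry.
sample_hosts() {
    printf '%s\n' \
        '127.0.0.1 localhost' \
        '10.10.1.168 co-ndps1.abc.com co-ndps1   # iPrint test, remove after cutover' \
        '#10.10.1.168 iprint.abc.com'
}
```

For example, `pinned_to /etc/hosts 10.10.1.168 co-ndps1.abc.com` before testing and `no_overrides /etc/hosts co-ndps1.abc.com` after the DNS change.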
In a rolling cluster upgrade, it's conceivable that you may only be able to have iPrint migrated to ONE OES2 Linux node to start with. As you convert more nodes to OES2 Linux, the procedure to add subsequent nodes is as follows. This assumes you have already installed the iPrint code onto the subsequent OES2 Nodes.
- Edit the cluster load/unload scripts and add a "#" in front of the lines that load and unload the iprint code.
- Offline the cluster resource.
- Online the cluster resource onto the secondary node (at this point it only mounts the NSS volume and does NOT load iPrint)
- Run the iPrint relocate code as per page 9 of this document.
- Offline the cluster resource
- UNCOMMENT the lines in the load/unload script that you commented out in step 1.
- Online the resource onto the secondary node.
- Verify iPrint works.