
A couple of OES2/nw to OES11/SLES11 migration questions

Will not be doing an id transfer, just a slow migration from NW65sp8 to OES11 and had a couple quick ?'s

1. Will be moving iprint, dns, dhcp, CA, ftp, data volumes (NSS) and making this new server the root part of edir. In what order do you all think I should do this?

2. When should the new sles11sp1/oes11 server be patched? After all services have been installed and migrated, or after the services have been installed but not migrated? I believe you do not patch sles prior to oes install either, correct?

Thanks for any insight!
Knowledge Partner

shesser;2205860 wrote:
Will not be doing an id transfer, just a slow migration from NW65sp8 to OES11 and had a couple quick ?'s

1. Will be moving iprint, dns, dhcp, CA, ftp, data volumes (NSS) and making this new server the root part of edir. In what order do you all think I should do this?

2. When should the new sles11sp1/oes11 server be patched? After all services have been installed and migrated, or after the services have been installed but not migrated? I believe you do not patch sles prior to oes install either, correct?

Thanks for any insight!


Check out my older migration guides (some of the screenshots won't match up) but the concepts are mostly the same.

1) You will do your non-eDir stuff first (data, DNS, DHCP). I'm not sure about FTP as I never did an FTP service migration (there are MAJOR differences between NW and OES FTP so prepare yourself).

2) Before you do the ID transfer, you'll do a final sync for your NSS data, then do the ID transfer. That'll get all the eDir replica/certs/CA (assuming your OLD NW server is the CA) over to OES.

3) Patch the server BEFORE migrating. If you do the "integrated install" (where you add on the OES CD during the SLES 11 software) you should be able to patch everything afterwards. I believe that's the way the docs have you do things.

Make sure your eDir tree is healthy and your certs are healthy before inserting OES into the tree and/or doing any ID transfers.

Oh, I misread your main statement: you won't be doing an ID transfer. Well, in that case, you'll have some fun moving the CA and fixing all your other servers, but it IS doable (last time I had to do it on NetWare, I had to manually run a bunch of sdidiag or something commands on 50+ servers so it was very time-consuming).

There's a Novell TID that explains how to do that.

--Kevin
Vice Admiral

Thanks for the reply Kevin

No ID will be transferred on this migration. I've read and been given conflicting info on the patching thing, hence the question. Some say install sles first, do not patch, install OES11, edir first, restart then install services. Do not patch sles or oes until the services have been migrated over. I've also seen info related to what you posted. The docs don't really give a clear-cut path on this. I have checked out your link above and have read through it also. I think I'll use my oes maint. and blow a call into Novell to see what they say.
Knowledge Partner

shesser;2205875 wrote:
Thanks for the reply Kevin

No ID will be transferred on this migration. I've read and been given conflicting info on the patching thing, hence the question. Some say install sles first, do not patch, install OES11, edir first, restart then install services. Do not patch sles or oes until the services have been migrated over. I've also seen info related to what you posted. The docs don't really give a clear-cut path on this. I have checked out your link above and have read through it also. I think I'll use my oes maint. and blow a call into Novell to see what they say.


The docs are pretty clear on the install order:
Novell Documentation

Install OES11 WITH SLES.

Then your only choice is to patch afterwards (note there ARE issues with patching OES11 with SLES and it's not exactly fun).
(note that technically you CAN install things differently, I'm just stating what the DOCS list).

You can search the forums for a few threads on patching issues (I seem to remember there were cases that affected both installation methods, so it probably didn't matter much).

I usually suggest fully patching the OES server for the following reasons:
1) If you have a problem and call support, they'll want a supportconfig, see you're NOT on the latest code and basically make you patch before going further
2) the miggui has bugs sometimes and patching is usually the only way to resolve any issues that Novell has found.
Knowledge Partner

kjhurni;2205867 wrote:
.. you'll have some fun moving the CA and fixing all your other servers, but it IS doable (last time I had to do it on NetWare, I had to manually run a bunch of sdidiag or something commands on 50+ servers so it was very time-consuming).


Sanity check.... 🙂 the sdidiag/pkidiag commands are only needed when deleting and recreating the existing CA (which is a good thing to do if it's to expire in two years time or even earlier).

But if you are moving the CA (export/delete CA object/recreate CA with import to new host), all certificates stay valid. If the CA was made on an older NetWare CA, there is no option to export the private key - and you'll have to do the delete/recreate/fix certificates dance.
On the other hand, deleting the CA does not invalidate the server certificate itself... just the chain and its link to the trusted CA certificate. The server certificates themselves will continue to work until they have passed the expiry date.

Or did you encounter something else Kevin?

-Willem
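
The difference between moving the CA (same key pair) and deleting and recreating it (new key pair) can be reproduced with plain OpenSSL files. This is an added example, not part of the original posts; the subjects, file names and password are constructed, and OpenSSL stands in for the eDirectory certificate server.

```shell
#!/bin/sh
# Added illustration, not from the thread. Every name, subject and password
# below is constructed; plain OpenSSL files stand in for eDirectory objects.

# True when cert $2 chains to the trusted root in $1.
chain_ok() { openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; }

# True while cert $1 has not passed its notAfter date.
not_expired() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; }

# Report the state a client would see for server cert $2 under root $1.
verdict() {
    if ! not_expired "$2"; then echo "expired"
    elif chain_ok "$1" "$2"; then echo "valid, chain intact"
    else echo "valid, chain broken"
    fi
}

# Build the three CA variants and one server cert in directory $1.
build_lab() (
    cd "$1" || exit 1
    subj_ca="/O=EXAMPLE-TREE/CN=EXAMPLE-TREE Organizational CA"
    # Original CA and a server certificate issued by it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "$subj_ca" \
        -keyout ca_old.key -out ca_old.pem 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=EXAMPLE-TREE/CN=oes11.example.test" \
        -keyout srv.key -out srv.csr 2>/dev/null
    openssl x509 -req -in srv.csr -CA ca_old.pem -CAkey ca_old.key \
        -CAcreateserial -days 730 -out srv.pem 2>/dev/null
    # "Move": export key + cert to PKCS#12, re-import on the new host.
    openssl pkcs12 -export -inkey ca_old.key -in ca_old.pem \
        -passout pass:constructed -out ca.pfx 2>/dev/null
    openssl pkcs12 -in ca.pfx -nokeys -passin pass:constructed \
        -out ca_moved.pem 2>/dev/null
    # "Delete and recreate": same subject name, brand-new key pair.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "$subj_ca" \
        -keyout ca_new.key -out ca_new.pem 2>/dev/null
)

lab=$(mktemp -d)
trap 'rm -rf "$lab"' EXIT
build_lab "$lab"
for ca in ca_old ca_moved ca_new; do
    printf '%-9s %s\n' "$ca" "$(verdict "$lab/$ca.pem" "$lab/srv.pem")"
done
```

Only the recreated CA reports a broken chain, even though its subject name is identical; the server certificate itself stays inside its validity period in all three cases.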
Knowledge Partner

shesser;2205875 wrote:
Thanks for the reply Kevin

No ID will be transferred on this migration. I've read and been given conflicting info on the patching thing, hence the question. Some say install sles first, do not patch, install OES11, edir first, restart then install services. Do not patch sles or oes until the services have been migrated over. I've also seen info related to what you posted. The docs don't really give a clear-cut path on this. I have checked out your link above and have read through it also. I think I'll use my oes maint. and blow a call into Novell to see what they say.


If your question is also how to best setup the OES base server... my answer would be:

Install SLES 11 SP1 64bit, no addon, no registration, no updates
After SLES install, use YaST's Add-in module to add-in the OES11 GM media (I usually first place the iso on a local store, like in /usr/install/ISOs - then add-in the iso)
Now register the server with Novell NCC (use 'suse_register -a email=[your ncc account email@yourdomain.com] -a regcode-sles=[your SLES 11 activation code found in NCC] -a regcode-oes=[your OES11 activation code found in NCC]')

When the registration has run successfully, check if both the SLES and OES channels have been added and are active (the debug ones won't be by default):
zypper ls # < lists services which should show SLES and OES add-on as well as the nu_novell_com service when registered with NCC
zypper ca # < lists the catalogs that are registered and active/inactive - check to make sure the SLES and OES Online and Update catalogs are there and set to active

Now run the updates, I prefer using YaST's Online update tool > run it, don't select anything and just accept the defaults. Usually the update tool gets updated first, then on the second run all updates for the OS and OES will come through.

Then make sure services like NTP, SLP and DNS resolving are in working order (also make sure the slpd service is running and set to start at boot after it's been configured in /etc/slp.conf), and if so, continue on to the OES Install and Configure module in YaST.

I usually first only install eDir and NSS, then on a second/third install pass add other OES products to the server.

Also one tip that might save you some trouble: use a separate admin account to install the OES server and services with - so changing a password or moving a current admin account does not interfere with OES workings, and also use your own set password for the Common proxy configuration.

Following these lines I've always had solid servers.

Up next, the order in which you migrate things is not really important and can be done how it best fits as long as the dependencies are clear (which other systems or services hook into each bit).

Of the list you gave, my order would be:

Move/recreate CA after installing first OES11 server
dns
dhcp (watch out for duplicate leases when running tight dhcp address pools : Important Notice)
file services (watch out for linked attributes in eDir to the volumes, like home directory environment)
ftp (needs LUM enabled accounts if you want eDir users to be able to authenticate - no server to server transparent ftp option at this moment)


Hope that helps,
Willem
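
The catalog check described in this post, before running the online update, can be scripted. This is an added example, not part of the original post; the catalog names and the table layout are constructed sample data modelled on zypper's pipe-separated listing, so adjust the name fragments to what `zypper ca` shows on the server.

```shell
#!/bin/sh
# Added illustration, not from the thread. Catalog names and the table layout
# are constructed sample data modelled on zypper's pipe-separated listing.

# Read a `zypper ca` table on stdin; print every required name fragment
# (arguments) for which no catalog is both present and enabled.
catalog_gaps() {
    awk -F'|' -v want="$*" '
        BEGIN { n = split(want, req, " ") }
        $1 ~ /^ *[0-9]+ *$/ && NF >= 4 {          # data rows only
            name = $3; enabled = $4
            gsub(/^ +| +$/, "", name); gsub(/ /, "", enabled)
            for (i = 1; i <= n; i++)
                if (index(name, req[i]) && enabled == "Yes") ok[req[i]] = 1
        }
        END { for (i = 1; i <= n; i++) if (!(req[i] in ok)) print req[i] }'
}

# Constructed listing: OES update catalog registered but left disabled.
sample_listing() {
    cat <<'EOF'
# | Alias                            | Name               | Enabled | Refresh
--+----------------------------------+--------------------+---------+--------
1 | nu_novell_com:OES11-Pool         | OES11-Pool         | Yes     | Yes
2 | nu_novell_com:OES11-Updates      | OES11-Updates      | No      | Yes
3 | nu_novell_com:SLES11-SP1-Pool    | SLES11-SP1-Pool    | Yes     | Yes
4 | nu_novell_com:SLES11-SP1-Updates | SLES11-SP1-Updates | Yes     | Yes
EOF
}

gaps=$(sample_listing | catalog_gaps SLES11-SP1-Updates OES11-Updates)
if [ -n "$gaps" ]; then
    echo "do not run the online update yet; inactive or missing: $gaps"
fi
```

On a registered server the same function would be fed from `zypper ca` instead of the constructed listing.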
Knowledge Partner

magic31;2206039 wrote:
Sanity check.... 🙂 the sdidiag/pkidiag commands are only needed when deleting and recreating the existing CA (which is a good thing to do if it's to expire in two years time or even earlier).

But if you are moving the CA (export/delete CA object/recreate CA with import to new host), all certificates stay valid. If the CA was made on an older NetWare CA, there is no option to export the private key - and you'll have to do the delete/recreate/fix certificates dance.
On the other hand, deleting the CA does not invalidate the server certificate itself... just the chain and its link to the trusted CA certificate. The server certificates themselves will continue to work until they have passed the expiry date.

Or did you encounter something else Kevin?

-Willem


This was back in the old days where if you created your CA with NW 5.0 (ie, you upgraded from NW 4.11 to NW 5.0 and then maybe to 5.1 and to 6.0 and then 6.5) you couldn't export the CA, so you had no choice but to whack it, create it from scratch and then re-link all the certificates and we had a few servers that refused to get the new one so had to basically sdidiag (the one where you have to list all the keys from every server, find the ones that are broken and manually prod the "number" so that they all agree that XYZ is the new number).

Royal PITA.

If we'd just gone directly from NW 4.11 to 6.0 I think we wouldn't have had the problem, but that was so long ago.

🙂
Vice Admiral

Thanks much for your insight! To let you know I had some conversation with the OEM techs and edir techs yesterday. They basically told me to either install sles11 and add the oes11 as an add-in together (same install), skip register & patching at that point, migrate all services, register and patch then move CA and promote r/w to master OR separate the sles install, then add-on the oes11 and install the services needed, skip register & patching at that point, migrate services, register and patch then move CA and promote r/w to master.

Below are a couple of questions on some of your input. And once again, thanks for that input.

magic31;2206042 wrote:
If your question is also how to best setup the OES base server... my answer would be:

Install SLES 11 SP1 64bit, no addon, no registration, no updates
After SLES install, use YaST's Add-in module to add-in the OES11 GM media (I usually first place the iso on a local store, like in /usr/install/ISOs - then add-in the iso)
Now register the server with Novell NCC (use 'suse_register -a email=[your ncc account email@yourdomain.com] -a regcode-sles=[your SLES 11 activation code found in NCC] -a regcode-oes=[your OES11 activation code found in NCC]')

What's the difference if I add-in from cdrom? Can I use the yast piece to do the same as above?

When the registration has run successfully, check if both the SLES and OES channels have been added and are active (the debug ones won't be by default):
zypper ls # < lists services which should show SLES and OES add-on as well as the nu_novell_com service when registered with NCC
zypper ca # < lists the catalogs that are registered and active/inactive - check to make sure the SLES and OES Online and Update catalogs are there and set to active

Now run the updates, I prefer using YaST's Online update tool > run it, don't select anything and just accept the defaults. Usually the update tool gets updated first, then on the second run all updates for the OS and OES will come through.

If OES11 is not installed yet, how do the updates get applied? Are the patches applied to the iso location?

Then make sure services like NTP, SLP and DNS resolving are in working order (also make sure the slpd service is running and set to start at boot after it's been configured in /etc/slp.conf), and if so, continue on to the OES Install and Configure module in YaST.

I usually first only install eDir and NSS, then on a second/third install pass add other OES products to the server.

Also one tip that might save you some trouble: use a separate admin account to install the OES server and services with - so changing a password or moving a current admin account does not interfere with OES workings, and also use your own set password for the Common proxy configuration.

So you're saying don't use the EDIR admin account above?

Following these lines I've always had solid servers.

Up next, the order in which you migrate things is not really important and can be done how it best fits as long as the dependencies are clear (which other systems or services hook into each bit).

Of the list you gave, my order would be:

Move/recreate CA after installing first OES11 server
dns
dhcp (watch out for duplicate leases when running tight dhcp address pools : Important Notice)
file services (watch out for linked attributes in eDir to the volumes, like home directory environment)

Are you talking about environment settings like home directory and default server in C1?

ftp (needs LUM enabled accounts if you want eDir users to be able to authenticate - no server to server transparent ftp option at this moment)

One other thing is an edir replica and then the promotion of this box to master of the root, any thoughts on that?

Hope that helps,
Willem
Knowledge Partner

kjhurni;2206119 wrote:
If we'd just gone directly from NW 4.11 to 6.0 I think we wouldn't have had the problem, but that was so long ago.

🙂


Yeah indeed.... I think you needed to have created the CA with certificate server version 2.5 (or somewhere there) to be able to export the private key. It was a PITA 🙂 , especially when one does not understand the PKI/SSL stuff, as I didn't back then. Stuff one learns by breaking it 😛
Knowledge Partner


What's the difference if I add-in from cdrom? Can I use the yast piece to do the same as above?


None, other than I like having my install media close-by in case software management prompts for it. Added bonus, having it as a local ISO removes the prompt to insert media (which was always somewhere else when I needed it).


If OES11 is not installed yet, how do the updates get applied? Are the patches applied to the iso location?


By adding in the OES media, the SLES server becomes an OES server. It's just not configured with the needed services yet. Adding in the OES media will also install base packages needed for OES as well as tools like miggui.

The updates will always be applied to already installed packages, so that means the miggui and related packages will also be of a later version than the one shipped with the media.

If you are installing OES, it's also important to make sure the online repositories are active and reachable, as the installer will try to pull the latest updated versions of a package while installing.


So you're saying don't use the EDIR admin account above?

Which eDir admin account? I need new glasses I think 🙂

Seriously, you can use any account. I just like creating one dedicated account to install the OES systems with. This account also gets a nice complex password and no one gets it that does not have a direct role to configure OES services.
Next to using such an account for installing and configuring, it can also be used to run automated jobs that require admin credentials in the eDirectory.
Other admin accounts can then be modified as needed without breaking functionality.

Are you talking about environment settings like home directory and default server in C1?

Yes those indeed. There are tools out there that can quickly reset these attributes, like HBware HOMES. Depending on your environment there could be other things to watch for that tie into server or volume identity.


One other thing is an edir replica and then the promotion of this box to master of the root, any thoughts on that?

Sure, good idea before cleaning up the other servers 🙂

Moving replicas and types is quite easy. Always do (also before installing and removing servers in/from your tree) make sure eDir is healthy - time is in sync, eDir replicas are in touch and in sync.
Just place a replica on the server (iManager or COne will both do), wait for it to sync out and change the type from r/w to master.

One thing I do do when placing a replica on the server: rerun the OES Install and Configure and point the LUM and LDAP configuration to the server's IP, instead of the one used to install it into the tree.


That does make me think of one more thing: When configuring the eDirectory on a new OES server, always point to the master replica & make sure the CA can generate certificates (try creating a certificate 'testcert123' manually for example). It makes the install go smoother having that set & checked.


-Willem
Vice Admiral

You guys have shed some light on this post, Thanks!

Have an slp question. Is it possible for the sles11/oes11 server to be the only DA with NW servers still in the tree? I'm trying to get my test setup to work this way. I've seen your SLP doc but from how I'm understanding it, as long as you have NW servers, you need a NW DA, right?

Thanks again
Knowledge Partner

shesser;2206536 wrote:
You guys have shed some light on this post, Thanks!


Good to hear! & you are welcome. 🙂

shesser;2206536 wrote:
Have an slp question. Is it possible for the sles11/oes11 server to be the only DA with NW servers still in the tree? I'm trying to get my test setup to work this way. I've seen your SLP doc but from how I'm understanding it, as long as you have NW servers, you need a NW DA, right?


Yes, it is possible to move to a Linux only DA(s) while still having NetWare servers. OTOH, as long as your NetWare DA stays running, no need to dismantle the DA service on it.

Maybe this thread will shed some light on how/what/why's in Linux vs NetWare DA's: http://forums.novell.com/novell/novell-product-discussion-forums/open-enterprise-server/oes-platform-independent/oes-migration/457486-moving-slpda-netware-open-enterprise-server-11-a.html

Cheers,
Willem