Absent Member.

creating a LAB environment from PROD edirectory guidance


We are in the process of creating a lab IDM environment and I am not all
that familiar with eDirectory. After I get my lab servers installed,
with eDirectory and IDM....what is the best route/method to getting my
production eDirectory into my LAB? I am sorry if I am not wording this
correctly but I need to have all the objects and OUs etc. in lab just as
in production. Thank you,


--
wferguson
------------------------------------------------------------------------
wferguson's Profile: https://forums.netiq.com/member.php?userid=360
View this thread: https://forums.netiq.com/showthread.php?t=54222

Knowledge Partner

Re: creating a LAB environment from PROD edirectory guidance

The easiest way is probably using ndsrc.pl (CoolSolution) from the server
holding the Master replica of the [root] partition, plus a real copy of
all other partitions (preferably master, though) to grab a DIB from
production, then restore that in your lab environment AFTER being SURE
that the two environments cannot ever communicate to each other.

After setting that up in the lab, use LDAP or iManager to clean out the
other servers which are not in this environment, and you can start using
this box for whatever.

It is really, really important that if you do this you do NOT have your
two environments communicate.

Alternative, safer, ways involve using LDAP to export objects from prod
and into the lab. You could also set up an IDM driver to sync things
one-way from prod to dev, so you have a semi-updated environment all of
the time (other than what you change in the lab which is not synchronized
back to prod).

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
Absent Member.

Re: creating a LAB environment from PROD edirectory guidance


With me not being that familiar with eDir, what steps can I/should I
take to make sure that lab and prod cannot communicate after building
the lab? Also could I just use the backup utility through iManager to
back up prod and then restore to LAB and would that give me a good
working copy of production eDir in my Lab?


--
wferguson

Knowledge Partner

Re: creating a LAB environment from PROD edirectory guidance

The separation of environments is not eDirectory related. Put the dev
environment somewhere that is physically disconnected from prod, meaning
the wires don't link the two, at all. If you're all virtual, be sure dev
is on a network that cannot, ever, at all, reach prod, and be sure that
nobody changes the networking on the dev box to use the prod network.

You can use backup/restore using dsbk (same as iManager, but much easier)
and then clean up the DIB of non-existent-in-dev servers if you'd like,
sure. It's a lot more work, but it should be fine. The same restrictions
apply, though; be sure the two environments never send a single packet to
each other, because they WILL try to do so (that's what replication is all
about) and when it works, you will have ugly issues, including objects
changing in ways you dislike in production.


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
Absent Member.

Re: creating a LAB environment from PROD edirectory guidance


The responses so far have been great.

So when I set up LAB eDirectory from a backup of PROD, all of my accounts
in LAB will now have associations to drivers that are in PROD. If I keep
the same names of the drivers in LAB that were in PROD...is this going to
be a problem and will a resync need to be done? My associations with
Banner, for example, have the Banner PIDM in them and I am wondering is
that association going to cause an issue when syncing up with my LAB
Banner environment, and if so could I just force a resync on the
accounts to Banner and it update the associations...just using Banner as
an example and will replicate that procedure with other drivers. Thx


--
wferguson

Knowledge Partner

Re: creating a LAB environment from PROD edirectory guidance

On Fri, 04 Sep 2015 13:04:01 +0000, wferguson wrote:

> The responses so far have been great.
>
> So when I set up LAB eDirectory from a backup of PROD, all of my accounts
> in LAB will now have associations to drivers that are in PROD.


This isn't really an eDirectory question any more. For IDM, we have the
idm.engine-drivers forum, where you'll find a lot more IDM specific
expertise.


> If I keep
> the same names of the drivers in LAB that were in PROD...is this going to
> be a problem and will a resync need to be done? My associations with
> Banner, for example, have the Banner PIDM in them and I am wondering is
> that association going to cause an issue when syncing up with my LAB
> Banner environment, and if so could I just force a resync on the
> accounts to Banner and it update the associations...just using Banner as
> an example and will replicate that procedure with other drivers. Thx


Basically, yes, and no. Yes, it'll be a problem. No, a resync probably
isn't going to be sufficient. But, that answer will be different for each
driver, so you'll have to work through probably a few different scenarios.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.microfocus.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.
Absent Member.

Re: creating a LAB environment from PROD edirectory guidance


OK, Thank you


--
wferguson

Absent Member.

Re: creating a LAB environment from PROD edirectory guidance


Hey ab, I have a question in regards to your statement about "because
they WILL try to do so". We are not using SLP in our production
environment that I know of, and in my LAB env I have not and will not be
installing any SLP related packages. My question: without SLP running in
both prod and lab, is there any way that prod can talk to lab period? If
so, can you inform me how they would even know that each other exists?

Thank you.


--
wferguson

Knowledge Partner

Re: creating a LAB environment from PROD edirectory guidance

When you clone prod to dev, all of your IP addresses are stored on server
objects. When a server tries to look up an object (such as a server
object, because it is in the local server's list of replica-holders of a
given partition), it uses an NCP Referral request (which goes to
eDirectory) to ask how to find that object, and the referral is returned
with IP addresses for replica-holders.

When you clean up your tree (after copying it to the new dev server on the
isolated network) you do so by removing all server objects other than the
one you cloned/copied, so then all of those requests will eventually come
back empty. Until you do that cleanup, though, starting this
cloned/copied server will cause it to try to talk to its friends, and it
has a copy of all of its friends locally, including their addresses. The
replica-holders contacted do not know that the server was copied, and so
they'll happily chat with it and then bad things are now happening in
production.

Removing all servers' (other than the copied one) NCP Server Objects from
the dev environment means that this server will not try to replicate with
anybody out there, and since you cannot have two boxes with the same IP
address, presumably your cloned/copied box has a new IP address so nobody
should reach out to find it directly. In that case, you're pretty safe,
but isolating the networks entirely is still a good idea since this is a
basic setup and there could be a lot of other variables involved. OES
configuration, for example? Identity Manager (IDM) pieces that could try
to talk to the driver meant to be out there? Anything else using LDAP?
The first time you get IPs confused and find out that you're testing stuff
against the production network because the servers look the same, trees
look the same, and credentials are the same, you'll either gouge out your
eyes, or want to use them to brush up your resume (depending on how badly
your testing has destroyed production).

It's your environment.... just be careful. NCP is an intelligent
protocol, meaning it tries to do a lot for you. Other protocols are much
simpler, less-intelligent, and are easier to understand, but they make you
do more work for them to behave nicely in more situations (LDAP, for
example). With that intelligence in NCP comes the possibility that it
will do something too-smart, such as finding replica-holders during
startup in order to do replication, even though the copy of the original
server should never be talking to the prod environment.


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
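
An added example, not part of the original posts and not a NetIQ tool: a check to run on the lab host before the restored copy of eDirectory is started, confirming that none of the production replica holders' addresses can be reached. It assumes you already have a list of those addresses; the addresses shown are constructed placeholders and the function names are hypothetical.

```python
import errno
import socket

# Ports the cloned server or its tools would use to reach production:
# 524 is NCP (eDirectory replication/referrals); 389 and 636 are LDAP/LDAPS.
PORTS = (524, 389, 636)

# Errors that mean a packet came back from the far side: a route exists.
PATH_EXISTS = {errno.ECONNREFUSED, errno.ECONNRESET}


def classify(exc):
    """Map a connect() failure to 'refused' (route exists) or 'no-path'."""
    if isinstance(exc, OSError) and exc.errno in PATH_EXISTS:
        return "refused"
    return "no-path"  # timeout, ENETUNREACH, EHOSTUNREACH, ...


def probe(host, port, timeout=2.0):
    """Return 'open', 'refused' or 'no-path' for one TCP endpoint."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:
        return classify(exc)


def isolation_violations(prod_addresses, ports=PORTS, probe_fn=probe):
    """List (host, port, state) for every endpoint that answered at all.

    'refused' counts as a violation: the service is down but the network
    path that replication would use is there.
    """
    found = []
    for host in prod_addresses:
        for port in ports:
            state = probe_fn(host, port)
            if state != "no-path":
                found.append((host, port, state))
    return found


if __name__ == "__main__":
    # Constructed placeholder addresses (TEST-NET-1), not from the thread.
    prod = ["192.0.2.10", "192.0.2.11"]
    bad = isolation_violations(prod)
    for host, port, state in bad:
        print(f"NOT ISOLATED: {host}:{port} is {state}")
    raise SystemExit(1 if bad else 0)
```

A non-zero exit means at least one production address answered, even if only with a connection refusal, so the lab network is not isolated.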
Knowledge Partner

Re: creating a LAB environment from PROD edirectory guidance

On Tue, 08 Sep 2015 19:14:02 +0000, wferguson wrote:

> Hey ab, I have a question in regards to your statement about "because
> they WILL try to do so". We are not using SLP in our production
> environment that I know of, and in my LAB env I have not and will not be
> installing any SLP related packages. My question: without SLP running in
> both prod and lab, is there any way that prod can talk to lab period?


Yes. If IP works, they will attempt to communicate.

> If
> so, can you inform me how they would even know that each other exists?


Servers store the IP address of other servers, so that the other servers
are reachable.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.microfocus.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.
Absent Member.

Re: creating a LAB environment from PROD edirectory guidance


Thank you both.


--
wferguson