Converting a Backup Directory Node backup to the new Primary Directory Node
3.10. Converting a Backup Directory Node backup to the new Primary Directory Node#
A UCS domain consists of only one Primary Directory Node, but is not limited in the number of Backup Directory Node. A Backup Directory Node stores all the domain data and all SSL security certificates as read-only copies. However, in contrast to the Primary Directory Node, writing changes are not allowed.
Any Backup Directory Node can be converted to a Primary Directory Node. There are two typical scenarios for this:
In an emergency if the hardware of the Primary Directory Node fails.
To replace a fully functional Primary Directory Node with new hardware or changing the architecture from i386 to amd64.
The conversion of a Backup Directory Node to a Primary Directory Node is a serious configuration change and should be prepared carefully. The conversion cannot be reversed.
The Primary Directory Node that is going to be replaced has to be shut down before the conversion. It must not be powered on during or after the conversion!
Before the conversion, the installed software packages and the current configuration has to be compared between the Primary Directory Node and Backup Directory Node. If the Primary Directory Node is not available anymore, use a file backup. After the conversion, all possibly remaining references of the old Primary Directory Node have to be removed or changed to the new Primary Directory Node.
The conversion primarily involves the changeover of the services relevant for authentication such as LDAP, DNS, Kerberos and Samba. The installed software needs to be adjusted manually (this can be done using the UMC modules App Center or Package Management).
For example, if the mail component was installed on the previous Primary Directory Node, it will not be automatically installed on the new Primary Directory Node after the conversion. To minimize manual changes after the conversion, please consider Fault-tolerant domain setup.
If additional LDAP schema packages were installed on the Primary Directory Node, they must also be installed on the Backup Directory Node prior to the conversion. The package list of the old Primary Directory Node should be saved prior to the promotion in order to allow a subsequent comparison of the installed packages. The package list can be created with the following command:
$ dpkg --get-selections \* >> dpkg.selection
This file should be compared with the same output on the Backup Directory Node. Missing packages should then be installed on the Backup Directory Node. Especially those packages that install a LDAP schema are absolutely necessary. The following command executed on the Primary Directory Node will list all affected packages:
$ dpkg -S /etc/ldap/schema/*.schema \ > /usr/share/univention-ldap/schema/*.schema
To simply install all packages of the Primary Directory Node also on the Backup Directory Node,
use the previously created file
dpkg.selection of the Primary Directory Node and
run the following command on the Backup Directory Node:
$ dpkg --set-selections < dpkg.selection $ apt-get dselect-upgrade
In addition, the Univention Configuration Registry inventory needs to be saved so that it is possible to compare the configuration adjustments on the new Primary Directory Node. The following files on the Primary Directory Node need to be compared with those on the Backup Directory Node:
UCS saves a copy of those files every night to
The conversion of a Backup Directory Node to the new Primary Directory Node is performed by
running the command /usr/lib/univention-ldap/univention-backup2master
on the Backup Directory Node. The system must be rebooted after the conversion. The
process is logged to
/var/log/univention/backup2master.log The following
steps are performed by univention-backup2master:
Checking the environment: The system must be a Backup Directory Node that already joined the domain. Additionally, it is checked if the Primary Directory Node can be resolved via DNS and if the repository server can be reached. Also, the Primary Directory Node must be powered off and not reachable anymore.
Now, the most important services OpenLDAP, Samba, Kerberos and Univention Directory Notifier and Listener will be stopped. Important Univention Configuration Registry Variable, such as
server/rolewill be changed. The UCS Root CA certificate will be available via the web server on the Backup Directory Node. All mentioned services will be started again.
The DNS SRV record
kerberos-admwill be changed from the old to the new Primary Directory Node.
If present, the Univention S4 Connector (see Univention S4 connector) will be removed from the computer object of the old Primary Directory Node and will be scheduled for re-configuration on the new Primary Directory Node.
The server role of the new Primary Directory Node will be changed to
domaincontroller_masterin the OpenLDAP directory service. The DNS SRV record
_domaincontroller_master._tcpwill also be adjusted.
If present, all entries of the old Primary Directory Node will be removed from the local Samba directory service. Additionally, the FSMO roles will be transferred to the new Primary Directory Node.
The computer object of the old Primary Directory Node will be deleted from OpenLDAP.
The OpenLDAP directory service will be searched for any remaining references to the old Primary Directory Node. All found references (e.g. DNS records) are shown and suggested to be fixed. The suggested fixes have to be checked and confirmed one by one.
Finally, the package univention-server-backup will be replaced by univention-server-master.
Subsequently, the LDAP directory on the new Primary Directory Node and the Univention Configuration Registry values on all UCS systems of the domain should be checked for any remaining references to the hostname or the IP address of the old Primary Directory Node. Those references need to be adjusted to the new Primary Directory Node, too.