Sorry for the long email. I'm trying to supply a bunch of information
in order to give a complete picture of my problem.

I've failed twice now to migrate my existing 10.4.11 Server setup on a
G5 Xserve (OD Master, AFP, NFS, SMB PDC and iChat server) to a new
Intel Xserve also running 10.4.11. The point of failure is the
Windows PDC functionality, and I seem to have localized it to the
Windows domain SID getting mangled during the migration process. My
Mac and Linux clients work fine after the migration. I'll start with
a question: Is it possible to migrate from 10.4 Server PPC to 10.4
Server Intel and keep all the Windows PDC stuff intact so that it is
not necessary to rejoin the Windows clients to the domain?

Here's what I've done so far...

(0) I install and update 10.4 Server on the Intel Xserve and partition
all the disks the way they are on the existing G5. I transfer data
files from the G5 that will be served up by the Intel when it takes
over. The home directory share is on an external SCSI box, so they
don't need to be transferred because I'll just plug the box into the
Intel server. I create local admin accounts to mimic the ones on the
existing G5. I name the computer differently than the existing one,
but I will use "changeip" later after the existing G5 is down. Set up
the shares as they should be compared to the existing G5.
(1) To prepare for migration, I archive the OD stuff on the G5 Xserve
using the tool in the Server Admin program to do so. I've noticed (by
mounting the resulting sparse image) that the archive process does
save the Samba /var/db/samba/secrets.tdb file, that supposedly stores
the domain SID. The other stuff in /var/samba is not saved, but I
have no idea what's stored in them anyway, presumably easily-recreated
(2) I then save all the Server Admin settings tear-off plists to use
to recreate the setups on the new machine. I'm only using the AFP,
Firewall, iChat, Open Directory, NFS and Windows services, and those
are the only tear-offs I save.
(3) Save the SSL certs & keys, etc. (purchased) from the existing
(4) I shut down the existing G5 server.
(5) Shut down the Intel server and plug my SCSI home directory disk
into the Intel box and turn it back on.
(6) I change the IP address and name of the Intel server to match the
G5. I "changeip" the Intel server to match the name of the G5.
(7) Import the SSL certs onto the new machine.
(8) Here's where I'm not exactly sure what order to do things... I
usually import the Server Admin tear-offs of the Firewall, AFP, NFS
and iChat services first because they seem simple and have fewer
dependencies. I then configure the machine as an OD Master, which
makes me enter the password for 'diradmin' account. I use a matching
password to the one used on the existing G5 server. Start services
that need to be started.
(9) Restore the OD archive from the existing G5. Look in Workgroup
Manager to see if all the accounts came over, and it seems that they
are. One strange thing is that two directory admin accounts from the
existing G5 server imported as regular accounts.
(10) Configure Windows PDC (using same domain name as used on G5) and
apply Windows service tear-off; start the Windows service
(11) Try logging into various clients -- Windows clients act like
they can't log into the domain. The message isn't that the domain
can't be found, just that the user can't be logged onto the domain.
Linux (auth via Kerberos) and Mac clients can log in.

Here are some observations I've made during the process:

Even though the OD archive has the /var/db/samba/secrets.tdb file in
it, it doesn't seem to be restored. If I do a diff to compare the
file on the new Intel machine after the archive was restored to the
one copied from the G5 machine, they are different. I've also looked
at the Windows domain SID on the G5 machine (both in the LDAP and in
the /var/db/samba/secrets.tdb using the "net getlocalsid
<domain>" (where <domain> is my domain name) command) and compared it
to the one on the Intel machine after the restoration, and they don't
match. If I copy the secrets.tdb file from the G5 to the Intel
machine, the SID is wrong, so it looks like the contents of the file
are somehow scrambled and tied to information I don't know about on
the G5. I am hoping that someone with intimate knowledge of how Samba
is integrated into Mac OS X Server can clue me in here.

Here are some more questions that I have regarding the migration
process, especially restoration of the OD archive information:
(1) Does restoration of the OD archive automatically enable the
services that were on on the machine from which the archive was
taken? IOW, do I need to configure the services with the tear-offs in
addition to restoring the OD archive into the destination computer?
(2) If I am restoring OD information from an OD Master, as in my case,
should I use the Server Admin tear-off to configure the service on the
new machine or is restoring the OD archive going to do it for me? The
order in which to apply the tear-offs and the OD archive is
mysterious, and I'm worried that there are dependencies that are
screwing me up.

I've been unable to find Apple documentation on the PPC to Intel
migration process, so if there is such a thing, I'd be grateful if
someone could point me toward it. It would be nice to have a cookbook
procedure like Apple supplies for migrating from earlier versions to
10.4, but I can't find one. Thanks in advance for everyone's help!
- Peter Schwenk
- CITA-3, Systems Administrator
- Mathematical Sciences
- University of Delaware
- schwenk _at_ math _dot_ udel _dot_ edu
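
An added example, not part of the original email: a Python check for whether a SID record copied between machines of different byte order is being misread. It assumes (this is not stated in the post) that the domain SID is stored as a raw 68-byte struct whose 32-bit sub-authorities are in the writing host's byte order; the function names and the sample SID are constructed for illustration.

```python
import struct

MAXSUBAUTHS = 15                  # assumed length of the sub-authority array
RECORD_LEN = 8 + 4 * MAXSUBAUTHS  # revision, count, 6-byte authority, 15 x uint32

def pack_sid(sid, order):
    """Build a raw record from an 'S-1-5-21-...' string; order is '<' or '>'."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string: %r" % sid)
    subs = [int(p) for p in parts[3:]]
    if len(subs) > MAXSUBAUTHS:
        raise ValueError("too many sub-authorities")
    padded = subs + [0] * (MAXSUBAUTHS - len(subs))
    return (struct.pack("BB", int(parts[1]), len(subs))
            + int(parts[2]).to_bytes(6, "big")
            + struct.pack("%s%dI" % (order, MAXSUBAUTHS), *padded))

def unpack_sid(record, order):
    """Decode a raw record, reading sub-authorities in the given byte order."""
    if len(record) != RECORD_LEN:
        raise ValueError("expected %d bytes, got %d" % (RECORD_LEN, len(record)))
    rev, count = struct.unpack_from("BB", record)
    if count > MAXSUBAUTHS:
        raise ValueError("sub-authority count %d out of range" % count)
    authority = int.from_bytes(record[2:8], "big")
    subs = struct.unpack_from("%s%dI" % (order, MAXSUBAUTHS), record, 8)[:count]
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs])

def matching_order(record, expected_sid):
    """Return the byte order that reproduces expected_sid, or None."""
    for name, order in (("little-endian", "<"), ("big-endian", ">")):
        if unpack_sid(record, order) == expected_sid:
            return name
    return None

# Constructed sample SID (not from the post), written the way a PPC host would.
SAMPLE_SID = "S-1-5-21-1000-2000-3000"
PPC_RECORD = pack_sid(SAMPLE_SID, ">")

if __name__ == "__main__":
    print("read on Intel :", unpack_sid(PPC_RECORD, "<"))
    print("read as PPC   :", unpack_sid(PPC_RECORD, ">"))
    print("matches as    :", matching_order(PPC_RECORD, SAMPLE_SID))
```

If a record taken from the old server only reproduces the SID that the old server reported when decoded as big-endian, the copied file is intact and the mismatch comes from how it is read on the new machine.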