Replicating DSCC between two servers?
I am installing my dscc server which I will use to configure all of the DS and DPS servers in my topology. My question is, can I replicate the DSCC database between two servers for redundancy? I have a primary site and a backup site and would like to have a dscc for all of our servers at each site. I know in 5.2 you could replicate the Netscape Root db and have the configs on multiple servers.
Thanks in advance!
By keesora at 2007-11-27 1:30:41

# 1
In the 6.0 Administration Guide, this is explained in a section called Configuring Failover for DSCC, http://docs.sun.com/app/docs/doc/819-0995/6n3cq3aob?a=view
Here's the content:
Configuring Failover for DSCC
DSCC displays the servers that you have registered in DSCC.
If the machine on which you have installed DSCC fails, you can install DSCC on another machine and then reregister your servers. However, this can be time-consuming. If you want to have immediate access to your servers through DSCC, you can configure DSCC failover.
To configure DSCC failover, take the following considerations into account:
* All information for registered servers is stored in the DSCC registry. This registry is a Directory Server instance. You can use the administration commands dsadm and dsconf to manage the registry.
* The DSCC registry has the following default characteristics:
  Server instance:
    Solaris: /var/opt/SUNWdsee/dscc6/dcc/ads
    Linux and HP-UX: /var/opt/sun/dscc6/dcc/ads
    Windows: C:\Program Files\Sun\DSEE\var\dscc6\dcc\ads
  Suffix: cn=dscc
  Port: LDAP 3998, LDAPS 3999
* After you have installed DSCC on two or more machines, you can set up replication between the DSCC registry suffixes. Use the replication command-line procedures described in Chapter 10, Directory Server Replication. Alternatively, for an example of setting up a simple replication configuration, see the dsconf(1M) man page.
After replication is set up, you can access the same servers that are registered in DSCC from different machines. For example, if you set up replication between the DSCC registry suffixes on host1 and host2, you can manage the same servers using DSCC on either https://host1:6789 or https://host2:6789. In case of host failure, access DSCC from the other host.
# 2
This is a process I have used to get dscc replication working.
Set the multimaster password file on both servers
echo "PASSWORD" > /tmp/dsccreplmanpwd.txt
on SERVER1:
dsconf set-server-prop -e -i -h SERVER1 -p 3998 def-repl-manager-pwd-file:/tmp/dsccreplmanpwd.txt
on SERVER2:
dsconf set-server-prop -e -i -h SERVER2 -p 3998 def-repl-manager-pwd-file:/tmp/dsccreplmanpwd.txt
Enable replication on both servers
on SERVER1:
dsconf enable-repl -h SERVER1 -p 3998 -e -i -d 10 master cn=dscc
on SERVER2:
dsconf enable-repl -h SERVER2 -p 3998 -e -i -d 20 master cn=dscc
Output the default certificates on both servers
on SERVER1:
dsadm show-cert -F der -o /var/tmp/SERVER1-dscc-certfile /var/opt/SUNWdsee/dscc6/dcc/ads defaultCert
on SERVER2:
dsadm show-cert -F der -o /var/tmp/SERVER2-dscc-certfile /var/opt/SUNWdsee/dscc6/dcc/ads defaultCert
Copy certificates to respective servers
Add CA server certificates from respective servers
on SERVER1:
dsadm add-cert --ca /var/opt/SUNWdsee/dscc6/dcc/ads "SERVER2 DSCC Repl Manager Cert" /var/tmp/SERVER2-dscc-certfile
on SERVER2:
dsadm add-cert --ca /var/opt/SUNWdsee/dscc6/dcc/ads "SERVER1 DSCC Repl Manager Cert" /var/tmp/SERVER1-dscc-certfile
Create a replication agreement on each server with the other server
on SERVER1:
dsconf create-repl-agmt -h SERVER1 -p 3998 -e -i --auth-protocol "ssl-simple" cn=dscc SERVER2:3999
on SERVER2:
dsconf create-repl-agmt -h SERVER2 -p 3998 -e -i --auth-protocol "ssl-simple" cn=dscc SERVER1:3999
Configure the authentication password file to be the replication manager password file of the consumer (destination) server in the replication agreement
on SERVER1:
dsconf set-repl-agmt-prop -h SERVER1 -p 3998 -e -i cn=dscc SERVER2:3999 auth-pwd-file:/tmp/dsccreplmanpwd.txt
on SERVER2:
dsconf set-repl-agmt-prop -h SERVER2 -p 3998 -e -i cn=dscc SERVER1:3999 auth-pwd-file:/tmp/dsccreplmanpwd.txt
Restart both servers in order to take configuration changes into account
dsadm restart /var/opt/SUNWdsee/dscc6/dcc/ads
Do an ldif export on SERVER1 and SERVER2:
dsconf export -h SERVER1 -p 3998 cn=dscc /var/tmp/dscc-SERVER1.ldif
dsconf export -h SERVER2 -p 3998 cn=dscc /var/tmp/dscc-SERVER2.ldif
Create ldif import file to initialize dscc on SERVER1 with. Use /var/tmp/dscc-SERVER1.ldif and append the following entry from
/var/tmp/dscc-SERVER2.ldif on SERVER2:
dn: cn=SERVER2@/var/opt/SUNWdsee/dscc6/dcc/ads,cn=Servers,cn=dscc
secureport: 3999
port: 3998
servertype: ADS
instanceowner: noaccess
objectClass: extensibleobject
objectClass: top
description: DS instance used as the DSCC registry
cn: SERVER2@/var/opt/SUNWdsee/dscc6/dcc/ads
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20070510045551Z
modifyTimestamp: 20070510045551Z
nsUniqueId: b6ad3530-feb211db-80828567-1f32384c
The entry added is for the dscc instance on SERVER2. It is of type ADS which means it is hidden from view in the dscc gui. This entry is needed though to actually be able to use the dscc on SERVER2 in a failover situation.
The import file was saved to /var/tmp/dscc-master-import.ldif on SERVER1.
Initialize SERVER1 with /var/tmp/dscc-master-import.ldif:
dsconf import -h SERVER1 -p 3998 /var/tmp/dscc-master-import.ldif cn=dscc
Initialize SERVER2 from SERVER1 using the replication agreement
on SERVER1:
dsconf init-repl-dest -e -i -h SERVER1 -p 3998 cn=dscc SERVER2:3999
Delete the password file on both servers:
rm /tmp/dsccreplmanpwd.txt
Show replication status:
dsconf show-repl-agmt-status -h SERVER1 -p 3998 cn=dscc SERVER2:3999
dsconf show-repl-agmt-status -h SERVER2 -p 3998 cn=dscc SERVER1:3999
The dscc ds instance is now replicated to both servers. Before you can manage the /opt/ds instances from SERVER2 you have to bind as the Directory Manager for these instances. The admin user (cn=admin,cn=Administrators,cn=dscc) only has the ability to stop and start these instances. To edit their contents you need to bind as the DM. Until this is done they will show up as an error via the dscc gui and also when running dsccreg from SERVER2:
dsccreg list-servers -C -a
Hostname  Port  sPort  Type  Owner     iPath                            LDAP   sTLS    LDAPS
--------  ----  -----  ----  --------  -------------------------------  -----  ------  ------
SERVER2   389   636    DS    nobody    /opt/ds                          Error  Error   Error
SERVER2   3998  3999   ADS   noaccess  /var/opt/SUNWdsee/dscc6/dcc/ads  Ok     Denied  Denied
SERVER1   389   636    DS    nobody    /opt/ds                          Error  Error   Error
SERVER1   3998  3999   ADS   noaccess  /var/opt/SUNWdsee/dscc6/dcc/ads  Down   Down    Down
4 server instance(s) found in DSCC on localhost.
This bind is done via the dscc gui by clicking on a section requiring DM rights. A box will pop up asking you to put in the DM password. Access is now enabled and there will be no more error messages.
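The one step in the procedure above that is done by hand is building the import file: take SERVER1's export and append only the registry's own ADS entry (cn=SERVER2@<instance path>,cn=Servers,cn=dscc) from SERVER2's export, leaving SERVER2's other registrations out so they are not duplicated. The script below is an added example, not code from the original post or from DSEE; it automates that merge with awk, using the file names the post uses, and checks the result before it is handed to dsconf import. The LDIF it writes into a temporary directory is a constructed stand-in for the two dsconf export files.

```shell
#!/bin/sh
# Added example (not from the original post): build the DSCC registry import
# file that the post assembles by hand. BASE export + the other host's ADS entry.

# extract_ads_entry FILE HOST
# Print the ADS registry entry for HOST from an LDIF export. LDIF entries are
# separated by blank lines, so awk paragraph mode (RS="") yields one entry per
# record and continuation lines (leading space) stay inside their entry.
# The "@" after the host name keeps SERVER1 from also matching SERVER10.
extract_ads_entry() {
    awk -v host="$2" '
        BEGIN { RS = ""; ORS = "\n\n" }
        $1 == "dn:" && index($2, "cn=" host "@") == 1 && /servertype: ADS/ { print }
    ' "$1"
}

# count_ads_entries FILE - number of registry (servertype: ADS) entries in FILE
count_ads_entries() {
    awk 'BEGIN { RS = "" } $1 == "dn:" && /servertype: ADS/ { n++ } END { print n + 0 }' "$1"
}

# merge_registry_exports BASE_LDIF OTHER_LDIF OTHER_HOST OUT
# OUT = BASE_LDIF with trailing blank lines removed, one blank-line separator,
# then OTHER_HOST's ADS entry taken from OTHER_LDIF. Returns non-zero if the
# merged file does not carry an ADS entry for OTHER_HOST.
merge_registry_exports() {
    {
        awk '{ l[NR] = $0 }
             END { n = NR; while (n > 0 && l[n] ~ /^[ \t]*$/) n--
                   for (i = 1; i <= n; i++) print l[i] }' "$1"
        printf '\n'
        extract_ads_entry "$2" "$3"
    } > "$4"
    grep -q "^dn: cn=$3@" "$4" && grep -q 'servertype: ADS' "$4"
}

# make_sample_exports DIR - constructed stand-ins for the two dsconf exports
# (attribute set reduced to what the merge needs; not real DSEE output).
make_sample_exports() {
    cat > "$1/dscc-SERVER1.ldif" <<'EOF'
dn: cn=dscc
objectClass: extensibleobject
objectClass: top
cn: dscc

dn: cn=Servers,cn=dscc
objectClass: extensibleobject
objectClass: top
cn: Servers

dn: cn=SERVER1@/opt/ds,cn=Servers,cn=dscc
objectClass: extensibleobject
objectClass: top
cn: SERVER1@/opt/ds
port: 389
secureport: 636
servertype: DS
instanceowner: nobody

dn: cn=SERVER1@/var/opt/SUNWdsee/dscc6/dcc/ads,cn=Servers,cn=dscc
objectClass: extensibleobject
objectClass: top
cn: SERVER1@/var/opt/SUNWdsee/dscc6/dcc/ads
port: 3998
secureport: 3999
servertype: ADS
instanceowner: noaccess
description: DS instance used as the DSCC registry

EOF
    cat > "$1/dscc-SERVER2.ldif" <<'EOF'
dn: cn=dscc
objectClass: extensibleobject
objectClass: top
cn: dscc

dn: cn=Servers,cn=dscc
objectClass: extensibleobject
objectClass: top
cn: Servers

dn: cn=SERVER2@/opt/ds,cn=Servers,cn=dscc
objectClass: extensibleobject
objectClass: top
cn: SERVER2@/opt/ds
port: 389
secureport: 636
servertype: DS
instanceowner: nobody

dn: cn=SERVER2@/var/opt/SUNWdsee/dscc6/dcc/ads,cn=Servers,cn=dscc
objectClass: extensibleobject
objectClass: top
cn: SERVER2@/var/opt/SUNWdsee/dscc6/dcc/ads
port: 3998
secureport: 3999
servertype: ADS
instanceowner: noaccess
description: DS instance used as the DSCC registry
EOF
}

# Stand-alone run: merge the constructed exports and report what was kept.
demo_dir=$(mktemp -d)
make_sample_exports "$demo_dir"
merge_registry_exports "$demo_dir/dscc-SERVER1.ldif" "$demo_dir/dscc-SERVER2.ldif" SERVER2 \
    "$demo_dir/dscc-master-import.ldif"
echo "ADS entries in import file: $(count_ads_entries "$demo_dir/dscc-master-import.ldif")"
```

On the real hosts, run it against the two files written by dsconf export (the post's /var/tmp/dscc-SERVER1.ldif and /var/tmp/dscc-SERVER2.ldif) and feed the output file to the dsconf import step; count_ads_entries should report 2 before the import, one registry entry per DSCC host.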