10 Replies Latest reply: Jul 18, 2013 10:08 AM by rmcleod47
Peter Glock Level 1 (45 points)

I suffered a server hd crash on our OD master which was also providing profile manager services. I have successfully promoted a replica to master and migrated accounts to the new server. I now need to re-establish profile management services on the new server. I have a Time Machine backup of the 'old' server. Has anyone successfully moved profile management services between servers?


Mac mini, Mac OS X (10.7.4), Server
  • 1. Re: how to move profile manager to another server
    Ryan McLeod Level 1 (0 points)

    I would like to bump this back up. There's plenty of information out there about UPGRADING your server to Mountain Lion, but nothing about MOVING to a whole new server. I have an old Xserve running Lion server and we enrolled all of our devices into it and it has been working great. We now need to decommission that server and it's getting replaced with a Mac mini server that comes with Mountain Lion server. I've been able to restore the Profile Manager data from a Time Machine backup, but the APNS certificate doesn't move as part of that so I had to download a new one. Now I can't push profiles or update data on any of my devices. I don't want to have to re-enroll ALL 500+ devices again either! There's got to be a way to do this!

  • 2. Re: how to move profile manager to another server
    Peter Glock Level 1 (45 points)

    I only had 10 devices enrolled so I took the opportunity to refresh the profiles and re-enroll everyone. Not satisfactory really...

  • 3. Re: how to move profile manager to another server
    John Lockwood Level 5 (5,360 points)

    In the case of the original poster - Peter, the simplest approach to replace a server and preserve Profile Manager would be to do a full 'disaster recovery' style Time Machine restore to the new server. This would restore the operating system, applications, and all data including the Profile Manager setup. Doing this type of restore would of course wipe anything on the new server.

     

    The new server would then have the same IP address and name as the backup.

     

    In your case cloning the Xserve on to the Mac mini would be the simplest approach. Again the new server (the Mac mini) would have the same IP address and name as the old server.

  • 4. Re: how to move profile manager to another server
    rmcleod47 Level 1 (0 points)

    Unfortunately that's not an option for me as the Xserve is running Lion and cannot be upgraded to Mountain Lion. The Mini shipped with ML, so it cannot run a previous release. I cannot believe there is no solid solution to this, people eventually need to upgrade hardware!

  • 5. Re: how to move profile manager to another server
    John Lockwood Level 5 (5,360 points)

    Once you have the files on the Mac mini - even if as an incompatible Lion installation, you can then upgrade it to Mountain Lion and then add the upgraded Server.app for Mountain Lion.

     

    The data from the Lion installation will then still be there and be upgraded as part of this process.

     

    Another way of doing it is to build a Mountain Lion Server on the Mac mini and migrate the data from the Time Machine backup.

     

    See http://support.apple.com/kb/ht5381

     

    For the first approach I listed above detailed steps would be -

     

    1. Boot Mac mini in Target Disk Mode
    2. Connect Mac mini as external drive to Xserve
    3. Clone Xserve on to Mac mini
    4. Eject Mac mini and disconnect
    5. Boot Mac mini to Recovery partition
    6. Re-install Mountain Lion on top of the (now Lion) volume you cloned
    7. Reboot from now Mountain Lion volume
    8. Install Mountain Lion Server.app
    9. Let it upgrade data
  • 6. Re: how to move profile manager to another server
    rmcleod47 Level 1 (0 points)

    I did go with the latter approach of setting the Mini server identically, and then restoring the Server data from a Time Machine backup. It worked fairly well, and all of the devices are there, etc. but the APNS certificate didn't move as part of it. It had me create a new one (I used the same Apple ID), so now I can't push any new profiles to the devices that are in there.

  • 7. Re: how to move profile manager to another server
    John Lockwood Level 5 (5,360 points)

    I suspected the second (data migration) approach might not copy across the certificate.

     

    This is why I listed the other approach first since that copies everything. However it should be possible to copy the certificate across from the Time Machine backup. When booted from the Mac mini you need to mount the Time Machine drive. You do not want to be in restore mode, you just want to see it as an external drive. Then in the Finder browse to the backup of /Library/Keychains/System.keychain, open this file and copy the certificate and keys across.

  • 8. Re: how to move profile manager to another server
    rmcleod47 Level 1 (0 points)

    That seems like such a hack job though for a production server...

     

    I did try copying the certs out from the system keychain and it doesn't like that either. I believe it's because the CSRs are different because it's a whole new machine and OS. I've emailed a senior engineer at Apple and he never wrote back, I'm assuming because it's not possible...

  • 9. Re: how to move profile manager to another server
    John Lockwood Level 5 (5,360 points)

    Maybe you will have to use the first method I suggested.

  • 10. Re: how to move profile manager to another server
    rmcleod47 Level 1 (0 points)

    I did resort to trying that method and it did in fact keep that certificate and I'm now able to send locks, etc. to devices that were previously enrolled. I cannot, however, enroll any new devices. I get an error code 500 on an iOS device and an error saying that "credentials within the Device Enrollment profile have expired" when attempting to enroll a Mountain Lion computer. I've refreshed my APNS certificate and made sure I'm using a valid SSL cert, tried recreating a new Enrollment Profile, restarting, installing the Trust Profile first, but nothing seems to help. This service is so fragile!