scrogers

Q: Best Practice Upgrade Path- Server 3 to 5?

Hello,

 

I'm in the process of both a migration and upgrade of a Profile Manager server. I currently run an older mac mini server running 10.9.5 and Server 3 with an extensive Profile Manager setup. I have recently successfully migrated the server itself off the old mac mini onto a late 2009 Xserve by cloning the drive. Still double-checking everything, but it appears the move from the mini to the Xserve was successful and everything is working as it should (just with vastly improved performance).

 

My main question now comes that I'd like to get this all up-to-date software-wise and move to Server 5 and 10.11. I see plenty of documentation (even officially from Apple) about best practice for upgrading from Server 3 to 4 and Yosemite, but cannot find much about Server 5 and El Capitan, let alone jumping from 3 to 5. I understand I'll likely have to buy Server.app again, and that's fine... but should I be staging this with 10.9 to 10.10 and Server 4... make sure all is well... and THEN jump to 10.11 and Server 5... Or, is it "safe" (or ok) to jump from Server 3 to 5 (and 10.9.5 to 10.11.x)? Obviously, the AppStore is happy to make the jump from 10.9 to 10.11, but again, looking for best practice here.

 

I will of course make sure all backups are up to date and pull another clone just before any path I take... but just wondering if anyone has made the 3-5 jump... and had things (like Profile Manager) still work correctly on the other side?

 

Thanks for any info and/or direction.

Posted on Jun 22, 2016 11:24 AM

  • by cdhw,

    cdhw Jun 22, 2016 2:25 PM in response to scrogers

    In your position I would keep the Mini running Server 3, install El Capitan and Server 5 on the Xserve and plod through setting up Server 5 by hand. Things that have to be 'migrated', like Open Directory, should be handled by exporting from the mini and re-importing on the Xserve.

     

    In my experience, OS X Server installations that have been 'migrated' always seem to end up with esoteric problems that are difficult to fix, and it's easier to adopt the above procedure than to waste a day trying.

     

    YMMV

     

    C.

  • by Strontium90,

    Strontium90 Jun 22, 2016 8:01 PM in response to scrogers

    I will agree with cdhw.  Profile Manager is a service I love to hate.  Going from Server 3 to Server 5 is a big jump with a lot of changes to the underlying database.  I've seen Profile Manager self-destruct on a dot dot OS patch.  I am pretty confident it will self-destruct and take your geographic region with it on a two OS and two server version jump.

     

    So before you begin, ask yourself if the upgrade is really needed.  If you are buying new gear and embracing new features like DEP and the latest iteration of VPP, then you need to move to the latest.  If you are supporting the same fleet and not altering the OS, then maybe your best bet is to stay where you are and continue to function.

     

    This is not to say that an in-place upgrade will not be successful.  You may be lucky.  If you are going to try the upgrade route, I strongly encourage getting the server into as much isolation as possible.  Close any NAT/PAT maps to the server to ensure no external devices can access.  Turn off as many client devices as possible.  If you have an OD replica, destroy it BEFORE upgrading (you can add it later).  Stop all stoppable services on the server.  Shut down the server.  Reboot to alternate volume.  Create a DMG restorable clone of the server.  Confirm that it is restorable.  Perform the upgrade, ensuring that no services are active until you validate the required service chain.  After final reboot, make sure ARD is working (usually the management ports are active but the control/observe functions are busted), make sure DNS is working.  Don't start any services until DNS and server identity is validated as unchanged.  Validate one service at a time.  Go into OD and make sure you can add, delete, and EDIT accounts.  Do this test repeatedly (meaning at least 6 times).  If you have any problems, revert to your backup.  If OD checks out, then launch Profile Manager.  Cross fingers.  Watch the system log during Server.app install/upgrade and when launching individual services.  Use tail -f /var/log/system.log to watch the log live.  In a second Terminal window use the logger command to enter break points, such as logger "starting server.app upgrade now"

     

    Once Profile Manager fires up, hit the web admin first.  Confirm that all users, groups, and devices are present.  Check your payloads.  Try and create a bogus placeholder to confirm DB write.  If you get this far, turn on one machine.  Send a blank push to the one machine or force an update.  Confirm that no errors appear on the machine and that the push is successful (meaning it does not sit forever in pending).  Create a new payload just for the test machine.  Confirm delivery of the payload.

     

    If you are already doing VPP, get a free App, make sure it appears, and assign it to the test device.  DEP is new so there will be no means of testing unless you buy your latest round through DEP association.  If you have a spare device, try an enrollment.  If all functions check out, then open up your network, turn on your other devices, and rejoice in the glow of success.

     

    Out of curiosity, I am guessing you are a school.  How large is your fleet and are you supporting both iOS and OS X?

     

    Reid

    Apple Consultants Network

    Author - "El Capitan Server – Foundation Services"

    Author - "El Capitan Server – Control & Collaboration"

    Author - "El Capitan Server – Advanced Services"

    :: Exclusively available in Apple's iBooks Store
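
The log-watching step in the reply above (tail -f on system.log plus logger break points) can be turned into a per-phase summary after the upgrade. This is an added example, not part of any post in this thread; it assumes the markers were written with `logger -t upgrade-mark "..."` (the tag name is a made-up convention) and it runs on a constructed sample log.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: markers were written with
#   logger -t upgrade-mark "starting server.app upgrade now"
# so each phase boundary appears in system.log under the tag "upgrade-mark".
MARK_TAG="upgrade-mark"

# Print one line per phase: <marker text> TAB <error-line count> TAB <codes or ->
errors_by_phase() {
    awk -v tag="$MARK_TAG" '
        function start(p) { phase = p; order[++n] = p; errs[p] = 0; codes[p] = "" }
        BEGIN { start("(before first marker)") }
        # Marker line: "<date> <host> upgrade-mark[pid]: <phase text>"
        match($0, " " tag "(\\[[0-9]+\\])?: ") { start(substr($0, RSTART + RLENGTH)); next }
        /[Ee]rror/ {
            errs[phase]++
            # Collect NSError codes such as "Code=-25304" for later lookup
            if (match($0, /Code=-?[0-9]+/))
                codes[phase] = codes[phase] " " substr($0, RSTART + 5, RLENGTH - 5)
        }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                printf "%s\t%d\t%s\n", p, errs[p], (codes[p] == "" ? "-" : substr(codes[p], 2))
            }
        }
    ' "${1:--}"
}

# Constructed sample log. The last line reuses the error quoted later in this
# thread, with a placeholder host name.
sample_log() {
    cat <<'EOF'
Jul 26 14:20:01 server.example.com upgrade-mark[900]: starting server.app upgrade now
Jul 26 14:31:10 server.example.com Server[1401]: Update finished
Jul 26 14:45:00 server.example.com upgrade-mark[950]: starting Open Directory checks
Jul 26 14:50:00 server.example.com upgrade-mark[990]: starting Profile Manager
Jul 26 14:50:37 server.example.com Server[1401]: Error: The server '127.0.0.1' reported an error while processing a command of type: 'writeSettings' in plug-in: 'servermgr_devicemgr'. Error: Error Domain=NSOSStatusErrorDomain Code=-25304 "errKCInvalidItemRef / errSecInvalidItemRef:  / The item reference is invalid." UserInfo={NSLocalizedDescription=Carbon error -25304}
EOF
}

# With a file argument, summarise that log; otherwise run on the sample.
if [ -n "${1:-}" ]; then errors_by_phase "$1"; else sample_log | errors_by_phase; fi
```

A phase that reports 0 errors was clean in the log; a phase with a non-zero count is the place to stop and compare against the restorable clone before starting the next service.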

  • by scrogers,

    scrogers Jun 23, 2016 10:35 AM in response to Strontium90

    C and Reid, thanks so much for the reply,

     

    First, to C's points- Starting from scratch with a fresh 10.11 install and importing was what I had initially wanted to do. However (and please correct me if I'm wrong), my research from here and other enterprise managed mac sites led me to believe that there is no real way to properly export and then migrate and import a Profile Manager installation(?). While it is totally possible to export the database and reimport (again, from what I'd read), you'd lose the individual group setting in the migration (have to remake them), but much more problematic, while the clients still work/communicate properly with the "new" Profile Manager installation, the server will now not accept new clients due to the certificates not being identical on the new hardware.

     

    In the end, I had read that essentially the only option to truly maintain your Profile Manager server on a different physical machine was to do a true drive clone onto the new machine, then from there, do upgrades. This was why I went the way I did, but now cannot find much info on upgrading from 3 to 5, only 3 to 4.

     

    Reid,

     

    Yes we're a school and my Profile Manager installation has 500+ clients and is growing, and losing management (or re-enrollment) of the clients would be a mess. We have everything from 10.9 to 10.11. I have experimented (successfully) with iOS devices, but we don't have many actually being managed (not a big deal). I have also experimented (successfully) with VPP distribution. We sorta had a system in place for VPP distribution long before Profile Manager could handle it, and we've sorta stuck with that... but I was asked to prepare PM to do it if we ever wanted. I made it work in a test environment and keep the certs up to date, but don't actively use VPP via PM. We have PM tied in with AD for both login and some permissions setting on the client machines.

     

    My training started back in the 10.6 Server "Golden Triangle" days of Workgroup Manager and OD with AD. We migrated to PM about 3 years ago and use it mostly for machine settings distribution and permissions management.

     

    I hear you on the dot upgrades... honestly, we have had a little weirdness since a Server 3.2.1 update that causes new clients to not automatically push their settings, but works if you manually update the info and then from there out. I have actually seen reference to this exact issue before on this site, but the recommendations to fix ranged from "leave it, you may mess it up" to "mess with the database" (which didn't end well for one person), to "upgrade to Server 4 and see if it fixes it" (mixed success of others on this front).

     

    Anyway, thanks to both of you again for the advice... I'm a little torn... if an export and reimport works the way I thought (all above) then I don't think that's a route I want to go... but... upgrading is scaring me a bit...

  • by scrogers,

    scrogers Jul 26, 2016 12:20 PM in response to scrogers

    Hey all,

     

    Well... Mixed success and now stuck...

     

    So, as an update... I basically followed the procedure outlined by Reid (thank you again) on a completely separate, non-networked box (Mini) running a clone of my active server. I shut down all services, etc etc... then ran a 10.11.5 upgrade off of a USB key. That went smoothly. I then upgraded to 10.11.6 using a downloaded combo update (again, no network connections and all smooth). I then installed Server 5.1.7 downloaded from another machine. Again, everything here appeared to work, nothing glaring in the logs etc.

     

    Launched Server 5... Took upwards of 20 min to "update" but landed me on the Server page. OD had started itself once the new Server.app was opened (even though it had been shut down). All appeared well with OD, however. Reenabled "websites"- all fine. Crossed fingers, turned "on" Profile Manager... nothing... It says "Starting" for about 5 minutes, before resetting to off... In the log... only one thing-

     

    "Jul 26 14:50:37 <server name> Server[1401]: Error: The server '127.0.0.1' reported an error while processing a command of type: 'writeSettings' in plug-in: 'servermgr_devicemgr'. Error: Error Domain=NSOSStatusErrorDomain Code=-25304 "errKCInvalidItemRef / errSecInvalidItemRef:  / The item reference is invalid." UserInfo={NSLocalizedDescription=Carbon error -25304}"

     

    This single line comes up about a second after trying to start the Profile Manager Service, nothing else... The internet isn't helping me much here. From the limited info I was able to find -25304 is a Keychain Access error(?), but again, having a very difficult time finding much of any experience with this.

     

    Only other bit of info was the second (not first) time I opened the Server App, the OS came up with a Keychain Dialog box saying that "The app "Server.app" was attempting to access the keychain for "127.0.0.1" and would I like to allow it?" I said yes (and always allow)...

     

    So, I've been trying various things... but am now stuck. The PM service won't even start and throws that single line when attempting to start it...

     

    Open to any ideas or guidance... Thanks in advance!

  • by BoxRoyer,

    BoxRoyer Aug 3, 2016 11:01 PM in response to scrogers

    I have the same issue here on a x server 5.1.
    I performed the sudo slapconfig -destroyldapserver and re-created the LDAP server, but it didn't help.