OD Master/Replica upgrade best practices

Question

Level 1

0 points

OD Master/Replica upgrade best practices

I am attempting to upgrade a Mac Pro running OS X 10.6.8 Server to OS X 10.9 with Server App and having difficulties. I am looking to know the best practices for upgrading a 10.6.8 Open Directory Master and Replica to 10.9 or later.

Some background on our environment:

Our 10.6.8 Master server also functions as an afp/smb file server, an internal web server, and manages Mac clients using MCX controls. Our Mac clients (running various versions of OS X 10.9 and OS X 10.10) log into their computers with their OD accounts. Our replica server also performs the same functions. We have a ChronoSync job that mirrors data from the file shares to the replica server every night. (Only the shared volumes are mirrored, nothing on the OS volume) In case of an emergency, we can cut over our users to the Replica server.

I have attempted to upgrade the Master server before:

Upgrading the OS and installing the Server.app was remarkably simple, and I found that AFP, SMB, and web services all worked normally. However, after the upgrade, some users are unable to log in to their Macs. Specifically, no clients running OS X 10.10 can log in, while clients running 10.9 are able to log in normally. I tried unbinding a 10.10 client from the OD domain but was unable to rebind it.

I had created an archive of my OD before starting this upgrade. Thinking the OD may have been corrupted, I attempted to restore using slapconfig -restoredb /myarchive but this resulted in all my users and groups being wiped out! That may be an unrelated issue but regardless it ended up with my having to do a bare metal restore of the whole server from before the upgrade. Once the server was back to the previous state, I was able to rebind by 10.10 client and log into all clients normally.

I have read in a few places that an OD server should be upgraded Master first, and then Replica. What is not clear is whether the Replica will specifically corrupt or confuse the upgrade process, and if I should be destroying the replica first.

Mac Pro, Mac OS X (10.6.8), OS X Server

Posted on Jun 1, 2015 3:26 PM

Reply

Answer 1

mhadjar

Level 2

191 points

Jun 18, 2015 2:00 PM in response to burtfurn

When I did my 10.7 to 10.8 upgrade, I did a full disk image of both servers. I then shutdown the replica and upgraded the master. Once I verified the master was working fine, I then upgraded the OS and Server app on the replica and completed the upgrade.

The downside to this is a large window of downtime where users can't authenticate or use the server. However, I'm not sure if leaving the replica up would cause any issues with its copy once it detects a newer OS/Server on the primary. I would like to hear from an expert on this.

Reply

Answer 2

Jun 19, 2015 2:38 AM in response to burtfurn

A replica has to be on the same major version as the master e.g. 10.6 and 10.6 or 10.9 and 10.9. Some people are even so paranoid as to say they need to be on the same minor versions although I think that is taking things too far. You cannot have a 10.6 replica connected to a 10.9 master.

Note: The latest Server.app is now supposed to be independent of the version of OS X itself.

In your case with 10.6 and moving to 10.9 you would need to first destroy the replica, then upgrade the master, then upgrade the Mac that was the replica, and then finally remake it in to a replica. Having backups before doing all of this would of course be a very good idea and yes this does take some time to do.

I would also say that historically Apple have not always been perfect at handling in-situ upgrades as a result it is sometimes necessary or preferable to go to the extra hassle of exporting all your users and groups (except your Open Directory Admin account), building a brand new empty Open Directory master and then importing your users and groups. This method does however mean you need to reapply passwords for all the users. I had to do this recently myself.

Reply