In order to get some level of redundancy I did set up a second OES SP2
server as a virtual machine in our small network.

Configuration with YAST (names and IPs changed):
(x) Existing Tree
Tree Name mycompany
IP Address of an existing eDirectory server with a replica:
Enter NCP Port on the existing server: 524
Enter Secure LDAP Port on the existing server: 636
FDN Existing admin name with context (i.e. cn=admin.o=novell):
Admin Password: ****
Enter Server Context: o=mycompany
Directory Information Base (DIB) Location: /var/nds/dib
Enter LDAP Port: 389
Enter Secure LDAP Port: 636
Enter iMonitor Port: 8028
Enter Secure iMonitor Port: 8030
Network Time Protocol (NTP) Server:
(x) Do not configure SLP
SLP has not been configured.

On the Linux clients:
The other files relevant on the client side like /etc/nsswitch.conf oder
/etc/pam.d/* do not specify the server name. So probably no further
changes are needed here. Right?

E.g. /etc/pam.d/common-auth:
auth required
auth required

On the old server I can see the replica in iManager with
Roles and Tasks -> Partition and Replica Management -> Replica View

As a test I can boot one of the clients with the entry removed in /etc/ldap.conf. Then the client
binds to secondserver (as seen e.g. with netstat) and users can happily
log in.

If, however, firstserver is down all logins are rejected. The LDAP is
still searchable and I can see the ldap-connections on secondserver with
netstat. So obviously I am missing something.

As this is possibly a very silly newbie question I would be happy and
content with some keywords to search for or a link to a paper that
describes in plain words how to set up OES SP2 as a replica with user