Apologies in advance for the long post, but I figured I'd better try to
get out all the relevant details for my quandary to aid in advice.

The subject for this should be "Planning an eDir/IDM upgrade in
conjunction with OS upgrade and VM environment change" but it wouldn't
let me type all that.

Our current environments are eDir HF1 / IDM 4.0.2 Patch 6 on
RHEL 5 (and a few RHEL 6) VMware VMs. Depending on the environment
(Sandbox, Development, QA, Production) and the function (what we refer
to as the "vault", plus two smaller trees (4-6 servers each) connected
by eDir-to-eDir drivers that provide LDAP services to a subset of the
data that's in the "vault"), the trees have anywhere from 1-12 eDir
servers. 1-4 eDir servers in each tree also have IDM installed.

With support for RHEL 5 ending in Dec 2016, we are being told to migrate
all servers to RHEL 7. There is apparently no supported "in-place"
upgrade for RHEL 5->7 (if this is not correct, please let me know!). To
further complicate things, our RHEL 5 servers are in a VM environment
that is being phased out.

I'm trying to plan the most efficient, yet safe/supported, migration of
our data and drivers from the current set of servers to new VMs running
RHEL 7. Basically we're currently running everything on RHEL 5 in data
centers A and B, and need to move everything to RHEL 7 in data centers C
and D. And the VLANs to each set of servers are different, so every RHEL
7 server has to get a new hostname/IP address (even if we could just
move the VMs from one environment to the other).

My current plan is to spin up the new RHEL 7 VMs on a 1-for-1 basis to
match the RHEL 5 servers for each tree, install eDir on them
all, add them to the existing trees and replicate the data/partitions.
Then install IDM 4.5.2 on RHEL 7 servers 1-for-1 to match the RHEL 5
servers (anywhere from 1-4 IDM servers per tree) and shift the drivers
one at a time to RHEL 7 servers, testing as we go (with the fallback of
restoring drivers to RHEL 5 temporarily if firewall updates, etc., need to
be worked out). Finally, once each RHEL 5 VM is nothing but a replica
holder (not running any drivers, serving any search requests, etc.),
remove all the partitions, then remove the server from the tree.

My concern about this plan is the amount of data we have to replicate
(DIB set is about 37 GB / ~4 million objects), and the amount of time it
will take to set up all the backlinks as each RHEL 7 replica is added,
and then to purge them as each RHEL 5 replica is removed later (with our
largest tree having 16 servers in it).

I'm also wondering about the actual sequence as well - should I shift
over the master of each partition to a new server first (and also move
the CA there), and then tackle the other ones? Or do I move the
master/CA last?

And I'm currently unclear about the best way to update the RBPM-related
drivers and application (4.0.2 -> 4.5.x) if they will end up running on
different servers than they currently reside on. But that is not a main
concern at the moment; just mentioning it for completeness as it's
always been a thorn in our sides with previous (in-place) upgrades.

Oh, and one last complicating factor - it's been about 8 years since we
set up our original environments; the CAs will all be expiring in less
than 2 years. While I've got everything torn up, I would like to renew
them. Any thoughts about the best way to update/renew the CA and move
it to a new server/eDir version? Should I update/renew the CA in the
current environment before things even start moving? Or wait until I get
all the eDir RHEL 7 servers operational first? And once the CA
is renewed, do I have to update/renew all the CA-generated certs that
are out there?

Another thought I had, to hopefully be quicker than the
add-new-replicas/delete-old-replicas plan, was to try some kind of an
rsync of the data/dib directories from a RHEL 5 server (which has ndsd
shut down first) over to a RHEL 7 server, combined with some tweaks of
hosts.nds to tell the rest of the tree what the new IP for the server
object (now running on RHEL 7) is. That seems like it would be faster,
but also riskier if I didn't get all the bits I needed to get, or copied
some extras that I shouldn't have, etc. I don't know how eDirectory
would respond if it was stopped while on RHEL 5 and then restarted on
RHEL 7. But that way I'm not effectively doubling the number of servers
in my tree, with all the extra backlink work, until the migration
process is complete. Or maybe a tool like dibclone is more correct than
a straight file system copy?

Has anyone ever done a complete migration from one set of servers/eDir
version to another set of servers/different eDir version that could
speak from experience as to where the dragons are, while I'm still in
the planning stages?

brucetimberlake's Profile: https://forums.netiq.com/member.php?userid=1036
View this thread: https://forums.netiq.com/showthread.php?t=55269