To convert a secondary Administration Console into a primary Administration Console, a recent backup of Administration Console must be available. For information about how to perform a backup, see Section 30.2, Backing Up the Access Manager Configuration. A backup is necessary to restore the certificate authority (CA).
If the failed server holds a master replica of any partition, you must use ndsrepair to designate a new master replica on a different server in the replica list.
WARNING:Perform these steps only if the primary Administration Console cannot be restored. If you have a recent backup, you can restore the primary Administration Console to new hardware. This is an easier configuration task than converting a secondary console into a primary console. See Section 32.1.5, Moving the Primary Administration Console to a New Hardware.
This conversion includes the following tasks:
If your primary Administration Console is running, you must log in as an administrator and shut down the service.
Linux: Start YaST, click System > System Services (Runlevel), then select to stop the ndsd service.
Windows: Open the Control Panel, click Administrative Tools > Services, then select to stop the x64 NDS Server.
Changing the master replica to reside on the new primary Administration Console makes this Administration Console into the certificate authority for Access Manager. You need to first designate the replica on the new primary Administration Console as the master replica. Then you need to remove the old primary Administration Console from the replica ring.
At secondary Administration Console, log in as root.
Change to the /opt/novell/eDirectory/bin directory.
Run DSRepair with the following options:
./ndsrepair -P -Ad
Select the one available replica.
Select Designate this server as the new master replica.
Type I Agree when prompted.
Specify the DN of the admin user in leading dot notation. For example:
.admin.novell
Run ndsrepair -P -Ad again.
Select the one available replica.
Select View replica ring.
Select the name of the failed primary server.
Select Remove this server from replica ring.
Specify the DN of the admin user in leading dot notation. For example:
.admin.novell
Specify password.
Type I Agree when prompted.
Continue with Restoring CA Certificates.
At secondary Administration Console, log in as an administrator.
Change to the C:\Novell\NDS directory.
Start the NDSCons.exe program.
Select dsrepair.dlm.
In the Parameters box, specify -A, then click Start
Click Partitions > Root > Designate This Server As The New Master Replica.
Open Partitions > Root, select the server, and verify that the replica is the master replica.
Run dsrepair again with -A in the Parameters box.
Click Partitions > Root, then select the name of the failed primary server.
From the menu, click Partitions > Replica Rings > Remove Server From Ring.
Specify the DN of the admin user in leading dot notation. For example:
.admin.novell
Specify password.
Continue with Restoring CA Certificates.
Perform the following steps on the machine that you are promoting to be a primary console.
Copy your most recent Administration Console backup files to your new primary Administration Console.
On a Windows 2012 server, open the Registry Editor using the regedit command.
Traverse to \HEKY_LOCAL_MACHINE\SOFTWARE\NOVELL\AccessManager\Devman key.
Update the value of the key with the IP address of the new Primary Administration Console.
Change to the backup bin directory:
Linux: /opt/novell/devman/bin
Windows Server 2012: \Program Files\Novell\bin
Verify the IP address in the backup file. The IP_Address parameter value should be the IP address of the new Primary Administration Console.
Open the backup file:
Linux: defbkparm.sh
Windows: defbkparm.properties
Verify that the value in the IP_Address parameter is the IP address of your new primary console.
Save the file.
Run the certificate restore script:
Linux: sh aminst-certs.sh
Windows: aminst-certs.bat
When prompted, specify the administrator’s password and location of the backup files.
Continue with Verifying the vcdn.conf File.
Verify whether the vcdn.conf file contains IP address of the new Administration Console. If it contains IP address of the failed primary Administration Console, replace it with the new IP address.
IMPORTANT:Delete the line <vcdnPrimaryAddress><Failed Primary Administration Console IP address></vcdnPrimaryAddress> from the vcdn.conf file.
For example, delete <vcdnPrimaryAddress>10.10.10.11</vcdnPrimaryAddress> where 10.10.10.11 is the IP address of the failed primary administration console.
Change to the Administration Console configuration directory:
Linux: /opt/novell/devman/share/conf
Windows Server: \Program Files\Novell\Tomcat\webapps\roma\WEB-INF\conf
Run the following command in the command line interface to restart Administration Console:
Linux: /etc/init.d/novell-ac restart or rcnovell-ac restart
Windows: net stop Tomcat8
net start Tomcat8
Continue with Deleting Objects from the eDirectory Configuration Store.
Objects representing the failed primary Administration Console in the configuration store must be deleted.
Log in to the new Administration Console, then click Troubleshooting.
In the Other Known Device Manager Servers section, select the old primary Administration Console, then click Remove.
Remove traces of the failed primary Administration Console from the configuration datastore:
In the Access Manager menu bar, select View Objects.
In the Tree view, select novell.
Delete all objects that reference the failed primary Administration Console.
You should find the following types of objects:
SAS Service object with the hostname of the failed primary console
Any object that starts with the last octet of the IP address of the failed primary console
LDAP server object with the hostname of the failed primary console
LDAP group object with the hostname of the failed primary console
SNMP Group object with the hostname of the failed primary console
HTTP Server object with the hostname of the failed primary console
DNS AG object with the hostname of the failed primary console
DNS EC AG object with the hostname of the failed primary console
DNS IP object with the hostname of the failed primary console
SSL CertificateDNS with the hostname of the failed primary console
SSL EC CertificateDNS with the hostname of the failed primary console
SSL CertificateIP with the hostname of the failed primary console
IP AG object with the hostname of the failed primary console
IP EC AG object with the hostname of the failed primary console
NCP server object with the hostname of the failed primary console
PS object with the hostname of the failed primary console
Continue with Performing Component-Specific Procedures.
If you have installed the following components, perform the cleanup steps for the component:
If you had an Identity Server installed with your failed primary Administration Console, you need to clean up the configuration database to remove references to this Identity Server.
Log in to Administration Console.
Remove Identity Server:
Click Devices > Identity Servers.
Select Identity Server that was installed with the primary Administration Console.
Remove it from the cluster, then delete it.
If you installed a third Administration Console used for failover, you must manually perform the following steps on that server:
Open the vcdn.conf file.
Linux: /opt/novell/devman/share/conf
Windows Server 2012: \Program Files\Novell\Tomcat\webapps\roma\WEB-INF\conf
In the file, look for the line that is similar to the following:
<vcdnPrimaryAddress>10.1.1.1</vcdnPrimaryAddress>
In this line, 10.1.1.1 represents the failed primary Administration Console IP address.
Change this IP address to the IP address of the new primary Administration Console.
Restart Administration Console by entering the following command from the command line interface:
Linux: /etc/init.d/novell-ac restart OR rcnovell-ac restart
Windows: Use the following commands:
net stop Tomcat8
net start Tomcat8
For each Access Gateway Appliance imported into Administration Console, edit the settings.properties file on Access Gateway if the primary Administration Console was not configured as the Audit Server. The settings.properties file is required for JCC Communication between devices and Administration Console.
If the primary Administration Console was configured as an Audit Server, you must update the IP address of the new primary Administration Console in the Auditing page.
When the Primary Administration Console Was Not Configured as the Audit Server
At Access Gateway Appliance, log in as the root user.
Open a terminal window and shut down all services by entering the following command:
/etc/init.d/novell-appliance stop
Edit the settings.properties file:
Enter: vi /opt/novell/devman/jcc/conf/settings.properties
Change the IP address in the remotemgmtip list from the IP address of the failed Administration Console to the address of the new primary Administration Console.
Enter :wq! to save and exit.
At Access Gateway Appliance, start all services by entering the following commands:
/etc/init.d/novell-appliance start
(Conditional) Repeat this process for each Access Gateway that has been imported into Administration Console.
When the Primary Administration Console Was Configured as the Audit Server
On the secondary Administration Console Dashboard, click Auditing.
In the Server Listening Address field change the IP address to the secondary Administration Console’s IP address.
Click Apply > OK.
(Conditional) Repeat this procedure for each Access Gateway that has been imported into Administration Console.
For each Access Gateway Service imported into Administration Console, edit the settings.properties file on Access Gateway if the primary Administration Console was not configured as the Audit Server.
If the primary Administration Console was configured as an Audit Server, you must update the old IP address with the IP address of the new primary Administration Console.
At Access Gateway Service, log in as the root or the Administrator user.
Shut down all Access Gateway Services.
Linux: Enter the /etc/init.d/novell-appliance stop command.
Windows: Click Control Panel > Administrative Tools > Services, then stop the following services:
Apache Tomcat JCCServer
Stopping Apache Tomcat causes Apache 2.4 to also stop.
(Conditional) If your audit server was on the primary Administration Console, replace the old IP address with the new primary Administration Console IP address:
On the secondary Administration Console Dashboard, click Auditing.
In the Server Listening Address field change the IP address to the secondary Administration Console’s IP address.
Click Apply > OK.
Edit the settings.properties file:
Change to the directory and open the file.
Linux: /opt/novell/devman/jcc/conf
Windows: \Program Files\Novell\devman\jcc\conf
Change the IP address in the remotemgmtip list from the IP address of the failed Administration Console to the address of the new primary Administration Console.
Save and exit.
At Access Gateway Service, start all services by entering the following command:
Linux: /etc/init.d/novell-appliance start OR rcnovell-appliance start
Windows: Click Control Panel > Administrative Tools > Services, then start the following services:
Apache Tomcat JCCServer
Starting Apache Tomcat causes Apache 2.4 to also start.
(Conditional) Repeat this process for each Access Gateway Service that has been imported into Administration Console.
For each Linux Identity Server imported into Administration Console, perform the following steps:
Log in as the root user.
Open a terminal window and shut down all services by entering the following commands:
/etc/init.d/novell-jcc stop OR rcnovell-jcc stop
/etc/init.d/novell-idp stop OR rcnovell-idp stop
Edit the settings.properties file:
Enter vi /opt/novell/devman/jcc/conf/settings.properties
Change the IP address in the remotemgmtip list from the IP address of the failed Administration Console to the address of the new primary Administration Console.
Enter :wq! to save and exit.
Start the services by entering the following commands:
/etc/init.d/novell-jcc start OR rcnovell-jcc start
/etc/init.d/novell-idp start OR rcnovell-idp start
For each Windows Identity Server imported into Administration Console, perform the following steps:
Open a terminal window and shut down all services by entering the following commands:
net stop JCCServer
net stop Tomcat8
Edit the settings.properties file:
Change to the following directory:
Windows Server 2012: \Program Files\Novell\devman\jcc\conf
Open the settings.properties file.
Change the IP address in the remotemgmtip list from the IP address of the failed Administration Console to the address of the new primary Administration Console.
Save your changes.
Start the services by entering the following commands:
net start JCCServer
net start Tomcat8
After the secondary console has been promoted to be the primary console, uninstall Administration Console software of the old primary Administration Console. Before uninstalling, make sure the machine is disconnected from the network. For instructions, see Uninstalling Administration Console in the NetIQ Access Manager 4.5 Installation and Upgrade Guide.
If you want to use the old primary console as a secondary console, you need to first uninstall Administration Console software. Connect the machine to the network, then reinstall the software, designating this console as a secondary console.