11.2 Grafting a Single Server Tree

The Graft Tree option lets you graft a single server source tree's Tree object under a container specified in the target tree. After the graft is completed, the source tree receives the target tree's name.

During the graft, DSMerge changes the object class of the source tree's Tree object to Domain and makes a new partition. The new Domain object is the partition root for the new partition. All the objects under the source tree's Tree object are located under the Domain object.

The target tree's administrator has rights to the resulting tree's root container and, therefore, has rights to the source tree's grafted root.

NOTE: It might take up to several hours for the inherited rights to be recalculated and become effective. This time will vary based on the tree's complexity, size, and number of partitions.

The source tree's administrator has rights only in the newly created Domain object.

Figure 11-3 and Figure 11-4 illustrate the effects of grafting a tree into a specific container.

Figure 11-3 eDirectory Trees before a Graft

Figure 11-4 Grafted eDirectory Tree

This section contains the following information:

11.2.1 Understanding Context Name Changes

After the source tree has been grafted into the target tree container, the distinguished names of objects in the source tree have the source tree's name appended, followed by the distinguished name of the target tree container where the source tree was merged. The relative distinguished name remains the same.

For example, if you are using dot delimiters, the typeful name for Admin in the Preconfigured_tree (source tree) is

CN=Admin.OU=IS.T=Preconfigured_tree

After the Preconfigured_tree is merged into the New Devices container in the Oak_tree, the typeful name for Admin is

CN=Admin.OU=IS.DC=Preconfigured_tree.OU=Newdevices.OU=Engineering.O=Sanjose.T=Oak_tree.

NOTE: The maximum number of characters allowed in a DN of any type, including a container DN, is 255 characters. This limitation is particularly important when you are grafting the root of one tree into a container near the bottom of the target tree.

The last dot following Oak_tree (Oak_tree.) indicates that the last element in the distinguished name is the tree name. If you leave off the trailing dot, then also leave off the tree name.
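
A pre-graft check for the name change and the 255-character limit described above, added here as an example (it is not NetIQ code and not part of DSMerge). It assumes dot-delimited typeful names with no escaped dots inside a name, and it counts the full string including the trailing dot, which the page does not specify; the deeply nested DN is constructed sample data.

```python
MAX_DN_LEN = 255  # limit from the NOTE above

def split_typeful(dn):
    """Split a dot-delimited typeful DN into (type, value) pairs, leftmost first."""
    pairs = []
    for rdn in dn.rstrip(".").split("."):
        attr, sep, value = rdn.partition("=")
        if not (sep and attr and value):
            raise ValueError(f"not a typeful RDN: {rdn!r}")
        pairs.append((attr, value))
    return pairs

def grafted_dn(source_dn, target_container_dn):
    """Return the DN an object in the source tree will have after the graft."""
    src = split_typeful(source_dn)
    tgt = split_typeful(target_container_dn)
    if src[-1][0].upper() != "T" or tgt[-1][0].upper() != "T":
        raise ValueError("both names must end with T=<tree name>")
    # The source Tree object becomes a Domain object: T=<tree> -> DC=<tree>.
    src[-1] = ("DC", src[-1][1])
    # Source path first (RDN unchanged), then the graft container's path.
    return ".".join(f"{a}={v}" for a, v in src + tgt) + "."

def over_limit(source_dns, target_container_dn, limit=MAX_DN_LEN):
    """List (source DN, post-graft length) for names that would exceed the limit."""
    flagged = []
    for dn in source_dns:
        new_len = len(grafted_dn(dn, target_container_dn))
        if new_len > limit:
            flagged.append((dn, new_len))
    return flagged

# Graft container from the page's example.
TARGET = "OU=Newdevices.OU=Engineering.O=Sanjose.T=Oak_tree"
# Constructed sample: a deeply nested object that is legal in the source tree.
DEEP = ("CN=Printer01."
        + ".".join(f"OU=Level{i:02d}_Department" for i in range(9))
        + ".T=Preconfigured_tree")
SAMPLE_DNS = ["CN=Admin.OU=IS.T=Preconfigured_tree", DEEP]

if __name__ == "__main__":
    print(grafted_dn(SAMPLE_DNS[0], TARGET))
    for dn, n in over_limit(SAMPLE_DNS, TARGET):
        print(f"{n} chars after graft (limit {MAX_DN_LEN}): {dn}")
```

Feeding it an export of the source tree's object names before the graft shows which objects need to be moved or renamed, or whether a shallower graft container is required.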

11.2.2 Preparing the Source and Target Trees

Before initiating the graft operation, ensure that the state of all of the servers affected by the operation is stable. The following table provides prerequisites for preparing the source and target trees before grafting.

Prerequisite: WANMAN should be turned off on all servers that hold a replica of the source tree's Tree partition or the target tree's Tree partition.

Required action: Review your WANMAN policy so that WAN communication restrictions do not interfere with the merge operation. If required, turn WANMAN off before initiating the merge operation.

Prerequisite: The source tree must have only one server.

Required action: Remove all but one server from the source tree.

Prerequisite: No aliases or leaf objects can exist at the source tree's Tree object.

Required action: Delete any aliases or leaf objects at the source tree's Tree object.

Prerequisite: No similar names can exist in the graft container.

Required action: Rename objects under the target tree graft container or rename the source tree.

Move objects from one of the containers to a different container in its tree if you don't want to rename objects, then delete the empty container before running DSMerge. For more information, see Section 3.0, Managing Objects.

You can have identical container objects in both trees if they are not immediately subordinate to the same parent object. Objects are uniquely identified by their immediate container object.

Prerequisite: The eDirectory version for both the source tree and target tree container must be 8.51 SP2a or later.

Required action: DSMerge will search for the appropriate version of eDirectory. If an acceptable version isn't found, DSMerge will return an error. You can get the latest version of eDirectory from the NetIQ Download page.

Prerequisite: The container where you will join the target tree is in a partition that has no replicas (a single-server partition).

Required action: If the target container has multiple replicas, do one of the following:

  • Make the partition associated with this container the master replica and delete other replicas.

  • Split the target tree graft container into a separate partition and remove replicas.

After the graft is complete, the partition association can be re-established.

Prerequisite: The server holding the target container must also hold a replica of the ROOT partition.

Required action: If the server doesn’t hold a replica of ROOT, the graft will fail and you will see error -672 No Access because the directory is unable to verify administrator rights for the target tree.

Use iManager to add a replica for ROOT. For more information, see Adding a Replica.

Prerequisite: The schema on both the source and target trees must be the same.

Required action: Run the Graft option in DSMerge. If reports indicate schema problems, run DSRepair on the target tree to import the schema from the source tree.

The graft operation automatically imports the schema from the target tree to the source tree.

Run DSMerge again.

Prerequisite: Only one tree can have a security container subordinate to the tree root.

Required action: If both the source and target tree have the security container, remove one container as explained in Section A.0, NMAS Considerations.

Prerequisite: The source tree's time reference must be reconfigured.

Required action: The source tree should usually be set as a secondary server configured to get its time source from a server in the target tree.

To reconfigure Timesync, see “Configuring and Administering Time Synchronization” in the OES Planning and Implementation Guide.

11.2.3 Containment Requirements for Grafting

Grafting a source tree into a target tree container requires that the target tree container be prepared to accept the source tree. The target tree container must be able to contain an object of the class Domain. If there is a problem with containment, error -611 Illegal Containment will occur during the graft operation.

Use the information in the following table to determine if you need to run DSRepair to modify containment lists.

Target Tree Container Requirements

The target tree container object must include the domain object in its containment list.

You can check this using iMonitor > Schema. If the containment list does not include Domain, run DSRepair to make schema enhancements.

Source Tree Requirements

The graft operation changes the source tree root from the class Tree Root to the class Domain. All of the object classes that are subordinate to the Tree must be able to be contained by the class Domain according to the schema rules.

You can check this using iMonitor > Schema. If the containment list does not include Domain, run DSRepair to make schema enhancements.

If containment requirements aren't met, run DSRepair to correct the schema.

  1. In NetIQ iManager, click the Roles and Tasks button.

  2. Click eDirectory Maintenance > Schema Maintenance.

  3. Specify the server that will perform the operation, then click Next.

  4. Specify a user name, password, and context for the server where you will be performing the operation, then click Next.

  5. Click Optional Schema Enhancements, then click Start.

  6. Follow the online instructions to complete the operation.

11.2.4 Grafting the Source and Target Tree

After you ensure that prerequisites are met, use DSMerge to perform the graft.

  1. In NetIQ iManager, click the Roles and Tasks button.

  2. Click eDirectory Maintenance > Graft Tree.

  3. Specify which server will run Graft (this will be the source tree), then click Next.

  4. Authenticate to the server, then click Next.

  5. Specify the source tree Administrator name and password and the target tree name, Administrator name, and Password.

  6. Click Start.

    A Graft Tree Wizard Status window appears, showing the progress of the graft. A “Completed” message finally appears with information returned from the graft process.

  7. Click Close to exit.