It’s so easy.
On your source host simply copy the contents of /Library/Server/named to same directory on the new host. Refresh server.app and don’t forget to change the NS records to point to the new host.
Bam
I was faced with a DNS migration, but from Snow Leopard Server to Server.app 5.x. There were only 9 zones but there are hundreds of records and Apple provides zero tools to help make this migration easy. But, I found a hack. Now I’m going to say right now that I just found that this worked and YMMV.
First, on your Snow Leopard Server box do an ls /var/named/zones and make a primary zone in Server.app 5.x for every file listed in this directory. Then tarball up all these files and copy them over to your Server.app 5.x machine. One by copy the zones files from this tarball into /Library/Server/named matching the names as you go with some tab-auto-complete action.
For example, if the zone files in your Snow Leopard server are:
db.1.5.10.in-addr.arpa.zone.apple
db.mgmt.clientname.com.zone.apple
db.remote.clientname.com.zone.apple
db.backup.clientname.com.zone.apple
db.lan.clientname.com.zone.apple
Then you would issue the following commands:
sudo cp db.1.5.10.in-addr.arpa.zone.apple /Library/Server/named/db.1.5.10.in-addr.arpa
sudo cp db.lan.clientname.com.zone.apple /Library/Server/named/db.lan.clientname.com
sudo cp db.mgmt.clientname.com.zone.apple /Library/Server/named/db.mgmt.clientname.com
sudo cp db.remote.clientname.com.zone.apple /Library/Server/named/db.remote.clientname.com
sudo cp db.backup.clientname.com.zone.apple /Library/Server/named/db.backup.clientname.com
Hi Everybody! 
So I’ve been in the Mac game for quite some time now and all along I was always longing for a good automated backup solution. A few years ago myself and a colleague got together and wrote osx-backup.sh. A simple shell script with a few variables inside. Simply edit the shell script and then install as a cronjob to run nightly. Features of this backup script include:
I’ve been using this script for years now under 10.6, 10.7 and 10.8. The version listed here is for Server 2.2.2 under 10.8.5
Restoration of these backups is fairly simple to do as long as you know some postgres commands. Here’s the article on how to restore the wiki.
Calendar, webmail are fairly similar. DNS restoration is just a matter of placing the files back in /var/named and /etc/named.conf
If you need to restore open directory archive you should use Apple’s latest knowledge base instructions. Just make sure that the server hostname matches the backup.
To restore OS X Server setting plists:
sudo serveradmin settings < /path/to/your-sa_backup-servicename-plist
Get a terminal session on your Zentyal box and install the VNC service
sudo apt-get install vnc4server
Next, run the server once to initialize a config file, kill the service and make a backup of the config file and then edit.
vncserver
vncserver -kill :1
cp .vnc/xstartup .vnc/xstartup.bak
nano .vnc/xstartup
Uncomment one line and add another:
# Uncomment the following two lines for normal desktop:
unset SESSION_MANAGER
# exec /etc/X11/xinit/xinitrc
/usr/bin/lxsession -s LXDE -e LXDE
Then just launch
vncserver
Watch the output so you can ensure what port to connect to. For example, the following means my VNC server is listening on port 5901
jordan@mrsparkle:/etc/X11$ vncserver
New 'mrsparkle:1 (jordan)' desktop is mrsparkle:1
Starting applications specified in /home/jordan/.vnc/xstartup
Log file is /home/jordan/.vnc/mrsparkle:1.log
As you all probably know that using Apple’s DNS server can be challenging at times. If you make changes on the primary you usually have to wait some time before those changes propagate to the secondaries. However with the following commands you can force this propagation without having to nuke files or folders in /var/named
1. On the secondary server, run this command. (use whatever zone you want to transfer in place of lan.example.com
rndc -p 54 retransfer lan.example.com IN com.apple.ServerAdmin.DNS.public
2. Reload configuration
rndc -p 54 reload
3. Forcing client cache flush
dscacheutil -flushcache
The reason I think this is better in my opinion is it gets rid of the potential “oops” of deleting critical files in /var/named.
This is a follow up to my last blog entry: Magic Triangle Setup with Windows File Server backed Portable Home Directories. Myself and a team of amazing people deployed the Magic Triangle solution in an architectural firm that recently was involved in a merger and needed to be brought into one unified “domain.” I place that word in quotations after some disagreements and long discussions with AD administrators as to the default definition of the word. Before we begin let’s just go over our Magic Triangle deployment and the roles of our servers.
For all intensive purposes, the migration went fairly smoothly. The client was quite happy with the result, although the users of the network do not have as fast of a desktop environment as they did with a pure Macintosh network. The final outcome was Mac clients bound to both AD and OD. AD handled all the user and group authentication and authorization while OD took care of computer and group client management through MCX. I put a standard computer heirarchy in place on the OD side for computer group so different settings could be applied to different sets of computers. Such as, making all laptops automatically create portable home directories and install the HomeSync menu in the top menu bar. However, there was one very strange problem I encountered while binding the Macintosh clients to the Open Directory server.
Normally, when you set “Require authenticated binding between directory and clients” to on in Server Admin the Mac client will prompt you for directory administrator credentials when binding a client. However, this was not happening for us. We were using 10.6.4 server and client everywhere, yet the clients were just not asking for authentication. Thus, a computer record was not being generated on the server side. What I did for the first few test cases was create computer records manually inside of Workgroup Manager, but this was not fun and tedious.
Update: One of my readers, JJ, pointed out a great kb article from Apple on how to require directory authentication while binding. http://support.apple.com/kb/HT4068 End of Update
I whipped up a quick AppleScript to bind the clients for me, this script had the diradmin login and pass embedded in it which I know is not best practice yet it was a temporary fix. The reason for using the script is so that the command line utility dsconfigldap is passed the ‘-f’ flag which forces the client to authenticate to the directory server.
The script is as follows:
tell application "Terminal"
do shell script "dsconfigldap -u diradmin -p 'diradminpass' -f -a od01.tld.ca -c `hostname` -n od01.tld.ca -l localsudouser -q localsudopass -v > /Users/Shared/odbind.log" with administrator privileges
do shell script "echo 'Writing Search policy to plists' >> /Users/Shared/odbind.log" with administrator privileges
do shell script "defaults write /Library/Preferences/DirectoryService/SearchNodeConfig 'Search Node Custom Path Array' -array '/LDAPv3/od01.tld.ca'" with administrator privileges
do shell script "defaults write /Library/Preferences/DirectoryService/SearchNodeConfig 'Search Policy' -int 3" with administrator privileges
do shell script "defaults write /Library/Preferences/DirectoryService/ContactsNodeConfig 'Search Node Custom Path Array' -array '/LDAPv3/od01.tld.ca'" with administrator privileges
do shell script "defaults write /Library/Preferences/DirectoryService/ContactsNodeConfig 'Search Policy' -int 3" with administrator privileges
do shell script "echo 'Successfully added the Open Directory server to your search path' >> /Users/Shared/odbind.log" with administrator privileges
do shell script "echo 'Writing LDAP in your search paths' >> /Users/Shared/odbind.log" with administrator privileges
do shell script "dscl /Search -append / CSPSearchPath /LDAPv3/od01.tld.ca" with administrator privileges
do shell script "dscl /Search/Contacts -append / CSPSearchPath /LDAPv3/od01.tld.ca" with administrator privileges
end tell
tell application "Finder"
activate
display dialog "Computer is now bound to Open Directory as " & (do shell script "hostname")
end tell
This was one of the more challenging issues at hand. We had a whole bunch of OD user’s home folders on two Apple XRAIDs served out via AFP and needed to move the data to the Windows Filer using SMB. What we ended up doing is creating an LACP link to a MacPro and using the following script to migrate the users one by one.
syncit.sh is a shell script that mounts two network homes for one user, one from AD and one from OD. It then transfers all data from OD to AD via rsync. To make this script work it depends on a couple things.
Home Directory Ghost Mount
One issue that we’ve seen appear more than once is home directory ghost mounting. When a user logs out of their profile sometimes their home directory does not unmount cleanly. As a result when the user tries to log in again on the same workstation they are unable to due to the computer believing the home directory is already mounted. This may also affect logins of the same user account to other workstations due to the home directory filer not timing out the mount session.
Slow Network File System Access
There have been at times severe client stalls due to slow file system access. This was noticed on literally zero network traffic congestion. This is a noted issue from many different implementations of using SMB shares for Mac home directories. Read http://www.macwindows.com/snowleopard-filesharing.html#091709k for more information. One suggested solution is to turn on Internet Sharing on the Mac client, however this is not a wise idea.
Portable Home Directory Will Not Sync
Sometimes homesync will become cranky. Definitely cranky. The easier and fastest way to resolve a home directory that does not sync is to perform the following.
For most HomeSync problems it usually has something to do with file conflict resolution. To find out always open Console.app and look at FileSyncAgent.log. Try to perform a FileSync and watch the output of the log. If you are having problems with an initial sync try erasing the login.keychain file found in ~/Library/KeyChains on both server and client. Many times this will cause problems due to The Chicken and The Egg issues.
Illegal Characters in File Names
“ ‘/ \ + * ( ) [ ] are all illegal characters for file names on the Windows File Servers, as are directories or files that end in a space. As a result you may have issues creating working with these files. The Windows file server use unicode to map these characters, however there are failures often. Resolution is done by manually replacing filenames. This is also a LARGE contributor to File Sync failing.
Like I mentioned at the beginning everything went quite smoothly. There were of course strange things that happened through out the deployment, and the short one week runway I had to prep for this was WAY too short but in the end we pulled it off. If any of you out there are planning on deployment or need questions answer feel free to contact me via the About Me button at the top of blog!
Update: Please check out my next post regarding HomeSync errors on an SMB server.
Update 2: One of my readers, JJ, pointed out a great kb article from Apple on how to require directory authentication while binding. http://support.apple.com/kb/HT4068
Free Geek Mascot #1
BAM! WHOLE NETWORK GOES DOWN. Not just vlan5, no no, the whole god damn network. No Internet access nothing, not even from the router, the router can’t ping a thing on the whole network.
Why God? Why?
Then the Network God ARP said, “Jordan did you check those top kwality DLink switches?” So off I went to check the switch I just modified. For some unknown reason the DLINK decided to plunk VLAN 6 tagged onto port 16 for no reason what-so-ever. So I fixed that, but no, nothing worked still. So Tyler says, just unplugg the ethernet cables to the NFS server. Voila! Problem solved. Basically we think the NFS was just spewing out crap across the network and making all the servers in VLAN 5 bail, including the router. We were getting some pretty crazy ARP poisoning happening the router. Now, on to the good stuff.
This is a basic (and poorly made) diagram of how the Free Geek Vancouver network looks. We’ll take a look at how an LTSP client boots and logs in.
First the LTSP client boots looking for a PXE server, DHCP is handed out and tells the client to grab a boot image from yew. The LTSP client then boots into Ubuntu 10.04 (bleeding edge baby) where the login screen is presented. The user logs in and authenticates against our new fancy LDAP server on teak. When the client logs in their home directory is handed out via LDAP as /net/home/<$user> This directory is handled by AutoFS and mounts the NFS home from maple. The user now has full desktop experience with all their account info and home directory handled by 3rd parties.
What? Centralized authentication AND home directories?! REALLY?
Our LTSP server is now a 2 x Dual Core Xeon 3.20GHz with 4GB of RAM. A HUGE upgrade from what we running before. In addition to all this insanity Vicki was able to migrate our ticketing system for us as well as update all the LDAP records for home directories, install autofs on all servers, install the mount maps, comment out all the irrelevant fstab crap AND switch over all our servers to the LDAP server. Pow vicki, pow!
The backup system is pretty sweet as well. In our NFS server that holds the home directories is two RAID 5’s, a RAID 1 and some spares. One RAID 5 has a slice out of it that is for home directories. The other is 1TB for nothing but backups. What Tyler did was write a script that uses rsync to create incremental backups all done thru hard links. It’s pretty rad.
Now that I come to think of it, I didn’t really do much except play with the dogs!!
She helped in her own way
What's going on?
mkdir /var/backups/dns; cp -r /etc/dns /var/named /etc/named.conf /var/backupsdns
serveradmin start dns