Cool Solution - "Backup to Master" recommendations
From Univention Wiki
This article gives some additional information and recommendations about the "Backup to Master" process, which is needed in case the DC Master of an UCS Domain needs to be replaced.
- 1 Overview
- 2 Handling of individual Services
- 3 Apps / Services recommended to be installed on other UCS system roles
- 4 Other resources
This article extends the information given in the Backup to Master section of the UCS documentation, which also contains a good introduction to the use cases of the "Backup to Master" process. Please note that the documentation may be more up-to-date than this article, so in case of doubt please follow the documentation.
The main goal of the "backup2master" process included in the product is to enable a Backup Domain Controller instance to offer the standard UCS services. So the process includes automated reconfiguration of standard services including OpenLDAP, Samba 4 and the SSL certification authority. To ensure that this process is possible even if the "old" DC Master is down, all information needed for these services is synced between the DC Master and all DC Backup instances.
The following sections are focused on additional services, which are optionally installed on a Domain Controller Master but are not covered in the standard "backup2master" process.
Handling of individual Services
This list is not complete, so please assume that individual steps are also needed for Apps/Services not included here.
Windows compatible Domain Controller (Samba 4 DC)
The needed steps for the Samba 4 Domain Controller are included in the backup2master process. Typically the "Samba 4 Connector" instance is active on the DC Master; this is detected automatically, so the new DC Master will have this functionality afterwards.
To ease the process, it is recommended to have Samba 4 installed on all DC Backup instances that might become DC Master in the future.
Google G-Suite Connector
As the first step the google-apps app has to be installed on the new DC Master. Then, the directory /etc/univention-google-apps has to be copied from the old DC Master or restored from a backup to the same directory on the new DC Master.
To restore the synchronization, the ownership of the restored files has to be fixed and the listener has to be restarted on the new DC Master:
chown listener:root /etc/univention-google-apps/*
service univention-directory-listener restart
To test the connector connection, a simple test is to print all known users and groups by calling /usr/share/univention-google-apps/print_google_users_and_groups
Single Sign-On will work after the app has been installed.
Office 365 Connector
As the first step the office365 app has to be installed on the new DC Master. Then, the directory /etc/univention-office365 has to be copied from the old DC Master or restored from a backup to the same directory on the new DC Master.
To restore the synchronization, the ownership of the restored files has to be fixed and the listener has to be restarted on the new DC Master:
chown listener:root /etc/univention-office365/*
service univention-directory-listener restart
To test the connector connection, a simple test is to print all known users and groups by calling /usr/share/univention-office365/scripts/print_users_and_groups
Single Sign-On will work after the app has been installed.
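The restore steps for the Google G-Suite and Office 365 connectors are the same apart from the directory name: copy the configuration directory from the old DC Master or a backup, fix the ownership, restart the listener. The following shell function is an added example (not part of the wiki article or of the UCS apps themselves) that wraps these steps and adds two checks a practitioner wants before the listener is restarted: it refuses to run on a missing or empty backup, and it verifies the copied files byte for byte against the source. The paths /etc/univention-google-apps and /etc/univention-office365 come from the article; the function name and the CONNECTOR_OWNER and LISTENER_RESTART overrides are assumptions introduced here so the function can also be exercised on a host without the listener user or service.

```shell
#!/bin/sh
# Added example, not code from the Univention wiki article: restore a cloud
# connector configuration directory (google-apps or office365) on the new
# DC Master, then fix ownership and restart the directory listener, as the
# article describes. Only the /etc/univention-* paths are from the article;
# the function name and the two overrides below are assumptions.

# The article's ownership and restart commands. They can be overridden so the
# function can be tested on a machine without the "listener" user or the
# univention-directory-listener service.
CONNECTOR_OWNER="${CONNECTOR_OWNER:-listener:root}"
LISTENER_RESTART="${LISTENER_RESTART:-service univention-directory-listener restart}"

# restore_connector_config SOURCE TARGET
#   SOURCE: copy of the old DC Master's config directory (e.g. from a backup)
#   TARGET: the same path on the new DC Master, e.g. /etc/univention-office365
# Returns 0 on success; non-zero if the source is missing or empty, a copied
# file does not match its source, or ownership/restart fails.
restore_connector_config() {
    src="$1"
    dst="$2"

    # Refuse to continue with a missing or empty backup: the listener would
    # otherwise be restarted with an incomplete connector configuration.
    if [ ! -d "$src" ] || [ -z "$(ls -A "$src" 2>/dev/null)" ]; then
        echo "restore_connector_config: no files found in '$src'" >&2
        return 1
    fi

    mkdir -p "$dst" || return 1
    # -p keeps modes and timestamps, so credential files stay as restrictive
    # as they were on the old DC Master.
    cp -pR "$src"/. "$dst"/ || return 1

    # Verify every regular file before touching ownership or services.
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if ! cmp -s "$f" "$dst/$name"; then
            echo "restore_connector_config: '$name' differs after copy" >&2
            return 1
        fi
    done

    # The article's ownership step: chown listener:root /etc/<app>/*
    chown "$CONNECTOR_OWNER" "$dst"/* || return 1

    # The article's restart step: service univention-directory-listener restart
    $LISTENER_RESTART || return 1

    echo "restored $(ls "$dst" | wc -l | tr -d ' ') file(s) into $dst"
    return 0
}
```

On a real DC Master the function is called as root with the defaults, e.g. `restore_connector_config /mnt/backup/etc/univention-office365 /etc/univention-office365`; afterwards the article's print_users_and_groups script is the check that the connector can actually reach the cloud service.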
DHCP Server
Typically DHCP setups are migrated automatically, as all information is stored in LDAP. Only if a failover peer configuration was in place on the old DC Master might manual attention be needed.
Radius
The Radius App can be installed on other UCS Domaincontroller instances; manual configuration on UCS is only needed if it was also needed on the old DC Master. A switch to a different Radius Server typically requires manual reconfiguration of the Radius Clients (e.g. WLAN Access Points).
Password Self Service
In case the Password Self Service App is installed on a new Domaincontroller, it can directly be used by end users, as all information needed for the default configuration is stored in LDAP. Only users who started the password reset process on the old DC Master will fail to use their temporary token or link and need to request a new one.
The App can be configured to use alternative messaging services such as SMS gateways. This configuration needs to be restored manually.
Further Apps / Services
These Services also need additional attention, but currently no step-by-step guide is available.
Active Directory Connector
The service isn't migrated automatically during a backup2master. It should be possible to ease a migration by restoring the local configuration (UCR variables, mapping definition files in /etc) and the cache files, but this is not yet documented.
As the typical scenario is to sync two directories, it is also possible to install the App on the new DC Master after the backup2master and reconfigure the sync. This will initiate a full re-sync.
Apps / Services recommended to be installed on other UCS system roles
It is perfectly fine to install these services on a Domaincontroller Master instance; this is typically done in smaller UCS Domains. In case of an unrecoverable failure of a DC Master running these services, we recommend restoring from a recent backup instead of using the "Backup to Master" process. Otherwise the App/Service specific data has to be restored on the new server from a recent backup of the old DC Master instance, following the App/Service specific restore procedures.
The following Services should not be installed on a Domain Controller Master to avoid unnecessary complexities in case of a backup2master:
- Mail & Groupware Services: We recommend a Domaincontroller Slave for all Mail and Groupware services.
- File and Print Services: Memberserver or Domaincontroller Slave instances are recommended.
- Business Applications: Typically these Applications include a database backend and additional service processes. Examples are ERP, CRM or project management solutions. It is recommended to install these services on Memberserver instances.
To reduce the risks in case of outages of individual UCS instances, a UCS domain should be configured with redundant services. Further information is linked in the "Fault-tolerant domain setup" section of the UCS documentation.