Questions about migrating to a new server on a new domain

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
patrickwilson82
Advanced member
Posts: 134
Joined: Tue Mar 13, 2018 5:37 pm
ZCS/ZD Version: 8.8.15

Questions about migrating to a new server on a new domain

Post by patrickwilson82 »

What I'm looking to accomplish is this. Hopefully someone can help me with laying out a game plan on getting to where I need to be.

My current Zimbra VM (hostname: zm01.old.domain) is running 8.8.15 Patch 19 on Ubuntu 16.04.2. There are underlying issues with the operating system that are keeping me from being able to install any new updates. Therefore, I need to migrate to a new Server. I've already familiarized myself with this process using the rsync method (thanks to some great info I've found on this forum). I've set up a new Server running Zimbra 8.8.15 Patch 34, and given it a temporary hostname. My plan is after migrating the LDAP data (including user mailboxes), I want to change the mail flow to the IP address of the new Server. All email addresses should remain the same along with the public IP and hostname of the Server, but I want to change the internal hostname to zm01.new.domain and have it authenticate to a different LDAP Server, as we are moving all of our AD accounts to a new domain. I currently have most of our Outlook clients pointing to the current internal hostname (zm01.old.domain) and would need all of them to start pointing towards the new internal hostname (zm01.new.domain). Is this where the zimbraVirtualHostname parameter might be beneficial? What do I need to do for certs in regards to changing over to the new server?

So to sum it all up, in what order do I need to do this? I'd like to have the new server up with the ability to authenticate on the new domain for testing purposes before I change the mail flow. Or am I better off moving everything to the new server first, making sure that everything is up and running with the existing IP address, hostname, and LDAP server of the current Zimbra VM before I go changing all that. Any thoughts would be appreciated. Thank you in advance.
karl.b
Zimbra Employee
Posts: 37
Joined: Tue Aug 02, 2022 3:31 pm

Re: Questions about migrating to a new server on a new domain

Post by karl.b »

Quite a few questions in there Patrick. One thing you could do is stay in the same LDAP tree. If you read this https://wiki.zimbra.com/wiki/LDAP_Multi ... eplication - it explains it. So when you install/config Zimbra on the new server (using the same version but could be for a different OS) - you will set up multi-master replication between old and new server, and install all the same services that are running on the old server, on the new server. Now when it's done, you have the ability in the Admin Console to move the mailboxes from old to new (or at the command line using zmmboxmove). This way you can ease into it, and there is no downtime. You did not say how many users/mailboxes you have?

So users could continue to connect to the old or the new server and they will hit the proxy service that will "find" where their mailbox is located dynamically (based on the LDAP zimbraMailHost value). If you have like 100 users or so, as you move them, work with them to reconfigure the server setting in their Outlook profile to connect to the new server. Now generally speaking it's bad news to have them connecting directly to the FQDN of the server; you want them to connect to something like mail.domain.ext, which could be a CNAME that then points to the A record of the new server. A comm cert would want the actual FQDN in the CN (Subject) field, but add mail.domain.ext in the Subject Alt Name field.

SMTP connections could also eventually be switched to route to mail.domain.ext, which sends them over to the new server, but the same dynamic routing will take place - as a message arrives in the MTA service on the new server it will look up where the user exists and send the message accordingly. All these dynamic things are because you configure multi-master replication in the beginning. This is a lot, I could go on and on. Let me know how many users you have before we go further, and whether you are on Network Edition.
patrickwilson82
Advanced member
Posts: 134
Joined: Tue Mar 13, 2018 5:37 pm
ZCS/ZD Version: 8.8.15

Re: Questions about migrating to a new server on a new domain

Post by patrickwilson82 »

Kranium62 wrote: Quite a few questions in there Patrick. One thing you could do is stay in the same LDAP tree. [...]
Kranium62,

Thank you for the reply. I think I get the general idea. I just probably need more specifics. That would be perfect if this could be done with no downtime. I'm running on Network Edition and have 130 mailboxes and 33 distribution lists to be migrated. My question regarding the article you sent me is that I know my Zimbra admin password. Is there a way to find out if the LDAP replication, NGINX LDAP, Amavis LDAP, Postfix LDAP, and BES LDAP passwords are the same as my admin password? Or if they are not, how do I find out what they are currently? I'd rather not reset these if I could end up breaking something in the process. Also, the new server should be authenticating on a different LDAP Server, since we're moving to a new domain, but as I mentioned earlier email addresses will remain the same. Will that still work with this process?

Also, if I'm understanding you correctly, then there would be no need to do the rsync process that I had mentioned, since this would replicate all of the data? Thanks in advance.
karl.b
Zimbra Employee
Posts: 37
Joined: Tue Aug 02, 2022 3:31 pm

Re: Questions about migrating to a new server on a new domain

Post by karl.b »

On your current server, as the zimbra user, run "zmlocalconfig -s | grep -i pass"; that will show you all the passwords that you need to enter during the install/config of your new Zimbra server. What you are talking about in regard to LDAP authentication is what is known as "external authentication" (from the perspective of Zimbra), and you stated you are using AD - so it would be this https://wiki.zimbra.com/wiki/Configure_ ... _Directory. This is set up at the domain level within Zimbra. So it means to switch all users of the domain within Zimbra to use external AD authentication against a new AD server, it's all at once - you modify the config for that Zimbra domain. Keep in mind the domain in AD does not have to exactly match the domain in Zimbra, because in most cases the logic is only looking at the value to the left of the @ in AD - see this article https://wiki.zimbra.com/wiki/LDAP_Authentication - we are either looking at sAMAccountName or userPrincipalName. So if you are moving all of your users from domain1.local to domain2.org - you should be able to auth to the new AD server with the new domain.
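The question above (are the replication, NGINX, Amavis, Postfix and BES LDAP passwords the same as the admin password?) can be answered without pasting any of those values anywhere. The script below is an added example written for this thread, not code from Zimbra or from any poster: it reads a saved copy of `zmlocalconfig -s` output (which prints `key = value` lines, with passwords unmasked) and reports, per key, whether the value equals zimbra_ldap_password. It never prints the values themselves. The key names are the standard Zimbra localconfig names for those passwords; the sample dump embedded for offline testing is constructed and its values are made up.

```shell
#!/bin/sh
# check_ldap_passwords.sh - compare Zimbra LDAP bind passwords against the
# admin LDAP password without echoing any secret.
#
# On the old server, as the zimbra user:
#   zmlocalconfig -s > /tmp/lc.txt && sh check_ldap_passwords.sh /tmp/lc.txt; rm -f /tmp/lc.txt
#
# Standard localconfig keys for the passwords the installer asks for
# (ldap_root_password is deliberately left out: it is expected to differ).
LDAP_PASSWORD_KEYS="ldap_replication_password ldap_postfix_password ldap_amavis_password ldap_nginx_password ldap_bes_searcher_password"

# lc_get KEY FILE: print the value of KEY from a saved `zmlocalconfig -s` dump.
lc_get() {
    sed -n "s/^$1 = //p" "$2" | head -n 1
}

# check_ldap_passwords FILE: for each LDAP bind password print whether it is
# identical to zimbra_ldap_password. Output contains key names and verdicts
# only, never values. Returns 0 when every key is present and identical,
# 1 if any is missing or different (those you must carry over verbatim).
check_ldap_passwords() {
    file=$1
    admin=$(lc_get zimbra_ldap_password "$file")
    if [ -z "$admin" ]; then
        echo "zimbra_ldap_password not found in $file" >&2
        return 1
    fi
    rc=0
    for key in $LDAP_PASSWORD_KEYS; do
        value=$(lc_get "$key" "$file")
        if [ -z "$value" ]; then
            echo "$key: missing"; rc=1
        elif [ "$value" = "$admin" ]; then
            echo "$key: same as zimbra_ldap_password"
        else
            # Different password: read it privately on the old server and
            # enter it unchanged during the new server's install/config.
            echo "$key: differs (read it with: zmlocalconfig -s $key)"; rc=1
        fi
    done
    return $rc
}

# write_sample_lc FILE: constructed `zmlocalconfig -s` excerpt for offline
# testing. Hostnames follow the thread; every password here is invented.
write_sample_lc() {
    cat > "$1" <<'EOF'
ldap_amavis_password = s3cret-admin
ldap_bes_searcher_password = s3cret-admin
ldap_host = zm01.domain1.local
ldap_nginx_password = nginx-only-pw
ldap_port = 389
ldap_postfix_password = s3cret-admin
ldap_replication_password = s3cret-admin
ldap_root_password = root-pw
zimbra_ldap_password = s3cret-admin
zimbra_ldap_userdn = uid=zimbra,cn=admins,cn=zimbra
EOF
}

if [ "${1-}" = "--demo" ]; then
    tmp=$(mktemp); write_sample_lc "$tmp"
    check_ldap_passwords "$tmp"; echo "exit status: $?"
    rm -f "$tmp"
elif [ -n "${1-}" ]; then
    check_ldap_passwords "$1"
fi
```

Run it with `--demo` to see the verdict format on the constructed dump (one key reported as differing), or pass the path of a real dump. Delete the dump afterwards: a file produced by `zmlocalconfig -s` holds every LDAP bind password in clear text.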
patrickwilson82
Advanced member
Posts: 134
Joined: Tue Mar 13, 2018 5:37 pm
ZCS/ZD Version: 8.8.15

Re: Questions about migrating to a new server on a new domain

Post by patrickwilson82 »

You mentioned, as I move the users over to the new server, the proxy would find which server the mailbox is located on. How does that work exactly? I'm not sure if I actually have a proxy set up or not. Currently our public mx record points incoming external mail to our Fortimail Hardware SPAM filter, which then forwards legitimate incoming mail messages to our Zimbra Server.

Let me see if I'm understanding correctly so far. Please correct me if I'm wrong on anything. For clarification I'll refer to the old server as zm01.domain1.local and the new server as zm01.domain2.org.

1.) Run the commands on zm01.domain1.local as outlined here to enable MMR https://wiki.zimbra.com/wiki/LDAP_Multi ... eplication.
2.) Install a fresh new server. Set the hostname as zm01.domain2.org
3.) Update the ldap_master_url to contain both masters: zmlocalconfig -e ldap_master_url="ldap://zm01.domain2.org:389 ldap://zm01.domain1.local:389" (**Do I run this on just the new server? I'm assuming that listing the new server first in the command makes that preferred?)
4.) Run command zmlocalconfig -s ldap_url to verify that both servers show in ldap_url
5.) Start moving mailboxes to new server. (**Is the preferred method using the Zimbra NG Backup module or the zmmailboxmove command? I'm looking for which ever one would not give users any down time.)
6.) Point users' Zimbra Outlook connectors to the FQDN of the new mail server. (**Is there a better method? Most of my users have their Outlook connectors pointing to the internal FQDN zm01.domain1.local, while some laptop users and users who are using their mobile phones to connect are pointing towards the external webmail FQDN zmail.mydomain.com.)
7.) Change authentication on the new server to authenticate with the new AD Server. https://wiki.zimbra.com/wiki/Configure_ ... _Directory

Additional questions:
1.) Does LDAP automatically sync all of my configuration settings between the two servers?
2.) How does this work with the GAL? Obviously when the new server is authenticating with the new AD, I want the GAL to pull data from the new AD Server.

I know this is a lot and I really appreciate all of your help so far. Thank you.
karl.b
Zimbra Employee
Posts: 37
Joined: Tue Aug 02, 2022 3:31 pm

Re: Questions about migrating to a new server on a new domain

Post by karl.b »

Generally correct. The day before, in the evening (after business hours), you have to execute those first steps on the current Zimbra server as stated in https://wiki.zimbra.com/wiki/LDAP_Multi ... eplication (the first black box). The last thing you do is a zmcontrol restart, which is why I stated after business hours. Your next step is to install/config the new Zimbra server and you will continue to follow the steps in the Wiki - but you are installing the same services that are running on the current server (do a zmcontrol status to see this). Yes you have a proxy installed, ZCS 8.8.15 requires it. So when you are done, you are through step 4.

Now - before you start moving mailboxes you need to run (as the zimbra user) "zmupdateauthkeys" to update authorized_keys of the current server with info from the newly created server. Now you can start to move users - and I definitely would use the zmmboxmove command-line method (no downtime). Step 6, it's sort of inevitable - you have to get out of the practice of users pointing directly at the server FQDN - so what I said a few posts up, use a CNAME record in DNS. Step 7 is correct; in the config of the Admin Console there will be a way to test as well.

Question 1) yes, but question 2, you have to reconfig the galsync account (https://wiki.zimbra.com/wiki/GAL_Sync_Account). So you need to identify your galsync account, then run zmprov gds galsync@domain.com, and you should see the "datasource" that points to AD. Below in the article it shows how to modify the datasource (you need to point the second datasource, using zmprov mds galsync@domain.com AnotherGAL).
patrickwilson82
Advanced member
Posts: 134
Joined: Tue Mar 13, 2018 5:37 pm
ZCS/ZD Version: 8.8.15

Re: Questions about migrating to a new server on a new domain

Post by patrickwilson82 »

So basically if I point the end user's Outlook client to the public service hostname, will the proxy then know which of the two servers to check, to find that user's email?

Also, will this method of syncing the ldap data between the two servers transfer over the possible suspicious files that I may have due to vulnerability, say for example, like suspicious .jsp files in my public folder?
patrickwilson82
Advanced member
Posts: 134
Joined: Tue Mar 13, 2018 5:37 pm
ZCS/ZD Version: 8.8.15

Re: Questions about migrating to a new server on a new domain

Post by patrickwilson82 »

Also, how do I need to handle the certs? Do I need to deploy new ones for Multi-Server mode on both servers? Or do I just create single-server certs for the new server?

And when I'm ready to shut down the old server, it's still ok to leave only one node on the MMR? This statement in the wiki kind of concerned me: "WARNING: Configuring MMR is a one-way trip! Once you have configured MMR, you must not remove all nodes from the MMR configuration! If you're removing nodes, you must retain at least one replication agreement on your MMR nodes."
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Questions about migrating to a new server on a new domain

Post by L. Mark Stone »

patrickwilson82 wrote:
And when I'm ready to shut down the old server, it's still ok to leave only one node on the MMR? This statement in the wiki kind of concerned me: "WARNING: Configuring MMR is a one-way trip! Once you have configured MMR, you must not remove all nodes from the MMR configuration! If you're removing nodes, you must retain at least one replication agreement on your MMR nodes."

Yes, you can run with a single MMR node; the replication agreement with the deleted other MMR node will still be in place, there will be some complaining, but everything will work fine. The existing MMR node will purge access logs on a rolling three-day basis, so after that, if the old MMR node somehow reappeared, replication would be broken until you did a slapcat from the existing server and a slapadd on the reappearing MMR node.

You should remove the deleted MMR node from the localconfig variables ldap_url and ldap_master_url however.

If you want to clean things up all nice and tidy, backup the LDAP database (maybe keep more than one copy, just in case), and then you can run ~/libexec/zmldapinit to wipe out your existing LDAP database and configuration and bring it to a base, non-MMR single LDAP server bare configuration. You would then do a slapadd to restore your LDAP database, but without restoring the MMR configuration. This zmldapinit step is not required; I know of one customer who has been running with a single LDAP MMR node for a few years now with no issues. Further, when John Holder was alive he and I spent a fair amount of time discussing this on behalf of a customer.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
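The clean-up step Mark mentions (remove the deleted MMR node from ldap_url and ldap_master_url) is easy to get wrong by hand, and the wiki warning quoted above means the result must never be an empty list. The script below is an added example for this thread, not code from Zimbra or from any poster: it takes the current space-separated URL lists, drops every URL whose host is the decommissioned node, refuses to continue if nothing would be left, and prints the zmlocalconfig -e commands to run rather than running them. Hostnames and values are the ones used in this thread; the exact localconfig edit commands are the standard ones, but that services pick the change up only after zmcontrol restart is an assumption stated in a comment.

```shell
#!/bin/sh
# trim_mmr_node.sh - compute the ldap_url / ldap_master_url values that remain
# after one MMR node is decommissioned, and print the commands to apply them.
# Nothing is modified; review the output, then run it as the zimbra user.

# drop_ldap_node "URL LIST" HOSTNAME: print the space-separated list without
# any ldap:// or ldaps:// URL whose host part is HOSTNAME.
# Returns 1 (prints nothing) if no URL would remain, which is the case the
# MMR wiki warns about: at least one node must stay in the configuration.
drop_ldap_node() {
    list=$1; gone=$2; kept=""
    for url in $list; do
        host=${url#*://}      # strip scheme
        host=${host%%/*}      # strip any trailing path
        host=${host%%:*}      # strip port
        [ "$host" = "$gone" ] && continue
        kept="${kept:+$kept }$url"
    done
    [ -n "$kept" ] || return 1
    printf '%s\n' "$kept"
}

# plan_localconfig_update CURRENT_LDAP_URL CURRENT_LDAP_MASTER_URL HOSTNAME:
# print the zmlocalconfig -e commands for the trimmed values. Refuses to emit
# anything if either list would become empty.
plan_localconfig_update() {
    new_url=$(drop_ldap_node "$1" "$3") || {
        echo "refusing: ldap_url would be empty after removing $3" >&2; return 1; }
    new_master=$(drop_ldap_node "$2" "$3") || {
        echo "refusing: ldap_master_url would be empty after removing $3" >&2; return 1; }
    printf 'zmlocalconfig -e ldap_url="%s"\n' "$new_url"
    printf 'zmlocalconfig -e ldap_master_url="%s"\n' "$new_master"
    # Assumption: services read localconfig at start, so restart afterwards.
    echo 'zmcontrol restart'
}

if [ "${1-}" = "--demo" ]; then
    # Values as they would look on zm01.domain2.org after the thread's step 3.
    both="ldap://zm01.domain2.org:389 ldap://zm01.domain1.local:389"
    plan_localconfig_update "$both" "$both" zm01.domain1.local
elif [ $# -eq 3 ]; then
    plan_localconfig_update "$1" "$2" "$3"
fi
```

On the surviving server the current values come from `zmlocalconfig -s ldap_url` and `zmlocalconfig -s ldap_master_url`; pass those two strings and the old hostname as the three arguments, check the printed commands, and only then run them. With `--demo` it shows the result for the two hostnames used in this thread.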
patrickwilson82
Advanced member
Posts: 134
Joined: Tue Mar 13, 2018 5:37 pm
ZCS/ZD Version: 8.8.15

Re: Questions about migrating to a new server on a new domain

Post by patrickwilson82 »

L. Mark Stone wrote: Yes, you can run with a single MMR node; the replication agreement with the deleted other MMR node will still be in place, there will be some complaining, but everything will work fine. [...]
Thank you Mark! That does answer one of my questions!