Migrating Domino baremetal to ActiveGrid (E2E)

Desired Outcome
-Create an end-to-end detailed flow of processes and configurations for Domino Migration
-This is the copy-style method, where the same Domino OS version is migrated to new hardware

ActiveGrid Configuration (OS, Drives, Drive Space, RAM, IP Address)
-ActiveGrid currently certified to Microsoft Server 2012 R2
-Disk capacity total I requested = 800GB
-Drive C = 150GB (Windows OS)
-Drive D = 350GB (Domino Apps, Installers, manual Backups)
-Drive D = 300GB (Domino Data)

Web-Browser application for connecting to ActiveGrid
-Use Safari on the Mac to make the connection
-Note: I was getting “Server Disconnected Code: 1015; Connect Timout” with Firefox

Firewall configuration on ActiveGrid
-Note: Possible to add my @Home IP address within ActiveGrid Firewall – for SSH’ing
-The well-known port for Domino is 1352
–Note: Added 0.0.0.0/0 for ANY to 1352
–Note: Added 0.0.0.0/0 for ANY to 80
–Note: Added 0.0.0.0/0 for ANY to 443
-All ports to/from ActiveGrid will be direct (with no flip-flopping)

Firewall configuration on Windows Server
-XXX –

LogMeIn Agent Installation
-Installed Agent – manually typed the URL for installer
-Connected from home via Firefox – fast!

LogMeIn for copying data from baremetal server to ActiveGrid
-Logged in from ActiveGrid to baremetal servers (from the LogMeIn Control Panel)
-Note: This is the preferred method – using the local LogMeIn Control Panel on ActiveGrid
-Note: Change time out on both baremetal and ActiveGrid Servers
–LogMeIn Control Panel; Options; Preferences; Advanced; Network, Idle Time Allowed
–Change to 0:03:00:00 – 3 hours (Note: Default was 1 hour)

-For making the connection between the two servers (for file copying)
–LogMeIn Control Panel; Connect to: (log-in to other server)
–See both servers within the File Directory
–Note: Appeared faster when initiating everything from ActiveGrid server

Windows Updates and Restart
-Routine Windows Update process and server restart

Copying over Installers
-Domino
-Fixpacks
-Java JVM (Just in case)
-McAfee Mail Security (will come back to actual installation/configuration later)

HOSTS file changes because ActiveGrid not using NAT

Current IP configuration of baremetal (LAX) is:
–Server: 10.60.60.2
–Gateway: 10.60.60.1
–Subnet: 255.255.255.0
–DNS: 8.8.8.8 and 4.2.2.2
–Note: For the system with IBM Traveler, I can request a second NIC for the “DMZ”

Copying over data for IBM Domino with baremetal server down
-Note: Approximately 1GB/minute file transfer (via LogMeIn)
-set config server_restricted=4 (within console)
-drop all (repeat until sh users shows no active users)
-tell router show q (check the router queue); repeat until no mail pending
-tell router quit
-tell adminp process new
-sh tasks (and check that adminp is idle)
-Quit Domino Server
-Change the Domino Server service startup type from Automatic to Manual

-Copy over D: (baremetal) to D: (ActiveGrid) using LogMeIn
–Note: Only took about 4 minutes
-Copy over E: (baremetal) to D: (ActiveGrid) using LogMeIn
–Note: Took about 3 hours

Info on how I ensured Test Server didn’t talk outside
-Remove replicator task from servertasks= within notes.ini
-Remove router task from servertasks= within notes.ini
-Block port 1352 outbound within Windows Server Firewall
-Create alias in etc/hosts file and point it to test server IP
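
The four isolation steps above can be checked in one pass before the test server is started. This is an added example, not part of the original notes: the notes.ini path is the one reviewed later in these notes, while the alias, the IP address and the rule name are constructed placeholders.

```powershell
# Added example; run elevated on the test server before starting Domino.
$NotesIni  = 'D:\Lotus\Domino\notes.ini'            # path used in these notes
$HostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
$Alias     = 'domino-test.example.com'              # placeholder alias
$TestIp    = '192.0.2.10'                           # placeholder test server IP
$RuleName  = 'Domino test - block outbound 1352'    # hypothetical rule name

# 1) Replica (replicator) and Router must not be listed in ServerTasks=
$line  = Select-String -Path $NotesIni -Pattern '^\s*ServerTasks\s*=' |
         Select-Object -First 1
$tasks = @()
if ($line) {
    $tasks = ($line.Line -split '=', 2)[1] -split ',' |
             ForEach-Object { $_.Trim().ToLower() }
}
$stillLoaded = $tasks | Where-Object { $_ -in 'replica', 'router' }

# 2) Outbound connections to remote port 1352 are blocked on every profile
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block -Protocol TCP -RemotePort 1352 -Profile Any | Out-Null
}
$blockRule = Get-NetFirewallRule -DisplayName $RuleName

# 3) The hosts file maps the alias to the test server IP
$pattern = '^\s*' + [regex]::Escape($TestIp) + '\s+.*\b' + [regex]::Escape($Alias) + '\b'
$aliasOk = [bool](Select-String -Path $HostsFile -Pattern $pattern)

# Summary: every value should be True before the first start
[pscustomobject]@{
    ServerTasksLineFound = [bool]$line
    ReplicaRouterRemoved = -not $stillLoaded
    Outbound1352Blocked  = ($blockRule.Enabled -eq 'True' -and $blockRule.Action -eq 'Block')
    HostsAliasToTestIp   = $aliasOk
}
```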

Changing FQDN pointer to new IP Address
Changing MXPurify pointer to new IP Address (including the port)
-Ensure the new IP address is correct for server I’m migrating
-Ensure I’m using the default port this time (no flip-flopping now)

Review notes.ini within D:\Lotus\Domino
-For now, remove McAfeeAddinMgrX64 (McAfee Endpoint Security for Domino)
if needing DIOPP anymore
-Left all the ServerTasksAtX – as is
-Left all SAVMailXX – as is (I think this may be from the old Symantec)
-Left ExistingServerName=DA-OJAI/DAC (This is odd, but leaving as is)
-TCPIP_ControllerTcpipAddress=10.60.60.2:2050
–Note: Changed this to the new static IP address
-Domain=ICA (This is odd, but from the past I remember having to leave as is for now)
-Sametime Stuff (Left as is for now)
-SAVJava=c:\Program Files\java\jre7\bin (Legacy, but left as is for now)

Run installer for Domino including Fixpack and Interim Fixpack
-Setup (During test, saw it saying, “Prepare Java JVM for Virtual Machine”)
-Left “Install Partitioned Domino Server” checkbox blank
-D:\Lotus\Domino
-E:\Lotus\Domino\Data
-Domino Enterprise Server (pre-selected)
-Note: Installation took about 4 minutes

Fixpack 6 for Domino 8.5.3
-Ran the installer
-Confirmed directories
-Note: Takes about 4 to 5 minutes

Domino IF 15 for 8.5.3. FP 6
-Ran the installer
-Now going to 8.5.3.FP6 HF2880
-Note: About 1 to 2 minutes

JAVA JVM UPDATE

Notes.INI review – one more time
-OK

Quick system checks before first run
-XXX

Console check with Server down?
-XXX

First run of Domino Server on ActiveGrid

Console Check on Active Server

Trace Checks from Notes client to server on ActiveGrid

Creating Domino Test Server in ActiveGrid

Desired Outcome
Create a Domino Test Server in ActiveGrid by copying over Application folder and Data folder; running the Domino 8.5.3 Server and Fixpack; doing an in-place Server upgrade to Domino 10. This will simulate the actual migration and upgrade for DA-LAX. If this all works out, which I think it will, then I repeat again and do a migration for DA-LAX and just place in Domino 8.5.3 for now, while I work on migrating the other servers to ActiveGrid.

Configuration of Test Server
Q: What best practice is there if I have a copy of the Domino Folder for Apps and Data?

Firewall and DNS configurations (Domino Server) within ESXi VM

FQDN of IP address – DA-OJAI-VM (Windows Server 2016 Test – Domino 10)
-A Record and PTR Record must point to the correct IP address for the server
-nslookup is useful to confirm that the A and PTR records are configured correctly in your DNS
-mxtoolbox.com is an old friend for various interrogations of IP addresses, etc
-Now that’s fixed, and the inbound rule for ICMP was set to Profile Public, I can now ping to the FQDN and it resolves correctly to the server’s IP address

Network settings within Server 2016
-Originally configured to Private, and changed to Public
-I think that was the primary reason I was unable to get the Domino Server online

IBM Domino Port 2050 for Console
This document explains how the Domino Server Controller can fail to start up without port 2050 configured correctly.

-Originally, problem was that Domino Console would give an error about port 2050, which would affect both accessing console and also getting Domino running
-Now that Network security is Public (vs Private), added a rule to allow inbound TCP for port 2050
-Now, when I do netstat -a from Server terminal, I get: TCP 0.0.0.0 listening for Port 1352 and my server’s external IP address listening for port 2050
-During troubleshooting, I had opened up the Public Profile firewall too much, so I am turning off the Inbound connections “allow” setting, which means I’m required to have specific rules:
–Before changing firewall, shut down Domino
–Changed public firewall to block (default) incoming
–Confirmed rule for 1352 (added the internal address) and rule for 2050
–Started IBM Domino Service; went into Domino Console and added server.id password
–netstat -a looks good for 1352 and 2050

IBM Domino Port 1352

IBM Domino Console and embedded password – somewhat related to security…
-Would be nice to not have to manually enter this each time.

Allowing Ping from outside to the server
-To enable the inbound rule that allows ICMP packets, select ‘Inbound Rules’. Find and right-click ‘File and Printer Sharing (Echo Request – ICMPv4-In)’, then select Enable Rule. That allows incoming ping requests on Windows 2012 R2/2016 server and lets it respond to them without completely disabling the firewall service.
-I think what I was overlooking was that under “Advanced” the Profile was set to Private, and I needed to add Public
-That freakin’ immediately resolved doing a ping from the outside to the server
-I can also ping externally to the FQDN, which resolves correctly to server IP Address
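
The Public-profile firewall state described in the port 2050 notes and in the ping notes above can be scripted instead of set through the GUI. This is an added example, not part of the original notes: the rule names and the source addresses are constructed placeholders, and scoping the rules to specific source addresses is an assumption (set the Remote values to 'Any' to leave the rules unscoped).

```powershell
# Added example; run elevated on the Windows Server hosting Domino,
# with the Domino service stopped, as in the notes above.
# Source addresses are constructed placeholders (documentation range).
$NrpcSources    = @('203.0.113.0/24')  # allowed to reach Domino on 1352
$ConsoleSources = @('203.0.113.10')    # allowed to reach the Server Controller on 2050

# Public profile: inbound traffic needs an explicit allow rule
Set-NetFirewallProfile -Name Public -Enabled True -DefaultInboundAction Block

$rules = @(
    @{ Name = 'Domino NRPC 1352 (inbound)';       Port = 1352; Remote = $NrpcSources },
    @{ Name = 'Domino Controller 2050 (inbound)'; Port = 2050; Remote = $ConsoleSources }
)
foreach ($r in $rules) {
    # Remove an earlier copy so re-running does not stack duplicate rules
    Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow -Protocol TCP -LocalPort $r.Port -RemoteAddress $r.Remote -Profile Public | Out-Null
}

# Built-in echo-request rule: enable it and apply it to Private and Public
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (Echo Request - ICMPv4-In)' |
    Set-NetFirewallRule -Enabled True -Profile Private, Public

# Verify: profile state, then which local addresses listen on 1352 and 2050
# (the listener check returns rows only once Domino is running again)
Get-NetFirewallProfile -Name Public |
    Select-Object Name, Enabled, DefaultInboundAction
Get-NetTCPConnection -State Listen -LocalPort 1352, 2050 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```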