admin

Latest DSfW Health Check Script

I’ve received a great deal of feedback on the DSfW Health Check Script and applied some changes.
I am always looking for suggestions. I’ve created an updated video with the latest script. Watch it to learn about configuring it for your specific needs.

 

OES 11 SP1 eDirectory Install

Looking to install  eDirectory on OES 11 SP1?  Here is a video going through the install and giving some tips on doing a successful install.

 

Script to modify grouptype – modify_grouptype.sh

I did a post in January on grouptype and their impact on DSfW performance in TID 7011498 DSfW Slow Performance/Group Types.  The post shows how to find grouptype settings, goes over a couple of TIDs discussing grouptypes and a video giving even more info on the subject.

I have since written a script that will easily search for and modify grouptypes.  Here is how the script works.  Executing the script will display the following menu:

This script can report grouptype information and change grouptypes

To run the script enter 1, 2, or 3

1. Display groups with grouptypes of Universal
2. Create a ldif to change grouptype to Domain Local
3. Create and apply ldif to change grouptype to Domain Local

Options                           … Continue reading

Troubleshooting High Utilization – High Utilization Gstack tool

Sometimes ndsd or another process can cause a server to go into high utilization or to become unresponsive.  A great TID to follow for OES servers is TID 7007332 – Troubleshooting ndsd becoming unresponsive on OES Linux.  A TID specific for DSfW servers to start with is TID 7010462 – Troubleshooting slow logins and unresponsive DSfW server.

When troubleshooting a process stuck in high utilization or causing a server to slow down or become unresponsive, looking at a top output for a daemon like ndsd with individual threads shown, together with a correlating gstack, can show us which thread is in high utilization and what that thread is doing.  In most cases it is best to take a number of gstacks every 10 seconds to 60 seconds depending on the situation.  We can see not only what that thread is doing but if the… Continue reading

January 2013 Scheduled Maintenance for eDirectory 8.8 SP7 Patch 2

January 2013 OES11SP1 Scheduled Maintenance for eDirectory 8.8 SP7 Patch 2 has been released

Description

January 2013 OES11SP1 Scheduled Maintenance for eDirectory 8.8 SP7 Patch 2 Hot Patch1

  • – 795674: ndsd crashes in libnldap.so with latest November 2012 eDirectory Patch 8.8.7 Patch 2
  • – 799053: ldap and ldaps interfaces are lost on DSFW server after installing eDir887patch2 + OES11SP1 Nov Patches

Solution

This update is provided as a set of RPM packages that can easily be installed onto a running system by using the YaST online update module. Please install the update.

file contents

Files Included Size Date
novell-NDSbase-32bit-8.8.7.2-0.7.1.x86_64.rpm 420.2 KB (430316) 2013-01-31 11:52:45
novell-NDSserv-8.8.7.2-0.7.1.x86_64.rpm 5.7 MB (6069650) 2013-01-31 11:52:51
novell-NDSbase-8.8.7.2-0.7.1.x86_64.rpm 579.0 KB (592953) 2013-01-31 11:52:44
novell-edirectory-jclnt-8.8.7.2-0.7.1.x86_64.rpm 280.7 KB (287529) 2013-01-31 11:52:56
novell-edirectory-tsands-8.8.7.2-0.7.1.x86_64.rpm 283.4 KB (290253) 2013-01-31 11:52:57
novell-NOVLice-8.8.7.2-0.7.1.x86_64.rpm 462.3 KB (473462) 2013-01-31 11:52:55
novell-edirectory-tsands-32bit-8.8.7.2-0.7.1.x86_64.rpm 276.4 KB (283131) 2013-01-31 11:52:58
novell-NOVLice-32bit-8.8.7.2-0.7.1.x86_64.rpm 281.5 KB (288314) 2013-01-31 11:52:55
novell-NDScommon-8.8.7.2-0.7.1.x86_64.rpm 243.7 KB (249642)… Continue reading

January 2013 Scheduled Maintenance for OES11SP1

January 2013 Scheduled Maintenance for OES11SP1 has been released

How to apply the patch with zypper

List repositories
zypper lr
Should see the following:
nu_novell_com:OES11-SP1-Updates                        | OES11-SP1-Updates                       | Yes     | Yes

List patches in the Updates repository
zypper pch OES11-Updates
Should see the following:
OES11-SP1-Updates | oes11-sp1-January-2013-Scheduled-Maintenance   | 7195    | recommended | Need

Install the maintenance patch
zypper up -t patch oes11-sp1-January-2013-Scheduled-Maintenance

Then list the patches again to make sure it is installed
zypper pch OES11-Updates
Should see the following:
OES11-SP1Updates | oes11-sp1-January-2013-Scheduled-Maintenance   | 7195    | recommended | Installed

Key… Continue reading

January 2013 Scheduled Maintenance for OES11

January 2013 Scheduled Maintenance for OES11 has been released

How to apply the patch with zypper

List repositories
zypper lr
Should see the following:
nu_novell_com:OES11-Updates                        | OES11-Updates                       | Yes     | Yes

List patches in the Updates repository
zypper pch OES11-Updates
Should see the following:
OES11-Updates | oes11-January-2013-Scheduled-Maintenance   | 7170    | recommended | Need

Install the maintenance patch
zypper up -t patch oes11-January-2013-Scheduled-Maintenance

Then list the patches again to make sure it is installed
zypper pch OES11-Updates
Should see the following:
OES11-Updates | oes11-January-2013-Scheduled-Maintenance   | 7170    | recommended | Installed

Key DSfW specific… Continue reading

January 2013 Scheduled Maintenance for OES2SP3

January 2013 Maintenance patch for OES2SP3 has been released

Key DSfW specific bugs fixed with this maintenance patch

  • 787330: Can’t install ADC to DSfW domain that is updated to Sept 2012 patch level
  • 790828: DSfW Assign rights fails in XAD_RETAIN_POLICIES=no case and if there are containers with nspm… attr set
  • 792131: DSFW – behavior for isdeleted attribute doesn’t match with Active Directory
  • 792146: DSFW FTU1: “Enable Kerberos” task fails while provisioning for CDC in case of FRD is updated with FTU1 build
  • 792192: DSFW – “unavailableCriticalExtension” being returned when LDAP_SERVER_NOTIFICATION_OID is being used during ldapsearch
  • 793390: Fresh install & configuration of OES11SP1 DSFW Server along with November 2012 patch is failing.

January 2013 Scheduled Maintenance for OES2SP3

  • 567151: provide an icon for group in the history window
  • 624515: Adding an Auxiliary Class fails if a mandatory attribute of the Aux Class is an optional for another class
  • 638542: iManager upgrades… Continue reading

DSfW and eDirectory Health Check

It is a good idea to periodically check the health of DSfW and eDirectory servers.

This video concentrates on a script I wrote that can be run on both eDirectory and DSfW servers.

The script demonstrated in this video is called dsfw_edir_healthchk.sh.  To get the latest version of the script click on the DSfW Health Check link in the download section on DSfWDude.com.

A great TID to start off with for an eDirectory health check is TID 3564075.
On a DSfW server, start off with an eDirectory health check as well as TID 7001884, which has DSfW specific commands to check the health and overall operation of a DSfW server.

The script does most of the suggestions in both TIDs mentioned above plus a few more checks.

For eDirectory there are 8 checks the script does and… Continue reading

DSfW Express Install in OES11SP1

With OES11SP1 there are two install options.  Express and regular.

The difference between the two is the express install will not prompt for the server and dib location, SLP configuration, the OES proxy user, or the DNS configuration.  If there are no other Novell DNS servers in the tree this is a good option.  Otherwise do the regular install to use the same DNS Locator object as the existing Novell DNS server is using.

Install error: ndsconfig error 74

Installs can be tricky, especially when installing into an existing tree that has been around since NetWare 4.11, has multiple partitions, several locations, and dozens of servers.  If the tree is not healthy the install of DSfW has a greater chance of failure.  If communication with all servers is good, the tree is healthy, and the Preparing for Domain Services for Windows Install TID is followed, then usually the install goes through without any issues.

If there is a failure a common error is ndsconfig error 74.   This video goes over the error.  The troubleshooting of this error can be applied to a similar error “ndsconfig error 80”.

DSfW Slow Performance/Group Types

DSfW, like AD, has multiple group types.  This is found in the grouptype attribute.  TID 7004405 goes over the three group types.

Domain Local group: -2147483644
Global group: -2147483646
Universal group: -2147483640

The default group type is Universal group.   This group type can generate a lot of extra traffic causing the performance of the domain controller to suffer.

Global and Universal groups calculate a virtual attribute called tokenGroupsDomainLocal. This attribute is calculated for the group by the slapi layer. When a user is a member of several groups login times can increase. An increase in ndsd utilization can also result from the calculation of the tokenGroupsDomainLocal when a large number of groups reside within the domain.

If ndsd utilization is high or login times need to be reduced, change groups to Domain Local groups to avoid the calculation of the tokenGroupsDomainLocal virtual attribute.

Here is a… Continue reading
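The change recommended above, as an added example (not the author's modify_grouptype.sh): a shell function that reads an LDIF export of groups and writes a modify LDIF moving Universal groups to Domain Local, leaving other group types untouched. The sample DNs are constructed, and the attribute is assumed to be exported as groupType; review the generated LDIF before applying it with ldapmodify.

```shell
#!/bin/sh
# Added example; groupType values are the ones listed in the post above.
UNIVERSAL=-2147483640
DOMAIN_LOCAL=-2147483644

# Constructed sample export (DNs are made up). The third DN is folded
# across two lines, as LDIF exporters do for long values.
sample_ldif() {
    cat <<'EOF'
dn: cn=Sales,ou=groups,dc=example,dc=com
objectClass: group
groupType: -2147483640

dn: cn=Ops,ou=groups,dc=example,dc=com
groupType: -2147483646

dn: cn=Engineering Build Servers,ou=groups,dc=exam
 ple,dc=com
grouptype: -2147483640
EOF
}

# Reads LDIF on stdin, writes "changetype: modify" records on stdout
# for every entry whose groupType is Universal.
universal_to_domain_local() {
    awk -v uni="$UNIVERSAL" -v dl="$DOMAIN_LOCAL" '
    function flush_record() {
        # Emit a modify record only for Universal groups.
        if (dn != "" && gtype == (uni ""))
            printf "%s\nchangetype: modify\nreplace: groupType\ngroupType: %s\n-\n\n", dn, dl
        dn = ""; gtype = ""
    }
    function handle(line,   key) {
        if (line == "") { flush_record(); return }   # blank line ends an entry
        key = tolower(line)                           # attribute names are case-insensitive
        if (key ~ /^dn:/) dn = line                   # keeps "dn::" base64 DNs as-is
        else if (key ~ /^grouptype:/) {
            gtype = line
            sub(/^[^:]*:[ \t]*/, "", gtype)
            sub(/[ \t]+$/, "", gtype)
        }
    }
    {
        sub(/\r$/, "")                                # tolerate CRLF exports
        # A leading space marks a folded continuation of the previous line.
        if (substr($0, 1, 1) == " ") { pending = pending substr($0, 2); next }
        if (NR > 1) handle(pending)
        pending = $0
    }
    END { handle(pending); flush_record() }
    '
}

# Demo: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    sample_ldif | universal_to_domain_local
fi
```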

Troubleshooting DSfW Slow Performance/Duplicate Workstation Names

Slow logins and poor performance of a DSfW Domain Controller are often due to too many failed authentications to the domain. This video goes over the specific issue of multiple workstations with the same name increasingly queuing up logins until the server comes to a halt. The video covers TIDs 7010462 and 7006851.

This video concentrates on TID 7006851.
The command to display and sort Decrypt integrity check failed errors is:
grep -A1 -i 'Decrypt integrity check failed' /var/opt/novell/xad/log/kdc.log | grep -v 'Decrypt integrity check failed' | awk -F ')' '{print $3}' | grep -v '^$' | awk -F 'for' '{print $1}' | sort -n | uniq -c | sort -n

DSfW Install Error: No Such Partition

An error I have seen during installs is No Such Partition. The majority of the time it is easily solved by adding a replica of the name mapped partition to the DSfW server. This video will go through troubleshooting steps for this error.

Either run them on the eDirectory server specified for the install or use the -h [ip] if running on the DSfW server.
ndsstat -r
ndsstat -p .o=novell.t=tree. -h 192.168.0.51 -n

November 2012 Maintenance for OES11SP1 is released

November 2012 Maintenance patch for OES11SP1 has been released

Key DSfW specific bugs fixed with this maintenance patch

  • – 736416: DSfW – Apple OSX Compatibility: Login to DSfW without ID mapping doesn’t work
  • – 739450: DSfW: W32Time auth provider for ntp does not work in a cross partition setup
  • – 768113: DSFW: xadsd crashes in dcerpc libprot_ncacn.so library
  • – 769945: Assignment of users o authorise RDP Access to Windows Workstation
  • – 770416: OES11SP1LH: DNS/DHCP management console can not configure update policy option as DSfW requires
  • – 771993: OES11SP1LH: gposync runs in a loop
  • – 774802: xadsd crashes in rpc__list_element_alloc ()
  • – 778235: gposync tool reports success even if nsimAssignments is not updated
  • – 783939: DSFW: No results for LDAP Query when OID is used instead of attribute name in the search filter.
  • – 784366: xadsd crashes in rpc__cn_binding_inq_addr () due to failed NTLMSSP authentication requests

Key CIFS, DNS,… Continue reading

November 2012 Maintenance for OES11 is released

November 2012 Maintenance patch for OES11 has been released

Key DSfW specific bugs fixed with this maintenance patch

  • – 736416: DSfW – Apple OSX Compatibility: Login to DSfW without ID mapping doesn’t work
  • – 739450: DSfW: W32Time auth provider for ntp does not work in a cross partition setup
  • – 768113: DSFW: xadsd crashes in dcerpc libprot_ncacn.so library
  • – 769945: Assignment of users o authorise RDP Access to Windows Workstation
  • – 770416: OES11SP1LH: DNS/DHCP management console can not configure update policy option as DSfW requires
  • – 771993: OES11SP1LH: gposync runs in a loop
  • – 774802: xadsd crashes in rpc__list_element_alloc ()
  • – 778235: gposync tool reports success even if nsimAssignments is not updated
  • – 783939: DSFW: No results for LDAP Query when OID is used instead of attribute name in the search filter.
  • – 784366: xadsd crashes in rpc__cn_binding_inq_addr () due to failed NTLMSSP authentication requests

Key CIFS, DNS,… Continue reading

November 2012 Scheduled Maintenance for OES2SP3

November 2012 Maintenance patch for OES2SP3 has been released

Key DSfW specific bugs fixed with this maintenance patch

  • 736416: DSfW – Apple OSX Compatibility: Login to DSfW without ID mapping doesn’t work
  • 739450: DSfW: W32Time auth provider for ntp does not work in a cross partition setup
  • 768113: DSFW: xadsd crashes in dcerpc libprot_ncacn.so library
  • 769945: Assignment of users of authorise RDP Access to Windows Workstation
  • 771993: gposync runs in a loop
  • 774802: xadsd crashes in rpc__list_element_alloc ()
  • 778235: gposync tool reports success even if nsimAssignments is not updated
  • 783939: DSFW: No results for LDAP Query when OID is used instead of attribute name in the search filter.
  • 784366: xadsd crashes in rpc__cn_binding_inq_addr () due to failed NTLMSSP authentication requests
  • 790470: KDC service and Domain services daemon does not come up post Nov 2012 patch build installed

Key CIFS, DNS, and AFT specific bugs fixed with this maintenance… Continue reading

eDirectory 8.8 SP7 Patch 2 for Linux & Unix

Standalone eDirectory 8.8 SP7 Patch 2 has been released.  It can be found at Novell.com/downloads

Do not apply this patch on an OES server!

Issues resolved in eDirectory 8.8 SP7 Patch 2 (20703.00)
December 2012
NDSD
– FLAIM: when performing a LDAP search on a non-existent user using a complex filter err = no such entry (-601) is returned  (Bug 608436)
– NCP: NDSD cores allocating a connection slot  (OES Bug 710806)  (Non-OES Bug 692389)
– NDSD cores on PDC in DSFW environment iterating nested groups (Bug 719736/711799/750982)
– CIFS core during sub-tree search  (Bug 751962)
– Security Vulnerability: eDirectory DoS dhost request with certain characters  (Bug 772895) (CVE-2012-0429)
– Security Vulnerability: eDirectory Authorization Mechanism Bypass  (Bug 772898) (CVE-2012-0430)
– Security Vulnerability: eDirectory Cross Site Scripting exploit  (Bug 772899) (CVE-2012-0428)
– Nauditds.dlm fails to initialize completely during initial eDirectory startup … Continue reading

Windows 8 and DSfW

I am still in the process of using Windows 8 with Domain Services for Windows.  From what I have seen so far it behaves similar to Windows 7 as a workstation joined to the domain.  Logging in, mapping drives, running GPOs, executing login script from a GPO, all seem to work as in Windows 7.  The biggest challenge for me is getting used to the Start menu in Windows 8 and that isn’t DSfW related.

Windows 8 with VMWare View 5.1.1 and DSfW OES11SP1 all appear to play well with each other.  Making templates and linked clones does not seem to have any gotchas to look out for.  Let me know or the Novell Forums know if you discover a bug with DSfW and Windows 8.

Diagnostic tool for DNS Records

The DSfW team has a great tool called check-dns.pl to help diagnose DNS issues with DSfW.

The tool validates essential records for forward and reverse lookups.  This tool can be found at Novell Coolsolutions.

The tool might incorrectly report PDC and DC records if there is more than one Domain Controller.  The Coolsolutions article will be updated with a new check-dns.pl to address this issue.

Until the Coolsolutions article is updated you can download it from dsfwdude.com.

Download

September 2012 Maintenance for OES11.1 is released

September 2012 Maintenance patch for OES11SP1 has been released

Key DSfW specific bugs fixed with this maintenance patch

  • – 667829: On Win2K8 R2 client joined to DSfW domain fails to create xen Desktop image from xendesktop studio
  • – 723878: Normal Domain Users have all filesystem rights to new GPOs with Oes2Sp3
  • -736413: DSfW – Apple OSX Compatibility: memberOf query returns incorrect groupmembership results
  • – 736414: DSfW – Apple OSX Compatibility: ObjectSid queries return incorrect results
  • – 737877: CIFS- Support for CIFS invalid user name/password presented multiple times
  • – 738031: DSFW: Configuration of Windows 2008R2 Remote Desktop Licensing fails
  • – 765721: DSfW – Apple OSX Compatibility: OSX 10.6.x mobile account login issues when attribute loginintruderaddress is populated for users

September 2012 Scheduled Maintenance for OES11SP1

  • – 583261: httpstkd randomly stops
  • – 667829: On Win2K8 R2 client joined to DSfW domain fails to create xen Desktop image from xendesktop studio
  • – 706758:… Continue reading

September 2012 Maintenance for OES11 is released

September 2012 Maintenance patch for OES11 has been released

Key DSfW specific bugs fixed with this maintenance patch

  • – 667829: On Win2K8 R2 client joined to DSfW domain fails to create xen Desktop image from xendesktop studio
  • – 723878: Normal Domain Users have all filesystem rights to new GPOs with Oes2Sp3
  • -736413: DSfW – Apple OSX Compatibility: memberOf query returns incorrect groupmembership results
  • – 736414: DSfW – Apple OSX Compatibility: ObjectSid queries return incorrect results
  • – 737877: CIFS- Support for CIFS invalid user name/password presented multiple times
  • – 738031: DSFW: Configuration of Windows 2008R2 Remote Desktop Licensing fails
  • – 765721: DSfW – Apple OSX Compatibility: OSX 10.6.x mobile account login issues when attribute loginintruderaddress is populated for users
  • – 768348: DSFW Migration:Other service repair is failing in miggui tool from oes2sp2 and oes11fp0 to oes11sp1 migration
  • – 780394 – DSFW support for resolving a Well Known GUID, AD distinguishedName format… Continue reading

September 2012 Maintenance for OES2SP3 is released

September 2012 Maintenance patch for OES2SP3 has been released

Key DSfW specific bugs fixed with this maintenance patch

  • – 667829: On Win2K8 R2 client joined to DSfW domain fails to create xen Desktop image from xendesktop studio
  • – 723878: Normal Domain Users have all filesystem rights to new GPOs with Oes2Sp3
  • -736413: DSfW – Apple OSX Compatibility: memberOf query returns incorrect groupmembership results
  • – 736414: DSfW – Apple OSX Compatibility: ObjectSid queries return incorrect results
  • – 737877: CIFS- Support for CIFS invalid user name/password presented multiple times
  • – 738031: DSFW: Configuration of Windows 2008R2 Remote Desktop Licensing fails
  • – 765721: DSfW – Apple OSX Compatibility: OSX 10.6.x mobile account login issues when attribute loginintruderaddress is populated for users

September 2012 Scheduled Maintenance for OES2SP3

  • 583261: httpstkd randomly stops
  • 667829: On Win2K8 R2 client joined to DSfW domain fails to create xen Desktop image from xendesktop studio
  • 675596: oes-ldap not getting… Continue reading

Updated dsfw_processchk script 2.1.5

I updated the dsfw_processchk script to not only check all essential DSfW processes, but to handle multiple pids for the xadsd process.  The script is great to use if you are worried that a DSfW process will stop and you don’t want to receive several phone calls alerting you to the problem, or if the DSfW server has been unstable and you need time to track down the invalid requests hitting the DSfW server.

The script will report which processes are running or have stopped. It works by validating that a PID exists for each process. If a process is not running the script has the option to restart the services, send an e-mail that a process has stopped, and update the syslog.

Key configuration

# Set RESTART_DSFW to 1 to reload DSfW services if one or more services are not running,
# Set RESTART_DSFW to 0 to leave the services… Continue reading

VMWare and best practices for Timekeeping

Lately I’ve been getting a lot of requests for timekeeping best practices for VMWare.

VMWare has a great support article on this.  Below are the SLES recommendations.  The article can be found here

 

SLES 11 (All updates): No additional kernel parameters required.
SLES 10 SP4 on ESX 5.0 and later: clock=pmtmr hpet=disable
SLES 10 SP4 on ESX 4.x: Use a VMI enabled kernel.
SLES 10 SP3 on ESXi 5.0: clock=pmtmr hpet=disable
SLES 10 SP3 on ESX 3.5 and 4.x: Use a VMI enabled kernel.
SLES 10 SP3 on ESX 3.0.x and earlier: clock=pmtmr hpet=disable
SLES 10 SP2 on ESXi 5.0: clock=pmtmr hpet=disable
SLES 10 SP2 on ESX 3.5 and 4.x: Use a VMI enabled kernel.
SLES 10 SP2 on ESX 3.0.x and earlier: clock=pmtmr hpet=disable
SLES 10 SP1: clock=pmtmr hpet=disable
SLES 10: clock=pmtmr hpet=disable
SLES 9 (All updates): clock=pmtmr hpet=disable
SLES 8: No additional kernel parameters required.… Continue reading

Script to check if ports are listening

If you are concerned about a DSfW service going down and/or a port not being accessible, this script will help keep the services up or notify you of a service going down.  The script will check if each DSfW service is listening, then telnet to each port.  If it cannot telnet, the script will log which port is not accessible in the /var/opt/novell/xad/log/dsfw_portchk.log.

The dsfw_portchk.sh script can be run on a PDC or ADC, running Novell DNS or not running Novell DNS.

The script can also e-mail and restart the services if desired.

It will detect if the server has IPv6 enabled so that it can properly detect the correct port Samba and NetBIOS are listening on.

The script detects if Novell DNS is configured to start.  Sometimes on ADC servers DNS is not configured or is not set to run.  The original script… Continue reading

Open Enterprise Server 11 SP1 is released

Open Enterprise Server 11 SP1 has been released today

Learn more about OES11SP1 here

The download links for OES11 SP1 are:

Download link: http://download.novell.com/SummaryFree.jsp?buildid=rmqoq2iehSQ~
Documentation: http://www.novell.com/documentation/oes11/

As far as Domain Services for Windows goes, the install will now allow you to choose between a simplified install or the standard.  The simplified install of DSfW reduces the number of screens, removing many of the screens that most people click next on without making any changes.  The install is also more intuitive.  It follows along with the type of DSfW install you are doing instead of starting with the eDirectory configuration.

OES11SP1 has also improved gposync.  This should help reduce issues with gposync not working correctly or not properly syncing GPOs out to the ADC DSfW servers.

OES11SP1 migrations for DSfW servers are now supported.  The supported migrations are:… Continue reading

Script to check DSfW Processes

I have an updated script to check all essential DSfW processes.  The name of the script is dsfw_processchk.  The script is great to use if you are worried that a DSfW process will stop and you don’t want to receive several phone calls alerting you to the problem, or if the DSfW server has been unstable and you need time to track down the invalid requests hitting the DSfW server.

The script will report which processes are running or have stopped.  It works by validating that a PID exists for each process.  If a process is not running the script has the option to restart the services, send an e-mail that a process has stopped, and update the syslog.

Key configuration

# Set RESTART_DSFW to 1 to reload DSfW services if one or more services are not running,
# Set RESTART_DSFW to 0 to leave the services… Continue reading

Looking for DSfW Feedback

There is a new survey for Domain Services for Windows at https://www.surveymonkey.com/s/dsfwsurvey

Please provide any feedback on DSfW.  You can have direct impact as to the road map of DSfW plus enter a chance to win $50.  If your organization is currently using DSfW, planning on using DSfW, or thinking about using DSfW please help out by taking the survey.

For more information on the survey itself go to coolsolutions.

July 2012 Maintenance for OES11 is released

July 2012 Maintenance for OES 11 along with July 2012 Scheduled Maintenance for eDirectory 8.8 SP6 patch 6 have been released

Key DSfW specific bugs fixed with this maintenance patch

  • – 771737: OES11SP1LH: MMC can not create a User
  • – 761449: Can not Create Groups or OUs with MMC
  • – 758572: DSFW: Windows 7 remote assistance is not working.
  • – 766772: UpdatePDCMaster.pl failed during PDC role transfer
  • – 763854: Managing GPOs fail due to SYSVOL DFS referral link pointing to wrong path
  • – 738214: DSfW – All xadsd threads stuck in pthread_cond_wait/lock wait, causing xadsd to be unresponsive
  • – 758992: DSFW: Polycom SSO configuration fails with error “Access Denied” while changing password
  • – 703655: SYSVOL DFS referral link points to ADC and interrupts GPO Administrator operations

July 2012 Scheduled Maintenance for OES11

  • – 583261: httpstkd randomly stops
  • – 658145: NSS volume with Di and RI flags, incorrectly blocks root user… Continue reading
