Domain Services for Windows

DSfW 2008 R2 Schema Update

DSfW is in the process of being updated to 2008 R2 schema and needs your help.  If you are interested in beta testing the next version of DSfW please send an e-mail to pmadhan@microfocus.com and Chitradevi.Kumaraswamy@microfocus.com with a subject line ‘Interested in Domain Services for Windows Beta Program’

The final version will support 2012 schema, aes encryption, and fine grained password policies.  This is exciting and would be a great project to be part of.  This is your chance see and be a major contributor for the coming versions of DSfW.

For more information on this project please go to the coolsolution page below.

Updating DSfW Environment to AD2008 R2 Level – Beta Planned

Logon-Logoff / Power-on-Shutdown Scripts Execution for Windows Clients of DSfW

A new coolsolution has been released allowing the login and logoff tasks on a workstation.  The script can also power down or power on workstations.  Administrators and end users can automate these tasks.  The scripts can be stored in the netlogon or sysvol on the primary domain controller which will sync it out to the other DCs.  The profile tab of user properties, or Logon GPO can be used for integrating these scripts into startups and shutdown cases.

Go to novell.coolsolutions.com to download the script and read more about what you can do with this script.

How to remove a DSfW Domain Controller

Need to remove a DSfW Domain Controller?  ndsdcrm is the tool to do it.  There have been older versions that worked ok but not a version that works with OES11SP2.  Some times it would fail or not completely clean up the domain.  With OES11SP2 we have had to resort to the manual removal process as described in TIDs 7005431 and 7012738.

A new version has been released on Novell Cool Solutions.  If you want to remove an ADC or the entire domain, this is the tool to do it.  The tool can be found on Novell Cool Solutions, Removing DSfW Domain Controllers

March 2015 OES 11 SP2 Scheduled Maintenance Update 10332

March 2015 OES 11 SP2 Scheduled Maintenance Update 10332

 

How to apply the patch with zypper.  YaST Online Update can also be used.

1) List repositories to ensure the update the server is registerd and the updated repository is present
zypper lr
Should see the following:
nu_novell_com:OES11-SP2-Updates | OES11-SP2-Updates | Yes | Yes

2) List the Updates
zypper pch OES11-SP2-Updates
Should see the following:
OES11-SP2-Updates | oes11sp2-March-2015-Scheduled-Maintenance | 10332 | security | Needed

3) Install the maintenance patch
OES11SP2
zypper up -t patch oes11sp2-March-2015-Scheduled-Maintenance

4) Then list the patches again to verify the patch is listed as Installed
OES11SP2
zypper pch OES11-SP2-Updates

Should see the following:
OES11-SP2-Updates | oes11sp2-March-2015-Scheduled-Maintenance   | 10332 | Installed

5) To apply all OES11 SP2 updates run the following command
zypper up -t patch -r OES11-SP2-Updates

6) To apply all SLES 11 SP3 updates run the following command
zypper up… Continue reading

January 2015 Scheduled Maintenance Update

January 2015 Scheduled Maintenance has been released

How to apply the patch with zypper.  YaST Online Update can also be used.

1) List repositories to ensure the update the server is registerd and the updated repository is present
zypper lr
Should see the following:
nu_novell_com:OES11-SP2-Updates | OES11-SP2-Updates | Yes | Yes

2) List the Updates
zypper pch OES11-SP2-Updates
Should see the following:
OES11-SP2-Updates | oes11sp2-January-2015-Scheduled-Maintenance | 10105 | security | Needed

3) Install the maintenance patch
OES11SP2
zypper up -t patch oes11sp2-January-2015-Scheduled-Maintenance

4) Then list the patches again to verify the patch is listed as Installed
OES11SP2
zypper pch OES11-SP2-Updates

Should see the following:
OES11-SP2-Updates | oes11sp2-January-2015-Scheduled-Maintenance   | 10105

5) To apply all OES11 SP2 updates run the following command
zypper up -t patch -r OES11-SP2-Updates

6) To apply all SLES 11 SP3 updates run the following command
zypper up -t patch -r… Continue reading

DSfW Migration – OES 11 SP1 to OES11 SP2

DSfW Migrations can be tricky if you do not follow the documentation carefully.  I created two videos that take you through the process of a successful migration.  The videos do not cover the pre-migration.  For the pre-migration you want to ensure the tree and DSfW server specifically is healthy.

The key is to install and configure eDirectory with the pre-migration pattern on the target server using the Software Management tool provided by the YaST utility.  DO NOT Use the OES Install and Configuration utility.  This is the key piece most people miss.  If you use the OES Install and Configuration utility the DSfW patter will not be able to be installed.  Instead the pre-migration pattern will be layed down, the pre-migration wizard will pop up.  If you continue through the pre-migration pattern eDir will be installed.  You then click… Continue reading

supportconfig updated with DSfW information

A great tool to get essential information on a server is supportconfig.  It comes with SLES/OES and the latest set of patches has the DSfW information in the tool.

If you have a SR opened with support you can get the supportconfig analyzed by running supportconfig -ur $srnum; where $srnum is your 11 digit service request number.  A html report will be given which will list Critical, Warning, and Recommended messages.  Some will have TIDs and/or videos to apply to fix the issue.  Some will list a rpm to apply.

Another option to return just DSfW and OES information in the /root directory is to run:
supportconfig -kt /root -i OES,DSFW

This will not upload to Novell to have the supportconfig analyzed.  It is the ray files to look at.

 

With this DSfW piece in the new supportconfig, specific to DSfW is exporting… Continue reading

DSfW Monitor daemon

I just created a demonized version of the DSfW Monitor script.  For more information on the script look the DSfW Monitor script post.

Now you don’t have to create a cronjob to continuously run the tool.  Simply download and install the dsfwmon.rpm.

The install will create the /etc/init.d/dsfwmon startup script, the /opt/dsfwdude/conf/dsfwmon.conf file to edit the configuration and the dsfwmon daemon.  It also has log rotating enabled.

The install will enable the dsfwmon script so that when the server starts, the script will start monitoring the services.

Edit the /opt/dsfwdude/conf/dsfwmon.conf to send an e-mail if a service has to be restarted.  Do not adjust the delay time less than 5 minutes.  The script could possibly step on itself, trying to check the services while restarting the services.

Common changes are to enable e-mail setting to be sent when the services restart,… Continue reading

I/OTest script to check if the disk I/O is causing slow performance

Slow VM Performacne, use IOTest to see if the disk IO is the culprit

This script will test the disk IO by copying 500Mb of data using the same block size as eDir uses and with the same api eDir uses “fdatasync”.
This writes 500 Mb of data each iteration to the iotest.log in the dib directory, usually the /var/opt/novell/eDirectory/data/dib/
It will overwrite the previous data in the iotest.log each time it runs.  Anything under 100 MB/s is a concern and will cause slowness for eDirectory and possible memory build up.  IO causes a bottleneck for events to be written to disk.  A build up of memory by ndsd can cause a ndsd to take all available memory (both virtual and resident) causing ndsd to core.

If slow IO writes are seen with the iotest script begin the process of adding hard drives and reducing the… Continue reading

New Features in DSfW OES11SP2

There is a great article on Novell CoolSoltutions about the New Features in DSfW OES11SP2.

It gives great information on the new features with screenshots and explanations. Take a look and learn more about the new features of DSfW.

OES11SP2 is Available for Download

OES11sp2 is now available for download.

Sites and Subnets functionality is the biggest addition to DSfW.  It will allow the configuration of users to authenticate to a specific Domain Controller.  For this feature to work all Domain Controllers must be OES11sp2 servers.
Easy Wins configuration, Mac Client Support, Windows 8 Support,  Windows 2012 Support, and SASL NTMSSP Support are also big additions.
The SASL NTLMSSP Support will allow NTLM over LDAP bind request to be fullfilled.  Since more and more applications are supporting SASL NTLMSSP as the primary authentication mechanism for 2008 and 2012 servers this will allow more applications to work directly with DSfW.
The Novell Client has worked with well DSfW since OES2SP3, but that configuration was not supported.  It is now supported.
Download and test OES11sp2.  It is more robust and feature rich than previous… Continue reading

DNS CASA Repair Script

A common reason for  Novell DNS to fail to update records or even fail to load is do to CASA credentials for the DNS proxy user.

When troubleshooting Novell DNS issues start with the /var/opt/novell/log/named/named.run log.
If novell-named fails to start or update records and CASA Error has occured, error:No credential is retrived from CASA is seen in the log, it is almost a guarantee the reason is the dns-ldap key is missing, the password is incorrect for the proxy user, or the user name is incorrect.
Below is a sample of a named.run log demonstrating what is seen when CASA credentials in invalid or missing.
Look for the starting of named and the CASA Error

19-Nov-2013 15:30:13.489 general: main: notice: starting BIND 9.3.2 -u named
19-Nov-2013 15:30:13.490 general: server: info: found 4 CPUs, using 4 worker threads
19-Nov-2013 15:30:13.500 general: dns/message: error: Credential Not found
19-Nov-2013… Continue reading

New DSfW Monitor Script

I previously created two scripts, dsfw_processcheck.sh and dsfw_portchk.sh, one to monitor pids and one to monitor ports.  With the two script they are helpful to ensure the DSfW services are up.  A new script combines the two and adds additional options.  The script not only checks for pids and ports, but it can be used to create a cron job to run the script every 10 minutes by adding the “add” switch.  To remove the cron job use the “rm” switch.

If a DSfW server running DNS (or not) has a DSfW specific process stop or crash a quick stop gap measure is to monitor the DSfW processes and restart them if one or more of the DSfW processes stop.

If the DSfW server is an Additional Domain Controller (ADC) DNS might not be configured on the server.  If DNS is not running on the… Continue reading

DSfW: Provisioning using python script

Need to do the DSfW install via a putty session/ no gui.  Look at this coolsolution article DSfW: Provisioning using python script.  It provides a python script to do the provisioning portion of the  install with out the need of X Server.  It is also reported to be faster.  Great for scripted installs.

Adding displayName to DSfW user accounts

BES10 requires AD authentication so DSfW is being deployed to accomplish this in eDirectory environments.
The displayName attribute is one attribute that must be populated.

The following attributes must be populated for BES10
displayName
mail
samAccountName
distinguishedName
objectGUID

All but two are automatically populated on DSfW users.
displayName and mail are not.  Hopefully mail is already populated since this is for an e-mail application.  displayName most likely is not.

This video will go over a script that can be used populate displayName with the value used in samAccountName.  It will also show you how to modify the script if the value from another attribute is desired to be used for displayName.

The script does the following search to find users and generate a ldif file

ldapsearch -Y EXTERNAL -LLL -Q -b “$DEFAULTNAMINGCONTEXT” -s sub ‘(&(objectclass=user)(samAccountName=*)(!(|(objectClass=Computer)(displayName=*)(cn:dn:=users)(ou:dn:=oessystemobjects))))’ dn: samAccountName |sed s[samAccountName[‘changetype:modify\nadd: displayName\ndisplayname'[g | grep -v ^# >/tmp/add_displayname.ldif

As… Continue reading

Latest DSfW Health Check Script

I’ve received a great deal of feed back on the DSfW Health Check Script and applied some changes.
I am always looking for suggestions. I’ve created an updated video with the latest script. Watch to to learn about configuring it for your specific needs.

 

Script to modify grouptype – modify_grouptype.sh

I did a post in January on grouptype and their impact on DSfW performance in TID 7011498 DSfW Slow Performance/Group Types.  The post shows how to find grouptype settings, goes over a couple of TIDs discussing grouptypes and a video giving even more info on the subject.

I have since written a script that will easily search for and modify grouptypes.  Here is how the script works.  Executing the script will display the following menu:

This script can report grouptype information and change grouptypes

To run the script enter 1, 2, or 3

1. Display groups with grouptypes of Universal
2. Create a ldif to change grouptype to Domain Local
3. Create and apply ldif to change grouptype to Domain Local

Options                           … Continue reading

Troubleshooting High Utilization – High Utilization Gstack tool

Some times ndsd or another process can cause a server to go into high utilization or to become unresponsive.  A great TID to follow for OES servers is TID 7007332 – Troubleshooting ndsd becoming unresponsive on OES Linux.  A TID specific for DSfW servers to start with is TID 7010462- Troubleshooting slow logins and unresponsive DSfW server.

When trouble shooting a process stuck in high utilization or causing a server to slow down or become unresponsive looking at a top output for a daemon like ndsd with individual threads shown and a correlating gstack can show us which thread is in high utilization and what that thread is doing.  In most cases it is best to take a number of gstacks every 10 seconds to 60 seconds depending on the situation.  We can see not only what that thread is doing but if the… Continue reading

DSfW and eDirectory Health Check

It is a good idea to periodically check the health of DSfW and eDirectory servers.

This video concentrates on a script I wrote that can be ran on both eDirectory and DSfW servers.

The script demonstrated in this video is called dsfw_edir_healthchk.sh.  To get the latest version of the script click on the DSfW Health Check link in the download section on DSfWDude.com.

A great TID to start off with for a eDirectory health check is TID 3564075.
On a DSfW server start off with an eDirectory health check as well as TID 7001884 which has DSfW specific commands to check the health and overall operation of a DSfW server.

The script does most of the suggestions in both TIDs mentioned above plus a few more checks.

For eDirectory there are 8 checks the script does and… Continue reading

DSfW Express Install in OES11SP1

With OES11SP1 there are two install options.  Express and regular.

The difference between the two is the express install will not prompt for the server and dib location, SLP configuration, the OES proxy user, or the DNS configuration.  If there are no other Novell DNS servers in the tree this is a good option.  Otherwise do the regular install to use the same DNS Locator object as the existing Novell DNS server is using.

Install error: ndsconfig error 74

Installs can be tricky especially when installing into an existing tree that has been around since NetWare 4.11, has multiple partitions, several locations, and dozens of servers.  If the tree is not healthy the install of DSfW has a greater chance of failure.  If communication with all servers is good, the tree is healthy, and the Preparing for Domain Services for Windows Install TID is followed then usually the install goes through with out any issues.

If there is a failure a common error is ndsconfig error 74.   This video goes over the error.  The troubleshooting of this error can be applied to a similar error “ndsconfig error 80”.

DSfW Slow Performance/Group Types

DSfW, like AD, has multiple group types.  This is found in the grouptype attribute.  TID 7004405 goes over the three group types.

Domain Local group: -2147483644
Global group: -2147483646
Universal group: -2147483640

The default group type is Universal group.   This group type can generate a lot of extra traffic causing the performance of the domain controller to suffer.

Global and Universal groups calculate a virtual attribute called tokenGroupsDomainLocal. This attribute is calculated for the group by the slapi layer. When a user is a member of several groups login times can increase. An increase in ndsd utilization can also result from the calculation of the tokenGroupsDomainLocal when a large number of groups reside within the domain.

If ndsd utilization is high or login times need to be reduced, change groups to Domain Local groups to avoid the calculation of the tokenGroupsDomainLocal virtual attribute.

Here is a… Continue reading

Troubleshooting DSfW Slow Performance/Duplicate Workstation Names

Slow logins and poor performance of a DSfW Domain Controller is often due to too many failed authentications to the domain. This video goes over the specific issue of multiple workstations with the same name increasingly queuing up logins until the server comes to a halt. The video covers TIDs 7010462 and TID 7006851.

This video concentrates on TID 7006851.
The command to display and sort Decrypt integrity check failed errors is:
grep -A1 -i ‘Decrypt integrity check failed’ /var/opt/novell/xad/log/kdc.log |grep -v ‘Decrypt integrity check failed’ |awk -F ‘)’ ‘{print $3}’ |grep -v ‘^$’ |awk -F ‘for’ ‘{print $1}’ |sort -n | uniq -c | sort -n

DSfW Install Error: No Such Partition

An error I have seen during installs is No Such Partition. The majority of the time it is easly solved by adding a replica of the name mapped partition to the DSfW server. This video will go through troubleshooting steps for this error.


Either run them on the eDirectory server specidifed for the install or use the -h [ip] if running on the DSfW server.
ndsstat -r
ndstat -p .o=novell.t=tree. -h 192.168.0.51 -n

Windows 8 and DSfW

I am still in the process of using Windows 8 with Domain Services for Windows.  From what I have seen so far it behaves similar to Windows 7 as a workstation joined to the domain.  Logging in, mapping drives, running GPOs, executing login script from a GPO, all seem to work as in Windows 7.  The biggest challenge for me is getting used to the Start menu in Windows 8 and that  isn’t DSfW related.

Windows 8 with VMWare View 5.1.1 and DSfW OES11SP1 all appear to play well with each other.  Making templates and linked clones do not seem to have any gotchyas to look out for.  Let me know or the Novell Forums know if you discover a bug with DSfW and Windows 8.

Diagnostic tool for DNS Records

The DSfW team has a great tool called check-dns.pl to help diagnose DNS issue with DSfW.

The tool validates essential records for forward and reverse lookups.  This tool can be found at Novell Coolsolutions.

The tool might incorrectly report PDC and DC records if there is more than one Domain Controller.  The Coolsolutions article will be updated with a new check-dns.pl to address this issue.

Until the Coolsolutions article is updated you can download it from dsfwdude.com.

Download

Updated dsfw_processchk script 2.1.5

I updated the dsfw_processchk script to not only check all essential DSfW processes, but to handle multiple pids for the xadsd process.  The script is great to use if you are worried that a DSfW process will stop and you don’t want to receive several phone calls alerting you to the problem or the DSfW server has been unstable you you need to time track down the invalid requests hitting the DSfW server.

The script will report which processes are running or have stopped. It works by validating that a PID exists for each process. If a process is not running the script has the option to restart the services, send an e-mail that a process has stopped, and update the syslog.

Key configuration

# Set RESTART_DSFW to 1 to reload DSfW services if one or service is not running,
# Set RESTART_DSFW to 0 to leave the services… Continue reading

Script to check if ports are listening

If you are concerned about a DSfW service going down and or the port is not accessible, this script will help keep the services up or notify you of a service going down.  The script will check if each DSfW service is listening, then telnet to each port.  If it can not telnet, the script will log which port is not accessable in the /var/opt/novell/xad/log/dsfw_portchk.log.

The dsfw_portchk.sh script can be ran on PDC or ADC, running Novell DNS or not running Novell DNS.

The script can also e-mail and restart the services if desired.

It will detect if the server has IPv6 enabled so to properly detect the correct port Samba and NetBios is listening on.

The script detects if Novell DNS is configured to start.  Some times on ADC servers DNS is not configured or is not set to run.  The original script… Continue reading

Open Enterprise Server 11 SP1 is released

Open Enterprise Server 11 SP1 has been released today

LearnEventually, hopefully in the next update or two to more about OES11SP1 here

The download links for OES11 SP1 are:

Download link: http://download.novell.com/SummaryFree.jsp?buildid=rmqoq2iehSQ~
Documentation: http://www.novell.com/documentation/oes11/

As far as Domain Services for Windows goes, the install will now allow you to choose between a simplified install or the standard.  The simplified install of DSfW reduces the number of screen, removing many of the screens that most people click next on with out any changes too.  The install is also more intuitive.  If follows along with the type of DSfW install you are doing instead of starting with the eDirectory configuration.

OES11SP1 has also improved gposync.  This should help reduce issues with gopsync not working correctly or properly syncing gpos out to the ADC DSfW servers.

OES11SP1 migrations for DSfW servers are now supported.  The supported migrations are:… Continue reading

Script to check DSfW Processes

I have a updated script to check all essential DSfW processes.  The name of the script is dsfw_processchk.  The script is great to use if you are worried that a DSfW process will stop and you don’t want to receive several phone calls alerting you to the problem or the DSfW server has been unstable you you need to time track down the invalid requests hitting the DSfW server.

The script will report which processes are running or have stopped.  It works by validating that a PID exists for each process.  If a process is not running the script has the option to restart the services, send an e-mail that a process has stopped, and update the syslog.

Key configuration

# Set RESTART_DSFW to 1 to reload DSfW services if one or service is not running,
# Set RESTART_DSFW to 0 to leave the services… Continue reading

Categories