Looking for DSfW Feedback
There is a new survey for Domain Services for Windows at https://www.surveymonkey.com/s/dsfwsurvey
Please provide any feedback on DSfW. You can have direct impact as to the road map of DSfW plus enter a chance to win $50. If your orginization is currently using DSfW, planning on using DSfW, or thinking about using DSfW please help out by taking the survey.
For more information on the survey itself go to coolsolutions.
July 2012 Maintenance for OES11 is released
July 2012 Maintenance for OES 11 along with July 2012 Scheduled Maintenance for eDirectory 8.8 SP6 patch 6 have been released
Key DSfW specific bugs fixed with this maintenance patch
- – 771737: OES11SP1LH: MMC can not create a User
- – 761449: Can not Create Groups or OUs with MMC
- – 758572: DSFW: Windows 7 remote assistance is not working.
- – 766772: UpdatePDCMaster.pl failed during PDC role transfer
- – 763854: Managing GPOs fail due to SYSVOL DFS referral link pointing to wrong path
- – 738214: DSfW – All xadsd threads stuck in pthread_cond_wait/lock wait, causing xadsd to be unresponsive
- – 758992: DSFW: Polycom SSO configuration fails with error “”Access Denied”” while changing password
- – 703655: SYSVOL DFS referral link points to ADC and interrupts GPO Administrator operations
July 2012 Scheduled Maintenance for OES11
- – 583261: httpstkd randomly stops
- – 658145: NSS volume with Di and RI flags, incorrectly blocks root user… Continue reading
July 2012 Maintenance for OES2SP3 has been released
The July 2012 Maintenance Patch for oes2 sp3 has been release
The 64 bit version can be found here
The 32 bit version can be found here
List of bug fixes in the July 2012 Maintenance for OES2SP3
- 142091: Inconsistency with naming in the GUI
- 142183: Secrets added to Gnome Keyring through CASAManager have a default key/value pair of GKPassword/novell
- 146015: A CASAKeyring is created to add secrets to the Gnome Keyring through CASAManager
- 147031: CASAManager should have a menu item.
- 155529: Firefox Tab is available in CASAManager Preferences even if Firefox is not installed
- 172719: Starting CASAManager with store locked throws exception
- 200912: After a lun is resized gpt does not work correctly
- 508945: When micasad is stopped its status is displayed as “dead”
- 509471: miCASASetCredential handles input argument incorrectly
- 523398: CASA Manager prints GTK warning messages on terminal
- 523402: CASA Manager prints messages on terminal when… Continue reading
July 2012 Maintenance for OES11 eDirectory 8.8 SP6 patch 6 released
The July 2012 Maintenance Patch for eDirectory 8.8 SP6 has been release
The 64 bit version can be found here
List of bug fixes in the July 2012 Maintenance for OES11 for eDirectory patch 6
- – 679767: NMAS Client aborts NCP connection and returns error -625 immediately upon having sent NMAS Start Session request on an idle NCP connection where server sent Watchdog packets.
- – 733188: eDirectory returns error 48 ‘Anonymous Simple Bind Disabled’ for authenticated TLS bind
- – 749516: Dclient DDCGetSEVList function does not return cifs users GUID causing CIFS users authorization failure and Memory/CPU spike up.
- – 765688: Right granted to dynamic group is assigned to whole tree, not just its members
| novell-dclient-32bit-8.8.6.6-1.1.x86_64.rpm | 350.2 KB (358675) |
| novell-dclient-8.8.6.6-1.1.x86_64.rpm | 352.7 KB (361182) |
| novell-edirectory-jclnt-8.8.6.6-1.1.x86_64.rpm | 267.9 KB (274431) |
| novell-edirectory-tsands-32bit-8.8.6.6-1.1.x86_64.rpm | 258.3 KB (264554) |
| novell-edirectory-tsands-8.8.6.6-1.1.x86_64.rpm | 265.3 KB (271675) |
| novell-NDSbase-32bit-8.8.6.6-1.1.x86_64.rpm | 406.9 KB (416672) |
| novell-NDSbase-8.8.6.6-1.1.x86_64.rpm | 553.3 KB (566596) |
| novell-NDScommon-8.8.6.6-1.1.x86_64.rpm | 225.7 KB (231121) |
| novell-NDSimon-8.8.6.6-1.4.x86_64.rpm | 2.5 MB (2672112)… Continue reading |
How to find all DNS Locator objects
When installing DSfW into an environment were Novell DNS is already in use, be sure to use the existing DNS Locator object. It will simplify management for the all the zones and DNS servers. The locator object is used by the DNS/DHCP Console to return all zones and DNS servers the locator object knows about. If there are multiple locator objects then the first locator object discovered by the DNS/DHCP Console will be used. What will happen is only zones and DNS servers the DNS Loctor object knows about will be displayed and managed in the DNS/DHCP Console. This makes managing DNS difficult. Before installing doe a quick search for existing locator objects.
Do the following search to discover existing locator objects
ldapsearch -x -b “” -s sub objectClass=dNIPlocator
OES11 SP1 Beta released
The OES11 SP1 Beta has been publicly released
Check it out if you are interested in seeing some of the new features in OES
The big news for Domain Services for Windows is the simplified install.
The install allows for a simplified install
For the simplified install the YaST configuration screens have been minimized.
The first screen start with what type of install instead of the eDirectory screen.
Some screens have been eliminated and common default values are used automatically making the install less confusing.
Plus it runs on SLES11 SP2
For more info see http://www.novell.com/beta/auth/beta.jsp?id=4425&type=1
The ISOs can be found here:
ISOs:http://download.novell.com/Download?buildid=hXpxKX0Z4g8~
The documentation can be found here:
Docs:http://www.novell.com/documentation/beta/oes11/oes11_toc/data/index-stand.html
Delete an attribute on all users with a script
Here is the bases of a script to delete an attribute on a user.
I come across issues where an attribute was populated on several users that shouldn’t be there or you want to create new objectsids or just remove the existing objectsids and replace them with a back up.
Most DSfW installs are a name mapped install meaning the install is mapped to an existing container in the tree. If this is the case the domain name most likely will not patch to context in the tree and most likely the objectclass wit not be domain. An example of a domain with the name of novell.com mapped to a container with an objectclass of Organization (o=novell) and not domain (dc=novell). Even it if is a dc most likely the fdn does not match the domain name. Continuing with our example of novell.com that would… Continue reading
Troubleshooting slow logins and unresponsive DSfW servers
I have seen several issues were a DSfW server becomes sluggish or unresponsive. Logins can take several minutes. Some times ndsd or another DSfW process crashes.
If a DSfW server running DNS has a DSfW specific process stop or crash a quick stop gap measure is to monitor the DSfW processes and restart them if one or more of the DSfW processes stop. I created a simple script that will check that a pid exists for each process. The script is called dsfw_processchk.sh. While it does not restart DSfW in every condition like if a process continues to run but is not responding or say a process crashes but the pid is never cleaned up, it does work for most situations. Create a cron job to run the script every hour, 30 minutes, 10 minutes, what ever you desire. My… Continue reading
Script to monitor DSfW processes and restart services
If a DSfW server running DNS has a DSfW specific process stop or crash a quick stop gap mesure is to monitor the DSfW processes and restart them if one or more of the DSfW processes stop. I created a simple script that will check that a pid exists for each process. The script is called dsfw_monitor.sh. While it does not restart DSfW in every condition like if a process continues to run but is not responding or say a process crashes but the pid is never cleaned up, it does work for most situations.
Create a cron job to run the script every hour, 30 minutes, 10 minutes, what ever you desire. My recomendation is to not go below 5 minutes since eDirectory might take several minutes to stop and start again.
To create a cronjob use the crontab command with the -e… Continue reading
Backup ObjectSid
For a disaster recovery issue it might be necessary to have a backup of all objectsSids for users and computers.
Here is a simple script to create a ldif file that is ready to import and replace existing objectsids.
Since computers have an objectclass of user setting the filter to “(&(objectclass=user)(objectsid=*))” will return all users and computers with an objectsid. The base can be set to the domain name context (ex: dc=domain,dc=com) if this is ran from a DSfW server other wise use the standard context in eDir (ex: o=novell) assuming this is a name mapped install and the context does not use dc objectclass.
#!/bin/bash
ldapsearch -x -LLL -H ldaps://localhost:636 -D cn=admin,o=novell -W -b “o=novell” -s sub “(&(objectclass=user)(objectsid=*))” dn objectsid|sed s[objectsid[‘changetype:modify\nreplace:objectsid\nobjectsid'[g | grep -v ^# > Objectsids_restore.ldif
exit 0
Trouble shooting Kerberos on a DSfW server
If kerberos fails to start it is usually caused by
Missing ldap interfaces on the ldap server object
Missing uniquedomainid attribute on key objects
Corrupt or missing libraries
Misconfigured or missing kdc.conf
This video will go over kerberos failing to start because of missing ldap interfaces. This most likely will happen if the ldap server object is deleted and recreated.
Novell DSfW and Authasas Bio-metrics authentication
Authasas provides biometric, smartcard, OTP, and any BioAPI compliant device. They have a solution to provide biometric authentication with DSfW. To learn more about this take a look at this presentation.
The presentation is a case study of the City of Apopka, Florida utilizing Novell eDirectory, Domain Services for Windows, Zenworks, and Authasas to provide bio-metric authentication and GPO implementation.
Eliot Lanes from Viable Solutions, Donald Kahrs from City of Apopka, and Rik Peters, and Paul Robertson from Authasas describe their implementation of Authasas with Domain Services for Windows.
How to merge DNS zones
The creation of the DSfW domain will create a DNS zone for the domain along with the reverse zone. If there is already a zone with the same name then merging the zones is necessary.
This video shows how to use the DNS/DHCP Console to export, merge, and import zones.
Manage the Domain Boundary
Starting with OES2SP3 DSfW domain boundaries were no longer restricted to a single partition. Now partitions directly below the partitioned container mapped to the domain can be mapped to the domain as well. This can be done during the install of DSfW and creation of the domain with custom provisioning option or after the creation of the domain using the tool domaincntrl.
Here is a playlist for the videos covering Managing the Domain Boundary
The command and usage for managing the domain boundary can be found in the documentation.
The syntax for domaincntrl is:
domaincntrl <Operation> [arguments]
Operators:
–list
Lists partitions in the domain
–add
Adds a partition to the domain
–remove
Removes a partition (and desamify users) from a domain… Continue reading
Install OES11 DSfW
Here is a playlist for videos covering the install of OES11 DSfW
It is broken out into 6 videos
Install OES11 DSfW – Yast section
Install OES11 DSfW – Log Files
Install OES11 DSfW – Provisioning Wizard
Start with the oes11 documentation and TID 7002172 Preparing for Domain Services for Windows Install
Prepare to install an ADC DSfW server
This video will go through the preparation of installing an ADC DSfW server. It will guide you through TID 7009927.
Cross Forest Trust Password
Some times the cross forest trust between DSfW and AD fails and a common reason for this failure is the cross forest trust password. By default the Windows server will reset the trust password every 30 days. Some times the change only occurs on the Windows side and trust object in DSfW does not get the update leading to a broken trust. Validating and reseting the trust is one way to fix this. Another option is to disable the server from changing the password. This video will show how to validate the trust, reset the password, modify the number of days when a password is changed, and how to disable password changes.
How to disable the automatic machine account password changes.
-
In the registry go toHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange
- Change the registry subkey to a value of 1 (default is 0 which enables password changes, 1 disables password changes)
- Restart the… Continue reading
Running Windows 7 on an iPad using VMWare View
Using VMWare View a Apple iPad can run Windows 7. Using Domain Services for Windows as the directory VMWare View can easily be deployed in and existing or new Novell eDirectory environment. This video from Network World demonstrates how Windows 7 can run on a Apple iPad.
Overview of VMWare View 5
VMWare View is one of the most common reasons why Domain Services for Windows is deployed and the most popular app authenticating to Domain Services for Windows. With View workstations can be centrally managed and reside in the data-center. If you are looking at implementing VMWare View, consider DSfW as a replacement for AD. If you are a Novell Shop and want to continue using eDirectory and don’t want to have two directories to administer, DSfW will allow a AD style Domain to be installed into your tree, providing AD style authentication. No CALS, which will saver $, no syncing directories because all the users are in eDirectory. eDirectory is running behind the scenes with DSfW. The users in the DSfW domain are both eDir and DSfW users. AD and NCP authentication will work with DSfW. With applications like VMWare View that require… Continue reading
How to create a cross forest trust
This video will guide you through the creation of a cross forest trust between DSfW and AD.
For more information on creating a cross forest trust please read through the documentation
http://www.novell.com/documentation/oes11/acc_dsfw_lx/data/ber65jt.html
The trust password will change every 30 days by default. Consider disabling the automatic machine password changes or increasing the time before the password is changed. Some times when a workstation or in this case trust changes its password the change does not get set in the directory and the trust relationship is broken. In that case the trust needs to be re-established.
If a trust is removed and then re-established, before creating the trust again be sure that the trust object in cn=users, is removed as well. The object will look like a user object with the name of the AD Domain with a $ at the end.
Good MS documents to help troubleshoot errors:
Known… Continue reading
Novell DNS Tools – iManager and DNS/DHCP Console
The Novell DNS DHCP Console is what most prefer to use to manager Novell DNS. It allows for easy viewing, modification, and creation of zones, records, and DNS servers.
If there are more than one dns locator objects in the tree use the -C switch after the executable to specify which locator object to use.
-C OESSystemobjects.novell
If updates made in the DNS/DHCP tool are not fast enough for you, loo at the novell_dyn_reconfigure setting on the DNS server object or restart novell-named.
At 6:51 on the video this setting is displayed. 15 minutes is recommend . If the reconfigure is set to 5 minutes in a large environment, the reconfigure might not finish updating cache before the the process is started again.
iManager is the second tool available to use to manage DNS and DHCP. The second video will… Continue reading
How to join a Mac to a DSfW domain
This video will show you how to join a Mac to a DSfW domain
At this time Mac joined to a DSfW domain is not supported, but it can be done.
Be sure dns resolves the domain name – nslookup <domain name>
Go to the System Preferences
Accounts
click Join button next to Network Account Server
Click Open Directory Utility
Unlock the directory utility
Click Active Directory
Add the domain name to the Active Directory Domain field
Be sure the Computer name ID is a unique name
Click bind
Now the workstation is joined to the domain. To enable DSfW users to login to the workstation
Under Hide Advanced Options
Click the User Experience
use smb as the network protocol
and /bin/bash as the default shell
so that users can login when the domain is not available enable Create mobile account at login
The most important setting is… Continue reading
How to take a LDAP trace – quick version
This video will show you how to take a ldap trace on a linux/DSfW server.
This applies to both eDirectory and DSfW (since DSfW is built on eDir)
A ldap trace is helpf in troublehooting applications or workstations authenticating,
searching, or modifying the directory.
Some commands used in the video
ldapconfig utility:
See the screen level
ldapconfig get |grep -i “ldap screen level”
set the screen level for everything but packet dumping
ldapconfig -s “Operation| Connection| Config| Extensions| Error| Critical| DataConnection”
Setting the screen level to all
ldapconfig -s “ldap screen level=all”
Going back to default screen level
ldapconfig -s “ldap screen level= Error| Critical”
ndstrace section:
turn off the screen and file logging
ndstrace off
clear the filter
set ndstrace = nodebug
enabeling ldap and nmas in the filter
ndstrace +time +tags +ldap +nmas
turn on the screen and logging
ndstrace on
The ndstrace.log is located in
/var/opt/novell/eDirectory/log/
How to take a LDAP trace – long version
How to take a LDAP NMAS trace for DSfW TID 7009602
LDAP on DSfW and how it differs from standard eDirectory LDAP ports
TID 7001886 has information on the ports DSfW uses including the ldap ports.
How to recreate the Domain Users Group
See TID 7009288 for the steps to re-create the Domain Users group
DSfW and Novell Cifs
Novell Cifs is a wonderful way to access files from a workstation not running the Novell Client.
This video shows how to install Novell Cifs and configure it to work with Domain Services for Windows.
The key is to assign the cifs proxy user to the password policy for the DSfW users.
Password Policies with DSfW
The /etc/opt/novell/xad/xad.ini file has the setting to determine if password policies are controlled by the GPO or Novell password policies. XADRETAINPOLICIES =no will use the GPO, XADRETAINPOLICIES = yes can me managed with iManager
How to Join a workstation to a DSfW domain
Joining a workstation to a DSfW domain is the same as joining to an AD domain.
Be sure the workstation’s time is insync with the server and can resolve the domain with nslookup