Latest DSfW Health Check Script

I’ve received a great deal of feed back on the DSfW Health Check Script and applied some changes.
I am always looking for suggestions. I’ve created an updated video with the latest script. Watch to to learn about configuring it for your specific needs.


DSfW and eDirectory Health Check

It is a good idea to periodically check the health of DSfW and eDirectory servers.

This video concentrates on a script I wrote that can be ran on both eDirectory and DSfW servers.

The script demonstrated in this video is called dsfw_edir_healthchk.sh.  To get the latest version of the script click on the DSfW Health Check link in the download section on DSfWDude.com.

A great TID to start off with for a eDirectory health check is TID 3564075.
On a DSfW server start off with an eDirectory health check as well as TID 7001884 which has DSfW specific commands to check the health and overall operation of a DSfW server.

The script does most of the suggestions in both TIDs mentioned above plus a few more checks.

For eDirectory there are 8 checks the script does and… Continue reading

DSfW Slow Performance/Group Types

DSfW, like AD, has multiple group types.  This is found in the grouptype attribute.  TID 7004405 goes over the three group types.

Domain Local group: -2147483644
Global group: -2147483646
Universal group: -2147483640

The default group type is Universal group.   This group type can generate a lot of extra traffic causing the performance of the domain controller to suffer.

Global and Universal groups calculate a virtual attribute called tokenGroupsDomainLocal. This attribute is calculated for the group by the slapi layer. When a user is a member of several groups login times can increase. An increase in ndsd utilization can also result from the calculation of the tokenGroupsDomainLocal when a large number of groups reside within the domain.

If ndsd utilization is high or login times need to be reduced, change groups to Domain Local groups to avoid the calculation of the tokenGroupsDomainLocal virtual attribute.

Here is a… Continue reading

Open Enterprise Server 11 SP1 is released

Open Enterprise Server 11 SP1 has been released today

LearnEventually, hopefully in the next update or two to more about OES11SP1 here

The download links for OES11 SP1 are:

Download link: http://download.novell.com/SummaryFree.jsp?buildid=rmqoq2iehSQ~
Documentation: http://www.novell.com/documentation/oes11/

As far as Domain Services for Windows goes, the install will now allow you to choose between a simplified install or the standard.  The simplified install of DSfW reduces the number of screen, removing many of the screens that most people click next on with out any changes too.  The install is also more intuitive.  If follows along with the type of DSfW install you are doing instead of starting with the eDirectory configuration.

OES11SP1 has also improved gposync.  This should help reduce issues with gopsync not working correctly or properly syncing gpos out to the ADC DSfW servers.

OES11SP1 migrations for DSfW servers are now supported.  The supported migrations are:… Continue reading

How to find all DNS Locator objects

When installing DSfW into an environment were Novell DNS is already in use, be sure to use the existing DNS Locator object.  It will simplify management for the all the zones and DNS servers.  The locator object is used by the DNS/DHCP Console to return all zones and DNS servers the locator object knows about.  If there are multiple locator objects then the first locator object discovered by the DNS/DHCP Console will be used.  What will happen is only zones and DNS servers the DNS Loctor object knows about will be displayed and managed in the DNS/DHCP Console.  This makes managing DNS difficult.  Before installing doe a quick search for existing locator objects.

Do the following search to discover existing locator objects

ldapsearch -x -b “” -s sub objectClass=dNIPlocator

Delete an attribute on all users with a script

Here is the bases of a script to delete an attribute on a user.

I come across issues where an attribute was populated on several users that shouldn’t be there or you want to create new objectsids or just remove the existing objectsids and replace them with a back up.

Most DSfW installs are a name mapped install meaning the install is mapped to an existing container in the tree.  If this is the case the domain name most likely will not patch to context in the tree and most likely the objectclass wit not be domain.  An example of a domain with the name of  novell.com mapped to a container with an objectclass of Organization (o=novell) and not domain (dc=novell).  Even it if is a dc most likely the fdn does not match the domain name.  Continuing with our example of novell.com that would… Continue reading

Backup ObjectSid

For a disaster recovery issue it might be necessary to have a backup of all objectsSids for users and computers.

Here is a simple script to create a ldif file that is ready to import and replace existing objectsids.

Since computers have an objectclass of user setting the filter to “(&(objectclass=user)(objectsid=*))” will return all users and computers with an objectsid.  The base can be set to the domain name context (ex: dc=domain,dc=com) if this is ran from a DSfW server other wise use the standard context in eDir (ex: o=novell) assuming this is a name mapped install and the context does not use dc objectclass.



ldapsearch -x -LLL -H ldaps://localhost:636 -D cn=admin,o=novell -W -b “o=novell” -s sub “(&(objectclass=user)(objectsid=*))” dn objectsid|sed s[objectsid[‘changetype:modify\nreplace:objectsid\nobjectsid'[g | grep -v ^# > Objectsids_restore.ldif

exit 0

Trouble shooting Kerberos on a DSfW server

If kerberos fails to start it is usually caused by

Missing ldap interfaces on the ldap server object

Missing uniquedomainid attribute on key objects

Corrupt or missing libraries

Misconfigured or missing kdc.conf

This video will go over kerberos failing to start because of missing ldap interfaces.  This most likely will happen if the ldap server object is deleted and recreated.


LDAP Proxy 1.0 is Released

The much awaited LDAP Proxy has been released and is available for download on the download.novell.com site.

The documentation can be found at http://www.novell.com/documentation/ldapproxy/

If you are unfamiliar with LDAP Proxy, it allows a single access point for access to multiple directories. That is the basic function of LDAP Proxy. It does way more than that. Very cool product. I have been waiting a long time for this.

How to take a LDAP trace – quick version

This video will show you how to take a ldap trace on a linux/DSfW server.

This applies to both eDirectory and DSfW (since DSfW is built on eDir)
A ldap trace is helpf in troublehooting applications or workstations authenticating,
searching, or modifying the directory.
Some commands used in the video

ldapconfig utility:
See the screen level
ldapconfig get |grep -i “ldap screen level”

set the screen level for everything but packet dumping
ldapconfig -s “Operation| Connection| Config| Extensions| Error| Critical| DataConnection”

Setting the screen level to all
ldapconfig -s “ldap screen level=all”

Going back to default screen level
ldapconfig -s “ldap screen level= Error| Critical”

ndstrace section:
turn off the screen and file logging
ndstrace off

clear the filter
set ndstrace = nodebug

enabeling ldap and nmas in the filter
ndstrace +time +tags +ldap +nmas

turn on the screen and logging
ndstrace on

The ndstrace.log is located in

How to take a LDAP trace – long version

How to take a LDAP NMAS trace for DSfW TID 7009602

LDAP on DSfW and how it differs from standard eDirectory LDAP ports

TID 7001886 has information on the ports DSfW uses including the ldap ports.