Latest DSfW Health Check Script
I’ve received a great deal of feedback on the DSfW Health Check Script and applied some changes.
I am always looking for suggestions. I’ve created an updated video with the latest script. Watch it to learn about configuring it for your specific needs.
DSfW and eDirectory Health Check
It is a good idea to periodically check the health of DSfW and eDirectory servers.
This video concentrates on a script I wrote that can be run on both eDirectory and DSfW servers.
The script demonstrated in this video is called dsfw_edir_healthchk.sh. To get the latest version of the script click on the DSfW Health Check link in the download section on DSfWDude.com.
A great TID to start off with for an eDirectory health check is TID 3564075.
On a DSfW server, start off with an eDirectory health check as well as TID 7001884, which has DSfW-specific commands to check the health and overall operation of a DSfW server.
The script performs most of the checks suggested in both TIDs mentioned above plus a few more.
For eDirectory there are 8 checks the script does and…
DSfW Slow Performance/Group Types
DSfW, like AD, has multiple group types. This is found in the grouptype attribute. TID 7004405 goes over the three group types. The values below are the signed 32-bit form of the groupType bit flags, the same encoding Active Directory uses; the negative sign comes from the 0x80000000 security-enabled bit.
Domain Local group: -2147483644
Global group: -2147483646
Universal group: -2147483640
The default group type is Universal. This group type can generate a lot of extra traffic, causing the performance of the domain controller to suffer.
Global and Universal groups calculate a virtual attribute called tokenGroupsDomainLocal, which the slapi layer computes for the group. When a user is a member of many groups, login times can increase, and ndsd utilization can rise from calculating tokenGroupsDomainLocal when a large number of groups reside within the domain.
If ndsd utilization is high or login times need to be reduced, change the groups to Domain Local groups so that the tokenGroupsDomainLocal virtual attribute is not calculated.
Here is a…
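As an added example (not code from the original post or from the DSfWDude scripts), the Python below decodes the groupType values listed above, parses the output of an ldapsearch for dn and groupType, and emits an LDIF changeset that turns every Global or Universal group into a Domain Local group while preserving the security-enabled bit. The sample search output and the group names in it are constructed; the search base, the case the server echoes the attribute name in, and the -LLL output shape are assumptions about what a real search returns.

```python
"""Decode DSfW/AD groupType values and emit LDIF that converts groups to Domain Local.
Added example; SAMPLE_SEARCH below is constructed, not taken from a real tree."""

# groupType bit flags; DSfW stores the same signed 32-bit encoding Active Directory uses.
GLOBAL = 0x00000002
DOMAIN_LOCAL = 0x00000004
UNIVERSAL = 0x00000008
SECURITY_ENABLED = 0x80000000  # high bit set -> the LDAP integer prints as a negative number

SCOPES = {GLOBAL: "Global", DOMAIN_LOCAL: "Domain Local", UNIVERSAL: "Universal"}


def decode_group_type(value):
    """Return (scope, security_enabled) for a signed 32-bit groupType value."""
    bits = value & 0xFFFFFFFF  # reinterpret the signed LDAP integer as unsigned
    scopes = [name for flag, name in SCOPES.items() if bits & flag]
    if len(scopes) != 1:
        raise ValueError("groupType %d does not carry exactly one scope bit" % value)
    return scopes[0], bool(bits & SECURITY_ENABLED)


def encode_group_type(scope, security_enabled=True):
    """Inverse of decode_group_type: the signed value LDAP stores for a scope."""
    flag = {name: f for f, name in SCOPES.items()}[scope]
    bits = flag | (SECURITY_ENABLED if security_enabled else 0)
    return bits - (1 << 32) if bits & SECURITY_ENABLED else bits


def parse_groups(ldif_text):
    """Parse 'ldapsearch -LLL ... dn groupType' output into [(dn, groupType)].

    Attribute names are matched case-insensitively because the server may echo
    'grouptype' or 'groupType' depending on how the attribute was requested."""
    groups, dn = [], None
    for line in ldif_text.splitlines():
        lower = line.lower()
        if lower.startswith("dn:"):
            dn = line.split(":", 1)[1].strip()
        elif lower.startswith("grouptype:") and dn is not None:
            groups.append((dn, int(line.split(":", 1)[1])))
            dn = None
    return groups


def domain_local_conversion_ldif(ldif_text):
    """LDIF changeset that turns every Global or Universal group into a Domain Local
    group of the same kind (security or distribution). Domain Local groups are skipped."""
    changes = []
    for dn, group_type in parse_groups(ldif_text):
        scope, security = decode_group_type(group_type)
        if scope == "Domain Local":
            continue
        changes.append(
            "dn: %s\nchangetype: modify\nreplace: groupType\ngroupType: %d\n-\n"
            % (dn, encode_group_type("Domain Local", security))
        )
    return "\n".join(changes)


# Constructed sample shaped like the output of:
#   ldapsearch -x -LLL -b o=novell "(objectClass=group)" dn groupType
SAMPLE_SEARCH = """\
dn: cn=Sales,ou=groups,o=novell
groupType: -2147483640

dn: cn=Engineering,ou=groups,o=novell
groupType: -2147483646

dn: cn=Printers,ou=groups,o=novell
groupType: -2147483644
"""

if __name__ == "__main__":
    for dn, group_type in parse_groups(SAMPLE_SEARCH):
        print("%-40s %s" % (dn, decode_group_type(group_type)))
    print(domain_local_conversion_ldif(SAMPLE_SEARCH))
```

The script never touches the directory; review the generated file and apply it with ldapmodify (for example ldapmodify -x -H ldaps://localhost:636 -D cn=admin,o=novell -W -f groups.ldif). Active Directory itself refuses to convert a Global group straight to Domain Local (it has to pass through Universal first); whether DSfW enforces the same rule is not covered here, so convert one group first and confirm the effect on login time and ndsd before doing the rest.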
Open Enterprise Server 11 SP1 is released
Open Enterprise Server 11 SP1 has been released today.
Learn more about OES11SP1 here (eventually, hopefully in the next update or two).
The download links for OES11 SP1 are:
Download link: http://download.novell.com/SummaryFree.jsp?buildid=rmqoq2iehSQ~
Documentation: http://www.novell.com/documentation/oes11/
As far as Domain Services for Windows goes, the install will now allow you to choose between a simplified install or the standard one. The simplified install of DSfW reduces the number of screens, removing many of the screens that most people click Next on without making any changes. The install is also more intuitive: it follows along with the type of DSfW install you are doing instead of starting with the eDirectory configuration.
OES11SP1 has also improved gposync. This should help reduce issues with gposync not working correctly or not properly syncing GPOs out to the ADC DSfW servers.
OES11SP1 migrations for DSfW servers are now supported. The supported migrations are:…
How to find all DNS Locator objects
When installing DSfW into an environment where Novell DNS is already in use, be sure to use the existing DNS Locator object. It simplifies management of all the zones and DNS servers. The DNS/DHCP Console uses the locator object to return all zones and DNS servers the locator object knows about. If there are multiple locator objects, the first locator object the DNS/DHCP Console discovers is used, so only the zones and DNS servers that locator object knows about are displayed and managed in the console. This makes managing DNS difficult. Before installing, do a quick search for existing locator objects.
Do the following search to discover existing locator objects:
ldapsearch -x -b "" -s sub objectClass=dNIPlocator
If more than one dn comes back, find out which locator object the existing DNS servers already reference and use that one for the install. If nothing comes back, retry bound as an administrator (add -D and -W) to rule out an anonymous-bind restriction before concluding there is no locator object.
Delete an attribute on all users with a script
Here is the basis of a script to delete an attribute on a user.
I come across issues where an attribute was populated on several users that shouldn’t be there, or you want to create new objectSids, or you just want to remove the existing objectSids and replace them from a backup.
Most DSfW installs are name-mapped installs, meaning the install is mapped to an existing container in the tree. If this is the case, the domain name most likely will not match the context in the tree, and most likely the objectclass will not be domain. An example is a domain with the name novell.com mapped to a container with an objectclass of Organization (o=novell) rather than domain (dc=novell). Even if it is a dc, most likely the FDN does not match the domain name. Continuing with our example of novell.com, that would…
Backup ObjectSid
For disaster recovery it might be necessary to have a backup of all objectSids for users and computers.
Here is a simple script to create an LDIF file that is ready to import and replace the existing objectSids.
Since computers have an objectclass of user, setting the filter to "(&(objectclass=user)(objectsid=*))" returns all users and computers with an objectSid. The base can be set to the domain name context (ex: dc=domain,dc=com) if this is run from a DSfW server; otherwise use the standard context in eDir (ex: o=novell), assuming this is a name-mapped install and the context does not use the dc objectclass.
#!/bin/bash
# Dump dn + objectSid of every user and computer and rewrite each entry as an LDIF
# "replace" so the file can be fed straight to ldapmodify to put the SIDs back.
# Adjust -D and -b for your tree (dc=domain,dc=com when run on a DSfW server).
ldapsearch -x -LLL -H ldaps://localhost:636 -D cn=admin,o=novell -W -b "o=novell" -s sub \
  "(&(objectclass=user)(objectsid=*))" dn objectsid \
  | sed 's[objectsid[changetype:modify\nreplace:objectsid\nobjectsid[g' \
  | grep -v '^#' > Objectsids_restore.ldif
exit 0
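The sed one-liner above and the attribute-deletion post earlier on this page both boil down to the same job: take ldapsearch -LLL output and turn each entry into an LDIF modify. The Python below is an added example (not the DSfWDude script) that does that with a small LDIF parser: it unfolds continuation lines, handles base64 (::) values, matches the attribute name case-insensitively (a literal sed pattern only matches the exact case the server echoes), checks that each objectSid decodes to a well-formed SID before writing the restore file, and adds the "-" terminator RFC 2849 expects after each modification. The DNs, domain SID and RIDs in the sample are constructed, and the sample is shaped on the assumption that the real search output looks like ldapsearch -LLL output generally does.

```python
"""Build objectSid-restore and attribute-delete LDIF from ldapsearch -LLL output.
Added example; the sample data below is constructed, not taken from a real tree."""
import base64
import re
import struct


def sid_to_string(raw):
    """Render a binary SID (revision, sub-authority count, 48-bit big-endian authority,
    little-endian sub-authorities) in the usual S-1-5-21-... form."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def string_to_sid(text):
    """Inverse of sid_to_string; used here only to fabricate the sample data."""
    parts = [int(p) for p in text.split("-")[1:]]
    revision, authority, subs = parts[0], parts[1], parts[2:]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_from_ldif_value(b64):
    """Decode a base64 objectSid as ldapsearch prints it; raises if it is not a SID."""
    return sid_to_string(base64.b64decode(b64))


def parse_ldif_entries(text):
    """Parse ldapsearch -LLL output into [(dn, {attribute_lowercase: [(value, is_base64)]})].
    Continuation lines (leading space) are unfolded; '::' marks a base64 value."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)
    entries, current = [], None
    for line in logical:
        if not line.strip() or line.startswith("#"):  # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        m = re.match(r"^([^:]+)(::?)\s*(.*)$", line)
        if not m:
            continue  # not an attribute line
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if name == "dn":
            dn = base64.b64decode(value).decode("utf-8") if sep == "::" else value
            current = (dn, {})
        elif current:
            current[1].setdefault(name, []).append((value, sep == "::"))
    if current:
        entries.append(current)
    return entries


def objectsid_restore_ldif(search_output):
    """Turn 'ldapsearch ... dn objectsid' output into LDIF that writes each SID back.
    Every value is checked to be a well-formed SID before it is emitted."""
    changes = []
    for dn, attrs in parse_ldif_entries(search_output):
        for value, is_b64 in attrs.get("objectsid", []):
            if not is_b64:
                raise ValueError("objectSid for %s is not base64-encoded" % dn)
            sid_from_ldif_value(value)  # validation only; the base64 is passed through untouched
            changes.append("dn: %s\nchangetype: modify\nreplace: objectSid\nobjectSid:: %s\n-\n"
                           % (dn, value))
    return "\n".join(changes)


def delete_attribute_ldif(search_output, attribute):
    """LDIF that removes every value of `attribute` from each entry that currently has it."""
    wanted = attribute.lower()
    changes = ["dn: %s\nchangetype: modify\ndelete: %s\n-\n" % (dn, attribute)
               for dn, attrs in parse_ldif_entries(search_output) if wanted in attrs]
    return "\n".join(changes)


# Constructed sample shaped like the output of the backup script's search:
#   ldapsearch -x -LLL ... "(&(objectclass=user)(objectsid=*))" dn objectsid
DOMAIN_SID = "S-1-5-21-1000-2000-3000"
SAMPLE_SEARCH = "".join(
    "dn: %s\nobjectSid:: %s\n\n"
    % (dn, base64.b64encode(string_to_sid("%s-%d" % (DOMAIN_SID, rid))).decode("ascii"))
    for dn, rid in [("cn=jdoe,ou=users,o=novell", 1105), ("cn=WS01$,ou=computers,o=novell", 1106)]
)

if __name__ == "__main__":
    for dn, attrs in parse_ldif_entries(SAMPLE_SEARCH):
        print(dn, sid_from_ldif_value(attrs["objectsid"][0][0]))
    print(objectsid_restore_ldif(SAMPLE_SEARCH))
    print(delete_attribute_ldif(SAMPLE_SEARCH, "objectSid"))
```

Replace SAMPLE_SEARCH with the real search output (read from the file the ldapsearch was redirected to) and apply the result with ldapmodify -x -H ldaps://localhost:636 -D cn=admin,o=novell -W -f file.ldif. The objectSid values are passed through as the base64 ldapsearch produced, so the restore file is byte-exact; the SID decode only confirms the backup is sane before it is ever applied.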
Trouble shooting Kerberos on a DSfW server
If Kerberos fails to start, it is usually caused by one of the following:
Missing ldap interfaces on the ldap server object
Missing uniquedomainid attribute on key objects
Corrupt or missing libraries
Misconfigured or missing kdc.conf
This video goes over Kerberos failing to start because of missing LDAP interfaces. This most likely happens if the LDAP Server object is deleted and recreated.
LDAP Proxy 1.0 is Released
The much-awaited LDAP Proxy has been released and is available for download on the download.novell.com site.
The documentation can be found at http://www.novell.com/documentation/ldapproxy/
If you are unfamiliar with LDAP Proxy, it allows a single access point for access to multiple directories. That is the basic function of LDAP Proxy. It does way more than that. Very cool product. I have been waiting a long time for this.
How to take a LDAP trace – quick version
This video will show you how to take an LDAP trace on a Linux/DSfW server.
This applies to both eDirectory and DSfW (since DSfW is built on eDir).
An LDAP trace is helpful in troubleshooting applications or workstations authenticating, searching, or modifying the directory.
Some commands used in the video
ldapconfig utility:
See the screen level:
ldapconfig get | grep -i "ldap screen level"
Set the screen level for everything but packet dumping:
ldapconfig -s "ldap screen level=Operation| Connection| Config| Extensions| Error| Critical| DataConnection"
Setting the screen level to all:
ldapconfig -s "ldap screen level=all"
Going back to the default screen level:
ldapconfig -s "ldap screen level= Error| Critical"
ndstrace section:
turn off the screen and file logging
ndstrace off
clear the filter
set ndstrace = nodebug
enabling ldap and nmas in the filter
ndstrace +time +tags +ldap +nmas
turn on the screen and logging
ndstrace on
The ndstrace.log is located in
/var/opt/novell/eDirectory/log/
How to take a LDAP trace – long version
How to take an LDAP NMAS trace for DSfW: TID 7009602
LDAP on DSfW and how it differs from standard eDirectory LDAP ports
TID 7001886 has information on the ports DSfW uses including the ldap ports.