DSfW

DSfW Slow Performance/Group Types

DSfW, like AD, has multiple group types. The type is stored in the grouptype attribute. TID 7004405 goes over the three group types.

Domain Local group: -2147483644
Global group: -2147483646
Universal group: -2147483640

The default group type is Universal. This group type can generate a lot of extra traffic, causing the performance of the domain controller to suffer.

Global and Universal groups calculate a virtual attribute called tokenGroupsDomainLocal. This attribute is calculated for the group by the slapi layer. When a user is a member of several groups, login times can increase. An increase in ndsd utilization can also result from the calculation of tokenGroupsDomainLocal when a large number of groups reside within the domain.

If ndsd utilization is high or login times need to be reduced, change groups to Domain Local groups to avoid the calculation of the tokenGroupsDomainLocal virtual attribute.

Here is a… Continue reading
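As an added example (not from the post or TID 7004405), the Python below decodes grouptype values using the AD bit layout that the three values above follow (an assumption the values confirm), parses ldapsearch LDIF output, and emits an ldapmodify LDIF that changes each Universal group to Domain Local; the sample LDIF is constructed.

```python
# Decode DSfW grouptype values and build an LDIF that turns Universal groups
# into Domain Local groups.  Added example, not the blog's code.  Assumes DSfW
# uses the AD groupType bit layout, which the three values on the page confirm:
#   0x2 Global, 0x4 Domain Local, 0x8 Universal, 0x80000000 security-enabled
#   -2147483646 = 0x80000002, -2147483644 = 0x80000004, -2147483640 = 0x80000008

SCOPE_BITS = {0x2: "Global", 0x4: "Domain Local", 0x8: "Universal"}
SCOPE_MASK = 0x2 | 0x4 | 0x8
SECURITY_ENABLED = 0x80000000

# Constructed output of: ldapsearch -x -LLL -b o=novell objectClass=group dn grouptype
# The second dn is folded the way ldapsearch folds long lines (leading space).
SAMPLE_LDIF = """\
dn: cn=Sales,ou=groups,o=novell
grouptype: -2147483640

dn: cn=very-long-group-name-that-ldapsearch-folds,ou=groups,o=nov
 ell
grouptype: -2147483640

dn: cn=Domain Admins,cn=users,dc=novell,dc=com
grouptype: -2147483646
"""

def to_unsigned32(value):
    return value & 0xFFFFFFFF          # view the signed LDAP integer as raw bits

def to_signed32(value):
    value &= 0xFFFFFFFF                # back to the signed form LDAP expects
    return value - (1 << 32) if value & SECURITY_ENABLED else value

def scope_of(grouptype):
    """'Global', 'Domain Local', 'Universal' or 'Unknown'."""
    return SCOPE_BITS.get(to_unsigned32(grouptype) & SCOPE_MASK, "Unknown")

def convert_to_domain_local(grouptype):
    """Keep the security/distribution bit, replace the scope bits with 0x4."""
    return to_signed32((to_unsigned32(grouptype) & ~SCOPE_MASK) | 0x4)

def unfold_ldif(text):
    """Join RFC 2849 continuation lines (they start with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_groups(ldif_text):
    """Return [(dn, grouptype), ...], one entry per blank-line separated block."""
    groups = []
    for block in "\n".join(unfold_ldif(ldif_text)).split("\n\n"):
        attrs = dict((k.strip().lower(), v.strip()) for k, _, v in
                     (l.partition(":") for l in block.splitlines() if l))
        if "dn" in attrs and "grouptype" in attrs:
            groups.append((attrs["dn"], int(attrs["grouptype"])))
    return groups

def universal_to_domain_local_ldif(groups):
    """ldapmodify-ready LDIF changing every Universal group to Domain Local."""
    chunks = [f"dn: {dn}\nchangetype: modify\nreplace: grouptype\n"
              f"grouptype: {convert_to_domain_local(gt)}\n"
              for dn, gt in groups if scope_of(gt) == "Universal"]
    return "\n".join(chunks)

if __name__ == "__main__":
    found = parse_groups(SAMPLE_LDIF)
    print([(scope_of(gt), dn) for dn, gt in found])
    print(universal_to_domain_local_ldif(found))   # feed to ldapmodify -x -D ... -W -f
```

Review the generated LDIF before applying it; the scope change affects how tokenGroupsDomainLocal is calculated for every member of those groups.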

November 2012 Maintenance for OES11SP1 is released

November 2012 Maintenance patch for OES11SP1 has been released

Key DSfW specific bugs fixed with this maintenance patch

  • 736416: DSfW – Apple OSX Compatibility: Login to DSfW without ID mapping doesn’t work
  • 739450: DSfW: W32Time auth provider for ntp does not work in a cross partition setup
  • 768113: DSFW: xadsd crashes in dcerpc libprot_ncacn.so library
  • 769945: Assignment of users o authorise RDP Access to Windows Workstation
  • 770416: OES11SP1LH: DNS/DHCP management console can not configure update policy option as DSfW requires
  • 771993: OES11SP1LH: gposync runs in a loop
  • 774802: xadsd crashes in rpc__list_element_alloc ()
  • 778235: gposync tool reports success even if nsimAssignments is not updated
  • 783939: DSFW: No results for LDAP Query when OID is used instead of attribute name in the search filter.
  • 784366: xadsd crashes in rpc__cn_binding_inq_addr () due to failed NTLMSSP authentication requests

Key CIFS, DNS,… Continue reading

November 2012 Maintenance for OES11 is released

November 2012 Maintenance patch for OES11 has been released

Key DSfW specific bugs fixed with this maintenance patch

  • 736416: DSfW – Apple OSX Compatibility: Login to DSfW without ID mapping doesn’t work
  • 739450: DSfW: W32Time auth provider for ntp does not work in a cross partition setup
  • 768113: DSFW: xadsd crashes in dcerpc libprot_ncacn.so library
  • 769945: Assignment of users o authorise RDP Access to Windows Workstation
  • 770416: OES11SP1LH: DNS/DHCP management console can not configure update policy option as DSfW requires
  • 771993: OES11SP1LH: gposync runs in a loop
  • 774802: xadsd crashes in rpc__list_element_alloc ()
  • 778235: gposync tool reports success even if nsimAssignments is not updated
  • 783939: DSFW: No results for LDAP Query when OID is used instead of attribute name in the search filter.
  • 784366: xadsd crashes in rpc__cn_binding_inq_addr () due to failed NTLMSSP authentication requests

Key CIFS, DNS,… Continue reading

November 2012 Scheduled Maintenance for OES2SP3

November 2012 Maintenance patch for OES2SP3 has been released

Key DSfW specific bugs fixed with this maintenance patch

  • 736416: DSfW – Apple OSX Compatibility: Login to DSfW without ID mapping doesn’t work
  • 739450: DSfW: W32Time auth provider for ntp does not work in a cross partition setup
  • 768113: DSFW: xadsd crashes in dcerpc libprot_ncacn.so library
  • 769945: Assignment of users of authorise RDP Access to Windows Workstation
  • 771993: gposync runs in a loop
  • 774802: xadsd crashes in rpc__list_element_alloc ()
  • 778235: gposync tool reports success even if nsimAssignments is not updated
  • 783939: DSFW: No results for LDAP Query when OID is used instead of attribute name in the search filter.
  • 784366: xadsd crashes in rpc__cn_binding_inq_addr () due to failed NTLMSSP authentication requests
  • 790470: KDC service and Domain services daemon does not come up post Nov 2012 patch build installed

Key CIFS, DNS, and AFT specific bugs fixed with this maintenance… Continue reading

Windows 8 and DSfW

I am still in the process of using Windows 8 with Domain Services for Windows. From what I have seen so far it behaves similar to Windows 7 as a workstation joined to the domain. Logging in, mapping drives, running GPOs, executing login script from a GPO, all seem to work as in Windows 7. The biggest challenge for me is getting used to the Start menu in Windows 8 and that isn’t DSfW related.

Windows 8 with VMWare View 5.1.1 and DSfW OES11SP1 all appear to play well with each other. Making templates and linked clones do not seem to have any gotchas to look out for. Let me or the Novell Forums know if you discover a bug with DSfW and Windows 8.

Diagnostic tool for DNS Records

The DSfW team has a great tool called check-dns.pl to help diagnose DNS issues with DSfW.

The tool validates essential records for forward and reverse lookups.  This tool can be found at Novell Coolsolutions.

The tool might incorrectly report PDC and DC records if there is more than one Domain Controller.  The Coolsolutions article will be updated with a new check-dns.pl to address this issue.

Until the Coolsolutions article is updated you can download it from dsfwdude.com.

Download

September 2012 Maintenance for OES11.1 is released

September 2012 Maintenance patch for OES11SP1 has been released

Key DSfW specific bugs fixed with this maintenance patch

  • 667829: On Win2K8 R2 client joined to DSfW domain fails to create xen Desktop image from xendesktop studio
  • 723878: Normal Domain Users have all filesystem rights to new GPOs with Oes2Sp3
  • 736413: DSfW – Apple OSX Compatibility: memberOf query returns incorrect groupmembership results
  • 736414: DSfW – Apple OSX Compatibility: ObjectSid queries return incorrect results
  • 737877: CIFS- Support for CIFS invalid user name/password presented multiple times
  • 738031: DSFW: Configuration of Windows 2008R2 Remote Desktop Licensing fails
  • 765721: DSfW – Apple OSX Compatibility: OSX 10.6.x mobile account login issues when attribute loginintruderaddress is populated for users

September 2012 Scheduled Maintenance for OES11SP1

  • 583261: httpstkd randomly stops
  • 667829: On Win2K8 R2 client joined to DSfW domain fails to create xen Desktop image from xendesktop studio
  • 706758:… Continue reading

September 2012 Maintenance for OES11 is released

September 2012 Maintenance patch for OES11 has been released

Key DSfW specific bugs fixed with this maintenance patch

  • 667829: On Win2K8 R2 client joined to DSfW domain fails to create xen Desktop image from xendesktop studio
  • 723878: Normal Domain Users have all filesystem rights to new GPOs with Oes2Sp3
  • 736413: DSfW – Apple OSX Compatibility: memberOf query returns incorrect groupmembership results
  • 736414: DSfW – Apple OSX Compatibility: ObjectSid queries return incorrect results
  • 737877: CIFS- Support for CIFS invalid user name/password presented multiple times
  • 738031: DSFW: Configuration of Windows 2008R2 Remote Desktop Licensing fails
  • 765721: DSfW – Apple OSX Compatibility: OSX 10.6.x mobile account login issues when attribute loginintruderaddress is populated for users
  • 768348: DSFW Migration: Other service repair is failing in miggui tool from oes2sp2 and oes11fp0 to oes11sp1 migration
  • 780394: DSFW support for resolving a Well Known GUID, AD distinguishedName format… Continue reading

September 2012 Maintenance for OES2SP3 is released

September 2012 Maintenance patch for OES2SP3 has been released

Key DSfW specific bugs fixed with this maintenance patch

  • 667829: On Win2K8 R2 client joined to DSfW domain fails to create xen Desktop image from xendesktop studio
  • 723878: Normal Domain Users have all filesystem rights to new GPOs with Oes2Sp3
  • 736413: DSfW – Apple OSX Compatibility: memberOf query returns incorrect groupmembership results
  • 736414: DSfW – Apple OSX Compatibility: ObjectSid queries return incorrect results
  • 737877: CIFS- Support for CIFS invalid user name/password presented multiple times
  • 738031: DSFW: Configuration of Windows 2008R2 Remote Desktop Licensing fails
  • 765721: DSfW – Apple OSX Compatibility: OSX 10.6.x mobile account login issues when attribute loginintruderaddress is populated for users

September 2012 Scheduled Maintenance for OES2SP3

  • 583261: httpstkd randomly stops
  • 667829: On Win2K8 R2 client joined to DSfW domain fails to create xen Desktop image from xendesktop studio
  • 675596: oes-ldap not getting… Continue reading

VMWare and best practices for Timekeeping

Lately I’ve been getting a lot of requests for timekeeping best practices for VMWare

VMWare has a great support article on this. Below are the SLES recommendations. The article can be found here

Guest OS on hypervisor: required kernel parameters

  • SLES 11 (All updates): No additional kernel parameters required.
  • SLES 10 SP4 on ESX 5.0 and later: clock=pmtmr hpet=disable
  • SLES 10 SP4 on ESX 4.x: Use a VMI enabled kernel.
  • SLES 10 SP3 on ESXi 5.0: clock=pmtmr hpet=disable
  • SLES 10 SP3 on ESX 3.5 and 4.x: Use a VMI enabled kernel.
  • SLES 10 SP3 on ESX 3.0.x and earlier: clock=pmtmr hpet=disable
  • SLES 10 SP2 on ESXi 5.0: clock=pmtmr hpet=disable
  • SLES 10 SP2 on ESX 3.5 and 4.x: Use a VMI enabled kernel.
  • SLES 10 SP2 on ESX 3.0.x and earlier: clock=pmtmr hpet=disable
  • SLES 10 SP1: clock=pmtmr hpet=disable
  • SLES 10: clock=pmtmr hpet=disable
  • SLES 9 (All updates): clock=pmtmr hpet=disable
  • SLES 8: No additional kernel parameters required.… Continue reading

Script to check if ports are listening

If you are concerned about a DSfW service going down and/or its port not being accessible, this script will help keep the services up or notify you of a service going down. The script will check if each DSfW service is listening, then telnet to each port. If it can not telnet, the script will log which port is not accessible in /var/opt/novell/xad/log/dsfw_portchk.log.

The dsfw_portchk.sh script can be run on a PDC or ADC, whether or not it is running Novell DNS.

The script can also e-mail and restart the services if desired.

It detects whether the server has IPv6 enabled so that it can correctly detect the port Samba and NetBIOS are listening on.

The script detects if Novell DNS is configured to start. Sometimes on ADC servers DNS is not configured or is not set to run. The original script… Continue reading

Open Enterprise Server 11 SP1 is released

Open Enterprise Server 11 SP1 has been released today

Eventually, hopefully in the next update or two, learn more about OES11SP1 here

The download links for OES11 SP1 are:

Download link: http://download.novell.com/SummaryFree.jsp?buildid=rmqoq2iehSQ~
Documentation: http://www.novell.com/documentation/oes11/

As far as Domain Services for Windows goes, the install will now allow you to choose between a simplified install or the standard one. The simplified install of DSfW reduces the number of screens, removing many of the screens that most people click next on without any changes. The install is also more intuitive. It follows along with the type of DSfW install you are doing instead of starting with the eDirectory configuration.

OES11SP1 has also improved gposync. This should help reduce issues with gposync not working correctly or not properly syncing GPOs out to the ADC DSfW servers.

OES11SP1 migrations for DSfW servers are now supported.  The supported migrations are:… Continue reading

Script to check DSfW Processes

I have an updated script to check all essential DSfW processes. The name of the script is dsfw_processchk. The script is great to use if you are worried that a DSfW process will stop and you don’t want to receive several phone calls alerting you to the problem, or the DSfW server has been unstable and you need time to track down the invalid requests hitting the DSfW server.

The script will report which processes are running or have stopped. It works by validating that a PID exists for each process. If a process is not running, the script has the option to restart the services, send an e-mail that a process has stopped, and update the syslog.

Key configuration

# Set RESTART_DSFW to 1 to reload DSfW services if one or more services are not running,
# Set RESTART_DSFW to 0 to leave the services… Continue reading

Looking for DSfW Feedback

There is a new survey for Domain Services for Windows at https://www.surveymonkey.com/s/dsfwsurvey

Please provide any feedback on DSfW. You can have direct impact on the road map of DSfW plus enter a chance to win $50. If your organization is currently using DSfW, planning on using DSfW, or thinking about using DSfW, please help out by taking the survey.

For more information on the survey itself go to coolsolutions.

July 2012 Maintenance for OES11 is released

July 2012 Maintenance for OES 11 along with July 2012 Scheduled Maintenance for eDirectory 8.8 SP6 patch 6 have been released

Key DSfW specific bugs fixed with this maintenance patch

  • 771737: OES11SP1LH: MMC can not create a User
  • 761449: Can not Create Groups or OUs with MMC
  • 758572: DSFW: Windows 7 remote assistance is not working.
  • 766772: UpdatePDCMaster.pl failed during PDC role transfer
  • 763854: Managing GPOs fail due to SYSVOL DFS referral link pointing to wrong path
  • 738214: DSfW – All xadsd threads stuck in pthread_cond_wait/lock wait, causing xadsd to be unresponsive
  • 758992: DSFW: Polycom SSO configuration fails with error “Access Denied” while changing password
  • 703655: SYSVOL DFS referral link points to ADC and interrupts GPO Administrator operations

July 2012 Scheduled Maintenance for OES11

  • 583261: httpstkd randomly stops
  • 658145: NSS volume with Di and RI flags, incorrectly blocks root user… Continue reading

July 2012 Maintenance for OES2SP3 has been released

The July 2012 Maintenance Patch for OES2 SP3 has been released
The 64 bit version can be found here
The 32 bit version can be found here

List of bug fixes in the July 2012 Maintenance for OES2SP3

  • 142091: Inconsistency with naming in the GUI
  • 142183: Secrets added to Gnome Keyring through CASAManager have a default key/value pair of GKPassword/novell
  • 146015: A CASAKeyring is created to add secrets to the Gnome Keyring through CASAManager
  • 147031: CASAManager should have a menu item.
  • 155529: Firefox Tab is available in CASAManager Preferences even if Firefox is not installed
  • 172719: Starting CASAManager with store locked throws exception
  • 200912: After a lun is resized gpt does not work correctly
  • 508945: When micasad is stopped its status is displayed as “dead”
  • 509471: miCASASetCredential handles input argument incorrectly
  • 523398: CASA Manager prints GTK warning messages on terminal
  • 523402: CASA Manager prints messages on terminal when… Continue reading

July 2012 Maintenance for OES2SP3 eDirectory 8.8 SP6 patch 6 released

The July 2012 Maintenance Patch for eDirectory 8.8 SP6 has been released
The 64 bit version can be found here
The 32 bit version can be found here

List of bug fixes in the July 2012 Maintenance for OES2SP3 for eDirectory patch 6

  • 679767: NMAS Client aborts NCP connection and returns error -625 immediately upon having sent NMAS Start Session request on an idle NCP connection where server sent Watchdog packets.
  • 733188: eDirectory returns error 48 ‘Anonymous Simple Bind Disabled’ for authenticated TLS bind
  • 749516: Dclient DDCGetSEVList function does not return cifs users GUID causing CIFS users authorization failure and Memory/CPU spike up.
  • 765688: Right granted to dynamic group is assigned to whole tree, not just its members
Files included in the patch
novell-dclient-32bit-8.8.6.6-0.7.x86_64.rpm 372.8 KB (381796)
novell-dclient-8.8.6.6-0.7.x86_64.rpm 385.3 KB (394647)
novell-edirectory-jclnt-8.8.6.6-0.7.x86_64.rpm 273.7 KB (280353)
novell-edirectory-ldap-extensions-32bit-8.8.6.3-0.11.x86_64.rpm 28.2 KB (28933)
novell-edirectory-ldap-extensions-8.8.6.3-0.11.x86_64.rpm 29.7 KB (30492)
novell-edirectory-tsands-32bit-8.8.6.6-0.7.x86_64.rpm 257.4 KB… Continue reading

July 2012 Maintenance for OES11 eDirectory 8.8 SP6 patch 6 released

The July 2012 Maintenance Patch for eDirectory 8.8 SP6 has been released
The 64 bit version can be found here

List of bug fixes in the July 2012 Maintenance for OES11 for eDirectory patch 6

  • 679767: NMAS Client aborts NCP connection and returns error -625 immediately upon having sent NMAS Start Session request on an idle NCP connection where server sent Watchdog packets.
  • 733188: eDirectory returns error 48 ‘Anonymous Simple Bind Disabled’ for authenticated TLS bind
  • 749516: Dclient DDCGetSEVList function does not return cifs users GUID causing CIFS users authorization failure and Memory/CPU spike up.
  • 765688: Right granted to dynamic group is assigned to whole tree, not just its members
novell-dclient-32bit-8.8.6.6-1.1.x86_64.rpm 350.2 KB (358675)
novell-dclient-8.8.6.6-1.1.x86_64.rpm 352.7 KB (361182)
novell-edirectory-jclnt-8.8.6.6-1.1.x86_64.rpm 267.9 KB (274431)
novell-edirectory-tsands-32bit-8.8.6.6-1.1.x86_64.rpm 258.3 KB (264554)
novell-edirectory-tsands-8.8.6.6-1.1.x86_64.rpm 265.3 KB (271675)
novell-NDSbase-32bit-8.8.6.6-1.1.x86_64.rpm 406.9 KB (416672)
novell-NDSbase-8.8.6.6-1.1.x86_64.rpm 553.3 KB (566596)
novell-NDScommon-8.8.6.6-1.1.x86_64.rpm 225.7 KB (231121)
novell-NDSimon-8.8.6.6-1.4.x86_64.rpm 2.5 MB (2672112)… Continue reading

How to find all DNS Locator objects

When installing DSfW into an environment where Novell DNS is already in use, be sure to use the existing DNS Locator object. It will simplify management for all the zones and DNS servers. The locator object is used by the DNS/DHCP Console to return all zones and DNS servers the locator object knows about. If there are multiple locator objects, the first locator object discovered by the DNS/DHCP Console will be used. The result is that only the zones and DNS servers that locator object knows about will be displayed and managed in the DNS/DHCP Console. This makes managing DNS difficult. Before installing, do a quick search for existing locator objects.

Do the following search to discover existing locator objects:

ldapsearch -x -b "" -s sub objectClass=dNIPlocator

OES11 SP1 Beta released

The OES11 SP1 Beta has been publicly released
Check it out if you are interested in seeing some of the new features in OES

The big news for Domain Services for Windows is the simplified install.
The install allows for a simplified install
For the simplified install the YaST configuration screens have been minimized.
The first screen starts with what type of install instead of the eDirectory screen.
Some screens have been eliminated and common default values are used automatically making the install less confusing.

Plus it runs on SLES11 SP2

For more info see http://www.novell.com/beta/auth/beta.jsp?id=4425&type=1

The ISOs can be found here:
ISOs:http://download.novell.com/Download?buildid=hXpxKX0Z4g8~

The documentation can be found here:
Docs:http://www.novell.com/documentation/beta/oes11/oes11_toc/data/index-stand.html

Delete an attribute on all users with a script

Here is the basis of a script to delete an attribute on a user.

I come across issues where an attribute was populated on several users that shouldn’t be there or you want to create new objectsids or just remove the existing objectsids and replace them with a back up.

Most DSfW installs are a name mapped install, meaning the install is mapped to an existing container in the tree. If this is the case the domain name most likely will not match the context in the tree and most likely the objectclass will not be domain. An example is a domain with the name of novell.com mapped to a container with an objectclass of Organization (o=novell) and not domain (dc=novell). Even if it is a dc, most likely the fdn does not match the domain name. Continuing with our example of novell.com that would… Continue reading

Script to monitor DSfW processes and restart services

If a DSfW server running DNS has a DSfW specific process stop or crash, a quick stop gap measure is to monitor the DSfW processes and restart them if one or more of the DSfW processes stop. I created a simple script that will check that a pid exists for each process. The script is called dsfw_monitor.sh. While it does not restart DSfW in every condition, such as when a process continues to run but is not responding, or when a process crashes but the pid is never cleaned up, it does work for most situations.

Create a cron job to run the script every hour, 30 minutes, 10 minutes, whatever you desire. My recommendation is to not go below 5 minutes since eDirectory might take several minutes to stop and start again.

To create a cronjob use the crontab command with the -e… Continue reading
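An added example in the spirit of dsfw_monitor.sh and dsfw_processchk (not the author's scripts), serving both posts above: it checks /proc for a PID of each named process, then logs, syslogs, mails and optionally restarts. The process list, log path and restart command are assumptions to adapt to your server.

```shell
#!/bin/sh
# DSfW process monitor, example code added here (not dsfw_monitor.sh itself).
# Assumptions: DSFW_PROCS (the page names ndsd and xadsd; named is Novell DNS),
# LOGFILE (directory taken from the dsfw_portchk post) and RESTART_CMD are
# placeholders to adapt.
DSFW_PROCS="ndsd xadsd named"                          # assumed list
LOGFILE="/var/opt/novell/xad/log/dsfw_processchk.log"  # assumed path
RESTART_DSFW=0          # 1 = run RESTART_CMD when a process is missing
MAIL_TO=""              # e.g. admin@example.com; empty = no mail
RESTART_CMD="echo 'placeholder: restart the DSfW services here'"  # hypothetical

# proc_running NAME: true if some /proc/<pid>/comm is exactly NAME.
# The kernel truncates comm to 15 characters, so keep names short.
proc_running() {
    grep -qxF -- "$1" /proc/[0-9]*/comm 2>/dev/null
}

# missing_procs NAME...: print the names that are not running, one per line.
missing_procs() {
    for p in "$@"; do
        proc_running "$p" || echo "$p"
    done
}

# report_and_act: log, syslog, mail and optionally restart.
# Returns 0 when everything is up, 1 when at least one process is missing.
report_and_act() {
    down=$(missing_procs $DSFW_PROCS)
    [ -z "$down" ] && return 0
    stamp=$(date '+%Y-%m-%d %H:%M:%S')
    for p in $down; do
        echo "$stamp $p is not running" >> "$LOGFILE" 2>/dev/null
        logger -t dsfw_processchk "$p is not running" 2>/dev/null
    done
    [ -n "$MAIL_TO" ] && printf '%s\n' "$down" | \
        mail -s "DSfW process down on $(hostname)" "$MAIL_TO"
    [ "$RESTART_DSFW" = 1 ] && sh -c "$RESTART_CMD"
    return 1
}

# From cron every 5 minutes (the minimum the post recommends):
#   */5 * * * * /usr/local/sbin/dsfw_processchk.sh --check
case "${1:-}" in
    --check) report_and_act ;;
esac
```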

Backup ObjectSid

For disaster recovery it might be necessary to have a backup of all objectSids for users and computers.

Here is a simple script to create an LDIF file that is ready to import and replace existing objectSids.

Since computers have an objectclass of user, setting the filter to "(&(objectclass=user)(objectsid=*))" will return all users and computers with an objectsid. The base can be set to the domain name context (ex: dc=domain,dc=com) if this is run from a DSfW server; otherwise use the standard context in eDir (ex: o=novell), assuming this is a name mapped install and the context does not use the dc objectclass.

#!/bin/bash
# Export every user and computer that has an objectsid and rewrite each entry as an
# LDIF "replace" operation, so the file can later be fed to ldapmodify to restore the sids.
# Adjust the bind DN and search base (o=novell here) for your tree.
# sed turns each "objectsid:" line into the changetype/replace header plus the value;
# grep -v ^# drops ldapsearch comment lines.

ldapsearch -x -LLL -H ldaps://localhost:636 -D cn=admin,o=novell -W -b "o=novell" -s sub "(&(objectclass=user)(objectsid=*))" dn objectsid | sed 's|objectsid|changetype: modify\nreplace: objectsid\nobjectsid|g' | grep -v ^# > Objectsids_restore.ldif

exit 0

How to Install an ADC DSfW server

This is the follow up to the “Prepare for an ADC Install of DSfW” video.
In this video an OES2SP3 ADC DSfW server is installed into an existing domain.
Requirements and suggestions are made along the way.

Be sure to follow TID 7009927 and TID 3564075 before doing the install.

Prepare to install an ADC DSfW server

This video will go through the preparation for installing an ADC DSfW server. It will guide you through TID 7009927.

How to create a cross forest trust

This video will guide you through the creation of a cross forest trust between DSfW and AD.

For more information on creating a cross forest trust please read through the documentation
http://www.novell.com/documentation/oes11/acc_dsfw_lx/data/ber65jt.html

The trust password will change every 30 days by default. Consider disabling the automatic machine password changes or increasing the time before the password is changed. Sometimes when a workstation, or in this case the trust, changes its password the change does not get set in the directory and the trust relationship is broken. In that case the trust needs to be re-established.

If a trust is removed and then re-established, before creating the trust again be sure that the trust object in cn=users, is removed as well.  The object will look like a user object with the name of the AD Domain with a $ at the end.

Good MS documents to help troubleshoot errors:

Known… Continue reading

How to create DNS forwarders

In order to create a cross forest trust both the DSfW server and the AD server need to resolve each other's domains. The video will show you how to create a forward and reverse forwarder for only the AD zone (domain) to the AD server and how to put a forwarder on the AD server to the DSfW DNS server.

Novell DNS Tools – iManager and DNS/DHCP Console

The Novell DNS DHCP Console is what most prefer to use to manage Novell DNS. It allows for easy viewing, modification, and creation of zones, records, and DNS servers.

If there is more than one DNS locator object in the tree, use the -C switch after the executable to specify which locator object to use.

-C OESSystemobjects.novell

If updates made in the DNS/DHCP tool are not fast enough for you, look at the novell_dyn_reconfigure setting on the DNS server object or restart novell-named.

At 6:51 on the video this setting is displayed. 15 minutes is recommended. If the reconfigure is set to 5 minutes in a large environment, the reconfigure might not finish updating the cache before the process is started again.

iManager is the second tool available to use to manage DNS and DHCP.  The second video will… Continue reading

How to join a Mac to a DSfW domain

This video will show you how to join a Mac to a DSfW domain

At this time a Mac joined to a DSfW domain is not supported, but it can be done.

Be sure dns resolves the domain name – nslookup <domain name>
Go to the System Preferences
Accounts
click Join button next to Network Account Server
Click Open Directory Utility
Unlock the directory utility
Click Active Directory
Add the domain name to the Active Directory Domain field
Be sure the Computer name ID is a unique name
Click bind

Now the workstation is joined to the domain. To enable DSfW users to log in to the workstation:
Under Hide Advanced Options
Click the User Experience tab
Use smb as the network protocol
and /bin/bash as the default shell
So that users can log in when the domain is not available, enable Create mobile account at login

The most important setting is… Continue reading
