Avoiding the Top eDirectory ™ Issues on NetWare ®, Windows, Linux, and Solaris Josh Baxter Worldwide Support Engineer Novell, Inc. Jason Record Worldwide Support Engineer Novell, Inc. Robby Taylor Worldwide Support Engineer Novell, Inc.

Vision…one Net A world where networks of all types—corporate and public, intranets, extranets, and the Internet—work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries Mission To solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world

Deployed Versions Novell eDirectory ™ and Novell Directory Services ® (NDS) Product VersionBuild VersionPlatforms NetWare 5.1 SP4 (NDS 7)DS.nlm v7.57NetWare 5.1 NetWare 5.1 SP 4 (NDS 8)DS.nlm v8.79NetWare 5.1 eDirectory 8DS.nlm & DS.dlm v8.79NetWare 5.0,Win NT/2K eDirectory 8.5.xDS v85.23NetWare 5.x,Win,Solaris NetWare 6 (eDirectory 8.6)DS.nlm v NetWare 6 eDirectory 8.6.1DS v NW 5.1,NW 6,Win,Solaris,Linux NetWare 6 SP1 (eDirectory 8.6.2)DS.nlm v NetWare 6 eDirectory 8.6.2DS v103xx.xxNW 5.1,NW 6,Win,Solaris,Linux eDirectory 8.7DS v10410.xxNW 5.1,NW 6,Win,Solaris,Linux,AIX

Differences Between eDirectory and NDS ® NetWare 6 NetWare NDSeDirectory NOS directory focused on managing NetWare ® servers A cross-platform, scalable, standards-based directory used for managing identities that span all aspects of the network—eDirectory is the foundation for eBusiness NetWare 5

How We Decided On These Topics The topics used in this presentation are based on a Novell technical support report that linked the greatest number of solutions or Technical Information Documents (TIDs) to incidents We have also included other common issues that we feel will help you maintain your eDirectory environment

Agenda Troubleshooting obituaries Timesync configuration eDirectory health checks UNIX issues NT/2000 issues Question and answer

Obituaries Obituaries (a.k.a. Death Notice) are used for the processing of updates, such as renames, moves, and deletions, of objects Processing obituaries  Obit process  Purger How do I know I have obituary problems?  -637 when attempting a partition operation  Object that was moved, deleted, or renamed shows up sometimes, but not others

Possible Causes of Obituary Problems Older versions of eDirectory Communication problems Time synchronization problems Replica synchronization problems Purge Vector issues Known defects and issues

Troubleshooting Obituaries Run Obituary Listing Report from within iMonitor Any entry records that have Obituary Attributes on them will be displayed Choose an entry record

Troubleshooting Obituaries (cont.) From here you can see the obit flags for each value The obit flags on the Primary Obit will always be 0 until all secondary obits have been notified Notice that neither PRV-MP3SERV nor SIVIE_TEST2 have been notified of the modification to the object Choose Agent Health for any server that has not been notified

Troubleshooting Obituaries (cont.) Look for warning signs As you can see this server’s time is not currently synchronized Lack of time synchronization could cause the obituaries to be stuck To determine the cause use iMonitor

Troubleshooting Obituaries (cont.) Using iMonitor DSTrace function turn on obituaries Monitor the log file—as you can see in this case we are actually processing the obituary with no errors If there is a reason for the obituary to not be processed an error would be displayed here

Troubleshooting Obituaries (cont.) For more obituary troubleshooting information as well as a list of current obituary issues see TID # at

iMonitor Notes The reports previously mentioned are only available in iMonitor and newer Free for download if you own eDirectory or newer

Timesync and eDirectory eDirectory relies on Timesync eDirectory will function even if Timesync is not working Results will not be as expected since the highest timestamp wins

Timesync Configuration NetWare 5.x Patches  Timesync 5.24o (TS524O.EXE)  SERVER.EXE (OS5PT2A.EXE)  Winsock 4f (WSOCK4F.EXE)  NW51SP4.EXE includes all of the above fixes NetWare 6.x Patches  Timesync from TS524O.EXE  NW6SP1.EXE includes these fixes Start the update of Timesync at the Reference Server and work down All servers need to be updated Use NTP whenever possible (Port 123) Always use Monitor to configure Timesync rather than editing TIMESYNC.CFG

Timesync Configuration Single reference or reference  Reference servers must have a configured sources list  Point only to external sources  Do not point to primaries for fault tolerance  Do not use Loopback Address in configured sources list

Troubleshooting Timesync Other configuration issues  If your provider is IP only then do not use the IPX name of the server—you will need to use either an IP address or a DNS name  If your server has multiple NICs, then there is a timing issue during initialization—add the following to your AUTOEXEC.NCF Unload Timesync Load Timesync

Troubleshooting Timesync Timesync will now log debug information to the SYS:\SYSTEM\TIMESYNC.LOG file Configuring Timesync logging  SET TIMESYNCE DEBUG = 15 (Turns on logging to screen and log file)  SET TIMESYNCE DEBUG = 7 (Turns logging to screen only)  SET TIMESYNCE DEBUG = 0 (Turns logging off completely)

Troubleshooting Timesync For more information about Timesync issues and configuration refer to TID # at

eDirectory Health Checks Regular health checks avoid problems  Check DS versions  Time synchronization  Replica synchronization  Schema synchronization  External references  Replica ring states Hint—Use iMonitor to help perform your health checks

eDirectory Health Checks For more information about performing regular health checks refer to TID # at

Related Sessions Tutorial 229— Practical NDS iMonitor: Case Studies in eDirectory Diagnosis Tutorial 231—Tips and Tricks for Using eDirectory Utilities

eDirectory on UNIX Jason Record Worldwide Support Engineer Novell, Inc.

Novell eDirectory for UNIX Novell eDirectory 8.5x topics  Two primary obituaries get stuck  ndsd core dumps or becomes defunct Novell eDirectory topics  Patch disables ndsd  Upgrading from the shipping CD Tuning Parameters UNIX Information Tool

Tuning Parameters Don’t make the cache too big  TID —Performance Tuning on NDS for UNIX Solaris tuning parameters  TID —Performance tuning for eDirectory 8.5 on Solaris

ndsd Core Dump/Defunct Many issues fixed in Linux memory corruption fixed after 85.23

Patch Disables ndsd Occurs on Solaris 8 only Remove the LD_LIBRARY_PATH reference

Fixing ndsd Script

nds-install Doesn’t Upgrade Fixed in the web download release nds-install upgrades shipping code, but not later patches

UNIX Information Tool Gathers most needed system information TID —UNIX Information Tool (unixinfo)  Replaces ndsunix.sh

eDirectory on Win32 Platform

Agenda Understanding eDirectory on Windows platform eDirectory configuration Timesync Known issues

Understanding eDirectory on Win32 Platform eDirectory is an application that runs on top of Windows eDirectory starts as a service

Understanding eDirectory on Win32— Components NDSServe.exe A Shim that run the NDS Server Service—It calls DHOST.EXE Dhost.exe NCP Engine on Windows and executes DLM’s instead of NLMs  You can start Dhost manually from a command prompt \NOVELL\NDS\DIBFILES 1.Make the current directory \NOVELL\NDS\DIBFILES (..\dhost dsrepair) 2.Type..\dhost (..\dhost dsrepair) NDSCons.exe  Management Utility that allows the start, stop, and configuration of DLM’s NDSCons.exe is connection based and must make an internal Named Pipe connection to Dhost

NDSCons Utility

eDirectory Configuration eDirectory must have a static IP address  This address is stored in \NOVELL\NDS\DIBFILES\CONFIG.ASC  When eDirectory starts it reads this file and attempts to bind to the listed address If you change your TCP/IP address  Edit \NOVELL\NDS\DIBFILES\CONFIG.ACS  Delete all lines that start with [Dhost/NCP Engine/Transports ……]

eDirectory Configuration (cont.) Config.asc example [DHost/Thread Pool/Min Pool Threads] = 0x [DHost/Thread Pool/Max Pool Threads] = 0x [DHost/Thread Pool/Start Pool Threads] = 0x [DHost/Thread Pool/Long Term Threshold] = 0x [DHost/Thread Pool/Kill Thread Delay] = 0x c [DHost/NCP Engine/Server State/Allow Large Internet Packets] = ?1 [DHost/NCP Engine/Server State/Allow Logins] = ?1 [DHost/NCP Engine/Server State/Allow Unencrypted Passwords] = ?1 [DHost/NCP Engine/Server State/Checksum Level] = 0x [DHost/NCP Engine/Server State/Signature Level] = 0x [DHost/NCP Engine/Transports/Enabled] = 0x [DHost/NCP Engine/Transports/Enum] = 0x [DHost/NCP Engine/Transports/Enum/00] = {0x09 0x00 0x00 0x00 0x06 0x00 0x00 0x00 0x02 0x0c 0x89 0x41 0xd7 0x10} [DHost/NCP Engine/Transports/Enum/01] = {0x08 0x00 0x00 0x00 0x06 0x00 0x00 0x00 0x02 0x0c 0x89 0x41 0xd7 0x10} [DHost/NCP Engine/Transports/Enum/02] = {0x00 0x00 0x00 0x00 0x0c 0x00 0x00 0x00 0x01 0x01 0x06 0xe0 0x00 0xb0 0xd0 0x84 0x0b 0x55 0x04 0x51} [DHost/NCP Engine/Watchdog/Ping Interval] = 0x000000f0 [DHost/NCP Engine/Watchdog/Pings To Kill] = 0x [DHost/Module Loader/Modules/nldap.dlm/Flags] = 0x [DHost/Module Loader/Modules/NDSiMon.dlm/Flags] = 0x [DHost/Module Loader/Modules/ds.dlm/Flags] = 0x [DHost/Module Loader/Modules/sapserv.dlm/Flags] = 0x [DHost/Module Loader/Modules/miscncp.dlm/Flags] = 0x [DHost/Module Loader/Modules/niciext.dlm/Flags] = 0x [DHost/Module Loader/Modules/pki.dlm/Flags] = 0x [DSTrace/Last Window Position] = {0x63 0x00 0x00 0x00 0x92 0x00 0x00 0x00 0x63 0x03 0x00 0x00 0xc0 0x02 0x00 0x00}

Timesync on Windows Platform Novell does not provide an NTP time synchronization utility for eDirectory on Windows NT or 2000 servers Windows does not include an NTP time-synchronization utility; you can obtain an NTP-compatible timeserver in the Windows NT 4.0 Resource Kit However, it is important that eDirectory on Windows have its time in sync to all other eDirectory servers

Known Issues: eDirW32b.exe Issue 1: Issue 1: Utilization would increase to 100% during the installation of Edir (NLDAP.DLM) Issue 2: Issue 2: After Installation when manually shutting down the NDS Server is would appear to be hung or utilization would goto 100% (NLDAP.DLM) Issue 3: Issue 3: During installation of eDirecorty the installation would shut down and disappear without any error message (Win2K SP2, NDSI.Jar, Jclient.Jar) Issue 4: Issue 4: With certain configurations of Windows 2000/WinNT during installation an error would occur stating that the Schema was out of date (NDSI.Jar)

Known Issues: eDirW32b.exe (cont.) New install of eDirectory 85.12a for Windows 2000/Windows NT  Take the original EDirectory 85.12a Install CD and copy it to a hard drive  Extract or Unzip edirw32b.exe to the root directory where the EDirectory Install CD was copied—when prompted, choose to over write existing files  Install eDirectory from the \NT directory by typing SETUP.EXE

Known Issues: Auditing Auditing causes high utilization in Dhost This happens even if auditing is turned off—The existence of the auditing files syncing causing the utilization To see if this is your problem look in the \NOVELL\NDS\DIBFILES directory for the existence of auditing files: xxxxxxxx.$af The auditing files must be removed from all servers in the replica ring

Known Issues: Auditing (cont.) How to Disable Auditing: 1. Ensure Container Auditing is disabled using AUDITCON.EXE 2. Delete the AFO0_ object(s) for the affected container with ConsoleOne ® 3. Use DSBROWSE.NLM or DSBROWSE.DLM and browse to the container that had auditing enabled 4. Write down the Entry ID number of the container object (ex EC) 5. Find the associated auditing files in the sys:_NetWare directory using JCMD, for example: search for SYS:_NETWARE\dir 10003EC.$*  You will see something similar to this EC.$AF (Current Auditing File) EC.$O0 (Oldest Backup File) EC.$O1 (Next Oldest Backup File) etc. up to a total of 15 backup files

Known Issues: Auditing (cont.) 6. Delete all files found. (jcmd, NETBASIC or toolbox can be used. You may need to change the attributes on the $AF file so that it can be deleted. This is done in JCMD by typing "attr t- a-". If you still cannot delete the file; you may need to lock the database or unload DS before the file can be deleted. 7. Run a local repair on the Server reporting the errors (A Full Unattended or Local repair with Validate Stream Files will work) 8. Manually turning auditing off requires that DS.NLM and then NDSAUDIT.NLM be unloaded on all servers that hold a replica of the partition that holds the container that had auditing enabled—After it has been unloaded on all servers that hold a replica of the partition, reload NDSAUDIT.NLM and then DS.NLM on each server 9. Synchronize the partition and check synchronization to ensure the errors are no longer being produced

Known Issues: Internal IPX Numbers Installation fails with –614 (Duplicate Value) when more than one network card is present and bound to IPX eDirectory attempts to write the Internal IPX number for each card and fails on the second because by default both have Internal IPX number of

Known Issues: LDAP When users passwords are changed via LDAP their passwords would not sync to the Domain when Account Management 2.10 (Redirection) was installed  This has been fixed in NLDAP Versions and above

eDirectory—Memory Requirements From past experience the following memory requirements seem to work the best  You only need enough physical memory to cache the DB blocks and entries that are frequently being accessed  Refer to iMonitor to see how much memory eDirectory is using—By default eDirectory can use up to 51% of Available memory  Physical Memory 2-3 time the size of the dibfile  Swap File size time greater than physical memory

eDirectory on W32 TIDS —614 Duplicate Value exists during install —How to Remove Auditing from Netware Server —Auditing causes High Utilization of W2k and NT4 Servers TIMESYNC EDIRW32 (Java Files)