Environment
SDIDIAG.EXE Version 2.1 Jun 26 2003
Situation
Error -1423
Error -1411
Error: 1416
Using SDIDiag to gather specific SDKey information from servers
Resolution
1) Copy SDIDIAG.EXE to a workstation, or run the utility directly from a NetWare server's system console. SDIDiag can be downloaded from https://download.novell.com. When you run SDIDiag from a workstation, the output files are created and the input files are referenced locally, as shown in the examples below. When you run SDIDiag directly on a server, write the files to one of the server volumes instead, for example SYS:\LIST.TXT. SDIDIAG.NLM is already present on a NetWare 6.5 server by default.
2) Open a Windows command prompt, change to the directory where SDIDIAG.EXE is located and type SDIDIAG.
3) SDIDiag prints its banner and prompts for the server to connect to, the user to authenticate as and that user's password:
SDIDiag, Security Domain Infrastructure Diagnostic Utility
Version 2.1 Jun 26 2003
Copyright 2003 Novell, Inc. All rights reserved.
Server IP Addr : 192.168.100.10
User Name (Full DN): admin.novell
Password : *******
SDIDIAG>
*** If the TREE and ORGANIZATION names are the same (i.e. the tree name is NOVELL and the Organization is NOVELL), you need to specify the complete Full DN including the TREE NAME, or authentication will fail with errors. In this case it would be:
User Name (Full DN): admin.novell.NOVELL
4) SDIDIAG> LK -O C:\LIST.TXT
This will list the keys held by all the servers in the W0 object and write that information to the C:\LIST.TXT file. Another way to gather this information is to open ConsoleOne, go to the W0 object in the Security container, select the "Other" tab on the W0 object and view the values of the "NDSPKI:SD Key Server DN" attribute.
5) SDIDIAG> FS -A -O C:\SERVER.TXT
This will create a file on the local workstation called SERVER.TXT which holds a list of all servers in the tree. The "-A" switch makes SDIDiag access servers regardless of their eDirectory or NICI versions. This is necessary if some servers are not running eDirectory 8.7.1 or later and you still wish to see which keys are on each of those servers.
6) SDIDIAG> LK -I C:\SERVER.TXT -O C:\PROCESS.TXT
This will list all the servers in the tree together with their SDI key(s) and write the result to C:\PROCESS.TXT.
*** Note that the switch is "-I" (capital i, as in "Information"), NOT "-l" (lowercase L, as in "lima"); using "-l" causes Error -6.
Additional Information
Below is example output in C:\PROCESS.TXT generated by the steps above. All three servers hold the same key (identical Key Id and validity period), which is the expected, consistent state; a server whose Key Id differs from the others, or which is missing the key, is what this procedure is meant to surface.
Server : .SERVERA.NOVELL.TEST-TREE.
SDKey : 1
Object Class : Secret Key
Key Size : 168 bits
Key Usage : 0x4400C0
Key Format : DES-EDE3-CBC-IV8
Key Id : 9C 44 68 B6 4C BD 54 F5 5B 57 FB 88 61 2F E2 E2
Validity : Sun Aug 19 21:05:09 2003 - Sun Feb 3 23:59:00 2036
Server : .SERVERB.NOVELL.TEST-TREE.
SDKey : 1
Object Class : Secret Key
Key Size : 168 bits
Key Usage : 0x4400C0
Key Format : DES-EDE3-CBC-IV8
Key Id : 9C 44 68 B6 4C BD 54 F5 5B 57 FB 88 61 2F E2 E2
Validity : Sun Aug 19 21:05:09 2003 - Sun Feb 3 23:59:00 2036
Server : .SERVERC.NOVELL.TEST-TREE.
SDKey : 1
Object Class : Secret Key
Key Size : 168 bits
Key Usage : 0x4400C0
Key Format : DES-EDE3-CBC-IV8
Key Id : 9C 44 68 B6 4C BD 54 F5 5B 57 FB 88 61 2F E2 E2
Validity : Sun Aug 19 21:05:09 2003 - Sun Feb 3 23:59:00 2036
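Comparing Key Ids by eye works for three servers but not for a large tree. The following script is an added example (not part of this TID and not a Novell tool): it parses a PROCESS.TXT file in the layout shown above, groups the keys by server, and reports any server that lacks a Key Id held elsewhere in the tree, plus any key that is outside its validity window at a chosen reference time. The sample input is constructed for the example (SERVERC deliberately holds a different key than SERVERA and SERVERB), and the parser assumes the "Field : value" layout and the ctime-style Validity timestamps exactly as printed in this TID.

```python
from datetime import datetime

# Constructed sample in the same layout as the C:\PROCESS.TXT output shown in this
# TID. It is NOT a real capture: SERVERA and SERVERB hold the same tree key,
# SERVERC holds a different, later key, so the tree is inconsistent.
SAMPLE_PROCESS_TXT = """\
Server : .SERVERA.NOVELL.TEST-TREE.
SDKey : 1
Object Class : Secret Key
Key Size : 168 bits
Key Usage : 0x4400C0
Key Format : DES-EDE3-CBC-IV8
Key Id : 9C 44 68 B6 4C BD 54 F5 5B 57 FB 88 61 2F E2 E2
Validity : Sun Aug 19 21:05:09 2003 - Sun Feb 3 23:59:00 2036
Server : .SERVERB.NOVELL.TEST-TREE.
SDKey : 1
Object Class : Secret Key
Key Size : 168 bits
Key Usage : 0x4400C0
Key Format : DES-EDE3-CBC-IV8
Key Id : 9C 44 68 B6 4C BD 54 F5 5B 57 FB 88 61 2F E2 E2
Validity : Sun Aug 19 21:05:09 2003 - Sun Feb 3 23:59:00 2036
Server : .SERVERC.NOVELL.TEST-TREE.
SDKey : 1
Object Class : Secret Key
Key Size : 168 bits
Key Usage : 0x4400C0
Key Format : DES-EDE3-CBC-IV8
Key Id : 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
Validity : Mon Jan 12 10:00:00 2004 - Sun Feb 3 23:59:00 2036
"""

# Reference time for the validity check (constructed; use datetime.now() in practice).
REFERENCE_NOW = datetime(2003, 10, 1)

_TS_FMT = "%b %d %H:%M:%S %Y"


def _parse_timestamp(stamp):
    """Parse one ctime-style stamp such as 'Sun Aug 19 21:05:09 2003'.
    The weekday name is dropped rather than trusted."""
    parts = stamp.split()
    return datetime.strptime(" ".join(parts[1:]), _TS_FMT)


def parse_process_txt(text):
    """Return {server_dn: [key_record, ...]} from SDIDiag 'LK' output.

    Each key_record is a dict of the 'Field : value' lines that follow an
    'SDKey :' line; 'Validity' is split into 'not_before' / 'not_after'."""
    servers = {}
    server = key = None
    for raw in text.splitlines():
        line = raw.strip()
        if " : " not in line:
            continue
        field, value = (p.strip() for p in line.split(" : ", 1))
        if field == "Server":
            server = value
            servers.setdefault(server, [])
            key = None
        elif field == "SDKey":
            if server is None:
                raise ValueError("SDKey record before any Server line")
            key = {"SDKey": int(value)}
            servers[server].append(key)
        elif key is not None:
            if field == "Validity":
                start, end = (_parse_timestamp(p) for p in value.split(" - "))
                key["not_before"], key["not_after"] = start, end
            else:
                key[field] = value
    return servers


def audit_sdi_keys(servers, now):
    """Flag servers missing a Key Id that some other server holds, and keys
    that are not inside their validity window at 'now'."""
    all_ids = set()
    for keys in servers.values():
        all_ids.update(k["Key Id"] for k in keys)
    findings = {"consistent": True, "missing": {}, "not_valid_now": {}}
    for server, keys in servers.items():
        held = {k["Key Id"] for k in keys}
        missing = sorted(all_ids - held)
        if missing:
            findings["consistent"] = False
            findings["missing"][server] = missing
        bad = [k["Key Id"] for k in keys
               if not (k["not_before"] <= now <= k["not_after"])]
        if bad:
            findings["not_valid_now"][server] = bad
    return findings


if __name__ == "__main__":
    # In practice: open(r"C:\PROCESS.TXT").read() instead of the sample.
    result = audit_sdi_keys(parse_process_txt(SAMPLE_PROCESS_TXT), REFERENCE_NOW)
    for name, value in result.items():
        print(f"{name}: {value}")
```

Run it against a real C:\PROCESS.TXT by replacing the sample text with the file contents; a tree where every server reports the same Key Id gives "consistent: True" and empty "missing" and "not_valid_now" maps, as in the three-server output above.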
Formerly known as TID# 10088626