Basic Troubleshooting of Domain Services for Windows

  • 3576510
  • 25-Jul-2007
  • 26-Apr-2012

Environment

Novell eDirectory 8.8 SP4 for Linux
Novell Open Enterprise Server 2.0 (Linux based) SP1
Novell Domain Services for Windows 1.0

Situation

There are many components involved in Domain Services for Windows, including eDirectory, LDAP, XAD, Kerberos, Samba, namcd, DNS, NTP and NMAS.  This document provides the basic steps for determining whether each of these components is functioning correctly.

Resolution

POST INSTALLATION CHECK:
 
1.
Are the daemons running?  Run "xadcntrl status"; it lists every DSfW daemon with its state.
The output should look similar to the following (the first block is ndsstat's report on eDirectory; the bare "running" after the BIND statistics dump is BIND's own status line):
Tree Name: NOVELLTREE
Server Name: .CN=DSFW-S1.OU=OESSystemObjects.O=novell.T=NOVELLTREE
Binary Version: 20503.15
Root Most Entry Depth: 1
Product Version: eDirectory for Linux v8.8 SP5 [DS]

Checking for nameserver BIND
number of zones: 3
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/1000
tcp clients: 0/100
server is up and running
zone details are dumped at /var/opt/novell/log/named/named_zones.info
                                                       running
Checking for Name Service Cache Daemon:                running
Checking for RPC Endpoint Mapper Service               running
Checking for Kerberos KDC Service                      running
Checking for Kerberos Password Change Server           running
Checking for Domain Services Daemon                    running
Checking for Samba NMB daemon                          running
Checking for Samba WINBIND daemon                      running
Checking for Samba SMB daemon                          running
Checking for service sshd                              running
Checking for rsync daemon:                             running

To check the individual processes by hand:
ps -eaf | grep ndsd      (eDirectory)
ps -eaf | grep xad       (xadsd and the other daemons installed under /opt/novell/xad)
ps -eaf | grep xadsd     (the Domain Services daemon only)
ps -eaf | grep smb       (Samba; nmbd and winbindd are separate processes)
ps -eaf | grep named     (BIND)
ps -eaf | grep nscd      (name service cache daemon; may not show if nscd is not running)

 
2.
Check that the /etc/hosts file only has one entry for this server's primary ip address.
Example:
127.0.0.1       localhost
# special IPv6 addresses
::1             localhost ipv6-localhost ipv6-loopback
fe00::0         ipv6-localnet
ff00::0         ipv6-mcastprefix
ff02::1         ipv6-allnodes
ff02::2         ipv6-allrouters
ff02::3         ipv6-allhosts
192.127.80.5 DSFW-S1.novell.com
 
3.
Check /etc/resolv.conf: there must be at least one nameserver entry and a search entry.  List this server's own address first (it is the DSfW DNS server) and give the domain name in the search line.
Example:
nameserver 192.127.80.5
nameserver 192.127.90.1
search novell.com
 
4.
Make sure eDirectory is up and it can find the localhost:  /opt/novell/eDirectory/bin/ndsstat -h localhost
Example output:
Tree Name: NOVELLTREE
Server Name: .CN=DSFW-S1.OU=OESSystemObjects.O=novell.T=NOVELLTREE
Binary Version: 20503.15
Root Most Entry Depth: 1
Product Version: eDirectory for Linux v8.8 SP5 [DS]
 
5.
Verify the KDC is up and a ticket can be obtained:  /opt/novell/xad/bin/kinit Administrator@novell.com
kinit prompts for the Administrator password and, on success, returns to the shell without printing anything; klist then shows the ticket.
(If it fails, restart the XAD services:  /etc/init.d/xad restart)
 
6.
Verify Domain Services and DNS are working:  /opt/novell/xad/sbin/provision --locate-dc novell.com   (substitute your own domain name; the example output below is for novell.com)
Example output:
Domain Services for Windows Server Provisioning Tool
Copyright (c) 2001-2007 Novell, Inc. All rights reserved.
           DC: \\DSFW-S1.novell.com
      Address: \\192.127.80.5
     Dom Guid: 35326600-78dd-4082-7c93-00663235dd78
     Dom Name: novell.com
  Forest Name: novell.com
 Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
        Flags: PDC GC DS LDAP KDC TIMESERV CLOSEST WRITABLE GTIMESERV DNS_DC DNS_DOMAIN DNS_FOREST
 
7. Verify xadsd is working:  rpcclient -k localhost -c dsroledominfo
-k makes rpcclient authenticate with the Kerberos ticket obtained in step 5, so run kinit first.  If an NT_STATUS_IO_TIMEOUT error is returned, reload xad with the following command:
xadcntrl reload
 
NOTE:  If the rpcclient command fails, the ticket may have expired.  Tickets issued by the DSfW KDC are only good for one day; once a day has passed, obtain a new one:
 /opt/novell/xad/bin/kinit Administrator@novell.com      (obtains a fresh ticket)
 klist                                                    (shows the cached ticket and its expiry time)
 kdestroy                                                 (discards the cache; do this first if klist shows a stale ticket)
 The ticket is cached in the credential cache on disk, so it must be re-obtained with kinit after the server is rebooted.
 
8. From a workstation, attempt to join it to the domain as Administrator.
If the join fails, check whether Administrator can at least connect to the server by IP address:
net use \\151.155.247.28 /user:Administrator
 
 
PATTERN INSTALL:
Only the Domain Services for Windows pattern should be selected during installation.  Do not add any product beyond those the pattern itself pulls in.
 
To verify this examine the /var/log/YaST/y2log file.  The following lines indicate the correct selection of products:
40) [YCP] clients/edirectory.ycp:39 eDirectory (edirectory) module started
2007-07-03 18:10:03 <1> intlab158(3140) [YCP] clients/edirectory.ycp:49 Using PROPOSE mode
2007-07-03 18:10:04 <1> intlab158(3140) [YCP] Edirectory.ycp:145 Edirectory::SoftwareInstalled() returned true
2007-07-03 18:10:04 <1> intlab158(3140) [YCP] clients/edirectory.ycp:60 eDirectory software installed = true
2007-07-03 18:10:04 <1> intlab158(3140) [YCP] novell-edirectory/dialogs.ycp:44 Entering Edirectory NewOrExistingDialog()
2007-07-03 18:10:04 <1> intlab158(3140) [YCP] novell-edirectory/dialogs.ycp:70 Starting values `new,
*2007-07-03 18:10:28 <1> intlab158(3140) [YCP] novell-edirectory/dialogs.ycp:264 Entering Edirectory XadDomainTypeDialog()
*2007-07-03 18:10:28 <1> intlab158(3140) [ui-shortcuts] YShortcutManager.cc(checkShortcuts):82 Shortcut conflict: &apos;E&apos; used for YRadioButton "N&ew Forest"
*2007-07-03 18:10:28 <1> intlab158(3140) [ui-shortcuts] YShortcutManager.cc(checkShortcuts):82 Shortcut conflict: &apos;E&apos; used for YRadioButton "New Domain in an &Existing Forest"
*2007-07-03 18:10:28 <1> intlab158(3140) [ui-shortcuts] YShortcutManager.cc(checkShortcuts):96 No valid shortcut for YCheckBox "Configure this machine to be a primary DNS server"
2007-07-03 18:10:39 <1> intlab158(3140) [YCP] novell-edirectory/dialogs.ycp:451 Entering Edirectory XadNetBIOSDialog()
2007-07-03 18:10:41 <1> intlab158(3140) [YCP] Edirectory.ycp:327 Edirectory::ProposeXadContextSettings(forest, jaffe.com, com) returned: $["CONFIG_EDIR_SERVER_CONTEXT":"dc=jaffe.dc=com","CONFIG_LDAP_ADMIN_CONTEXT":"cn=Administrator.cn=Users.dc=jaffe.dc=com","XAD_LDAP_ADMIN_CONTEXT":""]
2007-07-03 18:10:41 <1> intlab158(3140) [YCP] novell-edirectory/dialogs.ycp:1175 Entering Edirectory Existing Tree Dialog()
2007-07-03 18:10:55 <1> intlab158(3140) [YCP] NetworkDevices.ycp:862 Check(eth,id-00:16:3e:7a:b0:9c,)
 
 
TIME:
Time synchronization between the KDC and the workstation is crucial for Kerberos authentication.  Every Kerberos request carries a timestamp, and the KDC, the client and the application servers use it to reject replayed or stale messages: a request whose timestamp differs from the receiver's clock by more than the permitted clock skew (5 minutes by default) is refused with "Clock skew too great".
 
Is the NTP port open on the server?                      nmap -p 123 -sU 137.65.1.123
Note that nmap reports a UDP port as "open|filtered" unless the service answers, so an actual NTP query is the stronger check: from Linux, "ntpdate -q 137.65.1.123" (or "ntpq -p" on the server itself) should print an offset, and from a Windows workstation "w32tm /stripchart /computer:137.65.1.123 /samples:3" should show the offset to the server.
 
 
DNS:
This is critical as well.  The primary DNS server must provide the extended records that AD clients look up (the SRV records for _ldap, _kerberos and so on), and for now that means it must be a DSfW DNS server.  It should be the first nameserver listed both on this server and on the workstation, with an external DNS server second if one is needed.  The domain should be specified in the search line.
 - Check that the /etc/hosts file only has one entry for this server's primary ip address.
 - Check /etc/resolv.conf to make sure there is a nameserver and domain search entry for this server.
 
If the XAD setup is good, the following command should resolve the domain and return a message saying the domain is already configured:
/opt/novell/xad/sbin/ndsdcinit --dns 'hines2.com'
 
 
LDAP:
Is this server listening on the standard LDAP ports?
netstat -na | grep 0.0.0.0:389  and  netstat -na | grep 0.0.0.0:636  should each return a line in the LISTEN state.  (If the eDirectory LDAP server is bound to a specific address rather than 0.0.0.0, grep for ":389 " and ":636 " instead.)
 
Can one resolve the server, bind securely and return referrals for the domain object?
/opt/novell/eDirectory/bin/ldapsearch -x -LLL -D CN=Administrator,CN=Users,dc=hines2,dc=com -w novell -h lab28.lab.novell.com -p 636 -e /etc/opt/novell/certs/SSCert.der -b dc=hines2,dc=com '(objectClass=*)'
-e gives the eDirectory ldapsearch the server's self-signed root certificate (DER format) so the connection on port 636 is verified; "-w novell" is the Administrator password of this lab and must be replaced with your own.
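The post-installation checks (daemons, /etc/hosts, /etc/resolv.conf) and the port checks from the TIME and LDAP sections, written as shell functions that read captured output from a file so they can be tried before being pointed at a live server. This is an added example, not a script shipped with DSfW or part of the original TID; the sample inputs are constructed from the TID's own example output, and the addresses and the DSFW-S1 name are its placeholders. The FQDN count in check_hosts goes slightly beyond the TID (it also catches a second entry that maps the host name to a loopback address).

```shell
#!/bin/sh
# Added example (not from the TID): offline checks for the steps above.
# Each function reads a file; run_live feeds it the real command output.

# Every "Checking for ..." line of `xadcntrl status` must end in "running".
# BIND prints its status on a line of its own after its statistics dump,
# so a line with no status word stays pending until a one-word line
# resolves it. Prints the lines that are not running; exit 1 if any.
check_daemons() {
    awk '
    /^Checking for/ {
        if (pending != "") { bad = bad pending "\n"; pending = "" }
        if ($NF == "running") next
        pending = $0
        next
    }
    NF == 1 && pending != "" {
        if ($1 != "running") bad = bad pending "\n"
        pending = ""
    }
    END {
        if (pending != "") bad = bad pending "\n"
        printf "%s", bad
        if (bad != "") exit 1
    }' "$1"
}

# /etc/hosts: the primary address and the FQDN each appear on exactly one
# non-comment line (the name count is an added check, see lead-in).
check_hosts() {
    awk -v ip="$2" -v fqdn="$3" '
    /^[ \t]*#/ { next }
    { for (i = 1; i <= NF; i++) { if ($i == ip) ips++; if ($i == fqdn) names++ } }
    END { if (ips == 1 && names == 1) exit 0; exit 1 }' "$1"
}

# /etc/resolv.conf: first nameserver is this DSfW server, and a
# search/domain line exists.
check_resolv() {
    awk -v ip="$2" '
    $1 == "nameserver" { if (++ns == 1 && $2 != ip) wrong = 1 }
    $1 == "search" || $1 == "domain" { s++ }
    END { if (ns >= 1 && s >= 1 && !wrong) exit 0; exit 1 }' "$1"
}

# `netstat -na` output: a tcp port must be in LISTEN; udp sockets (NTP on
# 123) have no state column, so any socket bound to the port counts.
check_listen() {
    awk -v proto="$2" -v port="$3" '
    $1 ~ ("^" proto) && $4 ~ (":" port "$") {
        if (proto == "udp" || $NF == "LISTEN") found = 1
    }
    END { if (found) exit 0; exit 1 }' "$1"
}

# Live run on the server: run_live <primary-ip> <fqdn>
run_live() {
    out=$(mktemp) || return 1
    rc=0
    xadcntrl status > "$out" 2>&1
    check_daemons "$out"               || rc=1
    check_hosts /etc/hosts "$1" "$2"   || { echo "hosts: bad entry for $1 / $2"; rc=1; }
    check_resolv /etc/resolv.conf "$1" || { echo "resolv.conf: $1 not first, or no search line"; rc=1; }
    netstat -na > "$out" 2>/dev/null
    for spec in tcp:389 tcp:636 udp:123; do      # LDAP, LDAPS, NTP
        check_listen "$out" "${spec%:*}" "${spec#*:}" || { echo "not bound: $spec"; rc=1; }
    done
    rm -f "$out"
    return $rc
}

# Constructed samples (built from the TID's example output) for offline use.
S=$(mktemp -d) && trap 'rm -rf "$S"' EXIT
cat > "$S/status_ok" <<'EOF'
Checking for nameserver BIND
number of zones: 3
server is up and running
zone details are dumped at /var/opt/novell/log/named/named_zones.info
                                                       running
Checking for Kerberos KDC Service                      running
Checking for Samba SMB daemon                          running
EOF
sed 's/^\(Checking for Kerberos KDC Service *\)running/\1unused/' "$S/status_ok" > "$S/status_bad"
cat > "$S/hosts" <<'EOF'
127.0.0.1       localhost
::1             localhost ipv6-localhost ipv6-loopback
192.127.80.5    DSFW-S1.novell.com DSFW-S1
EOF
{ cat "$S/hosts"; echo '127.0.0.2 DSFW-S1.novell.com DSFW-S1'; } > "$S/hosts_dup"
printf 'nameserver 192.127.80.5\nnameserver 192.127.90.1\nsearch novell.com\n' > "$S/resolv"
printf 'nameserver 192.127.90.1\nsearch novell.com\n' > "$S/resolv_ext_first"
cat > "$S/netstat" <<'EOF'
tcp        0      0 0.0.0.0:389     0.0.0.0:*    LISTEN
tcp        0      0 0.0.0.0:636     0.0.0.0:*    LISTEN
udp        0      0 0.0.0.0:123     0.0.0.0:*
EOF

# Offline demo: the second status sample reports the KDC line and fails.
check_daemons "$S/status_ok"  && echo "status_ok: all daemons running"
check_daemons "$S/status_bad" || echo "status_bad: daemon(s) not running (listed above)"
```

On a real server call `run_live 192.127.80.5 DSFW-S1.novell.com` (with your own address and FQDN) as root; it prints each failing item and returns non-zero if anything is wrong, which makes it usable from cron or a monitoring check. The functions deliberately take files rather than running commands themselves, so output collected from a customer's server can be checked offline with the same code.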
 
 
AUTHENTICATION:
Tail these logs:
tail -f /var/log/YaST/y2log
tail -f /var/opt/novell/eDirectory/log/ndsd.log
(A "Clock skew too great" message means time is not synchronized between the workstation and the server; see TIME above.)
 
 
LOGS REQUIRED FOR FURTHER TROUBLESHOOTING:
/var/opt/novell/xad/log/kdc.log
/var/log/YaST/y2log
/var/log/samba/log.smbd
/var/log/messages
Workstation log: %windir%\debug\netsetup.log
 
Also may need a LDAP\NMAS ndstrace log: TID3443824