Environment
Novell Open Enterprise Server 2 SP1 (OES2SP1)
Novell Open Enterprise Server 2 SP2 (OES2SP2)
Novell Open Enterprise Server 2 SP3 (OES2SP3)
Novell Open Enterprise Server 11 (OES11)
Novell Open Enterprise Server 11 SP1 (OES11SP1)
Domain Services for Windows
DSFW
Situation
After successfully installing Domain Services for Windows (DSFW), verify that DSFW is working properly.
Resolution
Reboot the server so that all the eDirectory paths are exported and take effect. Otherwise, export the eDirectory paths by entering the following command (note the space between the . and the /):
. /opt/novell/eDirectory/bin/ndspath
Then reboot the server or restart all the DSFW services. The xadcntrl command may not be in the exported path until the server is rebooted after the initial install of DSFW. If you see an error for one or more services while running xadcntrl, reboot the server.
/opt/novell/xad/bin/xadcntrl reload
If installing a child domain or an additional domain controller, the DSFW DNS server listed in /etc/resolv.conf must also be restarted:
rcnovell-named restart
Verify that the eDirectory database is open and that ndspath exported the paths for the eDirectory commands correctly by issuing the following command:
ndsstat
Check that all the services necessary for Domain Services for Windows are running:
xadcntrl validate
Verify that LDAP is functioning and that Administrator is provisioned. A provisioned user has a sAMAccountName attribute whose value is the user's ID. Be sure to export LDAPCONF first so that ldapsearch picks up the DSFW OpenLDAP client configuration. If you do not, use the -e parameter and point it to an exported server certificate, or use -x for a simple bind. If you use -x, the "Require TLS for simple binds" option must be unchecked on the LDAP Group object and nldap must be restarted (nldap -u AND nldap -l). Treat that as a temporary test setting: while it is unchecked, simple-bind passwords can cross the network in cleartext, so re-enable it once the check is done.
export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf
ldapsearch -Y EXTERNAL -LLL -b (base context to search) sAMAccountName
EXAMPLE:
ldapsearch -Y EXTERNAL -LLL -b cn=Administrator,cn=users,dc=mydomain,dc=com sAMAccountName
Results should be as follows. The peercred SASL username shows that the bind came in over the local ldapi socket as root, which is why an SSF of 0 is acceptable here: nothing crossed the network.
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=Administrator,cn=Users,dc=mydomain,dc=com
sAMAccountName: Administrator
Check that /etc/resolv.conf contains a DSFW nameserver and a domain search entry for this server.
less /etc/resolv.conf
Should return something like this:
nameserver 10.10.10.10
nameserver 69.111.95.106
nameserver 206.196.151.153
search mydomain.com
Verify the /etc/hosts has only one entry with the server's primary IP address
less /etc/hosts
Verify DNS is working
nslookup mydomain.com
nslookup -query=any _ldap._tcp.dc._msdcs.mydomain.com
Verify that the local KDC is working. You should be able to authenticate without any errors:
/opt/novell/xad/bin/kinit Administrator@mydomain.com
Locate the domain controller for the domain and get the DC capabilities:
/opt/novell/xad/sbin/provision --locate-dc mydomain.com
Should see something like this:
Domain Services for Windows Server Provisioning Tool
Copyright (c) 2001-2007 Novell, Inc. All rights reserved.
DC: \\dsfwserver.mydomain.com
Address: \\10.10.10.10
Dom Guid: c1eada0d-391c-4ca9-b488-0bdaeac11c38
Dom Name: mydomain.com
Forest Name: mydomain.com
Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
Flags: PDC GC DS LDAP KDC TIMESERV CLOSEST WRITABLE GTIMESERV DNS_DC DNS_DOMAIN DNS_FOREST
Verify that xadsd is working:
rpcclient -k ncalrpc: -c dsroledominfo
Should see something like this:
Machine Role = [5]
Directory Service is running.
Domain is in native mode.
Verify that xadsd is working via NetBIOS:
rpcclient -k localhost -c dsroledominfo
Should see something like this:
Machine Role = [5]
Directory Service is running.
Domain is in native mode.
If you get the following error:
ads_krb5_mk_req: krb5_get_credentials failed for cifs/dsfwserver.mydomain.com@MYDOMAIN.COM (Ticket expired)
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Ticket expired
failed session setup with NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Then obtain a new ticket by running:
kinit Administrator@mydomain.com
Finally, join a workstation to the domain and log in to the domain as Administrator or another provisioned user in the domain.
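The checks above can be scripted so that a DC is verified the same way every time. The script below is an added example written for this TID; it is not a Novell tool. It assumes the DSFW paths shown above, that the caller supplies this DC's primary IP address and the DNS domain name, and that the expected strings in the parsers match the example output in this TID. The parsers read captured command output on stdin, so they can be exercised offline against the constructed sample output embedded in the script (copied from the examples in this TID) before the script is run with --live on a real DSFW server.

```shell
#!/bin/sh
# dsfw_verify.sh: the post-install DSFW checks from this TID as one script.
# Added example, not a Novell tool. Assumptions: the DSFW paths shown in the
# TID, and the caller supplies this DC's primary IP and the DNS domain name.

# mydomain.com -> dc=mydomain,dc=com (base DN for the ldapsearch step)
domain_to_dn() {
    printf 'dc=%s\n' "$1" | sed 's/\./,dc=/g'
}

# /etc/resolv.conf must name the DSFW DNS server and search the domain.
# args: dsfw_dns_ip domain ; stdin: resolv.conf contents
check_resolv() {
    awk -v ip="$1" -v dom="$2" '
        $1 == "nameserver" && $2 == ip { ns = 1 }
        $1 == "search" || $1 == "domain" { for (i = 2; i <= NF; i++) if ($i == dom) s = 1 }
        END { exit !(ns && s) }'
}

# /etc/hosts must carry exactly one entry for the primary IP (comments ignored).
# arg: primary_ip ; stdin: /etc/hosts contents
check_hosts() {
    awk -v ip="$1" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == ip { n++ }
        END { exit (n != 1) }'
}

# A provisioned user carries sAMAccountName. arg: expected value ; stdin: ldapsearch -LLL output
check_provisioned() {
    awk -v want="$1" '
        tolower($1) == "samaccountname:" && $2 == want { ok = 1 }
        END { exit !ok }'
}

# provision --locate-dc: the Flags line must advertise a writable DC with
# directory, LDAP and KDC services (PDC and GC are not required on an additional DC).
check_dc_flags() {
    awk '
        $1 == "Flags:" { for (i = 2; i <= NF; i++) have[$i] = 1 }
        END {
            n = split("DS LDAP KDC WRITABLE", need, " ")
            for (k = 1; k <= n; k++) if (!(need[k] in have)) exit 1
            exit 0
        }'
}

# rpcclient dsroledominfo: machine role 5 and a running directory service
check_dsrole() {
    awk '
        /Machine Role = \[5\]/ { role = 1 }
        /Directory Service is running/ { ds = 1 }
        END { exit !(role && ds) }'
}

# Constructed sample output, copied from the example output in this TID.
SAMPLE_RESOLV='nameserver 10.10.10.10
nameserver 69.111.95.106
search mydomain.com'
SAMPLE_HOSTS='127.0.0.1 localhost
10.10.10.10 dsfwserver.mydomain.com dsfwserver'
SAMPLE_LDAP='dn: cn=Administrator,cn=Users,dc=mydomain,dc=com
sAMAccountName: Administrator'
SAMPLE_LOCATE_DC='DC: \\dsfwserver.mydomain.com
Address: \\10.10.10.10
Dom Name: mydomain.com
Flags: PDC GC DS LDAP KDC TIMESERV CLOSEST WRITABLE GTIMESERV DNS_DC DNS_DOMAIN DNS_FOREST'
SAMPLE_DSROLE='Machine Role = [5]
Directory Service is running.
Domain is in native mode.'

# Exercise every parser against the sample output; returns 0 when all pass.
self_check() {
    printf '%s\n' "$SAMPLE_RESOLV"    | check_resolv 10.10.10.10 mydomain.com || return 1
    printf '%s\n' "$SAMPLE_HOSTS"     | check_hosts 10.10.10.10               || return 1
    printf '%s\n' "$SAMPLE_LDAP"      | check_provisioned Administrator       || return 1
    printf '%s\n' "$SAMPLE_LOCATE_DC" | check_dc_flags                        || return 1
    printf '%s\n' "$SAMPLE_DSROLE"    | check_dsrole                          || return 1
}

# Run the real checks on a DSFW server: ./dsfw_verify.sh --live 10.10.10.10 mydomain.com
# If rpcclient reports "Ticket expired", run kinit Administrator@DOMAIN first (see above).
run_live() {
    ip="$1"; dom="$2"
    . /opt/novell/eDirectory/bin/ndspath
    ndsstat                               || { echo "FAIL: eDirectory database not open"; return 1; }
    /opt/novell/xad/bin/xadcntrl validate || { echo "FAIL: DSFW services"; return 1; }
    export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf
    ldapsearch -Y EXTERNAL -LLL -b "cn=Administrator,cn=Users,$(domain_to_dn "$dom")" sAMAccountName \
        | check_provisioned Administrator || { echo "FAIL: Administrator not provisioned"; return 1; }
    check_resolv "$ip" "$dom" < /etc/resolv.conf || { echo "FAIL: /etc/resolv.conf"; return 1; }
    check_hosts "$ip" < /etc/hosts        || { echo "FAIL: /etc/hosts"; return 1; }
    /opt/novell/xad/sbin/provision --locate-dc "$dom" | check_dc_flags || { echo "FAIL: locate-dc"; return 1; }
    rpcclient -k ncalrpc: -c dsroledominfo | check_dsrole || { echo "FAIL: xadsd"; return 1; }
    echo "DSFW checks passed"
}

case "${1:-}" in
    --live) run_live "$2" "$3" ;;
    *)      self_check && echo "parsers OK against sample output" ;;
esac
```

Run it with no arguments to confirm the parsers accept the sample output; run it with --live, the DC's IP and the domain on the server itself, after sourcing ndspath and obtaining a ticket with kinit. Each parser is deliberately strict about the one thing the TID asks you to confirm (the DSFW nameserver present, exactly one hosts entry, the sAMAccountName value, the DS/LDAP/KDC/WRITABLE flags, role 5 with the directory service running), so a false positive from a partially started server is reported as a failure rather than hidden.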