Preparing for an ADC Install of Domain Services for Windows.

  • 7009927
  • 24-Dec-2011
  • 18-Nov-2013

Environment

Open Enterprise Server 11 (OES11)
Open Enterprise Server 11 SP1 (OES11SP1)
Open Enterprise Server 2 SP3 (OES2SP3)
Domain Services for Windows
DSfW

Situation

Here are some tips for a successful DSfW install of an Additional Domain Controller (ADC)

Resolution

The install of DSfW has to be done on a new OES2 server.  The OES server can be configured on an existing SLES 10 server or on a new install of SLES where OES is the add-on product.

For OES2-SP2 or OES2-SP3 DSfW use SLES10-SP3.
For OES11 use SLES11-SP1.
 
eDirectory cannot be installed on the server prior to installing DSfW.

/etc/hosts should have the domain name listed as well as the loopback address.  If a 127.0.0.2 entry also exists, comment it out along with the IPv6 loopback line (starts with ::1), or follow TID 7010075.
Example of an /etc/hosts for a server named server2 in the domain dsfwdomain.com:
    127.0.0.1       localhost
    192.168.0.6 server2.dsfwdomain.com server2

/etc/resolv.conf should list the IP address of the PDC DSfW server as the first nameserver.  If DNS is to be configured on the ADC server, the second nameserver should be the ADC server's own IP address.
Example:
    nameserver 192.168.0.5
    nameserver 192.168.0.6
    nameserver 4.2.2.2
    search dsfwdomain.com
If DNS is not running on the PDC the install will fail.  DNS has to be authoritative and primary for the zone.
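The /etc/hosts and /etc/resolv.conf conditions above can be checked with a small script before the install is started. This is an added example, not part of the TID; it uses constructed sample files that mirror the TID's example addresses (192.168.0.5 as the PDC, 192.168.0.6 as the ADC named server2).

```shell
#!/bin/sh
# Added pre-install check, not from the TID: tests the /etc/hosts and
# /etc/resolv.conf conditions listed above before the DSfW ADC install is run.
# check_hosts FILE FQDN   -> 0 if FQDN is listed and 127.0.0.2 / ::1 are inactive
# check_resolv FILE PDCIP -> 0 if the first nameserver is the PDC address

check_hosts() {
    hosts="$1"; rc=0
    # escape the dots so the FQDN is matched literally by grep -E
    fqdn=$(printf '%s' "$2" | sed 's/\./\\./g')
    if grep -Eq '^[[:space:]]*127\.0\.0\.2[[:space:]]' "$hosts"; then
        echo "hosts: active 127.0.0.2 line; comment it out or follow TID 7010075"; rc=1
    fi
    if grep -Eq '^[[:space:]]*::1[[:space:]]' "$hosts"; then
        echo "hosts: active IPv6 loopback (::1) line; comment it out"; rc=1
    fi
    if ! grep -Eq "^[[:space:]]*[0-9][0-9.]*[[:space:]]+(.*[[:space:]])?${fqdn}([[:space:]]|\$)" "$hosts"; then
        echo "hosts: no uncommented entry for $2"; rc=1
    fi
    return $rc
}

check_resolv() {
    resolv="$1"; pdc="$2"; rc=0
    first=$(grep -E '^[[:space:]]*nameserver[[:space:]]' "$resolv" | head -n 1 | awk '{print $2}')
    if [ "$first" != "$pdc" ]; then
        echo "resolv.conf: first nameserver is '$first', expected the PDC $pdc"; rc=1
    fi
    if ! grep -Eq '^[[:space:]]*search[[:space:]]' "$resolv"; then
        echo "resolv.conf: no search line for the domain"; rc=1
    fi
    return $rc
}
# Constructed sample files following the TID's example: 192.168.0.5 is the PDC,
# 192.168.0.6 is the ADC (server2) being prepared.
tmp=$(mktemp -d)
cat > "$tmp/hosts.bad" <<'EOF'
127.0.0.1       localhost
127.0.0.2       server2.dsfwdomain.com server2
::1             localhost ipv6-localhost
EOF
cat > "$tmp/hosts.good" <<'EOF'
127.0.0.1       localhost
#127.0.0.2      server2.dsfwdomain.com server2
192.168.0.6     server2.dsfwdomain.com server2
EOF
printf 'nameserver 192.168.0.5\nnameserver 192.168.0.6\nsearch dsfwdomain.com\n' > "$tmp/resolv.good"
printf 'nameserver 4.2.2.2\nnameserver 192.168.0.5\n' > "$tmp/resolv.bad"
check_hosts "$tmp/hosts.good" server2.dsfwdomain.com && check_resolv "$tmp/resolv.good" 192.168.0.5 && echo "prerequisites OK"
```

On a real server, run the two functions against /etc/hosts and /etc/resolv.conf with the server's FQDN and the PDC address instead of the sample files.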

Verify the time and time zone are correct.

When installing DSfW only select the DSfW pattern.  All the necessary patterns will also be selected.  Do not uncheck any of the other patterns.

Perform an eDirectory health check as listed in TID 3564075.

In the eDirectory configuration section, for the "IP Address of an existing eDirectory server with a replica" enter the IP address of the PDC server of the domain.  This usually means the IP address of the first DSfW server.  If installing an ADC for a child domain be sure to use the IP address of the PDC for the child domain.

Verify the uniquedomainid attribute is present on all objects within the domain.  This can be done using ldapsearch or iMonitor.

Check for objects without the uniquedomainid attribute using ldapsearch on the first DSfW server.
This search lists the objects without a uniquedomainid attribute and writes the list to /tmp/uniquedomainid.txt.  First export LDAPCONF:
export LDAPCONF=/etc/opt/novell/xad/openldap/openldap.conf

Then do this search (two commands; the first reads the default naming context, the second runs the subtree search against it):
DEFAULTNAMINGCONTEXT=`/usr/bin/ldapsearch -x -b "" -s base defaultnamingcontext | grep -i 'defaultnamingcontext: ' | awk '{print $2}'`
/usr/bin/ldapsearch -Y EXTERNAL -LLL -Q -b "$DEFAULTNAMINGCONTEXT" -s sub '(&(!(uniqueDomainID=*))(!(|(cn:dn:=Builtin)(cn:dn:=Configuration)(cn:dn:=ForeignSecurityPrincipals))))' dn | tee /tmp/uniquedomainid.txt

The search output might include objects that are not in the domain, such as the ou=configuration container or other partitions that are not part of the domain, because it is a subtree search.  If the base is specified as the domain name (dc=dsfwdomain,dc=com) the search will be restricted to the domain on a DSfW server.

    Some key objects to check for the uniquedomainid attribute are: krbtgt, domain controller object, and the container mapped to the domain.

    ldapsearch can be used to check these individual objects.
    Example of ldapsearches:
    domain name = novell.com
    container mapped to domain = o=novell
    dsfw server = dsfw-s1

    Example of a ldapsearch for the container mapped to the domain and successfully returning the uniquedomainid on the container mapped to the domain:
LDAPCONF=/etc/opt/novell/xad/openldap/openldap.conf ldapsearch -Y EXTERNAL -LLL -Q -b "o=novell" -s base dn uniquedomainid
dn: o=novell
uniquedomainid: 1049076

    Example of a ldapsearch for the Domain Controller object and successfully returning the uniquedomainid on the Domain Controller object:
LDAPCONF=/etc/opt/novell/xad/openldap/openldap.conf ldapsearch -Y EXTERNAL -LLL -Q -b "cn=dsfw-s1,ou=domain controllers,dc=novell,dc=com" -s base dn uniquedomainid
dn: cn=DSFW-s1,ou=Domain Controllers,o=novell
uniquedomainid: 1049076

    Example of a ldapsearch for the krbtgt object and successfully returning the uniquedomainid on the krbtgt object:
LDAPCONF=/etc/opt/novell/xad/openldap/openldap.conf ldapsearch -Y EXTERNAL -LLL -Q -b "cn=krbtgt,cn=users,dc=novell,dc=com" -s base dn uniquedomainid
dn: cn=krbtgt,cn=Users,o=novell
uniquedomainid: 1049076
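Once the ldapsearch output above has been saved, the two checks (filtering the subtree results down to the domain, and confirming the key objects carry uniquedomainid) can be done offline on that saved output. This is an added helper, not part of the TID; the LDIF samples are constructed in the shape of the TID's ldapsearch -LLL output, and the DN suffix used to decide "in the domain" is the container mapped to the domain (o=novell in the TID's example).

```shell
#!/bin/sh
# Added helper, not from the TID: reads saved ldapsearch output from the
# uniquedomainid checks above so the results can be filtered and checked offline.
# keep_in_domain LDIF BASE  -> prints only the dn: lines at or under BASE, dropping
#                              other partitions that the subtree search also returned
# key_objects_ok LDIF DN... -> 0 if every listed DN has a uniquedomainid value

keep_in_domain() {
    base=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v base="$base" '
        /^dn: / { dn = tolower(substr($0, 5))        # DN comparison is case-insensitive
                  if (dn == base || substr(dn, length(dn) - length(base)) == "," base) print }
    ' "$1"
}

key_objects_ok() {
    ldif="$1"; shift; rc=0
    for want in "$@"; do
        # uniquedomainid value of the entry whose dn matches, case-insensitively
        val=$(awk -v want="$(printf '%s' "$want" | tr 'A-Z' 'a-z')" '
            /^dn: / { hit = (tolower(substr($0, 5)) == want) }
            hit && tolower($1) == "uniquedomainid:" { print $2 }
        ' "$ldif")
        if [ -z "$val" ]; then echo "MISSING uniquedomainid on $want"; rc=1
        else echo "ok $want uniquedomainid=$val"; fi
    done
    return $rc
}

# Constructed samples in the shape of the TID's ldapsearch -LLL output.
tmp=$(mktemp -d)
cat > "$tmp/missing.ldif" <<'EOF'
dn: cn=testuser,cn=Users,o=novell

dn: cn=printer1,ou=lab,o=acme

dn: ou=Contractors,o=novell
EOF
cat > "$tmp/keys.ldif" <<'EOF'
dn: o=novell
uniquedomainid: 1049076

dn: cn=DSFW-s1,ou=Domain Controllers,o=novell
uniquedomainid: 1049076

dn: cn=krbtgt,cn=Users,o=novell
EOF
keep_in_domain "$tmp/missing.ldif" o=novell
key_objects_ok "$tmp/keys.ldif" o=novell "cn=dsfw-s1,ou=domain controllers,o=novell" "cn=krbtgt,cn=users,o=novell" \
    || echo "fix the objects reported as MISSING before installing the ADC"
```

In the constructed sample the krbtgt entry has no uniquedomainid, so the last line reports it as MISSING.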

Reset the Tree Admin and Administrator passwords, or check the Tree Admin and Administrator password expiration.  By default the Administrator password is set not to expire, but that setting only applies when NMAS authentication is used.  During the install an NCP authentication will be attempted for admin and Administrator.  If either of these users reports a password expiration date older than the current date, authentication will fail and the install will fail.

To check if the password is expired, log in to iManager | Directory Administration | Modify Object | select Administrator under the cn=users container | Restrictions tab | verify the date under "Date password expires:" is not older than the current date.  If the date is expired, set the password for the user.  Unless your password policy has a password history, the same password can be used.  See TID 7011732.

If the ADC was installed, then removed, and is to be installed again, verify that the server object, the DC object within the Domain Controllers container, and the DNS records no longer exist.
iManager, ConsoleOne, or ldapsearch are good tools to check that the old server was completely removed.
For ldapsearch on an existing DSfW server (substitute the old server's name for dsfw1):
export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf
ldapsearch -Y EXTERNAL -LLL -Q "cn=*dsfw1*" dn

Starting with the April 2013 Maintenance patch, apply patches before installing and configuring DSfW.

Additional Information

ldapsearch can be used on an eDirectory server as well.  Be sure to use the eDirectory ldapsearch tool located at /opt/novell/eDirectory/bin/ldapsearch.

Example:
/opt/novell/eDirectory/bin/ldapsearch -x -LLL -h 127.0.0.1 -p 636 -D cn=admin,o=novell -w novell -E /etc/opt/novell/certs/SSCert.der -b "o=novell" -s base dn uniquedomainid