Account Management for NT Toolbox
Novell Cool Solutions: Feature
Posted: 3 Oct 2003
The NDS4NT Tool Box is a utility used for troubleshooting problems with NDS4NT 2.01, 2.02 and 2.10 (Novell Account Management 2.1). The program is a consolidation of multiple, independent tests.
Download the file from TID 2967088
No installation is needed for the toolbox. Just unpack the nds4ntt3.exe into a directory and run the program (NDS4NTTB.EXE).
Depending on the test, the NDS4NT Tool Box has to be run on the PDC or a BDC. This applies mainly to testing the Domain database integrity.
Warning: When running a Domain related test on an NT/Windows 2000 workstation, the tests will still run, as the same API calls work on NT workstations. The issue is that the local workstation SAM will be read instead of the Domain database from the PDC. The test results from running the Domain tests on a workstation are useless regarding the Domain database integrity.
Warning: When running any test of the NDS4NT Tool Box, high LAN traffic and NetWare/NT server utilization can be created for the duration of the test. In a production environment run a test only if you need its result.
Only when testing the domain related NDS4NT NDS objects can the NDS4NT Tool Box be run from any Windows NT workstation or server with the Novell Client for Windows NT installed. To run the tests you have to be logged into NDS as Admin. The program has been tested with the NT client v4.60 and higher.
To use the NDS4NT Tool Box properly and to interpret the results correctly, you need to understand how NDS4NT Redirection works. Here's some background info about the architecture of NDS4NT.
All Domain related information of Windows NT is stored in the SAM database. The SAM is basically part of the registry. For applications to access the SAM database they have to go through a software interface called the SAM Library DLL (SAMLIB.DLL). Every application that wants access to the SAM database has to go through the SAM Library and make the appropriate calls. The SAM Library DLL itself talks to the SAM database through the SAM Server DLL (SAMSRV.DLL). This is the level at which NDS4NT comes in. NDS4NT Redirection (NDS4NT v2.10 is called "Account Management" in Corporate Edition v8.5) replaces the central piece of the NT Domain database integration, the database engine SAMSRV.DLL. The NDS4NT SAMSRV.DLL understands and accepts all calls from SAMLIB.DLL and redirects the requests into NDS. This is why the Novell Client for Windows NT is required on the NT server: the Novell SAMSRV.DLL makes calls to the Novell client libraries to get access to NDS.
Note: You have to have at least the client version that ships with the product version you have installed. You can always upgrade to a higher version of the client. The only exception is the 1.x version of the product. This version came with a special version of the Novell client (v4.12/v4.14). Never upgrade this client, because the redirection will no longer work. The only option you have is to upgrade the product to version 2.x, which will also upgrade the client.
With the Novell SAMSRV.DLL the Domain database information is stored in NDS and the requests from all applications are satisfied through NDS. If a user wants to authenticate to the Domain, the requests made by NetLogon go to SAMLIB and SAMLIB makes all requests to SAMSRV. SAMSRV then has to retrieve the requested information from NDS. Because the information is stored in NDS, object properties can be administered through a single interface, NWADMN32 or ConsoleOne. The NT Domain user is mapped to an NDS user, which receives additional attributes required for NDS4NT. A few of those attributes are the NT Domain password and the NT group membership. To make an NDS user an NT user, the NDS user has to be made a member of the NT Domain. To do this, go to the user properties and select the "Domain Access" tab.
For each NT Domain there is an NT Domain object in NDS. This object is required so that the SAMSRV.DLL can log in to NDS using it. By doing that, SAMSRV, running as a system service on the NT server, gets access to the Domain user list and is able to administer all existing Domain members and to add or remove Domain members. The NT Domain object is a container object, which holds the NT local and global groups and the workstation objects.
Here is a list of the main symptoms that you may see with NDS4NT and their possible causes.
- Users cannot login
- Users slow login
- User Manager / Server Manager hangs
- Error that PDC could not be found
RIDs are unique identifiers on NT. SAMSRV.DLL and IWSAM.DLL use a semaphore on the master replica to ensure that the attribute IWS:RID Counter can be modified from only one workstation at a time.
- Users having problems to login
- User Manager shows two users with the same properties
- If multiple objects have the same RID, Domain can be slow, users cannot login
- Run tool on PDC/BDC
- Delete duplicate users to solve the problem
Names are unique in SAM database due to flat structure.
- Users having problems logging in
- Delete duplicate names or rename user from NDS to solve the problem
IWSAM.DLL is the snap-in for NWADMN32. It assigns rights at the moment of making the user a member of a domain.
Those rights may have been lost.
NDS4NT Tool Box finds users to which the domain does not have supervisor object rights.
Other functions of IWSAM.DLL:
- Takes care that no users with the same CN are members of the domain
SAMSRV.DLL:
- When using User Manager to create users, User Manager takes care that no duplicate names exist -- dupname finds duplicates.
- Find duplicate users using the NDS4NT Tool Box, rename or delete users
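To make concrete what the duplicate-RID and duplicate-name tests above look for, here is an added Python example (not part of the original article or the NDS4NT Tool Box) that runs both checks over a constructed list of domain members; the record fields cn, dn and rid and all sample values are assumptions.

```python
from collections import defaultdict

# Constructed sample of NT Domain members as NDS4NT keeps them in NDS: the
# user's CN, its distinguished name and the NT RID assigned by IWSAM.DLL.
# Two defects are planted: two objects share RID 1005, and "jsmith" exists
# twice in different containers with different letter case.
DOMAIN_MEMBERS = [
    {"cn": "admin",  "dn": "admin.prv.novell",        "rid": 500},
    {"cn": "jsmith", "dn": "jsmith.sales.prv.novell", "rid": 1004},
    {"cn": "mjones", "dn": "mjones.sales.prv.novell", "rid": 1005},
    {"cn": "akhan",  "dn": "akhan.eng.prv.novell",    "rid": 1005},
    {"cn": "JSmith", "dn": "JSmith.eng.prv.novell",   "rid": 1006},
]

def find_duplicate_rids(members):
    """Return {rid: [dn, ...]} for every RID held by more than one object.
    A RID must be unique within the SAM; duplicates break logons and make
    User Manager show two users with identical properties."""
    by_rid = defaultdict(list)
    for m in members:
        by_rid[m["rid"]].append(m["dn"])
    return {rid: dns for rid, dns in by_rid.items() if len(dns) > 1}

def find_duplicate_names(members):
    """Return {name: [dn, ...]} for CNs that collide in the flat SAM namespace.
    NDS allows the same CN in different containers, but SAM names are flat
    and case-insensitive, so 'jsmith' and 'JSmith' are one SAM account."""
    by_name = defaultdict(list)
    for m in members:
        by_name[m["cn"].lower()].append(m["dn"])
    return {n: dns for n, dns in by_name.items() if len(dns) > 1}

def report(members):
    """One line per finding, the way the toolbox summarises a test run."""
    lines = []
    for rid, dns in sorted(find_duplicate_rids(members).items()):
        lines.append(f"DUPLICATE RID {rid}: {', '.join(dns)}")
    for name, dns in sorted(find_duplicate_names(members).items()):
        lines.append(f"DUPLICATE NAME {name}: {', '.join(dns)}")
    return lines

if __name__ == "__main__":
    for line in report(DOMAIN_MEMBERS):
        print(line)
```

Each finding names every object involved so the administrator can decide which one to rename or delete, as the section above recommends.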
Domain Object needs supervisor object rights to Domain users.
- Slow logins/high utilization due to Domain synchronization problem
- Domain does not sync completely
- Syncs are going on constantly
- Check event viewer
- Grant supervisor object right
Revision count out of sync
NDS modifies the Revision count attribute whenever a change to the object occurs. If the Revision count is not the same on each replica, SAMSRV.DLL downloads all user information into its cache again. Because of the nature of the Novell Client Libraries, they load balance when reading DS information. This means that SAMSRV may read information from Server A the first time and be directed to Server B for the next request. SAMSRV.DLL uses the Revision attribute of the following objects to check whether its cache is still current:
- Domain Object
- Domain Users-Group
- Slow login
- Losing trusts
- Users cannot login
- User- / Server- Manager does not start or hangs
- "A PDC could not be found"
NDS4NT Tool Box reports the Revision attribute on all Replicas.
- Reset Revision count with DS dial-in
- Get REVRESET.NLM from Support and reset revision count from server with NDS 7.x (the NLM does not run on DS8).
Alternatively, check the Revision count using the NDS4NT Tool Box as described under "Checking Revision count" below.
The interface of the NDS4NT Tool Box is dialog based. All functions will be called when clicking the appropriate button directly or another dialog box with additional features shows up.
When starting the NDS4NT Tool box the first time, a warning message will display. This message indicates that running the tests is very intensive and will put a high load on the network, the PDC/BDC and/or NDS.
If you do not want to get the message every time you start the NDS4NT Tool Box, check the box: "Don't show this message again". This will create a corresponding key in the registry under HKLM.
Checking Revision count
There are two options to check the revision count:
1) Select "NDS Tools" and type in the domain object name, e.g. "domain.prv.novell" (without quotes). Then click on "Revision". The program will go to all servers holding a replica of the NT Domain object and will read the revision count attribute of the Domain object and the Domain Users groups.
The program will show a little table with the server name, replica type, replica number, replica count and the desired information about the revision count. Make sure that the revision for the Domain is the same on all servers and for the Domain Users group as well.
2) Select "NDS Tools", then select "Search". Click on "refresh" and the program will find all Domain objects in the (default) tree. After that click on "check all". The program will show OK for each Domain object and Domain users group if the revision count is in sync. If they are out of sync the program will show "fail". When you double click the domain object the program shows the result from each server (as with option 1).
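The revision check described in this section, as an added Python example that is not from the article or the toolbox: it takes the per-server readings the tool collects (constructed here, with assumed field names), reports OK or fail for the Domain object and the Domain Users group, and shows why SAMSRV.DLL's cache test gives different answers depending on which replica the client library happened to read. It goes slightly beyond the tool's display by naming the servers that drift from the Master replica.

```python
from collections import Counter

# Constructed sample of what the toolbox reads from every server holding a
# replica of the NT Domain object (field names are assumptions): the replica
# type and the Revision attribute of the Domain object and of its Domain
# Users group. DS3 lags on the Domain object, so that check must fail.
REPLICA_READINGS = {
    "DS1": {"replica_type": "Master",     "domain_rev": 1432, "domain_users_rev": 987},
    "DS2": {"replica_type": "Read/Write", "domain_rev": 1432, "domain_users_rev": 987},
    "DS3": {"replica_type": "Read/Write", "domain_rev": 1429, "domain_users_rev": 987},
}

def reference_value(readings, attr):
    """Value to compare against: the Master replica's or, if no Master
    replica was read, the value most replicas agree on."""
    for r in readings.values():
        if r["replica_type"] == "Master":
            return r[attr]
    return Counter(r[attr] for r in readings.values()).most_common(1)[0][0]

def check_revision(readings, attr):
    """Return ("OK", {}) when every replica reports the same value for attr,
    otherwise ("fail", {server: value}) naming the replicas that drift."""
    reference = reference_value(readings, attr)
    drift = {s: r[attr] for s, r in readings.items() if r[attr] != reference}
    return ("fail" if drift else "OK", drift)

def check_domain(readings):
    """The 'check all' verdicts: one for the Domain object and one for the
    Domain Users group, the two attributes the toolbox compares."""
    return {
        "Domain": check_revision(readings, "domain_rev")[0],
        "Domain Users": check_revision(readings, "domain_users_rev")[0],
    }

def cache_is_current(cached_rev, readings, server):
    """SAMSRV.DLL's cache test: the cache is current only if the Revision it
    holds equals the one on the replica the client library just picked.
    While replicas disagree, the same cache looks current from one server
    and stale from the next, which triggers the repeated downloads of all
    user information and the slow logins described above."""
    return cached_rev == readings[server]["domain_rev"]

if __name__ == "__main__":
    for obj, verdict in check_domain(REPLICA_READINGS).items():
        print(f"{obj}: {verdict}")
    print("drifting replicas:", check_revision(REPLICA_READINGS, "domain_rev")[1])
```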