Verify a Domain Services for Windows Install

  • 7001884
  • 14-Nov-2008
  • 06-Feb-2013

Environment

Novell Open Enterprise Server 2 SP1 (OES2SP1)
Novell Open Enterprise Server 2 SP2 (OES2SP2)
Novell Open Enterprise Server 2 SP3 (OES2SP3)
Novell Open Enterprise Server 11 (OES11)
Novell Open Enterprise Server 11 SP1 (OES11SP1)
Domain Services for Windows
DSFW

Situation

After successfully installing Domain Services for Windows, you will need to verify that DSFW is working properly.

Resolution

Reboot the server so that all the paths are exported and take effect.  Otherwise, export the eDirectory paths by entering the following command:
. /opt/novell/eDirectory/bin/ndspath (there is a space between the . and /)

Reboot the server or restart all the DSFW services.  The xadcntrl command may not be exported until the server is rebooted after the initial install of DSFW.  If you see an error for one or more services while running xadcntrl, reboot the server.
/opt/novell/xad/bin/xadcntrl reload

If installing a child domain or an additional domain controller, the DSFW DNS server listed in /etc/resolv.conf must also be restarted:
rcnovell-named restart

Verify the eDirectory database is open and that the ndspath properly exported the paths for eDir commands by issuing the following command:
ndsstat

Check that all the services necessary for Domain Services for Windows are running
xadcntrl validate

Verify LDAP is functioning and that Administrator is provisioned.  A provisioned user will have a sAMAccountName attribute whose value is the user's ID.  Be sure to export LDAPCONF.  If not, use the -e parameter and point to an exported certificate, or use -x.  If using -x, the required TLS option needs to be unchecked on the LDAP Group object and nldap needs to be restarted (nldap -u AND nldap -l).
export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf
ldapsearch -Y EXTERNAL -LLL -b (base context to search) sAMAccountName
EXAMPLE:
    ldapsearch -Y EXTERNAL -LLL -b cn=Administrator,cn=users,dc=mydomain,dc=com sAMAccountName

The results should be as follows:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=Administrator,cn=Users,dc=mydomain,dc=com
sAMAccountName: Administrator

Check that /etc/resolv.conf contains a DSFW nameserver entry and a domain search entry for this server.
less /etc/resolv.conf
Should return something like this:
nameserver 10.10.10.10
nameserver 69.111.95.106
nameserver 206.196.151.153
search mydomain.com

Verify that /etc/hosts has only one entry with the server's primary IP address.
less /etc/hosts

Verify DNS is working
nslookup mydomain.com
nslookup -query=any _ldap._tcp.dc._msdcs.mydomain.com

Verify that the local KDC is working.  You should be able to authenticate without any errors.
/opt/novell/xad/bin/kinit Administrator@mydomain.com

Locate the domain controller for the domain and get the DC capabilities.
/opt/novell/xad/sbin/provision --locate-dc mydomain.com
Should see something like this:
Domain Services for Windows Server Provisioning Tool
Copyright (c) 2001-2007 Novell, Inc. All rights reserved.

           DC: \\dsfwserver.mydomain.com
      Address: \\10.10.10.10
     Dom Guid: c1eada0d-391c-4ca9-b488-0bdaeac11c38
     Dom Name: mydomain.com
  Forest Name: mydomain.com
 Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
        Flags: PDC GC DS LDAP KDC TIMESERV CLOSEST WRITABLE GTIMESERV DNS_DC DNS_DOMAIN DNS_FOREST

Verify that the xadsd daemon is working.
rpcclient -k ncalrpc: -c dsroledominfo
Should see something like this:
Machine Role = [5]
Directory Service is running.
Domain is in native mode.

Verify that the xadsd daemon is working via NetBIOS.
rpcclient -k localhost -c dsroledominfo
Should see something like this:
Machine Role = [5]
Directory Service is running.
Domain is in native mode.

If you get the following error:
ads_krb5_mk_req: krb5_get_credentials failed for cifs/dsfwserver.mydomain.com@MYDOMAIN.COM (Ticket expired)
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Ticket expired
failed session setup with NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE

Then obtain a fresh ticket by running:
kinit Administrator@mydomain.com

Finally, join a workstation to the domain and log in to the domain as Administrator or another provisioned user in the domain.
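As an added example (not part of this TID or of Novell's tools), the following POSIX sh script wraps the verification steps above so that a single run reports pass or fail instead of requiring each output to be read by eye. The function names, the "run" argument and the placeholder values (server IP 10.10.10.10, domain mydomain.com, user Administrator, taken from the TID's examples) are assumptions; set DSFW_IP, DSFW_DOMAIN and DSFW_USER for your own domain controller.

```shell
#!/bin/sh
# Added example (not part of the TID): wraps the TID's verification steps
# in checks that parse command output and report pass/fail.
# Placeholder values are taken from the TID's examples and are assumptions;
# override them with environment variables on a real server.
DSFW_IP="${DSFW_IP:-10.10.10.10}"
DSFW_DOMAIN="${DSFW_DOMAIN:-mydomain.com}"
DSFW_USER="${DSFW_USER:-Administrator}"

# domain_to_dn: mydomain.com -> dc=mydomain,dc=com (suffix of the search base).
domain_to_dn() {
    printf '%s\n' "$1" | sed 's/\./,dc=/g; s/^/dc=/'
}

# check_resolv IP DOMAIN: reads /etc/resolv.conf text on stdin. Passes only
# when this server's own IP is listed as a nameserver and DOMAIN is in the
# search list, which is what the TID expects on a DSFW domain controller.
check_resolv() {
    resolv_text=$(cat)
    printf '%s\n' "$resolv_text" | grep -q "^nameserver[[:space:]][[:space:]]*$1[[:space:]]*\$" || return 1
    for word in $(printf '%s\n' "$resolv_text" | awk '$1 == "search" { for (i = 2; i <= NF; i++) print $i }'); do
        [ "$word" = "$2" ] && return 0
    done
    return 1
}

# check_hosts IP: reads /etc/hosts on stdin; exactly one non-comment entry
# may carry the server's primary IP address.
check_hosts() {
    hosts_count=$(awk -v ip="$1" '$0 !~ /^[[:space:]]*#/ && $1 == ip { n++ } END { print n + 0 }')
    [ "$hosts_count" -eq 1 ]
}

# ldif_unfold: join LDIF continuation lines (leading space) back onto the
# previous line, so a wrapped dn such as the TID's sample becomes one line.
ldif_unfold() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" }
         { printf "%s", $0 }
         END { printf "\n" }'
}

# check_provisioned USER: reads ldapsearch LDIF on stdin; passes when the
# entry's dn is the user and it carries sAMAccountName equal to the user ID.
check_provisioned() {
    ldif=$(ldif_unfold)
    printf '%s\n' "$ldif" | grep -qi "^dn: cn=$1," || return 1
    printf '%s\n' "$ldif" | grep -q "^sAMAccountName: $1\$"
}

# check_dsrole: reads rpcclient dsroledominfo output on stdin.
# 0 = directory service running, 2 = Kerberos ticket expired (re-run kinit),
# 1 = anything else.
check_dsrole() {
    rpc_out=$(cat)
    if printf '%s\n' "$rpc_out" | grep -q 'Ticket expired'; then
        echo "ticket expired: run /opt/novell/xad/bin/kinit $DSFW_USER@$DSFW_DOMAIN" >&2
        return 2
    fi
    printf '%s\n' "$rpc_out" | grep -q '^Directory Service is running\.'
}

# run_checks: the live sequence from the TID, using the checks above.
run_checks() {
    . /opt/novell/eDirectory/bin/ndspath
    ndsstat || return 1
    /opt/novell/xad/bin/xadcntrl validate || return 1
    check_resolv "$DSFW_IP" "$DSFW_DOMAIN" < /etc/resolv.conf || return 1
    check_hosts "$DSFW_IP" < /etc/hosts || return 1
    export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf
    ldapsearch -Y EXTERNAL -LLL -b "cn=$DSFW_USER,cn=users,$(domain_to_dn "$DSFW_DOMAIN")" sAMAccountName \
        | check_provisioned "$DSFW_USER" || return 1
    rpcclient -k ncalrpc: -c dsroledominfo | check_dsrole || return 1
    echo "all DSFW checks passed"
}

# Only touch the live system when explicitly asked: sh dsfw-verify.sh run
if [ "${1:-}" = "run" ]; then
    run_checks
fi
```

The parsing functions read captured output on stdin, so they can be exercised against saved command output without a DSFW server; `sh dsfw-verify.sh run` executes the live sequence on the domain controller and stops at the first failing step.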