Preparing for an ADC Install of Domain Services for Windows.

This document (7009927) is provided subject to the disclaimer at the end of this document.

Environment

Open Enterprise Server 11 (OES11)
Open Enterprise Server 11 SP1 (OES11SP1)
Open Enterprise Server 2 SP3 (OES2SP3)
Domain Services for Windows
DSfW

Situation

Here are some tips for a successful DSfW install of an Additional Domain Controller (ADC).

Resolution

The install of DSfW has to be done on a new OES2 server. The OES server can be configured on an existing SLES 10 server or on a new install of SLES with OES as the add-on product.

For OES2-SP2 or OES2-SP3 DSfW use SLES10-SP3.
For OES11 use SLES11-SP1.
 
eDirectory cannot be installed on the server prior to installing DSfW.

/etc/hosts should list the server's fully qualified domain name as well as the loopback address. If a 127.0.0.2 entry also exists, comment it out along with the IPv6 line (the one starting with ::1), or follow TID 7010075.
Example of an /etc/hosts for a server named server2 in the domain dsfwdomain.com:
    127.0.0.1       localhost
    192.168.0.6 server2.dsfwdomain.com server2

/etc/resolv.conf should list the IP address of the PDC DSfW server as the first nameserver. If DNS is to be configured on the ADC server, the second nameserver should be the ADC server's IP address.
Example:
    nameserver 192.168.0.5
    nameserver 192.168.0.6
    nameserver 4.2.2.2
    search dsfwdomain.com
If DNS is not running on the PDC, the install will fail. DNS has to be authoritative and primary for the zone.

Verify that the time and time zone are correct.

Perform an eDirectory health check as listed in TID 3564075.

When installing DSfW, select only the DSfW pattern. All the necessary patterns will be selected automatically. Do not uncheck any of the other patterns.

In the eDirectory configuration section, for the "IP Address of an existing eDirectory server with a replica" enter the IP address of the PDC server of the domain.  This usually means the IP address of the first DSfW server.  If installing an ADC for a child domain be sure to use the IP address of the PDC for the child domain.

Verify that the uniquedomainid attribute is present on all objects within the domain. This can be done using ldapsearch or iMonitor.

Check for objects without the uniquedomainid attribute using ldapsearch on the first DSfW server.
This search lists the objects that lack the uniquedomainid attribute and also writes the list to /tmp/uniquedomainid.txt:
    LDAPCONF=/etc/opt/novell/xad/openldap/openldap.conf ldapsearch -Y EXTERNAL -LLL -Q -b "" -s sub '(!(uniquedomainid=*))' dn uniquedomainid | tee /tmp/uniquedomainid.txt

Because this is a subtree search, the list might include objects that are not in the domain, such as the ou=configuration container or other partitions that are not part of the domain. If the base is specified as the domain name (dc=dsfwdomain,dc=com), the search on a DSfW server will be restricted to the domain.

Some key objects to check for the uniquedomainid attribute are: krbtgt, domain controller object, and the container mapped to the domain.
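The saved list from the subtree search can be narrowed to the domain and checked for the key objects without re-running ldapsearch. The script below is an added example, not part of this TID; the container suffix and the sample LDIF are constructed, and against a real dump it is run as `missing_in_domain o=novell < /tmp/uniquedomainid.txt`.

```shell
#!/bin/sh
# Added example, not part of the TID: filter the LDIF saved from the subtree
# search down to the objects that belong to the domain, then report whether the
# three key objects (krbtgt, a domain controller, the mapped container) are
# among the ones still lacking uniquedomainid. Suffix and sample LDIF are constructed.

# Read LDIF from stdin and print every DN (case preserved) that ends with the
# given container suffix (compared case-insensitively) and that carries no
# uniquedomainid value. Wrapped dn lines (LDIF continuation) are re-joined.
missing_in_domain() {
    awk -v sfx="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        function flush(   d) {
            if (dn != "" && !has) {
                d = tolower(dn)
                if (d == sfx || substr(d, length(d) - length(sfx)) == "," sfx) print dn
            }
            dn = ""; has = 0; indn = 0
        }
        /^dn: /             { flush(); dn = substr($0, 5); indn = 1; next }
        /^ /                { if (indn) dn = dn substr($0, 2); next }
        /^uniquedomainid: / { has = 1; indn = 0; next }
        /^$/                { flush(); next }
        { indn = 0 }
        END                 { flush() }'
}

# Same input and suffix; prints only the key objects named in the TID that still
# lack the attribute, and prints nothing when all three are fine.
key_objects_missing() {
    missing_in_domain "$1" | grep -Ei "^(cn=krbtgt,cn=users,|cn=[^,]+,ou=domain controllers,|$1\$)" || true
}

# Constructed sample: what the subtree search might save to /tmp/uniquedomainid.txt,
# including one object from another partition and one wrapped dn line.
SAMPLE_LDIF='dn: cn=krbtgt,cn=Users,o=novell

dn: cn=jdoe,cn=Users,o=novell
uniquedomainid: 1049077

dn: cn=DSFW-s1,ou=Domain Controllers,o=novell

dn: ou=sales,o=acme

dn: cn=a-very-long-name,ou=Computers,
 o=novell
'

printf '%s\n' "$SAMPLE_LDIF" | missing_in_domain o=novell
printf '%s\n' "$SAMPLE_LDIF" | key_objects_missing o=novell
```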

ldapsearch can be used to check these individual objects.
The ldapsearch examples below assume:
domain name = novell.com
container mapped to the domain = o=novell
DSfW server = dsfw-s1

Example of an ldapsearch for the container mapped to the domain, successfully returning the uniquedomainid on that container:
    LDAPCONF=/etc/opt/novell/xad/openldap/openldap.conf ldapsearch -Y EXTERNAL -LLL -Q -b "o=novell" -s base dn uniquedomainid
    dn: o=novell
    uniquedomainid: 1049076

Example of an ldapsearch for the Domain Controller object, successfully returning the uniquedomainid on the Domain Controller object:
    LDAPCONF=/etc/opt/novell/xad/openldap/openldap.conf ldapsearch -Y EXTERNAL -LLL -Q -b "cn=dsfw-s1,ou=domain controllers,dc=novell,dc=com" -s base dn uniquedomainid
    dn: cn=DSFW-s1,ou=Domain Controllers,o=novell
    uniquedomainid: 1049076

Example of an ldapsearch for the krbtgt object, successfully returning the uniquedomainid on the krbtgt object:
    LDAPCONF=/etc/opt/novell/xad/openldap/openldap.conf ldapsearch -Y EXTERNAL -LLL -Q -b "cn=krbtgt,cn=users,dc=novell,dc=com" -s base dn uniquedomainid
    dn: cn=krbtgt,cn=Users,o=novell
    uniquedomainid: 1049076

Reset the Tree Admin and Administrator passwords, or check the password expiration dates of the Tree Admin and Administrator accounts. By default the Administrator password is set not to expire, but that setting only applies when NMAS authentication is used. During the install an NCP authentication will be attempted for admin and Administrator. If either of these users reports a password expiration date older than the current date, authentication will fail and the install will fail.

To check if the password is expired, log in to iManager | Directory Administration | Modify Object | select Administrator under the cn=users container | Restrictions tab | verify that the date under "Date password expires:" is not older than the current date. If it is, set the password for the user. Unless your password policy enforces a password history, the same password can be used. See TID 7011732.

Additional Information

ldapsearch can be used on an eDirectory server as well. Be sure to use the eDirectory ldapsearch tool located at /opt/novell/eDirectory/bin/ldapsearch.

Example:
/opt/novell/eDirectory/bin/ldapsearch -x -LLL -h 127.0.0.1 -p 636 -D cn=admin,o=novell -w novell -E /etc/opt/novell/certs/SSCert.der -b "o=novell" -s base dn uniquedomainid

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7009927
  • Creation Date: 24-DEC-11
  • Modified Date: 16-APR-13
  • Products: Novell Open Enterprise Server, NetIQ eDirectory