Troubleshooting DSfW sysvolsync

  • 7013046
  • 14-Aug-2013
  • 08-Jan-2019

Environment

Novell Open Enterprise Server 11 SP1 (OES11 SP1)
Domain Services for Windows
DSfW

Situation

How to troubleshoot sysvolsync
Troubleshooting DSfW sysvolsync
Troubleshooting sysvolsync

Resolution

1) Verify that port 22 is not blocked by the firewall on all DSfW servers, and that the sshd service is running and listening on port 22.

2) Enable debugging (TID 7008500)

3) Check for duplicate objectsids (TID 7011617)
If a duplicate objectsid exists on a DC object in the domain controllers container, it will cause a failure.

4) Examine /var/log/messages for errors

5) Check /var/opt/novell/xad/log/kdc.log for "Decrypt integrity check failed" errors for Domain Controllers
    Reset the Domain Controller's password from the server using the setpassword command if the "Decrypt integrity check failed" error is seen for the Domain Controller. The following command should be sufficient for the majority of configurations:

# /opt/novell/xad/sbin/setpassword -NDSOf -r -u DOMAINSERVER$ -k /var/opt/novell/xad/ds/krb5kdc/krb5.keytab 

   ...where DOMAINSERVER$ is the name of the domain controller, in all caps, followed by the $ dollar sign.

    For mixed-case Domain Controller names (DomainServer) or hyphenated names (Domain-Server):
    /opt/novell/xad/sbin/setpassword -NDSOf -r -E DomainServer,domainSERVER,DOMAINserver -k /var/opt/novell/xad/ds/krb5kdc/krb5.keytab -u DOMAINSERVER$
    /opt/novell/xad/sbin/setpassword -NDSOf -r -E Domain-Server,domain-SERVER,DOMAIN-server -k /var/opt/novell/xad/ds/krb5kdc/krb5.keytab -u DOMAIN-SERVER$

6) Verify that /etc/ssh/sshd_config has "GSSAPIAuthentication yes"
grep GSSAPIAuthentication /etc/ssh/sshd_config

7) dig -t SRV _ldap._tcp.dc._msdcs.<domain-name> +short
You can find out the shortname by running grep workgroup /etc/samba/smb.conf
Example:
dig -t SRV _ldap._tcp.dc._msdcs.dsfw-s1.dsfw.lan dsfw-s1

8) From the PDC and the ADC receiving the error, use dig and nslookup for each server's A record
dig <dsfw-server-name.domain-name>
Example:
dig dsfw-s1.dsfw.lan
nslookup dsfw-s1.dsfw.lan

9) wbinfo -i for each DSfW server
wbinfo -i dsfw-s1$

10) Check that the command "id <hostname of pdc>$" works correctly on the PDC
Example for a DSfW server with a name of dsfw-s1:
id dsfw-s1$

11) Examine the /etc/hosts file to be sure the server's IP address and name are correct.  If other DSfW servers are listed, ensure their entries are correct.
<IP Address> <Server.DomainName> <ShortName>
Example for server dsfw-s1 with domain name of dsfw.lan
192.168.0.10 dsfw-s1.dsfw.lan dsfw-s1
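
The file checks in steps 5, 6 and 11 can be scripted so that commented-out sshd directives and stale /etc/hosts lines are not mistaken for a pass. This is an added example, not part of the original TID: the function names are hypothetical, the demo data is constructed, and the kdc.log check only assumes the error text and the principal name appear on the same line.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Step 6: true only if the first active GSSAPIAuthentication directive before
# any Match block is "yes" (sshd uses the first value it reads, and a plain
# grep also matches the commented-out "#GSSAPIAuthentication yes").
gssapi_enabled() {  # usage: gssapi_enabled SSHD_CONFIG
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "gssapiauthentication" { seen = 1; ok = (tolower($2) == "yes"); exit }
        END { exit !(seen && ok) }
    ' "$1"
}

# Step 11: true if FQDN appears as "<IP> <FQDN> <ShortName>" and on no line
# with a different address or short name.
hosts_entry_ok() {  # usage: hosts_entry_ok HOSTS_FILE IP FQDN SHORTNAME
    awk -v ip="$2" -v fqdn="$3" -v short="$4" '
        { sub(/#.*/, "") }
        tolower($2) == tolower(fqdn) {
            if ($1 == ip && tolower($3) == tolower(short)) hit = 1; else bad = 1
        }
        END { exit !(hit && !bad) }
    ' "$1"
}

# Step 5: print how many kdc.log lines report the error for a principal.
decrypt_failures() {  # usage: decrypt_failures KDC_LOG 'DOMAINSERVER$'
    grep -F "Decrypt integrity check failed" "$1" | grep -ciF -- "$2" || true
}

# Demo on constructed files, so nothing on the live system is read.
demo_dir=$(mktemp -d)
printf '#GSSAPIAuthentication yes\nGSSAPIAuthentication no\n' > "$demo_dir/sshd_bad"
printf '192.168.0.10 dsfw-s1.dsfw.lan dsfw-s1\n' > "$demo_dir/hosts"
gssapi_enabled "$demo_dir/sshd_bad" || echo "GSSAPIAuthentication is not enabled"
hosts_entry_ok "$demo_dir/hosts" 192.168.0.10 dsfw-s1.dsfw.lan dsfw-s1 && echo "hosts entry OK"
rm -rf "$demo_dir"
```

On a DSfW server, point the functions at /etc/ssh/sshd_config, /etc/hosts and /var/opt/novell/xad/log/kdc.log; settings inside Match blocks are not evaluated by this check.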