khurni Trusted Contributor.

Slow sync of one partition only

Well here goes.

We have no support with NetIQ/MF (not my decision)

3 Servers in the tree.  All are OES 11 SP2 64-bit

Server1= DS Master replica

Server2=RW replica server and runs our IDM engine/drivers

Server3=RW replica server

Long story short:

Yesterday passwords weren't able to be changed (Novell Client, iManager, or SSPR).  The NMAS policy is assigned to the "login" thingy in the Security Container.  The Security container is its own partition and hadn't been synced for 18 hours according to iMonitor.

ndsd.log showed that "maximum number of transaction exceeded" and gave all indication of KB 7002658

So ran that, bounced the server and things seemed to clear up over the next few hours.

However:

ONLY the IDM "null/loopback" driver reports (the eDir-eDir driver does not):

Code(-9006) The driver returned a "retry" status indicating that the operation should be retried later. Detail from driver: Code(-9011) eDirectory returned an error indicating that the operation should be retried later: novell.jclient.JCException: modifyEntry -659 ERR_TIME_NOT_SYNCHRONIZEDDirXML

 

Further, the helpdesk aren't able to unlock accounts (intruder lockout) and users cannot change passwords (these two are "random" as eventually it worked yesterday afternoon).  The error the staff get in iManager is that things aren't synchronized.

NDSREPAIR check sync status shows zero errors.

iMonitor reports (all day yesterday and today) that the security partition "oldest successful sync" almost never gets below 45 minutes, and its max ring delta never drops below 14 minutes.  All of the other 58 partitions or so are fine and well below these values.

I have no idea why just this one partition is "slow" to sync, but of course it's the important one for passwords.

Any ideas/suggestions?

Knowledge Partner

Re: Slow sync of one partition only

Wow. You guys actually hit the 32-bit int limit on transactions? Or at least got close enough to get the warning message. Wow. How old is that tree, or conversely how busy is that tree? That is cool.

As for the real problem, I doubt that the Security container syncing is an issue. What changes are occurring in that container that need to be updated to other replicas? (Unless you individually assign password policies to users instead of containers).

 

khurni Trusted Contributor.

Re: Slow sync of one partition only

Ha, actually have hit the limit once before (same tree), but it might've been NetWare at the time.

Very busy tree.

 

Anyhoo:

Pretty much other things seem to sync OK (ie, you make a change, it replicates over to eDir Vault and over to AD very quickly).

I think the issue (well maybe the indication of the issue) is that ONLY the .Security partition has a max delta ring of anything more than a few seconds.

So, on a whim I ran an NDSREPAIR -P and repaired just that partition.

It says there's illegal timestamps of:

July 3, 2019 19:30

I vaguely recall after bouncing the server, that it came up with time in the "future" for about 2 minutes before NTP synced up.

So now I'm wondering if that's really the ultimate issue (although why other things don't have a problem I don't know).

Other partitions also have "illegal" timestamps of July 3rd, 2019 19:30

 

So if it's "future" timestamps, the question then becomes:

sit and wait until 19:30

or do the "I don't really wanna" repair timestamps and declare new epoch?

 

For the Security object, the NMAS policy (there's like 5 of them) that's the main one is assigned to the .Login Policy.Security

The "never expire password" is assigned to 78 individual user accounts.

There's another one assigned to a container

the IDM driver password policy is assigned to the IDM Drivers ou.

The DirXML password policy (from the olden days) is assigned to the IDM drivers object in the IDM drivers ou.

 

 

Knowledge Partner

Re: Slow sync of one partition only

Synthetic time is WAY easier to fix by simply waiting, especially since it is like 9 hours away.

Do NOT declare a new epoch, if you can wait it out.

So if the objects in the Security are not changing, it does not matter if they are syncing or not. I.e. No changes so it should not matter.

khurni Trusted Contributor.

Re: Slow sync of one partition only

Thanks Geoff,

We have tomorrow off, so I'll know Friday morning if all is well/better.

Fingers crossed!

 

khurni Trusted Contributor.

Re: Slow sync of one partition only

Just an FYI, things resolved themselves (LOL).

I have to double-check some of the time settings when I can put a change control item in, but I know two settings were "no":

NTPD_FORCE_SYNC_ON_STARTUP = "no"

and

NTPD_FORCE_SYNC_HWCLOCK_ON_STARTUP = "no"

I'll change both to "yes" and bounce the server and get into the BIOS (well it's a VM in Vmware) to adjust/double-check the clock.

 

hwclock was set to -u

and systohc = yes

 

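An added example, not part of the thread or any poster's own code: a POSIX shell check that reads the startup time settings named in the post above and flags the two force-sync options when they are not "yes", the value the poster plans to set. The function names are hypothetical, the sample files are constructed, and the real locations are assumed to be /etc/sysconfig/ntp and /etc/sysconfig/clock on SLES 11 / OES 11.

```shell
#!/bin/sh
# Added example: audit the startup time settings discussed in the thread.
# Assumed real paths: /etc/sysconfig/ntp and /etc/sysconfig/clock.

# Print the value of KEY in a sysconfig-style FILE; the last assignment wins.
sysconfig_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null |
        tail -n 1 | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# Report each setting; return 1 if a force-sync option is not "yes".
check_time_settings() {
    ntp_file=$1 clock_file=$2 rc=0
    for key in NTPD_FORCE_SYNC_ON_STARTUP NTPD_FORCE_SYNC_HWCLOCK_ON_STARTUP; do
        val=$(sysconfig_value "$ntp_file" "$key")
        if [ "$val" = "yes" ]; then
            echo "OK    $key=$val"
        else
            echo "WARN  $key=${val:-<unset>} (expected yes)"
            rc=1
        fi
    done
    # HWCLOCK and SYSTOHC are reported as-is; the thread gives no target value.
    for key in HWCLOCK SYSTOHC; do
        echo "INFO  $key=$(sysconfig_value "$clock_file" "$key")"
    done
    return $rc
}

# Constructed sample files mirroring the values quoted in the post.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '## constructed sample' 'NTPD_FORCE_SYNC_ON_STARTUP="no"' \
        'NTPD_FORCE_SYNC_HWCLOCK_ON_STARTUP="no"' > "$d/ntp"
    printf '%s\n' 'HWCLOCK="-u"' 'SYSTOHC="yes"' > "$d/clock"
    echo "$d"
}

sample=$(make_sample)
check_time_settings "$sample/ntp" "$sample/clock" || echo "time settings need review"
rm -rf "$sample"
```

On a live server, call `check_time_settings /etc/sysconfig/ntp /etc/sysconfig/clock` after each change so a reverted setting is caught before the next reboot.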
Knowledge Partner

Re: Slow sync of one partition only

I had a server coming up on the wrong time before and it happened EVERY time that it was half an hour in the future that had the server rather sluggish for the users with eDir at a very high CPU.   It ended up being a virtualization time setting on vSphere for this guest that had gotten corrupted. Fixing that got it starting correctly.  I would recommend going over those time settings and re-saving them to make sure they are correct.

 

___
Andy of Konecny Consulting in Toronto
JoeSullivan Frequent Contributor.

Re: Slow sync of one partition only

I've encountered the transaction limit 4 or so times in one environment.... poorly written application.

Knowledge Partner

Re: Slow sync of one partition only

Wow! Really? 4 billion transactions, 4 times. That is astonishingly poorly written.

I.e. Thinking about how I might do it on purpose, 16 billion transactions would just take so long to accomplish.

 
