Highlighted
Absent Member.
Absent Member.
376 views

basic eDirectory Health Check


Good day,

I have asked to perform some basic health checks on my customers
eDirectory environment, and I would like to know what beyond the
"ndsrepair" options are available?

I have not really used iMonitor very much, not much more than the
basics, and I did just start investigating the "ndscheck" tool.
https://www.netiq.com/documentation/edir88/edirin88/data/bqq7dom.html ,


Is there some documentation available especially on iMonitor that I can
start working through?

Basically we are seeing (or at least it is being reported ) that users
are being asked to change their passwords, though they are not close to
expiring, and users are having some password sync issues. When looking
in iMonitor I don't see any "Errors" but I do see that the "Oldest
Successful Sync" was 50 minutes (though with the size of the customer
that might not be out of the ordinary)

Thanks for any assistance offered,

-DS


--
dschaldenovell
------------------------------------------------------------------------
dschaldenovell's Profile: https://forums.netiq.com/member.php?userid=205
View this thread: https://forums.netiq.com/showthread.php?t=50824

Labels (1)
0 Likes
7 Replies
Highlighted
Absent Member.
Absent Member.

Re: basic eDirectory Health Check

On 05/12/2014 07:24 AM, dschaldenovell wrote:
>
> Good day,
>
> I have asked to perform some basic health checks on my customers
> eDirectory environment, and I would like to know what beyond the
> "ndsrepair" options are available?


iMonitor is the way to go for everything, unless you want to do a time
sync check, though arguably I'd stop using ndsrepair for that and instead
use the ntp commands like ntpq instead since time is, and always has been,
an OS function.

> I have not really used iMonitor very much, not much more than the
> basics, and I did just start investigating the "ndscheck" tool.
> https://www.netiq.com/documentation/edir88/edirin88/data/bqq7dom.html ,


Run the reports. They can be useful, especially for obituaries when
comparing the time for that to run vs. how long ndsrepair takes to get the
same data.

> Is there some documentation available especially on iMonitor that I can
> start working through?


Besides the iMonitor documentation? Have you done a health check before
at all?

> Basically we are seeing (or at least it is being reported ) that users
> are being asked to change their passwords, though they are not close to
> expiring, and users are having some password sync issues. When looking
> in iMonitor I don't see any "Errors" but I do see that the "Oldest
> Successful Sync" was 50 minutes (though with the size of the customer
> that might not be out of the ordinary)


Anything less than an hour is fine. If you want it to go down right now,
run 'set dstrace=*h' in ndstrace.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
0 Likes
Highlighted
Absent Member.
Absent Member.

Re: basic eDirectory Health Check

On Mon, 12 May 2014 13:24:02 +0000, dschaldenovell wrote:

> I have asked to perform some basic health checks on my customers
> eDirectory environment, and I would like to know what beyond the
> "ndsrepair" options are available?


One of the ways I've always done health checks (since iMonitor came out,
anyways) is to go to a server that holds a copy of [Root] and click
"Agent Health".

Then go to "Known Servers" and you'll see a list of all the servers in
the tree. Go to "Agent Health," check the status, and then go back (alt
+left arrow) and do the next server.

Not any issues that are reported, drilling deeper if necessary to
diagnose and identify the issues.

Jim

--
Jim Henderson, CNA6, CDE, CNI, LPIC-1, CLA10, CLP10
Novell/SUSE/NetIQ Knowledge Partner
0 Likes
Highlighted
Absent Member.
Absent Member.

Re: basic eDirectory Health Check


Password sync issues are frequently due to timesync problems, in my
experience. Run ndsrepair -T and post the output here please.

In iMon you should look for Maximum Ring Delta; if that's more than an
hour you have a Transitive Vector problem and need to run ndsrepair -ANT
on all servers in the affected replica ring at the same time.


--
ataubman
------------------------------------------------------------------------
ataubman's Profile: https://forums.netiq.com/member.php?userid=301
View this thread: https://forums.netiq.com/showthread.php?t=50824

0 Likes
Highlighted
Absent Member.
Absent Member.

Re: basic eDirectory Health Check


Good day,

When I ran the ndsrepair -T I did receive a pair of errors, Total Errors
: 2

I can see a wide and varied mixture of eDirectory versions, the customer
is really all over the board with their patching procedures, is there
something specific that your seeking, and I can provide that as needed.
We have a huge tree, and the output is quite long.

If I understand the above ndsrepair switches options,

-A Append to the Existing Log File
-N Servers known to this Database
-T Time Synchronization

Does the above command bring all the servers (in the affected Replica
Ring) back into time, or does that clear up the Transitive Vector
problem?

Thank you,


--
dschaldenovell
------------------------------------------------------------------------
dschaldenovell's Profile: https://forums.netiq.com/member.php?userid=205
View this thread: https://forums.netiq.com/showthread.php?t=50824

0 Likes
Highlighted
Absent Member.
Absent Member.

Re: basic eDirectory Health Check

On Thu, 15 May 2014 15:04:01 +0000, dschaldenovell wrote:

> Total Errors :
> 2


What were the errors that were reported?

Jim



--
Jim Henderson, CNA6, CDE, CNI, LPIC-1, CLA10, CLP10
Novell/SUSE/NetIQ Knowledge Partner
0 Likes
Highlighted
Absent Member.
Absent Member.

Re: basic eDirectory Health Check

On Thu, 15 May 2014 15:04:01 +0000, dschaldenovell wrote:

> Good day,
>
> When I ran the ndsrepair -T I did receive a pair of errors, Total Errors
> : 2


Post the output. It's probably important. These errors will need to be
resolved before you can continue.


> I can see a wide and varied mixture of eDirectory versions, the customer
> is really all over the board with their patching procedures, is there
> something specific that your seeking, and I can provide that as needed.


Different versions are generally ok. Only if you find something really
old or weird would I worry about that.


> We have a huge tree, and the output is quite long.


Use pastebin.com or susepaste.org and put the URL here. It's ok, we don't
mind it being long.


> If I understand the above ndsrepair switches options,
>
> -A Append to the Existing Log File
> -N Servers known to this Database
> -T Time Synchronization


-ANT is an option unto itself that deals with repairing transitive vector
errors. You may or may not need it. I'd want to see the errors from the
Timesync check resolve before I'd try to fix anything else.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.
0 Likes
Highlighted
Absent Member.
Absent Member.

Re: basic eDirectory Health Check


Again, please post the whole output from the -T run. The errors are less
important that whether anyone's not in perfect timesync.

-ANT is not a cumulative of A N and T , amusing idea though that is! See
https://www.novell.com/support/kb/doc.php?id=7000563 . This is only
relevant if you have a Ring Delta issue, as I said.


--
ataubman
------------------------------------------------------------------------
ataubman's Profile: https://forums.netiq.com/member.php?userid=301
View this thread: https://forums.netiq.com/showthread.php?t=50824

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.