Troubleshooting eDirectory on Linux and Solaris

This section includes information for troubleshooting eDirectory on Linux or Solaris networks.

eDirectory

Novell Public Key Infrastructure Services

NMAS on UNIX

LDAP Services

Novell Import Convert Export Utility

Installation and Configuration

Using ndsrepair

Using ndstrace

eDirectory

Repeated eDirectory logins can use up the available memory. Disable the "Login Update" attribute using ndsimonitor to overcome this problem.

Novell Public Key Infrastructure Services

PKI Operations Not Working

If PKI operations on ConsoleOne are not working, it could be because Novell PKI Services are not running on the Linux or Solaris host. Start the PKI Services by entering npki -1.

If you cannot create certificates, you need to ensure that the NICI module has been properly installed. See Initializing the NICI Module on the Server. To verify if NICI is initialized, see Verifying Whether NICI Is Installed and Initialized on the Server.

LDAP Search from Netscape Address Book Fails

If you are using an export version of the Netscape browser and a KMO key size larger than 512 bits associated with the LDAP server object, the LDAP search from the Netscape Address Book might fail.

Use a domestic version of the Netscape browser in such cases.

Removing the configuration of an eDirectory server that is acting as a treekey server in a multiserver tree after having moved the existing eDirectory objects to a different server, fails with the error code for "Crucial Replica."

To complete the operation, change the Key Server DN attribute in the W0 object under Security Container > KAP to another server in the tree that has downloaded the treekey from this server.

To change the server holding the Key Server DN attribute,

From ConsoleOne, select the Security Object > KAP > W0.

Right-click W0 > select Properties > Other.

Select a different server for the attribute NDSPKI:SD Key Server DN.

While Uninstalling the eDirectory Server holding the CA, the KMOs created on that server will be moved to another server in the tree and become invalid

You should recreate the CA and KMOs for the tree.

We recommend that you do not uninstall the eDirectory server on which the CA for the tree has been created.

The Certificate Authority does not get created on a Solaris or Linux machine where ConsoleOne 1.3.2 is installed on the Windows ConsoleOne

To create Certificate Authority, in the dialog box to create Certificate Authority in ConsoleOne, uncheck the Allow Private Key to be Exported radio button.

NMAS on UNIX

Unable to Log in Using Any Method

After installing and configuring NMAS, restart NDS Server.

After reinstalling a method after you have uninstalled a previous instance of that method, restart NDS Server.

The User Added Using the ICE Utility is Unable to Login Using Simple Password

While adding users with simple passwords through the Novell Import Conversion Export utility, use the -l option.

LDAP Services

This section identifies some common problems you might experience with LDAP Services for eDirectory and how to solve them.

Ensure that the LDAP server is up before issuing a request from an LDAP client. To do so, look for the following message in the /var/nds/ndsd.log:

LDAP v3 for Novell eDirectory 8.6.1 started

For more information, see LDAP Services for Novell eDirectory.

LDAP Clients Cannot Bind to LDAP Services for eDirectory

If an LDAP client cannot bind to LDAP Services for eDirectory, check the following:

Is the user entering the correct username and password?

Is the user entering an LDAP form of the name?

Has the password expired?

Has the server been reconfigured?

LDAP Server Isn't Using a New Configuration

Processing LDAP server configuration updates can be affected by currently bound LDAP clients.

Configuration changes are updated dynamically. The LDAP server checks for configuration changes periodically (every thirty minutes). When a change is detected, new clients cannot bind to the LDAP server during the reconfiguration process.

The LDAP server stops processing new LDAP requests for any clients currently bound and waits for any active LDAP requests to complete before updating the configuration.

LDAP operations fail when a tree is renamed using the ndsmerge utility. To work properly, the LDAP server must be refreshed or restarted after a tree is renamed.

Failure of Secure LDAP Connection

Ensure the following:

The Certificate Authority and the Key Material object (KMO) have been created for the LDAP server.

The KMO has been associated with the LDAP server.

The specified CA expiration date has not elapsed. Verify whether the system date exceeds the expiration date.

The LDAP server is listening on the secure LDAP port. The default is 636.

SSL is enabled for LDAP server object in ConsoleOne.

For more information, see Ensuring Secure eDirectory Operations on Linux and Solaris Systems.

Novell Import Convert Export Utility

If an LDAP server is refreshed or unloaded, while a Novell Import Conversion Export operation is running, thee "LBURP operation is timed out" message displays on the Novell Import Conversion Export screen. The server recovers later, when the LBURP operation times out.

ndsmerge Utility

The PKI servers are not active after a merge operation. They must be restarted using the npki -l command.

Merge operations might not be successful on different versions of the product. If your server is running an older version of NDS or eDirectory, update to the latest version of eDirectory, then continue the merge operations.

The merging of two trees will not succeed if containers with similar names subordinate to a tree are present in both the source and target trees. Rename one of the containers, then continue with the merge operation.

During the graft operation, error message -611 Illegal Containment might appear. Modify the schema by running ndsrepair(1). Run ndsrepair -S, then select Optional Schema Enhancements.

ndstrace Utility

When you turn on the ndstrace(1) screen, an error message might be displayed indicating that a primary object is invalid for the reference link. You can ignore this message if eDirectory is functioning correctly.

ndsindex Utility

While adding indexes, if you select an attribute that is not defined in the eDirectory schema, the index is displayed in the Bringing Online state forever. Remove this using the Delete option in the ndsindex utility.

ndsbackup Utility

While backing up eDirectory, "NDS Error: Connect to NDS server failed" might be displayed. This might be cause by eDirectory listening on a port other than the default port 524. Enter the port number on which eDirectory has been configured on the command line.For example, if eDirectory is configured on port number 1524, enter the following:

ndsbackup sR 164.99.148.82:1524

Installation and Configuration

Installation Not Successful

Check for the following error message in the /var/adm/messages directory:Unable to bind to SLP Multicast Address. Multicast route not added?

This message is displayed if the Linux or Solaris machine is not configured for a multicast route address.

Add the multicast route address and restart the slpuasa daemon.

If the "-632: Error description System failure" error message appears during installation, exit from the installation process.
Set the n4u.base.slp.max-wait parameter to a larger value, such as 50, in the /etc/nds.conf file, then restart the installation process.

If you are installing eDirectory into a NetWare 5.1 tree, upgrade the eDirectory Master to NetWare 5.1 Support Pack 2a.
For more information, see Installing eDirectory for NetWare.

If you tried to upgrade an eDirectory for Solaris 2.0 installation and it was not successful, the installation might not complete the second time.
Delete the /var/nds/.n4s_upgrade file and try the installation again.

During installation, if the "Tree Name Not Found" error message is displayed, do the following:

Installation Takes a Long Time

When you are installing eDirectory into an existing tree and the installation takes a long time to complete, look at the DSTrace screen on the server. If the "-625 Transport failure" message is displayed, you need to reset the address cache.

To reset the address cache, enter the following command at the system console:

set dstrace = *A

Unable to Install into an Existing Tree over the WAN

You need a NetWare 5 or later server to install eDirectory on a Linux or Solaris system over the WAN.

Use the following procedure:

Enter the following command at the server console to run the Directory Agent (DA) on the NetWare server:

slpda

On the server containing the master replica, edit the DA_ADDR parameter in slpuasa.conf:

DA_ADDR = IP_address_of_the_NetWare_server_where_the_DA_is_ running

Restart the slpuasa daemon.

Install eDirectory over the WAN on the Linux or Solaris system.

Run nds-install to add the product packages.

Do not configure the product. See Linux and Solaris Packages for Novell eDirectory for more information.

Edit the/etc/nds.conf and add the following parameters:

n4u.uam.ncp-retries = 5 n4u.base.slp.max-wait = 20

Edit the /etc/slpuasa.conf to add the following parameter:

DA_ADDR = IP_address_of_the_NetWare_server_where_ the_DA_is_running

Run ndsconfig to configure eDirectory.

Using ndsrepair

Use the ndsrepair utility at the server console to do the following:

Correct eDirectory problems such as bad records, schema mismatches, bad server addresses, and external references.

Make advanced changes to the eDirectory schema.

Perform the following operations on the eDirectory database:

Check the structure of the database automatically without closing the database and without database intervention.

Check the database index.

Repair the database without closing the database and locking out users.

Reclaim free space by discarding empty records.

Syntax

To run ndsrepair, use the following syntax:

ndsrepair {-U| -P| -S| -C| -E| -N| -T| -J <entry_id>} [-A <yes/no>] [-O <yes/no>] [-F filename] [-Ad]

ndsrepair -R [-l <yes/no> [-u <yes/no>] [-m <yes/no>] [-i <yes/no>] [-f <yes/no>] [-d <yes/no>] [-t <yes/no>] [-o <yes/no>] [-r <yes/no>] [-v <yes/no>] [-c <yes/no>] [-A <yes/no>] [-O <yes/no>] [-F filename]

IMPORTANT: The -Ad option should not be used without prior direction from Novell Technical Services personnel.

Table 145. ndsrepair Options

Option	Description
-U	Unattended Full Repair option. Instructs ndsrepair to run and exit without further user intervention. This is the suggested means of repair unless you are told by Novell Technical Support to perform certain operations manually. You can view the log file after the repair has completed to determine what changes ndsrepair has made.
-P	Replica and Partition Operations option. Lists the partitions that have replicas stored in the current server's eDirectory database files. The Replica options menu provides options to repair replicas, cancel a partition operation, schedule synchronization, and designate the local replica as the master replica. For more information, see Replica and Partition Operations Option.
-S	Global Schema Operations option. This option contains several schema operations that might be necessary to bring the server's schema into compliance with the master of the Tree object. However, these operations should be used only when necessary. The local and unattended repair operations already verify the schema.
-C	Check External Reference Object option. Checks each external reference object to determine if a replica containing the object can be located. If all servers that contain a replica of the partition with the object are inaccessible, the object will not be found. If the object cannot be found, a warning is posted.
-E	Report Replica Synchronization option. Reports replica synchronization status for every partition that has a replica on the current server. This operation reads the synchronization status attribute from the replica's Tree object on each server that holds replicas of the partitions. It displays the time of the last successful synchronization to all servers and any errors that have occurred since the last synchronization. A warning message is displayed if synchronization has not completed within twelve hours.
-N	Servers Known to This Database option. Lists all servers known to the local eDirectory database. If your current server contains a replica of the Tree partition, this server displays a list of all serves in the eDirectory tree. Select one server to cause the server options to be executed.
-J	Repairs a single object on the local server. You will need to provide the Entry ID (in hexadecimal format) of the object you want to repair. You can use this option instead of using the Unattended Repair (-U) option to repair one particular object that is corrupted. The Unattended Repair option can take many hours depending on the size of database. This option will help you save time.
-T	Time Synchronization option. Contacts every server known to the local eDirectory database and requests information about each server's time synchronization status. If this server contains a replica of the Tree partition, then every server in the eDirectory tree will be polled. The version of eDirectory that is running on each server is also reported.
-A	Append to the existing log file. The information is added to the existing log file. By default, this option is enabled.
-O	Logs the output in a file. By default, this option is enabled.
-F filename	Logs the output in the specified file.
-R	Repair the Local Database option. Repairs the local eDirectory database. Use the repair operation to resolve inconsistencies in the local database so that it can be opened and accessed by eDirectory. This option has suboptions that facilitate repair operations on the database. This option has function modifiers which are explained in Table 146, Function Modifiers Used with the -R Option.

The function modifiers used with the -R option are described below:

Table 146. Function Modifiers Used with the -R Option

Option	Description
-l	Locks the eDirectory database during the repair operation.
-u	Uses a temporary eDirectory database during the repair operation.
-m	Maintains the original unrepaired database.
-i	Checks the eDirectory database structure and the index.
-f	Reclaims the free space in the database.
-d	Rebuilds the entire database.
-t	Performs a tree structure check. Set it to Yes to check all the tree structure links for correct connectivity in the database. Set it to No to skip the check. The default is Yes.
-o	Rebuilds the operational schema.
-r	Repairs all the local replicas.
-v	Validates the stream files.
-c	Checks local references.

Global Schema Operations

You can use the ndsrepair -S ([-Ad] advanced switch) option to display a list showing all the schema operations that you can perform. The following table shows the available options:

Table 147. Global Schema Operation Options

Option	Description
Request Schema from Tree	Requests the master replica of the root of the tree to synchronize its schema to this server. Any changes to the schema will be propagated to this server from the master replica of the Tree object for the next 24 hours. If all servers request the schema from the master replica, network traffic can increase.
Reset Local Schema	Invokes a schema reset that clears the time stamps on the local schema and requests an inbound schema synchronization. This option is unavailable if executed from the master replica of the Tree partition. This is to ensure that all servers in the tree are not reset at the same time.
Post NetWare 5 Schema Update	Extends and modifies the schema for compatibility with Post NetWare 5 DS changes. This option requires that the server where ndsrepair is run contains a replica of the Tree partition, and that the state of the replica is On.
Optional Schema Enhancements	Extends and modifies the schema for containment and other schema enhancements. This option requires this server to contain a replica of the Tree partition, and the replica state must be On. In addition, all NetWare 4.x servers in the tree must have the following versions of eDirectory: NetWare 4.10 server must have NDS 5.17 or later NetWare 4.11/4.2 servers must have NDS 6.03 or later Previous versions of NDS will not be able to synchronize these changes
Import Remote Schema (Advanced Switch Option)	Select an eDirectory tree that contains the schema you want to add to the schema of the current tree. Once you select a tree, the server that holds the master replica of the Tree partition is contacted. The schema from that server will be used to extend the schema on the current tree.
Declare a New Epoch (Advanced Switch Option)	When you declare a new schema epoch, the master replica of the Tree partition is contacted and illegal time stamps are repaired on the schema declared on that server. All other servers will receive a new copy of the schema including the repaired time stamps. If the receiving server contains a schema that was not in the new epoch, objects and attributes that use the old schema will be changed to the Unknown object class or attribute.

Replica and Partition Operations Option

Enter the following command to display information about each replica stored on the server:

ndsrepair -P

Select the required replica. The following options are displayed:

Repair All Replicas

Repairs all replicas displayed in the replica table.

Repair Selected Replica
Repairs only the selected replica listed in the replica table.

IMPORTANT: Repairing a replica consists of checking each object in the replica for consistency with the schema and data according to the syntax of the attribute. Other internal data structures associated with the replica are also checked. If you have not repaired the local eDirectory database in the last 30 minutes, you should do so before repairing any replicas.

Schedule Immediate Synchronization
Schedules the immediate synchronization of all the replicas. This is useful if you are viewing the ndstrace screen and want to view eDirectory information for the synchronization process without having to wait for it to run as normally scheduled.

Cancel Partition Operation
Cancels a partition operation on the selected partition. This option might be necessary if an operation appears to be incomplete or is not completing due to problems in the eDirectory tree, such as a missing server or bad communication links. Some operations might not be canceled if they have progressed too far.

Designate This Server as the New Master Replica
Designates the local replica of the selected partition as the new master replica. Use this option to designate a new master replica if the original master replica is lost.

Report Synchronization Status of All Servers
Reports replica synchronization status of all partitions on the current server. It displays the time of the last successful synchronization to all servers and any errors that have occurred since the last synchronization.

Synchronize the Replica on All Servers
Determines the complete synchronization status on every server that has a replica of the selected partition. This helps you determine the health of a partition. If all of the servers with a replica of the partition are synchronizing properly, then the partition is considered healthy. Each server performs an immediate synchronization to every other server in the replica ring. Servers do not synchronize to themselves. Therefore, the status for the current server's own replicas is displayed as Host.

Repair Ring, All Replicas
Repairs the replica ring of all the replicas displayed in the replica table.

Repair Ring, Selected Replica
Repairs the replica ring of selected replica listed in the replica table.

IMPORTANT: Repairing a replica ring consists of checking the replica ring information on each server that contains a replica of a given partition and validating remote ID information. If you have not repaired the local eDirectory database in the last 30 minutes, you should do so before repairing all or selected rings. You can repair the local database using the -R option. For more information, see -R.

View Replica Ring
Displays a list of all servers that contain a replica of the selected partition. This set of servers is called the replica ring. The replica ring list shows information about the type of replica and current status for each server in the ring. Select a server after viewing the replica ring to view server options.
Server Options
- Synchronize the Replica on the Selected Server
  Determines the complete synchronization status on the selected server that has a replica of the selected partition. This helps you determine the health of a partition. If the server with a replica on the partition is synchronizing properly, the partition is considered healthy. The server is immediately synchronized to every other server in the replica ring. The server does not synchronize with itself. Therefore, the status for the current server's own replica is displayed as Host.
- Send All Objects to Every Replica in the Ring
  Sends all objects from the selected server in the replica ring to all other servers that contain a replica of the partition. This operation can generate a lot of network traffic. Use this option to ensure that the selected partition's replica on the selected server in the replica ring is synchronized with all other servers in the replica ring. This operation cannot be performed on a server that contains only a subordinate reference replica of the partition.
- Receive All Objects from the Master to This Replica
  Receives all objects from the master replica to the replica on the selected servers. This operation can generate a lot of network traffic. Use this option to ensure that the selected partition's replica on the selected server in the replica ring is synchronized with the master replica. This operation cannot be performed on a server that contains only a master replica.
- View Entire Server's Name
  Used to view the complete server name when the width of the server name is too long to view from within the server table.
- Remove This Server from Replica Ring
  (Advanced switch option.) Removes a selected server from the selected replica stored on the current server. If a server appears in the replica ring but it is no longer part of the eDirectory tree or no longer contains a replica of the partition, delete the Server object using ConsoleOne. Once the Server object has been deleted, the object should eventually be excluded from the replica ring.
  
  WARNING: Misuse of this operation can cause irrevocable damage to the eDirectory database. You should not use this option unless directed by Novell Technical Services personnel.

View Entire Partition Name

Determines the complete distinguished partition name when the width of the partition is too long to view from within the replica table.

Repair Time Stamps and Declare a New Epoch

(Advanced switch option.) Provides a new point of reference to the master replica so that all updates to replicas of the selected partition are current. This operation is always performed on the master replica of a partition. The master replica does not need to be in the local replica on this server. Time stamps are placed on objects when they are created or modified and must be unique. All time stamps in a master replica are examined. If any time stamps are post-dated to the current network time, they are replaced with a new time stamp.

Destroy the Selected Replica on This Server

(Advanced switch option.) Removes the selected replica on this server. Using this option is not recommended. Use this option only when all other utilities are unable to delete the replica.

Delete Unknown Leaf Objects

(Advanced switch option.) Deletes all objects in the local eDirectory database that have the unknown object class and maintain no subordinate objects. This option marks Unknown objects for deletion. The deletion will later be synchronized to other replicas in the eDirectory tree.

WARNING: Use this option only when the objects cannot be modified or deleted using ConsoleOne.

Options on Servers Known to This Database

The following repair options are available for servers:

Repair All Network Address

Checks the network address for every server in the local eDirectory database. This option searches the SLP directory agent, depending on the transport protocol available, for each server's name. Each address is then compared to the Server object's network address property and the address record of each replica property of every partition Tree object. If the addresses are different, they are updated to be the same.

Repair Selected Server's Network Address
Checks the network address for a specific server in the local eDirectory database files. This option searches the SLP directory agent, depending on the transport protocols currently bound for the server's name.

View Entire Server's Name
Displays the complete name of the server when the width of the server name is too long to view from within the server's table. This option is the same as the -P option. For more information, see -P.

Examples

To perform an unattended repair and log events in the /root/ndsrepair.log file, or to append events to the log file if it already exists, enter the following command:

ndsrepair -U -A no -F /root/ndsrepair.log

To display a list of all global schema operations along with the advanced options, enter the following command:

ndsrepair -S -Ad

To repair the local database by forcing a database lock, enter the following command:

ndsrepair -R -l yes

NOTE: The input for the ndsrepair command can be redirected from an option file. The option file is a text file that can contain replica and partition operation-related options and suboptions that do not require authentication to the server. Each option or suboption is separated by a new line. Make sure that the contents of the file are in the proper sequence. If the contents are not in the proper sequence, the results will be unpredictable.

Using ndstrace

The ndstrace utility has three main parts:

Basic functions

Debug messages

Background processes

Basic Functions

The basic functions of ndstrace are used to:

View the status of the ndstrace screen in Linux or Solaris

Initiate limited synchronization processes

To start the ndstrace screen, enter the following command at the server prompt:

/usr/bin/ndstrace

To initiate the basic ndstrace functions, enter commands at the server prompt using the following syntax:

ndstrace command_option

Table 148 lists the command options that you can enter.

Table 148. ndstace Commands

Option	Description
ON	Starts the eDirectory trace screen with basic trace messages.
OFF	Disables the trace screen.
ALL	Starts the eDirectory trace screen and displays all the trace messages.
AGENT	Starts the eDirectory trace screen with the trace messages that are equivalent to the ON, BACKLINK, DSAGENT, JANITOR, RESNAME, and VCLIENT flags.
DEBUG	Turns on a predefined set of trace messages typically used for debugging. The flags set are ON, BACKLINK, ERRORS, EMU, FRAGGER, INIT, INSPECTOR, JANITOR, LIMBER, MISC, PART, RECMAN, REPAIR, SCHEMA, SKULKER, STREAMS, and VCLIENT.
NODEBUG	Leaves the trace screen enabled, but turns off all debugging messages previously set. This option also leaves the messages set to the ON command option.

Debugging Messages

When the ndstrace screen is enabled, the information displayed is based on a default set of filters. If you want to view more or less than the default, you can manipulate the filters using the debugging message flags. The debugging messages help you determine the status of eDirectory and verify that everything is working well.

Each eDirectory process has a set of debugging messages. To view the debugging messages on a particular process, use a plus sign (+) and the process name or option. To disable the display of a process, use a minus sign (-) and the process name or option. The following are some examples:

Table 149. Debugging Messages

set ndstrace = +SYNC	Enables the synchronization messages
set ndstrace = -SYNC	Disables the synchronization messages
set ndstrace = +SCHEMA	Enables the schema messages

You can also combine the debugging message flags by using the Boolean operators & (which means AND) and | (which means OR). The syntax for controlling the debugging messages at the server console is as follows:

set ndstrace = +trace_flag [trace_flag]

set ndstrace = +trace_flag> [&trace_flag]

Table 150 describes the trace flags for the debugging messages. You can enter abbreviations for each of the trace flags. These abbreviations or alternatives are listed within parentheses in the table.

Table 150. Trace Flags for Debugging Messages

Trace Flag	Description
ABUF	Messages and information related to inbound and outbound packet buffers that contain data being received in conjunction with, or in response to, an eDirectory request.
ALOC	Messages to show the details of memory allocation.
AREQ	Messages related to inbound requests from other servers or clients.
AUTH	Messages and error reports relating to authentication.
BASE	Debug error messages at the minimum debugging level.
BLNK	Backlink and inbound obituary messages and error reports.
CBUF	Messages related to outbound DS Client requests.
CHNG	Change cache messages.
COLL	Status and error reports concerning an object's update information when the update has been previously received.
CONN	Messages that show information about the servers your server is trying to connect to, and about errors and timeouts that might be causing your server not to connect.
DNS	Messages about the eDirectory-integrated DNS server processes.
DRLK	Distributed reference link messages.
DVRS	Messages to show DirXML^TM driver-specific areas that eDirectory might be working on.
DXML	Messages to show details of DirXML events.
FRAG	Messages from the NCP fragger which breaks eDirectory messages into NCP-sized messages.
IN	Messages related to inbound requests and processes.
INIT	Messages related to the initialization of eDirectory.
INSP	Messages related to the integrity of objects in the source server's local database. Use of this flag increases the demands on the source server's disk storage system, memory, and processor. Do not leave this flag enabled unless objects are being corrupted.
JNTR	Messages related to the following background processes: janitor, replica synchronization, and flat cleaner.
LDAP	Messages related to the LDAP server.
LMBR	Messages related to the limber process.
LOCK	Messages related to the use and manipulation of the source server's local database locks.
LOST	Messages related to lost entries.
MISC	Messages from different sources in eDirectory.
MOVE	Messages from the move partition or move subtree operations.
NCPE	Messages to show the server receiving NCP-level requests.
NMON	Messages related to iMonitor.
OBIT	Messages from the obituary process.
PART	Messages related to partition operations from background processes and from request processing.
PURG	Messages about the purge process.
RECM	Messages related to the manipulation of the source server's database.
RSLV	Reports related to the processing of resolve name requests.
SADV	Messages related to the registration of tree names and partitions with Service Location Protocol (SLP).
SCMA	Messages related to the schema synchronization process.
SCMD	Messages showing the details of Schema-related operations. It gives details of both inbound and outbound synchronization.
SKLK	Messages related to the replica synchronization process.
SPKT	Messages related to eDirectory NCP server-level information.
STRM	Messages related to the processing of attributes with a Stream syntax.
SYDL	Messages showing more details during the replication process.
SYNC	Messages about inbound synchronization traffic (what is being received by the server).
TAGS	Displays the tag string that identifies the trace option that generated the event on each line displayed by the trace process.
THRD	Messages to show when any background processes (threads) begin and end.
TIME	Messages about the transitive vectors that are used during the synchronization process.
TVEC	Messages related to the following attributes: Synchronize Up To, Replica Up To, and Transitive Vector.
VCLN	Messages related to the establishment or deletion of connections with other servers.

As you use the debugging messages in ndstrace, you will find that some of the trace flags are more useful than others. One of the favorite ndstrace settings of Novell Technical Services^TM is actually a shortcut:

set ndstrace = A81164B91

This setting enables a group of debugging messages.

Background Processes

In addition to the debugging messages, which help you check the status of eDirectory, there is a set of commands that forces the eDirectory background processes to run. To force the background process to run, place an asterisk (*) before the command, for example:

set ndstrace = *H

You can also change the status, timing, and control for a few of the background processes. To change these values, place an exclamation point (!) before the command and enter a new parameter or value, for example:

set ndstrace = !H 15 (parameter_value_in_minutes)

The following is the syntax for each statement controlling the background processes of eDirectory:

set ndstrace = *trace_flag [parameter]

set ndstrace = !trace_flag [parameter]

Table 151 lists the trace flags for the background processes, any required parameters, and the process the trace flags will display.

Table 151. Trace Flags for Background Processes

Trace Flag	Parameters	Description
*A	None	Resets the address cache on the source server.
*AD	None	Disables the address cache on the source server.
*AE	None	Enables the address cache on the source server.
*B	None	Schedules the back link process to begin execution on the source server in one second.
!B	Time	Sets the interval, in minutes, for the back link process. The default interval is 1500 minutes (25 hours). The range is 2 to 10080 minutes (168 hours).
*CT	None	Displays the source server's outbound connection table and the current statistical information for the table. These statistics do not give any information about the inbound connections from other servers or clients to the source server.
*CTD	None	Displays, in comma-delimited format, the source server's outbound connection table and the current statistical information for the table. These statistics do not give any information about the inbound connections from other servers or clients to the source server.
*D	Replica rootEntry ID	Removes the specified local entry ID from the source server's Send All Object list. The entry ID must specify a partition root object that is specific to the server's local database. This command is usually used only when a Send All Updates process is endlessly trying to show updates and failing because a server is inaccessible.
!D	Time	Sets the inbound and outbound synchronization interval to the specified number of minutes. The default interval is 24 minutes. The range is 2 to 10080 minutes (168 hours).
!DI	Time	Sets the inbound synchronization interval to the specified number of minutes. The default interval is 24 minutes. The range is 2 to 10080 minutes (168 hours).
!DO	Time	Sets the outbound synchronization interval to the specified number of minutes. The default interval is 24 minutes. The range is 2 to 10080 minutes (168 hours).
*E	None	Re-initializes the source server's entry cache.
!E	None	Schedules the inbound and outbound synchronization processes to begin execution.
!EI	None	Schedules the inbound synchronization process to begin execution.
!EO	None	Schedules the outbound synchronization process to begin execution.
*F	None	Schedules flat cleaner process, which is part of the janitor process, to begin execution on the source server in five seconds.
!F	Time	Sets the interval, in minutes, for the flat cleaner process. The default interval is 240 minutes (4 hours). The range is 2 to 10080 minutes (168 hours).
*G	Replica rootEntry ID	Rebuilds the change cache of the specified root partition ID.
*H	None	Schedules the replica synchronization process to begin execution immediately on the source server.
!H	Time	Sets the interval, in minutes, for the heartbeat synchronization process. The default interval is 30 minutes. The range is 2 to 1440 minutes (24 hours).
*HR	None	Clears the in-memory last sent vector.
*I	Replica rootEntry ID	Adds the specified local entry ID to the source server's Send All Object list. The entry ID must specify a partition root object that is specific to the server's local database. The replica synchronization process checks the Send All Object list. If the entry ID of a partition's root object is in the list, eDirectory synchronizes all objects and attributes in the partition, regardless of the value of the Synchronized Up To attribute.
!I	Time	Sets the interval, in minutes, for the heartbeat synchronization process. The default interval is 30 minutes. The range is 2 to 1440 minutes (24 hours).
*J	None	Schedules the purge process, which is part of the replica synchronization process, to begin running on the source server.
!J	Time	Sets the interval, in minutes, for the janitor process. The default interval is 2 minutes. The range is 1 to 10080 minutes (168 hours).
*L	None	Schedules the limber process to begin running on the source server in five seconds.
*M	Bytes	Changes the maximum file size used by the source server's NDSTRACE.LOG file. The command can be used regardless of the state of the debug file. The <bytes> specified must be a hexadecimal value between 10000 bytes and 100MB. If the value specified is higher or lower than the specified range, no change occurs.
!M	None	Reports the maximum memory used by eDirectory.
!N	0\|1	Sets the name form: zero (0) specifies hex only, and one (1) specifies full dot form.
*P	None	Displays the tunable parameters and their default settings.
*R	None	Resets the TTF file, which is the SYS:SYSTEM\NDSTRACE. DBG file by default. This command is the same as the SET parameter NDS Trace File Length Set to Zero.
*S	None	Schedules the Skulker process, which checks whether any of the replicas on the server need to be synchronized.
!SI	Time	Sets the interval, in minutes, for the inbound schema synchronization process. The default interval is 24 minutes. The range is 2 to 10080 minutes (168 hours).
!SO	Time	Sets the interval, in minutes, for the outbound schema synchronization process. The default interval is 24 minutes. The range is 2 to 10080 minutes (168 hours).
!SIO	Time	Disables the inbound schema synchronization process for the specified number of minutes. The default interval is 24 minutes. The range is 2 to 10080 minutes (168 hours).
!SO0	Time	Disables the inbound schema synchronization process for the specified number of minutes. The default interval is 24 minutes. The range is 2 to 10080 minutes (168 hours).
*SS	None	Forces immediate schema synchronization.
*SSA	None	Schedules the schema synchronization process to begin immediately and forces schema synchronization with all target servers, even if they have been synchronized in the last 24 hours.
*SSD	None	Resets the source server's Target Schema Sync list. This list identifies which servers the source server should synchronize with during the schema synchronization process. A server that does not hold any replicas sends a request to be included in the target list of a server that contains a replica with its server object.
*SSL	None	Prints the schema synchronization list of target servers.
*ST	None	Displays the status information for the background processes on the source server.
*STX	None	Displays the status information for the backlink process (external references) on the source server.
*STS	None	Displays the status information for the schema synchronization process on the source server.
*STO	None	Displays the status information for the backlink process (obituaries) on the source server.
*STL	None	Displays the status information for the limber process on the source server.
!T	Time	Sets the interval, in minutes, for checking the server's UP state. The default interval is 30 minutes. The range is 1 to 720 minutes (12 hours).
*U	Optional ID of server	If the command does not include an entry ID, changes the status of any server that has been previously labeled "down" to "up." If the command includes a local entry ID, changes the status of the specified server from "down" to "up." Entry IDs are specific to the source server's database and must refer to an object that represents a server.
!V	A list	Lists the restricted eDirectory versions. If no versions are listed, there are no restrictions. Each version is separated by a comma.
*Z	None	Displays the currently scheduled tasks.