The health of directory services is vital to any organization. Regular health checks will keep your directory running smoothly and will make upgrades and troubleshooting much easier.
In general, if your network doesn't change often (servers and partitions are only added every couple of months; only simple changes are made frequently), perform health checks once a month.
If your network is more dynamic (partitions or servers are added weekly, your organization is reorganizing), perform health checks weekly.
Adjust the frequency of health checks as your environment changes. Factors that influence the timing of your health checks include the
A complete health check includes checking
Running different versions of NDS on the same version of NetWare can cause synchronization problems. If your version of NDS is outdated, download the latest software patch from NDS Patches and Files
All NDS servers must maintain accurate time. Time stamps are assigned to each object and property. They ensure the correct order for object and property updates. Using time stamps, NDS determines which replicas need to be synchronized.
Partition continuity ensures that all replicas for a partition can be updated with directory changes.
For step-by-step instructions to complete these checks, see the appropriate section for your operating system:
To maintain eDirectory, perform the following operations for every NetWare server. Perform Step 9 after business hours and only when errors occur during Step 1 through Step 10.
You need to perform all ten steps for every server, even if your tree is very large with many partitions. However, if you must abbreviate maintenance, perform all ten steps on servers holding the master replica for each partition, starting with the Master replica server for the Tree partition and working down the tree.
Check the version of DS.NLM.
DS.NLM should be the same version on every NetWare 4.1x and NetWare 5.x server in the tree.
You can view the version of DS.NLM for each server known to the server you are using by performing the time synchronization in Step 2.
In DSREPAIR, click Available Options > Advanced Options > Time Synchronization to update time synchronization.
Time synchronization is critical for directory services functions.
Display server-to-server synchronization.
Type the following from the server console:
This activates the trace screen for directory services transactions.
This filter lets you view the synchronization of objects.
This initiates synchronization between servers. To view the directory services trace screen, select Directory Services from the Current Screens list > press Ctrl+Esc. If there are no errors, a line displays All processed = YES. This message is displayed for each partition contained on this server.
A server must have a replica to display any directory services trace information.
If the information cannot fit on a single screen, use the following commands:
This sends the DSTRACE screen to the SYS:SYSTEM\DSTRACE.DBG file.
This resets the file to 0 bytes, deleting previous entries.
This is done once eDirectory completes synchronizing all partitions. Map a drive to SYS:SYSTEM > open the DSTRACE.DBG file in a text editor. Search for -6, which shows any eDirectory errors during synchronization, such as -625. or Search for Yes, which shows successful synchronization for a partition.
In DSREPAIR, click Available Options > Advanced Options > Report Synchronization Status to report replica synchronization.
A server must have a replica for this operation to display replica synchronization status.
In DSREPAIR, click Available Options > Advanced Options > Check External References to check external references.
This option displays external references and obituaries and shows you the states of all servers in the back link list for the obituaries.
Check the replica state.
Check the replica ring.
Open DSREPAIR on the server holding the master replica of each partition and one of the servers holding a read/write replica to check for replica ring mismatches.
Click Available Options > Advanced Options > Replica and Partition Operations > View Replica Ring.
Verify that the servers holding replicas of that partition are correct.
To check the schema, type the following at the server console:
This activates the trace screen for directory services transactions.
This displays schema information.
This initiates schema synchronization.
To view the directory services trace screen, select Directory Services from the Current Screens list > press Ctrl+Esc. Check for the following message:
SCHEMA: All Processed = YES
A server must have a replica to display any directory services trace information.
Repair the local database.
You might want to perform this task after hours.
In DSREPAIR, click Available Options > Advanced Options > Repair Local DS Database.
Check Yes on Check Local References and Rebuild Operational Schema.
All of the other options on this page can be checked No.
This option locks the directory services database. DSREPAIR displays a message stating that authentication cannot occur with this server when directory services is locked. (Users are not be able to log in to this server.) For this reason, this operation may need to be performed after business hours.
DSTRACE, if left running, requires server resources. After completing the DSTRACE checks, enter the following DSTRACE commands to turn it off:
Set DSTRACE=nodebug
Set DSTRACE=+min
Set DSTRACE=off
To maintain eDirectory, perform the following operations each week for every Windows NT/2000 server. Perform Step 9 after business hours and only when errors occur during Step 1 through Step 10.
For very large trees and for a large number of partitions, you still need to perform all ten steps for every server, but for an abbreviated version, perform all ten steps on servers holding the master replica for each partition, starting with the master replica server for the Tree partition and working down the tree.
Check the version of DS.DLM.
DS.DLM should be the same version on every NT 3.51 and NT 4 server in the tree.
You can view the version of DS.DLM for each server known to the server you are using by performing the time synchronization in Step 2.
Update time synchronization.
Time synchronization is critical for directory services functions.
Display server-to-server synchronization.
A server must have a replica to display any eDirectory server trace information.
Go to the NDSCONSOLE > select DSTRACE.DLM > click Start.
When the NDS Server Trace Utility window appears, click Edit > Options.
HINT: Keep this window open. You will be referring back to it numerous times during the next few steps.
Check the Replication Process check box > click OK.
Go to the NDSCONSOLE > select DS.DLM > click Configuration.
When the NDS Configuration dialog box appears, click the Triggers tab > click Replica Sync.
Refer back to the NDS Server Trace Utility screen and look for this message: All processed = YES.
If the information does not fit on the screen, or if you want to save this information so you can review it later, follow these directions to create a log file for ease of viewing and storing the information:
In DSREPAIR, click Repair > Report Synchronization to report replica synchronization.
A server must have a replica for this operation to display replica synchronization status.
In DSREPAIR > click Repair > Check External References to check external references.
This option displays external references and obituaries and shows you the states of all servers in the back link list for the obituaries.
Check the replica state.
Check the replica ring.
Open DSREPAIR on the server holding the master replica of each partition and one of the servers holding a read/write replica to check for replica ring mismatches.
In DSREPAIR, select and expand a partition in the tree view, then expand a replica.
You should now be able to see all the servers in the replica ring.
Verify that the servers holding replicas of that partition are correct.
Check the schema.
A server must have a replica to display any eDirectory server trace information.
Return to the NDS Server Trace Utility window.
If you've closed the window, go to NDSCONSOLE > select DSTRACE.DLM > click Start.
In the NDS Server Trace Utility window, click Edit > click Options > check the Schema check box > click OK.
Return to the NDSCONSOLE > select DS.DLM > click Configuration.
In the NDS Configuration dialog box > click the Triggers tab > click Schema Sync.
Return to the NDS Server Trace Utility window and look for this message: SCHEMA: All Processed = YES. When this message appears, click OK in the NDS Configuration dialog box.
Repair the local database.
You might want to perform this after hours.
In DSREPAIR > click Repair > Local Database Repair.
Check the Check Local References and Rebuild Operational Schema check boxes and next to Check Local References and Rebuild Operational Schema > uncheck all other options > click Repair > click Yes.
This option locks the directory services database. DSREPAIR displays a message stating that authentication cannot occur with this server when directory services is locked (users are not be able to log in to this server). For this reason, this operation may need to be performed after business hours.
To turn DSTRACE off, go to NDSCONSOLE > select File > select Exit.
DSTRACE, if left running, requires server resources. After completing the DSTRACE checks, you should turn DSTRACE off.
To maintain eDirectory, perform the following operations each week for every Linux or Solaris system. Perform Step 8 after business hours and only when errors occur during Step 1 through Step 9.
For large trees and for a large number of partitions, you still need to perform all ten steps for every server, but for an abbreviated version, perform all ten steps on servers holding the master replica for each partition, starting with the master replica server for the Tree partition and working down the tree.
Load ndsrepair > enter ndsrepair -T at the terminal to check the version of the eDirectory daemon (ndsd).
The eDirectory daemon should be the same version on every UNIX server in the tree.
Display server-to-server synchronization.
A server must have a replica to display any eDirectory server trace information.
Start the ndstrace utility.
HINT: Keep this utility open. You will be referring back to it numerous times during the next few steps.
Enter the following command to enable replica synchronization messages:
dstrace SKLK
Enter the following command to initiate an immediate replica synchronization:
set dstrace=*H
Check the ndstrace messages and look for this message: All processed = YES.
If the ndstrace messages do not fit on the screen, or if you want to save this information so you can review it later, create a log file for ease of viewing and storing the information by following these directions:
Enter the following command to enable ndstrace messages to be logged to the file:
dstrace file on
If you want to reset the log file size to zero, enter the following command at the ndstrace command line:
set dstrace =*R
After the ndstrace messages are logged to a file, enter the following command to disable the messages from logging to a file:
dstrace file off
When a new file is created, you can save all the ndstrace messages in this file, which can be reviewed at a later date.
Report replica synchronization.
A server must have a replica for this operation to display replica synchronization status.
Enter the following command to check external references.
ndsrepair -C
This option displays external references and obituaries and shows you the states of all servers in the back link list for the obituaries.
Check the replica state and replica ring.
Check the schema.
A server must have a replica to display any eDirectory server trace information.
Repair the local database.
You might want to perform this after hours.
Enter the following command:
ndsrepair -R
Enable the Rebuild Operation Schema (-o) and Check Local Reference (-c) suboptions of the ndsrepair utility.
These options lock the directory services database. NDSREPAIR displays a message stating that authentication cannot occur with this server when directory services is locked. Users are not be able to log in to this server. For this reason, this operation may need to be performed after business hours.
Enter the exit command to exit NDSTRACE.
The tools and techniques used to keep eDirectory healthy are documented in the new Novell Certified Directory Engineer Course 991: Advanced NDS Tools and Diagnostics. In this course you learn how to:
To learn more about this course, visit the Novell Education Web site.
Novell Consulting Services also provides eDirectory health checks for customers. For more information, visit the Novell Customer Services Web site.