NDS Health Check Procedures
Articles and Tips: tip
01 May 2002
To maintain and to put in place preventative measures for Novell Directory Services, you should perform the following operations once a week for a dynamic tree and once a month for a static tree on every NetWare server (this Health Check frequency is a general rule).
To determine whether you have a dynamic tree or a static tree, read the end of this document. Step 10, Repair local DS database, should be performed after business hours and/or when errors occur during Steps One through Nine. These health checks have been designed for the following versions of NetWare and NetWare Directory Services:
Novell NetWare 4.11
NetWare 5.0
NetWare 5.1
Novell Directory Services version 8
The information found in this TID was also formerly in TIDs #2913292 and #2921544
Note: For very large trees and for a large number of partitions, it is still advisable to perform all 10 steps for every server. But for an abbreviated version, perform all 10 steps on the MASTER replica server for each partition, starting with the MASTER replica server for the [Root] partition and working down the tree.
Step 1: Checking DS Versions (DSRepair)
The DS.NLM should be the same version on every NetWare 4.1x and/or NetWare 5.x server in the tree (all DS versions 6.x, 7.x, and 8.x), and should be the latest server versions available. (All servers in the tree need to be patched with the latest available support packs).
Performing a time synchronization check within DSRepair (DSREPAIR.NLM | Time Synchronization) will report in a list format the DS.NLM version for each file server in the tree. Otherwise, you can type:
Modules DS.NLM <Enter>
at each server console prompt.
Note: CD Towers are exceptions to this requirement.
Step 2. Time Synchronization (DSRepair)
Time synchronization is critical for Directory Service functions. This operation can be performed by selecting Time Synchronization from the "Available Options" menu in DSREPAIR.
Step 3. Server-to-Server Synchronization (DSTRACE)
A server must have a replica to display any Directory Services trace information. From the file server console prompt, type the following:
SET DSTRACE=ON (this activates the trace screen for Directory Services transactions)
SET DSTRACE=+S (this makes it so you can see the synchronization)
SET DSTRACE=*H (this initiates synchronization between file servers)
The Directory Services trace screen can be viewed by selecting Directory Services from the list of Current Screens that you see when you press <Ctrl> <Esc> simultaneously. If there are not any errors, you will see a line displaying "All processed = YES." This message will be displayed for each partition contained on this server.
If the information is more than can fit on a single screen, use the following commands
SET TTF=ON (To Trace the Synchronization to a File. SYS\:SYSTEM\DSTRACE.DBG)
SET DSTRACE=*R (resets the file to 0 bytes)
SET TTF=OFF (once NDS has completed synchronizing all partitions)
You can then map a drive to your server's SYS:SYSTEM directory and bring the DSTRACE.DBG file up in a text editor. Search for "-6**" (this will show any NDS errors during synchronization, such as -625), or "YES" (this will show successful synchronization for a partition).
Step 4. Replica Synchronization (DSRepair)
A server must have a replica for this operation to display the replica synchronization status. To see this information, choose following path: DSREPAIR.NLM | Available Options| Report synchronization status.
Step 5. External References (DSRepair)
From the "Available Options" menu in DSRepair, select "Advanced options menu," then select "Check External References." This option will display external references and obituaries and will show you the states of all servers in the back link list for the obituaries.
Step 6. Replica State (DSRepair)
From the "Available Options" menu in DSRepair, select "Advanced Options Menu," then select "Replica and Partition Operations," and verify that the replica state is ON.
Step 7. Remote Server IDs (DSRepair)
From the "Available Options" menu in DSRepair, select "Advanced Options Menu," then select "View Remote Server ID List." Press <Enter> and this should bring up the "Remote Server ID Options" menu; select the "Verify All Remote Server IDs" option.
This option executes authentication from server to server using the remote server's ID. This option also verifies this server's ID on the other servers.
Note: For NetWare 5, use DSREPAIR | Advanced options menu | Replica and partition operations | select a partition | Repair selected replica. This will give you the line "OK - authenticated to server," which is the same as the option listed above for NetWare 4.
Step 8. Replica Ring (DSRepair)
In order to check for replica ring mismatches, run DSRepair on the server that is holding the MASTER replica of each partition and also on one of the servers that is holding a Read/Write replica. From the "Available Options" menu, select the "Advanced Options Menu," select "Replica and Partition Operations," then select "View Replica Ring" and verify that the correct servers are holding replicas of that partition.
Step 9. Schema (DSTRACE)
A server must have a replica to display any Directory Services trace information. From the file server console prompt, type the following:
SET DSTRACE=ON (this activates the trace screen for Directory Services transactions)
SET DSTRACE=+SCHEMA (this will display schema information)
SET DSTRACE=*SS (this initiates schema synchronization)
The Directory Services trace screen can be viewed by selecting Directory Services from the list of Current Screens that is made available when you press the <ctrl> and <esc> keys simultaneously. Check for the message "SCHEMA: All Processed = YES."
Step 10. Repair Local Database (DSRepair)
Note: Administrators may opt to perform this as an after-hours operation!
Suggested procedure is as follows: from the server console prompt, type
LOAD DSREPAIR <Enter>
Select the Advanced Options Menu, then the Repair Local DS Database option. Accept the defaults on this page. This option will lock the Directory Services database. DSREPAIR will display a message stating that authentication cannot occur with this server with Directory Services locked; i.e., users will not be able to login to this server during this operation. For this reason, this operation may need to be performed after business hours.
Step 11. Disaster Recovery
For disaster recovery, load DSREPAIR -RC. This switch will create a database dump file (SYS:\SYSTEM\DSREPAIR.DIB for DS version 6 and 7 and SYS:\SYSTEM\DSR_DIB\00000000.$DU for DS version 8). You will need assistance from Novell Support staff to restore this file.
If left running, DSTRACE requires server resources. After completing the DSTRACE checks, enter the following DSTRACE commands to turn it off:
Set DSTRACE=nodebug
Set DSTRACE=+min
Set DSTRACE=off
Determining If You Have a Dynamic or Static Tree
Read the following to determine if you have a dynamic or static tree.
Static NDS Tree.
A static tree has minimal routine changes. For example:
You make only simple changes, such as adding or deleting user objects.
You create a partition or add a server every couple of months.
Because you make fewer changes to a static NDS tree, you only need to perform NDS health checks once a month.
Dynamic NDS Tree
. A dynamic tree has frequent non-routine changes. For example:
You create a partition or add a server weekly.
You are in the process of developing the tree. For example, if you were upgrading a NetWare 3 or 4 network to a NetWare 5 or 6 network, your company would have a dynamic NDS tree during the upgrade process.
You are undergoing a period of change. For example, if your company were reorganizing, selling off part of its business, or merging with another company, you would have to modify the NDS tree.
If your company has a dynamic NDS tree, you should perform an NDS health check once a week. However, as the pace of change decreases and the NDS tree becomes static, you can begin to perform NDS health checks less frequently.
* Originally published in Novell AppNotes
Disclaimer
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.