ACS replication issue on VMware ESX 3.5

I have just installed ACS 4.2 on two VMware hosts. I've configured database replication but it won't work. The error message is "shared secret mismatch". This error message occurs if a NAT device is in the path (which it isn't in this case) or if the tcp header is otherwise changed during transmission. I'm wondering if VMware is adding something to the TCP header. Has anyone come across this problem before or has anyone successfully implemented ACS replication when both hosts are on VMware?
Thanks.

Hi,
I see that you are getting a "shared secret mismatch" error under the database replication logs. Just wanted to inform you that this is not because of a NATed device. This happens when we have different keys for the AAA servers on the primary and secondary ACS.
The primary server must be configured as an AAA server and must have a key. The secondary server must have the primary server configured as an AAA server, and its key for the primary server must match the primary server's own key. The shared secret key should be the same on both ACSs.
I am sending you a link for Setting Up Replication for Cisco Secure ACS; I am sure this example with screenshots gives you a better understanding. Please visit the suggested URL below:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00800e518a.shtml
If that doesn't resolve the issue, please let me know if you see any server with the IP address 127.0.0.1.
HTH
JK
-Plz rate helpful posts-
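The rule in the reply above, turned into a check, as an added example (not Cisco's code and not from this thread): given each server's AAA Servers table, verify that the secondary lists the primary under the primary's own key, that the primary lists its replication partner, and that each table holds exactly one entry for the server itself (the duplicate "self" entry problem described in the "ACS Replication Issue" thread further down). Server names, addresses, keys and the table layout are constructed sample data.

```python
import hmac
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AaaEntry:
    """One row of an ACS server's Network Configuration > AAA Servers table (constructed model)."""
    name: str
    ip: str
    key: str  # shared secret configured for that entry


@dataclass
class AcsServer:
    name: str
    ip: str
    aaa_servers: List[AaaEntry]

    def self_entries(self) -> List[AaaEntry]:
        # Entries describing this server itself: named "self" or carrying its own address.
        return [e for e in self.aaa_servers if e.name.lower() == "self" or e.ip == self.ip]

    def entry_for(self, peer: "AcsServer") -> Optional[AaaEntry]:
        # The entry this server holds for a peer, matched by the peer's address.
        return next((e for e in self.aaa_servers if e.ip == peer.ip), None)


def keys_match(a: str, b: str) -> bool:
    # Constant-time comparison; findings never echo key material.
    return hmac.compare_digest(a.encode(), b.encode())


def check_direction(holder: AcsServer, peer: AcsServer, role: str) -> List[str]:
    """Check that `holder` lists `peer` under the key `peer` carries on its own self entry."""
    findings = []
    entry = holder.entry_for(peer)
    peer_self = peer.self_entries()
    if entry is None:
        findings.append(f"{holder.name}: {role} {peer.name} is not configured as an AAA server")
    elif not entry.key:
        findings.append(f"{holder.name}: entry for {peer.name} has an empty key")
    elif len(peer_self) == 1 and not keys_match(entry.key, peer_self[0].key):
        # Only comparable when the peer has a single, unambiguous self entry.
        findings.append(f"{holder.name}: key for {peer.name} differs from "
                        f"{peer.name}'s own key (shared secret mismatch)")
    return findings


def check_replication_pair(primary: AcsServer, secondary: AcsServer) -> List[str]:
    """Return human-readable findings; an empty list means the pair is consistent."""
    findings = []
    for srv in (primary, secondary):
        selfs = srv.self_entries()
        if len(selfs) != 1:
            findings.append(f"{srv.name}: expected exactly one self entry, found {len(selfs)}")
        elif not selfs[0].key:
            findings.append(f"{srv.name}: self entry has no key")
    # The secondary must hold the primary under the primary's own key ...
    findings += check_direction(secondary, primary, "primary")
    # ... and the primary must hold its replication partner the same way.
    findings += check_direction(primary, secondary, "replication partner")
    return findings


# Constructed sample tables (documentation-range addresses, made-up keys), not real exports.
ACS1 = AcsServer("ACS1", "192.0.2.10", [
    AaaEntry("self", "192.0.2.10", "k3y-acs1"),
    AaaEntry("ACS2", "192.0.2.20", "k3y-acs2"),
])
ACS2_OK = AcsServer("ACS2", "192.0.2.20", [
    AaaEntry("self", "192.0.2.20", "k3y-acs2"),
    AaaEntry("ACS1", "192.0.2.10", "k3y-acs1"),  # matches ACS1's own key
])
ACS2_BAD = AcsServer("ACS2", "192.0.2.20", [
    AaaEntry("self", "192.0.2.20", "k3y-acs2"),
    AaaEntry("self", "192.0.2.21", "k3y-acs2"),  # second NIC picked up as a second "self"
    AaaEntry("ACS1", "192.0.2.10", "wrong-key"),  # does not match ACS1's own key
])


if __name__ == "__main__":
    for label, secondary in (("consistent pair", ACS2_OK), ("broken pair", ACS2_BAD)):
        print(f"{label}: {check_replication_pair(ACS1, secondary) or ['no findings']}")
```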

Similar Messages

  • ACS Replication Issue

    Yesterday we had two ACS 4.0 servers installed on Windows 2000 Domain Controllers that were working great. ACS1 was the primary server and replication was configured to send to ACS2. ACS2 replication was configured to receive from ACS1.
    We lost ACS2 yesterday so I installed ACS 4 on a 2003 Domain Controller (ACS3). I installed ACS3, went into network configuration and added ACS1 as an AAA server.
    I then logged onto ACS1 and added ACS3 as an AAA server and configured ACS3 as a replication partner.
    It is not replicating - if I look at the log I get
    ERROR, ACS 'ACS3' has denied replication request
    I do not have the primary as a replication on the secondary.
    I have some screen shots of the configuration from ACS2 and I've duplicated everything I could (except for name and IP).
    Any ideas on what I can try next?

    I had what seems to be the same issue.
    In my case I have two ACS SE 1113 appliances, but the issue could still be the same with your Windows servers.
    The appliance has two NICs - I had both of the NICs connected. Although the appliance only allows you to use the Primary NIC (the bottom one), ACS still detected the Secondary NIC and created an additional "AAA Server" entry under the "Network Configuration" tab called "self". You should only have one "self" entry in your AAA Server list, not two.
    Unfortunately I couldn't find a way to undo this. So I disconnected the Secondary NIC (the top one) and used the recovery CD to reload both of my ACS devices. Now everything works just fine.
    - Nate

  • ACS 4.2 Database replication issue

    Hello Experts,
    Hope you are all doing well. I need your help with ACS database replication; I want to do replication between ACS servers. The issue I am facing is that there is no error in the ACS replication log. It just says "outbound replication started" and sits there; no other error message is shown. I can successfully telnet to the secondary server's destination port 2000. But when I hit the replication button on the primary server, I do not observe any hit count on my ASA ACL on which I allowed TCP 2000 to the secondary server. I also checked my syslog server for any traffic denied between these 2 ACS servers but found nothing. I also did Wireshark captures on the interfaces, but no traffic is initiated when I press the "replicate now" button. Initially I thought it was a machine issue, but the same behavior is shown when I swapped primary to secondary. There are other applications running on both servers which require Java, like Cisco IME etc. Can it be a Java issue? Please help me out. I am using Release 4.2(0) Build 124 on both servers. Attached below is the replication log snapshot,
    Regards,
    Rizwan.

    https://supportforums.cisco.com/discussion/11382366/problems-witch-acs-42-replication
    https://supportforums.cisco.com/discussion/11363046/replication-problem-acs-ver-42

  • Which is better, the ACS Server with VMware ESX or the Appliance, for a multitenant environment with IP overlapping

    Excuse me, can anybody help me?
    Which is better, the ACS Server with VMware ESX or the Appliance, for a multitenant environment with IP overlapping?
    I need to know if the ACS supports the AAA functions from equal IP segments (IP overlapping) in different places.... with different client networks.
    We are implementing the ACS at a central site (our NOC), so each field engineer will be AAA'd from different sites, same IP networks and different places....
    We need to implement support activities where our field engineers get access to a Cisco device on the client premises, but the point is that we have a field engineer force which gets access to each device in different places.
    With this scenario we need to decide which is better: the appliance or the ACS Server with VMware ESX
    ACS Server with VMware ESX
    CSACS-5.1-VM-K9
    CSACS-5-ADV-LIC
    CSACS-5-LRG-LIC
    CSACS-5-BASE-LIC
    CON-CSSPS-5ADVLI
    CON-CSSPS-5LRGLC
    CON-CSSPS-51VMK
    APPLIANCE
    CSACS-1120-K9
    CAB-AC
    CSACS-5-BASE-LIC
    CSACS-5.0-SW-K9
    CON-OSP-CS1120K9

    Just a quick question - have you looked at superwaba
    and wabajump? Superwaba is basically Java for pocket
    pc and palm, but wabajump allows you to compile to
    palm (not pocket pc). You can also use Eclipse for
    development in an applet - much quicker than deploying
    to device/virtual device. Small memory footprint as
    well.
    Cheers
    Andy Stratton

    Thank you Andy. I'll try it. Have you tried to use Websphere Studio Device Developer ?
    I've tried version 5.5 but i found it not too comfortable.
    I'd like to know personal experiences of the whole stack of components and tools involved
    in the development process. We're trying to design the best environment for it.
    Kind Regards
    J.L Perez

  • Issues with ACS replication

    We have 2 ACS appliances that are separated by a WAN.
    Both appliances are at the same software version and I have replication set up per Cisco's (as well as others') directions.
    When I run replication, I get the error "Cannot replicate to 'ciscoacs2' - server not responding".
    If I try replication in the other direction, I get the same error.
    I can ping both appliances and access the web interface from both subnets.
    There is a firewall between them, but I have port 2000 open and I do not see any other deny messages relating to the ACS replication in the firewall logging.
    I ran a sniffer on the receiving appliance's port and got the following:
    10.127.101.5 10.127.80.63 TCP evb-elm > cisco-sccp [SYN] Seq=0 Win=65535 Len=0 MSS=1380
    10.127.101.5 10.127.80.63 TCP evb-elm > cisco-sccp [ACK] Seq=1 Ack=1 Win=65535 Len=0
    10.127.80.63 10.127.101.5 TCP cisco-sccp > evb-elm [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
    10.127.101.5 10.127.80.63 TCP evb-elm > cisco-sccp [RST] Seq=25 Win=0 Len=0
    10.127.80.63 10.127.101.5 TCP [TCP Dup ACK 1515#1] cisco-sccp > evb-elm [ACK] Seq=1 Ack=1 Win=65535 Len=0
    Logging on the devices themselves is terrible, so I really have no idea what would be causing replication to fail.
    Thanks.
    Jason

    One update if it will help. I've been doing some research and I found that ACS replication doesn't like NAT and replication will fail if the IP address is changed through NAT.
    While NAT is running on the firewall that our ACS appliance is behind, there is a static mapping to basically keep the NAT address the same. So NAT is being applied, but NAT is just giving it the same address.
    I don't know if the NAT process is what's causing the problem? Based on the sniff I posted earlier, the source address of 101.5 is the IP of the ACS appliance.
    Taking the device out from behind the firewall could be an option, but it would be a last resort because we would then need to reconfigure all of our equipment to point to the new address, and we have a lot of equipment.
    Thanks.
    Jason

  • How to tell what was the latest patch installed on VMware ESX Server 3i, 3.5.0, 207095

    Hello Guys,
    I have been running an old server that was installed as a test system on a DELL workstation - Optiplex GX620 (32 bit).
    During the installation I had to configure the file /usr/lib/vmware/installer/Core/TargetFilter.py to change the following line:
    "return interface.GetInterfaceType() == ScsiInterface.SCSI_IFACE_TYPE_IDE" to read:
    "return interface.GetInterfaceType() == ScsiInterface.SCSI_IFACE_TYPE_ISCSI". This made it work and I have been using it for 3 years now. However, at this time I was hoping to update it with the latest patches and updates and I cannot figure out if I have ESXi or just ESX, nor what my last update was and what is required next.
    I have used this command to get the following output:
    # vmware -v
    VMware ESX Server 3i 3.5.0 build-207095
    ... I believe the 3i indicates that I have ESXi 3.5.0, but is build-207095 the same build as ESXi 3.5.0 Update 5?
    If not, how do I go about updating it? What is the KB # I should download?
    I can manage it using vSphere Client 5.5 and I can SSH into it using Putty.
    Note: When I run "# esxupdate --bundle=ESXe350-201302401-I-SG.zip update" from within the folder where it's at in the datastore, nothing happens... just a new line is scrolled.
    Also...
    # esxupdate query
    <?xml version="1.0"?>
    <query-response>
      <installed-packages>
        <package ID="ESX-207095">
          <name>firmware</name>
          <version>3.5.0</version>
          <rel>207095</rel>
        </package>
        <package ID="ESX-CLIENT-204907">
          <name>viclient</name>
          <version>2.5.0</version>
          <rel>204907</rel>
        </package>
        <package ID="ESX-TOOLS-207095">
          <name>tools</name>
          <version>3.5.0</version>
          <rel>207095</rel>
        </package>
      </installed-packages>
    </query-response>
    /vmfs/volumes/525300ce-5ff6ad3d-e2ed-0014222aedb7/Patches/ESXe350-201302401-O-SG #
    ... is there any further update for this system? I believe so as the Heartbleed patch etc. was not around when I was installing this server back in 2010.

    Hello Richardson Porto,
    I wanted to tell you that I appreciate the help so far.
    Also wanted to point out to you, that the KB indicated above is older than Update 5, which from your instructions is what I have installed. That KB is for U2.
    Now, the document definitely has step by step instructions on installing, querying etc. But my problem is ... NOT ALL COMMANDS WORK FOR ME!
    This is why I am here, because all the instructions I have been reading do not work with my flavor of ESX 3.5.0, 207095... WHY? It has me stumped.
    For example, here are some commands the doc asked me to do and they failed: (Note that I had to unzip the folder on my windows box and upload it to /tmp using vSphere Client)
    /tmp # ls
    ESX350-201302402-BG      ESX350-201302402-BG.zip  vmhsdaemon-0
    /tmp # unzip ESX350-201302402-BG.zip
    -ash: unzip: not found          ----------------------- THIS COMMAND WAS NOT FOUND ?
    /tmp # cd ESX350-201302402-BG
    /tmp/ESX350-201302402-BG # esxupdate info
    Invalid command info          ----------------------- THIS COMMAND WAS INVALID ?
    /tmp/ESX350-201302402-BG # esxupdate update          ----------------------- NOTHING HAPPENED HERE ?
    /tmp/ESX350-201302402-BG # ls -lh
    -rw-------    1 root     root       321.3k Dec 13 15:24 VMware-esx-scripts-3.5.0-988599.i386.rpm
    -rw-------    1 root     root         1.6k Dec 13 15:24 contents.xml
    -rw-------    1 root     root          701 Dec 13 15:24 contents.xml.sig
    -rw-------    1 root     root         1.4k Dec 13 15:24 descriptor.xml
    drwxr-xr-x    1 root     root          512 Dec 13 15:24 headers
    /tmp/ESX350-201302402-BG #
    NOTE: All these commands were run sequentially and I just copied and paste it from my SSH Client (PuTTy.exe)
    Is there a toolkit I need to install to have these commands or what really am I missing here? Host is in Maintenance Mode and the 1 VM that's on it is off!
    I am going to start a new discussion with this NEW ISSUE, since the Heading of this DISCUSSION has already been SOLVED! Thanks again!

  • Nexus 1000v, VMWare ESX and Microsoft SC VMM

    Hi,
    I'm curious if anybody has worked up any solutions for managing network infrastructure for VMware ESX hosts/VMs with the Nexus 1000v and Microsoft's System Center Virtual Machine Manager.
    There currently exists support for the 1000v and ESX and SCVMM using the Cisco 1000v software for MS Hyper-V and SCVMM. There is no such support for VMware ESX.
    I'm curious as to what others with VMware, Nexus 1000v or equivalent and SCVMM have done to work around this issue.
    Trying to get some ideas.
    Thanks

    Aaron,
    The steps you have above are correct; you will need steps 1 - 4 to get it working correctly. Normally people will create a separate VLAN for their NLB interfaces/subnet, to prevent unnecessary flooding of mcast frames within the network.
    To answer your questions
    1) I've seen multiple customers run this configuration
    2) The steps you have are correct
    3) You can't enable/disable IGMP snooping on UCS.  It's enabled by default and not a configurable option.  There's no need to change anything within UCS in regards to MS NLB with the procedure above.  FYI - the ability to disable/enable IGMP snooping on UCS is slated for an upcoming release 2.1.
    This is the correct method until the time we have the option of configuring static multicast MAC entries on the Nexus 1000v. If this is a feature you'd like, please open a TAC case and request for bug CSCtb93725 to be linked to your SR.
    This will give more "push" to our development team to prioritize this request.
    Hopefully some other customers can share their experience.
    Regards,
    Robert

  • How to install Prime NCS 1.1 for VMware ESXi Hypervisor 5.0

    Dear,
    I'm trying to install Prime NCS 1.1 for VMware ESXi Hypervisor 5.0 (that is the free copy).
    I deployed the OVA image which I downloaded from cisco.com correctly; however, when I power on the server the screen is black and nothing works,
    and opening the console wasn't working.
    The physical server ESXi is installed on is an HP Blade server.
    I enabled processor virtualization in the Blade server's BIOS.
    The NCS 1.1 OVA image is Linux based so I can't install VMware Tools. While the console wasn't working, how do I install VMware Tools and run the server and also NCS 1.1 ??
    Regards.
    Emre

    Once installed and started successfully (e.g. admin has issued "ncs start" from the console and all services are running, which can be verified by issuing "ncs status", also from the console command line), the NCS server should be listening on port 443 and thus requires you to access it via https.
    See step 2 here.

  • How well does OAS on RHES on VMWare ESX work?

    We're currently running OAS 9.0.4 on RHES 3, but are considering using VMWare ESX. Possibly upgrading to OAS 10gR3 and RHES 4.
    Are there any particular problems or issues running OAS on VMWare? I'm aware of Oracle's stated support position about VMWare, i.e., any new problem must be reproducible on a standalone machine.
    I'm basically wondering if this setup will work well or not, before we commit to this direction.
    Thanks in advance for any input.

    Have you had any responses? We are looking at doing this for our production environment as well. Also, I am not sure if you were aware that Oracle on June 29th changed their position on VMware. Instead of requiring users to show that a problem is reproducible on a standalone machine, Oracle will do this, and if they cannot then Oracle will forward the problem on to VMware tech support for resolution.
    Thanks.

  • Prime LMS 4.1 and VMWARE ESX 5.0

    Can Cisco Prime LMS 4.1 be deployed on VMware ESX server 5.0 or not ?                  

    No, LMS 4.1 is not supported on ESXi 5.0. LMS 4.1 supports the following virtualization systems:
    •VMware ESX server 3.0.x
    •VMware ESX Server 3.5.x
    •VMWare ESX Server 4.0.x
    •VMWare ESX Server 4.1
    •VMWare ESXi Server 4.0
    •VMware ESXi Server 4.1
    •Hyper V Virtualization (As an installable in Windows 2008)
    For more details check:
    http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.1/install/guide/prereq.html#wp1119955
    On a side note, though an OVF/OVA file may be an issue, you can try to install LMS 4.1 on a virtualized Win/Sol guest OS, where it should mostly work. But for any further issues, Cisco or TAC may refer to this as an unsupported installation, for any t/s or support.
    Else, you may upgrade to LMS 4.2 which is supported on ESXi 5.0.
    -Thanks

  • Running OSD Capture on VMWare ESX 5.5

    In SCCM 2012 R2, I create capture media (.iso). I then create a VM in VMware ESX 5.5 and attempt to capture the OS (Server 2012 R2). After rebooting into WinPE the process fails with an error:
    "Failed to find the configuration path"
    Running ipconfig from the command prompt in WinPE produces nothing, so I assume the network drivers are an issue. The VM initially had a VMNet3 NIC which I read might have driver issues, so we removed that NIC and added the Intel 1000E NIC (the only other choice, I believe) and that failed as well.
    We then found the VMNet3 driver in the VMware Tools ISO, imported those into SCCM, added those to the boot image and created new capture media with that boot image. STILL ipconfig returns nothing and we get the same failure (during hardware initialization after rebooting into WinPE the error pops up).
    Here are the logs from the VM
    SMSTS - convertBootTologicalPath failed 0x8007003  (partition(2)) - does this 29 times and then fails says giving up and then says Failed to find the configuration path
    Setupapi.offline.log - Unable to unload hive key … loaded by another process
    Any ideas?

    What NIC is the ESXi using? VMNet3 or Intel 1000E?
    Is there DHCP in place so that the machine can actually get an address?
    Why are you using capture media, why aren't you using standard build & capture method for creating your reference image?
    You can obtain the correct drivers from the machine itself, if you just install VMware tools on it and use this tool:
    https://gallery.technet.microsoft.com/ConfigMgr-Driver-Injector-aae7d17d to grab the corrected drivers for your boot image and for creating driver pack for ESXi 5.5

  • Solaris Cluster 3.3 on VMware ESX 4.1

    Hi there,
    I am trying to set up Solaris Cluster 3.3 on VMware ESX 4.1
    My first question is: Is there anyone out there who has set up Solaris Cluster on VMware across boxes?
    My tools:
    Solaris 10 U9 x64
    Solaris Cluster 3.3
    Vmware ESX 4.1
    HP DL 380 G7
    HP P2000 Fibre Channel Storage
    When I try to set up the cluster, just next next next, it completes successfully. It reboots the second node first and then itself.
    After the second node comes up on the login screen, ping stops after 5 sec. Same on either node!
    I am trying to understand why it does that. I tried every possibility to complete this job. Set up quorum as RDM from VMware. Solaris has direct access to the quorum disk now.
    I am new to Solaris and I am having the errors below. If someone would like to help me it will be much appreciated!
    Please explain to me in more detail, I am a newbie in Solaris :) Thanks!
    I need help especially on the error: /proc fails to mount periodically during reboots.
    Here are the error messages. Is there anyone out there who has set up Solaris Cluster on ESX 4.1?
    * cluster check (ver 1.0)
    Report Date: 2011.02.28 at 16.04.46 EET
    2011.02.28 at 14.04.46 GMT
    Command run on host:
    39bc6e2d- sun1
    Checks run on nodes:
    sun1
    Unique Checks: 5
    ===========================================================================
    * Summary of Single Node Check Results for sun1
    ===========================================================================
    Checks Considered: 5
    Results by Status
    Violated : 0
    Insufficient Data : 0
    Execution Error : 0
    Unknown Status : 0
    Information Only : 0
    Not Applicable : 2
    Passed : 3
    Violations by Severity
    Critical : 0
    High : 0
    Moderate : 0
    Low : 0
    * Details for 2 Not Applicable Checks on sun1
    * Check ID: S6708606 ***
    * Severity: Moderate
    * Problem Statement: Multiple network interfaces on a single subnet have the same MAC address.
    * Applicability: Scan output of '/usr/sbin/ifconfig -a' for more than one interface with an 'ether' line. Check does not apply if zero or only one ether line.
    * Check ID: S6708496 ***
    * Severity: Moderate
    * Problem Statement: Cluster node (3.1 or later) OpenBoot Prom (OBP) has local-mac-address? variable set to 'false'.
    * Applicability: Applicable to SPARC architecture only.
    * Details for 3 Passed Checks on sun1
    * Check ID: S6708605 ***
    * Severity: Critical
    * Problem Statement: The /dev/rmt directory is missing.
    * Check ID: S6708638 ***
    * Severity: Moderate
    * Problem Statement: Node has insufficient physical memory.
    * Check ID: S6708642 ***
    * Severity: Critical
    * Problem Statement: /proc fails to mount periodically during reboots.
    ===========================================================================
    * End of Report 2011.02.28 at 16.04.46 EET
    ===========================================================================
    Note: Please ignore memory error I have installed 5GB memory and it says it requires min 1 GB! i think it is a bug!

    @TimRead
    Hi, thanks for reply,
    I have already followed the steps also on your links but no joy on this.
    What I noticed here is the cluster seems to be buggy, because I have tried to install cluster 3.3 on physical hardware and it gave me the exact same error messages! Interesting, isn't it?
    Please see errors below that I got from on top of VMware and also on Solaris Physical hardware installation:
    ERROR1:
    Comment: I have installed different memories all the time. It keeps saying that silly error.
    problem_statement : *Node has insufficient physical memory.
    <analysis>5120 MB of memory is installed on this node.The current release of Solaris Cluster requires a minimum of 1024 MB of physical memory in each node. Additional memory required for various Data Services.</analysis>
    <recommendations>Add enough memory to this node to bring its physical memory up to the minimum required level.
    ERROR2
    Comment: Despite the rmt directory being there, I got the error below on cluster check
    <problem_statement>The /dev/rmt directory is missing.
    <analysis>The /dev/rmt directory is missing on this Solaris Cluster node. The current implementation of scdidadm(1M) relies on the existence of /dev/rmt to successfully execute 'scdidadm -r'. The /dev/rmt directory is created by Solaris regardless of the existence of the actual underlying devices. The expectation is that the user will never delete this directory. During a reconfiguration reboot to add new disk devices, if /dev/rmt is missing scdidadm will not create the new devices and will exit with the following error: 'ERR in discover_paths : Cannot walk /dev/rmt' The absence of /dev/rmt might prevent a failover to this node and result in a cluster outage. See BugIDs 4368956 and 4783135 for more details.</analysis>
    ERROR3
    Comment: All Nics have different MAC address though, also I have done what it suggests me. No joy here as well!
    <problem_statement>Cluster node (3.1 or later) OpenBoot Prom (OBP) has local-mac-address? variable set to 'false'.
    <analysis>The local-mac-address? variable must be set to 'true.' Proper operation of the public networks depends on each interface having a different MAC address.</analysis>
    <recommendations>Change the local-mac-address? variable to true: 1) From the OBP (ok> prompt): ok> setenv local-mac-address? true ok> reset 2) Or as root: # /usr/sbin/eeprom local-mac-address?=true # init 0 ok> reset</recommendations>
    ERROR4
    Comment: No comment on this, i have done what it says no joy...
    <problem_statement>/proc fails to mount periodically during reboots.
    <analysis>Something is trying to access /proc before it is normally mounted during the boot process. This can cause /proc not to mount. If /proc isn't mounted, some Solaris Cluster daemons might fail on startup, which can cause the node to panic. The following lines were found:</analysis>
    Thanks!

  • 10.9: Server Replication Issue

    Hi there guys,
      I have seen several posts about this replication issue since 2012. I have 2 fresh install systems, 10.9 Server app 3.0.2 on both boxes; DNS shows correctly set up but I'm totally lost on where to continue.
    Is there anyone out there that already resolved this?
    domaintest2:~ admin$ sudo slapconfig -createreplica 192.168.2.17 diradmin
    Password:
    2014-01-08 01:05:11 +0000 slapconfig -createreplica
    diradmin's Password:
    2014-01-08 01:05:22 +0000 1 Creating computer record for replica
    2014-01-08 01:05:26 +0000 command: /usr/sbin/slapconfig -delkeychain /LDAPv3/127.0.0.1 domaintest2.int$
    2014-01-08 01:05:26 +0000 Added computer password to keychain
    2014-01-08 01:05:26 +0000 Adding ldap and host service principals
    Unable to obtain kerberos princ, using CRAM-MD5: -2
    Unable to obtain kerberos princ, using CRAM-MD5: -2
    2014-01-08 01:05:26 +0000 2 Creating ldap replicator user
    2014-01-08 01:05:26 +0000 _ldap_replicator exists from previous replica - migrating
    2014-01-08 01:05:26 +0000 NSString *_getReplicatorPasswordWithNode(ODNode *): no syncrepl attribute found in results
    2014-01-08 01:05:26 +0000 Unable to get replicator password, recreating replicator
    2014-01-08 01:05:27 +0000 GetLastServerID: Error creating DSLDAPContainer: 77014 Can't contact LDAP server (-1)
    2014-01-08 01:05:27 +0000 ServerID for this replica 1
    2014-01-08 01:05:27 +0000 SetLastServerID: Unable to create DSLDAPContainer: 77014 Can't contact LDAP server (-1)
    2014-01-08 01:05:27 +0000 Error setting last server id
    2014-01-08 01:05:28 +0000 command: /usr/bin/sntp -s time.apple.com.
    2014-01-08 01:05:29 +0000 3 Updating local replica configuration
    2014-01-08 01:05:29 +0000 4 Gathering replication data from the master
    2014-01-08 01:05:29 +0000 5 Copying master database to new replica
    2014-01-08 01:05:29 +0000 Removed directory at path /var/db/openldap/openldap-data.
    2014-01-08 01:05:29 +0000 Starting LDAP server (slapd)
    2014-01-08 01:05:30 +0000 slapd started
    2014-01-08 01:05:30 +0000 Stopping LDAP server (slapd)
    2014-01-08 01:05:31 +0000 command: /usr/sbin/slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
    2014-01-08 01:05:31 +0000 command: /usr/sbin/slapadd -c -w -l /var/db/openldap/openldap-data/backup.ldif
    2014-01-08 01:05:31 +0000 command: /usr/sbin/slapadd -c -w -b cn=authdata -l /var/db/openldap/authdata/authdata.ldif
    2014-01-08 01:05:31 +0000
    2014-01-08 01:05:31 +0000 52cca45b slapd is running in import mode - only use if importing large data
              52cca45b bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
    2014-01-08 01:05:31 +0000 6 Starting new replica
    2014-01-08 01:05:31 +0000 Starting LDAP server (slapd)
    2014-01-08 01:05:31 +0000 slapd started
    2014-01-08 01:05:31 +0000 command: /usr/bin/ldapmodify -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
    2014-01-08 01:05:31 +0000 command: /usr/bin/ldapsearch -x -LLL -H ldapi://%2Fvar%2Frun%2Fldapi -b cn=config -s base olcServerID
    2014-01-08 01:05:31 +0000 command: /usr/bin/ldapmodify -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
    2014-01-08 01:05:31 +0000 Starting password server
    2014-01-08 01:05:37 +0000 CFStringRef CopyHostGUID(DSLDAPContainerRef, CFStringRef): Could not get query results
    2014-01-08 01:05:37 +0000 FATAL : Could not retrieve HOST GUID for parent
    2014-01-08 01:05:37 +0000 FATAL : Could not retrieve HOST GUID for parent (error = 78)
    2014-01-08 01:05:37 +0000 Deleting Cert Authority related data
    2014-01-08 01:05:37 +0000 No intCAIdentity, not removing int CA from keychain
    2014-01-08 01:05:37 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd.plist
    2014-01-08 01:05:37 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd-helper.plist
    2014-01-08 01:05:37 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertadmin.plist
    2014-01-08 01:05:37 +0000 Updating ldapreplicas on primary master
    2014-01-08 01:05:37 +0000 Unable to create ODNode for domaintest1.int: 2100 Connection failed to the directory server.
    2014-01-08 01:05:37 +0000 Primary master node is nil!
    2014-01-08 01:05:37 +0000 Unable to locate ldapreplicas record: 0 (null)
    2014-01-08 01:05:37 +0000 Error setting read ldap replicas array: 0 (null)
    2014-01-08 01:05:37 +0000 Error setting write ldap replicas array: 0 (null)
    2014-01-08 01:05:37 +0000 ODRecord *_getODRecord(ODNode *, NSString *, NSString *, NSArray *): ODNodeRef parameter error
    2014-01-08 01:05:37 +0000 int _removeReplicaFromConfigRecord(ODNode *, NSString *): ODRecord not found
    2014-01-08 01:05:37 +0000 Error synchronizing ldapreplicas: 0 (null)
    2014-01-08 01:05:37 +0000 Removing self from the database
    2014-01-08 01:05:37 +0000 Warning: An error occurred while re-enabling GSSAPI.
    2014-01-08 01:05:38 +0000 Stopping LDAP server (slapd)
    2014-01-08 01:05:39 +0000 Stopping password server
    2014-01-08 01:05:39 +0000 Removed all service principals from keytab for realm DOMAINTEST1.INT
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/__db.001.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/__db.002.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/__db.003.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/__db.004.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/__db.005.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/__db.006.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/altSecurityIdentities.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/apple-config-realname.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/apple-generateduid.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-memberguid.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-nestedgroup.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-realname.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/cn.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/DB_CONFIG.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/dn2id.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/entryCSN.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/entryUUID.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/gidNumber.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/givenName.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/id2entry.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/ipHostNumber.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/log.0000000001.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/macAddress.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/memberUid.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/objectClass.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/ou.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/sn.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/uid.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/uidNumber.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/__db.001.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/__db.002.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/__db.003.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/__db.004.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/__db.005.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/__db.006.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/alock.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/authdata.ldif.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/authGUID.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/DB_CONFIG.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/dn2id.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalAliases.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalName.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/entryCSN.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/entryUUID.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/id2entry.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/log.0000000001.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/objectClass.bdb.
    2014-01-08 01:05:39 +0000 Removed directory at path /var/db/openldap/authdata.
    2014-01-08 01:05:39 +0000 Removed file at path /etc/openldap/slapd_macosxserver.conf.
    2014-01-08 01:05:39 +0000 Removed file at path /etc/openldap/slapd.conf.
    2014-01-08 01:05:39 +0000 Removed directory at path /etc/openldap/slapd.d/cn=config.
    2014-01-08 01:05:39 +0000 Removed file at path /etc/openldap/slapd.d/cn=config.ldif.
    2014-01-08 01:05:39 +0000 Removed directory at path /etc/openldap/slapd.d.
    2014-01-08 01:05:39 +0000 Removed directory at path /etc/openldap/slapd.d.backup/cn=config.
    2014-01-08 01:05:39 +0000 Removed file at path /etc/openldap/slapd.d.backup/cn=config.ldif.
    2014-01-08 01:05:39 +0000 Removed directory at path /etc/openldap/slapd.d.backup.
    2014-01-08 01:05:39 +0000 Stopping password server
    2014-01-08 01:05:39 +0000 Removed file at path /etc/ntp_opendirectory.conf.
    2014-01-08 01:05:39 +0000 Removed file at path /Library/Preferences/com.apple.openldap.plist.

    We're having the exact same issue, also between two 10.9 servers - any luck finding a resolution?

  • Active directory SYSVOL replication issues

    Hello. 
    I have 2 domain controllers, both of them on the same site: DC1 & DC2. I have added a new site with a DC3. When I added DC3 to the domain, I realized SYSVOL was not initialized correctly. I went back to DC1 and found the following error in the event viewer:
    Error: 4012 on DC1
    The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain. This server has been disconnected from other partners for 99 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter
    (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder until this error is corrected.
    Error: 2213 on DC2
    The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication.
    This indicates a DFS replication issue between DC1 & DC2 and probably this would be the reason, why the SYSVOL was not properly initialized on DC3. 
    How can I restore correct DFS replication between DC1 & DC2? I've read this article, but it's not clear to me which of the 2 domain controllers has a good version of SYSVOL, and I cannot find a decent step-by-step article for reconnecting a Windows 2012 domain controller.
    Any idea how I can proceed further here?

    Here's the complete documentation of the resolution of my issue. I created this documentation for my own purposes in our wiki, so I will paste it here (I hope it will help somebody else in the future):
    The Problem
    We have bought a new server for our domain. This server (NEWDC01) was promoted to be a domain controller in the DOMAIN. After the promotion, I added a single computer to the domain. When I logged the client on to the domain, I realized this computer was not using the new domain controller (NEWDC01) for authentication, but the DC02 domain controller instead. This is not intended. Local clients should use local domain controllers for authentication (assuming Active Directory Sites & Services are configured properly). Further investigation revealed there are some replication errors on the OLDDC01 & OLDDC02 servers. First I need to solve these replication errors. Then I can add the NEWDC01 server to the domain properly.
    Analysis
    There are several errors related to DFSR replication on both domain controllers:
    Error: 4012 on OLDDC01
    The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain. This server has been disconnected from other partners for 99 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder until this error is corrected.
    Error: 2213 on OLDDC02
    The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication.
    In order to have Active Directory in a healthy condition, one must ensure there is successful replication between the existing domain controllers up and running. If the replication does not work correctly, you can expect a bunch of issues:
    group policies and logon scripts are not applied correctly, or as intended
    when you want to add a new domain controller to the domain, it will not work as expected (although you will not see any specific errors after the server is promoted to be a domain controller)
    Active directory backup
    I have scheduled an AD backup on the OLDDC01 server using the 'Windows Backup' solution to make sure I can restore the AD / SYSVOL in case something goes wrong. The backup is scheduled to be executed every day.
    Active directory restore
    In this particular case, I will talk only about the SYSVOL restore. As indicated above, we must get rid of the DFSR errors which you can find in the event viewer. One of them indicates that the JET database was not shut down cleanly and autorecovery was disabled. The other error indicates that the SYSVOL volume is no longer replicated. I am not sure what the reason is that the ADs in the domain stopped replicating. Probably it was an unclean server shutdown. The DFSR service stopped replicating the SYSVOL share and I was not aware of that. When the replication did not run for more than ~99 days, the SYSVOL share was excluded from DFSR replication.
    Find out the most accurate SYSVOL share in the domain
    I compared the content of the SYSVOL directories on both the OLDDC01 and OLDDC02 servers: C:\Windows\SYSVOL\domain\Policies. Both directories have 37 subdirectories. Each subdirectory corresponds to one group policy. This means that the content is approximately the same, thus I can't tell which version is the most recent. I do most of the GPO changes on OLDDC01, so I concluded that this server contains the most recent version of the SYSVOL share.
    There are 2 types of SYSVOL restores you can do:
    Authoritative restore
    Non-authoritative restore
    Non-authoritative restore
    This is the simpler kind of restore. You can perform this kind of restore when you are sure that one of the domain controllers is authoritative (i.e. you presume its SYSVOL share is intact and working properly). If you can identify such a working server, you can perform a non-authoritative restore of Active Directory on the broken domain controller.
    Authoritative restore
    In this case, you designate a specific domain controller to be authoritative. You set a special flag on this server, which prohibits its state from being overwritten from other domain controllers when replication is enabled on the server again. After you designate one server to be authoritative, you need to update all the other domain controllers using the non-authoritative procedure.
    In this article, you can find how to perform an authoritative vs. non-authoritative AD restore:
    http://support.microsoft.com/kb/2218556.
    In my case, I was not sure which of the domain controllers had a more recent copy of AD, so I decided to make OLDDC01 authoritative (check the link above). Once this was done, I made a non-authoritative update on the OLDDC02 server.
    Everything was almost ready. The last step I needed to execute was to fix the 'JET' event viewer error on SRVBK1. At the bottom of the event log entry, you can find the following:
    Recovery Steps
    1. Back up the files in all replicated folders on the volume. Failure to do so may result in data loss due to unexpected conflict resolution during the recovery of the replicated folders.
    2. To resume the replication for this volume, use the WMI method ResumeReplication of the DfsrVolumeConfig class. For example, from an elevated command prompt, type the following command:
    wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where volumeGuid="D37A9FC3-8B1D-11E2-93E8-806E6F6E6963" call ResumeReplication
    For more information, see http://support.microsoft.com/kb/2663685.
    Final words
    After I executed this command, replication started again between the OLDDC01 and OLDDC02 servers. After I started up the NEWDC01 server, I realized it had automatically replicated the contents of the SYSVOL share, almost immediately after the server was started up. I again tried to log in with the local client into the DOMAIN domain, and now I see that the local client is using the local domain controller for authentication.
    Everything seems to be OK now.
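    The procedure in the post above (read the DFSR errors, find out which DC carries the authoritative-restore flags, then resume the volume) as an added PowerShell example. This is not from the original post or from Microsoft; it only wraps the pieces the post and the two KB articles name: events 4012 and 2213 in the 'DFS Replication' log, the msDFSR-Enabled / msDFSR-Options attributes on each DC's "SYSVOL Subscription" object from KB2218556, and the ResumeReplication method of DfsrVolumeConfig from KB2663685. The DC names OLDDC01 / OLDDC02 and the volume C:\ are placeholders taken from the post; the script assumes an elevated session on a domain-joined admin host with the ActiveDirectory RSAT module and WinRM access to the DCs. It changes nothing unless -Resume is given, and the restore flags are read, not set: set those by hand in the order the KB gives.

```powershell
<#
  Added example, not part of the original post. Read-only unless -Resume is passed.
  Placeholders: DC names and volume path are taken from the post above.
  Back up SYSVOL before using -Resume, exactly as the 2213 event text says.
#>
param(
    [string[]] $DomainController = @('OLDDC01', 'OLDDC02'),  # placeholder names from the post
    [string]   $VolumePath = 'C:\',                          # volume named in event 2213
    [switch]   $Resume
)

Import-Module ActiveDirectory -ErrorAction Stop

foreach ($dc in $DomainController) {
    Write-Host "==== $dc ===="

    # 1. The two DFSR errors quoted in the post:
    #    4012 = disconnected longer than MaxOfflineTimeInDays, content treated as stale
    #    2213 = JET database not shut down cleanly and Auto Recovery disabled
    $events = Get-WinEvent -ComputerName $dc -MaxEvents 10 -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'DFS Replication'; Id = 2213, 4012 }
    if (-not $events) { Write-Host '  no 2213/4012 events found' }
    foreach ($e in $events) {
        $firstLine = ($e.Message -split "`r?`n")[0]
        Write-Host ('  {0:u}  id={1}  {2}' -f $e.TimeCreated, $e.Id, $firstLine)
    }

    # 2. Authoritative / non-authoritative restore flags (KB2218556).
    #    msDFSR-Enabled=FALSE with msDFSR-Options=1 marks the DC chosen as authoritative;
    #    msDFSR-Enabled=FALSE alone marks a DC waiting for a non-authoritative sync.
    #    Shown read-only so you can see where a half-finished restore left each DC.
    $dcObject = Get-ADDomainController -Identity $dc -ErrorAction Stop
    $subDn = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$($dcObject.ComputerObjectDN)"
    $sub = Get-ADObject -Identity $subDn -Properties 'msDFSR-Enabled', 'msDFSR-Options' -ErrorAction SilentlyContinue
    if ($sub) {
        Write-Host ('  msDFSR-Enabled={0}  msDFSR-Options={1}' -f $sub.'msDFSR-Enabled', $sub.'msDFSR-Options')
    } else {
        Write-Host "  no SYSVOL Subscription object at $subDn (SYSVOL still on FRS?)"
    }

    # 3. DFSR volumes on this DC. ResumeReplication is an instance method of
    #    DfsrVolumeConfig in root\microsoftdfs, the same call as the wmic line in the post.
    $volumes = Get-CimInstance -ComputerName $dc -Namespace 'root\microsoftdfs' `
        -ClassName DfsrVolumeConfig -ErrorAction SilentlyContinue
    foreach ($vol in $volumes) {
        Write-Host ('  volume {0}  guid={1}' -f $vol.VolumePath, $vol.VolumeGuid)
        if ($Resume -and ($vol.VolumePath.TrimEnd('\') -eq $VolumePath.TrimEnd('\'))) {
            $result = Invoke-CimMethod -InputObject $vol -MethodName ResumeReplication
            # ReturnValue 0 means the call was accepted; confirm in the DFS Replication log
            # that the service actually reports the volume as resumed afterwards.
            Write-Host ('  ResumeReplication on {0} -> ReturnValue={1}' -f $vol.VolumeGuid, $result.ReturnValue)
        }
    }
}
```

    Run it once without -Resume on every DC first: if one DC still shows msDFSR-Enabled=FALSE, a restore from the KB procedure was never completed and resuming the volume alone will not bring SYSVOL back. Only after the flags are consistent, and the replicated folders are backed up, run it again with -Resume against the DC that logged 2213.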

  • Best Practices - VMware ESX 4.0 in a Cisco Environment?

    Hello,
    I'm presently designing a VMware ESX 4.0 deployment and integrating it with our Cisco environment.  I've found the following document:
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/vmware/VMware.html "VMware Infrastructure 3 in a Cisco Network Environment" and I was just wondering if there was a newer document applicable to ESX 4.x, or if these best practices still apply?
    I'm particularly interested in proper VLAN design for the various port groups within ESX and EtherChannel configuration between ESX hosts and Cisco switches.
    Thanks,
    Rob

    Well, in that this is a Storage group, I'll answer from a storage networking point of view.
    ESX hosts are no different from any other host. Just stick with the standard best practice of single-initiator zoning and you'll be fine.
    As a slight aside, from an array point of view, I've tended to configure all the pWWNs of the whole cluster into one "host" definition, as this makes LUN mapping easier.
    Steven
