Directory Server SMF tripping over itself (crosspost)

I've posted this question in the SMF related forum too, so if replies could go there, that would be handy: [http://forums.sun.com/thread.jspa?messageID=10940406]
We have a working instance of DSEE6.3.1 under Solaris 10 managed via SMF (using the manifest generated by dsadm/dscfg -- I forget which).
# svcs -a | grep ldap-user
online         10:47:08 svc:/application/sun/ds:ds--data-ldap-user-instance
After a forced shutdown, DSEE starts up and does a self-recovery (as it should). When that's complete, the slapd process is running and the startup script exits with status 221 (i.e. not 0) -- however slapd is running.
SMF notices that it's !0 and tries to restart DSEE... by issuing another start. This second start then exits almost immediately saying "slapd already running" but this time exits with 0 -- are we ok? No... cos SMF then notices that all the processes it just started have gone away so it calls "stop" followed by another "start".
This is where it gets a bit hazy as it looks like DSEE never shut down cleanly again so the whole process repeats itself ad infinitum (although I suspect that's a separate issue). :-(
I guess what I'm asking is -- is there a way to stop SMF from doing that: perhaps treat exit=221 as non-fatal and perform a service check?
Log file below:
[ Feb 26 21:40:42 Enabled. ]
[ Feb 26 21:40:50 Executing start method ("/opt/SUNWdsee/ds6/bin/dsadm start --exec /data/ldap/user/instance
Failed to start Directory Server instance '/data/ldap/user/instance'
Waiting for Directory Server instance '/data/ldap/user/instance' to start...
Waiting for Directory Server instance '/data/ldap/user/instance' to start...
Waiting for Directory Server instance '/data/ldap/user/instance' to start...
Waiting for Directory Server instance '/data/ldap/user/instance' to start...
Directory Server instance '/data/ldap/user/instance' has detected a disorderly shutdown or a change in cache size
Recovery phase is starting, this may take a while...
Waiting for Directory Server instance '/data/ldap/user/instance' to start...
Waiting for Directory Server instance '/data/ldap/user/instance' to start...
Waiting for Directory Server instance '/data/ldap/user/instance' to start...
Waiting for Directory Server instance '/data/ldap/user/instance' to start...
Waiting for Directory Server instance '/data/ldap/user/instance' to start...
Waiting for Directory Server instance '/data/ldap/user/instance' to start...
Waiting for Directory Server instance '/data/ldap/user/instance' to start...
ns-slapd wrote the following lines in the error log (/data/ldap/user/instance/logs/errors):
##[26/Feb/2010:22:00:07 +0000] - Sun-Java(tm)-System-Directory/6.3.1 B2008.1121.0156 (64-bit) starting up
##[26/Feb/2010:22:00:09 +0000] - WARNING<20488> - Backend Database - conn=-1 op=-1 msgId=-1 -  Detected Disorderly Shutdown last time Directory Server was running, recovering database.
##[26/Feb/2010:22:01:38 +0000] - Database recovery is 0% complete.
##[26/Feb/2010:22:01:51 +0000] - Database recovery is 100% complete.
##[26/Feb/2010:22:01:59 +0000] - WARNING<20805> - Backend Database - conn=-1 op=0 msgId=-1 -  search is not indexed base='cn=changelog' filter='(replicationcsn>=4b87f656000000000000)' scope='sub'
[ Feb 26 22:02:17 Method "start" exited with status 221 ]
[ Feb 26 22:02:17 Executing start method ("/opt/SUNWdsee/ds6/bin/dsadm start --exec /data/ldap/user/instance
Directory Server instance '/data/ldap/user/instance' is already running (pid: 352)
[ Feb 26 22:02:18 Method "start" exited with status 0 ]
[ Feb 26 22:02:18 Stopping because all processes in service exited. ]
[ Feb 26 22:02:18 Executing stop method ("/opt/SUNWdsee/ds6/bin/dsadm stop --exec /data/ldap/user/instance")
Directory Server instance '/data/ldap/user/instance' stopped
[ Feb 26 22:02:20 Method "stop" exited with status 0 ]
[ Feb 26 22:02:20 Executing start method ("/opt/SUNWdsee/ds6/bin/dsadm start --exec /data/ldap/user/instance
Failed to start Directory Server instance '/data/ldap/user/instance'
.......................... repeat ........................

Well, one way around it is to write your own start script and manage the exit codes yourself.
I have some doubts about the autorestart configuration of DS, especially in a case like this where the server seems to be crashing. Realistically, you can end up worse off if your server has crashed by automatically restarting it. Your data may be corrupt, and the process may eventually stay up (especially if you work around the current issue), but the DS is not really healthy and it does need an administrator to investigate what's wrong with it. It may also return inconsistent or simply bad data to clients. All in all, I would prefer an instance in such a state to stay down and trigger alarms, assuming it has failover peers that can take on its workload.
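The two replies above pull in the same direction: own the start method's exit code yourself, and make a failed start park the service rather than let SMF restart it in a loop. The wrapper below is an added example written for this thread, not a script from the thread or from DSEE. It assumes the dsadm and instance paths quoted in the log, assumes ns-slapd records its pid in <instance>/logs/pid (the liveness check is a hypothetical one; swap in whatever check you trust), and relies on SMF exporting SMF_FMRI to method processes so that the real start only runs under SMF. Exit code 95 is SMF_EXIT_ERR_FATAL from /lib/svc/share/smf_include.sh, which puts the service into maintenance instead of restarting it. By default any non-zero dsadm status is treated as fatal, matching the second reply's preference; setting TOLERATED_STATUSES=221 in the method environment reproduces what the original question asked for, but only when the instance is verified to be up after dsadm returns.

```sh
#!/bin/sh
# Added example: hypothetical SMF start-method wrapper for a DSEE instance.
# Not from the thread or from DSEE. Paths below are the ones the thread shows;
# the pid-file location is an assumption; 0/95 are SMF_EXIT_OK/SMF_EXIT_ERR_FATAL
# as defined in /lib/svc/share/smf_include.sh.

SMF_EXIT_OK=0
SMF_EXIT_ERR_FATAL=95        # SMF moves the service to maintenance, no restart loop

DSADM=${DSADM:-/opt/SUNWdsee/ds6/bin/dsadm}
INSTANCE=${INSTANCE:-/data/ldap/user/instance}

# dsadm exit statuses to tolerate, and only when the instance is confirmed up.
# Empty by default: a failed start stays down for an administrator to inspect.
TOLERATED_STATUSES=${TOLERATED_STATUSES:-}

# Assumed liveness check: a live pid in <instance>/logs/pid means ns-slapd is up.
instance_running() {
    pidfile="$1/logs/pid"
    [ -r "$pidfile" ] && kill -0 "$(cat "$pidfile")" 2>/dev/null
}

# map_start_status RC RUNNING -> prints the exit code the start method must use.
# RC is dsadm's exit status; RUNNING is 1 if the instance was verified up, else 0.
map_start_status() {
    rc=$1
    running=$2
    if [ "$rc" -eq 0 ]; then
        echo "$SMF_EXIT_OK"
        return 0
    fi
    for s in $TOLERATED_STATUSES; do
        if [ "$s" -eq "$rc" ] && [ "$running" -eq 1 ]; then
            # e.g. the post-recovery 221 from the log, with slapd actually running
            echo "$SMF_EXIT_OK"
            return 0
        fi
    done
    # Non-zero and not tolerated, or tolerated but the server is not really up:
    # report fatal so SMF parks the service and the failure raises an alarm.
    echo "$SMF_EXIT_ERR_FATAL"
    return 0
}

# SMF sets SMF_FMRI in the method environment; only then perform the real start.
if [ -n "${SMF_FMRI:-}" ]; then
    "$DSADM" start --exec "$INSTANCE"
    rc=$?
    if instance_running "$INSTANCE"; then running=1; else running=0; fi
    code=$(map_start_status "$rc" "$running")
    if [ "$code" -ne 0 ]; then
        echo "dsadm start exited $rc (instance running=$running): entering maintenance" >&2
    fi
    exit "$code"
fi
```

Point the manifest's start method at this script instead of dsadm directly. The wrapper only decides what SMF is told about the start; it does nothing about the later "Stopping because all processes in service exited" transition, which the question itself treats as a separate problem.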

Similar Messages

  • Issue w/ Case Differences Using the IBM Directory Server MA

    We have the following issue using the IBM Directory Server MA using FIM 2010 R2 (Version 4.1.3479.0).
    We provision a new object, e.g., uid=jdoe,ou=users,o=contoso, into an instance of IBM Directory Server
    The object is created in IBM Directory Server as uid=jdoe,ou=users,o=contoso
    A Full Import on the IBM Directory Server MA runs and confirms the export
    Subsequent imports, sync, and exports run successfully
    <Time passes>
    A Full Import on the IBM Directory Server MA runs, and this object shows up as a staging-error (uid=jdoe,ou=Users,o=contoso)
    Subsequent imports and syncs report errors on this object (staging-error)
    Note that we do not manipulate the anchor (DN) of this object once it is created in IBM Directory Server. Other attributes are synchronized, but the object is never renamed/moved. This case change does not happen with all of the objects brought in during the Full Import, but the number of instances does increase periodically. At this point, it does look like the import is changing from a lowercase "u" to an uppercase "U" but not vice versa.
    I found a related
    TechNet article containing the following remark:
    "IBM Directory Server does not guarantee that the case of a DN component will match in all instances. On a synchronization or import from IBM Directory Server, this can manifest itself as an unexpected update. For example, if you create O=TEST, and then create the user cn=MikeDan,O=TEST, this might be imported from IBM Directory Server as cn=MikeDan,O=test. Because of the case difference, FIM treats this as an update on subsequent full imports."
    Unfortunately, the article does not propose a resolution.
    Has anyone encountered this issue? More importantly has anyone resolved this or found an acceptable workaround?
    Note that deleting the connector space is not an acceptable workaround. :)

    I remember experiencing this issue when we were on 5.0, and I believe it persists through 5.1 as well.
    There is a comment in the 5.2 release notes that something similar was fixed:
    Changing case sensitive attribute values failed in MMR. (4624693)
    If I had to take a wild guess, I would say that the server does some internal checking to see if the value has changed, possibly based on the attribute syntax, to avoid replicating "changes" that really don't change anything except case. I doubt that all your custom attributes are case-sensitive, though. Enabling replication probably "turns on" this behavior, which doesn't go away even if replication is disabled.
    In any case, you're probably out of luck unless/until you upgrade to 5.2.

  • Sun Directory Server 6.0 doesn't use client certificate

    Hi All,
    From a program, if I try to connect twice to a directory server 6.0 over SSL, first with a simple anonymous bind and second with a client certificate, both times it goes through, but the second time it doesn't use the client certificate. From the access log we get to know that it's not using the client certificate as is expected for the second attempt.
    Here is the sample code that I have -
    #include <stdio.h>
    #include <stdlib.h>
    #include <ldap.h>      /* LDAP C SDK shipped with Directory Server */
    #include <ldap_ssl.h>  /* ldapssl_* helpers */

    int main(void)
    {
        int ret;
        char host[] = "xxx";
        int port = 1234;
        char path[] = "/home/xxx/certs";   /* directory holding the certificate/key database */
        int version = LDAP_VERSION3;

        /* 1st connection: SSL with server certificate checking only,
         * followed by an anonymous simple bind. */
        ret = ldapssl_client_init(path, NULL);
        if (ret) printf("ldapssl_client_init failed"), exit(1);
        LDAP *handle = ldapssl_init(host, port, 1);
        if (!handle) printf("ldapssl_init failed"), exit(1);
        ret = ldap_set_option(handle, LDAP_OPT_PROTOCOL_VERSION, &version);
        if (ret) printf("ldap_set_option failed"), exit(1);
        ret = ldap_simple_bind_s(handle, NULL, NULL);
        if (ret) printf("ldap_simple_bind_s failed"), exit(1);
        ret = ldap_unbind_s(handle);
        if (ret) printf("ldap_unbind_s failed"), exit(1);
        printf("1. Successfully connected and disconnected\n");

        /* 2nd connection: initialise client-auth support, select the client
         * certificate "nickname" on the handle, then bind with SASL EXTERNAL so
         * the server identifies the caller from that certificate. */
        ret = ldapssl_clientauth_init(path, NULL, 1, path, NULL);
        if (ret) printf("ldapssl_clientauth_init failed"), exit(1);
        LDAP *ldaph = NULL;
        ldaph = ldapssl_init(host, port, 1);
        if (!ldaph) printf("ldapssl_init failed"), exit(1);
        ret = ldap_set_option(ldaph, LDAP_OPT_PROTOCOL_VERSION, &version);
        if (ret) printf("ldap_set_option failed"), exit(1);
        ret = ldapssl_enable_clientauth(ldaph, (char *) "", (char *) "password", (char *) "nickname");
        if (ret) printf("ldapssl_enable_clientauth failed"), exit(1);
        struct berval *sc = NULL;
        ret = ldap_sasl_bind_s(ldaph, NULL, LDAP_SASL_EXTERNAL, NULL, NULL, NULL, &sc);
        if (ret) printf("ldap_sasl_bind_s failed"), exit(1);
        ret = ldap_unbind_s(ldaph);
        if (ret) printf("ldap_unbind_s failed"), exit(1);
        printf("2. Successfully connected and disconnected\n");
        return 0;
    }
    Any help/pointers in this regard will be highly appreciated.
    Thanks in advance.
    Regards,
    // Rahul

    The program works absolutely fine. Both the times it binds to the directory server. But the 2nd time it doesn't use the client certificate as we expect.
    Here is the output -
    1. Successfully connected and disconnected
    2. Successfully connected and disconnected
    and here is the access log contents -
    [13/Jul/2010:17:31:45 +0530] conn=1074 op=-1 msgId=-1 - fd=39 slot=39 LDAPS connection from 1.2.3.4:1234 to 1.2.3.4
    [13/Jul/2010:17:31:45 +0530] conn=1074 op=-1 msgId=-1 - SSL 128-bit RC4
    [13/Jul/2010:17:31:45 +0530] conn=1074 op=0 msgId=1 - BIND dn="" method=128 version=3
    [13/Jul/2010:17:31:45 +0530] conn=1074 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn=""
    [13/Jul/2010:17:31:45 +0530] conn=1074 op=1 msgId=2 - UNBIND
    [13/Jul/2010:17:31:45 +0530] conn=1074 op=1 msgId=-1 - closing from 1.2.3.4:1234 - U1 - Connection closed by unbind client -
    [13/Jul/2010:17:31:45 +0530] conn=1075 op=-1 msgId=-1 - fd=40 slot=40 LDAPS connection from 1.2.3.4:1234 to 1.2.3.4
    [13/Jul/2010:17:31:45 +0530] conn=1074 op=-1 msgId=-1 - closed.
    [13/Jul/2010:17:31:46 +0530] conn=1075 op=-1 msgId=-1 - SSL 128-bit RC4
    [13/Jul/2010:17:31:46 +0530] conn=1075 op=0 msgId=1 - BIND dn="" method=sasl version=3 mech=EXTERNAL
    [13/Jul/2010:17:31:46 +0530] conn=1075 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn=""
    [13/Jul/2010:17:31:46 +0530] conn=1075 op=1 msgId=2 - UNBIND
    [13/Jul/2010:17:31:46 +0530] conn=1075 op=1 msgId=-1 - closing from 1.2.3.4:1234 - U1 - Connection closed by unbind client -
    [13/Jul/2010:17:31:46 +0530] conn=1075 op=-1 msgId=-1 - closed.
    Thanks and Regards,
    // Rahul

  • What does Directory Server offer over OpenLDAP

    We need to deploy an LDAP solution that out of the gate has HA functionality in a mission critical environment.
    I was wondering what Directory Server offers over OpenLDAP and other LDAP deployments.
    We will not be using this for authentication, but merely a lookup to see if an account exists. Our mail servers will query LDAP to confirm an account exists before accepting the mail. So we will be doing 5,000 - 50,000 queries an hour (with a 10-15 minute caching) against a pair of LDAP servers to query if the email record exists on our system. Down the road we may add other functionality but right now the requirement is very simple but up time is critical as this can be a point of failure for incoming mail.

    Sun Directory Server Enterprise Edition contains more than just an LDAP Server. It is a complete Directory Service solution.
    It has a complete set of documentation and various levels of supports are offered.
    Feature-wise, Multi-Master Replication offers high-availability with very limited down-time, disaster recovery.
    DSEE does scale to hundreds of millions of entries and many tens of thousands of requests per second.
    It is used in many industries (Banking, Telco, Automobile...) for user authentication, security, profiles and much more.
    Regards,
    Ludovic.

  • Urgent help on Sun One Directory server 5.1

    Hi All,
    Am trying to access sun one directory server using the JAVA api provided by the tool itself. Developed an application to access that server and perform several operation.
    When I try to unassign a user from a group, all the users from that group are getting unassigned. Can there be any scenario in which this can happen? The user (not an admin user) who is used to connect to the LDAP server has all privileges to do operations on that group. Moreover, this issue is very inconsistent; we could notice it only once in separate environments (once per environment) and hence it cannot be reproduced.
    Below is snippet which remove a user from a group.
    LDAPAttribute attr = new LDAPAttribute( "uniquemember", userEntryDN );
    LDAPModification ldapMod = new LDAPModification( LDAPModification.DELETE, attr );
    ldapConnection.modify( myEntryDN, ldapMod );
    Any help on this will be greatly appreciated.
    Thanks in advance
    -Sri

    TTT

  • Server can't see itself on network, other devices can

    When I create a Network user either using Server app or Workgroup manager home folder is not created. I started digging and I found that all devices on the network can see and access server's afp, but server can't see itself on network. On everyone's computer's "server" is shown inside finder, but if I open server's finder I can only see other's computers but I can't see server.
    I've tried opening afp://(IP ADDRESS), afp://(DOMAIN), afp://localhost and none of this work inside server. DNS is fine, users can log and see files, etc. The only thing not working is afp from within the server and therefore user's accounts can't be created.
    As a background I have a mac mini running under Mountain Lion with OS Server. I had an issue with Open Directory on which I couldn't edit/create/delete any user so I erased the OD Database and started over again.
    Any idea will be very appreciated.
    Thanks All !!!

    Thanks a lot for your quick response, I'm not sure if I'm doing this correctly but if I use anything with afp.XXXX I get an error saying afp.XXXX.com not found (NXDOMAIN) but also I don't have any server named "afp".
    If I use it without "afp." I get:
    Using domain server:
    Name: 192.168.3.254
    Address: 192.168.3.254#53
    Aliases:
    (server).com has address 192.168.3.254
    or if I use 192.168.3.1 (main router) I get the public IP since everything is forwarded to that server (it is the only one on the network).
    For checking DNS I used changeip -checkhostname and I get:
    Primary address     = 192.168.3.254
    Current HostName    = (server).com
    DNS HostName        = (server).com
    The names match. There is nothing to change.
    dirserv:success = "success"
    When I connect my clients to VPN I don't have any DNS issues.
    I also thought it was a DNS problem but FTP, Web, and everything else works within the server, within the network and for external networks; AFP is the only thing not working.
    Please let me know if you need any information, I really appreciate your help since this is annoying and I can't create folders for new users even if I use the "createhomedir" command.
    Thanks!!

  • Sun Directory Server 5.2 installation problem on AIX 5.2

    Hi,
    I am a newbie to Sun DS 5.2 and I have been stuck during installation for the last 2 days. Could you please guide me to resolve this issue? Please see the error message below.
    Checking disk space...
    The following items for the product Directory Server will be installed:
    Product: Directory Server
    Location: /Sun/mps
    Space Required: 141.70 MB
    Sun ONE Directory Suite
    Sun ONE Directory Server
    Sun ONE Directory Console Support
    Sun ONE Administration Services
    Sun ONE Administration Server
    Sun ONE Administration Console
    Sun ONE Server Console
    Sun ONE Server Console Core
    Java Runtime Environment
    Sun ONE Server Basic Libraries
    Ready to Install
    1. Install Now
    2. Start Over
    3. Exit Installation
    What would you like to do [1] {"<" goes back, "!" exits}? 1
    Installing Directory Server
    |-1%--------------25%-----------------50%-----------------75%--------------100%|
    [slapd-bmpdev4]: starting up server ...
    error:server:The server could not be started due to invalid command syntax or
    operating system resource limits.
    system_errno:2
    Configuration of the Directory Server failed.
    Warning creating dbswitch.conf
    Warning creating ssusers.conf
    Error Directory Server configuration failure
    Checking connection to the Configuration Directory Server... failed.
    The Admininistration Server cannot be configured.
    Error Administration Server configuration failure
    Error Configuration of the server(s) failed.
    Installation Details:
    Product Result More Information
    1. Directory Server Partially Installed. Refer to "Details..." for more
    information. Available
    2. Done
    Enter the number corresponding to the desired selection for more
    information, or enter 2 to continue [2] {"!" exits}: 2
    thanks
    Bala

    You are correct. Dir 5.2 is not certified for AIX 5.2. It does install though. Like a previous response stated, check the permissions for the user you are installing with and the file system you are installing to. Make certain you have enough disk space. My install took 150 MB of disk space. Finally, Dir 5.2 creates the file "/var/adm/sw/productregistry" during install. If you do not have permissions to /var/adm/sw, you may have troubles.
    Tim
    Computer Systems Engineer
    Komatsu Canada Limited

  • Directory Server setup issues.

    I recently installed the new OS X Server on my new iMac. I have two iPhones, two iPod touches, the iMac and an Air that I want to serve. I registered macserved.com and have a static IP. As far as I can tell, the domain and DNS is set up correctly (to serve internal DNS). I had a wordpress blog running for a while and can access it both internally and externally. MySQL was a pain in the butt to configure, but I figured it out. When I started the config for Profile and OD however, I get this error:
    An error occurred while configuring iMac as a directory server. Please check your network configuration and try again.
    So I first checked my hostname:
    Primary address     = 192.168.0.6
    Current HostName    = macserved.com
    DNS HostName        = macserved.com
    The names match. There is nothing to change.
    dirserv:success = "success"
    A little dig output:
    ; <<>> DiG 9.8.3-P1 <<>> macserved.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27076
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;macserved.com.                              IN          A
    ;; ANSWER SECTION:
    macserved.com.                    10800          IN          A          192.168.0.6
    ;; AUTHORITY SECTION:
    macserved.com.                    10800          IN          NS          macserved.com.
    ;; Query time: 2 msec
    ;; SERVER: 192.168.0.6#53(192.168.0.6)
    ;; WHEN: Fri Dec  7 19:24:36 2012
    ;; MSG SIZE  rcvd: 61
    I'm not certain it is a DNS issue, but I'm fairly new to DNS setup so I cannot rule it out.
    Where should I start looking? What should I be looking for in the logs? I'm cool with scrapping everything and starting over as well. Right now I have zero invested in it (no files that need saving, etc) but I would PREFER not to reformat/reinstall OS X though.

    I figured it out! My certificates were hosed. I rm -rf the Authority in Library/ and recreated the certs after DNS was setup properly. Works great now aside from a few other website issues, but that is another thread :-)

  • Ubuntu Karmic authentication against Snow leopard open directory server

    Hi,
    I'm looking for help. I've tried to configure an installation of Karmic to authenticate against our office's open directory server running on an OS X Snow Leopard server. Currently `getent password` shows all users including those from the open directory server when running the command as both root and normal users. However authentication against the open directory users fails with the following messages in /var/log/auth.log:-
    Dec 7 22:42:05 [hostname] getent: nss_ldap: failed to bind to LDAP server ldap://server.domain.com: Invalid credentials
    Dec 7 22:42:05 [hostname] getent: nss_ldap: could not search LDAP server - Server is unavailable
    (I've changed the hostname and ldap url)
    /etc/ldap.conf has:-
    base dc=server,dc=domain,dc=com
    ldap_version 3
    rootbinddn cn=diradmin,dc=server,dc=domain,dc=com
    bind_policy soft
    pam_password md5
    /etc/ldap.secret is set to the password of the diradmin user and has a permission mask of 600
    /etc/pam.d/common-passwd :-
    password sufficient pam_ldap.so md5
    password required pam_unix.so nullok obscure md5
    password optional pam_smbpass.so nullok use_authtok tryfirstpass missingok
    /etc/pam.d/common-auth:-
    auth [success=2 default=ignore] pam_unix.so nullok_secure
    auth [success=1 default=ignore] pam_ldap.so usefirstpass
    auth requisite pam_deny.so
    auth required pam_permit.so
    /etc/pam.d/common-account:-
    account [success=2 newauthtokreqd=done default=ignore] pam_unix.so
    account [success=1 default=ignore] pam_ldap.so
    account requisite pam_deny.so
    account required pam_permit.so
    /etc/pam.d/common-session
    session [default=1] pam_permit.so
    session requisite pam_deny.so
    session required pam_permit.so
    session required pam_unix.so
    session optional pam_ldap.so
    session optional pamckconnector.so nox11
    Does anyone have any ideas where to go from here?
    Message was edited by: zebardy

    Hi
    It's easy enough to 'connect' any version of OS X Server to any other version of OS X Server. Use the Join button in the Users & Groups Preferences Pane. Alternatively use the Directory Utility itself.
    You seem to be misunderstanding what an Open Directory Master and Replica are? They are not what I think you think they are. They are not a 'back-up' of each other if you're providing more than the shared Directory Service.
    An OD Replica maintains a read-only copy of the LDAP Database (Usernames, Passwords and Policies etc) that's stored on the OD Master and nothing more. If the Master was to go offline for any reason the Replica can be quickly promoted to a Master Role and continue to provide information for the shared directory. This assumes it has easy and quick access to the Volume storing networked home folders? The LDAP Database in that case would then become writable. Later on and whenever you've fixed the problem with the old Master it can quickly be demoted and made a Replica of the now new Master.
    Although this is for 10.6 Server (it is nevertheless still applicable) everything you need to know about Master and Replica relationships is here:
    http://manuals.info.apple.com/en_US/OpenDirAdmin_v10.6.pdf
    Page 55 onwards.
    From Page 64:
    "The Open Directory master and its replicas must use the same version of Mac OS X Server. . ."
    If your OD Master is also providing Mail, Calendar and Contact Services then none of these will be replicated. You will have to maintain a backup of these databases yourself using whatever method you deem fit for your needs.
    HTH?
    Tony

  • Open Directory Server "not responding"

    This is strange, and I'm not sure what if anything is wrong...
    My server is an OD Master. LDAP, Password Server, and Kerberos all report running. AFP authentication is set to Kerberos (only). Authenticated directory binding is enabled. Client computers are bound to the directory server. They connect via AFP, a ticket is created (viewable in Ticket Viewer), everything works fine (apparently).
    However... in System Preferences/Accounts/Login Options, there's a red dot (not Leica) next to the directory server IP, and if I click on Edit it says "The server is not responding". This is the case for all client computers, not just one. Not sure when it started; when I set it up they were all green of course.
    So, what does this "server is not responding" mean? Given that clients can do everything they need to do, can/should I consider this a non-issue?

    Thanks Classic and Chris. Good questions.
    The server isn't behaving as expected. Following Classic's suggestion, I tried binding without SSL. I didn't expect it to work, I thought SSL was required. (Under OD Settings/Policies/Binding, "Encrypt all packets (requires SSL or Kerberos)" is checked.) But with SSL unchecked, I was prompted for diradmin username/password. I entered the correct credentials, but they were rejected. So I tried leaving the credentials blank. That bound the client to the directory successfully (green dot). But "Enable authenticated directory binding" is checked.
    With the green dot, I tried connecting to the server over AFP, but could not. Only when I manually copied in the Kerberos file was I able to successfully connect to AFP. (Shouldn't the Kerberos file be created automatically at some point?)
    So, clearly something is wrong with SSL, and also perhaps with my settings. (The server should only allow binding with authentication and over SSL, but it does not, and it does allow unauthenticated binding without SSL.)
    OD Overview confirms that Kerberos is running. Not connected to an AD domain (nor should be).
    Running the kadmin.local command gives me a very long list of items that look like e.g. service/[email protected] or service/LKDC:[email protected] One of the services listed is "afpserver". (There are also listings for a number of services that aren't run on the server.)
    AFP is restricted to two groups; the username I'm using for AFP connections is a member of one of those groups.

  • Active Directory server is not available

    I have just set up and started testing a new Exchange 2007 on my network. We did not have an Exchange before, so this is a new install.
    My domain, xxx.com, is a Windows 2000 native AD. The Exchange 2007 is a Win 2003 SP1 x64; it is also a DC and has all roles assigned to it.
    In my network I have
    dc01 win2000 sp4  dc (gc)
    dc02 win2000 sp4 dc (gc)
    exch01 win 2003 sp1 dc, rid, pdc, fmso, gc, infrastructure and naming
    The install went well, and I have been testing it for the past 2 weeks with dummy accounts, test SMTP connectors, etc. All was working fine, to the point that I have started planning the migration of the users.
    Today I did some mods to IIS for an OWA free SSL from StartCom (as well as the root CAs). I have removed it since.
    I now get the following errors when I start the console, or shell:
    Active Directory server exch01.xxx.com is not available. Error message: A local error occurred.
    It was running command 'get-ExchangeAdministrator'.
    The following error(s) were reported while loading topology information:
    get-ExchangeServer
    Failed
    Error:
    Active Directory server exch01.xxx.com is not available. Error message: A local error occurred.
    A local error occurred.
    get-UMServer
    Failed
    Error:
    Active Directory server exch01.xxx.com is not available. Error message: A local error occurred.
    A local error occurred.
    HELP... I have no idea what it does not like.
    ExBPA does not report anything; I even get it to connect to exch01 for its AD access.
    Any ideas??
    Thanks
    Paul Gartner
    (Overall I like what I have been seeing in Ex2007)

    I think that you might be confusing "AD user account" and "profile". You DO NOT delete Administrator from your AD Users and Computers; you only delete the profile (the \documents and settings\administrator folder). You can NOT do this while you are logged on using the Administrator account.
    Be sure to back up any data in your My Documents and any favorites.
    Create another user that is in the Domain Admins group of your Active Directory, log on with that account and verify that the Exchange tools work. Then follow this to remove the profile:
    >1). Log on to the Exchange server using another admin account.
    >2). Open Control Panel, select System.
    >3). Select the Advanced tab and click the Settings button of User Profiles.
    >4). Delete the profile of the user which encounters this issue.
    >5). Click OK.
    >6). Restart the server and log on to it using the Administrator account.

    Once this is done, log on with your Administrator account and try the tools again; they should work.
    Paul Gartner

  • Can't access my Directory Server using the Console installed on a machine

    I can't access my Directory Server using the Console installed on a remote server. I looked into knowledge base article 4693, but still the same. Any idea?

    I too am having problems accessing Directory Server from Netscape Console installed on WinXP.
    If I try to open Directory Server it doesn't give any error. No windows, nothing.
    If I try the same from the machine on which it is installed, everything is fine. What is strange is that it did open a couple of times. But at the same time I can open the Admin Server and Netscape Messaging Server from the XP box. Searching all over for a solution. Any help/pointers would be greatly appreciated.
    Config details:
    iDS4.13, iMS 5.0, running on Sol 8 box
    Netscape Console 4.2 on WinXP.
    Thanks

  • Installation/Config Problem with Sun Directory Server Control Center (6.0)

    Hi All,
    I have recently attempted an installation of Sun Directory Server EE 6.0 on an x86 Solaris 10 machine.
    I have selected to install Core Directory Server and Sun Directory Server Control Center with my installation.
    After installation, if I check the status of the SUNDSCC, I receive the following message:
    bash-3.00# ./dsccsetup status
    DSCC Application is not installed
    DSCC Agent is registered in Cacao
    DSCC Registry has been created
    Path of DSCC registry is /var/opt/SUNWdsee/dscc6/dcc/ads
    Port of DSCC registry is 3998
    I have also tried to restart the Sun Java Web Console using the /usr/sbin/smcwebserver start command, but that does not do anything.
    If I try to initialize the SUNDSCC using the ./dsccsetup initialize command, the registry gets created, but it still displays as "application not installed".
    I do not understand. I have already installed this application using the JES installer.
    Please help!
    Regards,
    Saahil Goel

    I had a similar issue. Here is how I fixed it.
    Run dsccsetup status with the -v option. It will show you where it is trying to find the DSCC Application. Then do a find on your system to see where it is actually installed. Then simply copy it over to where dsccsetup is looking for it. Then do dsccsetup initialize. Below is what it looked like on my system when I did it:
    # ./dsccsetup status -v
    ## /usr/sbin/smreg is present
    ## /usr/sbin/smcwebserver is present
    ## /opt/server/sun/dscc6/dccapp is MISSING
    DSCC Application is not installed
    ## /opt/sun/cacao/bin/cacaoadm is present
    ## /opt/server/sun/dscc6/lib/jar/nquickmodule.jar is present
    ## Running /opt/sun/cacao/bin/cacaoadm list-modules -r
    DSCC Agent is registered in Cacao
    ## Running /opt/sun/cacao/bin/cacaoadm status
    ## Running /opt/sun/cacao/bin/cacaoadm list-modules
    ## Running /opt/sun/cacao/bin/cacaoadm get-param network-bind-address
    ## Running /opt/sun/cacao/bin/cacaoadm get-param jmxmp-connector-port
    ## /opt/server/sun/ds6/bin/dsadm is present
    DSCC Registry has been created
    Path of DSCC registry is /var/opt/sun/dscc6/dcc/ads
    Port of DSCC registry is 3998
    # find / -name dccapp
    /opt/server/dscc6/dccapp
    # cp -R /opt/server/dscc6 /opt/server/sun
    # ./dsccsetup dismantle
    DSCC Application is not registered in Sun Java(TM) Web Console
    Unregistering DSCC Agent from Cacao...
    Deleting DSCC Registry...
    All server registrations will be definitively erased.
    Existing server instances will not be modified.
    Do you really want to delete the DSCC Registry ? [y/n]y
    Server stopped
    DSCC Registry has been deleted successfully
    # ./dsccsetup initialize
    Registering DSCC Application in Sun Java(TM) Web Console
    This operation is going to stop Sun Java(TM) Web Console.
    Do you want to continue ? [y,n] y
    Stopping Sun Java(TM) Web Console...
    Registration is on-going. Please wait...
    DSCC is registered in Sun Java(TM) Web Console
    Restarting Sun Java(TM) Web Console
    Please wait : this may take several seconds...
    Sun Java(TM) Web Console restarted successfully
    Registering DSCC Agent in Cacao...
    Checking Cacao status...
    Deploying DSCC agent in Cacao...
    DSCC agent has been successfully registered in Cacao.
    Choose password for Directory Service Manager:
    Confirm password for Directory Service Manager:
    Creating DSCC registry...
    DSCC Registry has been created successfully
    Hope this helps.

  • Activity on my DIRECTORY Server

    Hello,
    I use Sun ONE Directory Server for authentication with the COGNOS product.
    I would like to know the activity on my Directory Server, especially who is accessing the server (IP? host? name? application? ...).
    On the admin console, in the log item, we have activated 3 files, "access", "audit" and "error", but the information is very simple.
    Is there any way to log detailed information?
    Is there any log level?
    Thanks in advance.

    Detailed information can be obtained in the access log. You can configure some properties regarding the access log in DSCC or dsconf.
    There you'll see the IP addresses of the clients. You also might take a look at the logconv tool included in the product.
    Given the fact that you're using a product that uses LDAP, I infer that your main client would be your product, and the final actual clients would connect to the product itself, not directly to LDAP; therefore you'll see in the logs only the activity of the Cognos app.
    Regards
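The reply above points at the access log as the place to see which clients are talking to the directory. The script below is an added example (not code from this thread or from the DSEE product) that shows what a defender can pull out of that log: it walks a constructed excerpt in the DSEE access-log style, ties each connection's BIND/SRCH/RESULT lines back to the client IP from the "LDAP connection from" line, and tallies successful binds per DN, failed binds (err=49, invalid credentials), anonymous binds and searches per client. The sample lines, IPs and DNs are all made up for illustration; on a real system you would feed it the instance's access log file, and the point about only seeing the Cognos application's IP still holds, since the end users never bind to LDAP themselves.

```python
import re
from collections import defaultdict

# Constructed sample in the Sun ONE / DSEE access-log style (not a real capture).
# conn=12: an application account binding and searching normally.
# conn=13: two failed binds as Directory Manager from another host.
# conn=14: an anonymous bind followed by a broad subtree search.
SAMPLE_ACCESS_LOG = """\
[26/Feb/2009:21:40:42 +0100] conn=12 op=-1 msgId=-1 - fd=64 slot=64 LDAP connection from 10.1.2.3:50123 to 10.1.2.10
[26/Feb/2009:21:40:42 +0100] conn=12 op=0 msgId=1 - BIND dn="uid=cognos,ou=People,dc=example,dc=com" method=128 version=3
[26/Feb/2009:21:40:42 +0100] conn=12 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=cognos,ou=people,dc=example,dc=com"
[26/Feb/2009:21:40:43 +0100] conn=12 op=1 msgId=2 - SRCH base="ou=People,dc=example,dc=com" scope=2 filter="(uid=alice)" attrs="uid cn"
[26/Feb/2009:21:40:43 +0100] conn=12 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[26/Feb/2009:21:41:10 +0100] conn=13 op=-1 msgId=-1 - fd=65 slot=65 LDAP connection from 10.1.2.44:41001 to 10.1.2.10
[26/Feb/2009:21:41:10 +0100] conn=13 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
[26/Feb/2009:21:41:10 +0100] conn=13 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0
[26/Feb/2009:21:41:11 +0100] conn=13 op=1 msgId=2 - BIND dn="cn=Directory Manager" method=128 version=3
[26/Feb/2009:21:41:11 +0100] conn=13 op=1 msgId=2 - RESULT err=49 tag=97 nentries=0 etime=0
[26/Feb/2009:21:41:12 +0100] conn=13 op=2 msgId=3 - UNBIND
[26/Feb/2009:21:41:12 +0100] conn=13 op=2 msgId=-1 - closing - U1
[26/Feb/2009:21:42:00 +0100] conn=14 op=-1 msgId=-1 - fd=66 slot=66 LDAP connection from 10.1.2.77:33210 to 10.1.2.10
[26/Feb/2009:21:42:00 +0100] conn=14 op=0 msgId=1 - BIND dn="" method=128 version=3
[26/Feb/2009:21:42:00 +0100] conn=14 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
[26/Feb/2009:21:42:01 +0100] conn=14 op=1 msgId=2 - SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL
[26/Feb/2009:21:42:01 +0100] conn=14 op=1 msgId=2 - RESULT err=0 tag=101 nentries=250 etime=1
"""

# The connection-open line carries the only client IP; later lines identify
# the client solely by conn=N, so we have to join on that number.
CONN_RE = re.compile(r"conn=(\d+) op=-1 .*? connection from ([\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) .*? BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) .*? SRCH base="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) .*? RESULT err=(\d+)")


def _new_client():
    return {"binds": defaultdict(int), "failed_binds": 0,
            "anonymous_binds": 0, "searches": 0}


def summarize_access_log(text):
    """Return {client_ip: {binds: {dn: n}, failed_binds, anonymous_binds, searches}}."""
    conn_ip = {}          # conn id -> client IP
    pending_bind = {}     # (conn, op) -> bind DN awaiting its RESULT line
    summary = defaultdict(_new_client)
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            pending_bind[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = SRCH_RE.search(line)
        if m:
            summary[conn_ip.get(m.group(1), "unknown")]["searches"] += 1
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending_bind:
            # The RESULT for a BIND op tells us whether that bind succeeded.
            dn = pending_bind.pop((m.group(1), m.group(2)))
            client = summary[conn_ip.get(m.group(1), "unknown")]
            if int(m.group(3)) != 0:
                client["failed_binds"] += 1
            elif dn == "":
                client["anonymous_binds"] += 1
            else:
                client["binds"][dn] += 1
    return {ip: {**c, "binds": dict(c["binds"])} for ip, c in summary.items()}


def flag_clients(summary, max_failed=1):
    """IPs worth a second look: repeated bind failures or any anonymous bind."""
    return sorted(ip for ip, c in summary.items()
                  if c["failed_binds"] > max_failed or c["anonymous_binds"] > 0)


if __name__ == "__main__":
    report = summarize_access_log(SAMPLE_ACCESS_LOG)
    for ip, c in sorted(report.items()):
        print(ip, c)
    print("review:", flag_clients(report))
```

The thresholds in flag_clients are deliberately low for the sample; on a busy server you would tune max_failed and probably key the failure count on (IP, DN) rather than IP alone. The anonymous-bind counter is the direct check for the "Enable authenticated directory binding" style question raised earlier in this thread: if anonymous binds show up in the access log, the server is accepting them regardless of what the policy checkbox says.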
