Promoting a consumer to master

Hi All,
This is with regard to IDS 4.16. In the event of a master failing, is it possible to promote the consumer to master?
Please let me know the steps to do it, or any other workarounds.
Appreciate your help.
Thanks

It is possible (or so I've been told), but would require you removing the copiedFrom attribute from the base of your tree and then reinitializing all consumers based on the newly promoted master.
chris key

Similar Messages

  • Promote consumer to master

    DS 5.1 sp1 on solaris 8
    I would like to know the official steps to promote a consumer to a master.
    Thanks
    Frank

    This is an outline of the steps - at this point it's all manual, making use of the console for configuring everything, and takes about 30 mins from start to finish on a single supplier/3 consumers configuration. Just need to ensure that no updates occur on the servers while this is being performed.
    For each replication subtree:
    1. Delete old referrals from the new Supplier and all consumers as follows - export data using db2ldif, delete out old referral lines starting with "nsds50ruv: {replica...", import the data back in using ldif2db.
    2. Reset suffix settings (set Enable Databases) and referrals (delete old supplier referrals) on all servers.
    3. Configure changeLog on the new Supplier
    Re-start ns-slapd - if there are no errors at this point, you're good to go.
    4. Configure Replica on the New Supplier
    5. Set up replication agreements on the new Supplier - can say "Do Not Initialize consumer" if all servers were in sync to start with.
    6. Enable whatever supplier settings you need on the new supplier, e.g. schema checking, etc.
    Try it and let me know if it works for you...
    Mala.

  • Cannot import OD archive on standalone server to promote to OD master

    According to page 169 of the OD server manual, I should be able to restore an OD archive on a standalone server - which will then promote it to OD master. The "..." in the Archive/Restore window is shaded and will not allow me to choose a file to restore from. Tried dragging it in too... didn't work.
    Any ideas?
    Thanks.

    Hi
    It also says on Page 168:
    Instead of restoring an Open Directory master from an archive
    you may get better results by promoting a replica to be the master.
    The replica may have more recent directory and authentication data than the archive.
    Restoring an LDAP database in my view should be done after promotion to Open Directory Master. If the DNS Service is not configured and running then I can’t see how restoring the LDAP database to a Standalone server will restore that service. I also happen to think that if you restore an LDAP database from an OD Master that was having problems then you could possibly be restoring the problem again. Nothing needs to be restored to a Replica as the Replica will pick up what it needs from the Master. Page 169 of the Manual also says:
    An Open Directory master requires properly configured DNS so it can
    provide single sign-on Kerberos authentication.
    Tony

  • Non-AD Integrated Secondary DNS Promote to Master?

    Hello. We currently run a non-domain joined 2012 R2 DNS server for our external .com domain. I would like to stand up a secondary in our DR datacenter, but am wondering how I would promote it to master in the event our current master were to fail? Both platforms are Server 2012 R2.
    ns1.domain.com = master
    ns2.domain.com = secondary
    In the event ns1 experienced a failure, I'd like to be able to promote ns2 to become master (authoritative) for the .com domain to allow record changes.

    Hi,
    According to your description, my understanding is that the primary DNS server has gone down, and you want to change the secondary DNS server (not a domain member and configured for external name resolution) into the primary DNS server.
    If there is one DNS server in your domain, I am wondering whether it is an AD-Integrated zone, and whether the secondary DNS server has a fully transferred secondary zone.
    In general, comparing the secondary DNS server with the primary DNS server, you may find that the secondary one does not have a folder in Forward Lookup Zones named _msdcs.<domain.com>; through zone transfer we could copy this folder and its RRs. But considering the primary DNS server is down, we need to manually copy this data to the secondary DNS server.
    If the primary zone is not AD-Integrated, open the path %systemroot%\system32\dns\ on the primary DNS server and copy the file _msdcs.domain.com.dns/domain.com.dns to the corresponding path on the secondary DNS server, then create a primary zone using this existing file. All RRs will be displayed once the zone has been created.
    For an AD-Integrated primary zone, we need to back up the zone by command line and then restore it to the secondary DNS server; for detailed steps you may refer to:
    https://technet.microsoft.com/en-us/library/jj649877.aspx
    https://technet.microsoft.com/zh-cn/library/ff807395(v=ws.10).aspx
    Or you may also try to manually add the folder _msdcs.domain.com.dns, including its subfolders and RRs. And remember to change the secondary zone type to primary.
    And remember to redirect DNS clients to use the secondary DNS server as the primary one.
    Best Regards,
    Eve Wang
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Error in log file of consumer.

    Hi
    I have the following error in the log file of a consumer. I have no idea why it appears.
    [08/Oct/2003:10:56:00 -0500] - ERROR<5398> - Entry - conn=-1 op=-1 msgId=-1 - Duplicate value addition in attribute "nsslapd-referral" of entry "cn=\22dc=alltel,dc=com\22,cn=mapping tree,cn=config"
    Thanking you,
    kumar

    Did you promote/demote a server (like from consumer to master, master to consumer, hub to consumer/master), or disable replication and re-enable it with another unique ID and recreate the replication agreements again?
    IF YES, find out the current Unique ID in all the related servers and delete the old server IDs in nsslapd-referral.
    Also, the error will tell you for which server it is trying to update the duplicate entry. Mostly, that entry will be the old value, as I explained before.
    I have seen this before and mostly by doing the above it gets corrected. I recommend that you think before doing it.
    In any case, don't forget to update us, since this is a tricky situation to me.
    -Kunal
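Added example, not code from either thread above and not part of any Netscape/Sun DS tooling: a small Python helper for the two LDIF clean-ups described in this section, Mala's step of deleting the "nsds50ruv: {replica..." lines from a db2ldif export before re-importing it with ldif2db, and Kunal's advice to locate the stale server entries behind a "Duplicate value addition in attribute nsslapd-referral" error. The LDIF content, hostnames and replica IDs are constructed for the example; only the attribute names come from the posts.

```python
"""LDIF clean-up helpers for promoting a consumer to master (added example).

strip_replica_ruv()        - remove nsds50ruv: {replica...} values from an export
find_duplicate_referrals() - report nsslapd-referral values listed more than once
"""
import re
from collections import Counter


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def split_entries(lines):
    """Group unfolded lines into entries; entries are separated by blank lines."""
    entries, current = [], []
    for line in lines:
        if line.strip() == "":
            if current:
                entries.append(current)
                current = []
        elif not line.startswith("#"):
            current.append(line)
    if current:
        entries.append(current)
    return entries


# Matches both "{replicageneration} ..." and "{replica N ldap://...} ..." values,
# i.e. every line Mala's step 1 says to delete before ldif2db.
RUV_RE = re.compile(r"^nsds50ruv:\s*\{replica", re.IGNORECASE)


def strip_replica_ruv(text):
    """Return (cleaned LDIF text, number of nsds50ruv values removed)."""
    kept, removed = [], 0
    for line in unfold_ldif(text):
        if RUV_RE.match(line):
            removed += 1
            continue
        kept.append(line)
    return "\n".join(kept) + "\n", removed


def find_duplicate_referrals(text, attr="nsslapd-referral"):
    """Map each entry DN to the referral values that occur more than once.

    Base64-encoded ("::") DNs and values are not decoded in this example.
    """
    dupes = {}
    for entry in split_entries(unfold_ldif(text)):
        dn = next((l[3:].strip() for l in entry if l.lower().startswith("dn:")), "")
        values = [l.split(":", 1)[1].strip() for l in entry
                  if l.lower().startswith(attr.lower() + ":")]
        repeated = sorted(v for v, n in Counter(values).items() if n > 1)
        if repeated:
            dupes[dn] = repeated
    return dupes


# Constructed db2ldif-style export: the RUV values carry a folded continuation line.
EXPORT_LDIF = """\
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example
nsds50ruv: {replicageneration} 3f9d3d2c000000010000
nsds50ruv: {replica 1 ldap://old-master.example.com:389} 3f9d3d2c0000000100
 00 3f9e4a1b000000010000
nsds50ruv: {replica 2 ldap://new-master.example.com:389} 3f9d4c1d000000020000

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
"""

# Constructed mapping-tree entry with the old master's referral listed twice.
MAPPING_TREE_LDIF = """\
dn: cn="dc=example,dc=com",cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: "dc=example,dc=com"
nsslapd-state: referral on update
nsslapd-referral: ldap://old-master.example.com:389/dc%3Dexample%2Cdc%3Dcom
nsslapd-referral: ldap://new-master.example.com:389/dc%3Dexample%2Cdc%3Dcom
nsslapd-referral: ldap://old-master.example.com:389/dc%3Dexample%2Cdc%3Dcom
"""

if __name__ == "__main__":
    cleaned, count = strip_replica_ruv(EXPORT_LDIF)
    print(f"removed {count} nsds50ruv value(s); cleaned export follows\n{cleaned}")
    for dn, vals in find_duplicate_referrals(MAPPING_TREE_LDIF).items():
        print(f"duplicate referral(s) in {dn}:")
        for v in vals:
            print("   ", v)
```

Run it against a real export by reading the db2ldif output into strip_replica_ruv() and writing the result to the file you feed ldif2db; unfolding the continuation lines produces LDIF that is still valid for import. For the referral check, export cn=config (or the mapping tree subtree) and pass that text to find_duplicate_referrals(); any value it reports that names a server ID no longer in the topology is the stale entry Kunal describes.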

  • Multi master replication between 5.2 and 6.3.1

    I have a setup in which I have a master running version 5.2 and about 15 consumers (slaves), all of which have been upgraded to 6.3.1. I now want to create a multi-master topology by promoting one of these consumers to be a master and still keep the 5.2 in use, as we have a bunch of other applications that depend on the 5.2 instance. Our master has two suffixes. The master server is also the CA cert authority for all the consumers. After reading the docs I narrowed down the procedure to be:
    1. Promote one of the 6.3.1 consumers to hub and then to master using the dsconf promote-repl commands. The problem here is that I am not sure how I can create a single consumer that can slave both the suffixes. We currently have them being slaved to different consumers.
    Also, do I need to stop the existing replication between the 5.2 master and the would-be 6.3.1 master to promote to hub and master?
    2. Set the replication manager manually or using dsconf set-server-prop on the new 6.3.1 master.
    3. Create a new replication agreement from 5.2 to 6.3.1 master without initializing (using the Java console).
    4. Create a new replication agreement from 6.3.1 to 5.2 (using the command line).
    5. Create new repl agreements between the new 6.3.1 master and all the other consumers. For this, do I need to first disable all the agreements between 5.2 and 6.3, or can I create new agreements without disabling the old ones?
    6. Initialize 6.3.1 from the 5.2 master.
    My biggest concern at this point is surrounding the SSL certs and the existing trusts the consumers have with the 5.2 master. Currently my 5.2 server acts as the CA authority for our certificate management with the LDAP slaves. How can I migrate this functionality to the new server, and also will this affect how the slaves communicate with the new master server?
    Thanks in advance.

    Thanks Marco and Chris for the replies.
    I was able to get around the message by first manually initializing the new slave using an LDIF of the ou from the master, using dscc to change the default replication manager account to connect, and finally editing the dse.ldif to enter the correct crypt hash for the new repl manager password. After these steps I was able to successfully set up replication to the second ou and also promote it to hub and master (I had to repeat the steps after promotion of the slave to master, as somehow it reset the replication manager settings when I did that).
    So right now, I have a 5.2 master with two ou's replicating to about 15 consumers.
    I promoted one of these to be a second master (from consumer to hub to master). Replication is set up from 5.2 to the 6.3 master but not the other way round.
    I am a little bit nervous setting up replication the other way round, as this is our production environment and I do not want to end up blowing up my production instance. The steps I plan on taking are, from the new master server:
    1. dsconf create-repl-agmt -p 389 dc=xxxxx,dc=com <5.2-master>:389
    2. dsconf set-repl-agmt-prop -p 389 dc=xxxxx,dc=com <5.2-master>:389 auth-pwd-file:<passwd_file.txt>
    I am assuming I can do all of this while the instances are up. Also, in the above, does create-repl-agmt just create the agreement, or does it also initialize the consumer with the data? I want to ensure I do not initialize my 5.2 master with my 6.3 data.
    Thanks again

  • Changing an OD-master's IP

    Hi there
    I just replied to this thread
    http://discussions.apple.com/thread.jspa?threadID=2597349&tstart=0
    claiming that it seems quite impossible to change a server's IP address if already promoted to an OD master (and that it seems easier to start from scratch).
    Any suggestions on how to do it (and - especially - HOW) are very welcome.
    Regards
    Roman

    Hi
    The changeip command in 10.7 is no longer required and similarly the scutil commands. Although scutil can still be used successfully.
    Apple recommend you change the Computer Name first in the Sharing Preferences Pane and then use the Server App to finalise the changes. If it was me I would export or archive the LDAP Database first using whatever method seems appropriate to you, demote to Standalone, make the changes and re-promote again. Import or restore the LDAP database afterwards. Even if you don't go for demotion/re-promotion I would still export or archive the LDAP database first. Similarly any other databases that are LDAP related just in case.
    HTH?
    Tony

  • Error in log file (WWC-41439)

    Hi,
    When I installed Oracle Portal, I had the error WWC-41439 when I tried to log in to Oracle Portal. I reviewed the log file and saw the following error. (I have installed Oracle Portal 3.0, Oracle Database 8.1.7 on Windows NT.)
    STEP 24 : Installing SSO packages to public
    INSTALL_ACTION : installSSOLayer()..\..\bin\sqlplus portal30_sso/portal30_sso@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521)))(CONNECT_DATA=(SID=or8i))) @..\..\portal30\admin\plsql\sso\ssoinsg.sql
    STEP 25 : Associating Login Server & Oracle Portal
    INSTALL_ACTION :assocNewLoginServer: Portal Url Prefix: http://pablo/pls/portal30/
    INSTALL_ACTION :assocNewLoginServer: SSO URL Prefix: http://pablo/pls/portal30_sso/
    INSTALL_ACTION : assocNewLoginServer: ..\..\bin\sqlplus portal30_sso/portal30_sso@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521)))(CONNECT_DATA=(SID=or8i))) @..\..\portal30\admin\plsql\sso\ssoseedl.sql portal30 http://pablo/pls/portal30/ portal30_sso http://pablo/pls/portal30_sso/ NO
    INSTALL_ACTION : assocNewLoginServer: ..\..\bin\sqlplus portal30_sso/portal30_sso@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521)))(CONNECT_DATA=(SID=or8i))) @..\..\portal30\admin\plsql\sso\ssoinsgp.sql portal30
    INSTALL_ACTION : assocNewLoginServer:..\..\bin\sqlplus portal30/portal30@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521)))(CONNECT_DATA=(SID=or8i))) @..\..\portal30\admin\plsql\sso\ssoseedw.sql portal30 portal30_sso http://pablo/pls/portal30_sso/ http://pablo/pls/portal30/
    INSTALL_ACTION : STEP 19 : assocNewLoginServer:..\..\bin\sqlplus portal30/portal30@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521)))(CONNECT_DATA=(SID=or8i))) @..\..\portal30\admin\plsql\wwc\secpsr.sql
    INSTALL_ACTION : STEP 19 : assocNewLoginServer:..\..\bin\sqlplus portal30/portal30@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521)))(CONNECT_DATA=(SID=or8i))) @..\..\portal30\admin\plsql\wwc\secps.sql portal30_sso_PS N N N N
    INSTALL_ACTION : assocNewLoginServer:..\..\bin\sqlplus portal30_sso/portal30_sso@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521)))(CONNECT_DATA=(SID=or8i))) @..\..\portal30\admin\plsql\sso\ssoinsrp.sql portal30
    INSTALL_ACTION : assocNewLoginServer:..\..\bin\sqlplus portal30_sso/portal30_sso@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521)))(CONNECT_DATA=(SID=or8i))) @..\..\portal30\admin\plsql\sso\ssoseedu.sql portal30
    Installing and running diagnostics
    INSTALL_ACTION:installDiagnostics() : ..\..\bin\loadjava -resolve -verbose -thin -user portal30/portal30@localhost:1521:or8i ..\..\portal30\admin\plsql\wwc\Diagnose.class
    C:\ORACLE\iSuites\assistants\opca>REM
    C:\ORACLE\iSuites\assistants\opca>REM $Header: runljava.bat@@/main/3 \
    C:\ORACLE\iSuites\assistants\opca>REM Checked in on Fri Nov 17 15:32:36 PST 2000 by meoropez \
    C:\ORACLE\iSuites\assistants\opca>REM Copyright (c) 2000 by Oracle Corporation. All Rights Reserved. \
    C:\ORACLE\iSuites\assistants\opca>REM $
    C:\ORACLE\iSuites\assistants\opca>REM
    C:\ORACLE\iSuites\assistants\opca>Rem For running the Loadjava from the Configuration Assistant.
    C:\ORACLE\iSuites\assistants\opca>..\..\bin\loadjava -resolve -verbose -thin -user portal30/portal30@localhost:1521:or8i ..\..\portal30\admin\plsql\wwc\Diagnose.class
    INSTALL_ACTION : Running Diagnostics ..\..\bin\sqlplus portal30/portal30@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521)))(CONNECT_DATA=(SID=or8i))) @..\..\portal30\admin\plsql\wwc\secdiag.sql
    SQL*Plus: Release 8.1.7.0.0 - Production on Dom Abr 20 20:23:37 2003
    (c) Copyright 2000 Oracle Corporation. All rights reserved.
    Conectado a:
    Oracle8i Enterprise Edition Release 8.1.7.0.0 - Production
    With the Partitioning option
    JServer Release 8.1.7.0.0 - Production
    Creating Table 'wwsec_diagnostic$'
    Creating Sequence 'wwsec_diagnostic_seq'
    Diagnostics Report v 1.01: Oracle Portal v 3.0.9.8.0
    As of 20-Abr-2003 20:23:41 Schema Name: PORTAL30 SSO Schema Name: portal30_sso
    Proxy Server Settings:
    HTTP Server:
    HTTP Server Port:
    No Proxy Servers for Domains beginning with:
    URL Connection Time-Out (seconds):
    PORTAL30.wwsec_enabler_config_info$
    Login Server URL : http://pablo/pls/portal30_sso/portal30_sso.wwsso_app_admin.ls_login
    DAD          : portal30_sso
    Host connection : *** FAILED ***
    Unable to find the Schema Name for the Login Server
    Recommendations:
    Please check the DAD settings for the Login Server
    Desconectado de Oracle8i Enterprise Edition Release 8.1.7.0.0 - Production
    With the Partitioning option
    JServer Release 8.1.7.0.0 - Production
    INSTALL_ACTION : End of Installation.
    How do I resolve the problem?
    Is there somebody in the same situation?
    Thank you

  • Error in log file CallbackDispather

    We've been seeing a random occurrence of the following error:
    Thu May 17 04:27:12 EDT 2001:<I> <Kernel> Address: '39942' in use by: 'weblogic.common.CallbackDispatcher@9c06',
    can not
    install 'weblogic.rmi.internal.BasicRemoteInvokable@9c06'
    Thu May 17 04:42:48 EDT 2001:<I> <Kernel> Address: '40135' in use by: 'weblogic.common.CallbackDispatcher@9cc7',
    can not
    install 'ClientContext - id: '#|website|19910.989894283938', bound: 'false', dead:
    'false''
    Thu May 17 07:19:22 EDT 2001:<I> <Kernel> Address: '42099' in use by: 'weblogic.common.CallbackDispatcher@a473',
    can not
    install 'ClientContext - id: '#|website|20892.989894283938', bound: 'false', dead:
    'false''
    It happens sometimes about an hour apart, sometimes 12 or so hours apart. There
    doesn't seem to be any pattern. What would cause this?
    We are running on an E450 4-proc box, WLS 5.1 SP6.
    In front of it we have an E250 2-proc, iPlanet 4.1 SP5.
    Behind it we have an E4500 8-proc, Oracle 8.1.5.
    We're using the OCI driver.
    We started seeing these after making a code change, where we set auto commit
    to false and explicitly committed all transactions. Obviously something with this
    has an effect. Can anyone help us understand what and why.
    Thanks in advance.

  • LDAP + DNS + noob=Massive Pain (LONG)

    I am running 10.4.11 as a home server/gateway. There are two NICs. The first is connected directly to the modem via ethernet, the second goes to a switch for the LAN. When I set up this server I started small with AFP, DHCP, DNS, Firewall, and Web. I pointed my domain to my IP. Set up the DNS; for this example let's call the domain I am hosting homepages.com. I called the server ns1.homepages.com. I used AFP to mount the directory for the apache root and started to drop my html/php in there. Then I started up MySQL and installed phpMyAdmin. Things worked. Upgraded to php5. This was frustrating but in the end, all went well. Then I added a second domain in the DNS. I selected the IP of the second NIC for this second domain because I wanted to name the computers here in my home office, as I have a couple of part time employees and thought that names would be easier than IP addresses. I called the server server.home.art, with home.art being the domain. Other computers obviously had names like scanner.home.art or filemaker.home.art or entertainment.home.art, you get the idea. Now it has become rather cumbersome to manage the part time folks all on separate machines, all with local users and all with permission issues to deal with. So I started to ask around and I was told that the Open Directory service could help out. So I promoted the server to Master and immediately ran into problems. You can see a thread over at afp548 here:
    http://www.afp548.com/forum/viewtopic.php?showtopic=19082
    I guess my biggest problem here is my internal vs. external domain. When I originally promoted this to Master the Kerberos Realm and Search base were crazy; they were being pulled from the IN.ARPA from my ISP. That didn't work because the client machines couldn't resolve that; they were looking for the internal domain, home.art. It took me quite a while to figure that out. So after many, many, many promotions/demotions of the Open Directory and many uses of changeip I am still getting errors, either when I try and promote the server to Master or from clients. The clients range from network users being shook off with no errors to the error that started the above thread, "home directory is on an AFP volume and cannot be mounted."
    I was finally able to get my hostnames to agree with the external name, the ns1.homepages.com, but then I have massive problems with the clients on the LAN connecting to the server. I REALLY want to use the Kerberos Realm HOME.ART but it really doesn't like that. When I promote it that way it hangs, gives me errors both in the GUI and in the logs. If I use NS1.HOMEPAGES.COM, everything starts smoothly but then the clients have problems.
    Is there any way to get the DNS for the internal to the Kerberos Realm instead of the external? I have tried to demote the server to stand alone, save and restart. Then use "sudo changeip - myip myip ns1.homepages.com server.home.art". And then restart the machine. Promote it to Master, but the Kerberos Realm still shows as NS1.HOMEPAGES.COM. The search base changes to dc=server, dc=home, dc=art, but when I input a Password and "Create" the master I get a "service encountered an error" and "settings is not available, this is a one time alert" and then multiple errors in the logs, namely slapconfig:
    Creating Kerberos directory
    Creating KDC Config File
    Creating Admin ACL File
    Creating Kerberos Master Key
    Creating Kerberos Database
    Creating Kerberos Admin user
    WARNING: no policy specified for [email protected]; defaulting to no policy
    Adding kerberos auth authority to admin user
    Finally, when I demote the server, changeip the name back to the ns1 name and promote the server back AND still can't login into accounts I get errors like this in kadmin:
    Jan 13 20:36:48 ns1.homepages.com kadmin.local[1575](info): No dictionary file specified, continuing without one.
    This error hits the log in three every 4 minutes.
    Or in LDAP Log I see errors like this:
    Jan 13 20:32:23 ns1 slapd[580]: Entry (uid=hollbo,cn=users,dc=ns1,dc=homepages,dc=com): object class 'posixAccount' requires attribute 'homeDirectory'\n
    Jan 13 20:32:23 ns1 slapd[580]: entry failed schema check: object class 'posixAccount' requires attribute 'homeDirectory'\n
    Jan 13 20:36:50 ns1 slapd[580]: SASL [conn=112] Failure: no user in database\n
    Jan 13 20:37:01 ns1 slapd[580]: SASL [conn=126] Failure: no user in database\n
    Jan 13 20:39:24 ns1 slapd[580]: SASL [conn=139] Failure: no user in database\n
    Jan 13 20:41:14 ns1 slapd[580]: SASL [conn=160] Failure: no user in database\n
    Jan 13 20:42:46 ns1 slapd[580]: SASL [conn=172] Failure: no user in database\n
    Jan 13 21:11:38 ns1 slapd[580]: slapd shutdown: waiting for 0 threads to terminate\n
    Jan 13 21:11:38 ns1 slapd[580]: bdb(dc=ns1,dc=homepages,dc=com): Locker still has locks\n
    Jan 13 21:11:38 ns1 slapd[580]: bdblocker_idfree: 16 err Invalid argument(22)\n
    Jan 13 21:11:38 ns1 slapd[580]: bdb(dc=ns1,dc=homepages,dc=com): apple-category.bdb: unable to flush: No such file or directory\n
    I'm really confused and have received so many errors that I am beginning to wonder if I have fiddled so much that I have created serious problems with Kerberos. I don't know whether that is possible or not but I could really use some advice on this.
    thanks

    Ok Let me try this again. (My butterfingers have caused more problems with my server configuration than I can tell you).
    *The nightmare that can be Open Directory:*
    It is often best to just start over with a clean install of the server software when your OD keeps failing as you describe. This is no fun, and is time consuming, but it is more likely to give you success. (Hopefully you are paid by the hour and your boss is supportive). If you choose this route, make sure you take the following steps. During the "setup assistant" process, make the server a stand-alone server at first and *do not turn on any other services*.
    Once your server is up and running, set up your DNS configuration. DNS *absolutely must be configured correctly and queries for your OD by domain name should resolve to the machine.* If DNS isn't working, OD won't work. And you *cannot use the bonjour zeroconf/mDNS* with OD.
    The DNS zones must
    *allow recursion*
    *should not allow zone transfers*.
    Your DNS servers field in the network configuration system preference pane should point to the internal LAN DNS server IP address (If you are using DNS on the same machine as your OD, then point it to that machine's private IP address).
    Start DNS
    Restart the computer.
    With OS X 10.4 and higher, setting up your zones is much easier and less prone to error than earlier versions, but verification is important.
    Once you are rebooted, there are a number of tools you can use to test the DNS configuration.
    Check your zone files by opening terminal and typing (in your case) *sudo named-checkzone art /var/named/art.zone* or *sudo named-checkzone home.art /var/named/home.art.zone* . As you can see, the zone file is named whatever you called your zone name with the ".zone" on the end. You next need to verify that the configuration file is correct for dns. Do this by typing *sudo named-checkconf /etc/named.conf*
    Use Network Utility to perform a lookup on your server's domain name and a reverse lookup by typing in your server's IP address. If both come back without errors and look similar to a lookup of a public nameserver that you know is functional.
    Do a search here or on the web in general regarding the errors you may receive if any from these commands. Mac OS X server 10.4 uses BIND9, so the number of sites with tutorials and information about errors and configuration issues are vast.
    It is valuable to know that the location of the zone files and configuration files varies somewhat depending on the version of Linux/Unix. For instance, Debian installs put the entire batch of files in /etc/bind and separate the named.conf file from the local configuration (named.conf.local) and options (named.conf.options), and split up the zone files for the localhost into groupings based on IP address octets, while Mac OS X puts the configuration files in /etc/named.conf and /etc/rndc.key, and puts the zone files in /var/named/. Regardless, the content of these files is completely compatible.
    Then you can convert the server to an open directory master. If the dialog shows the correct info for your server (DC=HOME,DC=ART) you should be good to go.
    To reiterate: if DNS is configured correctly, OD should also work properly, especially if you start with a virgin server.
    *Throwing Caution to the Wind*
    Reinstalling everything from scratch is going to result in the most durable solution. With that in mind, why not take some time to learn a bit about how the system is laid out by really mucking it up. If you are methodical enough, you may actually solve your problem in the process.
    OD stores files in certain locations in the /private/var/db/openldap and /private/etc/openldap folders. In /private/etc/openldap there are loose files in the root and a folder called schemas. The latter folder should remain unchanged from first install. It just contains the descriptors for various configurations. The files "ldap.conf and ldap.conf.default" should be relatively untouched. The slapd.conf and slapd-related files are what contain the info you need. Specifically the slapd_macosxserver.conf file. This is the only file that should contain information specific to your Open Directory configuration.
    The OD database is stored in /var/db/openldap
    Your kerberos information is stored in a number of files including /etc/krb5.keytab and /var/krb5kdc. Also information is stored in the kerberos.mit files in your /Library/Preferences folder.
    I won't tell you what to do with these files. But if you demote your server to standalone, reboot in single user mode (hold command-s at startup, and follow the instructions to /sbin/fsck -fy and /sbin/mount -rw / at the command prompt) and move (mv) any of the files to backup folders or rename folders so the software does not find them (except /etc/openldap/ldap.conf, ldap.conf.default, and schemas). You use the mv command to do this. mv allows you to move and rename files. It does not create new folders, so you need to do that ahead of time using mkdir if that is your plan of attack. The format of the command is fairly straightforward: if you wanted to rename the folder /var/db/openldap to a backup name you would type *mv /var/db/openldap /var/db/openldap.backup* . To move all the files within a given folder without moving the enclosing folder itself (say /tmp/501) to a new one (say /Users/administrator/Desktop/tmpBackup), you would type *mkdir /Users/administrator/Desktop/tmpBackup; mv /tmp/501/* /Users/administrator/Desktop/tmpBackup* The semi-colon tells the shell that you are starting a new command.
    Beyond this, you will have to just experiment. If anything, the half-hour you spend mucking up your system will be an invaluable learning experience even if you end up having to reinstall the OS and Server software from scratch.
    I hope this is helpful for you.
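One way to script the forward/reverse DNS verification Tony describes above before promoting a server to Open Directory master, as an added example that is not part of the original post and not Apple's tooling. It runs against a constructed in-memory zone so it works offline; the two socket-based resolvers at the end can be passed in instead to check a live host. The IP addresses and the ISP reverse name are made up; the hostnames and the HOME.ART realm are the ones from the question.

```python
"""Pre-flight DNS check for an Open Directory master (added example).

The promotion wizard takes the host name from the reverse (PTR) record, so a
generic ISP reverse name for the server's address drives both the Kerberos
realm and the LDAP search base, which is the failure described in the question.
"""
import ipaddress
import socket


def expected_realm(fqdn):
    """Realm conventionally derived from a host's DNS domain, upper-cased."""
    parts = fqdn.rstrip(".").split(".", 1)
    return (parts[1] if len(parts) == 2 else parts[0]).upper()


def check_dns_for_od(fqdn, ip, resolve_a, resolve_ptr, wanted_realm=None):
    """Return a list of problems; an empty list means forward and reverse agree.

    resolve_a(name) -> list of IPv4 strings; resolve_ptr(ip) -> list of names.
    """
    ipaddress.ip_address(ip)  # reject malformed input early (raises ValueError)
    fqdn = fqdn.rstrip(".").lower()
    problems = []

    addrs = resolve_a(fqdn)
    if not addrs:
        problems.append(f"forward lookup of {fqdn} returned nothing")
    elif ip not in addrs:
        problems.append(f"{fqdn} resolves to {addrs}, not the configured {ip}")

    names = [n.rstrip(".").lower() for n in resolve_ptr(ip)]
    if not names:
        problems.append(f"reverse lookup of {ip} returned nothing")
    elif fqdn not in names:
        problems.append(f"reverse lookup of {ip} gives {names[0]}, not {fqdn}")

    # The realm the wizard would derive from the PTR name versus the one you want.
    if wanted_realm and names and expected_realm(names[0]) != wanted_realm.upper():
        problems.append(f"PTR name {names[0]} implies realm "
                        f"{expected_realm(names[0])}, wanted {wanted_realm.upper()}")
    return problems


# Constructed sample zone (not the poster's real data): the LAN address has a
# matching PTR, the public address only has the ISP's generic reverse name.
SAMPLE_A = {
    "server.home.art": ["192.168.1.2"],
    "ns1.homepages.com": ["203.0.113.10"],
}
SAMPLE_PTR = {
    "192.168.1.2": ["server.home.art."],
    "203.0.113.10": ["203-0-113-10.dsl.isp.example."],
}


def sample_resolve_a(name):
    return SAMPLE_A.get(name.rstrip(".").lower(), [])


def sample_resolve_ptr(ip):
    return SAMPLE_PTR.get(ip, [])


def live_resolve_a(name):
    """Forward lookup through the system resolver, for checking a real host."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def live_resolve_ptr(ip):
    """Reverse lookup through the system resolver, for checking a real host."""
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except (socket.herror, socket.gaierror):
        return []


if __name__ == "__main__":
    for host, addr in (("server.home.art", "192.168.1.2"),
                       ("ns1.homepages.com", "203.0.113.10")):
        found = check_dns_for_od(host, addr, sample_resolve_a, sample_resolve_ptr, "HOME.ART")
        print(host, "OK" if not found else "\n  " + "\n  ".join(found))
```

Against the sample zone, server.home.art on the LAN address passes, while ns1.homepages.com on the public address is flagged twice: the PTR points at the ISP name rather than the host, and the realm derived from that name is not HOME.ART. Only when a host comes back with an empty list is it worth starting the promotion; otherwise fix the zone (and the Network preference pane's DNS server, as Tony says) first.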

  • Replication fail-over and reconfiguration

    I would like to get a conversation going on the topic of Replication, I have
    setup replication on several sites using the Netscape / iPlanet 4.x server
    and all has worked fine so far. I now need to produce some documentation and
    testing for replication fail-over for the master. I would like to hear from
    anyone with some experience on promoting a consumer to a supplier. I'm
    looking for the best practice on this issue. Here is what I am thinking,
    please feel free to correct me or add input.
    Disaster recovery plan:
    1.) Select a consumer from the group of read-only replicas
    2.) Change the database from Read-Only to Read-Write
    3.) Delete the replication agreement (in my case I am using a SIR)
    4.) Create a new agreement to reflect the supplier status of the chosen
    replica (again a SIR for me)
    5.) Reinitialize the consumers (Online or LDIF depending on your number of
    entries)
    That is the general plan so far. Other questions and topics might include:
    1.) What to do when the original master comes back online
    2.) DNS round-robin strategies (Hardware assistance, Dynamic DNS, etc)
    3.) General backup and recovery procedures when: 1.) Directory is corrupted
    2.) Link is down / network is partitioned 3.) Disk / server corruption /
    destruction
    Well I hope that is a good basis for getting a discussion going. Feel free
    to email me if you have questions or I can help you with one of your issues.
    Best regards,
    Ray Cormier

    There is no failover in Meta-Directory 5.1, you can implement manual failover on the metaview by using multi-master replication with Directory Server. There are limitations and this is a manual process.
    - Paul

  • Replicating the retrochangelog

    I use the retrochangelog in my version 5.2 Directory Server to pass updates to another Directory Server outside of replication. The retrochangelog resides on a system that has several consumers for the data, and I would like to replicate the changelog to one of these consumers. We do not use multi-mastering but are configured to promote a consumer to a master if we have to fail over. Is there a recommendation for setting up the retrochangelog replication to flow with this "standby" master strategy?

    Thanks Gyanprakash. Will a disconnected resource trigger our custom approval process if we select the resource name properly in scope in the operational-level approval policy? Have you tried a disconnected resource with your custom approval process? Because I read the following lines in the admin guide:
    Oracle Identity Manager supports provisioning of disconnected resources by using the SOA worklist for manual provisioning of disconnected resources. After the role-based provisioning decision or SOA request approval is complete and the corresponding application instance is determined to be a disconnected application instance, a new SOA workflow is started. This new SOA workflow is assigned to the manual provisioning administrator.
    So I thought a disconnected app instance would have its own approval process configured during creation and it would route accordingly. So I just wanted to clarify how to make a disconnected app instance trigger our approval. Will the approval policy take care of it, as I am going to select the name of the disconnected app in the scope field?

  • 10.4.8 Client takes long time to get to login window when bound to OD.

    I am working on a system in a school. We have a dual-processor G5 Xserve with 4 GB of RAM, the RAID card, and 3 500 GB drives.
    Fresh install of 10.4.8 with all the updates.
    RAID 5 split into 2 volumes, one for server and one for data.
    AFP service running.
    Local DNS running.
    Promoted to Open Directory master.
    This is the test scenario I have.
    There is a user called studenttest; he belongs to a group called cccarstarmembers and is in a workgroup called student.
    The studenttest user's home folder exists in a sharepoint called students that is set up on the data partition.
    There is a sharepoint called cccarstar that holds data for some educational software we use. The owner is administrator with rw access, the group is cccarstarmembers with rw access, and others have no access.
    The student workgroup only has a few changes like dock location, just for testing purposes to verify that the workgroup is working properly.
    When I bind a newly built 10.4.8 client with all the updates to the OD server, it intermittently takes a long time for the client to get to the login window when it is powered up. Sometimes it will get to the login window in 45 seconds and other times it will take 5 minutes. This is not consistent. If you unbind the client, then the computer will behave properly and consistently.
    I have tried binding the client to the OD master using the fully qualified domain name and the IP address, with the same results.
    The search path on the server is "dc=osx1,dc=erm,dc=sd,dc=bc,dc=ca" and on the client it auto-populates as "cn=config,dc=osx1,dc=erm,dc=sd,dc=bc,dc=ca".
    I have changed the search path on the client to match the search path on the server with no success, as this is what used to work for us on Panther setups.
    But this school has a Panther client I am working on at the same time with the same applications installed and system preference settings, and when I bind it to the same OD master with the same search path that is displayed on the server it works fine. All users work, all groups and workgroups work.
    DNS appears to be working: lookup provides the correct forward and reverse lookup info on the server, and if I use either the Panther or Tiger client and use lookup with the server's fully qualified domain name and IP address, I get the correct answers back.
    I had this problem before where Tiger gave me slow-to-login-screen problems but Panther wouldn't when bound, and Apple told me that it was because I had AFP guest access disabled on the server. Enabling it resolved the issue about 6 months ago at another site, but this time when building the server I made sure it was on from the start even though it is off by default.
    Any suggestions? I am pulling my hair out and about 8 working hours from a deadline.

    I've seen this a lot.
    This Knowledge Base article refers to Active Directory but we've seen this fix login delays with OD-only environments too:
    http://docs.info.apple.com/article.html?artnum=303841
    Another one of the causes is when you have multiple network mounts and your AFP service has guest access disabled. The loginwindow is trying to authenticate to each share with the username given and it is failing when that user account is not authorised for that share.
    Another can be the LDAP timeout value(s). Try adjusting these in the LDAPv3 plug-in.
    Also make sure your network ports have portfast/faststart set on the Mac ports. Sometimes because of STP the port isn't initialised fast enough for the OS when it's ready to start LDAP'ing.
    Let me know if any of this helps.

  • Golden triangle authentication problem

    Hi,
    I'm trying to set up the golden triangle on our AD/Mac network. I have bound to AD fine and now I'm trying to set up an OD Master. After clicking "Kerberize Services" I click on "Remain connected and set up an Open Directory Master". Upon doing this I get
    Single Sign-On Unavailable
    Single Sign-On (Kerberos v5) will not be enabled for your new Open Directory master because your network's DNS server does not provide forward and reverse mappings for your server's domain name, or because Single Sign-On is already configured on your server.
    To resolve this issue, close the assistant and correct your DNS or Single Sign-On configuration.
    My forward and reverse digs look fine and my "changeip -checkhostname" returns the correct results.
    Any ideas as why this happens?

    Hello Gareth, and welcome to the Apple Boards,
    Please bear with me as I point out a couple of things:
    1) You should post a new topic for your issue rather than hijack someone else's thread - it's just good form.
    2) The reason this question probably didn't draw any responses is that it is not Xserve specific and there are much better groups that are specifically about Directory Services where you will get more and better eyes on your issue.
    Please check out the OS X Server specific boards: http://discussions.apple.com/category.jspa?categoryID=96
    That being said - if you have a fresh Server in Standalone mode, bind it to AD before doing anything else and then promote it to OD Master, it should just do the right thing. In 10.4 you had to jump through hoops and drop to the command line, but from 10.5 on OD should draw its information for set-up from AD if it is bound before it's promoted to Master. I haven't done it a bunch of times but I have done it a few, and - if and only if your forward and reverse DNS is solid and working - this actually does work as advertised. If your box is already a Master you can demote it (THIS DESTROYS YOUR CURRENT LDAP - BACK IT UP) and then bind and promote. If you've run kerb on the box previously you might want to blow away your old keytabs just to be safe, but it should still just work. And always, always, always double check that your DNS is rock solid in forward and reverse or it will not work.
    The best documentation for this process is a paper by Bombich (no surprise), and there's a little-known paper at AFP548 called +OD AD Sandbox+ that is really worth a read, but read the entire thing before trying anything.
    =Tod

  • Error value = 73, How to change the type of password?

    I want to use the famous wiki integrated in leopard, so I had to configure open directory and DNS.
    Well, my problem comes from the fact that I can't configure Open Directory: just after creating a new admin, I have no possibility to change the type of password; there is just the type shadow, and I know that we have to choose Open Directory's type.
    Obviously, I'm authenticated in Workgroup Manager.
    Which services do I have to turn on to use Open Directory's type?
    Or which Mac do I have to hit?
    THX

    Hi
    So I had to configure open directory and DNS
    What did you do or not do exactly?
    My problem comes from the fact that I can't configure Open Directory
    You won't be able to configure Open Directory to allow different password types unless you either bind your Server to an existing KDC or make your Server the KDC. For the Server to be a KDC (Kerberos Distribution Center) it has to be an Open Directory Master. Successful promotion to an Open Directory Master Role absolutely depends on a correctly configured and running DNS Service - either on the server itself or on another server on the same network.
    There are plenty of posts in these forums outlining how to configure your Server in terms of DNS as well as how to promote to Open Directory Master. Apple themselves make available Admin Manuals that should assist:
    http://images.apple.com/server/macosx/docs/OpenDirectory_Adminv10.5.pdf
    http://images.apple.com/server/macosx/docs/NetworkServices_Adminv10.5.pdf
    Failing this these forums (as already mentioned) as well as:
    http://www.afp548.com
    Hope this helps, Tony
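    Both replies above (Tod's on the golden triangle and Tony's here) make the same prerequisite explicit: the server's FQDN must resolve forward, every address it resolves to must resolve back to that same FQDN, and the box's hostname must match, or promotion to Open Directory master will not enable Kerberos. The check below is an added example, not code from the original posts or from Apple; it is what "changeip -checkhostname" and a pair of digs verify by hand, written so the resolver can be swapped out and the logic run against constructed records. The names and addresses in the test data are made up; the system_forward/system_reverse helpers use the standard socket module for a live run.

```python
"""Forward/reverse DNS agreement check before promoting to OD master.

Added example, not from the original posts. The lookups are injectable so
the check can run offline against constructed records; system_forward and
system_reverse wrap the socket module for a real run. All host names and
addresses used in testing are made up.
"""
import socket
from typing import Callable, List, Optional

ForwardLookup = Callable[[str], List[str]]      # fqdn -> IPv4 addresses
ReverseLookup = Callable[[str], Optional[str]]  # address -> PTR name or None


def normalize(name: str) -> str:
    """DNS names compare case-insensitively and may carry a trailing dot."""
    return name.rstrip(".").lower()


def check_host_dns(fqdn: str, forward: ForwardLookup, reverse: ReverseLookup,
                   local_hostname: Optional[str] = None) -> List[str]:
    """Return the list of problems found; an empty list means the mappings agree.

    Every address the FQDN resolves to must have a PTR that names exactly
    that FQDN (a PTR pointing at a short name or a CNAME alias is the usual
    cause of the "does not provide forward and reverse mappings" message).
    """
    problems: List[str] = []
    fqdn_n = normalize(fqdn)
    if "." not in fqdn_n:
        problems.append(f"{fqdn!r} is not fully qualified")
    if local_hostname is not None and normalize(local_hostname) != fqdn_n:
        problems.append(f"hostname {local_hostname!r} does not match {fqdn!r}")
    addrs = forward(fqdn_n)
    if not addrs:
        problems.append(f"no forward (A) record for {fqdn!r}")
    for addr in addrs:
        ptr = reverse(addr)
        if ptr is None:
            problems.append(f"no reverse (PTR) record for {addr}")
        elif normalize(ptr) != fqdn_n:
            problems.append(f"PTR for {addr} is {ptr!r}, expected {fqdn!r}")
    return problems


def system_forward(name: str) -> List[str]:
    """A-record lookup via the system resolver (IPv4 only, sorted, deduplicated)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def system_reverse(addr: str) -> Optional[str]:
    """PTR lookup via the system resolver; None when there is no record."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else socket.getfqdn()
    for problem in check_host_dns(target, system_forward, system_reverse):
        print("PROBLEM:", problem)
```

    Run it with the server's FQDN as the argument before clicking through the Open Directory assistant; pass the output of hostname as local_hostname if you also want the mismatch between the box's own name and its DNS name flagged, which is the other thing the assistant's DNS test trips on.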
