News aggregator

AD Authoritative Restore - A cautionary tale

The scenario is an AD to eDir two-way sync of users, groups and OU's. Two-way sync is what the customer wanted so that either side could be administered. A Microsoft administrator inadvertently deletes 50 or so accounts (don't ask). Naturally they are gone from eDirectory at this point as well. The administrator decides to do an Active Directory "Authoritative Restore" to quickly get the users back into both systems but decides to do the entire domain instead of the 50 users (don't ask).

The result was that all objects in AD were deleted and recreated from the other Domain Controllers with their previous GUID and other AD features intact. However, the AD to eDirectory driver naturally sees the delete events and acts upon them, deleting hundreds of users, groups and empty OU's from eDirectory. The AD restore recreates the users, groups and OU's after several forced "migrate objects" procedures. eDirectory-unique things like login scripts on the eDirectory OU's are lost, as well as file system trustee assignments. Backlink issues galore. Not a good day, or week for that matter.

Options to avoid this again:
1. Set the Driver Health Policy to shut down after X number of delete events are queued.
2. Don't allow delete events to occur on the driver. Change delete to deactivate account.
3. Use the work-flow system of Role Based Services for manual approval of delete events.
4. Ensure all AD administrators understand the repercussions of an Authoritative Restore.
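As an added illustration of option 2 (not part of the original post), a DirXML-Script rule of the kind that can be placed in the AD driver's Publisher Event Transformation policy so that a delete arriving from AD disables the matching eDirectory user instead of removing it; the rule description, the use of the User class and the Description text are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original post. Assumed placement: Publisher
     Event Transformation policy of the AD driver (deletes flowing AD -> eDir). -->
<policy>
  <rule>
    <description>Convert delete of a User into a disable (assumed rule name)</description>
    <conditions>
      <and>
        <!-- Only act on delete events for User objects -->
        <if-operation op="equal">delete</if-operation>
        <if-class-name op="equal">User</if-class-name>
      </and>
    </conditions>
    <actions>
      <!-- Disable the associated eDirectory account instead of deleting it -->
      <do-set-dest-attr-value name="Login Disabled">
        <arg-value type="string">
          <token-text>true</token-text>
        </arg-value>
      </do-set-dest-attr-value>
      <!-- Record why the account was disabled (Description attribute; assumed) -->
      <do-set-dest-attr-value name="Description">
        <arg-value type="string">
          <token-text>Disabled by IDM: delete received from Active Directory</token-text>
        </arg-value>
      </do-set-dest-attr-value>
      <!-- Drop the original delete so it never reaches eDirectory -->
      <do-veto/>
    </actions>
  </rule>
</policy>
```

With the delete vetoed, a mass delete from AD leaves disabled but intact eDirectory objects (trustees, login scripts and associations included), so an authoritative restore can be reconciled by re-enabling accounts rather than recreating them.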

Detect add/del member from group object

Hi,

I'm using IDM 3.51 and I need something to manage attribute on a group.
We extend some group object to add "MemberUID" attribute.

Now I would like to create a loopback rule in the Event transform to do this.

1) detect if the class is "group" (that's fine, I can handle that part :))
2) detect a change of the attribute "member" (that seems to be fine also)
3) detect if we "add-value" the attribute (a new member)
Then add the same member in the "memberUID" attribute also.
If the modify attribute is "remove-value" then I have to delete the value in the "memberUID" attribute also.

That seems to be simple, but I'm stuck at line 3 where I should detect the type of modification. I don't see any way to detect if it's an "add" or "remove" operation on the attribute.

I filter or trigger on the Group object because all attribute operations are done on the Group object only.

Hope that's clear

If you have any idea let me know.. Thanks

Jean-Guy

PC has patch, but showing not patches in PM

I updated a PC this morning using patch management, and the patch goes on fine. But when I check patch management it still shows as not being patched. I've cleared the cache and ran the inventory scan numerous times. The inventory shows the right version, but for some reason it's not talking to PM. Is there anything else I can do so it reports correctly to patch management?

\ appearing after user name

I'm having a rather strange problem. I'm running a Novell Open Enterprise Server, Netware 6.5, Server Version 5.70.08, Support Pack Revision 08 with eDirectory 8.8 SP4, NDS Version 8.8 SP4. The server is located in a High School and is part of a tree that extends over most of the county, but all of the students log into the server that is physically on site.

For some reason, a few accounts have been coming up with \ after the user name. On machines with LDAP loaded it immediately comes up with an error saying it's an illegal eDirectory name. I can find no rhyme or reason to the error, as all of the accounts are created with templates, and I noticed one of the errors came right in the midst of creating five other accounts, with only one having the \ at the end of the name. In another case an account that was working suddenly appeared with the \ at the end of the name, preventing the student from logging into the server. I can delete and recreate the account, which seems to solve the problem except for one user: I left his original account on the server so I could examine the problem, then suddenly his second account developed the same problem. Where he was for example JoSmith I made another account for him as JohSmith, and both now come up as JoSmith\ and JohSmith\. Of course he now cannot login. I'm not seeing this problem with the rest of the 1500 or so students and have verified that the problem is repeatable with and without LDAP configured, on Versions 4.91 SP2, SP4 and SP5. All of our machines are running Windows XP with SP3 loaded and virus protection behind our enterprise class firewall. Even so I checked and I'm not seeing any sign of virus activity. I have also checked with the other schools and I seem to be the only server with this problem. Anyone have any ideas?

Sentinel Agent

Hi,

I am installing Sentinel Agent on SLES10 SP3 64 bits and the following error happens when I start the service:

des-fs01:~/Sentinel-Agent_6.1r1 # /etc/init.d/sentagent start
Starting sentagent Unable to read from file /usr/local/sbin/sentsubagefailednf
des-fs01:~/Sentinel-Agent_6.1r1 #

The file sentsubagent.conf does not exist in the /usr/local/sbin folder.

Has someone already used the Sentinel agent to collect events from the syslog connector?

Thanks.

IDM drivers and SP8 for NW65

We're currently running NW65SP6, eDir 8.7369, and IDM 3.5.1. I need to upgrade our Service Pack from SP6 to SP8. Two questions:

Once I upgrade the master replica/Identity Vault to SP8, do I need to upgrade the Service Pack of the two other trees?

Are there any known issues I should be aware of concerning the IDM drivers?

Apache serves page weird

Hi All,

I've got a web site we're trying to move off of IIS and on to Apache on Netware.

The problem is that the page formatting is off when served by Apache.

Here's an example of the page that has issues:

San Dieguito Academy (IIS)

San Dieguito Academy (Apache on Netware)

I upgraded to NW6.5SP8 hoping it -might- fix the issue, but it didn't.

Has anyone seen this behavior before?

Thanks,
Matt

Group Membership not giving file rights

Any ideas?
I have a user who is a member of several groups. Each group has file/folder rights associated but when I check the users effective rights to those folders - nothing (which corresponds to the reality). Other users in the group can see the folders and if I check the membership of the groups the user appears there (not a case of the user object thinks it has a set of memberships and the group thinks the user isn't a member). NO IRF's are involved and the user is a member of the only group to have rights to the folder. I'm deeply confused here, if the user is a member of a group which has rights to a folder on the file system then the user has the rights to that folder that the group has. Any idea what's wrong?

Pete

Groupwise Object API - Track Changes to Contacts Appointment

Novell Support Forums - New Posts - 10 hours 14 min ago
Hi All

We are using the Groupwise Object API to integrate Novell Groupwise and another application. We have written a connector to synchronize the Contacts and Appointments between the 2 applications.

We have a requirement that when a user changes the Contact in Groupwise we have to sync it back to the other application.

Our connector polls GroupWise every 30 mins, checks for changed or new contacts and then syncs them. It does this for a set of User IDs in GroupWise. This connector is a trusted application.

How do we identify the changes in a contact from the Object API?
How do we identify deletion of contacts from the Object API?

Thanks and Regards
S.Chandrasekhar

Third Party Certificate without creating CSR...

Novell Support Forums - New Posts - 10 hours 58 min ago
...we purchased a Multi-Domain cert from Go Daddy. The CSR was created from a linux box (the Sys Admin purchased this for some of our sites, and then GW Web was included to be certified).
So without generating the CSR, is there a way to use this certificate since the KMO wasn't created during the CSR process? I've created a new KMO (Create Server Certificate in iManager), chose Custom and imported the .pfx file. It then gives me an error "Go Daddy Secure Certification Authority FailPKI Error -1226 A certificate was not found in the NDS tree certificate authority (CA) object or Server Certificate Object (also known as the Key Material Object)."

NW6.5sp7, GroupWise 8, eDir 883

TIA,
Mick

Deep Dive

Novell Support Forums - New Posts - 10 hours 59 min ago
Matt says:
"This year Novell is enhancing and expanding two of the most popular attractions at BrainShare - the Installation and Migration Depot and Novell Advanced Technical Training (ATT). Diving Deep is all about helping you take advantage of more in-depth, hands-on technical training opportunities that can have an immediate impact on how you do your job. Swim on over to this new Connection Magazine article to read more: "

http://www.novell.com/connectionmaga...hare_2010.html

IT Tech Talk

"One of the most popular and attended events at BrainShare is back! IT Tech Talk (formerly known as "Meet the Experts") will take place Wednesday night from 6:30 - 9:30 p.m. As always, you'll be able to mingle with our product engineers giving you an opportunity to discuss current and future product features and technologies. Heavy hors d'oeuvres and an open bar will be available."

Did you hear that?

Download a File Folder...

Novell Support Forums - New Posts - 11 hours 15 min ago
Hello,

Maybe a stupid question around the file folder ....

Is it possible to download in one step all the files inside a file folder ?
I did not find yet a way to download the file folder itself ...

Any idea ?

Tx for your help ...

Stephan

Frozen Screen with ZCM Agent

Novell Support Forums - New Posts - 11 hours 23 min ago
On one of our PCs (Hotline PC) we have the problem that applications get frozen in the middle of our work. It happens that one application freezes. Mouse and keyboard are still operational.

Opening Task Manager and closing the application works, but other applications do not come back to operation. Stopping one application after the other is possible but the PC never returns to operation.

That happens approx twice a day with different applications.

After Uninstalling the ZCM Agent the problem is gone. Reinstalling Agent on that PC and the problem comes back again.

Windows XP SP3 with ZCM Agent 10.2.1 Dual Monitor (extended desktop)

wkr Klaus

POP3 Connector or Fetchmail

Novell Support Forums - New Posts - 11 hours 24 min ago
Hi,

we need to install NOWS SBE on a site and for various reasons, the servers must be shut down every evening and restarted in the morning.

We would like to configure a popserver offsite from which groupwise can fetch mails that have arrived during the night. Also during the day of course.

Is there something like the old POP3 connector that used to be available?

Or alternatively, is it possible to configure something like fetchmail on another box to pop the messages for the individual users and forward them to the groupwise server?

Thanks for any ideas.

b.

When to use a certain driver

Novell Support Forums - New Posts - 11 hours 25 min ago
If I look at the drivers available in Designer, I see several under the 'Services' tag, and other tags, that do not appear in the drivers packages as defined in Identity Manager Drivers: Integration Modules and Associated Drivers.

Where can I find a document that describes all these drivers and gives a comparison as to which should be used in what circumstances?

As simple examples:
When to use one of loopback, null, manual
What are ID-Provider and State Machine

Thanks for your help

Partitioning tree

Novell Support Forums - New Posts - 11 hours 33 min ago
I have an 8.x tree that does not span a WAN with approx 12,000 objects.
All servers are in one OU. There are OU's for org purposes.
Other than partitioning the Tree or ROOT, the O and the server OU, am I missing something?

- T = <Tree>
  - O = <Org>
    - OU = Payroll
      - CN = user1
    - OU = Accounting
    - OU = Bla Bla
    - OU = Stuff
    - OU = Workstations
    - OU = Groups
    - OU = Bla Bla Bla
    - OU = <Servers>

Admin Studio 9.0a will not allow Log on

Novell Support Forums - New Posts - 11 hours 47 min ago
I have installed Admin Studio 9.0a on a number of computers, XP and Vista. I get to the point where the software wants you to type in the server, username, and password to work. Every time a new window comes up saying that the log in failed. I tried changing the address suggested by others on the forum but that did not work. I took the https off and even the http. I am able to go to the URL and log in with the user name and password I am using without issues. I have tried turning off the firewall, moving the computer to another office to see if it's the network. I updated the software from Novell's site and nothing.

I am new to Novell so please use as much detail as possible. Thank you very much for your help.

© 2009 Novell, Inc. All Rights Reserved.