TUT218-SLP Made Easy 2006 Ver 2.7

Page 1: TUT218: “Pure IP” Made Easy

Ver 2.7 – March 23, 2006
Allan Hurst
Partner & Technical Principal, KIS
[email protected]
650.207.0215

Page 2: Acknowledgements

My thanks to the following Novell people (past and present) who have provided me with SLP & OES information over the past few years:

Bart Chandler, Reid Oakes, Marci Orler, Paul Schabert, Howard Shapiro, Jason Williams, Eric Wing

Page 3: Housekeeping

• Cell phones, pagers, Treos, Blackberries … set them all to “stun” (silent or off), please. No noise is good noise. (“Don’t make me come down there…!”)
• If you have a question, it’s absolutely OK to ask. It’ll help if you raise your hand first to get my attention. I’ll try to answer on the fly.
• Please fill out your evaluation form. This session was created (and revised) based on evaluations from prior events.
• It’s OK to have fun in here. Honest.

Page 4: Who is this Guy, Anyway?

Allan Hurst / KIS
• Partner, Technical Principal & Director of Linux Strategy
• Master CNE with 18+ years of Novell experience.
• One of four partners at KIS, a Novell Platinum Partner located in Fremont, California.
• Runs the “Novell® Enterprise Systems Group” (responsible for network planning, migrations, upgrades, moves, re-architecting, clean-up, DNS, and Linux strategy).
• Runs “The WAP Squad”. (“WAP” stands for … ?)
• With Dirk Smith, is a member of the (infamous) “Crash Dummies” team … specialists in analyzing and preventing server crashes.

Page 5: Who Are You?

• Network administrator and/or manager.
• Probably experienced with Novell® products.
• May be seeing weird network issues, such as:
– sporadic errors when browsing the local network
– slow logins
– intermittent server communication
– time sync errors.

Page 6: Up-Front Disclaimers

• Doesn’t work under IPX? It won’t work any better under IP.
• Making your network “Pure IP ready” is a long-term project.
• It’s not a sin to run IPX AND IP on the same wire. Honest.
• Get IP working before making plans to remove IPX from the wire.
• Often, just the (pre-SLP) cleanup process speeds up the network.
• Most of this process (80%!) … is just prep work that doesn’t involve SLP at all. (But it needs to be done if you want to use SLP.)
• Actually configuring SLP only takes about 5 minutes!

Page 7: Reaching “Pure IP”

[Diagram: the steps toward “Pure IP”, with “What we’ll cover here:” marking the ones this session addresses]
– Got Pure IP?
– Remove IPX From the Wire
– Configure Client Workstations for SLP UA Operation
– Configure Servers for SLP SA and DA Operation
– DNS, Server IP, DHCP, Time, NICI / SAS / PKI, eDir
– Migrate to NDPS/iPrint

Page 8: What have I been using all this time? (IPX & SAP)

• SAP = Service Advertising Protocol
– IPX-based protocol
– Broadcast-based
– Flexible and easy … for smaller networks
– Not easily routable
– Limited in types of information provided
– No provision for service expiration

Page 9: What is SLP?

• SLP = Service Location Protocol
– The basis for “Pure IP” operation
– IP-based replacement for IPX’s SAP
– Allows dynamic advertising of services
– An open, standards-based protocol (RFCs 2165, 2608, 2609, 2614)

Page 10: What Are SLP Services?

• An SLP service is just an application running on a server, which other machines on the network can access.
• (For example: NDS, REMOTE.NLM, NDPS, SCMD.)
• When a server starts up, services (applications) register with SLP to make themselves available to the network.
• SLP maintains the service name and IP address of the host offering the service, along with an expiration date/time.
• Each service has a unique URL (Uniform Resource Locator).

[Diagram: SLP with RCONSOLE and NDPS registered as services]

Page 11: Why do I need SLP?

• SAP & IPX don't scale well.
• SLP improves workstation login and drive mapping performance on your network.
• OES/Linux doesn't support IPX, and never will.*
• eDirectory 8.8 achieves significant performance gains over earlier versions because it contains no IPX code at all.*

*Thank you to Novell's OES Product Manager -- Jason Williams -- for pointing out these particular nuggets of information.

Page 12: SLP Versus SAP (I)

SLP:
• IP-based
• “Pulls” info off of the wire using unicasts & multicasts
• Allows rich set of attributes
• Specifies an expiration time for each service

SAP:
• IPX-based
• “Pushes” info onto the wire using broadcasts
• Provides a very limited set of attributes
• Services “drop off the wire”

Page 13: SLP Versus SAP (II)

SLP:
• IP services register themselves in the SLP database
• SLP advertises nothing; the SLP DA simply listens for requests
• SLP supports a wide variety of attribute information
• SLP uses multicast, which is routable (SLP can “fall back” to broadcast mode if needed)
• Has a mechanism to actively remove expired services

SAP:
• SAP service registrations are stored on each server
• Broadcasts server name, address, and SAP type regularly (as soon as IPX is bound on an interface)
• Advertises only service name, type and address
• Broadcast protocol is not routable
• No mechanism for actively removing services

Page 14: How SAP Works – Finding A Server

[Diagram: an IPX workstation and three servers]

1. Client broadcasts “Get Nearest Server!” to entire network.
2. Every server broadcasts “Give Nearest Server!” to entire network.
3. Client begins login process with selected server. (Unicast)

Page 15: How SLP Works – Finding A Server

[Diagram: an IP Workstation (UA) and three servers: Server (SA), Server (SA and DA), Server (SA)]

1. Client sends “Where are you?” multicast to all DAs.
2. DA and client send “Here I am”, server request and service response back and forth. (All unicasts.)
3. Client begins login process with selected server. (Unicast)

Page 16: Network Load of IPX/SAP vs. IP/SLP

For finding a server on a 3-server, 1-workstation network, the scores are:

IPX using SAP: 4 broadcasts, 0 multicasts, 1 unicast
Pure IP using SLP: 0 broadcasts, 1 multicast, 4 unicasts

Try increasing the above numbers to 5 servers and 100 workstations, and figure out how many broadcasts would suck up your network bandwidth!


Page 18: Agent Types (Secret & Otherwise)

SLP Agent Types

User Agent (“UA”)
> Makes requests for services needed by application

Server Agent/Service Agent (“SA”)
> Runs on every server running SLP
> Registers available services (cache)
> Listens for Service Requests
> Has specified expiration interval per service

Directory Agent (“DA” or “SLP DA”)
> Stores SLP service records in eDirectory™ and/or cache
> SA registers services with DA
> UA requests services from DA

Page 19: Directory Agent (“DA”)

The Directory Agent is responsible for processing the following SLP protocol messages:

– Service Registration

– Service Deregistration

– Service Type Request

– Service Request

– Attribute Request

– Directory Agent Advertisements

Page 20: Directory Agent (What’s it do?)

• The DA maintains a database of URLs representing network services.
• The DA provides the interface between SLP and NDS.
• SAs and UAs interact with DAs to advertise and locate network services.
• NDS provides a common, real-time data storage location for SLP information collected by DAs.
• Oddly enough, the DA is the only agent that is not required in an SLP-based network.
• UAs and SAs can still find each other via multicast if there's no DA present.

Page 21: Server SLP Registration Process

1. Server tries contacting DA specified in DHCP.

2. SA tries contacting the statically configured DA.

3. SA multicasts to find a DA.

Once contact is made, then ...

4. SA sends service registration information to DA via unicast:

– Service type

– Service lifetime

– Service attributes

Page 22: How SLP Works – Registration

[Diagram: Server Agent, Directory Agent and two User Agents]

Server sends service registration to DA. (Via unicast.)

Page 23: How SLP Works - Directory Agent

[Diagram: Server Agent, Directory Agent and two User Agents]

1. UA sends service request to DA. (Via unicast.)
2. DA sends service response back to UA. (Via unicast.)

Page 24: Prerequisites to Configuring SLP

• You need a good foundation to build a strong house…

• …which makes it a real pity that most network “homes” are built on top of chicken wire and facial tissue.

• Let’s look at what needs to be done before attempting to configure SLP.

Page 25: SLP Requires A Stable, Working TCP/IP Infrastructure

• Correct, static IP information for all:
– Servers (you’d be amazed at what I find each day)
– Routers (what’s really in your routing table?)
– Switches (“plug-and-play” units often aren’t set correctly)
– Printers (usually set up for DHCP at the factory)

• This includes:
– Verified and documented IP addresses
– Correct subnet masks
– Correct default gateway/default routes
– Any needed static routes

Page 26: NetWare® vs. OES/Linux

• Most NetWare® systems currently in service have “inherited” configuration errors.

• We're going to review potential NetWare configuration problems right now.

• My experience suggests that OES/Linux has none of these errors to correct. OES/Linux installs very cleanly.

• So, Linux People ... please be patient with us for a few minutes...

Page 27: TCP/IP Files to Check on NetWare®

SYS:etc\hostname
192.168.129.10 beast.allanh.com

SYS:etc\resolv.cfg
domain allanh.com
nameserver 192.168.129.10
nameserver 64.81.79.2

SYS:etc\hosts
127.0.0.1 loopback lb localhost
192.168.129.10 beast.allanh.com BEAST castle
192.168.129.11 ifolder.allanh.com ifolder

Page 28: No More Stinkin’ Autotypes!

• Automatic speed sensing … is EVIL.
• Automatic duplex detection … is ROTTEN.
• Automatic frame typing … is HEINOUS.
• This includes:
– Servers*
– Workstations
– Printers
– Routers & Switches*
• Explicitly define Speed/Duplex/Frametype on all servers!*

* Note: Some Cisco devices with recent versions of IOS may work better with autospeed/autoduplex.

Page 29: Gigabit NICs From Broadcom

Problem:
– Broadcom’s older NetWare® drivers have known problems with IP packet checksums. This causes packet loss, time falling in and out of sync at random, servers dropping off the network, NDS communication problems, and more.
– Affected drivers: older versions of Q57.LAN, B57.LAN, N57.LAN, x57.LAN, etc.
– Note: This is not a problem with OES on SLES.

Solution:
– Update with the latest version of x57.LAN (use Google)
– Add “checksum=off” to “LOAD x57.LAN…” lines in NETINFO.CFG

Page 30: What Every DNS Server Should Know

You need at least one internal DNS server. It must know:
– Each NetWare® /OES server name, which must:
…point to the primary address of the server
…match the IP address and hostname (sys:etc\hostname)
– The tree name, which:
…should point to the server with the master replica of [root]

From any workstation or server, you should be able to resolve:
– Any NetWare/OES server … by short name and FQDN
> ping fs1 -and- ping fs1.acme.com
– The NDS/eDirectory™ tree name
> ping acmetree

Page 31: Keep Inside/Outside DNS Separate!

• Keep internal and external DNS servers on separate boxes.

• The only “A”, “MX” and “CNAME” records that should be on your external DNS server, are ones that you really want the rest of the world to know about.

• Don’t publish your internal servers’ “A” records on your external DNS.

• The best way to avoid being hacked is to avoid being found in the first place.

Page 32: Who’s Afraid of DNS?

• Scared of setting up your own DNS server on NetWare®? (It’s easy. Honest.)

• Download a copy of Allan’s favorite “how-to” guide:

http://www.more.net/technical/netserv/servers/novell/nw5dnsdhcp.pdf

• (Oh, just search Google for “nw5dnsdhcp.pdf”)

• Still scared of DNS? Ask me when and where my next “Demystifying DNS” presentation will take place.

Page 33: So, What if DNS Fails…?

• If DNS fails, keep your servers talking to each other by creating a HOSTS file!
– Create a master HOSTS file that includes all of the NDS server entries from your internal DNS, plus the tree name.
– Copy the master HOSTS file to all NetWare® servers.
– Update and recopy the master file to all NetWare servers each time you add or change server names or IP addresses.
• Some people find utilities such as ZENworks for Servers to be useful for pushing HOSTS files out to multiple servers.

NOTE: This is NOT a “replacement” for DNS. You still need a properly configured internal DNS server.
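Added example (not code from the presentation): a small Python check that reads the three NetWare TCP/IP files shown on the “TCP/IP Files to Check on NetWare” slide, confirms they agree with each other, confirms that the short name, FQDN and tree name resolve the way the “What Every DNS Server Should Know” slide requires, and generates the master HOSTS file this slide describes. The file contents are constructed from the slide's values; the tree name castle is the extra name on the BEAST line of that hosts file.

```python
"""Consistency check for a NetWare server's SYS:etc\\hostname, resolv.cfg and
hosts files, plus a generator for the "master HOSTS file" DNS fallback.

Added example, not code from the presentation. File contents are constructed
from the values on the "TCP/IP Files to Check on NetWare" slide; the tree name
'castle' is the extra name on the BEAST line of that hosts file.
"""
import ipaddress

# Constructed copies of the three files from the slide.
HOSTNAME_FILE = "192.168.129.10 beast.allanh.com\n"
RESOLV_CFG = (
    "domain allanh.com\n"
    "nameserver 192.168.129.10\n"
    "nameserver 64.81.79.2\n"
)
HOSTS_FILE = (
    "127.0.0.1 loopback lb localhost\n"
    "192.168.129.10 beast.allanh.com BEAST castle\n"
    "192.168.129.11 ifolder.allanh.com ifolder\n"
)


def parse_hosts(text):
    """Map every name on every hosts line (lower-cased) to its address."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        ipaddress.ip_address(ip)              # ValueError on a malformed address
        for name in names:
            table[name.lower()] = ip
    return table


def parse_resolv(text):
    """Return (search domain, [nameserver addresses]) from resolv.cfg."""
    domain, servers = None, []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) >= 2 and parts[0] == "domain":
            domain = parts[1].lower()
        elif len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return domain, servers


def resolve(name, hosts, domain=None):
    """Hosts-file lookup: exact name first, then short name + search domain."""
    key = name.lower()
    if key in hosts:
        return hosts[key]
    if domain and "." not in key:
        return hosts.get(f"{key}.{domain}")
    return None


def check_server_files(hostname_text, resolv_text, hosts_text, tree_name):
    """Return a list of problems; an empty list means the files agree with
    each other and the names the deck says must resolve actually do."""
    problems = []
    ip, fqdn = hostname_text.split()[:2]
    fqdn = fqdn.lower()
    hosts = parse_hosts(hosts_text)
    domain, _nameservers = parse_resolv(resolv_text)

    if hosts.get(fqdn) != ip:
        problems.append(f"hosts does not map {fqdn} to {ip}")
    short = fqdn.split(".")[0]
    if resolve(short, hosts, domain) != ip:
        problems.append(f"short name {short} does not resolve to {ip}")
    if domain and not fqdn.endswith("." + domain):
        problems.append(f"hostname {fqdn} is outside resolv.cfg domain {domain}")
    if resolve(tree_name, hosts, domain) is None:
        problems.append(f"tree name {tree_name} has no hosts entry")
    return problems


def build_master_hosts(servers, domain, tree_name, master_replica_ip):
    """Generate the master HOSTS file: FQDN and short name for every server,
    and the tree name on the line of the server holding the master replica
    of [root] (the DNS slide says the tree name should point there)."""
    lines = ["127.0.0.1 loopback lb localhost"]
    for ip, short in servers:
        names = [f"{short}.{domain}", short.upper()]
        if ip == master_replica_ip:
            names.append(tree_name)
        lines.append(" ".join([ip, *names]))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(check_server_files(HOSTNAME_FILE, RESOLV_CFG, HOSTS_FILE, "castle"))
    print(build_master_hosts([("192.168.129.10", "beast"), ("192.168.129.11", "ifolder")],
                             "allanh.com", "castle", "192.168.129.10"))
```

Run it against a server's real files by reading them into the three strings; an empty problem list is the state the prerequisites slides ask for, and the generated master file is what the slide says to copy to every server.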

Page 34: NDS Health & SLP

If your NDS tree is unhealthy, SLP won’t make it work any better. This means …
– Time must be in sync.
– Obituaries must be processing.
– There must be no errors in DSREPAIR.

Do a basic NDS health check before setting up SLP!

In “DSREPAIR –A”, run:
– Time Synchronization
– Report Synchronization Status
– Advanced / Check External References

Page 35: Make Time for Time (I)

Good time synchronization is essential to a healthy tree.

Select one of these time models, and stick to it:
– Single – Secondary
– Reference – Primary – Secondary

Use configured time sources only.

IP addresses are most foolproof for internal time sources. (Especially if you don't have good DNS yet.)

Page 36: Make Time for Time (II)

Point your Single/Reference server to an external time source.

My favorite external time source is “pool.ntp.org” or “us.pool.ntp.org”, which are pools of public NTP servers.

In your timesync.cfg file, this would look like:
pool.ntp.org:123

For more information on the Network Time Project, visit http://www.ntp.org

Can't get port 123 opened up on your firewall? Consider using a GPS time signal. Google “gps network time”.

Page 37: Encryption? On MY network?

• All of these modules must be configured correctly and working on all NW 5.x & 6.x servers in your tree:
– NICI - Novell® International Cryptographic Infrastructure
– SAS - Secure Authentication Service
– PKI - Public Key Infrastructure
• You also need to make sure these are in order:
– Tree CA – Your tree’s Certificate Authority
– Server CA – Each NW5/6 server’s Certificate Authority
• NetWare® PKI broken? Use “PKIDIAG.NLM”! (Find it by searching Novell FileFinder for “PKIDIAG2”)

Note: NetWare 5.0 doesn’t have NICI installed by default. (Only NetWare 5.1 and above installs NICI by default.)

Page 38: Patch THIS!

All NetWare® servers must be patched to a minimum of:
– NetWare 4.11/4.2 … NW4SP9.exe
– NetWare 5.0 … NW50SP6A.exe
– NetWare 5.1 … NW51SP8.exe
– NetWare 6 … NW6SP5.exe (or NW6SP5E.exe for English only)
– NetWare 6.5 … NW65SP4.exe or NW65SP5.exe

These SLP modules must be the same revision across all servers for each version of NetWare:
– Slp.nlm
– Slptcp.nlm
– Slpda.nlm

Note: These modules usually reside in “C:\NWSERVER”.

Page 39: Updating Client Software

For proper SLP operation, you should be on reasonably current versions of the Novell Client:
– NT/2000/XP = Client 4.91 SP2 (or later)
– 95/98 = Client 3.4 (or later)

IMPORTANT: If you have fairly old versions of client software, and everything’s working OK with IPX … update your workstations’ client software AFTER you’ve set up and tested everything on the server side.

Page 40: No More Prerequisites!

• OK … now that you have a healthy network, let’s talk about exactly what SLP services are, and how they work.

Page 41: Scoped vs. Unscoped

• There are two modes for setting up scopes:

– An “Unscoped” scope is a general default scope. It's all of the service URLs that aren't tied to a specifically defined scope.

> In SLP version 1, default scope is called the “Unscoped scope”.

> In SLP version 2, it is called the “Default Scope”.

– A “Scoped” Scope is a Scope Unit that has been defined with a specific Scope Name.

Note: Make your life easier by using only SCOPED scopes!

Page 42: SLP Agents – Defaults

• By default, all clients and servers are both User Agents and Service Agents (“double agents”).
• Multicast groups:
– Service Agents listen on 224.0.1.22
– (UAs multicast to 224.0.1.22 when searching for a service.)
– Directory Agents listen on 224.0.1.35
– (UAs and SAs multicast to 224.0.1.35 when searching for a DA.)
– If multicast fails, SLP will “fall back” to using IP broadcasts unless specifically configured to not do so.
– SLP uses TCP & UDP port 427. (See TID #10050135)
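Added example (not code from the presentation): a Python classifier that sorts port 427 traffic into the two multicast groups named on this slide, ordinary unicast, and the broadcast fallback the slide warns about, so a capture summary from a segment can show whether multicast is actually working. The flow lines and their “src dst port proto” layout are constructed for this example.

```python
"""Classify SLP (port 427) traffic from a flow summary and flag broadcast
fallback, which the deck says happens when multicast is not working.

Added example, not code from the presentation. The flow lines below are
constructed; the one-flow-per-line format "src dst port proto" is this
example's own.
"""
import ipaddress
from collections import Counter

SLP_PORT = 427
SA_GROUP = ipaddress.ip_address("224.0.1.22")   # SAs listen here; UAs query here
DA_GROUP = ipaddress.ip_address("224.0.1.35")   # DAs listen here; UAs/SAs look for a DA here
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Constructed flow summary: source, destination, destination port, protocol.
SAMPLE_FLOWS = """\
10.0.1.20 224.0.1.35 427 udp
10.0.1.20 10.0.1.3 427 udp
10.0.1.3 10.0.1.20 427 udp
10.0.1.21 224.0.1.22 427 udp
10.0.1.22 255.255.255.255 427 udp
10.0.1.22 10.0.1.255 427 udp
10.0.1.22 10.0.1.5 389 tcp
"""


def classify(dst, port, subnets):
    """Label one flow by where its SLP traffic is going.
    subnets: list of ip_network objects whose directed broadcast counts as fallback."""
    if port != SLP_PORT:
        return "not-slp"
    addr = ipaddress.ip_address(dst)
    if addr == DA_GROUP:
        return "multicast-da-discovery"
    if addr == SA_GROUP:
        return "multicast-sa-query"
    if addr == LIMITED_BROADCAST or any(addr == n.broadcast_address for n in subnets):
        return "broadcast-fallback"
    return "unicast"


def summarize(flow_text, subnet_strs):
    """Return (Counter of labels, sorted hosts seen using broadcast fallback)."""
    subnets = [ipaddress.ip_network(s) for s in subnet_strs]
    counts = Counter()
    fallback_hosts = set()
    for raw in flow_text.splitlines():
        if not raw.strip():
            continue
        src, dst, port, _proto = raw.split()
        label = classify(dst, int(port), subnets)
        counts[label] += 1
        if label == "broadcast-fallback":
            fallback_hosts.add(src)
    return counts, sorted(fallback_hosts)


if __name__ == "__main__":
    counts, hosts = summarize(SAMPLE_FLOWS, ["10.0.1.0/24"])
    print(dict(counts))
    print("hosts falling back to broadcast:", hosts)
```

The subnet list matters: a directed broadcast such as 10.0.1.255 is only recognized as fallback when its network is supplied, otherwise it is counted as plain unicast.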

Page 43: SLPDA in eDirectory™

• SLP Directory Agent Object…

– Is a leaf object that represents a single instance of a DA.

– Defines the DA’s configuration, scope, and security.

– Multiple DAs cannot share a single object.

– Assigning the DA adds an eDirectory™ attribute to the NCP_SERVER class definition called “SLP Directory Agent DN”. This points the Server object to the DA object.

Page 44: SLP Scope Unit in eDirectory™

• Scope Unit Container Object
– NDS storage container for SLP service information.
– Holds all SLP Service objects for a specific scope.
– Unscoped Scope is the default before SLP v2
• SLP Scopes are just logical groupings of available services.
– Directory Agents are assigned to service one or more scope units.
– UAs can be configured to use specific scopes defined by DAs servicing that scope.

Page 45: SLP Service Object

• SLP Service Object

– Each SLP Service Object represents a service registration.

– Is subordinate to the SLP Scope Unit object.

– Stored in the appropriate SLP Scope object according to their scope

– Rough IPX analog: SAP entries seen in DISPLAY SERVERS

Page 46: SLP Services

display slp services (Sort of a Pure IP version of “display servers”)

FS1: display slp services
DISPLAY SLP SERVICES
Usage: display slp services [<service type>/<scope>/<predicate query>]/
Example 1: ‘display slp services’
Example 2: ‘display slp services bindery.novell//(svcname-ws=abc*)/’
Searching Network. . . .
service:nwserver.novell:///FS1
service:bindery.novell://FS1
service:ndap.novell:///acme1
service:ndap.novell:///acme2
service:timesync.novell:///10.200.200.102
service:portal.novell://10.200.200.102:8008/FS1
Displayed 6 of 6 Total URL’s for: “(All)/(default)/(Not specified)”
Command:
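Added example (not code from the presentation or from NetWare): a Python parser for the service URLs in the console output above, with a filter that mimics the slide's second usage example (a service type plus a svcname-ws wildcard). The URL list is copied from the slide; treating the predicate as a case-insensitive wildcard match on the registered name is this example's own simplification of the SLP predicate syntax.

```python
"""Parse SLP service URLs of the kind DISPLAY SLP SERVICES prints, and filter
them by service type and by the svcname-ws wildcard predicate shown in the
slide's second usage example.

Added example, not code from the presentation. The URL list is copied from
the slide's console output; the predicate handling (a wildcard against the
registered name) is this example's own simplification.
"""
import re
from fnmatch import fnmatchcase

# The six URLs from the slide's 'display slp services' output.
SAMPLE_URLS = [
    "service:nwserver.novell:///FS1",
    "service:bindery.novell://FS1",
    "service:ndap.novell:///acme1",
    "service:ndap.novell:///acme2",
    "service:timesync.novell:///10.200.200.102",
    "service:portal.novell://10.200.200.102:8008/FS1",
]

# service:<type>://[host[:port]][/path]   (<type> may be abstract:concrete)
_URL_RE = re.compile(
    r"^service:(?P<srvtype>[^:/]+(?::[^:/]+)?)://"
    r"(?P<host>[^/:]*)(?::(?P<port>\d+))?(?P<path>/.*)?$"
)


def parse_service_url(url):
    """Return srvtype, host, port, path and the registered name.
    The name is the path without its leading '/', or the host when there is no path
    (the bindery.novell URL on the slide puts the server name in the host position)."""
    m = _URL_RE.match(url)
    if not m:
        raise ValueError(f"not an SLP service URL: {url!r}")
    host, port, path = m.group("host"), m.group("port"), m.group("path")
    name = path.lstrip("/") if path else host
    return {
        "srvtype": m.group("srvtype"),
        "host": host or None,
        "port": int(port) if port else None,
        "path": path,
        "name": name,
    }


def query(urls, srvtype=None, svcname_ws=None):
    """Filter like 'display slp services <type>//(svcname-ws=<pattern>)/':
    optional exact service type, optional case-insensitive wildcard on the name."""
    out = []
    for url in urls:
        rec = parse_service_url(url)
        if srvtype and rec["srvtype"] != srvtype:
            continue
        if svcname_ws and not fnmatchcase(rec["name"].lower(), svcname_ws.lower()):
            continue
        out.append(rec)
    return out


def summary_line(shown, total, srvtype="(All)", scope="(default)", predicate="(Not specified)"):
    """Reproduce the trailer the console prints after a listing."""
    return f"Displayed {shown} of {total} Total URL's for: \"{srvtype}/{scope}/{predicate}\""


if __name__ == "__main__":
    for rec in query(SAMPLE_URLS, svcname_ws="fs*"):
        print(rec["srvtype"], rec["name"], rec["host"], rec["port"])
    print(summary_line(6, 6))
```

Fed the output of DISPLAY SLP SERVICES from each server, the parser makes it easy to diff what different servers (or a DA) think is registered, which is the usual first question when a service is missing.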

Page 47: SLP in Small Networks

• No Directory Agents
• No scopes

[Diagram: a User Agent sends a general SLP multicast request to 224.0.1.22; four Service Agents send unicast replies]

Note: Allan doesn’t recommend this method … it usually creates trouble later.

Page 48: Medium-Sized Network (Try it, you’ll like it.)

• DAs are implemented.
• SAs register their service with DAs.
• UA multicasts to find a DA.
• DA responds to UA with unicast.
• DA answers UA on behalf of SAs.

[Diagram: one User Agent, one Directory Agent, four Service Agents]

Page 49: Large-Sized Network (For the very, very brave of heart.)

• Services are grouped into scopes (Scope One and Scope Two, joined across a WAN).
• The UAs are configured with one or more DA addresses.
• SLP queries to remote services may cross the WAN link.

[Diagram: two scopes on either side of a WAN link, each with its own Directory Agent (DA Elbonia, DA Kalamazoo); six UAs and six SAs in total]

Page 50: Implementing SLP: Workstations

• The Novell Client™ includes an SLP User Agent.
– SLP UA is installed automatically when one of the IP protocol options is chosen during client installation.
– SLP must be available for the client to function.
– No SLP = No Browsing! (A hint that SLP's not OK.)
• Static parameter configuration is performed in the Novell Client Configuration property pages, under the Service Location tab.
• It's easiest, however, to use DHCP to configure SLP.

Page 51: Implementing SLP: Workstations

If you need to configure SLP information statically for each workstation, here's where you do it.

Page 52: Static Workstation SLP Config

• Scope List
– Which SLP scopes the workstation will use.
• Directory Agent List
– Which DAs a client is statically configured to talk with.
– Note: Use SLPINFO /D to find out which DAs the client has discovered dynamically and what their status is (Active or Inactive).

Page 53: Automatic SLP Workstation Config

Use DHCP. This should be enabled by default.

DHCP SLP configuration is faster & easier than having to touch each workstation to statically configure SLP.

Page 54: SLP & DHCP

• Even if the workstation's IP address is statically configured, SLP can still receive an SLP Scope and DA configuration from a DHCP server.

• This is done using something called a “DHCP INFORM” packet ... ask Laura Chappell for details.

• Warning: if your DHCP hands out SLP info using DNS names (or IP addresses) for DA machines that don’t yet exist, the clients will appear to hang during login and drive mapping.

• This is why I suggest setting up DNS before DHCP.

Page 55: Making DHCP “SLP-Friendly”

Don't host DHCP on NT 4.0 boxes. NT 4.0 isn't capable of handing out the DHCP options required for SLP.

Configure DHCP to hand out these options in addition to whatever else you're handing out to each subnet:
– DHCP Option 78 = SLP Directory Agent IP Address
– DHCP Option 79 = SLP Service Scope

Note: You can hand out more than one SLP DA or SLP scope via DHCP.

If you want to do some primitive SLP load balancing, use different DA orders for alternating subnets.
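Added example (not code from the presentation or from any DHCP server): a Python encoder/decoder for DHCP options 78 and 79, plus a helper that rotates the DA list per subnet for the “primitive load balancing” this slide suggests. The wire layout (option code, length, a mandatory-flag byte, then 4-byte IPv4 addresses for option 78 or the comma-separated scope list for option 79) is the one RFC 2610 defines; the addresses and scope names are constructed.

```python
"""Encode and decode DHCP options 78 (SLP Directory Agent) and 79 (SLP
Service Scope), and build a per-subnet DA order for the "primitive load
balancing" trick the slide mentions.

Added example, not code from the presentation. The wire format follows
RFC 2610: code, length, a 'mandatory' flag byte, then either 4-byte IPv4
addresses (option 78) or the scope list as UTF-8 text (option 79).
Addresses and scope names below are constructed.
"""
import ipaddress

OPT_SLP_DA = 78
OPT_SLP_SCOPE = 79


def encode_option_78(da_addresses, mandatory=False):
    """Option 78 body: mandatory flag + one 4-byte address per DA, in order."""
    payload = bytes([1 if mandatory else 0])
    for a in da_addresses:
        payload += ipaddress.IPv4Address(a).packed
    return bytes([OPT_SLP_DA, len(payload)]) + payload


def encode_option_79(scopes, mandatory=False):
    """Option 79 body: mandatory flag + comma-separated scope list (UTF-8)."""
    payload = bytes([1 if mandatory else 0]) + ",".join(scopes).encode("utf-8")
    return bytes([OPT_SLP_SCOPE, len(payload)]) + payload


def decode_option(blob):
    """Decode one option 78 or 79 and return (code, mandatory, value).
    Raises ValueError for a malformed option (truncated, or a bad address count),
    which is what a client should do rather than act on a partial DA list."""
    if len(blob) < 3:
        raise ValueError("option too short")
    code, length = blob[0], blob[1]
    body = blob[2:2 + length]
    if len(body) != length:
        raise ValueError("option truncated")
    mandatory = bool(body[0])
    data = body[1:]
    if code == OPT_SLP_DA:
        if len(data) % 4:
            raise ValueError("option 78 address list is not a multiple of 4 bytes")
        addrs = [str(ipaddress.IPv4Address(data[i:i + 4])) for i in range(0, len(data), 4)]
        return code, mandatory, addrs
    if code == OPT_SLP_SCOPE:
        text = data.decode("utf-8")
        return code, mandatory, [s for s in text.split(",") if s]
    raise ValueError(f"not an SLP option: {code}")


def da_order_for_subnet(das, subnet_index):
    """Rotate the DA list so consecutive subnets prefer a different DA first
    (the slide's 'different DA orders for alternating subnets')."""
    if not das:
        return []
    k = subnet_index % len(das)
    return list(das[k:]) + list(das[:k])


if __name__ == "__main__":
    das = ["10.0.1.3", "10.0.1.5"]           # constructed DA addresses
    for i in range(2):
        order = da_order_for_subnet(das, i)
        print(f"subnet {i}:", encode_option_78(order).hex(), order)
    print(encode_option_79(["HQ_SLP_SCOPE"]).hex())
```

The decoder is the half worth keeping around: a client that hangs at login because DHCP hands out an address for a DA that does not exist (the warning on the “SLP & DHCP” slide) can be diagnosed by decoding the option bytes from a capture and pinging each listed DA.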

Page 56: Workstation SLP Discovery Process (The Simple Version)

1. Workstation seeks the DA configured by DHCP (if it exists)
2. Workstation seeks the statically configured DA (if it exists)
3. Workstation multicasts to find DAs on the network
4. (If no DAs found) Workstation multicasts to find SLP services - probably from each Service Agent (server), because no DA is responding.
5. Somewhere along the way … DNS is also tried before SLP gives up and passes the baton to IPX/SAP … if IPX is loaded/running.

Failure to discover a DA often results in a mysterious “pre-login delay” of anywhere from 2 to 30 seconds at each workstation.

This problem is very common in NetWare® based networks without configured SLP.

Page 57: Troubleshooting Workstation SLP

At a command prompt, type: SLPINFO /D /S

Page 58: How Workstations Find Servers (Derived from Novell® TID 10014700)

1. NDS … Workstation queries the DS database to find the IP address for services that are registered in DS through a directory agent. (This option only works if the user's already connected to the tree!)
2. Workstation uses its local HOSTS file on NT/2K/XP, or NWHOST on Win9x. (This option only works if you have server/tree names and IP addresses in the workstation’s hosts file that match the server/tree specified in the NetWare® Client login screen.)
3. DNS … Workstation asks DNS to resolve the server/tree name to an IP address. (This is why we put the NDS tree name into DNS during our preparation earlier.)
4. SLP. Novell® TID says: “Requires no configuration on the client.”
5. SLP via DHCP. The client gets SLP information from DHCP.

Page 59: How Servers Find SLP DAs

• Static configuration (slp.cfg)

• DHCP configuration (On a server? Yes, on a server.)

– Note: By default, NetWare® servers will use DHCP to obtain SLP information. I don‘t recommend leaving this default in place; it can easily lead to mysterious ABENDs whenever TCP/IP loads.

• Dynamic Discovery (multicast)

Page 60: Configuring Servers For SLP

• The file SLP.CFG (NetWare®) or SLP.CONF (Linux) is used to tell the server what SLP Directory Agents to work with.

• This file can also be used to define service scope filtering and registration. This isn't generally needed on most networks.

• On NetWare servers running SLPDA.NLM, the SLP.CFG file doesn't do anything … unless you're pointing two DAs at each other for purposes of fault-tolerance or merging of SLP scopes.

Page 61: Configuring NW Servers for SLP

The SLP.CFG file defines the static DAs that the server will register services with. You can use DA IP addresses or internal DNS names:

#Static Directory Agents
DA IPV4, 192.168.0.100
DA IPV4, fs1.fubar.com

At the console prompt, the “SET SCOPE LIST =” command defines in which scope SLP services for this server should be registered:

SET SCOPE LIST = HQ_SLP_SCOPE

Page 62: Configuring OES/Linux for SLP

The /ETC/SLP.CONF file defines not only the SLP DAs, but also basic information about the OES server itself:

net.slp.DAAddresses = 10.0.1.3, 10.0.1.5

Unlike NetWare®, to set up scopes, you place the scope name in this file:

net.slp.useScopes = ABC_HQ_SLP_SCOPE

If this will be a Directory Agent, activate or add the following line:

net.slp.isDA = true
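Added example (not code from the presentation, NetWare or OpenSLP): a Python reader for both file formats shown on this slide and the previous one (SLP.CFG on NetWare, /etc/slp.conf on OES/Linux), reduced to one structure and checked against what the deck recommends: a static DA list, a scoped (not “unscoped”/“DEFAULT”) scope, and, for a DA, its own address in its DA list as the OES/Linux DA setup slide says. The two file bodies are constructed from the slides' lines; because the NetWare scope is set with the console SET SCOPE LIST command rather than in SLP.CFG, it is passed to the NetWare parser separately.

```python
"""Read the NetWare SLP.CFG and OES/Linux /etc/slp.conf formats into one
structure and check the settings the deck recommends (static DAs, a scoped
scope, and a DA that lists its own address).

Added example, not code from the presentation. The two file bodies are
constructed from the slides' lines; the NetWare scope comes from the console
SET SCOPE LIST command, so it is passed in separately.
"""
import ipaddress
import re

# Constructed SYS:ETC\SLP.CFG (NetWare) from the "Configuring NW Servers" slide.
NETWARE_SLP_CFG = """\
#Static Directory Agents
DA IPV4, 192.168.0.100
DA IPV4, fs1.fubar.com
"""

# Constructed /etc/slp.conf (OES/Linux) from the slide, with the DA line enabled.
LINUX_SLP_CONF = """\
; static DAs and scope for this server
net.slp.DAAddresses = 10.0.1.3, 10.0.1.5
net.slp.useScopes = ABC_HQ_SLP_SCOPE
net.slp.isDA = true
"""

_HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)


def parse_netware_slp_cfg(text, scope_list=""):
    """'DA IPV4, <address-or-name>' lines; '#' starts a comment."""
    das = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind, _, target = line.partition(",")
        if kind.split() == ["DA", "IPV4"] and target.strip():
            das.append(target.strip())
    scopes = [s.strip() for s in scope_list.split(",") if s.strip()]
    return {"das": das, "scopes": scopes, "is_da": False}


def parse_linux_slp_conf(text):
    """'net.slp.<key> = <value>' lines; ';' or '#' starts a comment."""
    cfg = {"das": [], "scopes": [], "is_da": False}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "net.slp.DAAddresses":
            cfg["das"] = [v.strip() for v in value.split(",") if v.strip()]
        elif key == "net.slp.useScopes":
            cfg["scopes"] = [v.strip() for v in value.split(",") if v.strip()]
        elif key == "net.slp.isDA":
            cfg["is_da"] = value.lower() == "true"
    return cfg


def _valid_target(t):
    """A DA entry must be an IP address or a syntactically valid host name."""
    try:
        ipaddress.ip_address(t)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(t))


def check_slp_config(cfg, own_address=None):
    """Return problems against the deck's recommendations; empty list is good."""
    problems = []
    if not cfg["das"]:
        problems.append("no static DA configured (server will fall back to DHCP/multicast discovery)")
    for t in cfg["das"]:
        if not _valid_target(t):
            problems.append(f"DA entry {t!r} is neither an IP address nor a hostname")
    if not cfg["scopes"] or any(s.lower() in ("unscoped", "default") for s in cfg["scopes"]):
        problems.append("no scoped scope set; the deck recommends using only scoped scopes")
    if cfg["is_da"] and own_address and own_address not in cfg["das"]:
        problems.append(f"this server is a DA but {own_address} is not in its DA list")
    return problems


if __name__ == "__main__":
    print(check_slp_config(parse_netware_slp_cfg(NETWARE_SLP_CFG, "HQ_SLP_SCOPE")))
    print(check_slp_config(parse_linux_slp_conf(LINUX_SLP_CONF), own_address="10.0.1.3"))
```

Point the parsers at the real files from every server and compare the resulting DA lists and scopes; the deck's symptoms (slow logins, services registering in unexpected places) usually come down to one server whose list or scope differs from the rest.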

Page 63: Troubleshooting NetWare® SLP

DISPLAY SLP DA
Displays the list of SLP Directory Agents and their current status.

DISPLAY SLP SERVICES
Displays a list of all SLP services known by that server.

The following command line options can also be set in MONITOR.NLM:

SET SLP DA Discovery Options = value (0-8, Default 15)
0x01 = Use multicast DA advertisements
0x02 = Use DHCP discovery
0x04 = Use static file SYS:ETC\SLP.CFG (Strongly Recommended)
0x08 = Scopes Required

SET SLP Scope List = value
This parameter specifies a comma-delimited scope policy list.

SET SLP Reset = ON
This parameter forces the SA to send new service registers and forces the SA to send DA Advertise packets.
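Added example (not code from the presentation or from SLP.NLM): a Python decoder for the SLP DA Discovery Options bitmask above, together with a model of the discovery order given on the “Server SLP Registration Process” and “How Servers Find SLP DAs” slides (DHCP first, then the static SLP.CFG list, then multicast), where each source is consulted only if its flag is set. The model and the DA addresses are this example's own; the meaning it gives to 0x08 (refuse to proceed when no scope list is configured) is an assumption, since the slide only names the flag.

```python
"""Decode the SLP DA Discovery Options bitmask from the troubleshooting slide
and model the DA discovery order the deck gives (DHCP, then the static
SLP.CFG list, then multicast).

Added example, not code from the presentation or from SLP.NLM. The discovery
model and the DA addresses are this example's own; the meaning given to 0x08
(refuse to proceed when no scope list is configured) is an assumption.
"""

DISCOVERY_FLAGS = {
    0x01: "multicast DA advertisements",
    0x02: "DHCP discovery",
    0x04: "static file SYS:ETC\\SLP.CFG",
    0x08: "scopes required",
}
ALL_FLAGS = sum(DISCOVERY_FLAGS)        # 15, the default listed on the slide
RECOMMENDED = 0x04                      # the slide's "Strongly Recommended" setting


def decode_discovery_options(value):
    """Return the names of the flags set in a SET SLP DA Discovery Options value."""
    if not 0 <= value <= ALL_FLAGS:
        raise ValueError(f"value {value} outside 0..{ALL_FLAGS}")
    return [name for bit, name in DISCOVERY_FLAGS.items() if value & bit]


def encode_discovery_options(names):
    """Inverse of decode: build the bitmask from flag names."""
    by_name = {name: bit for bit, name in DISCOVERY_FLAGS.items()}
    return sum(by_name[n] for n in names)


def discover_da(options, dhcp_das=(), static_das=(), multicast_das=(), scope_list=()):
    """Walk the sources in the order the deck gives and return (source, da).
    A source is consulted only if its flag is set; (None, None) means no DA found.
    The 0x08 handling is this example's assumption about 'Scopes Required'."""
    if options & 0x08 and not scope_list:
        return ("error", "scopes required but no scope list configured")
    if options & 0x02 and dhcp_das:
        return ("dhcp", dhcp_das[0])
    if options & 0x04 and static_das:
        return ("static", static_das[0])
    if options & 0x01 and multicast_das:
        return ("multicast", multicast_das[0])
    return (None, None)


if __name__ == "__main__":
    print(decode_discovery_options(ALL_FLAGS))
    print(decode_discovery_options(RECOMMENDED))
    # With the default (15), a stray DHCP answer wins; with 4, only SLP.CFG is used.
    print(discover_da(ALL_FLAGS, dhcp_das=["10.0.0.9"], static_das=["10.0.1.3"], scope_list=["HQ"]))
    print(discover_da(RECOMMENDED, dhcp_das=["10.0.0.9"], static_das=["10.0.1.3"]))
```

The two printed discovery results are the point of the deck's “set SLP Discovery Option = 4” advice: with the default value a DHCP-supplied DA is tried before the one you configured in SLP.CFG, so an incorrect DHCP option silently redirects the server.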

Page 64: Troubleshooting OES/Linux SLP

/etc/init.d/slpd restart
Stops and starts the SLP daemon service.

slptool findsrvs service:directory-agent
Linux analogue of the “DISPLAY SLP DA” command.

slptool findsrvtypes [followed by]
slptool findsrvs <srvtype>
Linux analogue of the “DISPLAY SLP SERVICES” command.

Running Novell® Linux Desktop? See TID #10097551 for info on setting up SLP on NLD.

Page 65: Default NetWare DA Configuration

When loading SLPDA.NLM for the first time, you are prompted to create a default configuration. Please say “No”. The default configuration includes a scope of “unscoped” (NetWare® 5.x) or “DEFAULT” (NetWare 6.x), and automatically creates SLP objects in eDirectory™.

The default configuration is not appropriate, because you can't tell where services will register. By default, objects will be created in the same context as the server object. Manually configure your SLP DA – it's not difficult!

Page 66: Setting up the NetWare® DA

Allan’s Promised 5-Minute DA Setup:
1. Create an OU container to hold the Scope Unit objects. This gets the SLP info somewhere you can (a) find it easily, and (b) easily partition and replicate it for fault tolerance later.
2. Create an SLP Scope Unit. Provide a name for the Scope Unit and the name of the scope itself.
3. Create the SLP DA object. Select a Host Server on which this SLP DA will run. Select an SLP Scope for this SLP DA to service.
4. Load SLPDA.NLM on the DA server console (and in AUTOEXEC.NCF).
5. Edit SYS:ETC\SLP.CFG on all NON-DA servers to point to the DA server.
6. Go into MONITOR on ALL servers, explicitly define the SLP Scope AND set SLP Discovery Option = 4.

Page 67: Setting up the OES/Linux DA

Allan’s Promised 5-Minute DA Setup:
1. Create an OU container to hold the Scope Unit objects. This gets the SLP info somewhere you can (a) find it easily, and (b) easily partition and replicate it for fault tolerance later.
2. Create an SLP Scope Unit. Provide a name for the Scope Unit and the name of the scope itself.
3. Create the SLP DA object. Select a Host Server on which this SLP DA will run. Select an SLP Scope for this SLP DA to service.
4. Edit sys:etc/slp.conf and configure it appropriately:
net.slp.DAAddresses = (address of the DA itself)
net.slp.isDA = true
5. Start the slp service:
/etc/init.d/slpd start

Page 68: Configuring SLP in eDirectory™

Configuring SLP should be a pretty short process.

In general, I prefer to use ConsoleOne® 1.3.6e or NWAdmn32 for SLP configuration.

Bonus Tip: ConsoleOne too slow? Set your anti-virus program to not scan .JAR files on ConsoleOne directories, especially on workstations*.

Real-time antivirus scans of .JAR files can substantially increase ConsoleOne load times.

Page 69: Typical SLP Configuration – OU’s

Notice the separate OUs for DNS/DHCP and SLP. These make it easy to split off these containers into their own partition. This is useful for creating fault tolerant DNS, DHCP, and SLP network services.

The DNS/DHCP and SLP OUs will each contain frequently changing information. If you partition them off, then only the servers that need the info (and which have NDS replicas) will have to exchange updates across the network.

Page 70: TUT218-SLP Made Easy 2006 Ver 2.7

NetWare® vs. OES/Linux SLP DA

• The NetWare® SLP DA stores collected SLP service information in eDirectory™.

• As of the current revision of this session (3/20/06), the OES/Linux DA does not store SLP info in eDirectory.

• If an OES/Linux SLP DA machine is restarted, it must collect SLP information all over again.

• This deficiency is scheduled to be corrected in a future OES version or Support Pack.

Page 71: TUT218-SLP Made Easy 2006 Ver 2.7

Typical SLP Configuration - DNS

Note the DNS “A” record entries for the eDirectory™ tree name (CASTLE) and the server name (BEAST). These will allow workstations to find the tree and server quickly. They will also allow servers to resolve each other's names quickly.

Page 72: TUT218-SLP Made Easy 2006 Ver 2.7

Typical SLP Configuration – SLP OU

Expanded SLP container, showing the clearly named SLP Scope Unit and SLP DA. I prefer “self-documenting” names for eDirectory™ objects. This type of name makes it easy to figure out which is the scope and which is the scope unit.

Page 73: TUT218-SLP Made Easy 2006 Ver 2.7

Typical SLP Config: SLP DA

Page 74: TUT218-SLP Made Easy 2006 Ver 2.7

Typical SLP Config: Scope Unit

Details of the SLP Scope Unit, showing both the scope name and the DA servicing the scope. Note that the highlighted Scope Name can be either a named scope or simply “Unscoped”.

Page 75: TUT218-SLP Made Easy 2006 Ver 2.7

Typical SLP Configuration - Services

Double-clicking on the SLP Scope Unit reveals the SLP Services that have been registered with this scope’s DA. All SLP DAs have access to this information, since it’s stored and replicated in Directory Services.

Page 76: TUT218-SLP Made Easy 2006 Ver 2.7

How Many Directory Agents Do You Need?

• One DA is sufficient for up to 5,000 workstations.

• Two DAs (for fault-tolerance) are sufficient for most networks.

• Factors to consider in determining how many DAs to install are:

– NDS replication traffic
– The number and placement of servers & clients
– Your WAN topology
– Your administration policy

Page 77: TUT218-SLP Made Easy 2006 Ver 2.7

SLP Version 2

There are two versions of SLP:
– NW 5.x supports SLP Version 1.
– Later patch levels of NetWare 5.1, NetWare® 6.x, and OpenSLP (Linux) support SLP Version 2.

• Macintosh clients need SLP v2 to browse an IP-based network.

• SLP v2 DAs do support SLP v1 for backwards compatibility.

• Version 1's “Unscoped” requests are known as “DEFAULT” in Version 2.

Page 78: TUT218-SLP Made Easy 2006 Ver 2.7

SLP/Pure IP: Rolling It Out

1. Infrastructure items checked.

2. Working DNS.

3. Working DHCP, handing out SLP information.

4. Stable NICI/SAS/PKI.

5. Healthy NDS/eDirectory™ Tree w/good Timesync.

6. Simple & Effective DA Configuration.

7. Updated Clients.

Page 79: TUT218-SLP Made Easy 2006 Ver 2.7

Demonstration!

Page 80: TUT218-SLP Made Easy 2006 Ver 2.7

Once More: Reaching “Pure IP”

What we've covered (labels from the slide's “Pure IP” diagram):

– Aha! Pure IP!
– Remove IPX From the Wire
– Configure Client Workstations for SLP UA Operation
– Configure Servers for SLP SA and DA Operation
– DNS, Server IP, DHCP, Time, NICI / SAS / PKI, NDS
– Migrate to NDPS/iPrint

Page 81: TUT218-SLP Made Easy 2006 Ver 2.7

Top Ten(+1) Worst Pure IP Hurdles

11. Inconsistent/incorrect HOSTS & HOSTNAME files on servers.

10. Invalid/inconsistent default gateways on servers.

9. Servers not INETCFG’d (no defroutes or static routes).

8. Non-configured (or badly configured) time sources.

7. Corrupt or invalid Tree or Server Certificate Authority.

6. Autospeed/Autoduplex/Autoframe turned on (or x57.LAN driver).

5. Old versions of NetWare® Client.

4. Four Deadly Words: “Not Recently Patched Servers.”

3. Trying to distribute SLP info via an NT 4.0 DHCP server.

2. Missing tree name and/or server names in DNS.

And, the number one hurdle to Pure IP …

1. Managers who insist that you skip any of the above steps!

Page 82: TUT218-SLP Made Easy 2006 Ver 2.7

SLP TIDs

• TID 10014396 - “SLP Terms and Configuration Reference”

• This handy document contains pointers to...
– TID 10025313 - “Frequently Asked Questions about SLP”
– TID 10014466 - “Configuring SLP for a NetWare Client™”
– TID 10027163 - “Configuring SLP for a NetWare Server”
– TID 10062474 - “SLP Design and Implementation Guidelines”
– TID 2942940 - “Client Login Process – IP/SLP”
– TID 2948052 - “Troubleshooting IP Login Issues”
– TID 10095033 - “Linux SLP Quickstart”
– TID 10097551 - “How to setup your Linux Desktop for SLP”

Page 83: TUT218-SLP Made Easy 2006 Ver 2.7

AppNotes

• March 1999: Dynamically Discovering Services on an IP Network using SLP

• April 2000: Understanding and Configuring SLP Directory Agents and Scopes

Page 84: TUT218-SLP Made Easy 2006 Ver 2.7

Thank You!

• Questions? Contact me at:
Allan Hurst
KIS
4027 Clipper Court
Fremont, CA 94538
[email protected]
http://www.kiscc.com
tel 650.207.0215

• My other sessions at BrainShare 2006:
– IO315: OES For The Experienced NetWare Administrator
– TUT204: A Preventative Approach to Server Crashes (with Dirk Smith)

Page 86: TUT218-SLP Made Easy 2006 Ver 2.7

Unpublished Work of Novell, Inc. All Rights Reserved.

This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.