Allan Hurst
Partner & Technical Principal KIS allanh@kiscc.com 650.207.0215
Ver 2.7 March 23, 2006
Acknowledgements
My thanks to the following Novell people (past and present) who have provided me with SLP & OES information over the past few years: Bart Chandler, Reid Oakes, Marci Orler, Paul Schabert, Howard Shapiro, Jason Williams, Eric Wing.
Novell, Inc.
Housekeeping
Cell phones, pagers, Treos, Blackberries: set them all to stun (silent or off), please. No noise is good noise. (Don't make me come down there!) If you have a question, it's absolutely OK to ask. It'll help if you raise your hand first to get my attention. I'll try to answer on the fly. Please fill out your evaluation form. This session was created (and revised) based on evaluations from prior events. It's OK to have fun in here. Honest.
Partner, Technical Principal & Director of Linux Strategy. Master CNE with 18+ years of Novell experience. One of four partners at KIS, a Novell Platinum Partner located in Fremont, California. Runs the Novell Enterprise Systems Group (responsible for network planning, migrations, upgrades, moves, re-architecting, clean-up, DNS, and Linux strategy). Runs The WAP Squad. (WAP stands for ?) With Dirk Smith, is a member of the (infamous) Crash Dummies team, specialists in analyzing and preventing server crashes.
Sporadic errors when browsing the local network
Slow logins
Intermittent server communication
Time sync errors
Up-Front Disclaimers
Doesn't work under IPX? It won't work any better under IP. Making your network Pure IP ready is a long-term project. It's not a sin to run IPX AND IP on the same wire. Honest. Get IP working before making plans to remove IPX from the wire. Often, just the (pre-SLP) cleanup process speeds up the network. Most of this process (80%!) is just prep work that doesn't involve SLP at all. (But it needs to be done if you want to use SLP.) Actually configuring SLP only takes about 5 minutes!
Reaching Pure IP
What we'll cover here:
Configure Servers for SLP SA and DA Operation
Configure Client Workstations for SLP UA Operation
What have I been using all this time? (IPX & SAP)
IPX-based protocol
Broadcast-based
Flexible and easy for smaller networks
Not easily routable
Limited in types of information provided
No provision for service expiration
What is SLP?
The basis for Pure IP operation
IP-based
Replacement for IPX's SAP
Allows dynamic advertising of services
An open standards based protocol
(RFCs 2165, 2608, 2609, 2614)
An SLP service is just an application running on a server, which other machines on the network can access. (For example: NDS, REMOTE.NLM, NDPS, SCMD.) When a server starts up, services (applications) register with SLP to make themselves available to the network. SLP maintains the service name and IP address of the host offering the service, along with an expiration date/time. Each service has a unique URL (Uniform Resource Locator).
SAP & IPX don't scale well. SLP improves workstation login and drive mapping performance on your network. OES/Linux doesn't support IPX, and never will.* eDirectory 8.8 achieves significant performance gains over earlier versions because it contains no IPX code at all.*
*Thank you to Novell's OES Product Manager -- Jason Williams -- for pointing out these particular nuggets of information.
SLP vs. SAP
SLP: IP-based. Pulls info off of the wire using unicasts & multicasts. Allows a rich set of attributes. Specifies an expiration time for each service.
SAP: IPX-based. Pushes info onto the wire using broadcasts. Provides a very limited set of attributes. Services drop off the wire.
SLP vs. SAP
SLP: IP services register themselves in the SLP database. SLP advertises nothing; the SLP DA simply listens for requests. SLP supports a wide variety of attribute information. SLP uses multicast, which is routable (SLP can fall back to broadcast mode if needed). Has a mechanism to actively remove expired services.
SAP: SAP service registrations are stored on each server. Broadcasts server name, address, and SAP type regularly (as soon as IPX is bound on an interface). Advertises only service name, type and address. Broadcast protocol is not routable.
(Diagram: IP Workstation (UA) discovering DAs)
1. Client sends "Where are you?" multicast to all DAs.
Try increasing the above numbers to 5 servers and 100 workstations, and figure out how many broadcasts would suck up your network bandwidth!
Service Agent (SA): Runs on every server running SLP. Registers available services (cache). Listens for Service Requests. Has a specified expiration interval per service.
Directory Agent (DA): Stores SLP service records in eDirectory and/or cache. SAs register services with the DA. UAs request services from the DA.
Service Registration
Service Deregistration
Service Type Request
Service Request
Attribute Request
Directory Agent Advertisements
The DA maintains a database of URLs representing network services. The DA provides the interface between SLP and NDS. SAs and UAs interact with DAs to advertise and locate network services. NDS provides a common, real-time data storage location for SLP information collected by DAs. Oddly enough, the DA is the only agent that is not required in an SLP-based network: UAs and SAs can still find each other via multicast if there's no DA present.
You need a good foundation to build a strong house, which makes it a real pity that most network homes are built on top of chicken wire and facial tissue. Let's look at what needs to be done before attempting to configure SLP.
Verified and documented IP addresses
Correct subnet masks
Correct default gateway/default routes
Any needed static routes
This includes:
Servers (you'd be amazed at what I find each day)
Routers (what's really in your routing table?)
Switches (plug-and-play units often aren't set correctly)
Printers (usually set up for DHCP at the factory)
We're going to review potential NetWare configuration problems right now. My experience suggests that OES/Linux has none of these errors to correct. OES/Linux installs very cleanly. So, Linux People ... please be patient with us for a few minutes...
SYS:etc\resolv.cfg
domain allanh.com
nameserver 192.168.129.10
nameserver 64.81.79.2
SYS:etc\hosts
127.0.0.1 loopback lb localhost
192.168.129.10 beast.allanh.com BEAST castle
192.168.129.11 ifolder.allanh.com ifolder
Automatic speed sensing is EVIL. Automatic duplex detection is ROTTEN. Automatic frame typing is HEINOUS. This includes:
* Note: Some Cisco devices with recent versions of IOS may work better
Broadcom's older NetWare drivers have known problems with IP packet checksums. This causes packet loss, time falling in and out of sync at random, servers dropping off the network, NDS communication problems, and more.
Affected drivers: older versions of Q57.LAN, B57.LAN, N57.LAN, x57.LAN, etc. Note: This is not a problem with OES on SLES.
Solution:
Update with the latest version of x57.LAN (use Google)
Add checksum=off to the LOAD x57.LAN lines in NETINFO.CFG
Point to the primary address of the server
Match the IP address and hostname (sys:etc\hostname)
ping acmetree
Keep internal and external DNS servers on separate boxes. The only A, MX and CNAME records that should be on your external DNS server are the ones that you really want the rest of the world to know about. Don't publish your internal servers' A records on your external DNS. The best way to avoid being hacked is to avoid being found in the first place.
Scared of setting up your own DNS server on NetWare? (It's easy. Honest.)
(Oh, just search Google for nw5dnsdhcp.pdf) Still scared of DNS? Ask me when and where my next Demystifying DNS presentation will take place.
If DNS fails, keep your servers talking to each other by creating a HOSTS file!
Create a master HOSTS file that includes all of the NDS server entries from your internal DNS, plus the tree name. Copy the master HOSTS file to all NetWare servers
Update and recopy the master file to all NetWare servers each time you add or change server names or IP addresses.
Some people find utilities such as ZENworks for Servers to be useful for pushing HOSTS files out to multiple servers.
NOTE: This is NOT a replacement for DNS. You still need a properly configured Internal DNS server.
Time must be in sync. Obituaries must be processing. There must be no errors in DSREPAIR.
Use configured time sources only. IP addresses are most foolproof for internal time sources. (Especially if you don't have good DNS yet.)
For more information on the Network Time Project, visit http://www.ntp.org Can't get port 123 opened up on your firewall? Consider using a GPS time signal. Google gps network time.
Encryption? On MY network?
All of these modules must be configured correctly and working on all NW 5.x & 6.x servers in your tree:
SAS - Secure Authentication Service
PKI - Public Key Infrastructure
Tree CA - Your tree's Certificate Authority
Server CA - Each NW5/6 server's Certificate Authority
Patch THIS!
All NetWare servers must be patched to a minimum of:
NetWare 4.11/4.2: NW4SP9.exe
NetWare 5.0: NW50SP6A.exe
NetWare 5.1: NW51SP8.exe
NetWare 6: NW6SP5.exe (or NW6SP5E.exe for English only)
NetWare 6.5: NW65SP4.exe or NW65SP5.exe
These SLP modules must be the same revision across all servers for each version of NetWare:
No More Prerequisites!
OK, now that you have a healthy network, let's talk about exactly what SLP services are, and how they work.
An Unscoped scope is a general default scope. It's all of the service URLs that aren't tied to a specifically defined scope.
In SLP version 1, the default scope is called the Unscoped scope. In SLP version 2, it is called the Default Scope.
A Scoped Scope is a Scope Unit that has been defined with a specific Scope Name.
By default, all clients and servers are both User Agents and Service Agents (double agents). Multicast groups:
Service Agents listen on 224.0.1.22 (UAs multicast to 224.0.1.22 when searching for a service.)
Directory Agents listen on 224.0.1.35 (UAs and SAs multicast to 224.0.1.35 when searching for a DA.)
If multicast fails, SLP will fall back to using IP broadcasts unless specifically configured not to do so.
SLP uses TCP & UDP port 427. (See TID #10050135)
SLPDA in eDirectory
Is a leaf object that represents a single instance of a DA. Defines the DA's configuration, scope, and security. Multiple DAs cannot share a single object. Assigning the DA adds an eDirectory attribute to the NCP_SERVER class definition called SLP Directory Agent DN. This points the Server object to the DA object.
SLP Scope Unit: NDS storage container for SLP service information. Holds all SLP Service objects for a specific scope. The Unscoped Scope is the default before SLP v2.
Directory Agents are assigned to service one or more scope units. UAs can be configured to use specific scopes defined by DAs servicing that scope.
Each SLP Service Object represents a service registration. It is subordinate to the SLP Scope Unit object, and stored in the appropriate SLP Scope object according to its scope.
Rough IPX analog: SAP entries seen in DISPLAY SERVERS.
SLP Services
Command: display slp services (sort of a Pure IP version of display servers)
FS1: display slp services
DISPLAY SLP SERVICES
Usage: display slp services [<service type>/<scope>/<predicate query>]/
Example 1: display slp services
Example 2: display slp services bindery.novell//(svcname-ws=abc*)/
Searching Network. . . .
service:nwserver.novell:///FS1
service:bindery.novell://FS1
service:ndap.novell:///acme1
service:ndap.novell:///acme2
service:timesync.novell:///10.200.200.102
service:portal.novell://10.200.200.102:8008/FS1
Displayed 6 of 6 Total URLs for: (All)/(default)/(Not specified)
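As an added example (not part of the original presentation), here is a small Python parser for the service: URLs that DISPLAY SLP SERVICES prints, with a type/name filter that mimics the predicate query form and an audit that flags registrations naming a server the administrator does not know about. The seventh URL and the known-server set are constructed for the demonstration.

```python
import fnmatch
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Set

# Constructed sample input: the six URLs from the DISPLAY SLP SERVICES slide,
# plus one made-up registration that no known server should have produced.
SAMPLE_URLS = [
    "service:nwserver.novell:///FS1",
    "service:bindery.novell://FS1",
    "service:ndap.novell:///acme1",
    "service:ndap.novell:///acme2",
    "service:timesync.novell:///10.200.200.102",
    "service:portal.novell://10.200.200.102:8008/FS1",
    "service:ndap.novell:///acme-rogue",      # constructed, not on the slide
]


class ServiceURL(NamedTuple):
    srvtype: str            # abstract service type, e.g. "ndap"
    naming_auth: str        # naming authority, e.g. "novell"
    host: str               # "" when the URL uses the empty-host form "///"
    port: Optional[int]
    path: str               # service name after the host part, e.g. "acme1"

    @property
    def name(self) -> str:
        """The identifier the URL advertises: the path if present, else the host."""
        return self.path or self.host


def parse_service_url(url: str) -> ServiceURL:
    """Split an RFC 2609 'service:' URL into type, naming authority, host, port, path."""
    if not url.startswith("service:"):
        raise ValueError(f"not an SLP service URL: {url!r}")
    srvtype, sep, rest = url[len("service:"):].partition("://")
    if not sep:
        raise ValueError(f"missing '://' in {url!r}")
    abstract, _, auth = srvtype.partition(".")
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    return ServiceURL(abstract, auth, host, int(port) if port else None, path)


def count_by_type(urls: List[str]) -> Dict[str, int]:
    """Registrations per service type, the way the 'Displayed N of N' tally sees them."""
    return dict(Counter(parse_service_url(u).srvtype for u in urls))


def find_services(urls: List[str], srvtype: str, name_glob: str = "*") -> List[str]:
    """Filter like 'display slp services <type>.novell//(svcname-ws=<glob>)/'.
    Simplification: the glob is matched on the advertised name, not on the
    attribute list a real SA would return."""
    matches = []
    for u in urls:
        parsed = parse_service_url(u)
        if parsed.srvtype == srvtype and fnmatch.fnmatchcase(parsed.name, name_glob):
            matches.append(u)
    return matches


def unexpected_registrations(urls: List[str], known: Set[str]) -> List[str]:
    """Registrations naming a host/server that is not on the administrator's list.
    A stale or unauthorised SA shows up here before it shows up as a login hang."""
    return [u for u in urls if parse_service_url(u).name not in known]
```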
(Diagram: Service Agents answering with unicast replies)
Note: Allan doesn't recommend this method; it usually creates trouble later.
Medium-Sized Network
(Try it, you'll like it.)
(Diagram: Service Agents with a Directory Agent)
Large-Sized Network
(For the very, very brave of heart.) Services are grouped into scopes.
(Diagram: Scope One, with UAs, SAs and the Elbonia DA; Scope Two, with UAs, SAs and the Kalamazoo DA; the two scopes are joined by a WAN link.)
The UAs are configured with one or more DA addresses. SLP queries to remote services may cross the WAN link.
SLP UA is installed automatically when one of the IP protocol options is chosen during client installation. SLP must be available for the client to function. No SLP = No Browsing! (A hint that SLP's not OK.)
Static parameter configuration is performed in the Novell Client Configuration property pages, under the Service Location tab. It's easiest, however, to use DHCP to configure SLP.
If you need to configure SLP information statically for each workstation, here's where you do it.
Scope List: Which SLP scopes the workstation will use.
DA list: Which DAs a client is statically configured to talk with.
Note: Use SLPINFO /D to find out which DAs the client has discovered dynamically and what their status is (Active or Inactive).
Use DHCP. This should be enabled by default. DHCP SLP configuration is faster & easier than having to touch each workstation to statically configure SLP.
Even if the workstation's IP address is statically configured, SLP can still receive an SLP Scope and DA configuration from a DHCP server. This is done using something called a DHCP INFORM packet ... ask Laura Chappell for details. Warning: if your DHCP hands out SLP info using DNS names (or IP addresses) for DA machines that don't yet exist, the clients will appear to hang during login and drive mapping. This is why I suggest setting up DNS before DHCP.
DHCP Option 78 = SLP Directory Agent IP Address
DHCP Option 79 = SLP Service Scope
Note: You can hand out more than one SLP DA or SLP scope via DHCP. If you want to do some primitive SLP load balancing, use different DA orders for alternating subnets.
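As an added example (not code from the presentation), this Python encodes and decodes DHCP options 78 and 79 in the RFC 2610 wire format (code, length, mandatory byte, then packed IPv4 addresses or a comma-delimited scope list), and rotates the DA order per subnet to get the primitive load balancing the slide mentions. The DA addresses reuse the 192.168.129.x hosts from the earlier resolv.cfg/hosts slide and the scope name HQ_SLP_SCOPE from the SET SCOPE LIST slide; both are assumed values, not a real site.

```python
import ipaddress
from typing import List, Tuple

SLP_DA_OPTION = 78      # RFC 2610: SLP Directory Agent option
SLP_SCOPE_OPTION = 79   # RFC 2610: SLP Service Scope option

# Assumed values for the demonstration (taken from earlier slides, not a real site).
EXAMPLE_DAS = ["192.168.129.10", "192.168.129.11"]
EXAMPLE_SCOPES = ["HQ_SLP_SCOPE"]


def encode_slp_da_option(das: List[str], mandatory: bool = True) -> bytes:
    """Option 78: code, length, mandatory byte, then one packed IPv4 per DA.
    mandatory=1 tells the client not to fall back to multicast DA discovery."""
    if not das:
        raise ValueError("at least one DA address is required")
    body = bytes([int(mandatory)])
    body += b"".join(ipaddress.IPv4Address(d).packed for d in das)
    if len(body) > 255:
        raise ValueError("too many DA addresses for a single option")
    return bytes([SLP_DA_OPTION, len(body)]) + body


def encode_slp_scope_option(scopes: List[str], mandatory: bool = True) -> bytes:
    """Option 79: code, length, mandatory byte, comma-delimited UTF-8 scope list."""
    body = bytes([int(mandatory)]) + ",".join(scopes).encode("utf-8")
    if len(body) > 255:
        raise ValueError("scope list too long for a single option")
    return bytes([SLP_SCOPE_OPTION, len(body)]) + body


def decode_slp_da_option(raw: bytes) -> Tuple[bool, List[str]]:
    """Parse option 78; a length that is not 1 + 4n is rejected as malformed
    rather than guessed at, so a truncated or tampered lease cannot install DAs."""
    code, length, body = raw[0], raw[1], raw[2:]
    if code != SLP_DA_OPTION or length != len(body) or length < 5 or (length - 1) % 4:
        raise ValueError("malformed SLP DA option")
    addrs = [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(1, length, 4)]
    return bool(body[0]), addrs


def decode_slp_scope_option(raw: bytes) -> Tuple[bool, List[str]]:
    """Parse option 79 back into (mandatory flag, list of scope names)."""
    code, length, body = raw[0], raw[1], raw[2:]
    if code != SLP_SCOPE_OPTION or length != len(body) or length < 2:
        raise ValueError("malformed SLP scope option")
    return bool(body[0]), body[1:].decode("utf-8").split(",")


def da_order_for_subnet(das: List[str], subnet: str) -> List[str]:
    """The slide's 'primitive load balancing': rotate the DA list by the subnet's
    third octet, so neighbouring /24s hand out a different preferred DA first."""
    third_octet = (int(ipaddress.IPv4Network(subnet).network_address) >> 8) & 0xFF
    k = third_octet % len(das)
    return das[k:] + das[:k]


if __name__ == "__main__":
    for net in ("192.168.10.0/24", "192.168.11.0/24"):
        order = da_order_for_subnet(EXAMPLE_DAS, net)
        print(net, decode_slp_da_option(encode_slp_da_option(order)))
    print(decode_slp_scope_option(encode_slp_scope_option(EXAMPLE_SCOPES)))
```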
1. NDS: Workstation queries the DS database to find the IP address for services that are registered in DS through a directory agent. (This option only works if the user's already connected to the tree!)
2. HOSTS file: Workstation uses its local HOSTS file on NT/2K/XP, or NWHOST on Win9x. (This option only works if you have server/tree names and IP addresses in the workstation's hosts file that match the server/tree specified in the NetWare Client login screen.)
3. DNS: Workstation asks DNS to resolve the server/tree name to an IP address. (This is why we put the NDS tree name into DNS during our preparation earlier.)
4. SLP: Novell TID says: "Requires no configuration on the client."
5. SLP via DHCP: The client gets SLP information from DHCP.
Note: By default, NetWare servers will use DHCP to obtain SLP information. I don't recommend leaving this default in place; it can easily lead to mysterious ABENDs whenever TCP/IP loads.
The file SLP.CFG (NetWare) or SLP.CONF (Linux) is used to tell the server which SLP Directory Agents to work with.
This file can also be used to define service scope filtering and registration. This isn't generally needed on most networks. On NetWare servers running SLPDA.NLM, the SLP.CFG file doesn't do anything unless you're pointing two DAs at each other for purposes of fault-tolerance or merging of SLP scopes.
At the console prompt, the SET SCOPE LIST = command defines in which scope SLP Services for this server should be registered:
SET SCOPE LIST = HQ_SLP_SCOPE
Unlike NetWare, on Linux you set up scopes by placing the scope name in this file (SLP.CONF).
DISPLAY SLP DA
Displays the list of SLP Directory Agents and their current status
The default configuration is not appropriate, because you can't tell where services will register. By default, objects will be created in the same context as the server object. Manually configure your SLP DA; it's not difficult!
4. Load SLPDA.NLM on the DA server console (and in AUTOEXEC.NCF).
5. Edit SYS:ETC\SLP.CFG on all NON-DA servers to point to the DA server.
6. Go into MONITOR on ALL servers, explicitly define the SLP Scope AND set SLP Discovery Option = 4.
Configuring SLP should be a pretty short process. In general, I prefer to use ConsoleOne 1.3.6e or NWAdmn32 for SLP configuration.
Bonus Tip: ConsoleOne too slow? Set your anti-virus program to not scan .JAR files on ConsoleOne directories, especially on workstations*. Real-time antivirus scans of .JAR files can substantially increase ConsoleOne load times.
As of the current revision of this session (3/20/06), the OES/Linux DA does not store SLP info in eDirectory. If an OES/Linux SLP DA machine is restarted, it must collect SLP information all over again. This deficiency is scheduled to be corrected in a future OES version or SupportPack.
These will allow workstations to find the tree and server quickly. These will also allow servers to resolve each others' names quickly.
This type of name makes it easy to figure out which is the scope, and which is the scope unit.
One DA is sufficient for up to 5,000 workstations. Two DAs (for fault-tolerance) are sufficient for most networks. Factors to consider in determining how many DAs to install are:
NDS replication traffic
The number and placement of servers & clients
Your WAN topology
Your administration policy
SLP Version 2
There are two versions of SLP:
NW 5.x supports SLP Version 1.
Later patch levels of NetWare 5.1, and NetWare 6.x & OpenSLP (Linux), support SLP Version 2.
Macintosh clients need SLP v2 to browse an IP-based network.
SLP v2 DAs do support SLP v1 for backwards compatibility.
Version 1's Unscoped requests are known as DEFAULT in Version 2.
Demonstration!
What we've covered:
Configure Servers for SLP SA and DA Operation
Configure Client Workstations for SLP UA Operation
4. Four Deadly Words: Not Recently Patched Servers.
3. Trying to distribute SLP info via an NT 4.0 DHCP server.
2. Missing tree name and/or server names in DNS.
And, the number one hurdle to Pure IP:
1. Managers who insist that you skip any of the above steps!
SLP TIDs
TID 10014396 - SLP Terms and Configuration Reference (This handy document contains pointers to...)
TID 10025313 - Frequently Asked Questions about SLP
TID 10014466 - Configuring SLP for a NetWare Client
TID 10027163 - Configuring SLP for a NetWare Server
TID 10062474 - SLP Design and Implementation Guidelines
TID 2942940 - Client Login Process IP/SLP
TID 2948052 - Troubleshooting IP Login Issues
TID 10095033 - Linux SLP Quickstart
TID 10097551 - How to setup your Linux Desktop for SLP
AppNotes
March 1999
Dynamically Discovering Services on an IP Network using SLP
April 2000
Understanding and Configuring SLP Directory Agents and Scopes
Thank You!
IO315: OES For The Experienced NetWare Administrator
TUT204: A Preventative Approach to Server Crashes (with Dirk Smith)
Unpublished Work of Novell, Inc. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability. General Disclaimer This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.