2.4 Step 4: Verify That Your SDI Domain Key Servers Are Ready for Universal Password

You must verify that the SDI Domain Key servers meet the minimum configuration requirements and hold consistent keys for distribution to, and use by, the other servers in the tree. These steps are crucial: the other servers in the tree obtain the key that protects Universal Password from the SDI Domain Key servers, so if those servers hold different or weak keys you can cause serious password problems across the tree when you turn on Universal Password.

We recommend that eDirectory 8.7.3 or later be installed on your SDI Domain Key servers.

  1. At a Windows server command prompt, run sdidiag.exe.

    sdidiag.exe ships with the Windows version of eDirectory 8.7.3 or later. The file is available as part of a security patch (sdidiag22.exe) associated with TID 2974092.

  2. Log in as an Administrator by entering the server (full context), the tree name, the user name, and the password.

  3. Check to make sure all your servers are using 168-bit (Triple DES) keys.

    Universal Password requires the 168-bit tree key; an older 56-bit (single DES) key does not meet this requirement. Follow the instructions in TID 3364214 to ensure that this requirement is met.

  4. Enter the command CHECK -v >> installation folder\sdinotes.txt, where installation folder is the eDirectory installation folder on the server.

    The results of the CHECK command are displayed on the screen and appended to sdinotes.txt.

  5. If no problems are found, go to Step 5: Upgrade at Least One Server in the Replica Ring to eDirectory 8.7.3 or Later.

    Otherwise, follow the instructions written to the installation folder\sdinotes.txt file to resolve any configuration and key issues, then continue with Step 6.

  6. Verify that the SDI Domain Key Servers are running NICI 2.6.x or later.

    The version must be 264xx.xx or later.

    If the version is earlier, you must do one of the following:

  7. (Optional) After completing one of the options above, you might want to re-run the SDIDIAG CHECK command. See Step 4.

For more information on using SDIDIAG, see TID 3364214.
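The CHECK step above is looking for two properties: that every SDI Domain Key server holds a full 168-bit Triple DES tree key, and that all of them hold the same key. The following Python script is an added illustration of those two checks. It is not sdidiag or any Novell code and does not contact eDirectory: the server names are hypothetical (in the naming style used on this page) and the key bytes are constructed from fixed strings so the example is deterministic; a real tree key is never handled in the clear like this. The classification of degenerate Triple DES keys (equal subkeys, so the effective strength collapses to 56 or 112 bits) is standard Triple DES reasoning, not something sdidiag is documented to report.

```python
"""Added illustration: the two properties an SDI Domain Key server check
looks for. This is not sdidiag and does not contact eDirectory.

  1. Each server's tree key is a genuine 168-bit Triple DES key: 24 bytes,
     odd parity in every byte (DES convention, bit 0 is the parity bit), and
     three distinct 56-bit subkeys so it does not collapse to single DES.
  2. Every Domain Key server holds the SAME tree key (fingerprints agree).
"""
import hashlib

DES_KEY_BYTES = 8     # one DES key: 56 key bits + 8 parity bits
TDES_KEY_BYTES = 24   # three DES keys: 168 key bits + 24 parity bits


def has_odd_parity(byte: int) -> bool:
    """DES requires every key byte to have an odd number of 1 bits."""
    return bin(byte).count("1") % 2 == 1


def set_odd_parity(key: bytes) -> bytes:
    """Fix the parity bit (bit 0) of each byte so the key is DES-valid."""
    return bytes(b if has_odd_parity(b) else b ^ 1 for b in key)


def classify_des_key(key: bytes) -> str:
    """Classify a key as '168-bit', '112-bit', '56-bit', or a defect.

    Triple DES is E(K1) D(K2) E(K3). If K1 == K2 or K2 == K3 the inner pair
    cancels and the key is effectively single DES (56 bits); if only
    K1 == K3 it is two-key Triple DES (112 bits).
    """
    if len(key) == DES_KEY_BYTES:
        return "56-bit"
    if len(key) != TDES_KEY_BYTES:
        return f"invalid length {len(key)}"
    if not all(has_odd_parity(b) for b in key):
        return "bad parity"
    k1, k2, k3 = key[:8], key[8:16], key[16:24]
    if k1 == k2 or k2 == k3:
        return "56-bit"
    if k1 == k3:
        return "112-bit"
    return "168-bit"


def key_fingerprint(key: bytes) -> str:
    """Short SHA-256 fingerprint so keys can be compared without printing them."""
    return hashlib.sha256(key).hexdigest()[:16]


def check_domain_key_servers(servers: dict) -> list:
    """servers maps server DN -> tree key bytes. Returns (dn, problem) pairs.

    The reference key is the one held by the most servers; any other key is
    reported as a mismatch, as is any key that is not a full 168-bit key.
    """
    problems = []
    by_fingerprint = {}
    for dn, key in servers.items():
        kind = classify_des_key(key)
        if kind != "168-bit":
            problems.append((dn, f"tree key is {kind}, expected 168-bit"))
        by_fingerprint.setdefault(key_fingerprint(key), []).append(dn)
    if len(by_fingerprint) > 1:
        reference = max(by_fingerprint, key=lambda fp: len(by_fingerprint[fp]))
        for fp, dns in by_fingerprint.items():
            if fp != reference:
                for dn in dns:
                    problems.append((dn, f"tree key {fp} differs from reference {reference}"))
    return problems


# Constructed sample data: hypothetical DNs in the page's naming style; keys are
# derived from fixed strings purely so the example is deterministic.
GOOD_KEY = set_odd_parity(hashlib.sha256(b"constructed 168-bit tree key").digest()[:24])
OLD_56BIT_KEY = GOOD_KEY[:8]
SAMPLE_SERVERS = {
    ".server1.PRV.Novell.Novell_Inc.": GOOD_KEY,
    ".server2.PRV.Novell.Novell_Inc.": GOOD_KEY,
    ".server3.PRV.Novell.Novell_Inc.": OLD_56BIT_KEY,   # never upgraded to a 168-bit key
}

if __name__ == "__main__":
    for dn, problem in check_domain_key_servers(SAMPLE_SERVERS):
        print(f"{dn}: {problem}")
```

Run as a script, it reports server3 twice: once because its key is only 56-bit, and once because its key fingerprint differs from the key the other two servers share. Those are the same two classes of problem that the CHECK output in sdinotes.txt asks you to resolve before continuing.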

Adding or Removing an SDI Domain Key Server

To remove a server as an SDI Domain Key Server, complete the following procedure:

  1. At a Windows server, open a command prompt and run sdidiag.exe.

    sdidiag.exe ships with the Windows version of eDirectory 8.7.3 or later. The file is available as part of a security patch (sdidiag22.exe) associated with TID 2966746.

  2. Log in as an administrator with management rights over the Security container and the W0.KAP.Security objects by entering the server (full context), the tree name, the user name, and the password.

  3. Enter the command RS -s servername, where servername is the server's fully distinguished name, written with a leading and a trailing dot.

    For example, if server1 exists in container PRV in the organization Novell within the Novell_Inc tree, you would type .server1.PRV.Novell.Novell_Inc. for the servername.

To add a server as an SDI Domain Key Server, complete the following procedure:

  1. From a Windows server, open a command prompt and run sdidiag.exe.

  2. Log in as an Administrator by entering the server (full context), the tree name, the user name, and the password.

  3. Enter the command AS -s servername, where servername is the server's fully distinguished name, written with a leading and a trailing dot.

    For example, if server1 exists in container PRV in the organization Novell within the Novell_Inc tree, you would type .server1.PRV.Novell.Novell_Inc. for the servername.

After adding or removing an SDI Domain Key Server, re-run the SDIDIAG CHECK command described in Step 4 above to confirm that the servers that now act as SDI Domain Key Servers still hold consistent 168-bit keys.