HPE OneView
Re: Changing Domain Controllers

bradawk1
Trusted Contributor

Changing Domain Controllers

We have our OneView appliances connected to the corporate active directory.  As the domain controllers age, they get replaced with newer systems.  So, our appliances wind up pointing to systems that are no longer domain controllers.  So, I developed this code to check them:

# Current domain controllers, taken from the AD LDAP SRV records (field 8 of each answer is the target host)
DCs=$(/usr/bin/dig SRV _ldap._tcp.my.org +noall +answer | awk '{ print $8 }' | sed -e '/^$/d' | grep -v 'noall' | sort -t \- -k 2,2 -k 1,1)
# Compare every directory server configured in OneView against that list
for SERVER in $(curl --insecure --silent --header "X-API-Version: ${currentVersion}" --header "auth: ${sessionID}" --request GET "${Oneview}/rest/logindomains" | jq -r '.members[] | .directoryServers[] | .directoryServerIpAddress'); do
   if [[ $(echo ${DCs} | grep -c "${SERVER}") -gt 0 ]]; then
      echo "This is a good domain controller, ${SERVER}."
   else
      echo "This is no longer a good domain controller, ${SERVER}."
   fi
done

My question now is, how do I delete a bad domain controller and add in a new one?  Do I just make a new connection to AD with a new list of domain controllers, or can I delete one and just add one?

ChrisLynch
HPE Pro

Re: Changing Domain Controllers

You just update the directoryServers collection. The updated list should contain valid domain controller addresses.
I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
bradawk1
Trusted Contributor

Re: Changing Domain Controllers

I tried with:

# Resource uri to update (first directory server uri returned)
LDOM=$(curl --insecure --silent --header "X-API-Version: ${currentVersion}" --header "auth: ${sessionID}" --request GET "${Oneview}/rest/logindomains" | jq -r '.members[] | .directoryServers[] | .uri' | head -1)
#
# Get two or three domain controllers from the list:
echo ${DCs} | tr ' ' '\n'
DC1="<domain controller 1>"
DC2="<domain controller 2>"
DC3="<domain controller 3>"
# Replacement directoryServers collection (JSON body for the PUT)
DATA='{"directoryServers": [{"directoryServerIpAddress":"'${DC1}'","directoryServerSSLPortNumber":"636"},{"directoryServerIpAddress":"'${DC2}'","directoryServerSSLPortNumber":"636"},{"directoryServerIpAddress":"'${DC3}'","directoryServerSSLPortNumber":"636"}]}'
# PUT the body to the appliance (same ${Oneview} variable as the GET above)
curl --insecure --silent --header "X-API-Version: ${currentVersion}" --header "auth: ${sessionID}" --header "Content-Type: application/json" --request PUT --data "${DATA}" "${Oneview}${LDOM}" | jq -r '.'

and got back:

{
  "errorCode": "AUTHN_LOGINDOMAIN_SELF_DELETE_EDIT_NOT_ALLOWED",
  "message": "Cannot delete or edit the directory settings of the current user.",
  "details": "A user belonging to a directory cannot delete or edit it.",
  "messageParameters": [],
  "recommendedActions": [
    "Login as a user of different directory and retry."
  ],
  "errorSource": "loginDomain",
  "nestedErros": [],
  "data": {}
}

So, I changed my login domain to the local domain and tried again.  This time I got:

{
  "errorCode": "AUTHN_EMPTY_LOGINDOMAIN_NAME",
  "message": "Directory service name cannot be empty.",
  "details": "Directory service name cannot be empty.",
  "messageParameters": [],
  "recommendedActions": [
    "Specify a unique directory service name."
  ],
  "errorSource": "directoryName",
  "nestedErrors": [],
  "data": {}
}

I'm assuming I need more in the JSON supplied?  Just trying to determine what is missing.

bradawk1
Trusted Contributor

Re: Changing Domain Controllers

Does anyone know how to determine the directoryName or directory service name?  I'm not finding that reference in the logindomains output.  So, not really sure what it is asking for?

bradawk1
Trusted Contributor

Re: Changing Domain Controllers

I got a little further.  I have at this point:

# Current domain controllers, taken from the AD LDAP SRV records (field 8 of each answer is the target host)
DCs=$(/usr/bin/dig SRV _ldap._tcp.my.org +noall +answer | awk '{ print $8 }' | sed -e '/^$/d' | grep -v 'noall' | sort -t \- -k 2,2 -k 1,1)
# Compare every directory server configured in OneView against that list
for SERVER in $(curl --insecure --silent --header "X-API-Version: ${currentVersion}" --header "auth: ${sessionID}" --request GET "${Oneview}/rest/logindomains" | jq -r '.members[] | .directoryServers[] | .directoryServerIpAddress'); do
   if [[ $(echo ${DCs} | grep -c "${SERVER}") -gt 0 ]]; then
      echo "This is a good domain controller, ${SERVER}."
   else
      echo "This is no longer a good domain controller, ${SERVER}."
   fi
done
#
# Resource uri to update, plus the directory service name and auth protocol the appliance requires in the body
LDOM=$(curl --insecure --silent --header "X-API-Version: ${currentVersion}" --header "auth: ${sessionID}" --request GET "${Oneview}/rest/logindomains" | jq -r '.members[] | .directoryServers[] | .uri' | head -1)
DSN=$(curl --insecure --silent --header "X-API-Version: ${currentVersion}" --header "auth: ${sessionID}" --request GET "${Oneview}/rest/logindomains" | jq -r '.members[] | .name')
DTYPE=$(curl --insecure --silent --header "X-API-Version: ${currentVersion}" --header "auth: ${sessionID}" --request GET "${Oneview}/rest/logindomains" | jq -r '.members[] | .authProtocol')
#
# Get two or three domain controllers from the list:
echo ${DCs} | tr ' ' '\n'
DC1="<domain controller 1>"
DC2="<domain controller 2>"
DC3="<domain controller 3>"
# Full login domain body: name, authProtocol and the replacement directoryServers collection
DATA='{"name": "'${DSN}'","authProtocol": "'${DTYPE}'","directoryServers": [{"uri":"'${LDOM}'","directoryServerIpAddress":"'${DC1}'","directoryServerSSLPortNumber":"636"},{"uri":"'${LDOM}'","directoryServerIpAddress":"'${DC2}'","directoryServerSSLPortNumber":"636"},{"uri":"'${LDOM}'","directoryServerIpAddress":"'${DC3}'","directoryServerSSLPortNumber":"636"}]}'
# PUT the body to the appliance (same ${Oneview} variable as the GET above)
curl --insecure --silent --header "X-API-Version: ${currentVersion}" --header "auth: ${sessionID}" --header "Content-Type: application/json" --request PUT --data "${DATA}" "${Oneview}${LDOM}" | jq -r '.'

but this time I got:

{
  "errorCode": "UNEXPECTED_EXCEPTION",
  "message": "An unexpected error occurred.",
  "details": "An unexpected and unhandled runtime exception occured.",
  "messageParameters": [],
  "recommendedActions": [
    "Please contact your authorized support representative and provide them with a support dump."
  ],
  "errorSource": null,
  "nestedErrors": [],
  "data": {}
}
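An added example, not the poster's script or HPE code, covering both the stale-controller check from the first post and the PUT body from the later ones: it parses the `dig SRV` output the same way the awk pipeline does, flags configured servers that the SRV records no longer advertise, and builds the body with the json module so the quoting is right. The field names are the ones seen in this thread; the dig output and GET member are constructed samples, and the exact body schema OneView accepts is an assumption.

```python
# Added example, not the poster's script: check OneView directory servers against the
# AD SRV records and build the PUT body with json.dumps instead of hand-quoted strings.
# Field names are those seen in this thread; the dig output and GET member below are
# constructed samples, and the exact PUT schema OneView expects is an assumption.
import json

DIG_OUTPUT = """\
_ldap._tcp.my.org.  600 IN SRV 0 100 389 dc-new-01.my.org.
_ldap._tcp.my.org.  600 IN SRV 0 100 389 dc-new-02.my.org.
"""

LOGIN_DOMAIN = {  # constructed: one member of GET /rest/logindomains
    "name": "my.org", "authProtocol": "AD", "uri": "/rest/logindomains/2",
    "directoryServers": [
        {"directoryServerIpAddress": "dc-old-01.my.org", "directoryServerSSLPortNumber": "636"},
        {"directoryServerIpAddress": "dc-new-01.my.org", "directoryServerSSLPortNumber": "636"},
    ],
}

def parse_dig_srv(output):
    """SRV target hostnames: field 8 of each answer line, trailing dot stripped."""
    targets = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 8 and fields[3] == "SRV":
            targets.append(fields[7].rstrip("."))
    return sorted(targets)

def classify_servers(domain, dcs):
    """Split configured servers into (still advertised, stale) by SRV membership."""
    configured = [s["directoryServerIpAddress"] for s in domain["directoryServers"]]
    return [s for s in configured if s in dcs], [s for s in configured if s not in dcs]

def build_update(domain, new_servers, ssl_port="636"):
    """PUT body: keep name/authProtocol (the appliance rejected a body without them)
    and replace the directoryServers collection; json.dumps handles the quoting."""
    body = {
        "name": domain["name"],
        "authProtocol": domain["authProtocol"],
        "directoryServers": [
            {"directoryServerIpAddress": h, "directoryServerSSLPortNumber": ssl_port}
            for h in new_servers
        ],
    }
    return json.dumps(body)

if __name__ == "__main__":
    dcs = parse_dig_srv(DIG_OUTPUT)
    print("stale:", classify_servers(LOGIN_DOMAIN, dcs)[1])
    print("PUT", LOGIN_DOMAIN["uri"], build_update(LOGIN_DOMAIN, dcs))
```

Send the returned string with `--data` and a `Content-Type: application/json` header; the PUT target is the login domain's own uri, which is what the thread's LDOM variable stands in for.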