----------------------------------------------------------------------
NOV-NDS2.DOC -- 19960522 -- Email thread on NetWare Directory Services
----------------------------------------------------------------------

Feel free to add or edit this document and then email it back to
faq@jelyon.com

Date: Sun, 14 Jan 1996 18:34:08 GMT
From: Teo Kirkinen
Subject: Re: ReInstalling Nw4-Server

>After a drive-crash we now have to re-install our server for the students.
>We have most of the files on tape (ArcServe 5) including NDS. But we
>also have a couple of servers that hold the NDS.

Don't re-install the server in the NDS until you are absolutely sure
about the least bad way of doing it! You will be really sorry if you
do it in the wrong way.

Here is a reference for a technical document about backing up and
restoring the NDS. It also discusses crash-recovering procedures:

http://netwire.novell.com/home/server/techlit/techlit.htm

------------------------------

Date: Mon, 15 Jan 1996 19:21:42 -0500
From: Debbie Becker
Subject: Re: 4.1 backup and TSANDS.NLM

>My PowerSave backup software requires that TSANDS.NLM loads
>to backup the NDS...I get the following...Login to NDS TSA denied
>(invalid username or password)...
>I am logged in as ADMIN at the root...

The ADMIN user is created under the first Organization container.
Unless you moved it, you should be logging in as .CN=ADMIN.O=ORGNAME

Try using distinguished naming (period in front, all info spelled out)
as some programs won't recognize the name otherwise -- SBACKUP won't,
for example...

------------------------------

Date: Tue, 16 Jan 1996 13:59:37 GMT+0001
From: "Szekeres Bela, Jr."
Subject: Re: monitor password (reply)

>I understand that Novell is needed if the last supervisory account
>or its password is lost.
>Maybe I should try every bindery-based
>password-setting NLM before that on the Master-replica of the
>[root]-partition ;-)

You can set the bindery context to the container which contains the
Admin and use the SETPASS.NLM.

------------------------------

Date: Wed, 17 Jan 1996 08:21:24 +0100
From: Henno Keers
Subject: Re: getting Bindery mode without typing LOGIN {username} /B

> How can you change the NET.CFG to login in BINDERY MODE on a 4.1 server
> using VLMs.I can only access BINDERY MODE by typing "LOGIN {username} /B

In file net.cfg:

NetWare DOS Requester
     NetWare Protocol = BIND

------------------------------

Date: Fri, 19 Jan 1996 23:30:25 -0500
From: Debbie Becker
Subject: Re: DsRepair Switches -M and -MR

>What do -M and -MR switches on dsrepair do?
>For which version of dsrepair are they applicable?

Noticed a mention of these for DS Error -637 (Previous_Move_in_Progress).
The -M and -MR switches appear to be effective with DSREPAIR versions
used by NetWare 4.1 (prior to that, you used the -A parameters).

Once an object has been moved from one context in the Directory to
another, the Directory will not allow that object to be moved again
until all replicas of that object have been updated. The length of
time for a move to complete will vary—depending on the size of the
replica, the number of replicas, and condition of the communication
links between all the servers holding the replicas. This error can be
caused by a moved object which lost the original object (the primary
obituary) or by a broken partition.

You need to leave the object in its current context until it can be
moved again. This may require that the object be left in its new
context for several minutes. If the object still cannot be moved, load
the 4.1 DSREPAIR with -m (LOAD DSREPAIR -M) and then run Repair Local
Database (For 4.0x DSREPAIR, type LOAD DSREPAIR -A, Select Options,
toggle A until it reads "Find obituaries for move and move-inhibit").
View the DSREPAIR.LOG file which will display objects which have move
obituaries. Verify that the problem objects and all their attributes
have successfully moved to the new location (by running NWAdmin or
Netadmin and viewing the objects). If so, load the 4.1 DSREPAIR with
-MR (load the 4.0x DSREPAIR with -A, Select Options, then toggle A
until it reads "Purge obituaries for move and move-inhibit") which
will then delete the move obituaries for those problem objects. Use
SET DSTRACE=+J and SET DSTRACE=*F to verify that the purger ran
successfully.

------------------------------

Date: Sun, 21 Jan 1996 03:01:28 -0800
From: rgrein@halcyon.com (Randy Grein)
To: netw4-l@bgu.edu
Subject: Re: NDS VOL Space Restrictions

>I have the following questions regarding the setting of Volume space
>restrictions in Netware 4.1:
>
>1. Is there a command line utility that can be used to set all users
>within a specific context to a certain space restriction for a volume?
>(like there used to be for Netware 3.x)

None that I'm aware of. Of course, it wouldn't be hard for someone to
make one, and if everything is in the same container the bindery one
should work.

>2. Is it possible to setup VOL space restrictions in the USER
>TEMPLATE so they can be assigned when users are created?

Apparently not.

>3. Can users other than ADMIN be given the 'right' to change VOL
>space restrictions for certain users/volumes without having to be
>ADMIN equivalents? (i.e. what properties need to be given to the user
>or granted at the VOL level to allow a sub-manager to do this for
>users within his/her context?

Sure can, the question is finding the appropriate right to grant. Last
time I looked up something like this, someone wanted to be able to
grant just the right to change passwords, and it took 2 hours to find
and test.

>I haven't been able to make this task easy yet like it used to be in
>Netware 3.x.

Be patient, Bill. Things will get better.
------------------------------

Date: Mon, 22 Jan 1996 15:26:39 +0000
From: Richard Letts
Subject: Re: Experiences from Novell's ESC?

>This question is mainly for European readers of this list: have
>you had good or bad experiences from Novell's European Support
>Center (ESC)?
>
>We have waited for five weeks for a solution for our NDS-tree's
>"hole". Our network with 20 Netware 4.1 servers run fine but
>we cannot add new servers or partitions to our [root]-partition.
>
>In Finland we cannot get any support directly from Novell but
>have to consult an independent Netware Support Center who
>relays our problems to ESC. But still five weeks is quite a
>long time, especially when I have known from the beginning
>that somebody from Novell will have to dial into our network
>and fix the problem.

Here at the University of Salford, we have a group (SUNS) who operate
as a reseller in Novell's chain of support for the UK Higher Education
Community. (At least those sites who obtain their NetWare through
SUNS). This is relevant in case other sites get different support from
SUNS than we do...

We have had two problems with our NDS, both of which required Novell to
dial in and fix. Novell have a dedicated team for this task. In both
cases it took about a week to get the problem escalated up to them.

- firstly they ask if you have all of the patches loaded
  (NO: load all the patches and see if that fixes the problems)
- then they ask you to apply a set of engineering patches
  (May fix the problem)
- then they send you a huge questionnaire
  (spend a day completing it)
- then they ask you to setup a pc/Anywhere dial-in PC that they can
  login as admin on
- then they dial-in and hack your NDS.

The first time they dialled in, it took them almost a week to fix the
problem, as the tree was shot to pieces (almost). This was exacerbated
by us fiddling trying to fix the problem.
(If dsrepair doesn't fix the problem in unattended mode then it's
probably best to call Novell in)

The second dial-in only took them two days to do, as it was only
affecting one fileserver.

------------------------------

Date: Mon, 22 Jan 1996 15:01:11 -0500
From: Debbie Becker
Subject: DSDOC.EXE

Just in case you don't have access to CompuServe -- The NetWare 4.1
Directory Services document (Envoy format) can be found at:

ftp.novell.com/pub/updates/nwos/nw410/dsdoc1.exe

------------------------------

Date: Tue, 23 Jan 1996 12:03:01 -0500
From: Debbie Becker
Subject: Re: Can't set bindery context

>This Sunday I reinstalled an HD for the SYS: volume.
>After the installation I could not set the bindery context.
>This is on a 4.02 server. I have one other 4.02, two 4.01
>servers and one 3.11 server....

Let's look at the errors first:

-631 is Illegal_Replica_Type -- In order to set bindery context, you
have to have a Read/Write or Master replica of the partition
containing the bindery context container present on the server. This
error is common when the replica isn't present.

-654 is Partition_Busy -- If you've started some sort of partitioning
operation (merge, for example) and tell it to merge again, you'll get
this message. Means your partition is in a state of flux at present.
If you don't remember starting partitioning operations, I've heard it
suggested that you run PTEST (on 4.0x servers) to stop the operation.
(On 4.1 servers you can tell it to cancel operations in DSREPAIR).

It's possible that you're having problems because you didn't make sure
that Directory Services was aware that you were removing a server. In
future, to play it safe, I'd:

   Remove replicas from the server to be downed.
   Remove server from the Directory tree (use Partition Manager).
   Remove server from the replica ring on the other servers.
   Uninstall Directory Services on the server to be downed.
   Down the server.
   Take a coffee break.
   Bring the server up.
   Reinstall Directory Services.
   Take a coffee break.
   Replace replicas on the server.

Missing some of these steps can cause you problems sometimes!

Probably wouldn't *hurt* to upgrade to the same version of 4.0x, but I
don't know that this has hurt you. (You have more replication issues
with a mixed 4.1/4.0x environment).

------------------------------

Date: Tue, 23 Jan 96 14:18:27 -0500
From: Billy Smith
Subject: Novell FAQ Addition

I heard from Novell recently that in a Netware 4.1 environment if
Directory Services are constantly locked and you need to remove them
then use the following switch with INSTALL.NLM.

LOAD INSTALL -DSREMOVE

Run through the routine to remove DS (*3 Times*) and presto DS is gone.

------------------------------

Date: Wed, 24 Jan 1996 23:07:20 GMT
From: Kevin Kinnell
Subject: Re: Multiple servers, Logins

>>I have two servers, each governed by the same nds structure.
>>Is it necessary to have a user to be logged into each of these
>>servers to access their resources...
>
>One of the advantages of NetWare 4 is the ability to use a single login.
>Once you're logged in, you can MAP to directories and CAPTURE to queues
>on other servers. Just be sure to setup the file system access rights and
>make the user a queue user so that it will work!

The servers have to be in the same tree, of course...if you have
separate but identical trees it won't work at all. You'll want to make
sure you set the preferred tree in NET.CFG, and that NDS comes before
BIND on the protocol line. (Bitter experience.)

If you are having people log into the *servers* instead of the tree,
make sure that you have read/write replicas of the partitions they log
into on both servers (a master replica counts as a read/write.) But
much better to just log in to the tree.
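
The replica rules stated in the two messages above (a server needs a Read/Write or Master replica of the partition holding each bindery context container, and a Master counts as Read/Write) can be checked against a replica table before any change is made. The following is an added example, not code from any poster or from Novell; the server names, partition names and the table layout are constructed for illustration.

```python
"""Replica-ring sanity check for the rules quoted in this digest.

All sample data below is constructed; nothing here talks to a server.
"""
from collections import defaultdict
from dataclasses import dataclass

WRITABLE = {"Master", "Read/Write"}  # a Master counts as Read/Write


@dataclass(frozen=True)
class Replica:
    partition: str  # name of the partition root, e.g. "OU=SALES.O=ACME"
    server: str
    rtype: str      # "Master", "Read/Write", "Read-Only" or "Subordinate"


def partition_of(context, roots):
    """Return the partition root holding `context` (nearest enclosing root)."""
    parts = context.lstrip(".").split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in roots:
            return candidate
    return "[Root]"


def check_ring(replicas, bindery_contexts, down=frozenset()):
    """Return findings as (kind, subject, detail) tuples.

    bindery_contexts maps server -> "ctx1;ctx2;..." as given to SET BINDERY
    CONTEXT. `down` is the set of servers currently unavailable.
    """
    findings = []
    by_partition = defaultdict(list)
    for replica in replicas:
        by_partition[replica.partition].append(replica)

    for partition, ring in sorted(by_partition.items()):
        masters = [r.server for r in ring if r.rtype == "Master"]
        if len(masters) != 1:
            findings.append(("master-count", partition, str(len(masters))))
        for server in masters:
            if server in down:
                # Candidates for "Designate this server as the new master".
                spares = sorted(r.server for r in ring
                                if r.rtype == "Read/Write" and r.server not in down)
                findings.append(("master-down", partition,
                                 "promote one of: " + ", ".join(spares)))

    roots = set(by_partition)
    for server, contexts in sorted(bindery_contexts.items()):
        for context in contexts.split(";"):
            partition = partition_of(context, roots)
            held = {r.rtype for r in replicas
                    if r.server == server and r.partition == partition}
            if not held & WRITABLE:
                # The condition the digest associates with error -631.
                findings.append(("bindery-context", server, context))
    return findings


# Constructed sample: FS1 held the [Root] Master and has crashed.
RING = [
    Replica("[Root]", "FS1", "Master"),
    Replica("[Root]", "FS2", "Read/Write"),
    Replica("[Root]", "FS3", "Read/Write"),
    Replica("OU=SALES.O=ACME", "FS2", "Master"),
    Replica("OU=SALES.O=ACME", "FS3", "Read-Only"),
]
BINDERY = {"FS3": "OU=USERS.O=ACME;OU=SALES.O=ACME"}
DOWN = frozenset({"FS1"})

if __name__ == "__main__":
    for finding in check_ring(RING, BINDERY, DOWN):
        print(finding)
```
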
------------------------------

Date: Wed, 24 Jan 1996 21:49:12 GMT
From: Guenther Merkens
Subject: Re: NDS master replica down

>I have a problem:
>
>I have three Netware 4.1 servers, one of them has the master replica of
>the NDS and the other two have Read/Write replica.
>
>The server with the master replica goes down (i.e. sys-volume crashes)
>- I have ARCserve 5.01g running on other server (with R/W replica) and I
>want to restore the server from backup.
>- I start to install new Netware 4.1 server with same name and internal IPX
>number and when it comes to the NDS I'm offered to connect to existing tree.
>That will fail because there is NO MASTER REPLICA available.
>- I have to have NDS up and running because ARCserve asks for a username and
>password when I want to restore.
>- If I try to change one of the R/W-replica servers to master replica (with
>the partition manager of NWADMIN (v4.10.2)) it fails because master replica
>server is not available and I get the following ERROR MESSAGE:
>
> UNEXPECTED DIRECTORY SERVICES ERROR
> RETURN CODE: 80687:-699
>
>How can I restore the server with the master replica????

What you have to do to get a consistent NDS again is change the
replica-type on one of the other servers with R/W replica to a master
replica, before you can install the server in the tree again. Because
this is not possible with PARTMGR or NWADMIN, you have to start
DSREPAIR on the server. Make sure you're using the latest DS.NLM
(4.89a) and DSREPAIR on both remaining servers and backup all
information on the remaining servers (NDS/Data).

In DSREPAIR choose "Advanced options menu/Replica and partition
operations", then select one of the R/W partitions and press Return.
In the following menu select "Designate this server as the new master
replica" and press Return again. From now on you have a master-replica
again.
Now you have to remove the information in the NDS about the Replica of
the server that no longer exists: Select the Partition in the
"Replica and partition operations", press Return and then select "View
replica ring", then select the non-existing server and choose "Remove
this server from the replica ring".

Normally the other remaining server must have the same information
about the Partitions and replicas now. "Report synchronization status"
should, after some time, show no more errors (if not, better get
somebody who did some experiments before installing NetWare 4.1).

Now you can install the Server back into the tree again without having
to restore any NDS-info with Arcserve. Use the Tape just to get back
software and data on the crashed volumes.

This is not totally accurate because I don't know very much about your
environment and if you depend on the servers working, get somebody
with more experience, even if it costs some $.

------------------------------

Date: Thu, 25 Jan 1996 18:32:00 MET
From: "Arthur B."
Subject: Re: DS Merge

>When attempting to merge the trees of two NW4.1 servers I get an error
>which states that the schemas are different in the two trees...

There are only [four] things to really worry about when doing a
DSMERGE:

1. DSRepair shows no real errors on both servers
2. At the level of merge all the O=xxx are unique
3. Time is synchronised
4. Not many users logged in and/or heavy workload

When I did my DSMerge I got a whole bunch of 'errormessages' (which go
off the screen instantly). The only one I was interested in was the
one about time synchronisation. When that was over I did the merge and
was left with a subordinate replica on one of the servers. That was
fixed by using the partition manager. End of problem for me.

However, since every NDS-tree is unique I shouldn't just go based upon
the vision of one man. Ask around and make sure you know what you're
doing before doing it.
That's probably the best advice to give ;)

------------------------------

Date: Fri, 26 Jan 1996 02:34:55 -0500
From: Debbie Becker
Subject: Re: Corrup DS Tree - Please help

>My DS Tree corrupted and the Admin account was somehow changed...
>Last week someone mentioned a utility to restore the admin account.
>Would you please list it again.

I'm aware of MAKESU which is on Novell's NETWIRE/NOVUSERS. Creates a
new user object with Supervisor right to the [Root].

------------------------------

Date: Fri, 26 Jan 1996 10:17:36 -0500
From: Debbie Becker
Subject: Re: Problem with /b

>I have a Netware 4.1 50 user network. Now they want Pegasus
>and they have to connect with /b. I can't connect any user with
>bindery mode.

Your bindery context looks like it should take care of everything from
that standpoint
(OU=USERS.O=RSRS;OU=GROUPS.O=RSRS;OU=PROGRAMS.O=RSRS;OU=FORMS.O=RSRS)

I've found inconsistent results using /B. I can always get in, it just
takes me more than one try sometimes. Things I've found:

Be sure to use the common name (i.e., DBECKER, not
.DBECKER.CORP.INTERMEDIA) ... in bindery mode the system doesn't
recognize all those long names...just sees the short username.

If I've logged in from a workstation as DBECKER (in .CORP.INTERMEDIA)
and then logout and try to login as JPLESA (in .SALES.INTERMEDIA),
I've found that I sometimes get an error message. Try it again and it
works....who knows why!!

------------------------------

Date: Fri, 26 Jan 1996 03:56:11 -0500
From: Debbie Becker
Subject: Re: NDS master replica down

>I have three Netware 4.1 servers, one of them has the master replica
>of the NDS and the other two have Read/Write replica.
>
>The server with the master replica goes down..
>How can I restore the server with the master replica?

I agree with Guenther's comments on how to handle the situation now.
In future, if you should have a SYS: volume containing a Master
replica crash, the following may help you avoid problems:

- Change a Read/Write replica to the Master
- On another server, delete the server from the Directory (use
  Partition Manager)
- Delete the server's volume objects from the Directory
- Remove the downed server from the replica ring on other servers, if
  necessary (most of the time this will happen automatically when you
  delete it from the Directory, but sometimes it hangs in and causes
  errors)
- Once you've replaced the hard drive, install NetWare the same way as
  you did before (including NDS install).
- Add server to the replica ring by replacing a replica.
- Let things settle down and change the replica to a Master.

---------

Date: Fri, 26 Jan 1996 09:35:05 -0600
From: Joe Doupnik
Subject: Re: NDS master replica down

>>I have three Netware 4.1 servers, one of them has the master replica of
>>the NDS and the other two have Read/Write replica.
>>
>>The server with the master replica goes down..
>
>>How can I restore the server with the master replica?
>
>I agree with Guenther's comments on how to handle the situation now. In
>Debbie Becker
---------
Debbie,

As usual, your NDS advice is good stuff. Since "server down"
situations are common I wonder if anyone in Provo or elsewhere has
thought of the obvious: servers hold what they represent to the net
and when they go down those representations should go with them, in
toto. The problem we have now is the replicated pieces of the NDS
structure are actually convenient copies of the true material, caches,
yet they do not vanish with the true version when the true version
vanishes. Worse, they will be mistaken for the real thing. I see this
as a major design mistake in NDS. Yes, synchronizing (revalidating)
when a server starts up again is sticky business.

We know that when a server enters the NDS tree it exchanges opaque
numbers with neighbors to represent a successful validation.
It can forget those numbers after a rebuild but its neighbors don't,
and thus it reappears on the net as an imposter. To me that seems like
a half baked security algorithm. After a rebuild the server should
perform the same operations as originally to reenter the tree, its old
self was gone completely (replica/cache is invalid, purge entries),
and imposters could not exist. It's that "replica masquerading as the
real thing" stuff again.

I'm not trying to start a debate here. Rather, I'm trying to indicate
some very common sense deductions about NDS.
        Joe D.

------------------------------

Date: Fri, 26 Jan 1996 04:59:32 -0500
From: Debbie Becker
Subject: Re: DS Merge

>When attempting to merge the trees of two NW4.1 servers
>I get an error which states that the schemas are different in
>the two trees... ...Is there a means by which the schema can be
>edited to secure a match between two trees...

You can update the schema using the DSREPAIR utility.

   Load DSREPAIR
   Choose "Advanced Options"
   Choose "Global Schema Update"
   Login as your ADMIN object (i.e., .ADMIN.ORGNAME)

You'll have a choice of Updating all Servers, Updating the Master
Server Only or Import Remote Schema

------------------------------

Date: Sat, 27 Jan 1996 14:47:25 -0600
From: Joe Doupnik
Subject: Re: DS Repair Experience

>My DS Tree is corrupt and I plan to run DS Repair on it. My concern
>is that the DS Repair could cause more problems because of the
>corruption. I have two 4.01 servers and three 4.02 servers. The
>master replica is on a 4.02 server.
>
>My plan is to down the other servers and run the dsrepair on the
>master. If all goes well, restart the other servers and watch the
>dstrace for a while.
>
>Has anyone lost the tree completely because of DS Repair?

Ok. Here is some advice, and Debbie will undoubtedly add some good
stuff when she sees your message. Mine is simple.
Go to updates\nwos\nw401 and \nw402 and get the NDS hints and kinks
files which try to talk you through dsrepair and related activities.
Best to stay relaxed and calm because your brain will be washed and
scrubbed by this material. But it has lots of useful information found
almost nowhere else.

Before "adjusting" the tree please make disaster recovery class tape
backups of everything, and ensure they are valid. While NW 4 is pretty
resistant to losing user files it is extremely fragile about NDS
material. Thus you may find yourself in the position of removing NDS
and reinstalling it (load Install option), and in so doing one does
not want to lose the whole server by mistakes.

Then, it helps to have an impression about just what's "wrong" with
the tree so you aim in the right direction.

My own choice is to have all servers running and then apply dsrepair
while I can watch. If servers are off line during the process they
can't synchronize with the rest, and that merely creates further
problems when they return to life.

Slow, keep your wits about you and fingers crossed, do as little as
possible to NDS, are my survival rules in this area. In the end you may
have to call Novell for their intervention.
        Joe D.

---------

Date: Sun, 28 Jan 1996 14:19:42 -0500
From: Debbie Becker
Subject: Re: DS Repair Experience

>>My DS Tree is corrupt and I plan to run DS Repair on it. My concern
>>Has anyone lost the tree completely because of DS Repair?
>
>Ok. Here is some advice, and Debbie will undoubtedly add some
> Joe D.

I'd first ask, how do you know that NDS is corrupted? Error messages
or inconsistent behavior (you assign rights, they disappear; objects
become unknown; users are asked for passwords when none are required
-- but you *do* require them, don't you?!?)

If it's just inconsistent behavior, I wouldn't worry overly much.
Remember that NDS is a "loosely consistent" database, which means that
it's in a state of flux a good bit of the time.
Often just waiting for a while will allow things to "settle down" and
everything will be okay. *Don't_be_in_a_hurry*!! The worst messes I've
seen were by people who kept trying to "fix" one thing after another
without taking the time to allow for complete synchronization.

If not, check the following:

* Make sure you have the latest versions of Directory Services and
  DSREPAIR (for each of your OS versions)

* Use DSTRACE to identify problems. At the console, type:

     SET DSTRACE = ON     (Turns on DS screen)
     SET TTF = ON         (Ports Trace to log file)
     SET DSTRACE = *R     (Resets Trace log file to 0 bytes)
     SET DSTRACE = *H     (Forces immediate synchronization)

* Toggle to the DS Screen and watch to see what's happening. After you
  think it's been through at least one full synchronization cycle,
  type:

     SET DSTRACE = OFF    (Closes log file and DS screen)

* Check out the error messages. They will fall into the following
  categories: Communication errors, Synchronization errors, Control
  errors. For explicit info on these messages, get that DSDOC file,
  print it out (all 300 pages) and keep it! Most of the messages are
  pretty clear and have instructions on what to do to clear up the
  problem.

* Make repairs to a Master replica and then to Read/Write replicas.
  Concentrate first on Communications, then Synchronization, then
  Control (in cases with multiple errors).

* Leave your servers up! You're only going to complicate things if you
  down them.

* Take lots of coffee breaks! If you deal with one error, give the
  system plenty of time to synch/settle before proceeding to the next.

In practice, I often just go ahead and run DSREPAIR *once* if I'm
having inconsistent behavior and haven't seen any error messages in
DSTRACE. There are very few conditions in which Novell warns you to
only run DSREPAIR only one time (for fear of damaging the hidden
backed up data that Novell can restore to you).
You also might consider the update to 4.1 which, in my experience, has
been much more robust than 4.01/4.02 (both of which I've had loaded
here at home). I've had to work really hard to cause big problems in
4.1!

------------------------------

Date: Sun, 28 Jan 1996 14:19:06 -0500
From: Debbie Becker
Subject: Re: Server Down Comments

Joe D. wrote:
>Debbie,
>As usual, your NDS advice is good stuff.

Thanks! I feel the same way about your hardware/OS advice -- wish I
was half as competent in that arena!

>Since "server down" situations are common I wonder if anyone in
>Provo or elsewhere has thought of the obvious: servers hold
>what they represent to the net and when they go down those
>representations should go with them, in toto. The problem we
>have now is the replicated pieces of the NDS structure are
>actually convenient copies of the true material, caches, yet
>they do not vanish with the true version when the true version
>vanishes. Worse, they will be mistaken for the real thing.
>I see this as a major design mistake in NDS. Yes, synchronizing
>(revalidating) when a server starts up again is a sticky business.

I'm not sure that I'd want all the R/W copies of a replica to
disappear when the Master replica goes -- that would wipe access to
that part of the tree. Nor do I want the Master to disappear if
someone blows away a R/W (not, heaven knows, that this could *ever*
happen out there in the real world!)

>We know that when a server enters the NDS tree it exchanges
>opaque numbers with neighbors to represent a successful
>validation. It can forget those numbers after a rebuild but its
>neighbors don't and thus it reappears on the net as an imposter.
>To me that seems like half baked security algorithm. After
>a rebuild the server should perform the same operations as
>originally to reenter the tree, its old self was gone completely
>(replica/cache is invalid, purge entries) and imposters could not exist.
I do agree that there's a real mess when a server with the Master
replica goes down (unless folks know the zillion and one steps to take
to clear the server out of the tree). There should certainly be an
easier way to do so...i.e., if a Master replica goes away for a certain
period of time a R/W replica is changed to the Master and references
to the server are removed from the replica ring...when the server
comes back online it can be replaced on the replica ring and given a
replica without the messiness involved currently.

Perhaps "Green River" (aka 4.11) will address some of these
issues...we can but hope!

------------------------------

Date: Mon, 29 Jan 1996 05:53:44 GMT
From: Michael Farace
Subject: Re: Problem with [LOGIN]/b

Try changing your Set Bindery context to list the context where the
server exists first. Also, if you have multiple 4.1 servers, you MUST
have a R/W or Master Replica on the server you want to log in to via
bindery mode.

------------------------------

Date: Mon, 29 Jan 1996 10:33:00 -0500
From: Debbie Becker
Subject: Re: NDS HELP

>I have just set up a new 4.1 server and am trying to learn NDS.
>
>I am reading the help files, books and everything else possible.
>There are two other individuals in our county with 4.1 experience but
>we are all at about the same beginning point. (1 is the dealer.)
>
>We all have extensive prior knowledge of Netware and feel secure
>about everything but NDS.
>
>Q1. Any recommendations for books that might help.-Realize part of
>the problem is the concept.
>
>Q2. What procedure do you use to set up trustee rights. I cannot
>seem to figure this out from 3.12 >4.1 (it cannot be that hard)

New Riders Press has some good books. I've got "NetWare Professional
Reference" by Karanjit Siyan, "NDS Troubleshooting" by Peter Kuo and
Jim Henderson and "Inside NetWare 4.1" by Doug Bierer. Also was
pleasantly surprised by Novell's book "QuickPath to NetWare 4.1
Networks".
Additionally, download that DSDOC Envoy document and print it out --
really terrific and up-to-date info in here.

What trustee rights were you concerned with, file system or NDS? If
file system, you can use NWAdmin and assign by either Directory/file
or by NDS object (User/Group/Organizational Role/Organizational
Unit/Organization).

To assign by Directory, double-click on the volume object. This drops
down the little green folders that represent your directories.
Double-clicking on the directories "opens" them, showing you
subdirectories and files. Highlight the directory or file you want to
assign rights to and use the "Object, Details" option. Pick the
"Trustees of this Directory/File" button on the right. Use the "Add"
button to add a trustee (you'll have to search through the tree using
the browse button). Assign rights (below) and click "Ok" to save them.
Remember that you can assign rights to lots of NDS objects and think
of container objects (Organizations, Organizational Units) as big
groups when doing this -- if everyone in the Organization needs to use
the word processing program, make the Organization the trustee of that
directory -- easier to track and faster than using smaller groupings.

To assign by NDS object (User in this example), highlight the User
object and pick "Object, Details". Pick the "Rights to Files and
Directories" button on the right. You can "Find" what assignments have
been made for the User previously using the "Find" button and
determining how large a search you want (i.e., all subcontexts from
the [Root], which would cover all volumes in the network, or a small
subset of that). You can also "Show" trustee assignments on a
particular volume by using the "Show" button and finding the volume
you're interested in. Use the "Add" button to add an assignment. Find
the volume and directory you want to assign rights to and then add
those rights and click "Ok".
Assign by directory when you want to assign rights to multiple
objects; assign by object when you have a specific assignment you need
to make.

You assign trustee rights to the root of a volume by highlighting the
volume object and using the "Object, Details" option. Pick the
"Trustees of the Root Directory" button on the right to get to the
screen to add a trustee.

This is a basic breakout, but you should be familiar already with how
to plan inheritance, etc. from your 3.x work. Do keep in mind that any
object with the Supervisor object right to a Server object (whether
it's explicitly granted, inherited, or security equivalent) will have
Supervisor right to all volumes on that server. This means don't give
Supervisor object right (or Write All Properties right) lightly -- if
I have either of those rights to a container, I will have Supervisor
file system right to all volumes on all servers in the container!

------------------------------

Date: Mon, 29 Jan 1996 14:09:13 -0500
From: DeepakBhatia
Subject: Re: Restoring Admin

Check out Makesu on NetWire in Library NovUser

This is a NetWare NLM utility to allow you to create a new DS user
that has Supervisor rights to the [Root] object. You do not have to
first authenticate into the NDS tree as Admin. This is useful when the
Admin user object is lost and you can no longer manage the tree.

Or send an email to 71333.1700@compuserve.com

Peter Kuo (above address) is the author of the utility.

------------------------------

Date: Fri, 2 Feb 1996 10:07:25 +0100
From: "David W. Hanson"
Subject: Re: 4.11 or 3.12

>We have a small network of 10 PC's still running netware 2.2. In the
>near future we intend to buy a new server and upgrade to 3.12 or 4.1.
>What are the disadvantages, if any, of using 4.1 on a small network,
>I have heard conflicting advice regarding the relative speed of 4.1
>over 3.12? Also what are the most important points to look for in a
>server to use on a small network?
>Any advice would be gratefully received.

The main disadvantage is that NDS was designed to be a distributed database replicated on multiple servers. This replication is your primary NDS backup. Unless you have multiple servers, you lose an important part of the NDS design. That said, 4.1 works fine on a small network in terms of performance.

------------------------------

Date: Sat, 3 Feb 1996 12:08:36 -0500
From: Debbie Becker
Subject: Re: NDS 1-server replicas???

>This is probably a simple question to answer, but I was wondering
>A) if it's possible to create an NDS replica with a one-server (NW4.1)
>network, and B) if so, how to do so properly...

Well you *will* have one replica -- your Master -- but that's all you can have unless you have multiple servers. (The utilities will tease you by letting you request an additional replica and going to a certain point, then telling you that you can't do that!)

Use an SMS-compliant backup to backup your NDS, or pull down some of the utilities that can be used to make NDS into a regular file (Palindrome's DSARC/DSREST, etc.). I'm in the same boat, so I know what you mean!

---------

Date: Sat, 3 Feb 1996 16:11:19 GMT
From: "Craig P. Nelsen"
Subject: Re: NDS 1-server replicas???

>This is probably a simple question to answer, but I was wondering
>A) if it's possible to create an NDS replica with a one-server (NW4.1)
>network, and B) if so, how to do so properly.
>
>The reason I'm asking is that I've had an invalid trustee once,
>and the server is still down (currently due to hardware problems, since I
>decided to upgrade the main drive, given that I have to reinstall from
>scratch anyway). I'd really rather not have to go through it again.

An idea I had to solve this problem is to set up a small netware 4.1 server using the 2 user license copy that you get with some of the add on products or from the admin class. It works good as a backup to the master partition. Not much in the way of hardware or memory is needed.
I just used a 486-66 with 16 meg and a 120 meg SCSI drive and a 16 bit net card. ------------------------------ Date: Sun, 4 Feb 1996 10:29:26 GMT From: Guenther Merkens Subject: Re: NDS 1-server replicas??? >[To have a live backup of the NDS...] set up a small netware 4.1 >server using the 2 user license copy that you get with some of the add >on products or from the admin class. It works good as a backup to the >master partition. Not much in the way of hardware or memory is needed. >I just used a 486-66 with 16 meg and a 120 meg SCSI drive and a 16 bit >net card. For storing replicas you don't need a license at all; install a server from the CDROM without license and it will let one user log in and it will take any replica you want it to take. Don't forget: SET Reply To Get Nearest Server=OFF (better: override nearest server) ------------------------------ Date: Tue, 6 Feb 1996 17:31:04 GMT From: Teo Kirkinen Subject: Re: # of user objects in a ou >We plan on having several thousand user objects in a ou container. >Is there any problem with that many objects? I wouldn't put more than 5000-6000 objects in a OU or in a partition even if there were good reasons to structure the NDS that way. 5000 is a practical limit with NW 4.1 that Novell's support center has told us. With NW 4.0x the limit was 1500 but it was because of the limitations of NWADMIN, not the NDS database itself. As we are a university with 35000 students, we tried to run two servers with 14000 users in their OU for half a year before we redesigned the NDS. During those months we experienced many interesting problems that caused several days of downtime for thousands of users. Somewhere between 5000 and 8000 user objects there is some design or implementation limitation that makes the NDS slow and unstable. If you have even a minor problem with the NDS (say a Page Fault Processor Exception) it will take several hours, maybe 1-2 days before the servers become usable again. 
So our rule is: two servers for each 5000 user objects: one small server for the master-replica and one larger server with a RW-replica and the home directories and applications.

------------------------------

Date: Fri, 9 Feb 1996 09:54:46 -0500
From: Debbie Becker
Subject: Re: NDS Partitioning

>Does anyone have any knowledge regarding when to
>partition the NDS tree? I realize that partitioning by location
>saves overhead and quickens the response time for users
>in that partition.
>
>My network consists of 55 servers all located within a mile
>of each other connected to a fiber backbone. I know by
>partitioning it saves on NDS traffic as well, but does having
>only one partition have any advantages?

Biggest advantage to having one partition is simplicity. Have read/heard recommendations of no more than 5000 objects in one partition -- utilities will handle many more than this, but trying to manage huge numbers of objects could be a little tedious.

>I'm not so concerned about performance as I am reliability and
>fault tolerance....Is there a recommended number of replicas to
>have to protect the tree in case of failure?

Recommendations are for at least three replicas of each partition. No more than eight, however, or you start adding too much NDS traffic.

>One of my biggest concerns about 4.1 is being able to restore in
>case of failure. I have read the FAQ and it sounds like it is a real
>problem to restore a partition and NDS tree. How are people
>dealing with this?

Replication is your best form of fault tolerance. Restore NDS from backup only as a *last resort*!

If a server with a replica should crash, you need to make sure that the Master of the replica is on another server (make a Read/Write partition into a Master if necessary). Remove the downed server from the Directory tree (using Partition Manager). If you get errors concerning the server, remove it from the replica ring on all other servers in that replica ring (use DSREPAIR).
Replace the drive, reinstall NetWare and Directory Services the way you did initially. Place a replica back on the server and give it time to synch. Restore the data files from backup. (Remember to restore NDS information - via the replica - *prior* to the file system restore -- this will maintain the rights information).

------------------------------

Date: Fri, 9 Feb 1996 10:43:16 -0500
From: Debbie Becker
Subject: Re: Tree Merge w/Extended Schema

>What are the required steps to ensure a proper merge of 2
>trees, where one of the trees has an extended schema?

Load DSREPAIR. Pick Advanced Options. Pick Global Schema update and login as ADMIN. You'll have a choice of updating all server schemas, updating the root server schema or importing a remote schema.

------------------------------

Date: Fri, 9 Feb 1996 10:43:21 -0500
From: Debbie Becker
Subject: Re: NDS search context command in net.cfg?

>I find that the context approach in the nds is not as flexible as I
>would like. For instance, it would be *VERY* useful if one could
>put a command in the net.cfg whereby whenever a user issues a
>network command (print, capture, etc.), netware would search for
>the object in a pre-defined series of contexts.

I'm involved in teaching this stuff and I can tell you that it's confusing enough to newcomers without adding in additional variables! I also (as a network administrator for a bunch of clients) have a *real* problem letting my users set up their own captures and mappings. (In fact, I have clients who have *removed* NetWare User from the desktops to stop this sort of thing.)

My experience has been that 99% of users just want everything to work! If they tell it to print to the laser by Susie's desk, that's where they want it to print -- the last thing they want to do is to go out and capture that themselves. (In fact, most users seem only to want to login -- and don't even like being asked to use passwords!)
The 1% who want to make their own captures and mappings will figure out where the printers/queues/volumes are without having to have it search mapped.

That said, Novell has set up some email addresses to send your wish lists to: for NDS enhancements mail to enhnds@novell.com

------------------------------

Date: Fri, 9 Feb 1996 16:37:31 CST
From: Josh Buysse
Subject: Re: MS 32bit Client login bug?

>I am finding that sometimes it uses my current (and good), Novell 4.1
>system login script. Other times (most of the time), it uses an old one
>(from where does it get it, or where has it stored it, I do not know),
>that I was experimenting with last weekend. The old script doesn't
>contain a correct pointer to the WIN95 (ie V7.00) dos directory on the
>server. So I can't run a DOS window.
>
>That is all figured out, but my question is why am I using two
>different scripts (ratio ~ 3:1)?

Is one of your servers having DS problems? The best guess that I can come up with is that a replica of your partition is only synchronized to last weekend. Try

"set dstrace=on
 set dstrace=*H"

on all of your servers. DSTrace will create another screen at the server console, and write some info to it. What you want to look for are the words "All processed=YES". If you don't see that, you have a problem... Make sure to shut off dstrace after doing this (ie, set dstrace=off).

------------------------------

Date: Sat, 10 Feb 1996 23:00:20 -0500
From: Debbie Becker
Subject: Re: NDS Question

>I hope you don't mind a one-on-one question about NDS. I'm looking
>for the actual NDS files on my server. I've heard that they are in the
>_NETWARE directory, but I can't seem to find it. I thought they were
>on the SYS volume. Any pointers on how to see these files??

No problem! Load RCONSOLE to your server. Use the ALT-ESC key combo to bring up the available options window. Do a Directory Scan on:

SYS:_NETWARE

That's the only way you'll be able to see the files -- and seeing is all you can do!
The files shown are:

PARTITIO.NDS              List of each of the partitions used within the local database.
ENTRY.NDS                 Records pertaining to bindery schema and user created objects. Object name and its location within the schema, bindery or tree are included.
VALUE.NDS                 Attribute records used by any object within the entry database.
BLOCK.NDS                 Holds data overflow from value record.
Streams Files (numbered)  Login scripts, printer control files and print job definitions. File name references record in the value database.
MLS.*                     Licensing files. If you have multiple licenses "stacked" you'll see MLS.000 for the first one, MLS.001 for the second one, etc.

------------------------------

Date: Wed, 14 Feb 1996 15:36:52 -0500
From: Paul Mujica Marchena
Subject: Re: novelli: Admin can't Login.

Try like this:

Enter your login name: .admin.OU.CX

when ou = united org.
     cx = context

or:

F:\>login .admin.OU.CX

------------------------------

Date: Fri, 23 Feb 1996 07:34:40 GMT
From: Teo Kirkinen
Subject: Re: ECB request failed.

>Server 2 is the problem. When users login they first authenticate to
>server 1 no problem, then when they authenticate to server 2 it can take
>up to 30 seconds, but eventually completes. Once logged in doing a
>map will pause for several seconds at the point where it is verifying a
>mapped drive on server 2. Logout also takes 30 seconds or so.

Those slow logins that I have seen have often been caused by NDS problems, not network problems. Have you checked DSTRACE when somebody logs in. For example

SET DSTRACE=ON
SET DSTRACE=ALL
SET DSTRACE=-DSA

and you will get a lot going on the DSTRACE screen. The message "Received 1234 RIP's from address 12345678:1 and still going" on server 1's console, where the address is server 2's IPX address, would show that authenticating the resources from server 2 is slow because the NDS is busy.
------------------------------

Date: Mon, 26 Feb 1996 09:36:09 -0500
From: DeepakBhatia
Subject: Re: Merging NDS Trees

Make sure to match the schemas on the 2 trees before merging, and you will avoid a lot of headaches.

Merging 2 Trees with Different Extended Schemas:

Step 1: First ensure that both schemas are extended (if one of the two are extended you'll need to extend the other). First from the one that does not have the extension (run from its console DSREPAIR - Advanced Options) import schema that is extended. After complete you've essentially extended the schema and updated it with any DELTAS (changes) that were present from the source you were importing from. Not to worry this will not do any adverse things to the existing schema.

Step 2: Reverse the import procedure. Go to the console of the server that originally had the extension and import the other server's schema. This now ensures that both are at the same extended level (and you know it because you just did it).

Step 3: Remove R/W Replicas from servers participating in merge. Remove any R/W replicas (even though we say have 3 for fault tolerance) on those servers that will participate in the merge. Just leave the Master partition and the partition info of the server objects that will be merging (make sense so far). This way we let DSMERGE just do that, merge and not have to worry about partitioning and additional Replica overhead (it'll also speed things up). If you miss a replica not to worry DSMERGE will still search and look for associated replica.

Step 4: Proceed with DSMerge. Now we can proceed to merge the trees using DSMERGE. If for some reason DSMERGE finds that the schemas are not at the same point it will backout.

------------------------------

Date: Mon, 26 Feb 1996 13:55:58 -0500
From: DeepakBhatia
Subject: Re: NDS Backup

>Is there a way to backup the NDS tree of any particular server to disk.

Check out dsarc and dsrest - will let you backup and restore nds on a container basis.
They are available from Palindrome's (Now Seagate) BBS or www site. www.palindrome.com

BTW - NDS Partition replicas are placed on servers - NDS do not belong to a server.

------------------------------

Date: Tue, 27 Feb 1996 11:15:47 -0600
From: Arturo Garcia-Hernandez
Subject: Re: Backing up NDS

>It sounds like if I run this NLM to backup NDS, it will lock the
>Directory Services and copy it to a backup file. How do I unlock NDS
>after I copy the backup file to tape?

DSMaint is used for servers that will be off-line for hw upgrades for a short period of time, not for backing up purposes. In fact, when you run DSMaint "Preparing Ds...", DS services are no longer available but you can re-open the NDS using DSMaint again with the option: "Restoring ...". The file //sys/system/backup.ds -created with the first option will still be there, but it won't be a reliable backup after a while.

If you want to have a good NDS backup, I would suggest you use another tool such as SBackup or Arcserve 6.0 (which would be a very nice option but much more expensive).

------------------------------

Date: Mon, 4 Mar 1996 15:06:05 -0500
From: Debbie Becker
Subject: Re: Help !

>Scenario:
>
>Joe in sales.virginia.acme travels to Utah (Connected via T1) and sits
>at a workstation and logs in wanting his applications mapped locally but
>maintain his home drive on his home server in Virginia. Joe's user
>object is in the tree once in sales.virginia.acme. There is a profile
>script in the two sales ou's only. What would be the easiest way to
>write the profile script to accomplish what Joe wants? Mind you, there
>are lots of Joes at both locations that travel back and forth quite
>often.
>
>[Root]
>  +ACME
>     |
>     +Virginia
>     |    |
>     |    +Sales
>     |
>     +Utah
>          |
>          +Sales

You can map to the users home directory just as you normally would, using the distinguished name.
One way you could do this is to use an identifier to figure out which network you were logged into in order to map to local resources. Something like:

IF "%NETWORK" = "EDC10005" THEN #CAPTURE Q=.LASER_Q.SALES.UTAH.ACME
IF "%NETWORK" = "ABC12345" THEN #CAPTURE Q=.LASER_Q.SALES.VIRGINIA.ACME

Same for the mappings to local volumes.

------------------------------

Date: Mon, 4 Mar 1996 15:06:06 -0500
From: Debbie Becker
Subject: Re: 3.12 to 4.1 login

>I am having trouble solving a problem. I have a user who has a login to a
>4.1 server. The user is sometimes at a 3.12 server location. The user
>wishes to login in from the 3.12 server to the 4.1 server. I have set
>the correct bindery context on the server and in my test the user can
>log in but -- the 4.1 server does not have a bindery login script so the
>user is getting the default login script. The problem -- the 4.1 server
>only has the nds login.exe file. How can I get a bindery login.exe to run
>so that I can create the bindery login script. The 3.12 server is not in
>my directory tree.

Why don't you have your 3.12 user attach and login to the 4.1 server using Directory Services? Then you'll be able to take advantage of the container login script.

If you can't do this for some reason, you'll have to go into NWAdmin and copy the container login script (highlight and use CTRL-C). Then open up a Windows text editor (i.e., Notepad) and paste the login script. Check to make sure that mappings, captures, etc. refer to physical volume names -- volume object names won't work with a bindery login. Save as SYS:PUBLIC\NET$LOG.DAT

------------------------------

Date: Wed, 6 Mar 1996 07:46:53 -0500
From: DeepakBhatia
Subject: Re: 2 Trees, one WAN

>I would like to transfer files from one netware 4.01 server to another
>over a WAN ( Cisco router ). Will I be able to have a workstation that
>can map 2 volumes on 2 separate servers ? The problem here is that these
>2 servers are on different directory tree.
nds login into 1st server on 1st tree
enable bindery emulation on the server on the second tree, and bindery login thereafter.

login fs1_on_tree1/.admin.context
login fs2_on_tree2/supervisor /ns
map drives
transfer files

or

enable bindery emulation on both servers

login fs1_on_tree1/supervisor /b
login fs2_on_tree2/supervisor /ns
map drives
transfer files

or

use client 32 with win95
you will be attach to multiple trees

------------------------------

Date: Mon, 11 Mar 1996 11:41:11 -6
From: "Mike Avery"
To: netw4-l@bgu.edu
Subject: Re: Using Groups in NDS

>I created a new group object called 'Win95' which has rights to the
>network directories where the Windows 95 files are installed. In
>various OU login scripts I have something like:
>
>   IF MEMBER OF "Win95" THEN
>      MAP blah blah
>      MAP blah blah
>   END
>
>However, this conditional only seems to be true (and the mappings
>assigned) when the group object is within the OU in question. If a
>user object is contained in a different OU, but is a member of the
>group Win95, the mappings are not assigned. What am I doing wrong?

You need to specify the OU that contains the group.... or

if member of ".CN=Cd-Rom_USERS.OU=CDS.OU=AUS.O=PLSR" then begin
   map root o:=auscds/groups:groups\cd-roms
   include o:cdmap.inc
endif

This will not work with shells that predate the VLM's.

------------------------------

Date: Sat, 16 Mar 1996 15:05:38 -0800
From: Randy Grein
To: "NetWare 4 list"
Subject: Re: ArcServe Question

>We currently are using Arcserve version 4.0 and have been told
>specifically that this version does not backup the NDS database
>but every time we perform a server backup the first thing it does
>appears to be doing just that. Any ideas.

Arcserve is backing up the emulated bindery. This won't do much good if you try to restore it, though. You really need to upgrade to either 6.0 or another product.
In the meantime jump up on Palindrome (Seagate software)'s web site and get DSARC; NLM and EXE programs that ONLY get the directory and save it to a file that you can then save, copy, etc.

------------------------------

Date: Mon, 18 Mar 1996 12:21:49 EST
From: Michael Yelland
Subject: ATTENTION NDS USERS

Are you having 'delaying on' messages? Here's how to find out:

- set dstrace=all
- set ttf=on
- wait an hour
- set ttf=off
- search sys:system/dstrace.dbg for 'delaying on' no quotes
- If yes, start to question the nds integrity
  If no, you may not have merged trees, or may not have ???

------------------------------

Date: Thu, 4 Apr 1996 20:49:07 +-1000
From: Phil Montgomery
Subject: Directory Schema Extensions

For anyone who administers group directories and/or a shared mail (e.g. cc:Mail or Microsoft Mail) directory in a NetWare 4.1 environment:-

We were sick of administering these separate to NDS, so have written an NDS Schema extension and NWADMIN snap-in, to add a GROUP_DIRECTORY and MAIL_DIRECTORY to each NDS user object. These can be managed (along with the HOME_DIRECTORY) via a NWADMIN snap-in 'Directories' page, and mapped during the login process in the same fashion as "%HOME_DIRECTORY".

The program is completely free!! It was fun to write! If you want a copy download NETORIAX.ZIP from our web site at http://www.netoria.com or ftp at ftp.netpub.com/netoria/misc/netoriax.zip.

------------------------------

Date: Tue, 23 Apr 1996 10:52:24 -0400
From: Debbie Becker
Subject: Re: {No subect) but now 4.1 rights

>I have installed netware 4.1.02 and I have setup all the directory and
>file rights to all respective groups created. I then assign each group
>its members However after I have login as any user I choose, that user
>still has full rights to the entire fileserver. When I check effective
>rights for any user, it show me that that user has all rights to the any
>volume on the server. It would appear that novell security is not
>working properly!
Sounds like you've run into the *one* situation where NDS rights flow into the file system. Check the following:

Trustees of the server object -- does anyone (or any container - remember all users are security equivalent to their containers) have the Supervisor object right, or the Supervisor *or* Write All Properties right to the server?

Trustees of the Container that the server resides in -- does anyone, any group, or any container have the Supervisor object right, or the Supervisor *or* Write All Properties right to the container? If so, those rights will flow down into the server object and give them Supervisor file system rights to all volumes on the server.

Trustees of the parent container (above the container that the server resides in) -- does anyone, any group, or any container have the Supervisor object right, or the Supervisor *or* Write All Properties right to the container? If so, those rights will flow down into the container which holds the server and then to the server object and give them Supervisor file system rights to all volumes on the server.

Continue this checking back up to [Root].

------------------------------

Date: Wed, 24 Apr 1996 09:53:00 -0500
From: Rick Zotz
Subject: Re: Server stepping on Tree

>Try using a preferred server statement in net.cfg or
>append /ps SERVER_NAME to the VLM in startnet.bat.

Well... this is Windows95, but the equivalent NDS and bindery settings in the Control Panel have been checked and rechecked. Our Windows 3.x and Mac clients don't have this problem of distinguishing between an identically-named NDS tree, NDS organizational object, and NW3.x server.

Joe D. nailed the problem on the head, however. Despite this obvious client bug, our staff should have had the sense to rename the old server when forming the NDS tree in the beginning. Thanks...

------------------------------

Date: Thu, 25 Apr 1996 06:19:00 EST
From: Greg J Priestley
Subject: Re: New server. how to copy NDS database

>I am going to move the server from an IDE based system to a SCSI based
>system. I think I took all the precautions for the transfer but I'm worried
>about how to copy or move the NDS database from one server to another?

Get the latest copy of the NDS utilities, 41NDS7.EXE, from the Novell Web site/FTP site. This comes with a utility called DSMAINT.NLM which allows you to "transfer" the NDS from one server to another and is designed to do what you are looking at.

>Can I use the utility SBACKUP to do that?? In SBACKUP there is a option
>which back-ups your NDS database for the worst case scenario. Can I use
>that without creating major problems??

Don't use this wonderful product - sorry

>Also, I get a second server to attach with the original network. Can I use
>that server for storing the NDS database?

First you have a licensing issue to resolve. Yes, the second Netware 4.1 server could hold a replica of the NDS but this should not be your only backup.

------------------------------

Date: Fri, 3 May 1996 08:01:09 -0600
From: Joe Doupnik
Subject: Re: Replica's question

>If we have this scenario:
>
>                 [Root]
>
>                    !
>                 O=myOrg
>                    !
>                    !
>     ------------------------------
>     !              !             !
>OU=dep1          OU=dep2       OU=dep3
>
>
> and Root partition includes only Root and myOrg, and we have another 3
>partitions: dep1, dep2 and dep3. We have the 4 partitions each one in one
>different server. What kind of replica's must I create in each server to
>make possible that user1 in partition dep1 can be an "admin" in partition
>dep3? Can this tree work with "full-duplex" between the 4 partitions with
>only subordinate reference replicas? Can a user in partition dep1 work in
>partition dep3 if the server in which is logged has not any replica of the
>partition dep3?
-------------
There is, I believe, some natural confusion of terms here. Partitions are merely convenient ways of storing pieces of the network-wide database.
They do not determine the topology of the tree (containers and leaf nodes). So we forget about partitions for the moment. Users can be granted rights to objects in the tree. That's what you are trying to accomplish. Grant them. But now we need to come back to partitions to judge the consequences. If rights of a user exist in two or more partitions (after all, the data needs to be stored somewhere) then there are pointers between them. Those pointers need to be synchronized when changes occur, and that increases traffic a little. More importantly, there is serious trouble if all the copies of a particular database (unfortunately termed "replicas") are offline and those pointers are referenced. The common method of avoiding these "unsatisfied references" (my terminology) is to make more copies of the database. The fastest access place is in the user's natural context. But that creates lots of network traffic to stay synchronized with the master copy. The placement of database copies (i.e., those "replicas") is part of the black art of NDS design. It all depends on the network traffic such copies create. Too many copies create too much traffic; too many objects in one copy creates too much cpu overhead (and eventually serious trouble with NDS) updating each copy. Too few copies and they could all be off the air simultaneously. Those are the tradeoffs of partitioning. I'm sure Debbie will have more insightful remarks on the matter. Joe D. ------------------------------ Date: Fri, 3 May 1996 23:32:26 -0700 From: Randy Grein To: "NetWare 4 list" Subject: Re: Hidden object >But the biggest problem stays *when* are you going to do this? >On what grounds? I rather would have an util that can be run >on a periodic basis (once a week at least). >But also don't forget that a good hacker will install himself on your >server and wait at least a month or two before revisiting >(just to make sure his little backdoor is on most backups). 
>Another solution would be to have a util that makes an exportfile
>from the DS as you view it (with *everything* in it) then purges
>your DS and restores it using the exportfile. Thus making sure that
>the DS you see is the DS in total. This could have drawbacks though...

April Appnotes there is a utility you want: Auditware for NDS. It even finds those darn stealth objects you hate so much! Call Preferred Systems, Inc. at (203)937-3000 or U.S. at (800)222-7638.

------------------------------

Date: Thu, 9 May 1996 16:24:29 -0700
From: Corbin Glowacki
Subject: DS Expert Free Starter Pack Offer

NEWS
For Immediate Release

Contact: Tim Manning, 602.941.3639
NetPro Computing, Inc.
Mike Pressendo, 602.274.1988
Gordon C. James Public Relations

NetPro Announces "Free" Promotion Offer On Premium NDS Utility Software, DS Expert For NetWare 4.1

(Scottsdale, AZ -- May 9, 1996) -- NetPro Computing, Inc., a leading provider of enterprise network utilities, announces a special limited time offer on its latest network utility product - DS Expert for NetWare 4.1. From May 13, 1996 through July 31, 1996, NetPro will offer at no cost, its Two Server Starter Pack, previously valued at $1,299. The Starter Pack will be a full running version, not an evaluation copy, and will include a perpetual license and 90 days of technical support. This promotion is coupled with NetPro’s involvement in the 1996 Novell International Road Tour which began May 2.

DS Expert is designed to prevent costly and crippling network failures. It is the only network management tool available today that provides real-time, proactive Novell Directory Services (NDS) monitoring and troubleshooting from one site. DS Expert’s advanced technology alerts network professionals to problems before they become crises and directs them immediately to the source of the problem.

"Most of our network links are wide area so we had a dire need to monitor our network tree. I realized the benefit of DS Expert right off the bat.
It detects potential problems before they become major problems and has saved us time." Chris Patton, LAN Specialist According to NetPro’s Director of Sales and Marketing, Ed Gannon, "This promotion expresses our confidence in DS Expert’s ability to revolutionize the way corporations manage their NDS networks. The support from our customers and the press has been outstanding on this product. We want to extend that good will and build awareness so that every Netware 4.1 NDS network runs smoothly with the help of DS Expert." "We are excited to see a company with extensive global directory services experience like NetPro, building management, monitoring and optimizing tools for NetWare Directory Services," said Scott Wells, manager of developer programs for Novell’s NetWare Products Division. "These new NetPro products will make it even simpler to manage, administer and migrate to NetWare 4.1." NDS is the latest and most powerful networking solution for enterprise networks of all sizes. NDS is much like a "Yellow Pages" telephone directory that permits any object on the network to look up another object and find its location and the services it provides. NDS includes a comprehensive database that is a directory of information about every object on the network -- including users, printers, message servers, volumes and groups. Therefore, protecting this information becomes critical, and DS Expert responds with real-time downtime protection. "We did not know we had a problem with our network until we loaded DS Expert. It helped identify problems immediately before they became disasters and now saves me time in managing our wide area network. NetPro's tech support is unbelievable and made the transition to DS Expert seamless." Ed Easter, IT Network Specialist, CLECC The DS Expert Starter Pack includes three basic components, an NDS tree monitor, two intelligent server agents and a Windows client. 
The Starter Pack provides real-time view and print capability and an array of alerts for the entire NDS tree, across all NDS servers. Detailed optimization statistics and a full complement of NDS alerts are available on servers where intelligent agents are installed. Network professionals can download a free copy of DS Expert from the NetPro website at http://www.netpro.com or call 800-998-5090. Specific information about the free offer can be found at http://www.netpro.com/freeoffer. Full documentation is available at a suggested retail price of $69.95 and additional agents can be purchased at a suggested retail price of $499.00. NetPro Computing, Inc. is a third party developer and publisher of network software including virus protection and administrator utilities for Banyan and Novell networks. NetPro markets products worldwide from its Scottsdale, Arizona headquarters. # # # ------------------------------ Date: Sat, 11 May 1996 22:25:17 -0400 From: Debbie Becker Subject: Error message during DSMERGE >I would appreciate any help for the following error: > > Attribute "Partition Status" is unique to the source tree > >While trying to do a DSMERGE I receive this error. I am synchronized >and I checked my directory version and it is the same. It would appear that you have installed some application on one server that "extended" the schema on that server (the schema being the set of rules used by Directory Services to determine the types of objects that can be created -- some apps change these rules to allow for the creation of their own objects). I know that several backup programs do this -- would appreciate any additional info anyone has on other apps that do this as well. The newer versions of DSMERGE allow you to import or export the schema from one tree to another. Alternatively, you could load the application which caused this on the other system. 
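Added example (not part of any message in this digest): a small Python model of the walk Debbie Becker describes in her 23 Apr 1996 reply on 4.1 rights, and of the earlier warning about granting Supervisor or Write All Properties lightly, checking trustee assignments from the server object up to [Root]. The tree, object names and assignments are constructed; Inherited Rights Filters are not modelled, and "security equivalent to their containers" is taken to mean every container above the user.

```python
"""Which NDS trustee assignments hand out Supervisor file system rights on a server?"""
from dataclasses import dataclass

ROOT = "[Root]"


@dataclass(frozen=True)
class Assignment:
    target: str                # object that carries the trustee assignment
    trustee: str               # user, group or container named as trustee
    object_rights: str = ""    # letters from S B C D R
    all_prop_rights: str = ""  # All Properties rights, letters from S C R W A


def parent(dn):
    """'.FS1.SALES.ACME' -> '.SALES.ACME' -> '.ACME' -> '[Root]' -> None."""
    if dn == ROOT:
        return None
    parts = dn.lstrip(".").split(".", 1)
    return "." + parts[1] if len(parts) == 2 else ROOT


def path_to_root(dn):
    """The object itself, then every container above it, ending at [Root]."""
    chain = []
    while dn is not None:
        chain.append(dn)
        dn = parent(dn)
    return chain


def escalating_right(a):
    """Name the right that flows into the file system, or None if harmless."""
    if "S" in a.object_rights:
        return "Supervisor object right"
    if "S" in a.all_prop_rights:
        return "Supervisor All Properties right"
    if "W" in a.all_prop_rights:
        return "Write All Properties right"
    return None


def holders(trustee, users, groups):
    """Users who exercise an assignment made to this trustee."""
    if trustee in groups:
        return set(groups[trustee])
    # Container as trustee: every user below it is security equivalent to it.
    below = {u for u in users if trustee in path_to_root(u)[1:]}
    return below or ({trustee} if trustee in users else set())


def audit_server(server_dn, assignments, users, groups):
    """Check the server object, then each container above it, back up to [Root]."""
    findings = []
    for level in path_to_root(server_dn):
        for a in assignments:
            right = escalating_right(a) if a.target == level else None
            if right:
                findings.append({
                    "assigned_at": level,
                    "trustee": a.trustee,
                    "right": right,
                    "users": sorted(holders(a.trustee, users, groups)),
                })
    return findings


def users_with_fs_supervisor(findings):
    return sorted({u for f in findings for u in f["users"]})


# Constructed sample tree (names are hypothetical).
USERS = [".ADMIN.ACME", ".JOE.SALES.VIRGINIA.ACME",
         ".HELPDESK1.VIRGINIA.ACME", ".SUE.SALES.UTAH.ACME"]
GROUPS = {".OPERATORS.VIRGINIA.ACME": [".HELPDESK1.VIRGINIA.ACME"]}
SERVER = ".FS1.SALES.VIRGINIA.ACME"
ASSIGNMENTS = [
    Assignment(ROOT, ".ADMIN.ACME", object_rights="SBCDR"),
    # Container made a trustee of itself with Write: reaches every user below it.
    Assignment(".VIRGINIA.ACME", ".VIRGINIA.ACME", all_prop_rights="RCW"),
    # Supervisor, but in a branch that is not above the server: no effect on FS1.
    Assignment(".SALES.UTAH.ACME", ".SUE.SALES.UTAH.ACME", object_rights="S"),
    Assignment(SERVER, ".OPERATORS.VIRGINIA.ACME",
               object_rights="B", all_prop_rights="RC"),
]

if __name__ == "__main__":
    for f in audit_server(SERVER, ASSIGNMENTS, USERS, GROUPS):
        print(f"{f['right']} for {f['trustee']} at {f['assigned_at']}: "
              f"{', '.join(f['users']) or 'no users'}")
```
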
------------------------------

Date: Sun, 12 May 1996 20:16:16 -0400
From: Debbie Becker
Subject: Re: NW41/Netsync

>I'm using ...attempting to use... my 2 user version of NW4 as a
>management function for our NW3x boxes via Netsync. OK so far, after a
>couple hilarious moments having to do with changing the name of the NW4
>server, after having set up netsync on both boxes and doing some admin
>work for some NW3x users.
>
>Anyway ... Default bindery context pointed to the container where my
>object resided, so of course, when the bindery was copied there, my
>account was 'merged', or subsumed by the NDS object of the same name's
>properties. I encountered problems w/Novell Client32 upon login,
>reporting 'unknown tree'. I noticed that NW4 mappings used a different
>syntax, server name_volume:path. Well, the server name I used had an
>underscore, and I thought a name change was in order. The bindery had
>been synced at some point (300 sec default), I had done a few mappings
>in my NDS leaf object script, and the 3x user login script still had the
>old server name. We finally get to the point of this. I deleted the NW3
>server from NETSYNC4 config, and after fumbling with the set bindery
>context command, reloading netsync3, appear to be back near square one,
>with a new container for the NW3x object, the bindery context pointing
>there and everything working.
>
>My question is how to bring another NW3 server into NW4 this way. I'm
>aware I can specify 16 bindery contexts, but how do I tell netsync that
>I want each bindery copied into a different container? I don't want to
>just dump everything into the same container. Rather I want separate
>NW3x containers with a copy of an NW3 server bindery therein.

NetSync will move bindery info into the *first* container listed in your server's bindery context. If you want separate NW3x containers for each bindery, make sure you change the 4x server's bindery context prior to NetSync'ing each 3x server.
------------------------------

Date: Sun, 7 Jan 1996 21:10:57 -0500
From: Debbie Becker
Subject: NDS Documentation

Someone at Novell has put together a terrific piece of reference material on Directory Services. File is DSDOC.EXE on the NWOSFILES section of NETWIRE -- either on CompuServe or (I assume) on their NetWire Web site (netwire.novell.com, I think). It's in Envoy format with a viewer -- prints out really nicely, though -- I have mine in a notebk for future reference!

------------------------------

Date: Fri, 26 Jan 1996 02:10:17 -0500
From: Debbie Becker
Subject: Re: NetWare 4.1 DS error message

>Last week I installed NetWare 4.1 on a new file server. We
>already had a NetWare 3.12 server on our network. I added a
>server object to the directory tree for the 3.12 server and also
>installed NetSync. Now, every hour I get the following message
>on the 4.1 server console:
>
>    DS-4.63-47
>    Severity=1 Locus=17 Class=19
>    Unable to communicate with server PLEXUS.PSI

This is a harmless (but annoying) error. NetWare 4.1 servers can't synchronize with 3.1x servers, but (since it sees the server object in the tree) it tries to do so anyway. Novell is aware of this and we have hopes that they'll address it in future versions of the OS.

------------------------------

Date: Sat, 23 Mar 1996 09:31:40 -0500
From: Debbie Becker
Subject: Re: NDS errors

>I have recently added two servers as replicas in our partition of the
>tree. The servers are connected to the SAME cable segment (thin
>ethernet) in the following order;
>
>    __________________________________
>    |          |          |          |
>    A          B          C          D
>
>D is the server with the master replica and the cable is terminated
>here. Server A can connect to D with no problem and vice-versa. But,
>when servers B and C are involved, we keep getting "Unable to
>communicate with server ...." errors at the server consoles, and
>also -625 errors in dstrace. This causes synchronization problems
>with the NDS. I have ensured that there are no cabling problems.
>
>The servers we have problems with (B and C) have PCI cards installed
>- servers A and D do not. Are there any known problems with PCI cards?
>Or, could the fact that we only have 16Mb of RAM installed in these
>two servers have an effect. Or, could it be that I need to change
>some of the Communication settings at the console (such as max
>packet receive buffers)?

-625 error is a TRANSPORT_FAILURE error which indicates an inability to communicate across the network. Check for SAP filtering of DS SAP types of 26B and 278. Check cabling, LAN card and LAN drivers. This error is almost always a LAN issue.

Occasionally, a change of server name, move of server object, or change in internal IPX number can cause this error. If you think one of these may be your problem, run DSREPAIR with the option to repair network addresses on the source server to check the internal IPX of the target server -- the change may not have been completed successfully.

------------------------------

Date: Sat, 23 Mar 1996 16:13:32 MDT
From: "John L. Stevens"
Subject: Re: Novell 4.1 Disk Compression

>>From: Debbie Becker
>>Well, if you mean that you didn't enable compression when you created
>>the volume, I'm afraid it's a little late now. Compression can *only* be
>>enabled when the volume is created. The only way to do it after the fact
>>is to backup everything on the volume, blow it away, recreate it
>>(enabling compression when you do so), and then restore your data -- not
>>a solution I'm personally real fond of!
>
>From: John Baird
>Compression can be turned on at any time - Turning it off is a little
>more problematic!

Now if you are still confused about the right answer you may consult the "Red Books" 'Supervising the Network II' on page 537. The NOTE states, "Once file compression is enabled for a volume, you can't disable it unless you first re-create the volume" Page 538 describes how to enable compression on a volume that was turned off.
With that in mind, an 'oops, I should have left it disabled' will mean recreating the volume or setting the Enable File Compression=OFF which will suspend compression temporarily.

------------------------------

Date: Sat, 23 Mar 1996 18:58:36 -0800
From: Randy Grein
To: "NetWare 4 list"
Subject: Re: Plans for NDS...

Green river is estimated to be out by September. MUCH better crash protection, New NWAdmin, graphic DSREPAIR, etc.

DS will be moving to Federated partitions. The concept is slightly like Microsoft's Domain trusts, but only a little. Trees can be grafted together without actually being fully connected; this gives us the ability to remain separate yet easily still be part of a much larger tree.

NEST devices are already out; nearly 30 are on the market with some 200 by the end of 96. This is pretty cool because it gives intelligent device manufacturers a way to cheaply build communications into them. Nest Powerline technology is the killer here though; by sending network signals through the power lines you no longer need dedicated cabling for most uses! The signaling scheme is kind of complex, but they demoed the technology in quite a number of places. I'll be writing an article for Network VAR on the subject that should be out in October.

------------------------------

Date: Thu, 28 Mar 1996 17:31:28 +1200
From: J.Baird@ONO.LINCOLN.AC.NZ
Subject: Re: NDS Phantom volume

>Scenario, two disks in server D1 and D2, Volumes SYS: and DES: on
>D1, free space available on D2. Need more space for SYS:, do not want
>to span disks so - create TEMP: on D2, netcopy all files from DES: to
>TEMP:, delete DES:, splice free space onto SYS:, rename TEMP: to DES:
>
>Everything works fine - but (there is always a but!), if I examine
>the NDS using NWADMIN there is still a volume object called TEMP:
>(click on it and am informed that it is not mounted). Stranger still,
>when users of DES: volume login their home directory mapping is shown
>as TEMP:users\.
>
>As I said, everything seems to work OK but I am baffled by the
>mapping, the TEMP object is definitely shown as a volume object and
>not an alias object, so where is this mapping coming from? I've
>examined login scripts and the mapping for home directory is shown as
>DES: - any illumination on this mystery much appreciated.

When you created volume temp:, a corresponding NDS object was obviously created. Now the volume definition tables for TEMP contain the NDS object ID of the corresponding NDS object. Having renamed volume TEMP: to DES:, the object ID in the definition tables still points to volume object TEMP. I'm not sure how you are displaying the mappings but if you are using MAP.EXE, what it does is try to find the volume object matching the physical volume via the volume definition tables so if you do

    map p:=sys:public

it will report

    Drive P:= server_sys: \public

To cure your problem, delete the volume object for DES, and rename the volume object for temp to whatever the volume object for des was called. If the volume definition tables end up with an invalid ID (e.g. if you deleted the volume object for TEMP) there does not appear to be any way to reset it - I can't figure how to do it and Developer Support haven't been any help on this.

------------------------------

Date: Thu, 28 Mar 1996 09:45:13 -0500
From: Rick Troha
Subject: Re: NDS Naming Standards

>We've been looking for NetWare 4.1 NDS naming standards- everything
>from object name format (capitalization, length, delimiters, etc)
>down into property details.

Two Novell Application Notes you might want to get your hands on are:

    Implementing Naming Standards for NetWare Directory Services    Feb. 1994
    Applying X.500 Naming Conventions to NDS                        January 1996

Novell Application Notes can be ordered by calling 1-800-377-4136

------------------------------

Date: Mon, 22 Apr 1996 23:13:00 -0700
From: Randy Grein
To: "NetWare 4 list"
Subject: Re: NDS Ping.

>I have been running a lan sniffer on a NetWare 4 Lan.
>The sniffer is showing a large number of NDS Ping packets. Can somebody
>explain why or what these packets are and why they are sent out.

Sure. They're keepalive packets. NDS has to be kept current on the existence of the servers in the tree, so they send small packets saying nothing more than "I'm here!". It's the same concept as SAP packets, except they are very small and should be sent just between partition replicas and the machines in that replica. They are not broadcasts. You can configure the time between pings as well as other parameters.

Consider, please, the amount of CURRENT information stored in NDS - server up, etc. They simply must communicate, otherwise NDS only assumes there's something there.

------------------------------

Date: Mon, 13 May 1996 03:34:59 -0400
From: Gabor Borsodi
Subject: Re: Error message during DSMERGE

>>I would appreciate any help for the following error:
>>
>>    Attribute "Partition Status" is unique to the source tree
>>
>>While trying to do a DSMERGE I received the above error.
>>I am synchronized. I checked my directory version and it is the same
>
>It would appear that you have installed some application on one server
>that "extended" the schema on that server (the schema being the set of
>rules used by Directory Services to determine the types of objects that
>can be created -- some apps change these rules to allow for the
>creation of their own objects). I know that several backup programs do
>this -- would appreciate any additional info anyone has on other apps
>that do this as well.

There is an add on for NWAdmin to make it able to handle some GroupWise specific attributes. It also extends the schema.

>The newer versions of DSMERGE allow you to import or export the schema
>from one tree to another. Alternatively, you could load the application
>which caused this on the other system.

Dsrepair will do it as well. Also you can upgrade the schema on all servers in the tree.
Somewhere in Advanced options, Global schema updates.

------------------------------

Date: Wed, 15 May 1996 21:15:59 -0700
From: Randy Grein
To: "NetWare 4 list"
Subject: Re: Bindery emulation questions

>We are running 4.1 and are still basically in Bindery emulation on two
>partitions of the NDS, on several servers in different
>locations. Unfortunately, I have to support some bindery based clients,
>and would like to give them access to both partitions. If I replicate both
>partitions to both locations, set the bindery context for both contexts
>on both servers, would bindery based clients get access to all objects in
>both bindery context containers?

Yes

------------------------------

Date: Fri, 17 May 1996 22:00:19 -0600
From: Joe Doupnik
Subject: Re: NW 4.1

>WHAT IF, in the course of building an NDS tree, you do not have a second
>server to replicate the tree?
---------
That's a good question, but under the circumstances a tiny one. The real question is what happens about tape backups when you have a real tree, and you don't want to hear the answer (punt). The problems with tape backups of NDS are many and are briefly reviewed in the list's FAQ. Did you look there yet? Please do so.

A one server tree has no epoch mismatch problems because there are no conflicting replicas out there. You will have NDS name to internal number problems up the wazoo, so be prepared to regenerate lotsa stuff. Basically you will get back on the air.

The solution to this long standing, um, er, "feature" of NDS is to wait for Green River. The SMS tools there (TSA410 and TSANDS) do permit tape restores to a real tree without damage (so says the design team, I haven't tried it). Soooo, right now Novell's *strong* advice is forget tape backups of NDS because they won't work. Replicate, stay on good terms with your network neighbors, and cross those fingers. By Green River time you can uncross the fingers and hopefully get by restoring from tape.
One of the necessary skills with NDS at the management level is selecting the number of and placement of replicas to provide a balance between security, network traffic, and expenditure of your good will. Partitioning is the major tool to use here, since it's the traffic regulator.
        Joe D.

------------------------------

Date: Sat, 18 May 1996 10:23:26 +0100
From: Richard Letts
Subject: Re: My NDS tree is paralyzing

>I'm finding more & more ants coming into my pants!
>My NDS tree is paralytic, it's dying! I'm sinking!

STOP!

In my experience when you think the tree is damaged you need to do two things,
1. Stop messing with the tree. You are probably causing more damage.
2. Arrange for Novell to dial-in and fix your tree.

As soon as you get an error in the tree, or an inconsistency, concentrate on carefully expunging that problem before doing any more work on the tree.

------------------------------

Date: Sat, 18 May 1996 17:39:09 -0400
From: Debbie Becker
Subject: Re: My NDS tree is paralyzing

>I'm finding more & more ants coming into my pants!
>My NDS tree is paralytic, it's dying! I'm sinking!
>
>1) Simplified tree structure:
>
>                                [ROOT]
>                                   |
>                  +----------------------------------+
>                  |                                  |
>               O=ADMIN                             O=SCH
>                  |                                  |
>       +----------+----------+                +-------------+
>       |                     |                |             |
>  +----+----+           +----+----+       ou=sch_1     +----+----+
>  |OU=dept_1|   ....    |OU=dept_4|                    |OU=sch_n |
>  +---------+           +---------+                    +----+----+
>                                                            |
>  Legend: +-------+                                     server_n
>          |       | Partition
>          +-------+
>
>2) Story:
>   - Starts from the tree illustrated, everything was fine.
>   - Merged the ou=sch_n with [ROOT].
>     Got error message like "NDS is busy sync ..." (I forget).
>   - Renamed sch_n to school_n. (No any error message!)
>   - The following day, I found school_n lost and sch_n comes out again!
>   - No more nds operations like Copy, Move and Delete can be done anymore
>     in O=SCH. Get message "NDS is busy sync..." always.
>   - Some weeks later, tried "Abort partition operation" in NWAdmin with
>     sch_n, it reported that the status of all replicas in sch_n "merge 0".
>   - Found just after that the status of all replicas in [root] were in
>     "merge 0", too!
>   - Then no more objects were allowed to be copied or moved between the
>     two Os.
>   - Last week, tried to remove the NDS from the server_n. FAILED.
>     It was reported that the "NDS is busy ..."
>   - Attempts to delete server_n from NDS failed as well.
>
>   * We have 18 servers and 9 of them are nw410, which spans across five
>     remote sites (linked w. 64K lines)
>   * The network were migrated from the nw311 network
>   * All nw31x servers are for Novell's MPR+, nwsaa, Gupta's sqlbase, etc.
>   * Links to the remote nw4.1 servers were broken from time to time for
>     irregular duration (varied from hours to days).
>   * In server_root, we see partition "school_n". But in all other servers,
>     only sch_n (the original name) are shown! (Showing from the dsrepair's
>     Replica Ring option)
>   * O=ADMIN branch works fine. And user objects in O=SCH can use the
>     resources in O=ADMIN.
>
>3) Actions taken:
>   - All nw4.1 servers were running the 410pt3, 410it6, ds4.89a and from
>     this week, all servers have ds4.89c and libup8
>   - dsrepair has been done for many times in server_n, server_root, etc.
>
>4) My plan:
>   - Cut the TREE and plant it again! (but where to get the utilities to
>     record all objects and the rights, the TAs, etc?)

Apparently a problem existed from the get-go (the "NDS is busy syncing" message you got when merging) and now your partition(s) are locked up trying to sync. You will not be able to perform any significant partitioning operations and (as you've noted) changes that you make in DS may "disappear" -- a classic sign of unsynchronized replicas.

Problems:
* You have lots of servers, some of which are across relatively slow links.
* Your servers are up and down erratically.
When you merge a partition into the [ROOT] partition, *every* server with a replica of the [ROOT] partition *and* the partition being merged *must* be up and running, because each of them will receive a copy of the new [ROOT] partition. In other words, if five servers have a copy of the [ROOT] partition and five servers have a copy of the SCH_N partition, all ten of them will receive a copy of the newly updated [ROOT] partition. This can be a slow process at best and is made slower by:
* large numbers of servers holding the two original replicas
* servers with replicas across WAN links (especially slow ones)
* servers being down.

You will *not* be able to finish the partition merge if all servers with those replicas aren't up until the merge is completed.

Steps:
1) Check the replica ring(s) for the [ROOT] and SCH_N partitions.
2) Make sure that all servers are up.
3) Leave them alone for a day.
4) Check synchronization status of the replicas. If any errors, check the DSDOC documentation that's been recommended so many times to see what the errors are and how to resolve them.
5) I've had some success in "pushing" a merge (after giving it a *long* time to complete) by using DSREPAIR, Advanced Options, Replica and Partition Operations. Choose the partition ([ROOT] or SCH_N) and Schedule Immediate Synchronization.

Big rule - WAIT, WAIT, WAIT! Especially when dealing with lots of servers (some up, some down) and slow links.

------------------------------

Date: Sat, 18 May 1996 17:39:05 -0400
From: Debbie Becker
Subject: Re: HELP! with NDS security

Incidentally, I've heard from several sources that it's better to assign universal rights using the [ROOT] object -- apparently [PUBLIC]'s rights get blown away (except for the system defaults) every time you run DSREPAIR...haven't had a chance to test this, but makes sense to me...
------------------------------

Date: Wed, 22 May 1996 07:02:22 +-200
From: Patrick Medhurst
Subject: Re: -700 nds error

>My computers are busy,,, what is -700 error ? I have a list of codes
>that stop at 699 and can't get to ftp right now...TIA

-700 is "OBSOLETE API" if that helps at all... Other errors that aren't in the usual docs:

    -701 SYNCHRONIZATION DISABLED
    -702 INVALID PARAMETER
    -703 DUPLICATE TEMPLATE
    -704 NO MASTER REPLICA
    -705 DUPLICATE CONTAINMENT
    -706 INVALID SIGNATURE
    -707 INVALID RESPONSE

------------------------------

Date: Wed, 22 May 1996 19:23:18 -0400
From: Debbie Becker
Subject: Re: Synthetic time

>I have 4 servers in an NDS tree, with 1 server being a single reference
>time server and the other 3 set as secondary reference. For some reason,
>one of the servers is issuing the statement
>
>synthetic time being issued on partition "ACADIA"
>
>The server in question has a read/write replica to the NDS tree. I have
>seen the error before when I've booted the server without network support,
>but that's not the case this time since it can see the other servers
>fine. If I run the time synchronization option in DSREPAIR it also
>reports things are ok. Is this a serious problem, or am I overlooking
>something simple?

You often see this message when your server's hardware clock has been reset (backwards). Basically, NDS loads when the server boots, checks the time and then sees that it has information in DS that's timestamped later than the server time. Servers don't know how to cope with this "Time Warp" so they issue Synthetic Time error messages.

You can rid yourself of them by loading DSREPAIR and choosing Advanced Options. Pick Replica/Partitioning Operations and choose the partition. Pick Repair Time Stamps and Declare a New Epoch (impressive sounding, no?). This will create new time stamps.

------------------------------
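
The boot-time check and the re-stamping described in the synthetic time message above, as an added Python sketch that is not part of the original thread and not Novell's code. It assumes a simplified timestamp of (seconds, event_id) and a replica held as a plain dictionary; the object names and clock values are constructed sample data, and only the partition name and warning text come from the message.

```python
"""Toy model of NDS "synthetic time" (added illustration, not Novell code).

Assumptions made for this sketch: a timestamp is (seconds, event_id), a
replica is a dict of object name -> last-modified timestamp, and all object
names and clock values below are constructed sample data.
"""
from dataclasses import dataclass, field

NOW = 832_806_000  # constructed "true" time, in seconds


@dataclass
class Replica:
    partition: str
    epoch: int = 1
    stamps: dict = field(default_factory=dict)  # name -> (seconds, event_id)

    def newest(self):
        """Highest timestamp stored in the replica, or None if it is empty."""
        return max(self.stamps.values(), default=None)

    def seconds_ahead(self, clock):
        """How far the newest stored stamp lies in the future of `clock`."""
        top = self.newest()
        return max(0, top[0] - clock) if top else 0

    def record_change(self, name, clock):
        """Stamp a change to `name`; return True if the stamp was synthetic.

        A stamp taken from a clock that is behind the stored data would sort
        before changes that really happened earlier, so the model continues
        from the newest stored stamp instead of using the clock.
        """
        top = self.newest()
        if top is None or clock > top[0]:
            self.stamps[name] = (clock, 1)
            return False
        self.stamps[name] = (top[0], top[1] + 1)
        return clock < top[0]

    def declare_new_epoch(self, clock):
        """Re-stamp every object from `clock`, keeping the existing order."""
        ordered = sorted(self.stamps, key=self.stamps.get)
        self.stamps = {n: (clock, i) for i, n in enumerate(ordered, 1)}
        self.epoch += 1


def boot_check(replica, clock):
    """Return the console warning if stored data is newer than the clock."""
    if replica.seconds_ahead(clock):
        return f'synthetic time being issued on partition "{replica.partition}"'
    return None


def demo_replica():
    """Constructed replica whose last change was made 20 s before NOW."""
    return Replica("ACADIA", stamps={"CN=alpha": (NOW - 500, 1),
                                     "CN=beta": (NOW - 20, 1)})


if __name__ == "__main__":
    r = demo_replica()
    clock = NOW - 3600                      # hardware clock reset one hour back
    print(boot_check(r, clock), "-", r.seconds_ahead(clock), "s ahead")
    print("new change synthetic?", r.record_change("CN=gamma", clock))
    r.declare_new_epoch(clock)
    print("after new epoch:", boot_check(r, clock), r.stamps)
```

In this model the warning also clears without a new epoch once the clock passes the newest stored stamp, so `seconds_ahead` shows how long that would take.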