----------------------------------------------------------------------
NOV-NDS6.DOC -- 19980327 -- Email thread on NetWare Directory Services
----------------------------------------------------------------------

Feel free to add or edit this document and then email it back to
faq@jelyon.com

Date: Wed, 19 Nov 1997 10:19:06 +0200
From: Mike Glassman - Admin
Subject: NDS Problem ?? - changing servers

I know what you are going through, as I just did the same myself last
weekend on a major operational server - 21GB of data on SFT III servers.

Just so you know, NCOPY does not copy the rights over between servers;
you need a tool such as TBACKUP.EXE for that (works wonderfully), which
can back up and restore the rights.

These are the steps to take in order to make the changes you want. A
note prior to this is that you do NOT have to have the new server in a
new tree; on the contrary, it is preferable to have both servers in the
same tree, in the same container, but with different names.

Steps for changing over servers:
=================================

 1. Install the new server into the SAME tree as the server to be
    changed, with a new name.
 2. Map drives to the root of each volume to be copied.
 3. Disable login on the server to be changed.
 4. Use NCOPY to copy over all the dirs and files on all volumes except
    SYS: (including empty dirs).
 5. Manually perform a copy of files from the old SYS: to SYS: on the
    new server.
 6. Run TBACKUP /s on the root of every volume on the old server. This
    creates a batch file called trestore.bat. Copy this file to the
    root of each corresponding volume on the new server. You don't need
    to copy tbackup.exe.
 7. In autoexec.ncf, change the name of the old server (DO NOT change
    the internal IPX number at this time). Down the server, bring it
    back up.
 8. Go into NWADMIN and change the names of the associated volumes of
    the old server to the old server's new name.
 9. Wait a few minutes and then check that if you double-click the old
    volumes under their new name, you don't get an error message (in
    NWADMIN), and check that NDS sees the new server.
10. Change the new server's name to the old server's name in
    autoexec.ncf (no changing of the internal IPX number at this time);
    down and bring back up.
11. Change the associated volume names in NWADMIN to correspond to the
    new server's name; perform the double-clicking and NDS check
    operations here too.
12. Log into the new server and run trestore.bat on the root of each
    volume.
13. Run NWADMIN for iw411 and check that all your users have the NEW
    server's name in the ENVIRONMENT/Default Server section. Note: if
    users had the old server's name in this area, it will have
    automatically changed to show the old server's NEW name, so you
    will have to change it back to show the new server's name. You can
    do this on all users at once using the Multiple Objects change
    option.
14. Check if your old server held any replica information such as
    Master copies or read/write copies. If yes, create R/W copies that
    correspond to these on the new server, then change them to be
    Masters if necessary on the new server. This is important if you
    need to have bindery emulation set. No replicas means no bindery
    emulation.
15. WAIT a few minutes and check your NDS for ANY messages. If all is
    clear, delete any replica references on the old server so it holds
    nothing.
16. Remove NDS from the old server to totally break the link to the NDS.
17. MANUALLY (ack) recreate any printers, queues and print servers that
    were on the old server under the new one, as they, as usual, do NOT
    transfer safely. (I have always dreamed of a utility that would be
    able to transfer all the printer info across; it's one of those
    "never happen" dreams, it seems. I had to recreate 200 of these
    things after my move... but it all works now.)

And that is that.

It's long, and seems scary, but if you go about it step by step, you'll
find that your system works fine at the end, just as it should.

The important things here are:

NEVER change a server name and an internal IPX number at the same time
unless you are seeking NDS sync troubles. And troubles you will have.

NEVER move past a step that concerns NDS changes before making sure that
the NDS is ok. NDS is a finicky child and sulks on a regular basis over
any small thing. A happy NDS is a happy SysAdmin.

Remember that NDS follows your changes step by step and changes itself
accordingly. If it sees you change the old server name it will change
all associations and keep them on the old server EVEN if your new server
has the same name as your old server used to have. Painful but very
logical!

After recreating printers, queues etc., remember that their numbers in
the print server association table have changed, so if you perform
NPRINTER loads using a # and not a printer name, better check the
numbers still correspond.

And that's the end of "class-101-NDS changing of servers".

Oh, by the way, the utility TBACKUP.EXE works perfectly, and is well
worth the download. It's one of those tools that we often ask how we
worked without.

------------------------------

Date: Fri, 21 Nov 1997 21:45:06 +0100
From: "Arthur B."
Subject: Re: Separating Two v 4.10 Trees

>I have merged two v 4.10 trees and now I want to separate them,
>so that they both have separate roots (their original state).

See TID 2912566 at http://support.novell.com

------------------------------

Date: Mon, 1 Dec 1997 15:09:58 +0000
From: Richard Letts
Subject: Re: Back-Up Software

>Could someone recommend to me an EXCELLENT software to use on my NW 4.11
>(with NDS) to back up several servers, and NDS?

Firstly, you don't back up the NDS, you replicate it. Anyone who tries
to sell you a product that claims to back up the NDS is selling
snake-oil.
There are just too many darned timestamps which are important in the NDS
to make a restore from a backup have any meaning. About the only time
this isn't true is a single-server tree.

I've used SBACKUP, Emeritus Tapeware and Cheyenne ArcServe. We now use
Networker from Legato, which has the interesting properties that it's
easy to use, the restore process works, and it doesn't abend our
fileservers.

------------------------------

Date: Tue, 2 Dec 1997 17:51:37 +1300
From: "Baird, John"
Subject: Re: Volumes missing in NDS

>>I don't know why, but not all of my volumes appear in the NDS tree
>>although they don't seem to have any problem. Do you have any idea why
>>this happens? Is it serious? Can I safely manually recreate the
>>volumes in the NDS? What happens if you delete a volume in the NDS?
>>
>>That's quite confusing because you can actually perform file
>>operations through the NDS and NWADMIN and this is a bit scary.
>
>No data will be lost if you delete the NDS object of a volume. And you
>can recreate it using INSTALL.NLM, and selecting Directory Options ->
>Upgrade mounted volumes into the Directory.

True, but other things may be affected. For example, any "Home
directory" attributes referencing the volume object will be deleted. If
a directory map object points to a path on the volume, then I'd guess
that the directory map object will be deleted as it must have an
associated path which must incorporate a volume object.

------------------------------

Date: Wed, 3 Dec 1997 12:09:19 -0500
From: Christopher Lee
Subject: Re: NDS Partitioning

>I have inherited a small WAN, all 5 sites within the same county. There
>is a full tree at each site which is creating a lot of traffic on the
>wire (T1 public FRS). Each site is an OU, which was about the only
>thing done right on this installation. I want to partition the tree at
>each OU like:
>
>[Root]
>O=AA (Partition)
>OU=Main Site
>OU=Site B (Partition)
>OU=Site C (Partition)
>OU=Site D (Partition)
>OU=Site E (Partition)
>
>The main thing I'm concerned about is, due to the nature of our
>business, users move from site to site (i.e. context to context) with
>no rhyme or reason, just necessary. Right now this is handled with
>Alias objects for these users in each context. My concern is resource
>accessibility. For instance, will a user whose context is Site B, but
>who is logging in at Site D, be able to map to his/her home directory
>in Site B? Or be able to print to a printer in another OU? Or any other
>"what if" I haven't thought of?
>I would rather teach my 4yr old calculus than try to teach my users the
>ideology of contexts.

What we did (for one of our DoD customers) is to create a "traveller"
group containing all those frequent travellers and give the group the
necessary rights to access all servers (and appropriate printers)
throughout the organization. To reduce the WAN traffic, we set up our
login script in such a way that users would only map back to their home
server for cc:Mail and their home directory and would utilize the local
server for the rest of file and print services.

------------------------------

Date: Mon, 29 Dec 1997 09:32:20 GMT+1
From: Steinar Kleven
Subject: Re: Group member, but not member of the group

>A user's object shows to be a member of a group, but the group object
>does not list the user as a member. I do remember from the previous
>thread that the users still get the rights from the group, but this is
>not what I need. This group is for e-mail announcements, and the users
>not listed are not getting the messages.
>
>Is there a max number of members in a group? If so, is there a fix?

I can only give you a clue for NDS groups, not old 3.x bindery ones.

There are three possibilities with group membership in NDS.
1: Group is listed in "Group Membership" on user attributes
2: User has security equal to a group.
3: The user is listed in "Members of group" in group object

As far as I know none of the above excludes (or includes) the other two
options. The available tools often set all these attributes when you are
assigning a user to a group, but that doesn't mean that it HAS to be
done.

I really don't know if there is a max number of members in a group, but
I know we have one with 1700 members. If your need is higher I can't
help you with that, sorry. Maybe you should use some other tool, or get
an upgrade of your existing ones.

------------------------------

Date: Mon, 5 Jan 1998 13:23:33 +1300
From: "Baird, John"
Subject: Re: Group member, but not member of the group

>I can only give you a clue for NDS groups, not old 3.x bindery ones.
>
>There are three possibilities with group membership in NDS.
>1: Group is listed in "Group Membership" on user attributes
>2: User has security equal to a group.
>3: The user is listed in "Members of group" in group object

Under NW 4.10, a 4th step was introduced. The user should be added to
the group's "Equivalent To Me" attribute.

>I really don't know if there is a max number of members in a group,
>but I know we have one with 1700 members. If your need is higher
>I can't help you with that, sorry.

There is no maximum that I'm aware of, but the bindery-based
NWReadPropertyValue function, which would normally be used to retrieve
the members of a group in bindery mode, breaks at around 8,000 members
as it uses a byte value for the segment number and so can cope with no
more than 255 segments, each of which holds 32 member IDs.

------------------------------

Date: Tue, 6 Jan 1998 15:42:45 +1300
From: "Baird, John"
Subject: Re: User object

>Do you know whether or not the user object has a "last logout time"
>attribute? If yes, which function call gets the parameter?

There is no attribute recording the last logout time.

However, both the most recent and 2nd most recent login times are stored
in the "Login Time" and "Last Login Time" attributes respectively. If
you have accounting enabled, then logout times can be retrieved from
sys:system\net$log.dat.

------------------------------

Date: Thu, 8 Jan 1998 10:03:09 -0600
From: Brian Scott
Subject: Re: Setting Up Administrator Rights

>I am currently in the process of migrating from 3.12 to 4.11. In
>3.12, all of my account admins needed to be supervisor equivalent in
>order to maintain accounts. I would like to change this when I move
>to 4.11. I would like to be able to split up the rights to have
>admins that can maintain accounts in a container, but not have full
>rights to the file system and vice versa. I've tested setting up
>both groups and Org. Role objects and then made them the trustee of the
>container with all rights but S. Apparently this flows down and
>gives them all rights to the file system. Do I need to set up an IRF?
>What is the best way to set this up? Any good doc out there on
>rights? I'm a little confused.

There are only two places NDS rights and file system rights overlap (it
seems that there was a third but I can't remember it right now).

1. If the user has supervisor rights to the server object, then they
   have rights to the root of all volumes on that server.
2. If the user has supervisor rights to the volume object, then they
   have supervisor to the root of that volume.

Check the user's effective rights on these objects (server and volume).
If they have S rights to the object it's coming from somewhere. Check
the trustees of the objects and see where it's coming from.

IRFs are evil. They lead to chaos, unless they are used carefully and
all rights are well documented.
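The "group member, but not member of the group" exchange earlier in this thread describes a user whose object names a group that does not list the user back, and John Baird's follow-up adds the fourth attribute ("Equivalent To Me") and the bindery-mode cap of 255 segments of 32 member IDs. The audit below is an added example, not code from the thread or from Novell: it models the four attributes the messages name as plain Python sets (a toy model, not the NDS API or schema), reports every user/group pair that is referenced by some attributes but not all four, and flags groups whose member count exceeds what a one-byte segment counter can address. The users and groups are constructed sample data.

```python
"""Consistency audit for NDS-style group membership (added example, toy model)."""
from dataclasses import dataclass, field

IDS_PER_SEGMENT = 32        # 128-byte bindery property segment / 4-byte object ID
MAX_BYTE_SEGMENTS = 255     # a one-byte segment number cannot address more than this
BINDERY_MEMBER_LIMIT = IDS_PER_SEGMENT * MAX_BYTE_SEGMENTS   # 8160


@dataclass
class User:
    name: str
    group_membership: set = field(default_factory=set)  # "Group Membership" (user side)
    security_equals: set = field(default_factory=set)   # "security equal to a group" (user side)


@dataclass
class Group:
    name: str
    members: set = field(default_factory=set)           # "Members of group" (group side)
    equivalent_to_me: set = field(default_factory=set)  # "Equivalent To Me" (group side, NW 4.10+)


def audit_membership(users, groups):
    """Return (user, group, attribute) for every attribute that lacks a reference
    asserted by at least one of the other three attributes."""
    umap = {u.name: u for u in users}
    gmap = {g.name: g for g in groups}

    # Collect every user/group pair asserted by any attribute on either side.
    pairs = set()
    for u in users:
        pairs.update((u.name, g) for g in u.group_membership | u.security_equals)
    for g in groups:
        pairs.update((m, g.name) for m in g.members | g.equivalent_to_me)

    findings = []
    for uname, gname in sorted(pairs):
        u, g = umap.get(uname), gmap.get(gname)
        if u is None or g is None:
            findings.append((uname, gname, "dangling reference"))
            continue
        checks = [
            ("Group Membership", gname in u.group_membership),
            ("Security Equal To", gname in u.security_equals),
            ("Members of group", uname in g.members),
            ("Equivalent To Me", uname in g.equivalent_to_me),
        ]
        findings.extend((uname, gname, attr) for attr, ok in checks if not ok)
    return findings


def bindery_visible_members(group):
    """Members a reader with a one-byte segment counter can return for this group."""
    return min(len(group.members), BINDERY_MEMBER_LIMIT)


def oversized_groups(groups):
    """Names of groups whose bindery-mode member list would be silently truncated."""
    return [g.name for g in groups if len(g.members) > BINDERY_MEMBER_LIMIT]


def sample_directory():
    """Constructed sample data: a small announcement group with one one-sided
    member (the thread's symptom) and a large group past the bindery limit."""
    alice = User("alice", {"announce"}, {"announce"})
    bob = User("bob", {"announce"}, {"announce"})     # present on the user only
    carol = User("carol", {"announce"}, {"announce"})
    announce = Group("announce", {"alice", "carol"}, {"alice", "carol"})

    big_names = {f"user{i:05d}" for i in range(9000)}
    big_users = [User(n, {"site_all"}, {"site_all"}) for n in sorted(big_names)]
    site_all = Group("site_all", set(big_names), set(big_names))

    return [alice, bob, carol] + big_users, [announce, site_all]


if __name__ == "__main__":
    users, groups = sample_directory()
    for finding in audit_membership(users, groups):
        print("inconsistent: user %s / group %s missing in %r" % finding)
    for g in groups:
        print(f"{g.name}: {len(g.members)} members, "
              f"{bindery_visible_members(g)} visible in bindery mode")
```

Run stand-alone it reports bob as missing from both group-side attributes of "announce", which is exactly the state in which a user still receives the group's rights but a tool that reads the group object (such as an e-mail distribution list) never sees him, and it flags "site_all" as larger than a byte-indexed segment reader can return.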
------------------------------

Date: Thu, 8 Jan 1998 14:37:26 -0500
From: Debbie Becker
Subject: Re: Setting Up Administrator Rights

>There are only two places NDS rights and file system rights overlap
>(seems that there was a third but I can't remember it right now).
>1: If the user has supervisor rights to the server object, then they
>have rights to the root of all volumes on that server.
>2: If the user has supervisor rights to the volume object, then they
>have supervisor to the root of that volume.

Quick note: Supervisor Object (or All Properties) right to the *server*
object will give the user(s) Supervisor file system right to all volumes
on the server. NDS rights assignments to volume objects have *no* effect
on file system access -- a common error. The server object is the link
between NDS rights and the file system.

>IRFs are evil. They lead to chaos, unless they are used carefully
>and all rights are well documented.

Not necessarily -- they do a really good job of keeping NDS admin people
out of file systems if used properly.

1) Make a user (or preferably, two users) trustees of the server object.
   Give them Supervisor object right.
2) Set the IRF on the server object to block all rights except Browse
   object and Read and Compare All Properties.
3) Remember to document who the server supervisor users are -- older
   versions of DS would let you delete these user objects without
   warning you of their importance!

------------------------------

Date: Tue, 13 Jan 1998 11:41:56 -0500
From: Debbie Becker
Subject: Re: Admin rights

>>We have a situation here where a person manages 150 people and,
>>therefore, needs supervisor access rights to those users' objects. I am
>>trying to find a way to assign supervisor rights to that person without
>>actually going through each and every user object's ACL and granting
>>the rights that way. Unfortunately, the container that the users are in
>>has other user objects, so I can't do anything on the container level.
>>Does anyone know a way to do it?
>
>You could create a group object and put all the users that require
>access into this group and then give this group the correct rights.

If you're running 4.11, you can pick all of the users who your subadmin
needs rights to, and run "Details on Multiple Users" to make subadmin
the trustee of all of them. Earlier versions, go to subadmin, choose
"Rights to Other Objects," add all of the affected users and then (with
all of them highlighted) assign the necessary rights.

------------------------------

From: "Jonathan Hobday"
Date: Tue, 13 Jan 1998 16:54:28 +0000
Subject: Netware 4.1 Hack : Admin password grace logins timed out and no b

Situation: Customer set grace logins on admin. Logged in to Sbackup.nlm
with admin while grace logins expired. No other accounts have NDS
rights. NDS not backed up.

After much thought and frustration:

FIX: Set bindery context to admin level. Used SETPWD.NLM to change the
admin password. Result is you get one chance to login and change the
password.

Reasoning (I think(?)): Netware 4.1 emulates the bindery into NDS calls.
The call that SETPWD makes is emulated to the NDS and sets the admin
password. The NDS call must reset the attributes when this call is made.
It doesn't reduce the grace logins or set any other parameters but
allows you a single login and warns that the login limit has been
reached. You can get back in.

------------------------------

Date: Wed, 4 Mar 1998 00:27:41 +0200
From: Teo Kirkinen
Subject: Re: Volume object in NDS - Unknown type

>I have seen this issue occur when a server was removed from our tree
>incorrectly using the install -.... option. And then a new server was
>installed using the same name.
>
>The old volume object remained even after a DsRepair and was also
>marked with a '?'. Stranger yet, this volume object also appeared under
>NdsManager, something that is not supposed to happen.
The reason for this is quite simple: each object type has several
mandatory attributes defined in the schema of the tree. If a mandatory
attribute is missing, the object is turned into an unknown object. A
volume object has, for example, "host server" as a mandatory attribute.
When the server is removed from NDS without removing the volumes (load
install -dsremove can do that in several situations) there is nothing
for the host server attribute of the volumes to refer to.

------------------------------

Date: Sun, 8 Mar 1998 01:06:11 -0600
From: Mobeen Azhar
Subject: Re: Extending the NDS Schema

>Are there any good utilities for extending the NDS Schema? Here's
>what I want to do:
>
> - Create a container object type with various text and list fields
> - Create a few leaf object types for use in the new container type
>
>A need to build a database using NDS has come up, and a utility
>would save a lot of time in the prototyping. The database will
>potentially hold trillions of records across hundreds of NetWare 4.11
>(and eventually NetWare 5) servers.

Try DSSNOOP.EXE from the Novell Consulting Services toolkit package.

------------------------------

Date: Wed, 18 Mar 1998 19:04:34 -0700
From: Joe Doupnik
Subject: Re: Missing volume object

>We have an annoying problem where the volume object for our user home
>directories has mysteriously disappeared. Needless to say that makes
>life a little difficult for assigning quotas and file rights.
>
>We have done the usual Vrepair & Dsrepairs. Vrepair gives a number
>of persistent errors which seem to relate to the Mac file space, but
>other than that no clues.

That's not a good sign. The way to tell NDS about your volumes is via
Load Install, Directory option, put mounted volumes into NDS option.
	Joe D.

------------------------------

Date: Thu, 19 Mar 1998 01:33:10 -0800
From: Randy Richardson
Subject: Re: Please explain [Public] and [Root] objects

>I would like to know what the [Root] and [Public] objects mean. I
>gather [Root] means the entire tree, but [Public]?
>Is it OK to delete these from trustee lists of users, etc.?

The "[Root]" object is the master container in your tree. Without this
container, you wouldn't be able to create Organizations, Countries,
Novonyx Messaging Servers, and other container objects that fit here,
and of course, all their children (other container and leaf objects).

The "[Public]" object acts like the Group object when it comes to
Trustee File/Directory assignments on your volumes, and NDS object
rights. All leaf objects are essentially members of this "[Public]"
Group-like object, and you can't control its membership.

---------

Date: Thu, 19 Mar 1998 21:05:38 +1100
From: Daryl Maunder
Subject: Re: Please explain [Public] and [Root] objects

Actually, [Root] is the top-level container in the tree (someone once
told me it is actually the Tree object itself); giving a right to [Root]
gives it to all objects in the tree.

[Public] applies to the same as [Root] plus users who have an attachment
to a tree but have not yet logged in, i.e. an unauthenticated
connection. Think of it as a NetWare 3 server with [Public] having R F
rights to the SYS:LOGIN directory. Be very careful what trustee rights
you give to [Public].

---------

Date: Thu, 19 Mar 1998 06:58:56 PST
From: Kevin Miller
Subject: Re[2]: Please explain [Public] and [Root] objects

A very _important_ point about the [Public] trustee is that rights
assigned to it are given to everyone, even if they are not authenticated
to the tree! This is VERY DIFFERENT from an everyone group! If you want
to grant file system rights to a large part of the tree, assign them at
the organization or OU level.

---------

Date: Thu, 19 Mar 1998 09:09:26 -0800
From: David Nelson
Subject: Re: Admin for multiple O=

>What is the correct way of creating an Admin for an NDS tree with
>multiple Organizations? I can't create a user object in the ROOT
>context, no?! Is it the correct way to make one Admin from one O.
>trustee of the other O:s?
>My wish is to have one SuperAdmin that can control the whole tree.
>There will be 4 organisations in the tree, connected by WAN links.
>Would it be better to create them as one org and have 4 OU:s?

Make your life simpler and look at what you're doing. Create 1
Organization and put your "SuperAdmin" user under there. Then, create 4
Organizational Units for your sites and you've accomplished your
requirements. Grant the "SuperAdmin" user object supervisory object and
property rights to [Root], and you're good to go.

------------------------------

Date: Thu, 19 Mar 1998 16:45:37 -0500
From: KDL Rich Nagel
Subject: Re: "Hidden" users/OUs

>Is there a way to search for and delete "hidden" users and OUs in an
>NDS tree? I mean hidden in the sense that only a user in a specific
>OU has any rights at all to that OU. Admin can't even see it in
>NWAdmin95.

You should be able to see the user at least indirectly if that user is a
Trustee of another object. But if the user was created to be what I'll
call a "Stealth" user, then it may be time to call Novell direct for
help.

I've created "Stealth" users in locations where I'm not really sure
about the level of "network smarts" of the staff member administering
the server in a branch, and so I give myself a backdoor. And at least
directly, you're right, an Admin user or anyone else with Supervisor
rights to the Root object still can't see the "Stealth" user.

------------------------------

Date: Fri, 20 Mar 1998 06:35:32 -0800
From: David Nelson
Subject: Re: NDS across multiple platforms

>Here's my question: If the NetWare servers are left in their file
>serving role, what is needed to use NDS as the directory system over
>the NetWare, NT, and Unix servers? Is this practical???

I can't answer specifically about UNIX servers. But Novell offers two
different ways of handling NT integration.
One of them is called Novell Administrator for Windows NT (NA4NT), which
allows you to manage users and groups on NT workstations or servers
configured either as workgroups or domains via NDS. In essence, your NT
boxes run what's called the Object Replication Service (ORS) and one of
your file servers runs an NLM that the ORS interfaces with. Changes to
your NT boxes can be made either through NWAdmin or User Mangler. NA4NT
is really nice, but it does lack a lot of features and administrative
granularity available with NT's User Mangler.

The other product, NDS for NT, does basically the same thing, but on a
larger scale. With NA4NT, where you more or less had two copies of every
NT SAM (one on the NT box and one in NDS), NDS for NT will suck the SAM
off the NT box and place it entirely in NDS. Specialized SAM DLLs
written by Novell redirect all SAM requests to NDS for processing. From
what I've been told, NDS for NT is supposed to handle the other NT
security features, policies, etc. that NA4NT doesn't.

We're also starting to move in a direction of unified administration of
our various platforms to ease our administration burdens. If you're
going to use Novell for file and print services, then it's practical to
unify the platforms via NDS; if you're going to use Novell solely for
the purpose of unifying the platforms via NDS, I wouldn't think so.

------------------------------

Date: Fri, 20 Mar 1998 14:10:53 -0700
From: Joe Doupnik
Subject: Re: Auditing the NDS Tree

>Does anybody know of a utility that helps trace down who created
>objects on the NDS Tree?
--------
Look up the people who make DS Standard. Not cheap, not cheaply built.
They make auditing software too. First class material. [Name PSI sticks
in my mind, but no time to look today.]
	Joe D.

---------

Date: Sat, 21 Mar 1998 07:20:43 -0500
From: Doug Black
Subject: DS Standard

DS Standard and its sister product AuditWare (?) are now both sold by
CA/Cheyenne. AuditWare would be the choice for examining who has what
rights and why. DS Standard is for creating and modifying NDS tree
structures. Check www.cheyenne.com for more details.

------------------------------

Date: Fri, 27 Mar 1998 12:40:31 -0600
From: "Jeffrey C. Ollie"
Subject: Re: NDS for NT Question

>In an implementation of NDS for NT, we do understand that the SAM
>replication gets handled by the INW server. The question that we are
>trying to get answered then is, "Is that INW server then acting as a
>BDC for that NT domain?" The reason that this is important to us is
>that we would like to eliminate the need to have NT Servers at remote
>sites just for the reason that the users need to authenticate into
>that domain somehow. Currently each of those sites has INW (or is
>going to have) and if the INW server can simulate an entry point for
>those NT users into those NT domains, we would be home free.

No, you'll need at least one NT server installed to operate as a domain
controller for each domain you create in NDS. NDS for NT replaces very
little on the NT server. There is a whole lot of code relating to
communicating with clients and authentication that isn't replaced by
NDS for NT.

I would, however, *LOVE* to see this capability in a future release of
NDS for NT. We may (for political reasons) have to go with Exchange
Server instead of GroupWise and this capability would tremendously
reduce the number of NT servers that we have to install/maintain.

------------------------------