NetWare® Administration
NetWare® Administration NetWare 4.0–6.0
Mark W. Foust
Boston • Oxford • Auckland • Johannesburg • Melbourne • New Delhi
Copyright © 2001 Butterworth–Heinemann
A member of the Reed Elsevier group
All rights reserved.

Digital Press™ is an imprint of Butterworth–Heinemann.
All trademarks found herein are property of their respective owners.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher.

Recognizing the importance of preserving what has been written, Butterworth–Heinemann prints its books on acid-free paper whenever possible.

Library of Congress Cataloging-in-Publication Data
Foust, Mark.
p. cm.
Includes index.
ISBN 1-55558-XXX-X (pbk. : alk. paper)

British Library Cataloging-in-Publication Data
A catalogue record for this book is available from the British Library.

The publisher offers special discounts on bulk orders of this book. For information, please contact:
Manager of Special Sales
Butterworth–Heinemann
225 Wildwood Avenue
Woburn, MA 01801-2041
Tel: 781-904-2500
Fax: 781-904-2620

For information on all Butterworth–Heinemann publications available, contact our World Wide Web home page at: http://www.bh.com.

Printed in the United States of America
Contents

Preface ix
Acknowledgments xi

1 The Novell Client 1
1.1 Client requirements 2
1.2 Client installation 3
1.3 ACU 5
1.4 Client property choices 8
1.5 Windows NT Client choices 10
1.6 How NetWare clients resolve network names 12
1.7 Microsoft’s TCP/IP stack 12
1.8 Windows IP stack tools 16
1.9 Highlights of recent client versions 21
1.10 Anatomy of a WIN9x client boot 22
1.11 NetWare client utilities 25
1.12 Tools to help with client and workstation issues 37
1.13 Log files 38
1.14 Novell-specific client troubleshooting utilities 39
1.15 Troubleshooting slow logins and client best practices 40
1.16 The future of the NetWare client 51
Supplement 1 NetWare Client DOS Command Line Utilities 53
Supplement 2 Novell Client32 Properties 75

2 What Can Be Done @ the NetWare Server 145
2.1 Next-generation NetWare 6 145
2.2 Entering the NetWare server environment 148
2.3 Server innerworkings 159
2.4 Protocols 172
2.5 Server console commands and NLMs 172
2.6 SET commands 173
2.7 Server SET commands 178
2.8 Printing 178
2.9 Pervasive SQL (formerly BTRIEVE) 185
2.10 Novell’s SMS backup software 186
2.11 Server troubleshooting 190
2.12 In ConsoleOne/NetConsole 198
2.13 Keystrokes available on the server 200
2.14 Patching/updating the NetWare server 200
2.15 Hardware vendor support for NetWare 202
2.16 Microsoft tools for NetWare administration/migration 208
Supplement 1 Server Console Commands and NLMs 211
Supplement 2 SET Commands 273
Supplement 3 Login Script Variables 276

3 NDS Management 339
3.1 NDS Administration Guide 340
3.2 NDS versions and types 340
3.3 Which NDS version should you use? 341
3.4 NDS terminology 344
3.5 SYS:_NETWARE hidden directory 369
3.6 How to manipulate the NDS directory 371
3.7 LDAP support 382
3.8 NDS objects 385
3.9 Repairing NDS 386
3.10 NDS health check 387
3.11 NDS dependence on SLP 387
3.12 NDS dependence on time sync 390
3.13 The NDS security model 395
3.14 Login script variables 398
3.15 NDS design guidelines 399
3.16 NDS tuning and optimization 401
3.17 Tools for NDS 405

4 IP and IPX Management 413
4.1 NetWare 6 TCP/IP improvements 414
4.2 IP packet types 414
4.3 IP management utilities 415
4.4 Best practices 432
4.5 SLP 434
4.6 Name resolution 461
4.7 INETCFG 466
4.8 Configuration files related to TCP/IP 470
4.9 LAN drivers and protocol modules 472
4.10 IP management through your browser 475
4.11 IP services 480
4.12 NetWare 5 TCP/IP APIs 490
4.13 IP utilities and troubleshooting tools 491
4.14 Subnet addressing 501
4.15 Links 504

5 Installing a NetWare Server 505
5.1 Minimum hardware requirements 505
5.2 Step-by-step instructions 508
5.3 Third-party tools 530

6 Upgrading a NetWare Server 533
6.1 Patching is upgrading 534
6.2 Pre-install checklist 536
6.3 Licensing—NLS 546
6.4 Migration Paths 547
6.5 NT to NetWare 5.1 migrations 547
6.6 Customizing an installation CD with a support pack 557
6.7 Upgrading NDS 560
6.8 Response file syntax 561

7 Other Novell Products 565
7.1 Installing Novell products 566
7.2 Managing Novell’s products 566
7.3 Novell products 566
7.4 Novell’s support lifecycle product forecast 622
7.5 Other Novell products 623

8 NetWare Security 625
8.1 NetWare “out of the box” 625
8.2 Websites relating to NetWare security 660

9 ADMIN Tips, Tricks, and Third-Party Utilities 663
9.1 From one consultant to another 663
9.2 NetWare versus NT 665
9.3 Administrator common tasks and tools 667
9.4 Server tuning 672
9.5 Customer hardware best practices 680
9.6 Tuning the Network/NetWare traffic management 681
9.7 Lost facts 695

Appendix 703
Index 719
Preface
I have always been a bit disappointed with technical books. So many times I’m told of good ideas, but rarely am I told how to actually do something. Worse, many books will try to convince you of the need to secure your servers, but give very little in the way of specific recommendations. I set about to write this book with that in mind.

I spent a couple of years supporting NetWare installations working for American Airlines SABRE. They had the largest supported NetWare base in the world. They would sell their reservation system software coded into NetWare 2.15c. They actually got the source code from Novell and wrote into the source code! I then went on to other admin duties and finally ended up working for Novell. I was honored to be asked into their consulting group. At the time I was one of only about 60 consultants in the world. I thought I knew NDS and NetWare pretty well. I had my MCSE and had done a lot of work on NetWare implementations. Wow, did I get a shock. The release of NetWare 5 and complex NDS implementations showed me how little I really knew. I, however, went on a quest to find out how things worked in NetWare and to find the best practices. Neither of these was denied me, nor was either readily available at the time.

This book is a culmination of my experiences, frustrations, and triumphs. The information I have included will show you both how things work and specifically what you need to do to make your implementation better. Let me know how I did ([email protected]). I wish you good reading.
Acknowledgments
This book would not be what it is without the generous contributions of:

My wife—thanks for sharing “your time” with the writing of this book. I love you.

Jeff Johnson took hours of his own time to read and critique my work. Many suggestions in the book come directly from his experience. I must say that he is probably the most adept Novell/NetWare administrator that I have met.

Oscar Sanchez looked over Chapter 7, using his keen sales and consulting ability to correct some of the content.

There are others that I can’t name, but whom I appreciate also.
1 The Novell Client
In this chapter I reveal the workings of the intrusive NetWare workstation client software. I say intrusive because if you’ve had any history with this piece of software, you know what a bear it can be to support. I lay out the client by explaining each piece, then go into detail in the two accompanying supplements. The first supplement explains the client DOS command line utilities (these are for administrators, not end users). I know that those of you who use ZENworks, ZENworks for Desktops or SMS will especially love Supplement 2, because I list all of the client property choices along with their registry keys. I have never seen a book give this information before.

My favorite part is the tuning and optimization section in this chapter. I give specific recommendations to speed up your client because I know that you often fight with slow client logons. The tuning and optimization advice alone is worth many times the price of the book—I know, because when I worked for Novell, they charged hundreds of dollars an hour for this kind of information. If you enjoy the tuning and optimization section, please note that I have also included the same kind of information for NDS (Chapter 3) and the NetWare server (Chapter 9).

The function of the NetWare client is to harness the power of Novell’s NetWare platform and Novell Directory Services (NDS). The client’s job is to package workstation requests in a manner the NetWare server can understand and respond to efficiently. The server speaks NetWare Core Protocols (NCPs) for native file and print functions; therefore, the client must, too. NetWare 5 allows this presentation-level protocol to travel on the back of either IPX or IP—it was IPX only in all earlier versions of NetWare. Soon Novell may replace NCP with WebDAV, SOAP and/or other open protocol standards (though it is a mystery how they could support something like ZENworks without an NCP client). Without a client piece on your workstation talking NCP, you are confined to using Novell’s FTP services and an FTP client to share files.

Microsoft provides an NDS and bindery client that works with NetWare over IPX only. I do not recommend using it. Microsoft’s client implements only about 25% of the NCPs that Novell’s client does. You will not be able to harness the features and power of your NetWare investment with another client.

Realize that the Novell client is very intrusive on the Windows 3.x and Windows 9x platforms because they are not serious network business operating systems—Windows NT Workstation, Windows 2000 and Windows XP are. The client software sits on top of the desktop OS and, therefore, must compensate for the lack of network services in the Win 3.x and 9x versions—thus the annoying DOS full-screen network messages that require a Ctrl+Enter to get back to the GUI.

Working for Novell, I was asked many times by clients to fix client problems. The two that constantly came up were:

1. How do we get a clean uninstall of the client? I have never seen any good uninstall program from Novell. UNC32.EXE does not completely remove client software and registry pieces. The best way to uninstall is to take a before and after snapshot of a workstation.

2. How do I upgrade the client through ZENworks or Microsoft’s SMS? Realize that any client upgrade currently cannot be packaged in a software distribution system without running the full executable. Novell’s client software must run the executable to discover hardware settings that “customize” the client to your workstation. For ZENworks, look on the client CD at \AOT\CLIENTUPDATE\TEMPLATE\README.TXT.
1.1 Client requirements

The basic hardware requirements for the Windows 95/98 Novell client are:

• The client needs to be an Intel (or compatible) box with at least an 80486 processor.
• 14MB of free disk space is required for the typical client installation. Custom installations may take up to 28MB of disk space.
• The client workstation needs at least 16MB of RAM. I recommend that at least 32MB of RAM be installed on the client workstation.
• A NIC is required for network connectivity.
• The original version of Windows 95 is not supported by the Novell Clients—you will need at least Support Pack 1 for Windows 95.

The latest version of the NetWare client(s) is available at http://www.novell.com/download. There is a clients.txt file that you can download and check to see if you have the latest versions.
1.2 Client installation

When the client CD is loaded on a workstation a GUI starts, and you are walked through the install via a wizard. You have few choices during the install; basically they are:

Installation Options—Typical or Custom
• Typical: Novell will make default choices for you
• Custom: You choose the client product options listed below

Other Product Installs—Add-on modules to the Novell NetWare client
• Novell Client (NT and WIN2000 only): Chosen by default
• Novell Distributed Print Services (NDPS): Support for Novell’s newest enterprise print services
• Novell IP Gateway: Support for NetWare servers that are running gateway services
• Novell Target Service Agent: Support for backing up this workstation from the server
• Novell Workstation Manager (since client version 2.5): Support for NDS management of this workstation and user accounts. This particular module can be the weak link in the chain when troubleshooting slow workstation logins. Verify that all ZENworks and search policies, as well as all client and server patches, are in place, as one of the Workstation Manager’s duties is to contact NDS to find information (otherwise it may “tree-walk” excessively to find it)
• Novell SNMP Agent (WIN9x only): Support for a Simple Network Management Protocol agent
• Host Resources MIB for the Novell Client (WIN9x only): Support for SNMP applications to poll this client for inventory information
• Network Management Responder for the Novell Client (WIN9x only): Supplies OS, BIOS and ODI information and services to a network manager
• Novell Remote Access Dialer (WIN9x only): Support for NWIP and NWCAP for dial-up networking
• Novell NDS Provider – ADSI (WIN9x only): Supports communication between Microsoft’s Active Directory applications and NDS
• ZENworks Application Launcher Service (NT and WIN2000 only): Support for application installs via ZENworks

Protocols—Choices
• IP only: Enables the check box for removing IPX if present. Support for Pure IP (only available for NetWare server versions 5 and 6)
• IP with IPX Compatibility: Loads IP with the CMD module (compatibility mode driver), which will use the IP protocol for all NCP calls and tunnel any IPX traffic inside an IP packet if, and only if, a legacy IPX application is loaded on the client workstation—see the chapter on IP for more information. This option requires the CMD module to be loaded on the server, too
• IP and IPX: Support for both protocols—this is the best option for migrating off of IPX, but costs the most network traffic
• IPX: Legacy IPX protocol support

Note: Remember that each IPX frame type you load on the client (or server) will SAP; therefore, if your server has 5 services to advertise and 3 IPX frame types, you will cause the server to broadcast 15 SAPs per minute minimum.
1.2.1 Important release notes

Note that the client CD includes several important text files at the root of the CD:

• INST_LOG file—Sample login scripts to use for ACU installs
• DOSWIN—Novell Client for DOS and Windows 3.x release notes
• NWIP—NetWare IP support notes—this is not the Pure IP that is in NetWare 5
• READ95—Release notes for WIN9x
• README—ZENworks for Desktops starter pack release notes
• WINNT—Release notes for WINNT
• \AOT\CLIENTUPDATE\TEMPLATE\README.TXT—Application object templates to deploy the workstation client update through ZENworks

Note: The client CD also comes with Netscape Navigator and Adobe Acrobat Reader. The NetWare 5.x server CD comes with instructions to make a DOS IP client—use this for staging servers/clients over the wire.
1.3 ACU

Use the Automated Client Upgrade (ACU) utility for upgrading many clients at once. It updates clients through a utility that runs during the normal end-user login process. A client machine logs in and runs the login script, which compares the current client version to the newest version, made available on a file server by an administrator. If the client version stamps match, the user sees nothing. If the version stamps do not match, the upgrade process starts immediately. The user, by the administrator’s choice, may not interfere with the installation—except to turn off the machine, which will cause the client to reinstall at the next login anyway. As an administrator, you have the option to display a small banner announcement. Use this banner to ask end users for their patience during the short install process—after which the workstation will reboot automatically.

Implementing the ACU is a snap. Novell provides a GUI utility called NCIMAN.EXE to manipulate a text file used to customize the many client choices and properties for the install. If your environment requires the use of several differing client installs, you may use NCIMAN.EXE to create a customized install text file for each. (See Figure 1.1.)

Figure 1.1 NCIMAN.EXE is used to configure all possible client options into a text file. The ACU client installation process will read this configuration file. This utility is appropriate for larger installations.
1.3.1 NCIMAN

The ACU is subject to some problems. Most notably, I have had many problems with clients that are using VLANs. Look up issues in Novell’s TIDs. The ACU.EXE file can be found with your downloaded, extracted client—in the same directory as the SETUP.EXE file. The ACU is easy to set up and involves the following methodology:

1. Create a shared directory on a server with Read and File Scan rights. Copy the client files to it. Copy the .CAB files from WIN95 and/or WIN98 to the directory—both WIN95 and WIN98 can exist in the same directory as they have different .CAB file names. If you have different versions of WIN95—OSR1 and OSR2—you will need to separate the .CAB files into different directories and use the login script variable that reads the Windows 95 version to have the client start the proper Windows version client install.

2. (Optional) Use a text editor to modify applicable settings in the [FILES], [REQUESTER], [TCP/IP], [NWIP], [SNMP], [HOSTMIB], [TSA], [SETUP] and [driverTranslationTable] sections of the INSTALL.CFG file—or a configuration filename of your choice—to include the desired filenames, requester information, and settings.

Note: Some sections in the INSTALL.CFG file contain an “Override local settings =” parameter. If the parameter is set to FALSE, the values in that section will be updated only on workstations that don’t explicitly define those values. If the parameter is set to TRUE, those values will override the existing values or be placed as new values.

3. Edit login scripts.

Note: You can also use NAL objects to simplify the upgrade process. Go to http://support.novell.com and see the relevant TIDs. More information about the ACU process can be found on Novell’s documentation site—www.novell.com/documentation—and in TIDs.
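The TRUE/FALSE behaviour of the “Override local settings =” parameter in step 2, modelled as an added example (this is not Novell’s code or the real INSTALL.CFG parser): the section names and the parameter name come from the text above, while the keys under [REQUESTER] and [TCP/IP] and the workstation’s “before” values are constructed stand-ins.

```python
"""Model of how an ACU install applies INSTALL.CFG sections to a workstation's
existing settings.  Added example, not Novell's code.  Only "Override local
settings" and the section names are from the book; the other keys and the
workstation's current values are constructed for illustration.
"""
import configparser

OVERRIDE_KEY = "Override local settings"

# Constructed INSTALL.CFG fragment: one section that overrides unconditionally,
# one that only fills in values the workstation has not explicitly defined.
INSTALL_CFG = """
[REQUESTER]
Override local settings = TRUE
Preferred Server = FS1
Name Context = .users.acme

[TCP/IP]
Override local settings = FALSE
Name Resolution Timeout = 10
"""

# Constructed "before" state of one workstation (section -> {key: value}).
WORKSTATION = {
    "REQUESTER": {"Preferred Server": "FS9"},
    "TCP/IP": {"Name Resolution Timeout": "30"},
}


def parse_install_cfg(text):
    """Parse INI-style INSTALL.CFG text into {section: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep keys such as "Preferred Server" as written
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def apply_section(local, section):
    """Apply one INSTALL.CFG section to a copy of the workstation's values for that section.

    TRUE  -> every value in the section replaces, or is added to, the local value.
    FALSE -> a value is written only where the workstation has no explicit value.
    The override parameter itself is never written to the workstation.
    """
    override = section.get(OVERRIDE_KEY, "FALSE").strip().upper() == "TRUE"
    merged = dict(local)
    for key, value in section.items():
        if key == OVERRIDE_KEY:
            continue
        if override or key not in merged:
            merged[key] = value
    return merged


def apply_install_cfg(workstation, cfg_text):
    """Return the workstation's settings after every section of the file has been applied."""
    result = {section: dict(values) for section, values in workstation.items()}
    for section, values in parse_install_cfg(cfg_text).items():
        result[section] = apply_section(result.get(section, {}), values)
    return result


if __name__ == "__main__":
    for section, values in apply_install_cfg(WORKSTATION, INSTALL_CFG).items():
        print(section, values)
```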
1.3.2 NDIS versus ODI drivers

Novell now recommends using the Microsoft NDIS drivers for your client. They are 32-bit, versus the older 16- and 32-bit Novell ODI drivers. You can force the client install to install the NDIS drivers with the following switch:

SETUP /N

or, if you are using the Automated Client Upgrade utility:

SETUP /ACU /N

If you want to switch an already installed ODI driver, search the Novell TIDs on NDIS. Microsoft supplies the latest NDIS drivers on their FTP site:

ftp://ftp.microsoft.com/Services/whql/ndis/
ftp://ftp.microsoft.com/Services/whql/drivers/

Note: Loading the NDIS drivers sometimes requires removing the older client software first. Be sure to remove the relevant registry keys (covered later in this chapter) and the ODI files in the WINDOWS directory.
1.3.3 Client workstation time

The workstation time is automatically synched with the server time upon each login, with the workstation’s time calculated against its own time zone setting. Change the client time zone setting by double-clicking on the time displayed in the systray ➝ Time Zone. The server gives Greenwich Mean Time (GMT), which the workstation takes and adjusts according to its own time zone setting. A user who travels across time zones is responsible for changing his workstation’s time zone.
1.4 Client property choices

The NetWare client can be “tuned” through the many client property choices. I doubt many administrators have used more than 5 or 6 of these parameters. Still, the impressive offering of choices enables granular control over your environment. Client versions from 2.2 onward may be used with NetWare 5.x—though it is not until client 3.0 that the IP protocol can be used to talk natively to the server through NCP. The property choices differ according to the installed client version. Client version 3.21 is explained here and in the accompanying supplements. Changing the client properties can be fairly simple. There are many ways to change the client configuration:

• Pre-install via an unattended text file—can be made with NCIMAN.EXE
• Post-install via ZENworks for Desktops
• Post-install via a login script registry hack
• Post-install via a policy file, CONFIG.POL
• Post-install via other desktop management software

1.4.1 Setting properties on multiple clients after the install

Beginning with ZENworks and NetWare 5, you can use NetWare Administrator to configure client properties for multiple workstations. The properties that you set in NetWare Administrator are pushed down to the client workstations at scheduled times or when specified events occur, such as when a user logs in.

To set the properties on multiple workstations after installation: NetWare Administrator ➝ Create a container, user, or workstation package and associate that package with an object in the tree ➝ Open the package that you want to set properties for ➝ Click Page Options ➝ Set the properties that you want to change ➝ Close the property pages ➝ Schedule the time or event when the properties will be pushed down to the workstations. For instructions on using the Scheduler, see the ZENworks online help included with NetWare Administrator.

The workstations do not need to be logged in to the network for the update to take place. However, they do need to be powered on. Use the Scheduler to specify what to do if a workstation is not on when the update takes place. See the online help for more information.
1.4.2 Novell Client32 properties

In the supplement to this chapter, I have provided the many client choices along with most of their registry settings.
1.4.3 Frame type choices

Protocol frame type choices have a direct bearing on network traffic. Choose wisely. I normally recommend Ethernet II for all IP and IPX traffic—read on.

Ethernet—For Ethernet network packet support
• 802.2: Open-standard IPX packet frame type. This is the default choice for NetWare 4.x and above.
• 802.3: The worst choice of frame types. This non-standard frame type does not support check-summing on the packets. This is the default IPX choice for NetWare 3.x.
• Ethernet II: Normal default for IP. IPX may be run on this frame type too. This frame type is considered the cleanest.
• Ethernet SNAP: Not used much anymore.

Token Ring—For Token Ring network packet support
• Token Ring: Standard for IPX
• Token Ring SNAP: Standard for IP

Frame type advice

Standardize on the Ethernet II frame type for both IP and IPX. Ethernet II is the cleanest of all packet choices. Stay away from 802.3, if possible—it is the sloppiest and lacks some important data integrity features that 802.2 and Ethernet II support. Do not let the client use the default auto frame type in:

Control Panel ➝ Network ➝ IPX/SPX compatible protocol ➝ Advanced ➝ Frame type ➝ Auto

The client will broadcast 20 packets to find the frame type. The client then listens on the wire for the first frame type and binds it to the NIC card. This can be a problem for LANs with misconfigured devices—like printers—that broadcast many frame types. Also, imagine the traffic from:

1,000 workstations × 20 broadcasts at boot up = 20,000 broadcasts each morning processed by switches, routers and workstations (you get the idea)

When IPX is loaded, the Network box in the Control Panel will show Novell’s 32-bit client protocol and Microsoft’s IPX/SPX compatible protocol. The properties of each are explained. Again, each of these values is written in the Microsoft registry and may be edited there.
1.5 Windows NT Client choices

The Windows NT client choices are almost exactly the same as the WIN9x client’s. The way that NT handles the choices is very different, however: a WIN9x client will proceed through an orderly sequence of name space providers, whereas NT will blast all chosen methods at the same time.

The NetWare client for NT/2000 supports the system policy editor. The policy file is a .POL file that contains Windows NT/2000 Client Policy settings. These are settings that are created and edited with NetWare Administrator or by using the Microsoft POLEDIT utility with the NT/2000 Client template. The policies are applied or written to the registry when a user logs in to the network. Novell Client for Windows NT/2000 software provides a custom policy template for use with the Windows NT/2000 System Policy Editor (POLEDIT.EXE). Use the System Policy Editor and the Novell Client for Windows NT/2000 template to create a policy file that specifies your environment’s customized values for Novell Client for Windows NT/2000 settings.

After ensuring that the settings in the policy file work correctly in a lab environment, save the policy file on every preferred server—e.g., SYS:\POLICIES\WINNT\NTCONFIG.POL. The Novell Client for Windows NT/2000 settings are read from the policy file and then stored in the workstation registry every time a user logs in to the network. If no preferred server is specified, the policy file SYS:\POLICIES\WINNT\NTCONFIG.POL on the server with the first connection is used. See the Microsoft Windows NT/2000 Resource Kit documentation for System Policy Editor information. To ensure that your policy will run, the following registry setting must be set to 1 (the default):

\\HKLM\System\CurrentControlSet\Control\Update\UpdateMode:DWORD:1

NetWare Administrator makes it possible to set up user and workstation policies. For more information, refer to the ZENworks online documentation for NetWare Administrator.
1.5.1 Differences between Windows 95/98 and Windows NT clients

The Windows 95/98 client works in sequence, giving a prioritized order in which the client uses the Name Service Providers (NSPs) to look for services. If one of the services fails, the client tries the next one. For example, if the workstation has both IP and IPX name service providers configured and you have IP as the default, the client will use the NWHOST file to resolve names. If IPX is the second choice in the Protocol Order box, the client will then attempt the IPX name services that support IPX addresses. If you right-click on the Network Neighborhood icon and select the Novell NetWare Client Properties page, you can select the Protocol Preferences tab. There you can order how you want to initially connect to either IP or IPX services. The order in which the protocols are listed is the order in which they are used. If IP is the preferred protocol, the client will try the IP-based NSPs first, then try the IPX-based NSPs. The default order of IP service providers is NWHOST, SLP, DNS, NDS, DHCP, BINDERY and finally SAP. You can use the Up/Down buttons in the Protocol Preference tab to prioritize the order in which both the protocols and the NSPs will be tried.

Windows NT/2000/XP client

The Windows NT client can’t determine the protocol order—only the provider order. Instead, the Windows NT client checks all of the name service providers (NSPs) simultaneously. All configured NSPs are first queried with a cache flag that allows the NSPs that maintain a cache to resolve the name. If no NSP resolves the name, the providers are queried without the cache flag. You can add and remove services, but you can’t change their priority because there isn’t one. The NT client simply sends out service requests to all services simultaneously and then waits a certain amount of time to see what comes back. The default time to wait for responses from the NSPs is 10 seconds (this is the Name Resolution Timeout value and can be adjusted from the Advanced Settings tab on the client properties page). If the client can’t find anything via IP, then it will use the IPX NSPs. Also, the NT client does not use the preferred server or preferred tree information to establish an initial network connection. The user must press Ctrl+Alt+Del to bring up the NetWare Login dialog box on an NT workstation. Windows NT or 2000 will auto-reconnect at the volume level only. This is a limitation of Windows NT and Windows 2000—not the NetWare client.
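The two lookup strategies described in this section, the Win9x ordered walk and the NT simultaneous two-pass query with its 10-second timeout, modelled as an added example (not Novell’s client code): the provider names, their default order and the timeout are from the text, while the server names FS1 to FS5, the addresses and the response times each provider is given are constructed so the two strategies can be compared on the same input.

```python
"""Model of how the Win9x and Windows NT Novell clients consult name service
providers (NSPs) to locate a server.  Added example, not Novell's code.

From the book: the IP provider order NWHOST, SLP, DNS, NDS, DHCP followed by the
IPX providers BINDERY and SAP; the Win9x sequential walk; the NT two-pass query
(cache flag first, then without) and its 10-second Name Resolution Timeout.
Constructed here: the answers, caches and response delays of each provider.
"""

NAME_RESOLUTION_TIMEOUT = 10   # seconds; the NT client's default


class Provider:
    """One NSP: what it can resolve, what it already holds in cache, how long it takes."""

    def __init__(self, name, answers, cache=None, delay=1):
        self.name = name
        self.answers = answers        # names this NSP can resolve by asking the network
        self.cache = cache or {}      # names it can answer without touching the network
        self.delay = delay            # seconds a network lookup is assumed to take

    def query(self, target, cache_only=False):
        """Return an address or None.  With the cache flag set only the cache is consulted."""
        if target in self.cache:
            return self.cache[target]
        if cache_only:
            return None
        return self.answers.get(target)


def resolve_win9x(target, providers):
    """Win9x: walk the NSPs in configured order (IP providers, then IPX); first answer wins."""
    for p in providers:
        addr = p.query(target)
        if addr is not None:
            return addr, p.name
    return None, None


def resolve_winnt(target, providers, timeout=NAME_RESOLUTION_TIMEOUT):
    """Windows NT: ask every NSP at once, first with the cache flag, then without.

    There is no provider priority: the earliest reply wins, and a reply that would
    arrive after the timeout is never seen by the client.
    """
    for cache_only in (True, False):
        replies = []
        for p in providers:
            addr = p.query(target, cache_only=cache_only)
            if addr is None:
                continue
            arrival = 0 if target in p.cache else p.delay
            if arrival <= timeout:
                replies.append((arrival, p.name, addr))
        if replies:
            arrival, name, addr = min(replies)    # earliest reply, not list position
            return addr, name
    return None, None


def sample_providers():
    """Constructed lab: a stale NWHOST entry, an SLP cache hit, a slow DNS server, SAP over IPX."""
    return [
        Provider("NWHOST", {"FS1": "10.0.0.5"}, delay=0),                      # local file, instant
        Provider("SLP", {"FS1": "10.0.0.50", "FS2": "10.0.0.51"},
                 cache={"FS2": "10.0.0.51"}, delay=2),
        Provider("DNS", {"FS1": "10.0.0.50", "FS3": "10.0.0.52"}, delay=15),   # slower than the timeout
        Provider("NDS", {}),
        Provider("DHCP", {}),
        Provider("BINDERY", {}),
        Provider("SAP", {"FS4": "00000001:0000000000A1"}),                     # constructed IPX address
    ]


if __name__ == "__main__":
    nsps = sample_providers()
    for server in ("FS1", "FS2", "FS3", "FS4", "FS5"):
        print(server, "9x:", resolve_win9x(server, nsps), "NT:", resolve_winnt(server, nsps))
```

FS3 shows the failure mode an administrator sees as an intermittent “server not found” on NT only: the Win9x client waits for the slow DNS reply, while the NT client discards any reply that misses the 10-second window unless the Name Resolution Timeout is raised.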
1.6 How NetWare clients resolve network names

I cover this topic in the TCP/IP chapter. If you want to look it up online, Novell publishes TID 10018391 “How NW5 Clients Locate NW Services.”
1.7 Microsoft’s TCP/IP stack

Novell uses Microsoft’s implementation of the TCP/IP stack. It can be added to the client at the time of the NetWare client installation or through the Network icon in the Control Panel. The Windows TCP/IP registry entries are documented on Microsoft’s support Website. You can also find information on the CD—see Admin\Reskit\Helpfile\Win95rk.hlp on the Windows 95 OS CD-ROM or \tools\reskit\help on the WIN98 CD-ROM.
1.7.1 WINSOCK.DLL version 2 (WSOCK32.DLL, too)

NetWare 5 clients support Winsock 2—which is required for Service Location Protocol (SLP) and Novell’s IP Gateway—and will automatically overwrite older Winsock files. The Novell Client for Windows 95/98 version 3.0 and higher all install the 2.0 Microsoft version of Windows Sockets (WINSOCK.DLL). If Native IP, SLP, or IP Gateway functionality is not needed (e.g., installing with the IPX Only option), then it is not necessary to install WINSOCK2 either prior to or during the Novell Client installation. Winsock 2 was not defined when Win95 was released—it is only available as a separate download from Microsoft. On all of the other platforms, Winsock 2 is the standard transport interface. Several of Novell’s user-level components, such as Network Neighborhood, use the Winsock name providers to display NetWare trees and servers. Sometimes distributing the new WINSOCK.DLL before the upgrade is prudent. Use the Network Application Launcher (NAL) by either running W95WS2SETUP.EXE or taking a ZENworks for Desktops snapshot.

If you do not want the Winsock 2 file upgraded on your workstation, “REM” it out of NWSETUP.INI by editing the file before the install. Put a semicolon in front of line 2:

[Client.Run]
1=WS2NSINS.EXE /install,>=1998
2=WS2SETUP.EXE,\

system32\drivers\etc in WINNT or C:\WINDOWS in WIN9x. The advantage of using the LMHOST file is that name lookups are virtually instantaneous—as the entries are kept in RAM cache. Like the NWHOST file, the disadvantage is the maintenance of the file. Without a desktop management utility such as ZENworks for Desktops, I would use it only in smaller implementations. NETBIOS names are up to 15 characters. Further information can be found in the LMHOSTS.SAM file.
1.7.3 NETBIOS name resolution order
When NetBIOS or TCP/IP host names are used to refer to computers, the corresponding IP address must be found. This is name resolution. The NIC (MAC) address must eventually be found too; NIC addresses are resolved by the Address Resolution Protocol (ARP). Troubleshoot NetBIOS on a command line with:
C:\>nbtstat
More information about IP command line troubleshooting is covered later in this chapter. The following methods are attempted (in order) to resolve Microsoft NetBIOS host names to TCP/IP addresses:
1. NetBIOS Name Cache: Local cache containing the locally registered computer names and computer names the local computer recently resolved.
2. WINS Server (NetBIOS Name Server): An RFC 1001/1002-compliant computer that provides NetBIOS name resolution. Microsoft implements this as Windows Internet Name Service (WINS).
3. B-node broadcast: Local broadcast on the local network for the IP address of the destination.
4. LMHOSTS file: Local file that maps IP addresses to NetBIOS computer names.
5. HOSTS file: Local file in the same format as a 4.3 BSD hosts file. Maps host names to IP addresses and is typically used to resolve names for TCP/IP utilities.
6. DNS Server: Domain Name System (DNS) server, configured with a DNS daemon, that maintains a database of IP address/host name mappings. May be maintained on a NetWare server, NT or UNIX.
This is the h-node (hybrid) order a WINS-configured client uses. The node type (b, p, m or h) comes from DHCP option 46 or the registry, and a client with no WINS server configured simply skips step 2. Note that steps 1 and 4 are answered from files on the local disk: a #PRE entry planted in LMHOSTS wins over WINS and DNS for that name, so on a workstation that behaves oddly, read the file before you suspect the servers.
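The walk through the six steps above, as an added example that is not from the book or from Microsoft: it parses constructed LMHOSTS and HOSTS files (the #PRE entries land in the cache before any lookup), and dictionaries stand in for the WINS database, the DNS zone and the hosts that would answer a b-node broadcast. It shows why FS2’s LMHOSTS entry loses to WINS while FS1’s #PRE entry beats everything.

```python
"""Walk the NetBIOS name-resolution order (name cache, WINS, b-node broadcast,
LMHOSTS, HOSTS, DNS) over constructed sample files.

Added example, not from the book or from Microsoft. The LMHOSTS and HOSTS
contents, and the dictionaries standing in for a WINS database, a DNS zone
and the hosts that would answer a broadcast, are all constructed here.
"""

SAMPLE_LMHOSTS = """\
# constructed LMHOSTS sample (keywords are case-insensitive)
10.0.0.5      FS1          #PRE                # preloaded into the name cache at startup
10.0.0.6      FS2                              # only consulted when LMHOSTS itself is parsed
10.0.0.7      PDC1         #PRE #DOM:CORP
"""

SAMPLE_HOSTS = """\
# constructed HOSTS sample (4.3 BSD format: address, name, aliases)
127.0.0.1     localhost
10.0.0.20     fs3.corp.example   fs3
"""


def parse_lmhosts(text):
    """Return (entries, preloaded): all name->IP mappings, and the #PRE subset."""
    entries, preloaded = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith('#'):
            continue
        addr, name = parts[0], parts[1].upper()[:15]   # NetBIOS names are at most 15 characters
        entries[name] = addr
        if any(tok.upper() == '#PRE' for tok in parts[2:]):
            preloaded[name] = addr
    return entries, preloaded


def parse_hosts(text):
    """Return name->IP for every name and alias; '#' starts a comment."""
    hosts = {}
    for line in text.splitlines():
        parts = line.split('#', 1)[0].split()
        for name in parts[1:]:
            hosts[name.upper()] = parts[0]
    return hosts


class NbtResolver:
    def __init__(self, lmhosts_text, hosts_text, wins=None, dns=None, segment=None):
        self.lmhosts, pre = parse_lmhosts(lmhosts_text)
        self.cache = dict(pre)              # #PRE entries start life in the name cache
        self.hosts = parse_hosts(hosts_text)
        self.wins = wins or {}              # simulated WINS server database
        self.segment = segment or {}        # simulated hosts that answer a b-node broadcast
        self.dns = dns or {}                # simulated DNS zone

    def resolve(self, name):
        """Return (ip, method) for the first step that answers, else (None, 'unresolved')."""
        nb = name.upper()[:15]              # NetBIOS-side lookups use the 15-character name
        fq = name.upper()                   # HOSTS and DNS see the full name
        steps = (('cache', self.cache, nb), ('wins', self.wins, nb),
                 ('broadcast', self.segment, nb), ('lmhosts', self.lmhosts, nb),
                 ('hosts', self.hosts, fq), ('dns', self.dns, fq))
        for method, table, key in steps:
            ip = table.get(key)
            if ip:
                self.cache[nb] = ip         # a successful answer is cached for later lookups
                return ip, method
        return None, 'unresolved'


def demo():
    r = NbtResolver(SAMPLE_LMHOSTS, SAMPLE_HOSTS,
                    wins={'FS2': '10.0.0.99', 'APP1': '10.0.0.30'},
                    dns={'FS3.CORP.EXAMPLE': '10.0.0.20', 'MAIL.CORP.EXAMPLE': '10.0.0.25'},
                    segment={'PRN1': '10.0.0.40'})
    names = ('fs1', 'fs2', 'app1', 'prn1', 'fs3.corp.example', 'mail.corp.example', 'nosuch')
    return {n: r.resolve(n) for n in names}


if __name__ == '__main__':
    for name, (ip, how) in demo().items():
        print(f'{name:20} {ip!s:12} via {how}')
```

Run it and note that FS2 resolves to the WINS answer (10.0.0.99), not the LMHOSTS one (10.0.0.6): only the #PRE entries get in ahead of the servers, which is exactly the property an attacker with write access to LMHOSTS would use.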
1.8 Windows IP stack tools
Wondering how to troubleshoot IP problems? There are lots of freeware/shareware programs available. I wanted to list some of the most important tools.
1.8.1 Windows 9x IP configuration
Start ➝ Run ➝ WINIPCFG, or open a DOS window and type:
C:\>IPCONFIG
C:\>IPCONFIG /?
/all—Show all parameters
/batch [filename.txt]—Writes the output to a file
/renew_all—Renews the IP address of all adapters on this machine
/release_all—Releases all of the IP addresses, on all adapters, on this machine
/renew X—Renews the IP address of adapter X
/release X—Releases the IP address of adapter X
Note: WindowsME supports both WINIPCFG and NT’s IPCONFIG.
1.8.2 Windows NT IP configuration
The default is to display only the IP address, subnet mask and default gateway for each adapter bound to TCP/IP. For Release and Renew, if no adapter name is specified, then the IP address leases for all adapters bound to TCP/IP will be released or renewed. NT also has a GUI utility in the Resource Kit, WNTIPCFG.EXE.
ipconfig [/? | /all | /release [adapter] | /renew [adapter]]
/?—Display this help message.
/all—Display full configuration information.
/release—Releases the IP address for the specified adapter.
/renew—Renews the IP address for the specified adapter.
Note: Some of the information below is OS specific; other commands work on both WIN 98 and NT. Notice that I give the NetWare server’s equivalent commands too.
1.8.3 ROUTE
Manipulates network routing tables. All symbolic names used for destination or gateway are looked up in the network and host name database files, NETWORKS and HOSTS, respectively. If the command is PRINT or DELETE, wildcards may be used for the destination and gateway, or the gateway argument may be omitted.
ROUTE [-fp] [command [destination] [MASK netmask] [gateway]]
–f—Clears the routing tables of all gateway entries. If this is used in conjunction with one of the commands, the tables are cleared prior to running the command.
–p—When used with the ADD command, makes a route persistent across boots of the system. By default, routes are not preserved when the system is restarted. When used with the PRINT command, displays the list of registered persistent routes. Ignored for all other commands, which always affect the appropriate persistent routes. Persistent routes live in the registry under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes; a persistent route you did not add is worth a look, since it survives reboots and silently redirects traffic.
command—Specifies one of four commands: PRINT (prints a route), ADD (adds a route), DELETE (deletes a route), CHANGE (modifies an existing route).
destination—Specifies the host or network the route is for.
MASK—If the MASK keyword is present, the next parameter is interpreted as the netmask parameter.
netmask—If provided, specifies a subnet mask value to be associated with this route entry. If not specified, it defaults to 255.255.255.255.
gateway—Specifies the gateway (next-hop) address.
Note: TCPCON at the NetWare server provides roughly the same features.
1.8.4 ARP
Address Resolution Protocol is used to map IP addresses to MAC (NIC) addresses. Every IP host on a segment does this for itself: a workstation ARPs for its next hop, and a router ARPs for the destination on the interface it forwards onto, while a switch merely forwards the frames. Since servers and workstations can route, provided they are multi-homed, the ARP function is essential to local network communications. ARP carries no authentication, so any host on the segment can answer for any IP address; the static entry created by –s is the only defence this utility offers, and it is worth pinning the default gateway on a machine you care about.
ARP -s inet_addr eth_addr [if_addr]
ARP -d inet_addr [if_addr]
ARP -a [inet_addr] [-N if_addr]
–a—Displays current ARP entries by interrogating the current protocol data. If inet_addr is specified, the IP and physical addresses for only the specified computer are displayed. If more than one network interface uses ARP, entries for each ARP table are displayed.
–g—Same as –a.
inet_addr—Specifies an internet address.
–N if_addr—Displays the ARP entries for the network interface specified by if_addr.
–d—Deletes the host specified by inet_addr.
–s—Adds the host and associates the Internet address inet_addr with the physical address eth_addr. The physical address is given as 6 hexadecimal bytes separated by hyphens. The entry is permanent in the sense that it is never aged out; it does not survive a reboot.
eth_addr—Specifies a physical address.
if_addr—If present, this specifies the Internet address of the interface whose address translation table should be modified. If not present, the first applicable interface will be used.
Note: TCPCON at the NetWare server provides roughly the same features.
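Reading the ARP table is also the quickest way to notice someone answering for an address that is not theirs. The following is an added example, not code from the book: it parses two constructed `arp -a` snapshots (in the Windows output layout) and reports one MAC claiming several IPs, and a critical IP (the gateway) whose MAC changed between snapshots. The 'critical' list is an assumption you would fill in for your own segment.

```python
"""Parse `arp -a` output and flag what an ARP-spoofing attempt leaves behind:
one MAC claiming several IPs, or a gateway/server IP whose MAC changed.

Added example, not from the book. Both snapshots are constructed in the
Windows `arp -a` layout; the list of critical IPs is an assumption.
"""
import re
from collections import defaultdict

SNAPSHOT_BEFORE = """\
Interface: 10.0.0.15 on Interface 0x2
  Internet Address      Physical Address      Type
  10.0.0.1              00-50-56-aa-bb-01     dynamic
  10.0.0.5              00-50-56-aa-bb-05     dynamic
  10.0.0.9              00-50-56-aa-bb-09     dynamic
"""

# Constructed: after poisoning, 10.0.0.1 (the gateway) and 10.0.0.9 share one MAC.
SNAPSHOT_AFTER = """\
Interface: 10.0.0.15 on Interface 0x2
  Internet Address      Physical Address      Type
  10.0.0.1              00-0c-29-de-ad-01     dynamic
  10.0.0.5              00-50-56-aa-bb-05     dynamic
  10.0.0.9              00-0c-29-de-ad-01     dynamic
"""

# One entry line: dotted IP, six hyphen-separated hex bytes, entry type.
ENTRY = re.compile(
    r'^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)', re.I)


def parse_arp(text):
    """Return {ip: (mac, type)}; the Interface and column-header lines do not match."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            table[m.group(1)] = (m.group(2).lower(), m.group(3).lower())
    return table


def find_anomalies(before, after, critical_ips):
    """Return a list of findings: ('duplicate-mac', mac, ips) or ('mac-changed', ip, (old, new))."""
    findings = []
    by_mac = defaultdict(list)
    for ip, (mac, _) in after.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:                       # one NIC answering for several addresses
            findings.append(('duplicate-mac', mac, tuple(sorted(ips))))
    for ip in critical_ips:                    # a pinned address should never change MAC
        old = before.get(ip, (None, None))[0]
        new = after.get(ip, (None, None))[0]
        if old and new and old != new:
            findings.append(('mac-changed', ip, (old, new)))
    return findings


def demo():
    return find_anomalies(parse_arp(SNAPSHOT_BEFORE), parse_arp(SNAPSHOT_AFTER),
                          critical_ips=['10.0.0.1', '10.0.0.5'])


if __name__ == '__main__':
    for finding in demo():
        print(*finding)
```

The 'mac-changed' check is the one a static entry (`arp -s 10.0.0.1 00-50-56-aa-bb-01`) would have prevented; the 'duplicate-mac' check catches the case where you have no baseline at all.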
1.8.5 NBTSTAT
Displays protocol statistics and current TCP/IP connections using NBT (NetBIOS over TCP/IP).
NBTSTAT [-a RemoteName] [-A IP address] [-c] [-n] [-r] [-R] [-s] [-S] [interval]
–a (adapter status)—Lists the remote machine’s name table given its name.
–A (Adapter status)—Lists the remote machine’s name table given its IP address.
–c (cache)—Lists the remote name cache, including the IP addresses.
–n (names)—Lists local NetBIOS names.
–r (resolved)—Lists names resolved by broadcast and via WINS.
–R (Reload)—Purges and reloads the remote cache name table (including the #PRE entries from LMHOSTS).
–S (Sessions)—Lists the sessions table with the destination IP addresses.
–s (sessions)—Lists the sessions table, converting destination IP addresses to host names via the hosts file.
RemoteName—Remote host machine name.
IP address—Dotted decimal representation of the IP address.
interval—Redisplays selected statistics, pausing interval seconds between each display. Press Ctrl+C to stop redisplaying statistics.
Note that –A works against any host that answers on UDP 137 and returns its whole name table, including the <03> entry that carries the logged-on user name; it is as useful to an attacker mapping your network as it is to you, which is a reason to keep port 137 from crossing the perimeter.
1.8.6 NETSTAT
Displays protocol statistics and active TCP/IP network connections. NETSTAT -an is the quickest inventory of what a workstation is listening on and who it is talking to.
NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]
–a—Displays all connections and listening ports. (Server-side connections are normally not shown.)
–e—Displays Ethernet statistics. This may be combined with the –s option.
–n—Displays addresses and port numbers in numerical form.
–p proto—Shows connections for the protocol specified; proto may be TCP or UDP. If used with the –s option to display per-protocol statistics, proto may be TCP, UDP or IP.
–r—Displays the contents of the routing table.
–s—Displays per-protocol statistics. By default, statistics are shown for TCP, UDP and IP; the –p option may be used to specify a subset of the default.
interval—Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics. If omitted, netstat will print the current configuration information once.
Note: TCPCON at the NetWare server provides roughly the same features.
1.8.7 TRACERT
Trace route reports on the route used between two hosts. The syntax is:
C:\>tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] target_name
–d—Do not resolve addresses to hostnames.
–h maximum_hops—Maximum number of hops to search for the target.
–j host-list—Loose source route along host-list.
–w timeout—Wait timeout milliseconds for each reply.
Note: Microsoft’s TRACERT sends ICMP Echo Request probes with increasing TTLs, whereas UNIX traceroute sends UDP probes to high-numbered ports. Both rely on the ICMP Time Exceeded messages each router returns, so a firewall that drops inbound ICMP echo (a common policy) blinds TRACERT while the UDP-based version may still complete, and one that drops all ICMP blinds both. Read more about MS utilities on TechNet (www.microsoft.com/technet). IPTRACE.NLM on the NetWare server provides roughly the same functionality.
1.9 Highlights of recent client versions
Client 2.2: IntraNetware client (NetWare version 4.11). This client is a 32-bit client with a few 16-bit modules. Several of Novell’s largest customers found this a very stable client and have used it for years. This is the last client version that Novell supplied with ODI drivers.
Client 2.5: This was intended to be a ZENworks (now ZENworks for Desktops) “aware” client. NetWare 5 compatible, though you should always use the latest client that passes your internal lab and pilot tests. The workstation manager module was introduced in this version.
Client 3.0: Preferred protocol is IP. Supports location profiles, but not in the ACU (Automatic Client Upgrade).
Client 3.21: This client prefers IP connections, too. If an IP connection can be made to a server, it will be used; if IP times out and a dual IP/IPX stack is loaded, IPX is tried automatically. Supports location profiles.
Client 3.3/3.5x: Support for the WIN9x and ME versions of the OS.
OS/2 Client: Dead.
NT Client 4.71: NT and WIN2000 use the same client; VPN support for WIN2000 is also planned.
1.10 Anatomy of a WIN9x client boot First, realize that with each client release/upgrade, the behavior may differ. For example, one version may send out three GNS packets, the next five. Novell has three major services that start as part of the Windows 95/98 bootup that then turn around and launch other Novell modules. They are the NOVELLNIOS, NWREDIR, and NOVELLNP services and the first two services can be seen listed in the following registry key: HKLM\System\CurrentControlSet\Services\VxD
The NOVELLNIOS service launches NIOS.VXD, which is similar in function to SERVER.EXE on a NetWare server: it provides the memory space for the client .NLM files (stored in the NOVELL\CLIENT32 directory) to load in. These three services will be completely loaded and active in memory when the GUI login first appears. The loading of these services is multitasked with the loading of all other services. Each VxD has a start value of between 0 and 2, but nearly everything has it set to 0 (including Novell components). The concurrent loading of these services makes it impossible to track exactly when the Novell client services start to load or the processor time they take to complete. When a NetWare 5 Windows 95/98 client initially boots up and loads IP, by default the client queries the NWHOST file (in the C:\NOVELL\CLIENT32 directory) for a server name. If no name is resolved in NWHOST, the client then queries for a server via SLP, DNS, DHCP, NDS, BINDERY and finally SAP. The name resolution order is found in the Protocol Preferences tab in the Client 32 properties and in the Windows registry at HKEY_LOCAL_MACHINE\Network\Novell\System Config\NetWare DOS Requestor\Name Resolving Order. The order of the name space providers can be changed to suit your network’s needs. Each name space provider has a timeout value. The default order is:
NWHOST
SLP
DNS
DHCP
NDS
BINDERY
SAP
Because NWHOST is consulted first, whoever can write to C:\NOVELL\CLIENT32 can redirect the initial server attachment; treat the file and the registry key above like any other startup configuration.
Note: Read the section on SLP to better understand SLP concepts such as User Agents, Service Agents, and Directory Agents, or read RFC 2165. If IPX is loaded, IPX will broadcast a GNS (Get Nearest Server) packet 3 times. IPX will then use hops and ticks to determine the number of router hops and the time (ticks) between the client and the servers. With IP you do not have a way to determine the nearest server: IP only has the network and subnet addresses, which makes it very difficult to calculate the “closest” server. Because of this, a special algorithm is needed for IP. The client evaluates which server to connect to based on the following criteria, in order:
1. Find a server that resides on the same IP subnet as the client.
2. Find a server that resides on the same IP network as the client.
3. Find any server.
The client queries SLP by sending a multicast packet (to 224.0.1.22, the general SLP group, or 224.0.1.35, the SLP directory agent group) to find BINDERY.NOVELL services. Each BINDERY.NOVELL service replies with a unicast response to the client. The client’s User Agent chooses some of these responses to multicast an attribute request to, receiving the IP address in an attribute reply, based on the aforementioned algorithm. Note: The BINDERY.NOVELL service in SLP is equivalent to the TYPE 4 SAP in IPX. Multicast delivery is propagated by the routers: the request does not need a default route to reach the next hop, because multicast forwarding is a router function. The routers must, of course, be configured to forward multicast across their interfaces; multicast forwarding is usually not enabled by default. There is also a hop count associated with SLP UDP packets; it is configurable on the client and the server. User Agents send the packet out on the wire and the routers propagate the request as far as the SLP multicast radius has been configured to go, in the advanced properties of the client and in MONITOR ➝ Server Parameters ➝ Service Location Protocol ➝ SLP Multicast Radius on the server. Once the initial server attachment is made, the login dialog box is displayed to allow the user to log in. If a Preferred Server or Preferred Tree is specified in the client properties, or if the user enters a server or tree name in the dialog box, the client looks for the specified server in the list of servers it received. If that server is found, the client checks to see if the server is in the specified tree. If so, the client connects to the server and the user is logged in. To obtain a list of known NDS trees, the client requests all NDAP.NOVELL services (equivalent to SAP type 278, Directory Services, i.e., servers that host NDS partitions) that the UA (User Agent) can find. The NDAP.NOVELL service registers by partition, not by tree, but the partition name is truncated to just the tree name before being placed in the list. Warning: The use of multicast to authenticate, without a preferred server configured, may result in a connection to a server across a WAN link. Your client’s multicast to 224.0.1.22 will first make an attachment to any server and then request an ndap.novell server. Any ndap.novell server in the replica ring may be referred, even one across a WAN link. Give out the preferred server via DHCP or the client property setting. Keep in mind that SLP replies are not authenticated in a default deployment, so any host that hears the multicast can answer as a BINDERY.NOVELL service; a preferred server pins the client to a name you control. SLP information is cached at the client based upon the SLP Cache Replies parameter found in the Advanced Settings tab in the Novell Client Configuration Properties.
1.10.1 DHCP communications by the client
Once the client boots and obtains an IP address, via DHCP or statically configured, the client sends a DHCPINFORM packet requesting options 78 (DA) and 79 (SLP Scope). The Novell DHCP server 3.0 or later will send out the DA options, and the CMD option 63 only if the CMD module is bound on the client. Just remember D-O-R-A for DHCP communications: Discover, Offer, Request and finally Acknowledge. A DHCPINFORM from a client that already has an address skips the first three and is answered with an ACK carrying only the requested options. Interestingly, you can use another vendor’s DHCP server for addressing and Novell’s DHCP server to hand out SLP options 78 and 79 only.
The following are the DHCP options the client understands:
56: preferred tree. It is a good idea to use this option; it supports an IP address or DNS name.
57: NDS name context. Difficult to configure for clients unless you have large groups of people in the same OU.
63: sub-options 12, 13 and 14, the Compatibility Mode (CMD) options.
78: SLP DA. Great idea to use this option.
79: SLP scope.
85: preferred server.
RFC 2241 assigns codes 85 (NDS servers), 86 (NDS tree name) and 87 (NDS context) for this purpose; check which codes your client version actually reads before relying on them. Whichever server hands these out, the client accepts them from the first DHCP server that answers, so a rogue DHCP server on the segment can steer clients to a tree, context or DA of its choosing.
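The wire format of the two SLP options the client asks for in its DHCPINFORM, as an added example (not Novell or Microsoft code): option 78 is a mandatory flag byte followed by IPv4 DA addresses and option 79 a mandatory flag byte followed by a comma-separated scope list, as laid out in RFC 2610. The DA addresses and scope names are constructed. The decoder checks the lengths it is given, which is exactly where a malformed or hostile reply would otherwise bite.

```python
"""Encode and decode DHCP options 78 (SLP directory agents) and 79 (SLP scope
list) per RFC 2610, plus the option 55 request list a DHCPINFORM carries.

Added example, not Novell or Microsoft code. DA addresses and scope names
below are constructed.
"""
import ipaddress

MSG_TYPE, PARAM_REQUEST, SLP_DA, SLP_SCOPE, END, PAD = 53, 55, 78, 79, 255, 0
DHCPINFORM = 8


def encode_option(code, payload):
    """One DHCP option: code, length, payload (length is a single byte)."""
    if len(payload) > 255:
        raise ValueError('option payload too long for a single DHCP option')
    return bytes([code, len(payload)]) + payload


def encode_slp_da(addresses, mandatory=False):
    """Option 78: mandatory flag, then one packed IPv4 address per DA."""
    payload = bytes([1 if mandatory else 0]) + b''.join(
        ipaddress.IPv4Address(a).packed for a in addresses)
    return encode_option(SLP_DA, payload)


def encode_slp_scope(scopes, mandatory=False):
    """Option 79: mandatory flag, then a comma-separated UTF-8 scope list."""
    payload = bytes([1 if mandatory else 0]) + ','.join(scopes).encode('utf-8')
    return encode_option(SLP_SCOPE, payload)


def inform_request_options():
    """Options field of a DHCPINFORM that wants only the SLP settings."""
    return (encode_option(MSG_TYPE, bytes([DHCPINFORM]))
            + encode_option(PARAM_REQUEST, bytes([SLP_DA, SLP_SCOPE]))
            + bytes([END]))


def parse_options(blob):
    """TLV walk over a DHCP options field; returns {code: payload}. Rejects truncation."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == PAD:
            i += 1
            continue
        if code == END:
            break
        if i + 1 >= len(blob):
            raise ValueError('truncated option header')
        length = blob[i + 1]
        payload = blob[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError('option %d claims %d bytes, only %d present' % (code, length, len(payload)))
        opts[code] = payload
        i += 2 + length
    return opts


def decode_slp_da(payload):
    """Return (mandatory, [addresses]); the address list must be a whole number of IPv4s."""
    if len(payload) < 1 or (len(payload) - 1) % 4:
        raise ValueError('malformed SLP DA option')
    addrs = [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in range(1, len(payload), 4)]
    return bool(payload[0]), addrs


def decode_slp_scope(payload):
    """Return (mandatory, [scopes])."""
    if not payload:
        raise ValueError('malformed SLP scope option')
    return bool(payload[0]), payload[1:].decode('utf-8').split(',')


def demo():
    """What a server's DHCPACK options would look like, and what the client reads back."""
    ack = (encode_slp_da(['10.0.0.50', '10.0.0.51'], mandatory=True)
           + encode_slp_scope(['CORP', 'LAB']) + bytes([END]))
    opts = parse_options(ack)
    return decode_slp_da(opts[SLP_DA]), decode_slp_scope(opts[SLP_SCOPE])


if __name__ == '__main__':
    print(inform_request_options().hex())
    print(demo())
```

Nothing in the exchange identifies the server: the decoded DA list is trusted purely because it arrived in a DHCPACK, which is the mechanism a rogue DHCP server abuses.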
Third-party applications
I often hear clients complain about the slowness of the NetWare client. While some claims are valid (and then fixed in an update), many are due to third-party applications loading with the client. Third-party applications add startup time to the boot process. I have documented anti-virus programs adding 20 to 25 seconds to the boot process. Windows run processes are those run during the GUI initialization. The corresponding registry keys can be found in: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (and RunOnce, plus the same keys under HKEY_CURRENT_USER). Anything listed there starts for every user, which is why it is also the first place remote-control tools and malware install themselves; review the whole list, not just the entries you recognise, when you are there for a slowness complaint.
See the client tuning section later in this chapter for client optimization information.
1.11 NetWare client utilities
1.11.1 Right-click objects with the NetWare Workstation client
Realize that the NetWare client adds right-click choices on several objects. You may right-click on network drives in Explorer, My Computer, Network Neighborhood, etc. Different objects allow for different right-click functionality. The registry entries associated with these values can be found earlier in this chapter, under the Advanced Menu Settings for the Novell workstation client.
Figure 1.2 SYSTRAY menu choices.
List of menu choices on SYSTRAY
The small red N in the client systray is an administrator’s best friend. Your help desk should be intimately familiar with the time-saving features of this shortcut. Use it to walk clients through troubleshooting connection, password, browsing, printing, mapping, and login problems. (See Figure 1.2.) Some clients I visit do not like to enable this on users’ desktops for fear of user intervention. I would rather have it enabled to use as a help desk troubleshooting tool.
NetWare Login: Choose this to log in to the network or to other NDS trees and/or resources.
NetWare Connections: This is a great troubleshooting utility (see Figure 1.3). It shows the following for each connection:
Resource: The names of the servers and trees you are connected to. The asterisks signify your primary connections, one to an NDS tree and another to your primary server. The Novell Client queries the primary server or tree to obtain lists of other servers or trees on the network, as well as using NDS to resolve names.
User Name: User name for each authentication. For Directory Services (NDS) connections, the username is prefixed by “CN=” (CN denotes common name).
Figure 1.3 NetWare connection information.
Conn No.: Your connection number on the server; the same as the number under MONITOR ➝ Connections.
Authentication State: Shows whether the connection is a Directory Services (NDS) or bindery connection.
NDS Tree: The NDS tree for each connection to a server that is running NetWare 4.x or later.
Trans Type: The protocol being used for NCP transport between client and server.
Address: The IP address or IPX internal network address of the server.
Detach: Removes your connection to the selected server or tree.
Set Primary: Makes the selected connection your primary server or tree connection.
Novell Map Network Drive: GUI mapping utility.
Disconnect Network Drive: GUI utility to disconnect a mapping.
Novell Capture Printer Port: GUI print capture utility.
Novell End Capture: GUI print capture disconnect.
NetWare Utilities: NetWare Copy, Send Message, Trustee Rights, Inherited Rights and Filters, Object Properties, Salvage, Purge.
User Administration for your_tree_name: Gives the following information:
Personal Information: You may update your own information, with the proper rights.
Work Information: You may update your work information, with the proper rights.
Mailing Information: Mailing address information, updateable with the proper rights.
Edit Login Script: Create, edit or delete your personal login script, with the proper rights (users, by default, do have the right to edit their own login script).
Figure 1.4 Right-click the N on the client systray ➝ User Administration ➝ Login Account Information. This window is a great source of information when an end-user calls with problems; have them read off the values to you.
Login Information: Login information such as time and account restrictions (see Figure 1.4).
Novell Password Administration: I love this feature. You don’t have to go to the DOS prompt and type the SETPASS command anymore. This feature is not available in NT or WIN2000; change your password in Windows NT/2000 by pressing Ctrl+Alt+Del and selecting the Change Password option.
Group Memberships: Shows memberships of the logged-in user.
Browse to: The browseable path option allows you to quickly access files without the need to map drives. Too many drive mappings can considerably lengthen the login time. Use this option to help you, or your client, find those locations you use frequently but don’t normally map to, and those that you occasionally use and can’t remember. The choices are My Computer, Network Neighborhood and your own (editable) paths.
Configure System Tray Icon: Configure the icon as a shortcut to make the features you use most often available by double-clicking or Shift+double-clicking the icon. By default, double-clicking the icon opens Network Neighborhood; Shift+double-clicking the icon opens the Novell Login dialog box.
Novell Client Help: User’s Guide brings up a Web interface to the help files on your hard drive. Web links brings up a browser with links to Novell’s home page, support connection, documentation home page, client download page, and free-electron.com (try it).
Novell Client Properties: A shortcut to Control Panel ➝ Network ➝ Novell NetWare Client ➝ Properties.
1.11.2 NetWare Administrator
The NetWare Administrator is your tool to access and manage the NDS database on an object and object-property level. NetWare Administrator allows the creation, editing and deletion of NDS objects and their corresponding property values to customize the directory database to fit your environment. NDS is the gateway to the network, providing authentication services, while NetWare Administrator provides the portal for the creation and configuration of objects that access other objects representing network resources and file systems, based on security rights. Its menus are:
Object: The menu choice to manipulate NDS objects. Create (Ins); Details (Enter when an object is highlighted); Details on Multiple Users; Rights to Other Objects; Trustees of this Object; Move (F7); Copy (F8); Rename; Delete (Del); Browse; Search; Print (Ctrl+P); Print Setup; Exit.
View: Lists of customized display features. Show Hints; Show Toolbar; Show Status Bar; Show QuickTips at startup of the program; Configure Toolbar and Status Bar; Set Context; Go Up a Level (Backspace); Sort and Include; Expand (keypad +); Collapse (keypad –).
Options: Save Settings on Exit; Confirm on Delete; Get Alias Trustees; Get Aliased Object Trustees.
Tools: This menu shows items that have been installed on the server you are connected to, or items installed as snapins together with schema extensions:
Internet Connections; Salvage (only available when you highlight an NDS Volume object); Remote Console; Pure IP Remote Console; NDS Browser; EpsonNet NDPS DriverSetup; DNS-DHCP Management Console; NDPS Public Access Printers; NDPS Remote Printer Management; Novell Licensing Services; Add Extended Systems Printer Server; Remove Extended Systems Printer Server; Print Services Quick Setup (Non-NDPS).
Window: Customize your window layout. New Window; Cascade (Shift+F5); Tile (Shift+F4); Arrange Icons; Close All; 1: (shows each open window).
Help: Help Topics; Novell Support (opens your browser to Novell’s support site, http://support.novell.com); Show Welcome Screen on Startup; About NetWare Administrator (version number; remember 5.19f is supposed to be the last released version, after which only updated versions of ConsoleOne will be released).
Future of NWAdmin32.exe
According to Novell, there will be no more development on the NetWare Administrator. The future is Novell’s NetConsole, which is comprised of ConsoleOne and browser-based administration. The last version of the NetWare Administrator is 5.19f. NWAdmin has scalability limitations that prevent it from becoming the NDS object manager utility of choice. Search results are limited to 38,000 objects, as are the Object selector, group membership, and trustees of an object. Although these numbers seem impressive, in an NDS 8 (eDirectory) implementation they do not work: eDirectory has been tested to hold 1/5 of the earth’s population, 1.1 billion objects, in the directory database. Besides the scalability issues, it only runs on MS Windows platforms, an issue for Novell administrators running Linux, Apple, and other workstation platforms.
Snapins
Snapins for the NetWare Administrator are simply .dll files that are needed in the \SNAPIN directory to view new features in NDS, usually under the Tools menu. These new features are usually enabled in NDS by schema extensions, which are new rules for NDS. Because a snapin is a DLL loaded into NWADMN32.EXE under the administrator’s credentials, anyone who can write to the \SNAPIN directory can run code as whoever next starts NetWare Administrator; restrict the trustee rights on that directory accordingly.
1.11.3 ConsoleOne/NetConsole
ConsoleOne/NetConsole is still a work in progress. You may find that ConsoleOne seems clumsy and slow; it is a common complaint. ConsoleOne will run on ANY platform that supports a Java virtual machine, which is its attraction. The functionality of ConsoleOne/NetConsole is the same as NetWare Administrator, plus additional features never built into the NetWare Administrator. ConsoleOne/NetConsole should be your first choice for NDS object configuration and management, which includes partition and replica management.
1.11.4 Controlling the Web server
The Netscape Enterprise Web server can be administered through your browser; the NetWare client software is NOT needed. Set your browser to https://10.x.x.x:2200
Port 2200 is used by default and may be changed. Notice that you must use the secure https connection. You will be prompted by your browser to accept the certificate, because certificates generated by Novell’s certificate server are not yet trusted by Netscape or the IE browser. Since the browser cannot vouch for the certificate, compare its fingerprint with the one recorded for the server before you type the admin password, rather than training yourself to click through the warning, and restrict access to port 2200 to your administrative segments.
Note: Novell now seems to be supporting the Apache Web server instead. They, surprisingly, provide a link to the NetWare version of Apache on their Website.
1.11.5 RCONSOLE
The RCONSOLE utility can be run from most clients. Even non-Windows clients can use the RCONSOLE telnet option, if you don’t mind sending clear-text RCONSOLE passwords across the wire. RCONSOLE is an SPX utility. SPX is a connection-oriented protocol, like TCP, that maintains a persistent connection. Loading RCONSOLE, or more specifically RSPX.NLM, causes the server to SAP type 107B for every server the REMOTE.NLM and RSPX.NLM modules are loaded on. In a large environment, it may be more traffic than preferred; it also advertises to the whole IPX internetwork exactly which servers accept remote console sessions. There is a freeware RCONSOLE utility that I recommend. Download RCONSOLE.ZIP from www.novell.com/coolsolutions/freetools_r_u.html. RCONSOLE can run from the Windows Start ➝ Run menu, from DOS or from a shortcut icon. The utility, like many others, is found in the SYS:PUBLIC directory.
Best Practice: As soon as you get into RCONSOLE, type:
:RSPX
at the server console, which will give you a list of everyone RCONSOLEd to the server. This is one way to catch unauthorized access.
Key functions in RCONSOLE
You can use the following keystrokes during a remote console session. Most other keys function as if you were at the server console.
Alt+F1: Access the drop-down list of target server console options, which include:
Select a screen to view: Equal to Ctrl+Esc at the server console.
Directory Scan: You can look at, but not touch, the contents of any directory on the server. Use the freeware CPQFM.NLM for a more full-featured CWorthy server console browsing tool.
Transfer Files to server: A God-send. Transfer files from your workstation to the server. I use this option when I cannot connect to the server because of NDS lockups or licensing errors. It is also why the remote console password is worth as much as the server itself: anyone holding it can upload an NLM and LOAD it.
Invoke Operating System Shell: Takes you to your workstation’s hard drive. Type “EXIT” to return to RCONSOLE.
End Remote Session with server: Same as using the Alt+F2 option.
Resume Remote Session with server <ESC>: Same as hitting the Esc key.
Workstation Address: IPX network number and node address.
Configure keystroke buffering: Gives the following options (check boxes): No keystroke buffering (default); Keystroke delay (send when keyboard is idle); Manual keystroke send (Alt+F8 to send); On demand buffering (Alt+F9 to enter a buffered command).
Alt+F2: Exits the RCONSOLE screen.
Alt+F3: Cycle to the next target server console screen.
Alt+F4: Cycle to the previous target server console screen.
Alt+F5: Displays the workstation’s network and node address.
Three methods to control the 107B SAP
The RCONSOLE utility, when loaded, SAPs type 107B hex. To control this SAP:
1. Novell has a freeware RCONSOLE utility that runs off of the SAP type 4 (Novell server type SAP), giving administrators the ability to let router boy block all 107B SAPs. See the Security chapter for more RCONSOLE recommendations and warnings. http://www.novell.com/coolsolutions/freetools.html
2. Have router boy allow all incoming 107B SAPs to the centrally administered workstation segments, but block (deny) outbound 107Bs.
3. Use the new RCONJ utility that can use IP instead of IPX.
How to RCONSOLE to an asynchronous (modem) connection
Load the following at the server console:
:REMOTE.NLM
:RS232.NLM
:AIO.NLM
You will need to configure the modem for the server. RS232.NLM and AIO.NLM initialize the server’s communication port and transfer the console screen and keyboard information to and from REMOTE.NLM. A dial-in console is reachable by anyone who finds the number, so it deserves the same password hygiene as the network interface.
1.11.6 RCONJ (Java Pure IP Remote Console)
RConsoleJ is a Java-based program, used at any workstation or server that runs a Java virtual machine (JVM), to gain access to a local or remote target server’s console through an IP connection. RCONAG6 has to be loaded on the server before RCONJ can connect; the NLM is usually commented out in the AUTOEXEC.NCF file in NetWare 5.1.
How to RCONSOLE to a NW5 server in Pure IP
On the NW5 server, load RCONAG6.NLM. This will prompt you for a password, a TCP port (default is 2034) and an SPX port (default is 16800).
:RCONAG6 [ [-E Epassword] | [password] ] [TCP Port] [SPX Port] [ENCRYPT]
–E specifies that an encrypted password will be used on the command line. You cannot use this parameter until you have loaded RCONAG6 using the ENCRYPT option and entered the encrypted value for the password on the console screen. The encrypted –E parameter is used in the LDRCONAG.NCF file (if you decide to create the file when using the ENCRYPT option). A plain password on a LOAD line in AUTOEXEC.NCF or LDRCONAG.NCF is readable by anyone with read rights to SYS:SYSTEM, which is what the ENCRYPT option exists to avoid. For “TCP Port”, –1 disables TCP listening and 0 allows a dynamically assigned port to be used. Likewise for “SPX Port.” A Java console will appear in which you will need to type the host name (if you have DNS configured on the network or use the server HOSTS file) or the IP address of the server, with the TCP port number and password. Realize that RCONJ uses SLP when browsing for servers. If you want to use server names instead of IP addresses to connect, the server must either communicate with a DA, point to a DNS server, or maintain a HOSTS file. The name-to-address association is picked up from the HOSTS file when SLP.NLM is loaded. After the server(s) have been added to the HOSTS file, SLP.NLM must be restarted. Edit SYS:ETC\HOSTS and add the server name and IP address in the format:
IPADDRESS SERVERNAME
Once the information is keyed in, click on the Connect button.
You can launch RCONJ using one of the following methods:
ConsoleOne ➝ select server object ➝ Tools ➝ Remote Console
Note: Selecting and highlighting the exact server you want to connect to makes ConsoleOne bring up the RCONJ utility with the IP address of the server already filled in.
NWADMN32 ➝ Tools ➝ Pure IP Remote Console
SYS:PUBLIC\MGMT\RCONJ.BAT
RCONJ.NCF from the server console
SYS:PUBLIC\RCONJ.EXE
Note: Realize NWADMN32.EXE has the path to RCONJ.EXE hard coded, and that from a certain version of the support pack, the location of RCONJ changed. This means that with certain support packs, you can’t run RCONJ from NWADMN32.EXE, however you can run it by starting it directly as a standalone program. The syntax for RCONJ is as follows: RConsoleJ agent [agent port] [-sync] [-proxy proxy [proxy port] [-tcp|-spx] ]
RCONPRXY.NLM loaded on a NetWare 5 server creates an RCONJ proxy server. RCONJ proxy servers allow RCONJ to reach target servers over either an IPX or an IP connection. To enable RCONJ to communicate with an IPX-only NetWare 5 server, load RCONPRXY.NLM on a server that runs both IP and stream-based SPX services; the proxy it creates is the path through which RCONJ reaches the IPX-only server.

:RCONPRXY TCP_Port

The default TCP_Port is 2035. A TCP port value of 0 allows a dynamically assigned port to be used.
In RCONJ, the Advanced button gives you the option to connect through a proxy. For more information on RCONPRXY.NLM, refer to the TID "What is RCONPRXY.NLM in NetWare 5."

CONMAN.EXE

Alternatively, you can run CONMAN.EXE from the SYS:PUBLIC\MGMT directory. I find this in NetWare 5.0, but not 5.1. A Java Novell Server Console Manager window will appear in which you will need to key in the host name—provided you have DNS or the server's local HOSTS file configured on your network—or the IP address of the server, with the TCP port number and password. Once the information is keyed in, click on the Connect button. The server will report that the connection is granted, and a screen of buttons showing all the available screens on your server appears. To view any screen, just click on its button. If you load a new screen on the server, you will have to click on the Refresh button before icons for the newly available screens show up. To end the Java RCONSOLE, just close the screen; the server will report that the connection is cleared.
1.12 Tools to help with client and workstation issues There are several great shareware/freeware Websites that will assist in your workstation troubleshooting. Again, if you have NetWare client issues, save time and reload the client from the network or CD. Check out these popular sites for help with your client OS troubleshooting.
www.download.com
www.shareware.com
www.tucows.com
www.microsoft.com/download
Some great client utilities to consider are:
Microsoft’s REGCLEAN This Microsoft utility examines your registry and removes entries that are orphaned. You are left with an executable to back out any changes. Find this buried on Microsoft’s Website.
Norton’s SystemWorks I can sometimes find this on sale for $49. That is a bargain for this set of utilities. I use most all of the utilities in this package. The only con I can find is that the program sometimes crashes my Win98 workstation—which is a small price to pay for the benefits it gives the other times.
ERU.EXE From Microsoft Corporation, this is found on the CD at \other\misc\eru
CFGBACK.EXE From Microsoft Corporation, this is found on the CD at \other\misc\cfgback and used to back up the last 9 registries. Use it within a login script to keep registry backups on the server for important users.
Defragmentation utility. I use Diskeeper full version from www.execsoft.com. They make the stripped down version you can use for free within Windows.
WINDIFF This free utility may be downloaded from Microsoft's Website or found on some of the OS CDs. The WINDIFF graphical utility is used to compare two directories or files. The differences in the files will be highlighted. For example, on the WIN98 CD it is under \tools\reskit\file.
Hundreds of others
1.13 Log files The following log files are useful for troubleshooting:
BOOTLOG.TXT—Software that loads
DETLOG.TXT—Hardware information
SETUPLOG.TXT—Logs setup info

Use Microsoft's LOGVIEW.EXE to view them.
1.14 Novell-specific client troubleshooting utilities

Most of the time, for client problems, I simply reinstall the client—versus spending hours of time and my client's money on my labor. Sometimes it is better to start with a clean slate by uninstalling the client first; use UNC32.EXE. Novell also provides a freeware utility, NCCUTIL4.EXE. Since this program is new, it is possible that the filename will change. http://support.novell.com ➝ File Finder ➝ NCCUTIL4.EXE
Or look it up in TID form. This is an incredibly useful utility developed by Novell's technical support. The utility is a reporting tool for client configurations. The executable file, NCCSCAN.EXE, outputs a text file, NCCSCAN.TXT, that can then be read by the GUI program NCCREAD.EXE. (See Figure 1.5.) The NCCSCAN.TXT file can be read manually, if desired. The strength of this program is the ability to compare two seemingly identical machines and find out what is different. The difference may point you to the solution of your problem. The tab functions are:

General—This tab gives you the computer name, OS, RAM, CPU type, login name, NIC type, system up time, date and report time
Config Text—The raw output of the NCCSCAN.TXT file
Sections—Drills down the Config Text to headings and their corresponding individual and sectional registry keys
Registry Keys—Shows registry keys, the corresponding value, the default value and whether a key was not found or changed from its default value
Files—Displays the listing of files that are supposed to be included in the client installation. The program will color code files based on those not found, and files older than the client installed files
Attached Files—Looks for a NIOS.LOG_FILE. Mine showed that one was not found
Suggestions—Just that. Suggestions from Novell's technical support
Figure 1.5 The NCCREAD.EXE program reads the NCCSCAN.TXT file and reports its findings.
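The comparison NCCREAD is used for above, finding what differs between a working machine and a misbehaving one, can also be scripted so that per-machine noise (computer name, uptime, report time) is filtered out and only real differences are listed. The following Python script is an added example and is not code from the book or from Novell's NCCUTIL. It assumes an INI-like report layout ('[Section]' headers followed by 'Name=Value' lines); the real NCCSCAN.TXT layout is not documented here, and both sample reports are constructed.

```python
"""Compare two client configuration reports section by section and list only
what differs.

Added example, not code from the book or from Novell's NCCUTIL. The report
layout ('[Section]' / 'Name=Value') is an assumption; both reports below are
constructed."""
from typing import Dict, List, Tuple

Report = Dict[str, Dict[str, str]]

# Fields that legitimately differ between two machines and would only add noise.
PER_MACHINE = frozenset({"Computer Name", "Login Name", "System Up Time",
                         "Date", "Report Time"})


def parse_report(text: str) -> Report:
    """Parse '[Section]' / 'Name=Value' text into {section: {name: value}}."""
    sections: Report = {}
    current = sections.setdefault("General", {})   # lines before any header
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        name, sep, value = line.partition("=")
        if sep:                                      # skip lines without '='
            current[name.strip()] = value.strip()
    return sections


def compare_reports(known_good: Report, suspect: Report,
                    ignore=PER_MACHINE) -> List[Tuple[str, str, str, str]]:
    """Return (section, name, good value, suspect value) for each difference.
    '<missing>' marks a value that is present in only one report."""
    diffs: List[Tuple[str, str, str, str]] = []
    for section in sorted(set(known_good) | set(suspect)):
        good, bad = known_good.get(section, {}), suspect.get(section, {})
        for name in sorted(set(good) | set(bad)):
            if name in ignore:
                continue
            gv, bv = good.get(name, "<missing>"), bad.get(name, "<missing>")
            if gv != bv:
                diffs.append((section, name, gv, bv))
    return diffs


# Constructed reports: a workstation that logs in quickly and one that does not.
WORKING_REPORT = """[General]
Computer Name=WS-101
OS=Windows 98
Login Name=jdoe
System Up Time=2 days
[Registry Keys]
Preferred Server=FS1
Name Resolution Timeout=1
Packet Burst=On
[Files]
NWFS.SYS=4.80.0.0
CLIENT32.NLM=3.31.0.0
"""

SLOW_REPORT = """[General]
Computer Name=WS-102
OS=Windows 98
Login Name=jsmith
System Up Time=5 hours
[Registry Keys]
Preferred Server=
Name Resolution Timeout=10
Packet Burst=On
[Files]
NWFS.SYS=4.60.0.0
"""

if __name__ == "__main__":
    for section, name, good, bad in compare_reports(parse_report(WORKING_REPORT),
                                                    parse_report(SLOW_REPORT)):
        print(f"[{section}] {name}: working={good!r} slow={bad!r}")
```

Run against two reports captured the same way, the output points straight at what to look into: here the slow machine has no preferred server, a ten-second name resolution timeout, an older NWFS.SYS and a missing CLIENT32.NLM.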
1.15 Troubleshooting slow logins and client best practices

Novell's newest clients have generated many support calls. This may seem like a conspiracy, but in talking to several client technical support specialists, it is not so. They welcomed a section on troubleshooting client issues to save them phone calls.

The login process begins as the desktop operating system begins to load. A Not-Logged-In (NLI) connection is created on a server—as seen in MONITOR ➝ Connections—and the user is prompted to input their username and password credentials. After their credentials are accepted, the login process continues with the loading of the OS. If the OS experiences any delays in loading—such as virus protection software—these delays may be perceived as delays in the client login process. Login scripts complicate the login process, as do any programs run from login scripts.

User authentication in NDS can cause delays too. Often NDS must tree walk to find your user name and password credentials. When a client submits an authentication request to NDS, the request is not always received by a NetWare server able to fulfill it. A NetWare server with an NDS replica on it, referred to as a name server, is needed to fulfill the request. The name server receiving the request must find a name server holding the user object in an NDS partition that can fulfill the request. Name servers may need to refer to another name server up the NDS tree to resolve the user object's credentials. To find the information, a name server initiates a search until a replica is found that contains the desired information. This process is called tree walking. As long as the replica information can be accessed quickly, tree walking is not a problem. There are situations where the replica server holding the needed user object information is only available across a slow WAN link. Any application that uses NDS—like ZENworks, DHCP, Novell Certificate Server—can cause tree walking, but good NDS tree design can minimize it. Understanding name resolution and the client login process is essential to troubleshooting, tweaking, or tuning the client. Earlier in this chapter, I explain the login process—read it first before trying any of the recommendations below.
1.15.1 Performance and optimization recommendations

The following are recommendations to speed your NetWare experience. Several of the suggestions come from administrators in NetWare newsgroups and Websites.

1. Use the latest client.
2. Apply the Windows 9x and NT service packs before installing the Novell Client.
3. Defrag your workstation. I use Diskeeper from www.execsoft.com.
4. Optimize your NDS design. There are many variables to consider. See the NDS chapter for recommendations.
5. Re-install the client rather than spending too much time troubleshooting client problems. It is far easier and more efficient to re-install than to spend the afternoon figuring out what is going on.
6. Verify WINS is set up correctly. Use P-node or H-node so that name resolution goes to the WINS server rather than relying on broadcasts; that is the most bandwidth-efficient choice.
7. Verify there are no routing problems.
8. Decrease the number of hops to the server. You can use NetPro's DS Analyzer to discover how many hops a client must traverse to log in.
9. Check the VLAN configuration. I have experienced many client problems from incorrect VLAN configurations by router boy. Have him hit the books again and check his work. I know it couldn't be anything that he has done, but have him check anyway.
10. Specify a frame type on the client. The WIN9x default is AUTO frame discovery: Control Panel ➝ Network ➝ IPX 32-bit Protocol for the Novell NetWare Client ➝ Properties. WIN9x, by default, sends about 20 broadcasts to find a protocol frame type to bind. Specifying a frame type for each loaded protocol cuts down on network traffic, on the time it takes to find a valid frame type, and on the possibility of binding an incorrect frame type.
11. Discover why the server that holds the replica for the object cannot be accessed. In many cases it is busy, ABENDed, or not reachable. This can be viewed in a trace where a request is made to resolve an object, but a reply is never received. After the request times out, another request is sent, and the server responds with a Reply Rqst Being Processed; conn= which means that the replica server is still working on the original request and cannot find a server that will resolve that object.
12. Verify there are no name resolution problems. Specifying a preferred server by IP address, in the login box, lets your client use the IP address directly instead of resolving the name, which is much faster. There are other client properties that help with name resolution; they are found earlier in this chapter. This is a great troubleshooting tip for network name resolution sluggishness.
13. Use an OU for grouping permissions, when possible, over an NDS group object. When resolving access permissions, your OU will always be in your NDS partition, whereas your NDS group objects may have to be resolved up the NDS tree, in other partitions, causing NDS to tree walk to find your group information.
14. Verify the client isn't looking for information that isn't available during login. For example, incorrect login scripts and workstation CONFIG.POL policies called during login that aren't in the specified directories can cause the client to stall.
15. ZENworks policies should be searched by container, and not to the NDS tree [Root], when possible. This means that all pertinent ZENworks info (workstation policies, desktop policies, Dynamic Local User, NT Desktop Preferences, and NT Restrict Login) is accessible in a partition close to the user logging in. A delay may be caused by the ZENworks client walking the NDS tree to resolve policy and/or group information; this is a big problem found in many large NDS implementations. See TID 10022970 "Novell Recommendations for Search Policies."
16. You may put the LOGIN and MAP executables on the workstation to speed up the login. Realize that doing so means any time LOGIN.EXE or MAP.EXE is updated on the server, you will need to update it on every client that has these commands locally.
17. Verify that server and NDS tree names are unique.
18. Perform an NDS health check and troubleshoot NDS issues. NDS health check procedures are found in the NDS chapter.
19. Cache the entire NDS database on the servers. NDS version 8 gives the ability to cache the entire NDS database, or any part thereof. By default, only 8MB of the NDS database is cached in RAM. Find out how large the NDS database is on your replica servers and cache that amount in RAM. To increase the amount of memory available to NDS, type SET DSTRACE=!MB(memory in bytes); here 1MB is taken as 1000000 (1 million) bytes.

:SET DSTRACE=!MB(number_of_bytes_of_RAM)

For example, to cache 25MB of NDS in RAM, type:

:SET DSTRACE=!MB25000000

Check that the change was made correctly with:

:SET DSTRACE=ON
:SET DSTRACE=*P

You should see the value you just set next to SMI Max Cache. See Chapter 3 for important information about this and other NDS SET commands.
20. Use a single protocol, if possible. The newer clients prefer an IP connection to an IPX connection and will wait to time out on IP before connecting over IPX. If you cannot standardize on just one protocol, then make certain you have an SLP infrastructure to support IP system wide. See Chapter 4 on IP for more information.
21. Install the updated MUP.SYS from SP4 or later (NT Workstation only). Another example of having the latest patches applied. Multiple UNC Provider (MUP) delays come from two sources: (a) the attempt to access the resource through DFS, and (b) the MUP must wait for and recognize all responses from all redirectors before completing the request. Therefore, even if a resource is readily available and accessible over one redirector, the request must still be made over all other installed redirectors before the request completes. Depending on the number of redirectors, protocols, and timer configurations for connectivity, these delays can exceed 13 seconds for each initial connection. A bug exists in MUP.SYS on NT stations prior to SP4 in which the system would continue searching for the server on all protocols on all redirectors even after the server was located. The article below discusses the bug. http://support.microsoft.com/support/kb/articles/q171/3/86.asp?FR=0

1. Optimize the redirectors on the PC. If unused redirectors are installed on a PC, or rarely used redirectors are configured with a high preference, you will see degraded performance. Common redirectors are the MS Client for Microsoft Networks, the Novell Client for NetWare networks, and various NFS clients. If any of these clients are not needed, they should be removed. If they are needed, make sure to bind only the necessary protocols. A client with only IPX bound to the Novell client and IP to the Microsoft and NFS clients may be significantly faster in accessing network resources than one which has IP and IPX bound to the Novell client and IP, IPX, and NetBIOS to the MS client, due to the unneeded searches performed by MUP.SYS. Also be sure to make the most used redirectors the first redirectors tested to locate a server. To do this, open the Network control panel, select "Network Access Order" under the Services tab, and place the most frequently used redirectors at the top. If the MUP.SYS from SP4+ has not been installed, this will have no effect, due to the bug mentioned above. The protocol bindings to each redirector should also be optimized: within the Network control panel, select the Bindings tab and move the most used protocol for each redirector to the top.
2. There are many NT registry hacks that may be used to possibly speed up client access. Buy a book like 1001 Secrets for Windows NT Registry and consult the Networking Performance section.
3. Disable DFS support if not used. DFS is a feature of NT which allows multiple physical file systems to be logically grafted together to appear as a single directory structure, which can help users locate resources faster across different servers. The first step in locating a server via UNC is to check to see if it is DFS. Disabling DFS support will cause this step to be skipped. To disable DFS, create the DisableDFS registry entry (DWORD with a value of 1) at:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Mup\

4. Tweak NetBIOS settings. A client can be configured to attempt to locate MS resources via broadcasts, WINS servers, or a combination of both. The workstation can also be configured to use HOSTS file and DNS searches to locate resources. Inefficiencies occur if a machine is configured to use methods that are not configured to work. The registry entries

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"EnableLMHOSTS"=dword:00000000
"EnableDNS"=dword:00000000

will disable both DNS and LMHOSTS searches if they are not used. Changing the final 0 to a 1 enables the use of those options. The most efficient of all the WINS node types is P-node, which only uses a WINS server instead of broadcasting for name resolution. The NodeType registry entry in item 6 below sets your machine to P-node.

5. Change the order of the name space providers in the NT registry. Move the NetWare provider to the start of the list.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider
Value name: Order
6. Here are a few additional registry entries that can be tweaked to improve performance. Set the values to match your local environment.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"NodeType"=dword:00000002 (For WinNT machines)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP]
"NodeType"=dword:00000002 (For Win95 machines)

BcastNameQueryCount
Key: Netbt\Parameters
Value Type: REG_DWORD - Count
Valid Range: 1 to 0xFFFF
Default: 3
This value determines the number of times NetBT broadcasts a query for a given name without receiving a response.

BcastQueryTimeout
Key: Netbt\Parameters
Value Type: REG_DWORD - Time in milliseconds
Valid Range: 100 to 0xFFFFFFFF
Default: 0x2ee (750 decimal)
This value determines the time interval between successive broadcast name queries for the same name.

CacheTimeout
Key: Netbt\Parameters
Value Type: REG_DWORD - Time in milliseconds
Valid Range: 60000 to 0xFFFFFFFF
Default: 0x927c0 (600000 milliseconds = 10 minutes)
This value determines the time interval that names are cached in the remote name table.

NameSrvQueryCount
Key: Netbt\Parameters
Value Type: REG_DWORD - Count
Valid Range: 0 to 0xFFFF
Default: 3
This value determines the number of times NetBT sends a query to a WINS server for a given name without receiving a response.

NameSrvQueryTimeout
Key: Netbt\Parameters
Value Type: REG_DWORD - Time in milliseconds
Valid Range: 100 to 0xFFFFFFFF
Default: 1500 (1.5 seconds)
This value determines the time interval between successive name queries to WINS for a given name.

Size/Small/Medium/Large
Key: Netbt\Parameters
Value Type: REG_DWORD
Valid Range: 1, 2, 3 (Small, Medium, Large)
Default: 1 (Small)
This value determines the size of the name tables used to store local and remote names. In general, Small is adequate. If the system is acting as a proxy name server, then the value is automatically set to Large to increase the size of the name cache hash table. Hash table buckets are sized as: Large: 256, Medium: 128, Small: 16.

7. Change drivers to newer or older ones. Generally newer LAN drivers perform the best due to constant improvements in the software. Sometimes the latest drivers can actually cause a performance decrease. Driver performance is not always equal between different sites due to differences in switches, routers, and how they are configured. If you feel your PC is not as fast as it should be, try getting the latest drivers or downgrading to a previous version.
8. Remove IE5's offline browsing. IE5's offline browsing has been reported to noticeably decrease overall networking responsiveness. Read Q226370.ASP.
9. IoPageLockLimit. This setting determines the number of bytes that can be locked for I/O functions. Increasing the value from the default (512) can give a big boost to performance on machines with a large amount of disk I/O. The example below increases the value to 4096 (0x1000).

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"IoPageLockLimit"=dword:00001000

10. LargeSystemCache. This entry will cause NT Workstation to use the same "LargeSystemCache" model used by NT Server. This is recommended on systems with extra available RAM to increase the effectiveness of the system cache.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"LargeSystemCache"=dword:00000001

11. DisablePagingExecutive. This entry will prevent the system kernel from being swapped to disk. NT will slow down significantly if the kernel is swapped to disk.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"DisablePagingExecutive"=dword:00000001

12. NtfsDisableLastAccessUpdate. Setting this entry to 1 disables last-access timestamp updates, so NTFS will not record the last time a file was accessed. This can speed up disk operations if applications access many small files very frequently, as is found in many pseudo-database applications. (Modification timestamps are still updated.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisableLastAccessUpdate"=dword:00000001

13. Enable DMA transfers. By default, DMA transfers are disabled for your system's IDE hard drives. This can significantly decrease the performance of your system during periods of high disk usage. Turning on DMA detection will enable DMA on devices which support DMA. All devices on a channel must support DMA.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi\Parameters\Device0]
"DriverParameter"="DmaDetectionLevel = 0x1;"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi\Parameters\Device1]
"DriverParameter"="DmaDetectionLevel = 0x1;"
14. Use IPX or IP only; do not run a dual IPX/IP stack. By default, the Novell client will install in IP and IPX mode with IP as the preferred protocol. This means that if you attempt to locate a server, it will first attempt to locate it via IP before it attempts to locate it via IPX. If the server is not a NW5 server running IP, there will be an added delay before the server is located. It is recommended to run the client as IPX only until all or nearly all servers are upgraded to NW5 to support native IP. At that point workstations can be converted to IP only.
15. Tweak Novell's Name Resolution Timeout. Under the Advanced Settings tab of the Novell Client, change the Name Resolution Timeout to 1 from 10. This setting can be pushed via the following registry entry: HKLM\SOFTWARE\Novell\NetwareWorkstation\Policies\Network Timeout in Seconds=1
16. Disable unused protocol search methods. By default, the Novell client will attempt to use many different resolution methods for IP that may not be configured for use on your network. Under the "Protocol Preferences" tab of the Novell Client configuration, disable all resolution methods not used. I normally disable Host File, DNS, and DHCP DNS. I leave NDS and SLP enabled. If SLP is not set up on the servers and configured on the clients, disable this resolution method also.
17. Enable/disable Packet Burst. IPX communication was originally designed so that the sender sent a single packet to the receiver and waited for a response before sending a second packet. Packet bursting was developed to allow the sender to send multiple packets before needing a response in order to send additional packets. Normally this greatly enhances performance. Some cards, however, do not handle this well and drop a large number of packets. This causes a significant performance drop. Disabling packet bursting can improve performance in these cases. If disabling packet bursting increases performance, new NIC drivers or a new LAN card is recommended.
18. Patch/upgrade third-party software that may be called during the login process.
19. Remove programs from the Startup folder. I've documented an anti-virus program that added a full 20 to 25 seconds per boot.
20. Run MSCONFIG (WIN98) ➝ Startup ➝ remove checks from programs that are unnecessary or take too long to load.
21. Disable any unneeded services in NT/2000.
22. Take a sniffer trace. If you don't know how to read it and what to look for, open an incident at Novell's technical support desk and get them to look at it.
23. Use an NDS sniffer to find out what is happening. There is such an animal, made by NetPro (www.netpro.com), called DSAnalyzer. This utility is worth your consideration. See Chapter 9 for more information.
24. Only install necessary components on the client. On machines with limited memory, performance can be enhanced by installing only the components that are needed. Some of the unneeded client components may include Workstation Manager, NDPS printing, and remote control.
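The NetBT parameters listed in items 4 and 6 above are easy to get wrong when a .reg file is pushed to many workstations: a value outside the documented range, a node type that still broadcasts, or a lookup method left on. The following Python script is an added example, not code from the book or from Microsoft: it parses the .reg syntax used above, reports values outside the documented ranges, a node type other than P-node and any lookup method still enabled, and emits a corrected .reg file. The node-type codes other than 2 come from the NetBIOS-over-TCP specification (RFC 1001) rather than from the book, the sample .reg text is constructed, and the hardening step assumes that neither LMHOSTS nor DNS lookup is in use.

```python
"""Check NetBT (NetBIOS over TCP/IP) registry settings in .reg syntax against
the documented ranges and the P-node recommendation, and emit a corrected file.

Added example, not code from the book or from Microsoft. SAMPLE_REG is
constructed; node type codes other than 2 come from RFC 1001, not the book."""
import re
from typing import Dict, List

NETBT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters"

# (minimum, maximum, default) for each parameter, as documented in item 6.
RANGES = {
    "BcastNameQueryCount": (1, 0xFFFF, 3),
    "BcastQueryTimeout": (100, 0xFFFFFFFF, 0x2EE),
    "CacheTimeout": (60000, 0xFFFFFFFF, 0x927C0),
    "NameSrvQueryCount": (0, 0xFFFF, 3),
    "NameSrvQueryTimeout": (100, 0xFFFFFFFF, 1500),
    "Size/Small/Medium/Large": (1, 3, 1),
}
# 2 (P-node) is the type item 4 recommends; the other codes are the standard
# NetBIOS-over-TCP values from RFC 1001 (assumption: not taken from the book).
NODE_TYPES = {1: "B-node (broadcast only)", 2: "P-node (WINS only)",
              4: "M-node (broadcast, then WINS)", 8: "H-node (WINS, then broadcast)"}
# Lookup methods item 4 says to switch off when they are not used.
TOGGLES = ("EnableLMHOSTS", "EnableDNS")

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def parse_reg(text: str) -> Dict[str, int]:
    """Return the DWORD values found under the NetBT\\Parameters key of .reg text."""
    values: Dict[str, int] = {}
    in_netbt = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key = _KEY_RE.match(line)
        if key:
            in_netbt = key.group(1).lower() == NETBT_KEY.lower()
            continue
        entry = _DWORD_RE.match(line)
        if entry and in_netbt:
            values[entry.group(1)] = int(entry.group(2), 16)
    return values


def check_netbt(values: Dict[str, int]) -> List[str]:
    """One finding per out-of-range value, non-P-node type or enabled lookup."""
    findings: List[str] = []
    for name, val in values.items():
        if name in RANGES:
            lo, hi, _ = RANGES[name]
            if not lo <= val <= hi:
                findings.append(f"{name}={val} is outside the documented range {lo}-{hi}")
        elif name == "NodeType":
            kind = NODE_TYPES.get(val)
            if kind is None:
                findings.append(f"NodeType={val} is not a valid node type code")
            elif val != 2:
                findings.append(f"NodeType={val} is {kind}; P-node (2) avoids broadcast queries")
        elif name in TOGGLES:
            if val not in (0, 1):
                findings.append(f"{name}={val} must be 0 or 1")
            elif val == 1:
                findings.append(f"{name}=1 leaves a lookup method on; set it to 0 if unused")
    if "NodeType" not in values:
        findings.append("NodeType is not set; the machine keeps its default node type")
    return findings


def harden(values: Dict[str, int]) -> Dict[str, int]:
    """Copy of values with P-node, both lookups off (assumes neither is used)
    and out-of-range values reset to their documented defaults."""
    fixed = dict(values)
    fixed["NodeType"] = 2
    for name in TOGGLES:
        fixed[name] = 0
    for name, (lo, hi, default) in RANGES.items():
        if name in fixed and not lo <= fixed[name] <= hi:
            fixed[name] = default
    return fixed


def to_reg(values: Dict[str, int]) -> str:
    """Render values as a .reg file for the NetBT\\Parameters key."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{NETBT_KEY}]"]
    lines += [f'"{name}"=dword:{val:08x}' for name, val in values.items()]
    return "\n".join(lines) + "\n"


# Constructed export of a workstation that broadcasts for names, keeps LMHOSTS
# lookup on and has an out-of-range cache timeout; not a real hive.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NetBT\\Parameters]
"NodeType"=dword:00000001
"EnableLMHOSTS"=dword:00000001
"EnableDNS"=dword:00000000
"BcastNameQueryCount"=dword:00000010
"CacheTimeout"=dword:00007530

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider]
"Order"="NetwareOrCompatibleNetwork,LanmanWorkstation"
"""

if __name__ == "__main__":
    current = parse_reg(SAMPLE_REG)
    for finding in check_netbt(current):
        print("finding:", finding)
    print(to_reg(harden(current)))
```

Values under other keys (the NetworkProvider Order string in the sample) are deliberately ignored, so the script can be run over a full registry export; the corrected file it prints is the one to push, after adjusting the two lookup toggles if LMHOSTS or DNS are actually in use.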
1.15.2 Other resources for client login and optimizations

support.novell.com: Look up TIDs on client issues; there are many good ones available
www.novell.com/documentation
developer.novell.com/research: Novell's AppNotes provide a lot of great information about Novell's technologies and how to optimize them
1.16 The future of the NetWare client

The Novell client, again, is used to provide a 32-bit client/server connection to a NetWare server. It encapsulates NCP calls into either IP or IPX packets. NCP—NetWare Core Protocol—is to NetWare what SMB—Server Message Block protocol—is to Microsoft. Without the NetWare client loaded, the proprietary nature of Novell's NCP protocol prevents other operating systems and networking clients from accessing the NetWare server, unless an NFS or FTP server is loaded. Still, the power of NetWare and NDS can currently only be unleashed through NCPs. Does it make sense that I put a 26+ MB software program on my workstation client to access Novell's resources? Why can't we just use a browser to do everything? To do so, Novell would have to allow the substitution of the proprietary NCP protocol. Possible replacement protocols are:

XMLRPC—Extensible Markup Language Remote Procedure Call
SOAP—Simple Object Access Protocol
WebDAV—Allows basic file services over HTTP
LDAP—Lightweight Directory Access Protocol is a replacement for Novell Directory Access Protocol (NDAP). LDAP version 3 is supported now through the latest updated versions of NDS 7.x and 8.x
IPP—The Internet Printing Protocol allows basic printing support. NDPS supports IPP

Novell has started such an endeavor: iFolder. Stay tuned.
SUPPLEMENT 1 NetWare Client DOS Command Line Utilities Novell supplies several DOS command-line querying utilities.
AUDITCON

AUDITCON is Novell's auditing utility. It is not supported with NDS v8. AUDITCON is, perhaps, the most unintuitive NetWare utility. I recommend a third-party utility to do auditing. I like Bindview or Bluelance LT Auditor. AUDITCON opens up an initial screen that gives you the following choices:
Audit directory services
External auditing
Change current server
Change current volume
Enable volume auditing
CX

The CX command will display your current NDS context and allow you to manipulate your context within the NDS organization as well as view container and leaf objects. Spaces are not recognized; you must use quotation marks when using NDS names with spaces.

C:\>CX [new context][/option ...][/? |/ver]

No parameter—Views your current context
New context—Moves you to another context
/option—Available options
/?—Help
/VER—Version information; all other parameters are ignored

Optional CX flags:
/R—Lists containers at the root
/T—Lists containers below the current context
/CONT—Lists containers with a vertical output
/A—Includes all objects; for use with /T or /CONT
/C—Scrolls continuously

You may chain the CX options.
Example C:\>CX /R /A /T
Lists all objects in the entire tree.
CAPTURE

Legacy, queue-based printing utility; hopefully, you are planning an upgrade to NDPS.

C:\>CAPTURE [P=printer | Q=queue ][L=1 | LPT1][options]

FILER

This may be the best all-around file management utility. Your initial C-Worthy screen is:
Manage files and directories
Manage according to search pattern
Select current directory
View volume information
Salvage deleted files
Purge deleted files
Set default filer options

I normally use graphical utilities, but this utility is a one-stop shop.
FLAG

Use FLAG to:
View or modify file and directory attributes to determine which operations can be performed with the file or directory
Modify the owner of a file or directory
View or modify the search mode of executable files to determine how the program uses search drives when looking for a file

C:\>FLAG path [[+ | -] attribute ...] [/option ...] [/? | /VER]

(no parameter)—Attributes of all files in the current directory appear
path—Indicate the path to the file or directory whose attributes you want to modify
+ | –—Add attributes to a file or directory with + (plus). Remove attributes from a file or directory with – (minus). Using neither + nor – assigns exactly the attributes specified to the file or directory. Group all + (plus) and – (minus) attributes together on the command line
attribute—Specify file or directory attributes. See below
/option—Available options; see below
/?—View help
/VER—View the version number of the utility and its dependency on other files it uses. All other parameters are ignored.

Using FLAG, remember:
Include a space between attribute abbreviations when you add or delete multiple attributes.
You can’t remove the Execute Only attribute—unless you have the X-Away hacking utility. You must delete the file and then reinstall it.
You may use wildcard characters.
General FLAG options

Optional FLAG switches:
/NAME GROUP name—Change the owner of a file or directory
/D—Detailed view of a file or directory
/DO—View or modify only directories in the specified path
/FO—View or modify only files in the specified path
/OWNER=name—View all files or directories owned by a user
/M=mode—Modify search modes of executable files. See Search Modes for Executable Files
/S—Search the subdirectory in the specified path and any subdirectories below that level
/C—Scroll continuously

Directory attributes

You may specify directory attributes using the following options:
ALL—Assigns all of Di, H, Ic, P, Ri, and Sy
Di (Delete Inhibit)—Prohibits the directory from being deleted
Dc (Don't Compress)—Prohibits the directory from being compressed; volume compression properties may not override
Dm (Don't Migrate)—Prohibits the directory from being migrated to a secondary backup system (like a jukebox); volume compression properties may not override
H (Hidden)—Prohibits the directory from being viewed with the DOS DIR command
Ic (Immediate Compress)—Compresses the directory as soon as the OS can
N (Normal)—Specifies no attributes
P (Purge)—Purges the directory immediately upon deletion
Ri (Rename Inhibit)—Prohibits the directory from being renamed
Sy (System)—Prohibits the directory from being viewed with the DOS DIR command, and prohibits it from being copied or deleted
File attributes These same attributes may be changed several ways. You may use FILER, NetWare Administrator, or Explorer (right-click ➝ Properties on any server file or directory). Specify file attribute switches by using the following options.
ALL—Assigns the file the Di, H, Ic, P, Ri, and Sy attributes
A (Archive needed)—Indicates the file has been modified since the last backup
Dc (Don’t Compress)—Prohibits a file from being compressed—volume compression properties may not override
Di (Delete Inhibit)—Prohibits a file from being deleted or copied over
Dm (Don’t Migrate)—Prohibits a file from being migrated to a secondary backup system—volume compression properties may not override
Ds (Don’t Suballocate)—Prohibits an individual file from being suballocated—volume compression properties may not override. Use on large files that are appended frequently—e.g., database files
H (Hidden)—Prohibits a filename from being viewed with the DOS DIR command. The file may not be copied or deleted
Ic (Immediate compress)—Compresses a file ASAP
N (Normal)—Specifies the Rw attribute
P (Purge)—Purges a file immediately upon deletion
Ri (Rename Inhibit)—Prohibits the renaming of a file
Ro (Read Only)—Permits a file to be read only; it may not be written to or deleted
Rw (Read Write)—Permits a file to be read and written to—considered normal
Sh (Shareable)—Permits a file to be used by several users at the same time
Sy (System)—Prohibits a filename from being displayed with the DOS DIR command. It can’t be copied or deleted
T (Transactional)—Protects a file by using the Transaction Tracking System—NDS uses this. More info about TTS can be found in Chapter 3
X (Execute Only)—Given only to .EXE or .COM files. Prohibits an executable file from being copied or copied over. This attribute may not be removed—without a hacking utility, that is
Status flags Status flags show file and/or directory attribute information only. You may not change these flags.
Cc (Can’t Compress)—The file can’t be compressed because of limited space savings
Co (Compressed)—The file has been compressed
M (Migrated)—The file has been migrated
Examples To add Rw and Ic and remove Di, Dm and A from all files in the current directory, type: C:\>FLAG *.* +Rw Ic –Di Dm A
To give only files (no directories) in drive J: the Hidden attribute, type C:\>FLAG J:*.* H /FO
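The attribute rules above (bare list replaces, + and – groups add or remove, N means Rw, ALL is the Di/H/Ic/P/Ri/Sy bundle, X only on .EXE/.COM and never removable) as an added example, modelled in Python against an in-memory attribute set; this is not Novell's code, and treating Ro and Rw as mutually exclusive is the example's own assumption.

```python
# Added example (not Novell's code): the FLAG attribute syntax described
# above, modelled against an in-memory attribute set.  Rules taken from the
# page: a bare attribute list replaces the current attributes, + and - groups
# add or remove, N means Rw, ALL is the Di/H/Ic/P/Ri/Sy bundle, Cc/Co/M are
# view-only status flags, and X (Execute Only) may be given only to .EXE or
# .COM files and can never be removed.  Treating Ro and Rw as mutually
# exclusive is this example's assumption.

FILE_ATTRS = {"A", "Dc", "Di", "Dm", "Ds", "H", "Ic", "P",
              "Ri", "Ro", "Rw", "Sh", "Sy", "T", "X"}
ALL_BUNDLE = {"Di", "H", "Ic", "P", "Ri", "Sy"}   # what FLAG's ALL assigns
STATUS_FLAGS = {"Cc", "Co", "M"}                  # shown by FLAG, never set by it


class FlagError(ValueError):
    """Raised for a command FLAG would refuse."""


def _attr(token):
    """Resolve one attribute abbreviation case-insensitively ('rw' -> 'Rw')."""
    for name in FILE_ATTRS | {"N", "ALL"}:
        if name.lower() == token.lower():
            return name
    if token.lower() in {f.lower() for f in STATUS_FLAGS}:
        raise FlagError(f"{token} is a status flag and cannot be changed")
    raise FlagError(f"unknown attribute {token!r}")


def parse_flag_args(args):
    """Split the tokens typed after the path into (replace, adds, removes).

    replace is None unless the attributes were listed without + or -.
    Options such as /FO are skipped; a sign may be joined ("+Rw") or
    stand alone before its group ("+ Rw Ic").
    """
    replace, adds, removes, mode = None, set(), set(), None
    for token in args:
        if token.startswith("/"):
            continue
        if token[0] in "+-":
            mode, token = token[0], token[1:]
            if not token:
                continue
        name = _attr(token)
        names = {"Rw"} if name == "N" else set(ALL_BUNDLE) if name == "ALL" else {name}
        if mode == "+":
            adds |= names
        elif mode == "-":
            removes |= names
        else:
            replace = (replace or set()) | names
    if replace is not None and (adds or removes):
        raise FlagError("do not mix a bare attribute list with + or - groups")
    if adds & removes:
        raise FlagError(f"attributes both added and removed: {sorted(adds & removes)}")
    return replace, adds, removes


def apply_flag(filename, current, args):
    """Return the attribute set `filename` would carry after FLAG <file> <args>."""
    attrs = set(current)
    replace, adds, removes = parse_flag_args(args)
    wants_x = "X" in adds or (replace is not None and "X" in replace)
    if wants_x and not filename.upper().endswith((".EXE", ".COM")):
        raise FlagError("Execute Only is given only to .EXE or .COM files")
    if "X" in removes or ("X" in attrs and replace is not None and "X" not in replace):
        raise FlagError("Execute Only cannot be removed; delete and reinstall the file")
    if {"Ro", "Rw"} <= adds:
        raise FlagError("Ro and Rw cannot both be added")
    if replace is not None:
        new = set(replace)
    else:
        new = (attrs - removes) | adds
        if "Ro" in adds:          # assumption: a newly added Ro displaces Rw, and vice versa
            new.discard("Rw")
        if "Rw" in adds:
            new.discard("Ro")
    if {"Ro", "Rw"} <= new:
        raise FlagError("Ro and Rw are mutually exclusive")
    return new


def flag_rejects(filename, current, args):
    """True when FLAG would refuse the command (used by the checks below)."""
    try:
        apply_flag(filename, current, args)
    except FlagError:
        return True
    return False
```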
LOGIN Use at a workstation to access the network by logging in to a server and running a login script. NDS logins run scripts belonging to OU container objects, User objects, and Profile objects. If no login script is specified in any of these objects, NetWare runs a default login script.
Syntax C:\>LOGIN [server name/ | tree/] [user] [/option ...] [/? | /VER]
(no parameter)—Request a login prompt.
server name/—Specify the server you want to log in to.
tree/—Specify the tree you want to log in to.
user—Specify the username you want to log in with.
/option—Replace option with any available option. See LOGIN Options.
/?—View online help. All other parameters are ignored when /? is used.
/VER—View the version number of the utility and the list of files it uses to execute. All other parameters are ignored when /VER is used.
Using LOGIN Remember:
Using LOGIN implies LOGGING OUT of all other servers. To remain logged in to servers, use the no script (/NS) option.
Note: Using the /NS option is similar to using the ATTACH command in NetWare 3.x
To use another object’s login script, you need the Read property right to the Login Script property of that object. This login script would replace the profile script (if one is specified).
To set your context before you log in, either use the CX command or set your context in the NET.CFG file (in older VLM clients) using the following statement: name context = complete name
LOGIN options Switches for the LOGIN command line are as follows.
/NS—Prevent a login script from running and prevent you from being logged out of other servers you are logged in to.
/NB—Prevent the Welcome to NetWare banner from being displayed during the login process.
/S path | object name—Specify a login script file. Replace path with the path to the script. Replace object name with the object whose script you want to run.
/B—Specify a bindery login.
/PR=profile object name—Specify the Profile object script you want to run.
/NOSWAP—Prevent LOGIN from swapping to extended or expanded memory, or to disk.
SWAP=path—Tells LOGIN to swap to this path when external commands are executed. DOS only.
/TREE—Specify that you want to log in to a tree.
Examples To log in to server MOUSE as user RICKY without logging out of other servers you are logged in to, type LOGIN MOUSE/RICKY /NS
To log in to tree TERMINAL as user RICK, type LOGIN TERMINAL/RICK /TREE
To log in to the NDS tree as user SAM (if the current context is set to SAM’s container), type LOGIN SAM
To log in as user SAM and specify a Profile object to use as a login script, type LOGIN SAM /PR=WPGROUP.NOVELL
LOGOUT Logging out is leaving the network community. You release your authentication to network resources when you log out, by sending a logout packet to the server.
Syntax C:\>LOGOUT [server name | /T] [/? | /VER]
(no parameter)—Exit the network by logging out of all servers and NDS.
server name—Specify the server you want to log out of if you want to log out of one server but remain logged in to other servers or to the NDS tree.
/option—Replace option with any available option.
/T—Log out of NDS and all servers in the NDS tree, but not out of bindery servers (NetWare 2 and 3 servers).
/?—View online help. All other parameters are ignored when /? is used.
/VER—View the version number of the utility and the list of files it uses to execute. All other parameters are ignored when /VER is used.
NetWare provides a logout safety net. The server may log your connection out automatically if it cannot verify that your client is still up—used for security and to disconnect users who have just powered off their machines. The server sends a watchdog packet to PING your connection every 59.3 seconds and will not log you out until it has failed to verify your connection 10 times. The server watchdog SET commands are listed with their defaults:
Disable Watchdog Process: OFF—Turning on this option inhibits the sending of watchdog packets on all loaded protocols.
Enable Watchdog Screen: OFF—Turn the Watchdog Activity Screen on or off.
Number Of Watchdog Packets = 10—Limits: 5 to 100. The number of times the server asks an inactive workstation if it is still attached to the file server before terminating the workstation’s connection if no response has been received.
Delay Between Watchdog Packets = 59.3 SEC—Limits: 9.9 seconds to 10 minutes 26.2 seconds. Amount of time the server waits for an inactive workstation to reply to a watchdog packet before asking the workstation again if it is still attached to the file server.
Delay Before First Watchdog Packet = 4 MIN 56.6 SEC—Limits: 15.7 seconds to 20160 minutes. Amount of time the server waits, without receiving a request from a workstation, before asking the workstation if it is still attached to the file server.
Console Display Watchdog Logouts = OFF—Display an alert on the console when the watchdog logs out a user because of a connection failure.
MAP The MAP command is used to customize your redirected drives. One purpose of an NOS is to redirect drive letters to a shared file server. Most end users know that they have a U: drive, but wouldn’t have a clue where it is. You provide the shared access and home directories as mapped drives.
Best Practice: Users can browse drive mappings. Use the MAP ROOT command to create a fake root and keep users out of unnecessary areas.
Syntax C:\>MAP [P | NP] [ option ...] drive:= [ drive: | path] [/? | /VER]
(no parameter)—View drive mappings.
P—Map to a physical volume—must be listed first or second.
NP—No Prompt—overwrite local or search drives (must be listed first or second) without being prompted.
option—Replace option with any available option—see MAP Options.
drive:—Specify the drive you want to change.
path—Specify the path you want to map a drive to. To map to a physical volume on a server that is not your default server, specify the entire path (including server, volume, and directory name). For example, C:\>map macbeth/sys:account\pay (server/volume:directory\subdirectory)
You may also map to NDS directory map objects and/or NDS volume names C:\>map NW51T_SYS:PUBLIC
/?—View online help. All other parameters are ignored when /? is used.
/VER—View the version number of the utility and the files it uses to execute. All other parameters are ignored when /VER is used.
MAP options Optional MAP switches include the following.
P—Map to a physical volume. Must be listed first or second.
Np—Overwrite local or search drives without being prompted. Must be listed first or second.
C—Change a regular drive to a search drive, or a search drive to a regular drive.
DEL—Delete a drive mapping.
INS—Insert a search drive mapping without replacing an existing mapping.
N—Map the next available drive to the specified path.
ROOT—Map a drive to a fake root directory for applications that require rights in a root directory.
W—Do not change the master environment.
Using MAP Remember:
If you don’t include drive mappings in your login script, they will have to be manually recreated each time the user logs in
You can have up to 26 mappings, including local drives
To map to the next available search drive, use S16:=
To map a search drive, use S and a number—see MAP Options
If you don’t want to overwrite existing search drives, use the INS option.
Search drive mappings begin with the letter Z and continue backward through the alphabet
NLIST All NLIST commands are simple queries against NDS objects—users, groups, servers, and volumes—on the NetWare server to which you have your primary connection. You may also view object property information. For example, view all groups that have a specific user as a member.
Format The NLIST command-line format: C:\>NLIST [class type [property search option] [object name] [/basic option] [display option]] | [/? | /VER]
class type—Specify an object type, such as USER, SERVER, PRINTER, GROUP, VOLUME, etc. For bindery servers (NetWare 3), replace class type with USER, SERVER, QUEUE, GROUP, or VOLUME.
property search option—Specify a search option. For online help, type NLIST /? R.
object name—Specify the name of the object you want information about.
/basic option—Specify any available option—see “NLIST Options.”
display option—Select how data is displayed. For online help, type NLIST /? D.
/?—View online help. All other parameters are ignored when /? is used.
/VER—View the version number of the utility and the files it uses to execute. All other parameters are ignored when /VER is used.
Figure S1.1 An NDS object, such as a user object, has properties assigned to it. These objects, and their properties, can be queried via the NLIST command.
NLIST options NLIST command-line options:
A—View users who are logged in.
B[=server name]—View information stored in the bindery of the specified server (bindery servers only).
C—Scroll continuously through information.
CO[=context]—Set the context to be searched (NDS servers only).
D—View all object properties.
N—View object names.
S—Search all levels of the database, beginning at the current context.
SHOW[property]—View a specific property of an object.
TREE—View all tree names visible from this login.
Note: You can use property groups only with a bindery connection or with bindery services. USER, SERVER, QUEUE, GROUP, and VOLUME are the only objects you can search on in a bindery context. For detailed information on the parameters in this table, see the online help.
Any information To see all NLIST information: NLIST [class type] [=object name] [/option ...]
User information To find user information via NLIST command: NLIST user=[username] [WHERE [property] [operator] [value]] [SHOW [property]] [/option ...]
Note: For bindery servers, use [property group] instead of [property].
To list all users whose password lengths are less than 7 characters, type: NLIST USER WHERE "PASSWORD MINIMUM LENGTH" LT 7
To list all users whose accounts will expire by September 23, 2001, type: NLIST USER WHERE "ACCOUNT EXPIRATION" LE 09-23-01
Best Practice: Show your help desk how to view all users whose passwords will expire on a certain date.
To list all users who are members of a group called 49ers, type: NLIST USER WHERE "GROUP MEMBERSHIP" = 49ers
To list all users logged in, type: NLIST USER /A
To list all users who have supervisor equivalence, type: NLIST USER WHERE "SECURITY EQUAL TO" = SUPERVISOR
To list all properties of user BART, type: NLIST USER=BART /D
To list all users managed by PULKIT (bindery users only), type: NLIST USER WHERE MANAGERS=PULKIT
To list users logged in to the database, type: NLIST USER /A /S
To list properties of users in the current context, type: NLIST USER /D
To list the login script of every user who has a login script in all contexts, type: NLIST USER SHOW "LOGIN SCRIPT" /S
To list users whose telephone numbers begin with 7 (search all subordinate containers), type: NLIST USER WHERE "TELEPHONE NUMBER" = 7* /S
To list users at a context, type: NLIST USER /CO
To list telephone numbers of all users in the current context, type: NLIST USER SHOW "TELEPHONE NUMBER"
Server information Server information via NLIST must follow this format: NLIST server=[server name] [WHERE [property] [operator] [value]] [SHOW [property]] [/option ...]
For bindery servers, use [property group] instead of [property].
To list servers running NetWare 4.11, type: NLIST SERVER WHERE VERSION = "NOVELL NetWare 4.11[DS]"
If you don’t know the version number of a server, use the SHOW option. In this case, you can use: NLIST SERVER SHOW VERSION.
To list the network address of server SERVER1 (search all subordinate containers), type: NLIST SERVER=SERVER1 SHOW "NETWORK ADDRESS" /S
For bindery servers, type: NLIST SERVER=ACCT SHOW "ATTACHMENT INFORMATION"
To list servers in the current context, type: NLIST SERVER
To search for servers in the Directory tree, type: NLIST SERVER /S
To see if server ACCT is up, type: NLIST SERVER=ACCT /A
To list servers whose name begins with L, type: NLIST SERVER = L*
Group information You may query group information via NLIST with the following format: NLIST group=[group] [WHERE [property] [operator] [value]] [SHOW [property]] [/option ...]
Note: For bindery servers, use [property group] instead of [property]. To list members of group LOSERS, type: NLIST GROUP=LOSERS SHOW MEMBERS
To list groups with MSMITH as a member, type: NLIST GROUP WHERE MEMBER EQ MSMITH
To list the owner of group RECORDS, type: NLIST GROUP=RECORDS SHOW OWNER
To list all information about group RECORDS (bindery servers only), type: NLIST GROUP=RECORDS SHOW MISC
Printer information NDS printer information is queried via NLIST in the following format: NLIST printer=[printer] [WHERE [property] [operator] [value]] [SHOW [property]] [/option ...]
Note: For bindery servers, use [property group] instead of [property].
To list operators for printer HP_P1, type: NLIST PRINTER=HP_P1 SHOW OPERATOR
To list users for printer HP_P1, type: NLIST PRINTER=HP_P1 SHOW USER
To list printers whose name begins with H, type: NLIST PRINTER WHERE NAME = H*
To list printers in the current context and below, type: NLIST PRINTER /S
Print queue information A print queue is queried via NLIST in the following format: NLIST queue=[queue] [WHERE [property] [operator] [value]] [SHOW [property]] [/option ...]
To list operators for print queue ISDEPT_Q1, type: NLIST QUEUE=ISDEPT_Q1 SHOW OPERATORS
To list users for print queue ISDEPT_Q1, type: NLIST QUEUE=ISDEPT_Q1 SHOW USERS
To list print queue names, type: NLIST QUEUE /N
Volume information Volume information is queried via NLIST in the following format: NLIST volume=[volume] [WHERE [property] [operator] [value]] [SHOW [property]] [/option ...]
To list host servers volumes beginning with V on a specific host server type: NLIST VOLUME=V* SHOW "HOST SERVER"
To list the bindery server where volume VOL1: resides, type: NLIST VOLUME=VOL1 SHOW SERVER
Object information NDS object information is queried via NLIST in the following format: NLIST [class type] [=object name] [[WHERE name [operator] [value1] | WHERE object] [operator] [value2]] [/option ...]
To list objects named HOMER, type: NLIST * WHERE NAME = HOMER
To list objects in the current context, type: NLIST *
Bindery object information: NLIST /OT [=value] [WHERE name [operator] [value1] | WHERE object] [operator] [value2]] [/option ...]
Redirecting NLIST information to a file Use the redirect symbol > to output your results to a file. You can import the files into a spreadsheet and make a report of users with passwords about to expire, or of any other object or property query you can think of.
NLIST "print queue" /r /s /d > output.txt
Lists print queues in a text file—a great idea to document print queues on a server before an upgrade.
Other useful NLIST command uses You can use NLIST to see which objects have a Back Link by typing the following at a workstation.
Syntax: NLIST Where "Back Link" EXISTS
Example: NLIST "Directory Map" Where "Back Link" EXISTS
To see which objects do not have Back Links, type the following.
Syntax: NLIST Where "Back Link" NEXISTS
Example: NLIST "Directory Map" Where "Back Link" NEXISTS
Revision—This property is not displayed on any information page; rather, it is used by Novell’s Directory Services database. It shows the number of times the object has been changed by a user or Admin. You can use NLIST to see the revision property by typing the following at a workstation:
Syntax: /D
Example: NLIST "Directory Map" /D
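The NLIST WHERE syntax used throughout this section (LT, LE, = with a wildcard, EXISTS and NEXISTS), as an added example that is not Novell's code: a small evaluator run over a constructed set of User objects, so the password-length and account-expiration queries above can be tried offline. The NE, GT and GE operators, the two-digit-year pivot and the sample directory are this example's assumptions.

```python
# Added example (not Novell's code): an evaluator for the NLIST WHERE clause
# syntax shown above, run over a constructed set of User objects.  It covers
# the operators the page uses (=, EQ, LT, LE, EXISTS, NEXISTS) plus NE, GT
# and GE, which are assumed here.  Text compares case-insensitively, a * in
# the value is a wildcard, dates are mm-dd-yy, and a multi-valued property
# matches when any one of its values does.  /S is accepted but the sample
# directory is flat, so it changes nothing; SHOW is ignored (names only).
import fnmatch
import shlex
from datetime import date

# Constructed sample directory: one property dict per User object.  A
# property that is absent has no value, which is what NEXISTS detects.
SAMPLE_USERS = {
    "BART": {"PASSWORD MINIMUM LENGTH": 5, "ACCOUNT EXPIRATION": date(2001, 9, 1),
             "GROUP MEMBERSHIP": ["49ERS", "STAFF"], "TELEPHONE NUMBER": "7045551212"},
    "LISA": {"PASSWORD MINIMUM LENGTH": 8, "ACCOUNT EXPIRATION": date(2002, 1, 15),
             "GROUP MEMBERSHIP": ["STAFF"], "SECURITY EQUAL TO": ["SUPERVISOR"],
             "TELEPHONE NUMBER": "3125550100", "LOGIN SCRIPT": "MAP ROOT H:=SYS:HOME\\LISA"},
    "HOMER": {"PASSWORD MINIMUM LENGTH": 6, "GROUP MEMBERSHIP": ["49ERS"],
              "TELEPHONE NUMBER": "7045550199"},
}

COMPARE = {
    "=": lambda a, b: a == b, "EQ": lambda a, b: a == b, "NE": lambda a, b: a != b,
    "LT": lambda a, b: a < b, "LE": lambda a, b: a <= b,
    "GT": lambda a, b: a > b, "GE": lambda a, b: a >= b,
}


def parse_date(text):
    """mm-dd-yy as typed on the page; two-digit years below 70 are read as 20yy (assumption)."""
    m, d, y = (int(part) for part in text.split("-"))
    return date(2000 + y if y < 70 else 1900 + y, m, d)


def coerce(value, sample):
    """Convert the typed comparison value to the type of the property value it meets."""
    if isinstance(sample, date):
        return parse_date(value)
    if isinstance(sample, int):
        return int(value)
    return value.upper()


def clause_matches(props, prop, op, value):
    """Evaluate one WHERE clause against an object's property dict."""
    present = prop in props and props[prop] not in (None, "", [])
    if op == "EXISTS":
        return present
    if op == "NEXISTS":
        return not present
    if op not in COMPARE:
        raise ValueError(f"unknown NLIST operator {op!r}")
    if not present:
        return False                     # an absent property never satisfies a comparison
    held = props[prop] if isinstance(props[prop], list) else [props[prop]]
    for actual in held:
        wanted = coerce(value, actual)
        if isinstance(actual, str):
            actual = actual.upper()
            if op in ("=", "EQ") and "*" in wanted:
                if fnmatch.fnmatchcase(actual, wanted):
                    return True
                continue
        if COMPARE[op](actual, wanted):
            return True
    return False


def nlist(command, objects=SAMPLE_USERS):
    """Return the sorted names of objects an NLIST <class>[=name] [WHERE ...] line selects."""
    tokens = [t for t in shlex.split(command) if not t.startswith("/")]
    if tokens and tokens[0].upper() == "NLIST":
        tokens = tokens[1:]
    class_spec = tokens.pop(0) if tokens else "*"
    name_pattern = class_spec.split("=", 1)[1] if "=" in class_spec else "*"
    if tokens and tokens[0] == "=":                      # "NLIST SERVER = L*" spacing
        name_pattern, tokens = tokens[1], tokens[2:]
    clause = None
    if tokens and tokens[0].upper() == "WHERE":
        rest = tokens[1:]
        if len(rest) == 1 and "=" in rest[0]:            # "WHERE MANAGERS=PULKIT" spacing
            rest = rest[0].split("=", 1)
            rest.insert(1, "=")
        prop, op = rest[0].upper(), rest[1].upper()
        value = rest[2] if op not in ("EXISTS", "NEXISTS") else None
        clause = (prop, op, value)
    return sorted(name for name, props in objects.items()
                  if fnmatch.fnmatchcase(name.upper(), name_pattern.upper())
                  and (clause is None or clause_matches(props, *clause)))
```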
NCOPY The NCOPY command is a challenger to the DOS COPY command. NCOPY differs by providing read-after-write verification on copied files.
/S—Copy subdirectories
/S /E—Copy subdirectories including empty directories
/A—Copy files with the archive bit set
/M—Copy files with the archive bit set, then clear the bit
/F—Copy sparse files
/I—Inform when non-DOS file information will be lost
/C—Copy only DOS information
/V—Read-after-write verification on local drives (DOS only)
/R—Retain compression on supported media
/R /U—Retain compression on unsupported media
/VER—Display version information
Examples C:\>NCOPY VOL1:*.* j:*.* /S
Copies all files from VOL1 to the mapped J: drive To copy an empty subdirectory to the subdirectory above your current drive, type C:\>NCOPY MYSTUFF .. /S /E
Syntax C:\>NCOPY [source_path ] filename target_path [filename ] [/option ... ] [/? | /VER]
NDIR The NDIR command is used to query files, directories and volumes. You can use the command line options to display your text in different ways. Use at a workstation to:
View information about files (date, size, owner, attributes, archive information)
View information about directories (creation date, owner, subdirectories, Inherited Rights Filter, effective rights)
Sort information according to creation date, owner, file or directory attributes, etc.
Syntax C:\>NDIR [path ] [/option ... ] [/? | /VER]
path—Specify the path leading to the information you want to view. Include the volume, directory, or filename.
/option—See the following NDIR options: NDIR Display Options, NDIR Format Options, NDIR Sort Options, NDIR Attribute Options, NDIR Restriction Options.
/?—View online help. All other parameters are ignored when /? is used.
/VER—View the version number of the utility and the files it uses to execute. All other parameters are ignored when /VER is used.
Using NDIR Remember:
A forward slash (/) must precede the first option of the option list. Use backslashes (\) in pathnames.
You can use several options, but separate the options by spaces.
To view several files in your default directory, include a comma between filenames.
You can use wildcard characters.
NDIR display options NDIR command-line output display options:
DO—Sort and view directories only.
FO—Sort and view files only.
FI—View every occurrence of the specified files within your current directory and your PATH environment.
SUB—Sort and view all subdirectories and their files.
VOL—View volume information for the specified volume.
SPA—View directory space limitation information for the specified directory.
C—Scroll continuously through a display.
NDIR format options NDIR formatting options:
DA—View dates when files were last updated, archived, accessed, created, and copied.
DE—View file details.
COMP—View file and compression sizes for NetWare 4 and NetWare 5 files.
LONG—View name space long filenames.
R—View file attributes, the compression and migration status, your effective rights, and the rights allowed to pass through the Inherited Rights Filter.
NDIR sort options You may sort NDIR information with the following options.
REV—Reverse the direction of a sort. Put REV before SORT. Example: /REV SORT OW.
SORT CR—Sort by creation or copy date, from earliest to latest.
SORT UN—Suspend sorting.
SORT AC—Sort by date last accessed, from earliest to latest.
SORT AR—Sort by date last archived, from earliest to latest.
SORT UP—Sort by last update, from earliest to latest.
SORT OW—Sort alphabetically by file owner names.
SORT SI—Sort by file size, from smallest to largest.
NDIR attribute options NDIR attribute options are as follows:
NOT—Views files without a specific attribute
To display all files in the current context that do not have the IC (Immediately Compress) attribute, type: C:\>NDIR *.* /NOT /IC
A (Archive Needed)—Views files modified since the last backup
Di (Delete Inhibit)—Prevents the file from being deleted
Dc (Don’t Compress)—Prevents the file from being compressed—in spite of what the volume or directory is set to
Dm (Don’t Migrate)—Prevents the file from being migrated to a secondary backup—in spite of what the volume or directory is set to
Ds (Don’t Suballocate)—Prevents individual file(s) from being suballocated—in spite of the suballocation setting for the volume
X (Execute Only)—Prevents a file from being copied or copied over. This attribute can be given only to .EXE or .COM files, and cannot be removed—except by the XAWAY hack utility.
H (Hidden)—Prevents a file from being seen with the DOS DIR command. The file can’t be copied or deleted
Ic (Immediate Compress)—Compresses a file now
P (Purge)—Purges a file immediately as the file is deleted
R (Rename Inhibit)—Prevents a file from being renamed
Ro (Read Only)—Allows a file to only be read—it can’t be written to or deleted
Rw (Read Write)—Allows a file to be read and written to
S (Shareable)—Allows a file to be used by several users simultaneously
Sy (System)—Prevents a file from being seen with the DOS DIR command. The file can’t be copied or deleted
T (Transactional)—Protects a file by using the Transaction Tracking System (TTS)—mostly used for databases, e.g., NDS
NDIR status flags Status flags provide you with information only. You can’t change them.
Cc (Can’t Compress)—The file won’t be compressed because of limited space savings.
Co (Compressed)—The file is compressed.
M (Migrated)—The file has been migrated.
NDIR restriction options NDIR has some restriction options, too—they are as follows:
[NOT] (Not)—View all files except those the option specifies. Syntax: /CR [NOT] BEF | EQ | AFT mm-dd-yy
/CR BEF | EQ | AFT mm-dd-yy (Creation date)—View files created on, before, or after the date specified
/AC BEF | EQ | AFT mm-dd-yy (Last access)—View files last accessed before, on, or after the date specified
/AR BEF | EQ | AFT mm-dd-yy (Last archive)—View files last archived on, before, or after the date specified
/UP BEF | EQ | AFT mm-dd-yy (Last update)—View files last updated on, before, or after the date specified
/OW EQ user (Owner)—View files created by a specific user
/SI GR | EQ | LE number (Size)—View files with byte sizes greater than, equal to, or less than a specified number
Examples To view all files in the current directory, type C:\>NDIR *.*
To view the version of all .MP3 files on drive X:, type C:\>NDIR X:\*.MP3 /VER
To view only directories on drive Q:, type C:\>NDIR Q:\*.* /DO
To view rights for all files in the current directory, type C:\>NDIR *.* /R
To view the date of file STEPH.TXT, type C:\>NDIR STEPH.TXT /DA
To view detailed file information on STEPH.TXT, type C:\>NDIR STEPH.TXT /D
To view all Read Only files in SYS:PUBLIC, type C:\>NDIR SYS:PUBLIC\*.* /RO
To search for all executable files on drive C:, type C:\>NDIR C:\*.EXE /SUB
To search (from the root) all subdirectories on your current drive for PAUL.MSG, type C:\>NDIR PAUL.MSG /S
To view all files in the current directory that are not Read Only, type C:\>NDIR *.* /NOT RO
To view all files on the current directory by file size from smallest to largest, type C:\>NDIR *.* /SORT SI
To view all files in drive J: by the most recent access date first, type C:\>NDIR J:*.* /REV SORT AC
To view all files updated before December 6, 2000, type C:\>NDIR *.* /UP BEF 12-06-00
To view all files not owned by user ANDY (you must type the user’s complete name) type: C:\>NDIR *.* /OW NOT EQ ANDY.MOBILE.ENGINEERING
To find where COMMAND.COM is located, type C:\>NDIR COMMAND.COM /FI
To determine the space used by compressed files in volumes, type C:\>NDIR /COMP /DO /SUB
NPRINT NPRINT is used to send a file to a printer—includes plain text (ASCII) files and application software output already formatted for a printer. Not supported by NDPS. C:\>NPRINT filename [P= printername | Q= queuename] [/ option ...]
NPRINTER NPRINTER is used to share, and therefore advertise, a printer on a client workstation as a network printer. This is different from Microsoft’s file and print sharing option. This option is not used much since network printers now contain their own NIC, RAM and print server software—some even have hard drives. NPRINTER supports Windows 3.x or DOS workstations and may be added to a batch file. NPRINTER is not supported under NDPS. NPRINTER printername [/options ...]
or NPRINTER printservername printernumber [/ options ...]
PURGE Deleted files, on a NetWare server, are not erased totally. They may be recovered with the SALVAGE utility, or permanently erased with the PURGE utility. The deleted files are stored in the DELETED.SAV file on the root of each volume. You may delete a single file or all files.
If your workstation is attached to more than one file server, PURGE deletes only those recoverable files that you own and that are located on the file server your current drive is mapped to. The usage is: C:\>PURGE path\filename /option
The PURGE command supports all DOS wildcards.
/A—Purges all files in the current directory and all of its subdirectories
Note: The delete file system right is needed at the root of whatever directory you are purging.
/VER—Displays the version of the PURGE command
/?—Shows the help screen
Example C:\>PURGE *.GIF
Purges all .GIF files in the current directory only—a useful command for administrators. For Windows 9x, NT and WIN2000 machines, you may right-click the small red N on the systray ➝ NetWare Utilities ➝ Purge…
RIGHTS Use this utility to view or modify user or group rights to volumes, directories, or files.
Syntax C:\>RIGHTS path [[+ | -] rights] [/option ...] [/? | /VER]
Note: Novell has a TBACKUP.EXE freeware utility that mimics the RIGHTS command but redirects all of the trustee rights into a TRESTORE.BAT file. This utility can be used for backups. I use this utility for backups before upgrades.
Options Optional switches:
/C—Scroll continuously through output—use this option when you redirect to a file; see the note later
/F—View the inherited rights filter
/I—View the trustee and group rights that created the inherited rights, and view where the inherited rights came from
/NAME=user_name—View or modify rights for the user or group of your choice
/S—View or modify subdirectories under the present level
/T—View trustee rights in a directory
Note: You can redirect the output to a file with the > switch:
C:\>RIGHTS >MYRIGHTS.TXT
Examples To see your rights to the current mapped drive: X:\>RIGHTS
To set the trustee rights in the current directory for user TROBBINS to Read, Write, and File Scan, type C:\>RIGHTS R W F /NAME=TROBBINS
To remove user SPF from FS01/SYS:USERS, type C:\>RIGHTS FS01/SYS:USERS REM /NAME=SPF
To see where user DAVE’s inherited rights came from for SYS:USERS/HOME, type C:\>RIGHTS SYS:USERS/HOME /NAME=DAVE /I
To replace a group’s or user’s rights, use: C:\>RIGHTS FS1_VOL1:APPS/OFFICE RF /NAME=COLLENE
The + and – are used to add or delete rights on top of those already assigned—versus replacing them, as seen earlier: C:\>RIGHTS FS02_SYS:SYSTEM –SRWFMA /NAME=JR-ADMIN
File System Rights File system rights include the following options:
S (Supervisor)—Grant all rights to the file or directory.
R (Read)—Open and read files in the directory.
W (Write)—Open and write to files in the directory.
C (Create)—Create files and subdirectories.
E (Erase)—Erase files and directories.
M (Modify)—Rename files and directories, and change file attributes.
F (File Scan)—View and search on file and directory names in the file system structure.
A (Access Control)—Add and remove trustees and change trustee rights to files and directories.
N (No Rights)—Remove all rights.
REM (Remove)—Remove the user or group as a trustee of the specified file or directory.
ALL—Add all rights except Supervisor.
Using RIGHTS Remember:
If you use + (plus) to add rights you are adding to the existing rights list.
If you use – (minus) to remove rights you are deleting rights from the existing rights list.
If you use one command to add and delete rights, group all added rights together and all deleted rights together.
If you list rights without using + or –, the rights you list replace all of the existing rights.
A specified path is required. You may use a period (.) to represent your current directory.
Wildcard characters are permitted.
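The RIGHTS rules just listed (bare list replaces, + and – add or remove, N, REM, ALL) applied to an in-memory trustee table, together with the inherited-rights calculation the /I and /F views report on, as an added example that is not Novell's code. The inheritance rule it uses (an explicit assignment replaces what that trustee would inherit; otherwise the parent's effective rights pass through the IRF, which never filters S in the file system) is standard NetWare behaviour restated here, and the requirement for /NAME= and the sample table are the example's own assumptions.

```python
# Added example (not Novell's code): the RIGHTS command syntax above applied
# to an in-memory trustee table, plus the effective-rights calculation that
# the /I and /F views report on.  Page rules followed: a bare rights list
# replaces the trustee's assignment, + and - add or remove (each sign's
# rights grouped together), N leaves the trustee with no rights, REM drops
# the trustee, ALL grants every right except S.  The inheritance rule used
# (an explicit assignment replaces what that trustee would inherit; otherwise
# the parent's effective rights pass through the IRF, which in the file
# system never filters S) is standard NetWare behaviour restated here, not
# quoted from the page.  /NAME= is required by this model (assumption).
RIGHTS = "SRWCEMFA"
SEP = "\\"


class RightsError(ValueError):
    """Raised for a command RIGHTS would refuse."""


def normalize_path(path):
    """'FS01/SYS:USERS/HOME' -> 'SYS:USERS\\HOME' (server prefix dropped, / and \\ unified)."""
    head, colon, tail = path.partition(":")
    if not colon:
        raise RightsError(f"path {path!r} must name a volume")
    volume = head.split("/")[-1].upper()
    return f"{volume}:{tail.replace('/', SEP).strip(SEP).upper()}"


def parent_of(path):
    """Parent directory of a normalized path, or None at the volume root."""
    volume, _, rest = path.partition(":")
    if not rest:
        return None
    return f"{volume}:{rest.rsplit(SEP, 1)[0] if SEP in rest else ''}"


def parse_rights_args(tokens):
    """Return (rem, replace, adds, removes) from the rights tokens of a command line.

    Letters may be joined ("RF", "-SRWFMA") or separated ("R W F");
    /options are skipped.  replace is None when + or - groups were used.
    """
    replace, adds, removes, mode = None, set(), set(), None
    for tok in tokens:
        if tok.startswith("/"):
            continue
        if tok[0] in "+-":
            mode, tok = tok[0], tok[1:]
            if not tok:
                continue
        word = tok.upper()
        if word == "REM":
            return True, None, set(), set()
        if word == "N":
            replace, letters = set(), set()
        elif word == "ALL":
            letters = set(RIGHTS) - {"S"}
        else:
            letters = set(word)
        if letters - set(RIGHTS):
            raise RightsError(f"unknown rights in {tok!r}")
        if mode == "+":
            adds |= letters
        elif mode == "-":
            removes |= letters
        else:
            replace = (replace or set()) | letters
    if replace is not None and (adds or removes):
        raise RightsError("do not mix a bare rights list with + or -")
    return False, replace, adds, removes


def apply_rights(trustees, command, cwd="SYS:"):
    """Apply one RIGHTS command line to the trustee table {(path, name): rights}."""
    tokens = command.split()
    if tokens and tokens[0].upper() == "RIGHTS":
        tokens = tokens[1:]
    name = next((t.split("=", 1)[1].upper() for t in tokens
                 if t.upper().startswith("/NAME=")), None)
    if name is None:
        raise RightsError("this model needs /NAME=user")
    if tokens and (":" in tokens[0] or tokens[0] == "."):
        path, tokens = tokens[0], tokens[1:]
    else:
        path = "."                      # no path typed: the current directory
    key = (normalize_path(cwd if path == "." else path), name)
    rem, replace, adds, removes = parse_rights_args(tokens)
    if rem:
        trustees.pop(key, None)
    elif replace is not None:
        trustees[key] = set(replace)
    else:
        trustees[key] = (trustees.get(key, set()) - removes) | adds
    return trustees


def effective_rights(trustees, irf, name, path):
    """Effective rights of one trustee at path under the inheritance rule stated above."""
    p = normalize_path(path)
    explicit = trustees.get((p, name))
    if explicit is not None:
        return set(explicit)
    parent = parent_of(p)
    if parent is None:
        return set()
    inherited = effective_rights(trustees, irf, name, parent)
    mask = irf.get(p, set(RIGHTS))     # no IRF entry: everything passes
    return {r for r in inherited if r == "S" or r in mask}
```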
SETPASS Changes your password from a DOS command line. C:\>SETPASS [servername/] [username] [/? | /VER]
With no parameters, you simply change your own password on the network. The server name parameter is for bindery services. With the proper password rights, you or your help desk can type: C:\>SETPASS anyusername, for example C:\>SETPASS TTURNER
The proper rights consist of the Password Management property in NetWare 5. Right-click on any OU ➝ Trustees of this object ➝ Add user or group to be trustee ➝ Selected Properties (radio button) ➝ Password Management ➝ grant Compare, Read, Write, and Inheritable ➝ make sure the Inheritable object right is set, too. Note that this feature will only work in pure NetWare 5 environments, or only when you are connected to a NetWare 5 server in a mixed 4.x and 5.x environment.
Best Practice: Enable the password management feature for container password changers on your help desks or junior admins.
A Windows 9x client can, more easily, right-click the small red N on the systray ➝ User Administration ➝ Novell Password Administration ➝ Change Password.
For NT and WIN2000 workstations, you must Ctrl+Alt+Del ➝ Change Password.
SUPPLEMENT 2
Novell Client32 Properties
The client property options between the Windows 9x platforms and NT/Win2000 are very similar. The organization and screens are not. Still, the listings that follow are for the Win9x platform, with the NT/Win2000 highlights given afterward.
Windows 9x registry
The values you choose for each client option—whether upon install or through the Client Properties tab—are written and saved to the Windows registry. This is an important point. Registry values, by themselves, can be changed individually via login script commands or ZENworks for Desktops packages—both of which can change important values in the Novell client. For example, you could change the frame type at a site by simply finding the corresponding registry values and changing them within the login script. Obviously, test any changes in your lab first. The registry settings for the Win9x client are different from those of the NT client. I list the Win9x settings only, as most of my clients have Win9x workstations. The NT client settings are almost exactly the same, though their registry values are mostly found in
HKLM\SOFTWARE\Novell\Login
HKLM\SOFTWARE\Novell\Network Provider
HKLM\SYSTEM\CurrentControlSet\Services\srvloc\Parameters
HKLM\SYSTEM\CurrentControlSet\Services\NetWareWorkstation\Parameters
and subsequent subdirectories. (See Figure S2.1.) Best Practice: At medium to larger installations, use the ACU, ZEN for desktops, or a login script registry hack to update workstation information on many machines at once. Some changes may require you to reinstall the client.
Windows 9x Client properties
The NetWare client for Windows 9x provides many choices for customization. They are:
Preferred server—The server where you would like the client to connect. The server’s name can be a short name (ATLFS2), an IP address (10.10.1.12), or a DNS name (atlfs2.corporate.netdrwiz.com). The preferred server value is ignored when the preferred tree value is set. The Windows registry saves the last 5 entries. This value may be populated by DHCP. The corresponding Default Location Profile value takes precedence over this setting. Preferred Server Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\Preferred Server Registry Value: [string] 0
Default Value: N/A Range: N/A Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Warning: If there is no value set in the preferred server and preferred tree and you are using IP/SLP to find a login server, you may have to authenticate, inefficiently, to a server over a WAN link—it is the way SLP works. See the chapter on IP for more information on SLP.
Preferred tree—Overrides the preferred server; the preferred tree setting causes the client to query an IPX replica server, or an IP SLP ndap.novell server, for a specific NDS tree name. This value may be populated by DHCP. This box supports values of IP addresses, IPX names, and DNS names. The login script variable TREE may be used, in a login script, to connect a user to more than one tree—see Chapter 4 for more information about this and other login script variables. The corresponding Default Location Profile value takes precedence over this setting. Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\Preferred Tree Registry Value: [string] 0 Default Value: N/A Range: N/A Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Figure S2.1 REGEDIT.EXE displays the NetWare client entries in the WIN98 client.
Name context—Sets the NDS context for the container where the user exists. This is not needed if you are logging into a server that is in the same container/context that your user object is in. If you log in with an FDN (like bconstrictor.texas.Midwest.acme), the name context value in the client value box is ignored. This value may be populated by DHCP. The Default Location Profile value takes precedence over this setting. Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\Name Context Registry Value: [string] 0 Default Value: N/A Range: N/A Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
First network drive—Usually set to F, this setting lets your client know where, in the alphabet, it can start assigning network drive letters. By default, F will be used to map to a server’s SYS:LOGIN directory. This setting is workstation specific. Realize that a user that boots and does not login will still establish a connection to the server—for more information see the chapter on Security. Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\First Network Drive Registry Value: [string] 0 Default Value: F Range: A - Z (only allow non-local drives) Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Client version—A recent addition to Novell clients—great for troubleshooting. Always test and troubleshoot with the latest NetWare client, then move back versions, if necessary (see Figures S2.2 and S2.3). Registry Key: HKLM\Network\Novell\System Config\Install\Client Version Registry Value: [dword] MajorVersion, MinorVersion, Level, Revision Default Value: 3.2.0.0 (for the 3.2 version of the client) Range: 0 - 9999 Client Version: Implemented by at least the 95/98 Client version 3.0 or higher.
Figure S2.2 This is client version 3.21. Count the number of tabs and then check the client version 3.1 below. You see 9 available tabs here versus 8 in the earlier client version.
Figure S2.3 The client version 3.1 shows only 8 available tabs for configuration. Missing is the Advanced Menu settings tab included in client 3.21.
Figure S2.4 Location Profiles tab.
Service Pack—If a service pack is installed, you will be able to see the version on this screen too, plus a button activated list of the patched files. Registry Key: HKLM\Network\Novell\System Config\Install\Client Version Registry Value: [dword] Service Pack Default Value: 0 Range: 0 - 9999 Client Version: Implemented by at least the 95/98 Client version 3.1 or higher.
The location profile gives administrators options for setting client variables by profile names (see Figure S2.4)—roughly analogous to Windows hardware profiles, where certain feature sets can be enabled or disabled for each defined profile. Choosing the default profile ➝ properties ➝ properties of the login service shows the screen in Figure S2.5. The client profile screen gives five configuration tabs. This configuration tab is dynamic for many of its components. There are 5 tabs (e.g., Tab1, Tab2, Tab3, Tab4, and Tab5) which are represented by registry keys, each with a different possible list of values. Each Tab key has a “Tab” string value that displays the heading of the tab (e.g., “NDS,” “Bindery,” “Script,” “NT Credentials,” or “Dialup”)—depending on what has been enabled, Script may be Tab3 for one machine and Tab2 or even Tab4 on another machine. You will need to key off of the “Tab” Registry Value (when enabled) to know which values to expect for each key.
Figure S2.5 From the login service properties screen, you can change the way the client is displayed upon boot up.
List of Location Profiles—Possible profiles used Registry Key: HKLM\SOFTWARE\Novell\Location Profiles\Profile List Registry Value: [string] 0, 1, ..., n Default Value: N/A Range: N/A Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Default Login Location Profile—Profile used unless otherwise specified Registry Key: HKLM\SOFTWARE\Novell\Location Profiles\Services\ {1E6CEEA1-FB73-11CF-BD76-00001B27DA23}\Default
NT Credentials—NT Login When Tab = "NT Credentials" Registry Values: [string]DefaultDomainName, [string]DefaultUserName
Credentials—Simply your NDS login name
NDS—Support for NetWare 4.x and 5.x servers
Active Authenticator (check box): A check signifies that you are going to use an NDS connection as your authentication. There is another check box in the next bindery tab that would indicate a bindery-authenticated connection. Always use NDS authentication when possible.
When Tab = "NDS" Registry Values: [dword]Clear Connections, [string]Context, [string]Server, [string]Tree
Tree: The NDS tree that you want to show up in this profile
Context: NDS context you define for this profile
Server: A specific login server identity
Clear current connections (check box): Indicates, when checked, that you want to clear any current mapped connections and start over
Bindery—Support for NetWare 3.x servers
Active Authenticator (check box): A check in this box would indicate your desire for a bindery login connection—versus an NDS login authentication. An NDS authentication is preferred.
When Tab = "Bindery" Registry Values: [dword]Clear Connections, [string]Server
Server: The bindery server that you want to authenticate to
Clear current connections (check box): Indicates, when checked, that you want to clear any current mapped connections
Script—Optional script support
Enable Tab (check box): When checked, this tab will show up when the client box is presented to the user at login
When Tab = "Script" Registry Values: [dword]Close Results, [dword]Display Results, [dword]Login Script, [string]Profile Script, [string]Script File, [string]Variable2, [string]Variable3, [string]Variable4
Run Scripts (check box): A check instructs NetWare to run login scripts
Display Results window (check box): Display the results of the login process
Close Automatically (check box): Close the results of the login process automatically
Login Script:
Profile Script:
Dial-up—For use when the client is the front end to a dial-up connection
Enable Tab (check box): This box will activate the four other screen choices
When Tab = "Dialup" Registry Values: [string]Dialup Entry, [string]Dialup From, [dword]Enable RAS
Default Policy Support—Enabled means after the user logs into a NetWare/NDS server, the Novell Client will try to read the CONFIG.POL file from the Authentication server’s PUBLIC directory on the SYS volume. (See Figure S2.6.)
Registry Key: HKLM\Software\Novell\Workstation Manager\Policy Support Registry Value: [dword] Check Default Default Value: 1 Range: 0 = OFF, 1 = ON
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Policy Path and Filename—Available only if the Default Policy Support is unchecked. Allows any valid UNC path to any network file location that the current client has a network provider enabled for (e.g., the file could be stored on any NT Server or NetWare Server) for the CONFIG.POL file (or a different file name of your choosing). This setting must include the server, volume/share, directory, and the filename—leaving out the filename will cause the Policy download to fail. Registry Key: HKLM\Software\Novell\Workstation Manager\Policy Support Registry Value: [string] Policy Path Default Value: NULL Range: N/A Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
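Both the dynamic Tab1..Tab5 keying described under the location profile (key off each tab's “Tab” string to know which values to expect) and the Policy Path rule just given (server, share, directory and file name all required) are mechanical enough to script. The following Python is an added example, not Novell's code or the book's: it parses a constructed REGEDIT4 export, resolves each profile tab by its “Tab” value, reports listed values that are absent, and flags a Policy Path that omits the file name. The placement of Tab1..Tab5 directly under the profile's Default key, and all sample values, are assumptions.

```python
import re

# Constructed REGEDIT4 export (not from a real workstation). The Tab1..Tab5
# sub-keys directly under the profile's "Default" key are an assumed layout.
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Location Profiles\Services\{1E6CEEA1-FB73-11CF-BD76-00001B27DA23}\Default\Tab1]
"Tab"="NDS"
"Tree"="ACME_TREE"
"Context"="texas.Midwest.acme"
"Server"="ATLFS2"
"Clear Connections"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Location Profiles\Services\{1E6CEEA1-FB73-11CF-BD76-00001B27DA23}\Default\Tab2]
"Tab"="Script"
"Login Script"=dword:00000001
"Display Results"=dword:00000001
"Close Results"=dword:00000000
"Script File"=""

[HKEY_LOCAL_MACHINE\Software\Novell\Workstation Manager\Policy Support]
"Check Default"=dword:00000000
"Policy Path"="\\\\ATLFS2\\SYS\\PUBLIC"
'''

PROFILE_KEY = (r'HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Location Profiles\Services'
               r'\{1E6CEEA1-FB73-11CF-BD76-00001B27DA23}\Default')
POLICY_KEY = r'HKEY_LOCAL_MACHINE\Software\Novell\Workstation Manager\Policy Support'

# Values listed per tab heading; which TabN carries a heading varies per machine.
EXPECTED_VALUES = {
    'NDS': ('Clear Connections', 'Context', 'Server', 'Tree'),
    'Bindery': ('Clear Connections', 'Server'),
    'Script': ('Close Results', 'Display Results', 'Login Script', 'Profile Script',
               'Script File', 'Variable2', 'Variable3', 'Variable4'),
    'NT Credentials': ('DefaultDomainName', 'DefaultUserName'),
    'Dialup': ('Dialup Entry', 'Dialup From', 'Enable RAS'),
}

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(text):
    return text.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Parse a REGEDIT4 export into {key: {value name: str | int}}."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            reg[current] = {}
            continue
        match = VALUE_RE.match(line)
        if match is None or current is None:
            continue                      # header, blank line or unsupported type
        name, data = _unescape(match.group(1)), match.group(2)
        if data.startswith('dword:'):
            reg[current][name] = int(data[len('dword:'):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            reg[current][name] = _unescape(data[1:-1])
        else:
            reg[current][name] = data     # hex: and other types kept raw
    return reg


def resolve_location_tabs(reg, profile_key=PROFILE_KEY):
    """Key each TabN off its "Tab" string and report listed values that are absent."""
    tabs = {}
    prefix = profile_key.lower() + '\\tab'
    for key, values in reg.items():
        heading = values.get('Tab')
        if not key.lower().startswith(prefix) or heading is None:
            continue
        missing = [v for v in EXPECTED_VALUES.get(heading, ()) if v not in values]
        tabs[heading] = {'key': key.rsplit('\\', 1)[1], 'values': values, 'missing': missing}
    return tabs


def policy_path_is_complete(path):
    """A custom policy UNC must name server, share, directory and file, else download fails."""
    if not path.startswith('\\\\'):
        return False
    parts = [p for p in path[2:].split('\\') if p]
    return len(parts) >= 4 and '.' in parts[-1]


def check_policy_support(reg):
    """Return findings about where the client will fetch its CONFIG.POL from."""
    values = reg.get(POLICY_KEY, {})
    if values.get('Check Default', 1) == 1:
        return ['Default policy: CONFIG.POL read from SYS:PUBLIC on the authentication server']
    path = values.get('Policy Path') or ''
    if not policy_path_is_complete(path):
        return ['Policy Path %r lacks a file name; policy download will fail' % path]
    return ['Policy read from %s' % path]


if __name__ == '__main__':
    reg = parse_reg(SAMPLE_REG)
    print(resolve_location_tabs(reg), check_policy_support(reg))
```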
Location List—Specifies whether the Location list in the Login dialog box is enabled. After the initial installation, there is one Location Profile enabled named Default Location Profile—additional Location Profiles can be configured manually or by using ZENworks. The list shows Location Profiles that have been configured on this workstation and allows the user to select one for login (Location Profiles store many login settings such as Preferred Server, Tree, and Context).
Figure S2.6 Advanced Login tab.
Registry Key: HKLM\Software\Novell\Login Registry Value: [dword] Location Default Value: 0 Range: 0 = OFF, 1=ON Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Advanced Button—Specifies whether the Advanced button on the Login dialog box is enabled. This button leads to various tabs that help you to specify advanced login parameters. Some clients choose to hide this button because they don’t want users browsing other trees and contexts, at the expense of not letting users browse for a context to log in to—your choice. Registry Key: HKLM\Software\Novell\Login Registry Value: [dword] Advanced Default Value: 1 Range: 0 = OFF, 1=ON Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Variables Button—Specifies whether the Variables button in the Login dialog box is enabled. The button allows you to define the %2, %3, %4 and %5 login script variables used when the user logs in (from the old DOS days where %1 was the program executable and %2 was the first command line parameter, etc., and %5 was the fourth command line parameter). I have seen this used for dial up accounts. A dial up user would fill in a value under one of the variable boxes to indicate a dial up session which would signal the login script to minimize mappings and bandwidth intensive features. Registry Key: HKLM\Software\Novell\Login Registry Value: [dword] Variables Default Value: 1 Range: 0 = OFF, 1=ON Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Clear Connections—Specifies whether the Clear Connections checkbox is visible in the Login dialog box. The check box allows you to clear all previous connections when you create a new connection to the network (clears printer captures, drive mappings, and network drive search path entries from the Environment Search PATH). Registry Key: HKLM\Software\Novell\Login Registry Value: [dword] Clear Connections Default Value: 1 Range: 0 = OFF, 1=ON Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
The contextless login tab is for NDS version 7.x. It will not work with NDS 8.x at this time. I recommend NDS 8 for the many features and tuning that can be done with the database, so unless you are married to NDS version 7.x, you won’t use this feature. Contextless login can be enabled on NDS version 8 through LDAP (which may require you to use clear text passwords)—see the shareware section in the last chapter.
Figure S2.7 Contextless Login tab, used solely for this purpose.
Contextless login tab
Not supported in early NDSv8 releases, this option queries the indexed NDS login name values to provide support for short name logins. (See Figure S2.7.)
Enable (check box)—Enables contextless login, in which you enter your login name only, never having to remember your context. Contextless login requires the catalog and dredger services to be configured on a NetWare server and will not work without this preparation—nor will it work in NDS version 8. Registry Key: HKLM\Network\Novell\System Config\Network Provider\Graphical Login\NWLGE\ZXContext Registry Value: [dword] RunContext Default Value: 0 Range: 0 = OFF, 1 = ON Client Version: Implemented in the 95/98 Client version 3.0 or higher.
Wildcard Searching Allowed (check box)—Grants the ability to search for a name with DOS wildcard characters—only available if the Contextless login is enabled. Registry Key: HKLM\Network\Novell\System Config\Network Provider\Graphical Login\NWLGE\ZXContext Registry Value: [dword] AllowWild Default Value: 0
Range: 0 = OFF, 1 = ON Client Version: Implemented in the 95/98 Client version 3.0 or higher.
Search Timeout (Seconds)—Maximum time—in seconds—the Novell Login searches NDS for the specified user. Setting this value too low may cause the search to time out before the user is located in NDS. Setting it too high means a search for an invalid or unavailable user may take too long. Registry Key: HKLM\Network\Novell\System Config\Network Provider\Graphical Login\NWLGE\ZXContext Registry Value: [dword] SearchTimeout Default Value: 2 Range: 0 - 999 Client Version: Implemented in the 95/98 Client version 3.0 or higher.
Tree—During a login session, usable catalogs are automatically found. You can specify Tree and Catalog pairs to force contextless login to use a specific catalog for each tree in the list. For each Tree/Catalog pair there will be a string value with the name of the Tree and the value of the Catalog. Registry Key: HKLM\Network\Novell\System Config\Network Provider\Graphical Login\NWLGE\ZXContext\Catalogs\[Tree Name] Registry Value: [Catalog Name] Default Value: N/A Range: N/A Client Version: Implemented in the 95/98 Client version 3.0 or higher.
Catalog—The name of the NDS Catalog object that holds the indexed information needed for Contextless Login (not supported in NDS version 8)
Output settings Printing options include (see Figure S2.8): Number of copies—Just what you’d think. Clients that complain that they are printing 3 copies of everything every time they print would do well to look here. Registry Key: HKLM\Network\Novell\System Config\Network Provider\Capture Flags Registry Value: [dword] Number of Copies Default Value: 1 Range: 1-255 Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Form Feed—Enable this check box to make the printer add a blank piece of paper at the end of the print job. Registry Key: HKLM\Network\Novell\System Config\Network Provider\Capture Flags Registry Value: [dword] Form Feed Default Value: 0 (Unchecked) Range: 0, 1 (0=Unchecked, 1=Checked)
Figure S2.8 Printing option on the client.
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Enable Tabs—If you want to print the specified number of spaces in place of tab characters, enable this check box. If you don’t want spaces to be printed in place of tabs, disable this check box. Byte-stream print jobs do not require tabs to be enabled. Some graphics print data contain tab characters, and this option may cause some graphics jobs to print incorrectly. Registry Key: HKLM\Network\Novell\System Config\Network Provider\Capture Flags Registry Value: [dword] Enable Tabs Default Value: 0 (Unchecked) Range: 0, 1 (0=Unchecked, 1=Checked) Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Number of spaces: Specifies the number of spaces that are printed in place of tab characters. You must check the Enable Tabs check box for this setting to take effect. Registry Key: HKLM\Network\Novell\System Config\ Network Provider\Capture Flags Registry Value: [dword] Number of Spaces Default Value: 8
Range: 1-18 spaces Client Version: Implemented by at least the 95/98 Client version 2.5 or higher. Number of spaces each tab would make on the printed copy. Banner Settings—Separate page banner options Enable Banner—If you want a banner page for each print job, enable this check box. Registry Key: HKLM\Network\Novell\System Config\Network Provider\Capture Flags Registry Value: [dword] Enable Banner Default Value: 0 (Unchecked) Range: 0, 1 (0=Unchecked, 1=Checked) Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
1st Banner Name: Specifies the text printed on the upper half of the banner page—supports text up to 12 characters. Registry Key: HKLM\Network\Novell\System Config\Network Provider\Capture Flags Registry Value: [string] 1st Banner Name Default Value: NULL Range: Any valid string Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
2nd Banner Name: Specifies the text printed on the lower half of the banner page—supports text up to 12 characters. Registry Key: HKLM\Network\Novell\System Config\Network Provider\Capture Flags Registry Value: [string] 2nd Banner Name Default Value: NULL Range: Any valid string Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Other Settings—
Hold (check box): To put a user hold on print jobs, enable this check box. Registry Key: HKLM\Network\Novell\System Config\Network Provider\Capture Flags Registry Value: [dword] Hold Default Value: 0 (Unchecked) Range: 0, 1 (0=Unchecked, 1=Checked) Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Auto endcap (check box): If you want captured data to be closed and sent to the printer after you exit the application submitting it, then enable this check box. If not, then disable this check box.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Capture Flags Registry Value: [dword] Auto Endcap Default Value: 1 (Checked) Range: 0, 1 (0=Unchecked, 1=Checked) Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Notify (check box): If you want to receive a popup message when the print job is printed, enable this check box. Registry Key: HKLM\Network\Novell\System Config\Network Provider\Capture Flags Registry Value: [dword] Notify Default Value: 1 (Checked) Range: 0, 1 (0=Unchecked, 1=Checked) Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Keep (check box): Enable this check box to keep jobs in the print queue after they have completed printing. Registry Key: HKLM\Network\Novell\System Config\Network Provider\Capture Flags Registry Value: [dword] Keep Default Value: 0 (Unchecked) Range: 0, 1 (0=Unchecked, 1=Checked) Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Seconds before timeout: Specifies the number of seconds the operating system waits after the last data is received before closing the print job. Registry Key: HKLM\Network\Novell\System Config\Network Provider\Capture Flags Registry Value: [dword] Seconds before Timeout Default Value: 0 Range: 0-1000 seconds Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
The Protocol Preference tab may be the most important tab (Figure S2.9). By default, the name resolution order is made up of the following, in order:
Protocol Order—Specifies the sequence of protocols the Novell Client uses when trying to connect to a server. For example, if the list contains IP and IPX, in that order, the client first tries to connect using IP. If an IP connection cannot be made, the client tries again using IPX.
Figure S2.9 Protocol Preference tab may be the most important. I changed the name resolution order for my lab testing.
Note: Tuning this parameter can improve performance greatly—see later in this chapter for more information.
Registry Key: HKLM\Network\Novell\System Config\Netware DOS Requester\Transport Order Registry Value: [string] 0 Default Value: IP, IPX Range: IP, IPX; IPX, IP; IP; IPX Client Version: Implemented in the 95/98 Client version 3.0 or higher.
Name Resolution Order—The list specifies the order in which Name Space Providers are used to attempt to resolve Service Names. Configured name service providers (NSPs) are queried asynchronously, in order, to resolve a service name to an address. They are first queried with a cache flag, which permits NSPs that maintain a cache to attempt to resolve the name. If no NSP resolves the name, then the list is queried again without the cache flag. The client will wait the time specified by the Name Resolution Timeout or until all the queried NSPs respond with a NOT_FOUND or NO_MORE status.
Note: Tuning this parameter can improve performance greatly—see later in this chapter for more information.
Registry Key: HKLM\Network\Novell\System Config\Netware DOS Requester\Name Resolving Order Registry Value: [string] 0 Default Value: NWHOST,SLP,DNS,DHCP,NDS,BIND,SAP Range: Any combination of the above entries in any order. Client Version: Implemented in the 95/98 Client version 3.0 or higher.
NWHOST—This host file is like other host files that map IP addresses to names. Using a host file is the fastest method to resolve names. The administration of the file for each workstation is the challenge. The NetWare server also has a HOSTS file in the SYS:ETC directory.
SLP—Service Location Protocol (RFC 2165). Tells the client to resolve via a multicast to an SA or DA. It is possible to statically configure the client to point to the address of the Directory Agent—which is a repository of Service Agent information. Note: Refer to Chapter 4 for SLP information.
DNS—I haven’t been to many clients that have all or most of their NetWare servers in DNS. DNS is a great way to resolve names and map names via the login script. Use DNS whenever you can. This is an IP-only option.
DHCP—DHCP can feed the client many important options. Use DHCP to send as much information as possible. This is obviously an IP-only option.
NDS—NDS is used to resolve names after you find a replica server—the trick is how the client finds a replica server. By default, an IPX client finds a replica server by querying the BINDERY of the server it makes its initial attachment to for login. An IP-only client will use multicast (the SLP protocol) to attempt to locate a replica server. A dual IP/IPX stack client will default to use IP—before timing out and trying IPX—to try to find a replica server. This is an IP and IPX option.
BINDERY—The bindery is a fast file finder on the server—like a mini database. This is an IPX-only option. Interestingly, a Pure IP workstation client will query all BINDERY IPX services if it finds a server running IP and IPX. This would allow a global view of resources in Network Neighborhood (compared to the restricted view that an IP-only implementation of SLP may provide).
SAP—The SAP protocol runs within IPX to advertise names on the network. This is an IPX-only option.
See the IP chapter for an explanation of SLP and DHCP configuration options.
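To make the two-pass Name Resolution Order behaviour concrete, here is an added Python model, not the Novell client's own code: each NSP in the configured order is first asked with the cache flag set, then without it, until one answers or the Name Resolution Timeout elapses. The providers, their lookup tables and their per-query costs are constructed for illustration, and the real client queries NSPs asynchronously, which this sequential model does not reproduce.

```python
NOT_FOUND = 'NOT_FOUND'
# Default Name Resolving Order from the Protocol Preference tab.
DEFAULT_ORDER = ['NWHOST', 'SLP', 'DNS', 'DHCP', 'NDS', 'BIND', 'SAP']


class NameSpaceProvider:
    """Constructed model of one NSP: a lookup table, an optional cache, a query cost."""

    def __init__(self, name, table, has_cache=False, cost=1.0):
        self.name = name
        self.table = {k.upper(): v for k, v in table.items()}
        self.cache = {} if has_cache else None   # only caching NSPs answer the cache pass
        self.cost = cost                          # assumed seconds per full query

    def query(self, service_name, cache_only):
        """Return (address or NOT_FOUND, seconds spent)."""
        key = service_name.upper()
        if cache_only:
            if self.cache is not None and key in self.cache:
                return self.cache[key], 0.0
            return NOT_FOUND, 0.0
        addr = self.table.get(key, NOT_FOUND)
        if addr != NOT_FOUND and self.cache is not None:
            self.cache[key] = addr                # a full answer warms the cache
        return addr, self.cost


def resolve(service_name, providers, order, timeout):
    """Two passes over `order` (cache flag set, then clear), bounded by the timeout.

    Returns (address or NOT_FOUND, trace of (nsp, pass, result) tuples)."""
    elapsed = 0.0
    trace = []
    for cache_only in (True, False):
        for nsp_name in order:
            result, cost = providers[nsp_name].query(service_name, cache_only)
            elapsed += cost
            trace.append((nsp_name, 'cache' if cache_only else 'full', result))
            if result != NOT_FOUND:
                return result, trace
            if elapsed >= timeout:
                trace.append(('timeout', '', NOT_FOUND))
                return NOT_FOUND, trace
    return NOT_FOUND, trace


def build_lab_providers():
    """Constructed lab: one server in the host file, two known to SLP, nothing in the rest."""
    return {
        'NWHOST': NameSpaceProvider('NWHOST', {'ATLFS2': '10.10.1.12'}, cost=0.1),
        'SLP': NameSpaceProvider('SLP', {'ATLFS2': '10.10.1.12', 'ATLFS3': '10.10.1.13'},
                                 has_cache=True, cost=1.5),
        'DNS': NameSpaceProvider('DNS', {'ATLFS2': '10.10.1.12'}, has_cache=True, cost=0.5),
        'DHCP': NameSpaceProvider('DHCP', {}, cost=0.2),
        'NDS': NameSpaceProvider('NDS', {}, cost=1.0),
        'BIND': NameSpaceProvider('BIND', {}, cost=0.3),
        'SAP': NameSpaceProvider('SAP', {}, cost=0.3),
    }


if __name__ == '__main__':
    lab = build_lab_providers()
    # Second ATLFS3 lookup is answered from the SLP cache on the first pass.
    for name in ('ATLFS3', 'ATLFS3', 'NOSUCH'):
        addr, trace = resolve(name, lab, DEFAULT_ORDER, timeout=2.0)
        print(name, '->', addr, 'after', len(trace), 'steps; last step', trace[-1][0])
```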
Scope List—This is an optional choice. If configured with an alpha-numeric name, it tells the client which scope to query for SA information. The client will only be able to browse in Network Neighborhood based on which scope(s) is input here. The list order reflects the preference order. Multiple Scope names are allowed, but not recommended for anyone other than Administrators. More than one scope will cause an SA query to be sent to all scopes—which may be too much network traffic. Scopes can also be configured via DHCP or discovered dynamically from Directory Agents (unless the Active Discovery option has been disabled), though dynamically discovered Scopes are not displayed here (they can only be viewed with the SLPINFO command). This is DHCP option 79. (See Figure S2.10.) Realize that SLP scopes are only needed to limit client browsing or if your environment is so large that an SLP reply packet would overflow the RFC’s allowable 64K data packet size—only applicable in very large environments of more than 400 NetWare servers. Registry Key: HKLM\Network\Novell\System Config\SRVLOC\Scope Registry Value: [string] 0, 1, ..., n Default Value: N/A Range: N/A Client Version: Implemented in the 95/98 Client version 3.0 or higher.
Figure S2.10 The SLP Scope List and Directory Agent List choices.
Static (check box): Check the Static check box if you don’t want the list to be supplemented by scopes that are discovered dynamically from Directory Agents, otherwise the client will use all scopes discovered through assigned Directory Agents.
Registry Key: HKLM\Network\Novell\System Config\SRVLOC\Static Scopes Registry Value: [string] 0 Default Value: OFF Range: ON, OFF Client Version: Implemented in the 95/98 Client version 3.0 or higher.
Directory Agent List—This is a list of SLP Directory Agent addresses. Multiple Directory Agent addresses are allowed. The SLP User Agent—which is your client workstation—will contact each of these DAs when doing a Service query, so it is not recommended to assign more than 2 or 3 DAs. Addresses may be a fully qualified domain name (DNS) or a dotted decimal IP address. Directory Agents can also be configured via DHCP, or discovered dynamically. This is DHCP option 78. Interestingly, the client parses the Directory Agent List backwards or upside down. Registry Key: HKLM\Network\Novell\System Config\SRVLOC\Directory Agent Registry Value: [string] 0, 1, ..., n Default Value: N/A Range: N/A Client Version: Implemented in the 95/98 Client version 3.0 or higher.
Best Practice: The use of DNS in this value can be used to provide load sharing among DAs in the same scope.
Static (in Directory Agent window): If you check the Static check box for the Directory Agent list, SLP requests will be sent only to the Directory Agents whose addresses or DNS names have been configured in the list. Otherwise, SLP will send requests to all Directory Agents discovered statically or dynamically in the network. Registry Key: HKLM\Network\Novell\System Config\SRVLOC\Static DAs Registry Value: [string] 0 Default Value: OFF Range: ON, OFF Client Version: Implemented in the 95/98 Client version 3.0 or higher.
Active Discovery (check box): Look for the DA via static configuration, DHCP, or multicast. This is the recommended setting. Controls whether or not SLP is allowed to use multicast to look up services. If it is set to ON, then the SLP name space provider can send multicast requests (224.0.1.22) to Service Agents (SAs). Setting this to ON also allows the SLP User Agent (UA) to attempt to locate a DA using multicast (224.0.1.35). A setting of OFF makes the SLP name space provider send all service requests to DAs via unicast; multicasts to SAs are NOT allowed.
Registry Key: HKLM\Network\Novell\System Config\SRVLOC\Active Discovery Registry Value: [string] 0 Default Value: ON Range: ON, OFF Client Version: Implemented in the 95/98 Client version 3.0 or higher.
Warning: If you have no server on your local segment—e.g., the closest NetWare server is across a router—you will have to configure the DA option in the client unless:
The router allows multicast traffic to pass OR
DHCP is used to give out the DA (option 78) OR
You use an IP address or DNS name in the login GUI preferred tree name box in the client OR
You use an IP address or DNS name in the login GUI preferred server box
Advanced Settings tab
The Advanced Settings tab (Figure S2.11) has the following organizational headings:
Connection
Environment, NETX Compatibility
File System
Packet Management
Performance, Cache
Printing
Troubleshooting
WAN
SLP General
SLP Times
These headings merely organize all of the many advanced settings into like pieces. The values will be listed by the aforementioned headings. Registry settings, again, follow each value so that you may change any value by a ZEN for Desktops package or login script registry hack.
Figure S2.11 The Advanced Settings tab has an additional organizational piece. The Parameter groups drop-down menu organizes the many choices by logical groupings.
Connection
The Connection group contains the parameters dealing with the Client’s connection to the network.
Auto Reconnect Level—This setting describes the level of automatic reconnection the Client will support in the event it loses its connection to a network service. Each level includes the previous level, plus any additional features listed. Selecting a value from 0 to 5 will cause the following to be restored:
0 = No auto reconnect—Disable
1 = Devices (connections, drive mappings, and printer captures only)
2 = Devices (connections, drive mappings, and printers) plus read-only files
3 = Devices (connections, drive mappings, and printers) plus all files and file locks
4 = Devices (connections, drive mappings, and printers) plus added file write data recovery is guaranteed
5 = Reserved for future use: devices, all opened files/file locks, guaranteed file write data recovery, and the ability to write network files to local disk and then resync files to the network later (only available with Disconnectable NetWare)
Note: The 3.2 95/98 Client and NetWare 5 only support Auto Reconnect Levels 0–3. Levels 4 and 5 are for future implementations of the Client and NetWare. If you specify 5, the auto reconnect level is effectively 4. The range is 0 to 5. The default is 3. Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\AUTO RECONNECT LEVEL
Supplement 2:
Novell Client32 Properties
95
Registry Value: [string] 0 Default Value: 3 Range: 0 - 5 Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Auto Reconnect Timeout—This setting specifies the time, in minutes, after which auto reconnect capabilities are dropped if the client cannot reconnect to the services that were previously available. The Auto Reconnect feature will continue to attempt to reconnect to lost resources for 10 minutes, by default, before timing out. The range is 1 to 65,535 minutes. The default is 10.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\AUTO RECONNECT TIMEOUT
Registry Value: [string] 0
Default Value: 120
Range: 120 - 65535
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
NetWare Protocol—Enables you to specify the NetWare protocols that are initially used to authenticate to the network and the order in which they are accessed. You can give priority to a specific protocol for login, the load order, and other functions performed by the Client. These are legacy settings that control the order in which the Name Space Providers (formerly NetWare Name Services) are accessed; this is now controlled by the Name Resolution Order on the Protocol Preferences tab. The default is NDS BIND. The values are:
NDS BIND: NDS first, then try the server bindery
BIND NDS: Bindery attempt first, then try NDS
NDS: Needs a replica-holding server to authenticate
BIND: Queries the bindery for a replica server (SAP type 278)
In a Pure IP environment—with no IPX loaded on the client or on the server—the BINDERY (BIND) option will not work. The BIND option is dependent upon IPX being loaded on the server. Even a Pure IP client can query, via IP, the server’s BINDERY as long as IPX is bound to the server. This will enable the client to see every NetWare server in Network Neighborhood.
Note: This is not to be confused with the protocols that you can set through the Protocol Preference tab, which is also found under the Novell NetWare Client Properties window. The Protocol Preference tab gives the complete listing of both IPX and IP protocol services that are available (with NetWare 5’s default of IP protocol loading first), as well as the services that can be used to resolve NetWare server names to appropriate services and IP addresses when necessary.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\NetWare Protocol
Registry Value: [string] 0
Default Value: NDS BIND
Range: NDS BIND, BIND NDS, NDS, BIND
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Replica Timeout—The length of time the client will keep attempting to log back in to the NDS replica after the previous primary NDS server has been logged out of; this helps to ensure that a user is connecting to the closest NDS replica servers.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\REPLICA TIMEOUT
Registry Value: [string] 0
Default Value: 0
Range: 0 - 1000 (minutes)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.
Resolve Name Using Primary Connection—If this entry is set to On (the default), the resolution of name requests will only be done over the primary connection/primary NDS server (for NetWare 5, this is IP using the NWHOST file). If you set this entry to Off, resolution of name requests for IP will be done over all connections rather than the primary connection only.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\Resolve Name Using Primary
Registry Value: [string] 0
Default Value: ON
Range: ON, OFF
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Environment, NETX Compatibility
The Environment, NETX Compatibility grouping contains settings used mostly for backward compatibility with earlier versions of DOS and Windows 3.x applications.
Broadcast Mode—Choices of All, Server Only, or None. Broadcast Mode controls what type of incoming popup messages a workstation can receive.
All: Workstation receives all incoming messages from users and servers
Server Only: Receives only messages generated by the server (low volume space, printing notification, etc.)
None: Restricts all incoming popup messages.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\broadcast mode
Registry Value: [string] 0
Default Value: 120
Range: 0, 1, 2 (0=All, 1=Server Only, 2=None)
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Cache NetWare Password—This setting specifies whether the NetWare password from the first NetWare login is stored in memory and used to authenticate to additional NetWare resources. For best performance, leave it on. Use the default setting if you do not want to be prompted for your username and password when accessing additional resources on other servers. You will be prompted only when the Client cannot authenticate to those network resources by using the username and password you specified when you first logged in. Your username and password are stored in RAM, not on your hard disk. After you shut down your computer, your username and password are flushed from memory. You will, obviously, be prompted for them again the next time you start your computer. Set the value of this setting to Off if you want to be prompted for your username and password whenever you access a network resource that you are not already authenticated to. You must then specify your username and password for every NDS and bindery resource you want to access. The default is On.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Cache NetWare Password
Registry Value: [string] 0
Default Value: ON
Range: ON, OFF
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
DOS Name—This parameter sets the name of the operating system used in the shell. This value can be 1 to 5 characters long. The %OS variable in the login or profile script uses this value when mapping a search drive to the network DOS directory. For example, if you have a Windows 95 workstation and you wish to make the CAB files available to all Windows 95 users, you can put a line similar to the following in the container login script or profile script:
IF %OS == "WIN95", THEN MAP INS S3:=SYS_VOL:PUBLIC\WIN95\CAB
The default changes to match the operating system that is presently loaded, such as WIN95 or WIN98.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\DOS NAME
Registry Value: [string] 0
Default Value: WIN95
Range: N/A
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
End of Job—This command is for backward compatibility with programs that usually predate DOS v3.0. If turned on, it sends an End Of Job command to the file server, which releases all resources (files, locks, semaphores) allocated on the file server to the current task. The default is Off.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\EOJ
Registry Value: [string] 0
Default Value: NO (OFF)
Range: YES, NO (GUI shows this as ON, OFF; registry uses YES, NO)
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Environment Pad—This setting adds the specified number of bytes to the DOS environment for DOS applications running in a Windows environment. Use this parameter if you have DOS applications that need additional environment space after Windows is loaded. (In Windows 95/98, you can specify these settings for each DOS application through the Properties ➝ Memory ➝ Initial Settings entry.) The range is 17 to 512 bytes. The default is 17.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\ENVIRONMENT PAD
Registry Value: [string] 0
Default Value: 17
Range: 17 - 512 bytes
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Force First Network Drive—This setting specifies the network drive letter that the SYS:LOGIN directory is mapped to before logging in and after logging out of a server or network. On returns you to the First Network Drive. Off maps SYS:LOGIN to the current drive letter in use or leaves you at the current drive. For this setting to work, the First Network Drive setting must also be set. Setting the value to On specifies that the drive letter that the SYS:LOGIN directory is mapped to after logging out must be the same as the one used in First Network Drive. Setting the value to Off specifies that the drive letter is the one you logged out from, unless you logged out from a local drive. The default is Off.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\FORCE FIRST NETWORK DRIVE
Registry Value: [string] 0
Default Value: NO (OFF)
Range: YES, NO (GUI shows this as ON, OFF; registry uses YES, NO)
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Hold Files—This setting specifies whether files opened by a program using FCB_IO are held open until the program ends. The default setting, Off, means that files opened by a program using FCB_IO can be closed by the program before it exits. On means they are held open until the program exits. Older versions of certain applications that use FCB_IO might need the value of this setting to be On. The default is Off.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\Hold Files
Registry Value: [string] 0
Default Value: OFF
Range: ON, OFF
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Long Machine Type—This parameter tells the Novell Client software what type of machine is being used each time the %MACHINE variable is accessed. This is an ancient variable mainly used to set the machine’s search path to the correct version of DOS. The default is IBM_PC. You can use the %MACHINE variable along with the %OS and %OS_VERSION variables to map network drives to specific operating system versions or their CAB files.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\LONG MACHINE TYPE
Registry Value: [string] 0
Default Value: IBM_PC
Range: N/A
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Maximum Cur Dir Length—DOS, in earlier versions, defined a valid ASCII string to be 128 bytes. This gave 128 bytes to define a directory path—including the file name. Some applications may not function correctly if this value is greater than 64. The range is 64 to 255 characters. The default is 64.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\Max Cur Dir Length
Registry Value: [string] 0
Default Value: 64
Range: 64-255 characters
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
NWLanguage (not in client version 3.21)—This setting determines the language that NetWare utilities will default to on this workstation. Earlier versions required this variable to be set in the AUTOEXEC.BAT. The default is English.
Registry Key: HKLM\Network\Novell\System Config\Language\NWLanguage
Registry Value: (Default)
Default Value: ENGLISH
Range: N/A (Any valid string will be accepted)
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Polled Broadcast Message Buffers—This parameter sets the maximum number of broadcast messages saved on the Client when the Broadcast Message Mode (a value carried in the broadcast packet, not the same as Broadcast Mode) is set to polled. The range is 0 to 100 messages. The default is 0.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\polled broadcast msg buffers
Registry Value: [string] 0
Default Value: 0
Range: 0-100
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Remove Drive From Environment—This setting determines whether a search drive letter is removed from the path when a drive is deleted. The default is On. If the AUTOEXEC.BAT defines a PATH statement that includes a network drive letter (e.g., pointing to a drive letter that will be mapped to an NT or other non-NetWare server during persistent drive reconnection), it will be removed during login to NetWare unless this parameter is set to Off.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\REMOVE DRIVE FROM ENVIRONMENT
Registry Value: [string] 0
Default Value: NO (OFF)
Range: YES, NO (GUI shows this as ON, OFF; registry uses YES, NO)
Client Version: Implemented by at least the 95/98 Client version 3.0 or higher.
Search DIRs First—This setting specifies whether directories or files are displayed first when using the DIR command. When you set this parameter to Off, you will see files displayed first, followed by directories. If you set this parameter to On, you will see directories displayed first, and then files. Unless you open more directories than files, leave this setting at the default. The default is Off.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\SEARCH DIR FIRST
Registry Value: [string] 0
Default Value: NO (OFF)
Range: YES, NO (GUI shows this as ON, OFF; registry uses YES, NO)
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Search Mode—This setting alters the way the client finds a file that is not in the current path or directory. In some previous client software versions, the default drive had to be a network drive for this setting to function, but now the effect is global. This setting affects all .EXE and .COM files, regardless of the current drive. When using Search Mode, select the search mode that works correctly with most of your .EXE and .COM files. If you want to set a search mode for one particular .EXE or .COM file, use the Search Mode option in FLAG. Search Mode has five settings: 1, 2, 3, 5, and 7. The default is 1.
Mode 1 is the default setting; it looks in the search drives only when the application specifies no path and the file is not in the default directory. Mode 1 works with both read-only and read-write requests.
Mode 2 prevents the Novell Client from looking in any search drives for auxiliary files (a do-not-search mode).
Mode 3 acts as Mode 1, but it applies only to read-only search requests (a search on read-only opens with no path).
Mode 5 searches on all search paths, even if the application also specifies a path (a search on all opens).
Mode 7 acts as Mode 5, except it looks in the search drives for read-only requests only (a search on all read-only opens).
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\SEARCH MODE
Registry Value: [string] 0
Default Value: 1
Range: 1-7
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Set Station Time—This parameter synchronizes the client workstation date and time with that of the NetWare server that the client workstation initially attaches to. The workstation’s displayed time is a function of the workstation’s own time zone setting calculated against the server’s time, which is a value derived from GMT plus or minus the server’s specific time zone settings. Setting the value of this parameter to Off disables the synchronization feature. The default is On.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\Set Station Time
Registry Value: [string] 0
Default Value: ON
Range: ON, OFF
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Short Machine Type—Specifies which overlay files to use with the specific client workstation machine type. Used specifically with overlay files, usually for certain monitor types. Similar to Long Machine Type. This setting is used when the %SMACHINE variable is accessed. Examples of files using this setting and value include the IBM$RUN.OVL file for the windowing utilities and the CMPQ$RUN.OVL file that uses a default black-and-white color palette for DOS-based NetWare menus. This setting can be up to four characters long. The default is IBM.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\SHORT MACHINE TYPE
Registry Value: [string] 0
Default Value: IBM
Range: N/A (Any valid string)
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Shrink Path to Dot—This setting specifies whether network search drives in the DOS PATH variable are truncated to a dot or left with the full directory path. The default is On.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\SHRINK PATH TO DOT
Registry Value: [string] 0
Default Value: YES (ON)
Range: YES, NO (GUI shows this as ON, OFF; registry uses YES, NO)
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Use Video BIOS—Specifies whether the Client uses BIOS or direct video memory access when a pop-up message is displayed. Applies only to messages that are displayed in character mode. A setting of Off causes the Novell Client to use direct video memory access (faster than using BIOS calls). The default is Off.
Registry Key: HKLM\Network\Novell\System Config\NIOS\Use Video BIOS
Registry Value: [string] 0
Default Value: OFF
Range: ON, OFF
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
File System
The File System grouping contains parameters that deal with locking and several caching mechanisms.
Lock Delay—Sets the amount of time, in ticks (1/18 of a second), the Novell Client waits before trying to get a lock for a file. Use this setting if client workstations frequently receive error messages when a file is requested. Increase this value if you receive SHARE errors. When many users access a file simultaneously, the Client might be unable to gain access before its allotted wait time. This number is used for lock types that do not have a wait ability. For locks that have a wait ability, calculate the wait time by multiplying this value by the Lock Retries number and multiplying by 2. The resulting number is the time, in ticks, the client workstation waits for a lock. The range is 1 to 65,535 ticks. The default is 1.
Note: To determine the total time (in ticks) needed to broadcast a name resolution packet across the network, multiply the wait time value by the value used for the Lock Retries setting.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\LOCK DELAY
Registry Value: [string] 0
Default Value: 1
Range: 0-65535 ticks
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Lock Retries—Establishes the number of client retries to open or lock a file after a SHARE failure. Increase this value if you receive SHARE errors. The range is 1 to 65,535 retries. The default is 5.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\LOCK RETRIES
Registry Value: [string] 0
Default Value: 5
Range: 1-65535 retries
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Read Only Compatibility—Determines whether a file marked Read Only can be opened with a Read/Write access call. Some applications require this parameter to be On to function properly. If you are using any application that uses the NETX=OFF command, ensure that this setting is On. The default is Off.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\READ ONLY COMPATIBILITY
Registry Value: [string] 0
Default Value: NO (OFF)
Range: YES, NO (GUI shows this as ON, OFF; registry uses YES, NO)
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Use Extended File Handles—Controls whether the Novell Client uses extended file handles. With Use Extended File Handles = Off, the number of files the client can open is limited by the space available in the job file table (JFT) to 170 files. With Use Extended File Handles = On, the number of files that can be opened is limited only by the value of the server’s Maximum Locks Per Connection setting. It is recommended to keep the default of Use Extended File Handles = Off unless you have a rare case. The default is Off.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\USE EXTENDED FILE HANDLES
Registry Value: [string] 0
Default Value: NO (OFF)
Range: YES, NO (GUI shows this as ON, OFF; registry uses YES, NO)
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Packet Management
The Packet Management group contains parameters that affect packet size and other packet-level settings. The allowable range for a workstation packet is 576 to 6500 bytes, depending upon the LAN driver, client configuration settings, or the router’s maximum transmission unit (MTU).
Checksum—This setting specifies a higher level of data integrity by validating NetWare Core Protocol (NCP) packets. This value represents an IPX checksum, which may be in addition to other error checking that the network board or driver may already be performing. The values are as follows:
0: Disabled
1: Enabled but not preferred
2: Enabled and preferred
3: Required
Setting the value for this parameter to 2 or 3 increases data integrity but decreases performance. The range is 0 to 3. The default is 1.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\CHECKSUM
Registry Value: [string] 0
Default Value: 3
Range: 0 - 3
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Large Internet Packets—Allows your workstation to use packets larger than NetWare’s default of 576 bytes. When set to On, Large Internet Packets uses the maximum packet size negotiated between the NetWare server and the workstation, taking into consideration the largest packet size (MTU) the network supports, too. The default is On.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\large internet packets
Registry Value: [string] 0
Default Value: YES (ON)
Range: YES, NO (GUI shows this as ON, OFF; registry uses YES, NO)
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Link Support Layer Max Buffer Size—Specifies the maximum supported packet size in bytes. Use this setting to optimize performance for media (primarily Token Ring) that can use packets that are larger than the default size. If your workstation’s network board uses bus mastering, increasing this value increases the system memory usage. Without bus mastering, system memory usage is normally unaffected by this value. The range is 638 to 24,682 bytes. The default is 4,736.
Registry Key: HKLM\Network\Novell\System Config\Link Support\Max Buffer Size
Registry Value: [string] 0
Default Value: 4736
Range: 638-24682 bytes
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Packet Burst—Controls the use of the Packet Burst protocol for file input/output (read/write). Normally, enabling Packet Burst reduces overall network traffic and improves network performance by permitting multiple packets to be sent before an acknowledgment is required. The default is On.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\PB BUFFERS
Registry Value: [string] 0
Default Value: 1
Range: 0, 1 (0=Off, 1=On)
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Packet Burst Read Window Size—This setting specifies the maximum window size (in packets) that Packet Burst should use for read bursts.
Warning: Normally, you should not change the value of this setting. This value is not used in IP, because IP has its own windowing capabilities. The window size that Packet Burst uses changes dynamically depending on network conditions. The Packet Burst Read Window Size sets an upper limit for this window size. Packet Burst supersedes the Packet Burst Read Window Size value if the quantity of packets specified results in a window size greater than 64 KB. For low-bandwidth network connections, increasing this value might improve performance. Increasing this value past its default setting may be damaging to server performance. The client will continue to try to increase this value even if it has previously backed off the same value because of network problems (the Client reduces the value as packets are lost or when it receives data in the packet that is incomplete). The range is 3 to 255 packets. The default is 24 (or 255, if Packet Burst detects a low-bandwidth network connection).
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\PBURST READ WINDOW SIZE
Registry Value: [string] 0
Default Value: 24
Range: 3-255 packets
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Packet Burst Write Window Size—This setting specifies the maximum window size (in packets) that Packet Burst should use for write bursts.
Warning: Normally, you should not change the value of this setting. Increasing this value might have a negative effect on server performance.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\PBURST WRITE WINDOW SIZE
Registry Value: [string] 0
Default Value: 10
Range: 3-255 packets
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Signature Level—This parameter establishes the level of enhanced security support provided by packet signing of the first 64 bytes of a packet, which ensures some degree of data integrity. Enhanced security includes:
Use of a message digest algorithm
Per connection/per request session state
The values are as follows:
0: Disabled
1: Enabled but not preferred. Can sign if required by the server
2: Preferred, but won’t work if not supported on the server side
3: Required signing, or won’t communicate with the server
The range is 0 to 3. The default is 1. The SET command at the server that initiates packet signatures is:
:SET NCP PACKET SIGNATURE OPTION = X
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\signature level
Registry Value: [string] 0
Default Value: 1
Range: 0-3 (0=Disabled, 1=Enabled but not preferred, 2=Preferred, 3=Required)
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
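Three of the settings in this supplement bear directly on session security: Signature Level and Checksum above, and Cache NetWare Password in the Environment group. The following script is an added example for this supplement (not code from the book or from Novell) that reads a REGEDIT4-style export of the two registry keys the text lists and reports values an administrator would want to review. The export text is constructed for the example, and the review thresholds (signing required, checksum not disabled, password caching off) are the example's own policy rather than a Novell recommendation.

```python
"""Audit a Novell Client32 registry export for the settings that bear on
NCP session security: Signature Level, Checksum and Cache NetWare Password.

Added example (not from the book or Novell). The .reg text is constructed,
and the review thresholds are this example's policy, not Novell's."""
import re
from typing import Dict, List, Optional, Tuple

# Registry keys as the text lists them (HKLM expanded to HKEY_LOCAL_MACHINE).
REQUESTER_KEY = r"HKEY_LOCAL_MACHINE\Network\Novell\System Config\NetWare DOS Requester"
PROVIDER_KEY = r"HKEY_LOCAL_MACHINE\Network\Novell\System Config\Network Provider"

# Meaning of each numeric level, from the value lists in the text.
SIGNATURE_LEVELS = {0: "Disabled", 1: "Enabled but not preferred",
                    2: "Preferred", 3: "Required"}
CHECKSUM_LEVELS = {0: "Disabled", 1: "Enabled but not preferred",
                   2: "Enabled and preferred", 3: "Required"}

# Constructed export of a workstation whose settings were never tightened.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Network\Novell\System Config\NetWare DOS Requester]
"signature level"="1"
"CHECKSUM"="0"
"PB BUFFERS"="1"

[HKEY_LOCAL_MACHINE\Network\Novell\System Config\Network Provider]
"Cache NetWare Password"="ON"
"""

# Constructed export of the same workstation after the settings were tightened.
HARDENED_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Network\Novell\System Config\NetWare DOS Requester]
"signature level"="3"
"CHECKSUM"="2"

[HKEY_LOCAL_MACHINE\Network\Novell\System Config\Network Provider]
"Cache NetWare Password"="OFF"
"""

RegTree = Dict[str, Dict[str, str]]


def parse_reg(text: str) -> RegTree:
    """Parse the subset of .reg syntax Client32 uses: [key] sections holding
    "name"="string" values. Keys and value names are folded to lower case,
    because the registry compares them case-insensitively."""
    tree: RegTree = {}
    current: Optional[str] = None
    value_re = re.compile(r'^"([^"]+)"="([^"]*)"$')
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("REGEDIT") or line.startswith("Windows Registry"):
            continue  # header or blank line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            tree.setdefault(current, {})
            continue
        m = value_re.match(line)
        if m and current is not None:
            tree[current][m.group(1).lower()] = m.group(2)
    return tree


def get_value(tree: RegTree, key: str, name: str) -> Optional[str]:
    return tree.get(key.lower(), {}).get(name.lower())


def audit(tree: RegTree) -> List[Tuple[str, str, str]]:
    """Return (setting, observed value, finding) for each setting that does not
    meet the example policy. An empty list means nothing to review."""
    findings: List[Tuple[str, str, str]] = []

    sig = get_value(tree, REQUESTER_KEY, "signature level")
    if sig is None:
        findings.append(("Signature Level", "not set", "client default (1) applies; signing is negotiable"))
    elif int(sig) < 3:
        findings.append(("Signature Level", f"{sig} ({SIGNATURE_LEVELS[int(sig)]})",
                         "signing is negotiable; require it (3) on both client and server"))

    chk = get_value(tree, REQUESTER_KEY, "checksum")
    if chk is None:
        findings.append(("Checksum", "not set", "client default applies; confirm it is not 0"))
    elif int(chk) == 0:
        findings.append(("Checksum", f"{chk} ({CHECKSUM_LEVELS[0]})",
                         "NCP checksums disabled; enable (1 or 2) unless the performance cost is prohibitive"))

    pw = get_value(tree, PROVIDER_KEY, "cache netware password")
    if pw is None or pw.upper() == "ON":
        findings.append(("Cache NetWare Password", pw or "not set (default ON)",
                         "credentials stay in RAM for the session; set OFF where re-prompting is acceptable"))
    return findings


def audit_export(text: str) -> List[Tuple[str, str, str]]:
    """Parse an export and audit it in one call."""
    return audit(parse_reg(text))


if __name__ == "__main__":
    for label, reg in (("before", SAMPLE_REG), ("hardened", HARDENED_REG)):
        print(f"== {label} ==")
        for setting, observed, finding in audit_export(reg) or [("(none)", "", "no findings")]:
            print(f"{setting:24} {observed:32} {finding}")
```

Run against the constructed "before" export it reports all three settings; against the hardened export it reports nothing. Because the registry stores these values as strings, the parser keeps them as strings and the audit converts only where a numeric comparison is needed.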
Performance, Cache
The Performance, Cache group contains the parameters that affect caching and performance.
Cache Writes—This setting specifies whether network writes are cached at this workstation. The default setting, On, improves client performance by saving files to workstation memory before saving them to the network. Setting the value for this parameter to Off improves data integrity but reduces performance: the Novell Client must submit the file write changes to the server before being allowed to continue. Leaving the value for this setting as On (the default) can cause data loss if the NetWare server runs out of disk space between write requests or if the workstation crashes or fatally loses its connection with the network. This is not the same as the True Commit parameter, which goes a step further and requires that the server acknowledge that the file changes have actually been committed to the volume on the server (not just submitted to be written) before the client is allowed to continue. Network writes are not cached if the True Commit parameter is set to On. The default is On.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\CACHE WRITES
Registry Value: [string] 0
Default Value: YES (ON)
Range: YES, NO (GUI shows this as ON, OFF; registry uses YES, NO)
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Close Behind Ticks—This setting specifies the time, in ticks (1/18 of a second), that the client waits after a file is closed before flushing the file from the cache and writing it to disk. Increasing this value improves performance. Setting the value for this parameter to 0 increases data integrity but decreases performance. Using this setting improves performance most when files are opened and closed frequently. If a file is opened again during the delay period specified by this setting, the file is reused without hitting the network. If the value of Close Behind Ticks is 0, the value of Delay Writes has no effect. The value of File Cache Level does not affect whether files are held open after they are closed; the value of Close Behind Ticks is the only value that affects this. Increasing this value will improve file performance where files are opened, changed, closed, and then reopened frequently (e.g., a database). The range is 0 to 65,535 ticks. The default is 0.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\CLOSE BEHIND TICKS
Registry Value: [string] 0
Default Value: 0
Range: 0 - 65535
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Delay Writes—Delay Writes keeps the file in cache for the amount of time specified by the Close Behind Ticks parameter after the application closes the file. This is used for applications that repeatedly close and reopen files (such as overlay files). The following is a list of further explanations.
Set the value of this parameter to On if you want faster performance. When Delay Writes is set to On, network writes can lag behind an application’s close file request. This allows the application to continue without having to wait for the data to actually be written to the network server. Therefore, the application can respond more quickly.
When Delay Writes is set to On and you exit Windows or the MS-DOS Prompt where you were running an application, all outstanding write data is written to the network without delay.
The amount of time for the delay is specified by the Close Behind Ticks parameter. If the value of Close Behind Ticks is 0, writes are not delayed regardless of the value of Delay Writes. If Cache Writes is set to Off, writes are not delayed regardless of the value of Delay Writes.
The default is Off.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\DELAY WRITES
Registry Value: [string] 0
Default Value: NO (OFF)
Range: YES, NO (GUI shows this as ON, OFF; registry uses YES, NO)
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
File Cache Level—This parameter defines how the Novell Client should cache file data. The values are as follows:
0 = Disabled: When file caching is disabled, no extended memory is used for caching.
1 = Read-ahead and write-behind only: Read-ahead is a caching mode where, on a read request, an entire block of data (up to 4 KB) is read from the network rather than just the portion of the block that is requested. The assumption is that other nearby data (within the 4 KB block) is likely to be accessed next, thus reducing the number of network accesses necessary to read the file. Read-ahead mode is most efficient when the file is being accessed sequentially. During random accesses to large files, read-ahead causes performance to deteriorate, so read-ahead caching is turned off when random access is detected. The Novell Client also performs write-behind caching, where data is written into a cached data block until the entire block is filled, and then the entire block is written to disk at once (as opposed to writing data directly to disk in smaller chunks). This setting causes the client to use read-ahead and write-behind file caching without using any other file-caching methods.
2 = Short-lived caching (open files only): When using this caching method, the client can cache file data up until the file is closed. If the file is reopened, file read and write operations will begin fresh instead of checking the cache to see if any file data is still there. With this setting, files are fully cached when they are opened, which means the entire file is stored in memory using as many 4 KB blocks as are necessary. The data remains cached in memory until the file is closed. If you reopen the file, it will have to be read again from the server. This is known as “short-lived caching.”
3 = Long-lived caching: With this setting, both open and closed files are kept in cache as long as memory is available. This is known as “long-lived caching.” When using this caching method, the Client retrieves file data from cache buffers that are already in memory if a file is closed and reopened and if the file data is still in the buffers, but only if no changes have been made to the file since the last time it was in cache memory.
4 = (Reserved for future use)
The larger the value, the better the performance. Keep in mind that using local caching is more risky because data could be lost if the local hard disk fails or if there is a power glitch. Network writes are not cached if True Commit is set to On or if Cache Writes is set to Off. The valid range is 0 to 3. The default is 3.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\FILE CACHE LEVEL
Registry Value: [string] 0
Default Value: 3
Range: 0 - 3
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
File Write Through—This setting controls whether all files are opened in write-through mode, which means the client waits until it receives an acknowledgment that data is written to the network disk, thus avoiding both client and server caching mechanisms. If a file is opened in write-through mode, the writes to that file will not be cached on the client or the server. In effect, File Write Through = On disables file write caching, which reduces overall client performance but ensures data integrity in the event of catastrophic failure of the client workstation. The default setting (File Write Through = Off) is recommended. Often the application or system will offer similar capabilities, such as a two-phase commit in a relational database management system (such as Oracle).
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\FILE WRITE THROUGH
Registry Value: [string] 0
Default Value: NO (OFF)
Range: YES, NO (GUI shows this as ON, OFF, registry uses YES, NO)
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Max Cache Size—This control sets the largest possible amount of memory (in KB) that the client can use for caching. When the value of this parameter is set to 0 (the default), the cache size is dynamically set to 25 percent of the total amount of memory that is free when the CLIENT32.NLM program loads. The amount of memory that is free at this time can vary significantly between workstations depending upon what other software is initially installed after the workstation’s operating system. When the value of this parameter is not 0, the cache size is set to the specified value. However, the cache size cannot be greater than 75 percent of the total free memory. For example, if you specify a value of 8,192 for this parameter and the total free memory when CLIENT32.NLM loads is only 8 MB, your cache size would be around 6 MB because that is 75 percent of the free memory. Larger values improve the performance of network file access but decrease the memory available for running applications or caching local drives. When caching is turned off (by setting the File Cache Level to 0), the Client does not use any workstation memory for caching. The range is 0 to 49,152 KB. The default is 0.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\MAX CACHE SIZE
Registry Value: [string] 0
Default Value: 0 (dynamically sized by Novell Client)
Range: 0-49152 Kbytes
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Name Cache Level—Name Cache Level specifies the type of service-name-to-address mapping cache (name cache) that the Novell client will use. The settings are:
0 = Disabled
1 = Enabled: Level 1 turns on name caching but does not save the cache entries to the hard disk, which means the cache will be emptied upon every reboot.
2 = Enabled with persistence: Level 2 enables name caching and saves the contents of the cache to the hard disk (in the Windows registry) so it is available for query even after the workstation is restarted, which can result in significantly reduced login times and network traffic.
If you have trouble resolving server names or tree names or resolving user names to object IDs, try setting this parameter to 0 to determine whether the client is producing this problem. If this parameter is set to 1 or 2, entries are entered into name cache when a service name-to-IP address or object-to-ID lookup is successfully completed by an NCP request to that network service. Subsequent name resolution requests are then handled by name cache. Note: The larger the value, the better the performance. The range is 0 to 2. The default is 1.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\Name Cache Level
Registry Value: [string] 0
Default Value: 1
Range: 0, 1, 2 (0=disabled, 1=enabled, 2=enabled with persistence)
Client Version: Implemented in the 95/98 Client version 3.1 or higher.
Opportunistic Locking—Use this parameter to automatically detect opportunities to cache files. Note: Setting this value to On increases file access performance. The default is Off.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\OPPORTUNISTIC LOCKING
Registry Value: [string] 0
Default Value: NO (OFF)
Range: YES, NO (GUI shows this as ON, OFF, registry uses YES, NO)
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
True Commit—This setting specifies whether file writes should be written to the server’s disk immediately. Setting the value of this parameter to On guarantees data integrity when processing critical data. However, the On setting slows performance, because data that is written to the network is not cached at the workstation or the server. Setting the value of this parameter to Off results in better performance. Network writes are not cached if the True Commit value is set to On or if the Cache Writes value is set to Off. Set the True Commit value to Off if you want to choose performance over integrity, or set the value to On to choose integrity over performance. The default is Off.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\TRUE COMMIT
Registry Value: [string] 0
Default Value: NO (OFF)
Range: YES, NO (GUI shows this as ON, OFF, registry uses YES, NO)
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Printing
The Printing grouping contains those client settings that affect workstation printing.
Network Printers—This parameter sets the number of LPT ports that the Client can capture/redirect. This setting allows you to capture and redirect LPT1 through LPT9. Default is 3. Increasing the value of this setting increases memory use. The amount of conventional memory used can be calculated using the following formula:
mem = netprt x (prthdr + prttail + 23 bytes)
For example:
Network Printers [netprt] = 3
Print Header [prthdr] = 64 bytes
Print Tail [prttail] = 16 bytes
Memory [mem] = 3 x (64 bytes + 16 bytes + 23 bytes) = 309 bytes (a very nominal amount)
The range is 0 to 9 printer ports. The default is 3.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\Network Printers
Registry Value: [string] 0
Default Value: 3
Range: 0-9 printers
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Print Header—This control sets the size of the buffer (in bytes) that holds the information used to initialize a printer for each print job. This information is usually addressed by the printer driver, as it is a part of the print job itself. Note: There is little reason to modify this value. The range is 0 to 1,024 bytes. The default is 64 bytes (characters).
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\Print Header
Registry Value: [string] 0
Default Value: 64
Range: 0-1024 bytes
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Print Tail—This control sets the size of the buffer (in bytes) that holds the information used to reset or re-initialize the printer after a print job. This information is now a part of the print job itself and is addressed by the printer driver used for printing. Some printers use two characters for their initialization sequence, while other printers need each function used to be turned off. If your printer is not clearing out the printer buffer completely or is resetting after each print job, increase the print tail size and see if the problem goes away. The range is 0 to 1,024 bytes. The default is 16.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\Print Tail
Registry Value: [string] 0
Default Value: 16
Range: 0-1024 bytes
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Trouble Shooting
The Trouble Shooting grouping contains the parameters that are helpful for troubleshooting.
Alert Beep—Specifies whether the client should sound an audible beep when it displays popup alert messages; this applies only to messages that are displayed in character mode. The default is On.
Registry Key: HKLM\Network\Novell\System Config\NIOS\Alert Beep
Registry Value: [string] 0
Default Value: ON
Range: ON, OFF
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Handle Net Errors—This setting determines whether the Novell client or the applications handle network-critical errors. A network error is generated when the client workstation does not receive a response from the NetWare server. To have the client handle network-critical errors, set the value to On. To have the client generate an interrupt 24, allowing applications to handle network-critical errors, set the value to Off. The value of Handle Net Errors affects the handling of the Net Status Timeout and Net Status Busy Timeout settings. The default is On.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\handle net errors
Registry Value: [string] 0
Default Value: NO (OFF)
Range: YES, NO (GUI shows this as ON, OFF, registry uses YES, NO)
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Log File—This setting specifies the path and location of the log file used for client diagnostics. The default is the NIOS.LOG file in the NetWare home directory, for example, C:\NOVELL\CLIENT32\NIOS.LOG. Note: You must enable the log file by setting the following parameter in the SYSTEM.INI file:
NWEnable Logging=True
Registry Key: HKLM\Network\Novell\System Config\NIOS\LOG FILE
Registry Value: [string] 0
Default Value: NULL
Range: N/A
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Log File Size—This setting specifies the maximum size (in bytes) of the log file used for client diagnostics. The range is 1 to 1,048,576 bytes. The default size is 65,535 bytes (about 6K). When the limit is reached, the information is then truncated as newer information is added during the login process.
Registry Key: HKLM\Network\Novell\System Config\NIOS\LOG FILE SIZE
Registry Value: [string] 0
Default Value: 65535
Range: 0 - 1048576 bytes
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Message Timeout—This setting defines how long, in ticks (1/18 of a second), before broadcast messages are cleared from the screen without user intervention. Zero means to wait for the user to clear the message. The range is 0 to 10,000 ticks. The default is 0. 10,000 ticks is about 9 minutes.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\Message Timeout
Registry Value: [string] 0
Default Value: 0 (User must clear the message manually)
Range: 0-10000 ticks
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Net Status Busy Timeout—This setting specifies the number of seconds the Novell client waits for a non-busy response before displaying a message that the server is busy. When Handle Net Errors is set to Off, the error message does not appear. Instead, an error is returned to the application that made the network request. The range is 1 to 600 seconds. The default is 20.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\net status busy timeout
Registry Value: [string] 0
Default Value: 180
Range: 1-600 seconds
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Net Status Timeout—This setting specifies the number of seconds the Novell client waits for a network response before concluding that a network error has occurred. The actual time the client waits might be longer than this value. If four times the average roundtrip time to the network is greater than the value for Net Status Timeout, the client waits four times the average roundtrip time. For example, if the Net Status Timeout is 15 seconds and the average roundtrip time to the server is four seconds, the client waits 16 seconds (four times the average roundtrip time) before displaying an error message. (The Net Status Busy Timeout is used instead when there has been a “Server Busy”/Choke/“Request Being Processed” reply from the server for a request, but the actual requested information has not yet been provided.) When Handle Net Errors is set to Off, the error message does not appear. Instead, an error is returned to the application that made the network request. The range is 1 to 600 seconds. The default is 30 seconds.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\net status timeout
Registry Value: [string] 0
Default Value: 30
Range: 1-600 seconds
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
WAN
The WAN group contains the parameters that can be set to optimize the client’s performance over WAN links.
Large Internet Packet Start Size—This setting specifies the starting value (in bytes) for negotiating the Large Internet Packet size. Use this option to reduce the amount of traffic caused by the negotiation process (use 1514 for Ethernet, 4096 for Token Ring). Setting this value can shorten the initial negotiation time for packet size over slow links. The range is 512 to 65,535 bytes. The default is 65,535. On the server side, you can use the following SET command to set or define the maximum physical packet size that the server will support:
SET MAXIMUM PHYSICAL RECEIVE PACKET SIZE = 4224 (default size)
The default size is set for Token Ring, 4,202 bytes—Ethernet is 1,514 bytes, and the value should be changed if you are running Ethernet. NetWare 5 defaults to 4,202 to accommodate the larger packet size, even if the network uses the Ethernet protocol only. When a workstation negotiates a connection to the server, the packet size for the session is negotiated also. Verify this SET parameter is set large enough to support the protocols run on the network—otherwise, the server’s packet receive buffers can become a potential bottleneck for workstations.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\lip start size
Registry Value: [string] 0
Default Value: 65535
Range: 512-65535
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Minimum Time to Net—On bridged WAN/satellite links with low time-to-net values, workstations may fail to make a connection if:
The server on the other side of the link is not running Packet Burst
The transfer rate for the link is 2400 baud or less
The range is 0 to 65,535 milliseconds. The default is 0. For 2400 baud lines, use the 10000 setting.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\minimum time to net
Registry Value: [string] 0
Default Value: 0
Range: 0-65535 milliseconds
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
NCP Max Timeout—This setting specifies the amount of time allowed to retry a network connection. If the network connection cannot be established in the specified amount of time, an error message appears. The range is 0 to 65,535 seconds. The default is 30.
Registry Key: HKLM\Network\Novell\System Config\NetWare DOS Requester\NCP Max Timeout
Registry Value: [string] 0
Default Value: 30
Range: 0-65535 seconds
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Graphical Interface
The Graphical Interface group contains the parameters that affect what the users see on the Windows desktop.
Cancel Desktop Login—Set this parameter to On if you do not want users to be able to log in to other Windows workstations/servers or other network providers if they cancel their initial client login. Set this parameter to Off if you do want to let users log in to the workstation and other network providers, even if they do not initially log in through the client. The default is Off.
Send Message—Specifies whether the Send Message function is enabled. This function is available by right-clicking on a server in Network Neighborhood. In the 3.2 95/98 Client, this parameter was renamed “Enable Send Message” and is now under the Advanced Menu Settings tab. The default is On.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Send Message
Registry Value: [string] Enable
Default Value: YES (ON)
Range: YES, NO (GUI shows this as ON, OFF, registry uses YES, NO)
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Show Edit Login Script Item—This setting specifies whether the Edit Login Script item is available in the User Administration menu. You get to the User Administration menu by right-clicking the big red Novell icon that appears in the system tray of the Windows 95/98 taskbar. You then select the “User Administration for (tree name or servername)” entry to see the selections available, which include:
Personal Information
Work Information
Mailing Information
Edit Login Script
Login Account Information
Novell Password Administration
Group Memberships
If Show Edit Login Script Item is set to Off on a workstation, the Edit Login Script item in the “User Administration for” menu will appear grayed out and cannot be selected. The default is On.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Modify Login Script
Default Value: YES (ON)
Range: YES, NO (GUI shows this as ON, OFF, registry uses YES, NO)
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Note: The 95/98 Client version 3.2 and higher has moved the GUI display of this setting to the Advanced Menu Settings tab.
Show Novell System Tray Icon—When this parameter is enabled, a red capital “N” icon appears in the system tray at the right-hand side of the Windows 95/98 task bar. You can then right-click this Novell icon to select from a list of client tasks. For example, you can double-click the icon to log in to a NetWare tree or server. Other Novell-related tasks you can perform here include:
Performing a NetWare login
Viewing network connections
Mapping network drives
Capturing printers
Configuring browsable paths
The default is On. If you set this value to Off, the red “N” icon will no longer appear in the task bar (you must reboot the workstation for the change to take effect).
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable Systray Icon
Default Value: YES (ON)
Range: YES, NO (GUI shows this as ON, OFF, registry uses YES, NO)
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Note: The 95/98 Client version 3.2 and higher has moved the GUI display of this setting to the Advanced Menu Settings tab.
Show Scheduler System Tray Icon—If this value is enabled, the Novell Scheduler icon appears in the system tray at the right-hand side of the task bar. Double-click the Scheduler icon to open the Scheduler. With the Show Scheduler System Tray Icon enabled, you can right-click the Scheduler icon to select from a list of Scheduler tasks, showing a screen similar to Figure S2.4. The default is On. If you do not wish to have the Novell Scheduler icon appear in the system tray, set this entry to Off. (You must reboot the workstation for this value to take effect.)
Registry Key: HKLM\Software\Novell\Workstation Manager
Registry Value: [dword] NoTrayIcon
Default Value: 0
Range: 0, 1 (0=ON [Show icon], 1=OFF [Don't show icon])
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Note: The 95/98 Client version 3.2 and higher has moved the GUI display of this setting to the Advanced Menu Settings tab.
Show User Administration Menu—This setting specifies whether the “User Administration for (tree name or servername)” menu item will be available for users when they right-click the big red Novell icon that appears in the system tray of the Windows 95/98 taskbar. With the default setting of On, users can select the “User Administration for (tree name or servername)” entry to see the available selections that were listed under the Show Edit Login Script Item entry earlier in this AppNote. If the Show User Administration Menu is set to Off on a workstation, the “User Administration for context/servername” menu will appear grayed out and cannot be selected. The default is On.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable User Info
Default Value: YES (ON)
Range: YES, NO (GUI shows this as ON, OFF, registry uses YES, NO)
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.
Note: The 95/98 Client version 3.2 and higher has moved the GUI display of this setting to the Advanced Menu Settings tab.
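The Performance and Graphical Interface settings above are stored three different ways (YES/NO strings that the GUI shows as ON/OFF, numeric strings, and the inverted NoTrayIcon DWORD where 0 means the icon is shown), so a baseline check has to normalize them before comparing against the documented defaults. The script below is an added example, not Novell's code: it parses a REGEDIT4-style .REG export (format assumed: `[key]` sections with `"name"="value"` or `"name"=dword:hex` lines; the sample export is constructed) and reports which of the settings documented in this supplement have been changed from their defaults.

```python
"""Baseline check for Novell Client32 registry settings (added example, not Novell code).

Parses a REGEDIT4-style .REG export and compares the settings documented in
this supplement against their listed defaults, normalizing the three storage
conventions the pages describe: YES/NO strings shown as ON/OFF in the GUI,
numeric strings, and the inverted NoTrayIcon DWORD (0 = show icon, 1 = hide).
"""
import re

# Constructed sample export; values are chosen to exercise each convention.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Network\Novell\System Config\NetWare DOS Requester]
"DELAY WRITES"="YES"
"FILE CACHE LEVEL"="3"
"TRUE COMMIT"="NO"

[HKEY_LOCAL_MACHINE\Network\Novell\System Config\Network Provider\Menu Items]
"Modify Login Script"="NO"
"Enable User Info"="YES"

[HKEY_LOCAL_MACHINE\Network\Novell\System Config\Network Provider\Initial Login]
"Cancel Desktop Login"="YES"

[HKEY_LOCAL_MACHINE\Software\Novell\Workstation Manager]
"NoTrayIcon"=dword:00000001
"""

SYSCFG = r"HKEY_LOCAL_MACHINE\Network\Novell\System Config"
WSMGR = r"HKEY_LOCAL_MACHINE\Software\Novell\Workstation Manager"

# (key, value name) -> (storage kind, documented default as the GUI shows it).
# Keys, value names and defaults are the ones listed in this supplement.
DOCUMENTED = {
    (SYSCFG + r"\NetWare DOS Requester", "DELAY WRITES"): ("yesno", "OFF"),
    (SYSCFG + r"\NetWare DOS Requester", "FILE CACHE LEVEL"): ("int", 3),
    (SYSCFG + r"\NetWare DOS Requester", "FILE WRITE THROUGH"): ("yesno", "OFF"),
    (SYSCFG + r"\NetWare DOS Requester", "TRUE COMMIT"): ("yesno", "OFF"),
    (SYSCFG + r"\Network Provider\Menu Items", "Modify Login Script"): ("yesno", "ON"),
    (SYSCFG + r"\Network Provider\Menu Items", "Enable User Info"): ("yesno", "ON"),
    (SYSCFG + r"\Network Provider\Initial Login", "Cancel Desktop Login"): ("yesno", "OFF"),
    (WSMGR, "NoTrayIcon"): ("inverted_dword", "ON"),
}

SECTION_RE = re.compile(r"^\[(.+)\]$")
STRING_RE = re.compile(r'^"(.+?)"="(.*)"$')
DWORD_RE = re.compile(r'^"(.+?)"=dword:([0-9a-fA-F]{1,8})$')


def parse_reg(text):
    """Return {(key, name): value} from a REGEDIT4 export.
    DWORDs come back as int, strings as str; other value types are skipped."""
    values = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue
        m = DWORD_RE.match(line)
        if m:
            values[(key, m.group(1))] = int(m.group(2), 16)
            continue
        m = STRING_RE.match(line)
        if m:
            values[(key, m.group(1))] = m.group(2)
    return values


def effective(kind, raw):
    """Translate a raw registry value into what the client GUI would display."""
    if kind == "yesno":
        return {"YES": "ON", "NO": "OFF"}.get(str(raw).upper(), "INVALID")
    if kind == "int":
        return int(raw)
    if kind == "inverted_dword":  # NoTrayIcon: 0 shows the icon (ON), 1 hides it
        return "ON" if int(raw) == 0 else "OFF"
    raise ValueError(f"unknown storage kind {kind!r}")


def audit(reg_text, documented=DOCUMENTED):
    """Return {value name: (effective, default)} for each documented setting
    present in the export whose effective value differs from the default.
    Values absent from the export mean the client uses its default."""
    values = parse_reg(reg_text)
    deviations = {}
    for (key, name), (kind, default) in documented.items():
        if (key, name) in values:
            eff = effective(kind, values[(key, name)])
            if eff != default:
                deviations[name] = (eff, default)
    return deviations


if __name__ == "__main__":
    for name, (eff, default) in sorted(audit(SAMPLE_REG).items()):
        print(f"{name}: effective {eff}, documented default {default}")
```

On the constructed sample the check flags DELAY WRITES and Cancel Desktop Login as turned On, Modify Login Script as turned Off, and the Scheduler icon as hidden, while the settings left at their documented defaults are not reported.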
SLP General
The SLP General grouping contains parameters that deal with general Service Location Protocol settings.
SLP Maximum Transmission Unit—Specifies the maximum transmission unit (MTU), that is, the User Datagram Protocol (UDP) packet size, for the link layer to use. Setting this parameter too large or too small will adversely affect the performance of SLP (Service Location Protocol). Note: This parameter only affects SLP traffic using the UDP protocol; the TCP protocol negotiates its own MTU during connection creation. The range is 576 to 4,096 bytes. The default is 1,400. Have it most closely match the protocol packet size the network is using (1514 for Ethernet and 4096 for Token Ring).
Registry Key: HKLM\Network\Novell\System Config\SRVLOC\MTU
Registry Value: [string] 0
Default Value: 1400
Range: 576-4096 bytes
Client Version: Implemented in the 95/98 Client version 3.0 or higher.
SLP Multicast Radius—This parameter specifies the maximum number of sub-nets (number of routers plus 1) that SLP’s multicasting should traverse. In the SLP world, multicasting is the client’s method of locating IP services on the network. In its simplest form, SLP uses multicasts from the clients (User Agents or UAs) to find services (Service Agents or SAs) on servers. In this simple configuration, the SA does not advertise its services by broadcasting or replicating information to other servers, routers, or clients. Instead, the server waits for a multicast request from a client. If a client sends a multicast request looking for a service that is running on the server, the server will send a unicast message back to the client with the information about the requested service. Multicasts are not isolated to local segments. Routers will forward them to whatever subnets have a member of the multicast group. A value of 1 confines multicasting to the local segment (no routers). The range on the SLP Multicast Radius entry is from 1 to 32, with the default set to 32. For best network performance, use Directory Agents (DAs). Directory Agents reduce the consumption of bandwidth from SLP multicast traffic by having each server’s Service Agent register its services via unicasts with the DA. Additionally, the workstation clients that are requesting IP services can unicast their requests to the DA instead of multicasting their requests to all the servers on the network. Best Practice: Change this setting to reflect your overall SLP design. For example, if no DA is more than 3 hops from a client workstation, set this parameter to 4—which will keep the client’s SLP packets from possibly taking up extra bandwidth caused by routing issues.
Registry Key: HKLM\Network\Novell\System Config\SRVLOC\Multicast Radius
Registry Value: [string] 0
Default Value: 32
Range: 1-32
Client Version: Implemented in the 95/98 Client version 3.0 or higher.
Use Broadcast for SLP Multicast—This parameter specifies that broadcasting should be used in all cases instead of IP multicasting. SLP is designed to use IP multicasting; however, if any SLP Agent does not implement IP multicasting, then all Agents must use broadcasting to reach that Agent. If it is a Directory Agent that does not support multicasting, then it is preferable to configure that Directory Agent using the Directory Agent list rather than this parameter. If the network does not contain a Directory Agent, then IP servers must use their own Service Agents to specify the services that are available. If the Service Agent does not support multicasting and if there are any services advertised by that Service Agent that are needed by the User Agent on this machine, then the Use Broadcast For Multicast configuration parameter must be used. IP broadcasting has the disadvantage of being limited to the local LAN segment (as if Multicast Radius were set to 1). The default is Off.
Registry Key: HKLM\Network\Novell\System Config\SRVLOC\Use Broadcast For Multicast
Registry Value: [string] 0
Default Value: OFF
Range: ON, OFF
Client Version: Implemented in the 95/98 Client version 3.0 or higher.
Use DHCP for SLP—SLP scopes allow network administrators to organize SLP services into groups. The Service Agent on each server determines into which groupings the services on that server will be registered. By default, all SLP services are registered in the “unscoped” grouping. When clients send SLP requests to a Directory Agent, they can specify a scope for the DA to use in order to find the service they are looking for. If no scope is specified by the client, the DA will look in the “unscoped” table to find the service requested. As a service, DHCP (Dynamic Host Configuration Protocol) automatically allocates reusable (dynamic) IP network addresses in an environment that has limited IP address resources. Windows 95/98 clients can use this service to initially establish connections and to set preferred tree and context. The Use DHCP for SLP parameter specifies whether the Dynamic Host Configuration Protocol can be used for obtaining SLP scope and Directory Agent configuration information. The default is On. In order to use DHCP on the server:
:SET SLP DA Discovery Options = , where = 0 to 15 (Default = 3)
0x01 = Use multicast DA advertisements
0x02 = Use DHCP discovery
0x04 = Use static file SYS:ETC\SLP.CFG
0x08 = Scopes Required
Note: The default of 3 combines both the 0x01 and 0x02 values. For more on the different SLP server commands, see Chapter 4 on IP.
Registry Key: HKLM\Network\Novell\System Config\SRVLOC\DHCP
Registry Value: [string] 0
Default Value: ON
Range: ON, OFF
Client Version: Implemented in the 95/98 Client version 3.0 or higher.
SLP Times
The SLP Times grouping contains more specific SLP parameters.
Give Up on Requests to SAs—A Service Agent (SA) is a process that works on behalf of one or more services to advertise those services for IP servers. When a Novell Client for Windows 95/98 workstation initially boots up and loads IP, by default the client queries NWHOST for a server name. If there is no name resolved in the NWHOST file, the client queries SLP for a server. In order for IP to find a specific service object on the network, the User Agent (UA) in the client software sends a multicast request to find all Service Agents to see if they have the requested object registered with them, along with their corresponding IP addresses. These IP addresses, along with other relevant information about the server, are then sent directly back to the client using a unicast reply (a routed packet). This parameter specifies the maximum amount of time SLP will take to send requests to Service Agents on the network. The range is 1 to 60,000 seconds. The default is 15 seconds.
Registry Key: HKLM\Network\Novell\System Config\SRVLOC\TIME-8QUIT-SA-Q
Registry Value: [string] 0
Default Value: 15
Range: 1 - 60000 seconds
Client Version: Implemented in the 95/98 Client version 3.0 or higher.
SLP Cache Replies—When SLP receives a service request from a User Agent, the SLP reply is saved for the amount of time specified by the SLP Cache Replies parameter. If SLP receives a duplicate of this request, the cached reply is sent, so the same reply does not have to be generated again. The default value is one minute. Setting this value higher will consume more memory to retain replies longer. It is recommended that you do not change this default, because any duplicate requests should occur within the first minute. The range is 1 to 60 minutes. The default is 1 minute.
Registry Key: HKLM\Network\Novell\System Config\SRVLOC\TIME-0CACHE-REPLIES
Registry Value: [string] 0
Default Value: 1
Range: 1-60 minutes
Client Version: Implemented in the 95/98 Client version 3.0 or higher.
SLP Default Registration Lifetime—This setting specifies the lifetime of a service registration which is registered by a service provider requesting the default lifetime value. Each service contains a “Time To Live” (TTL) attribute for which the default is one hour. If the Server Agent doesn’t re-register its services before the TTL period expires, the Directory Agent removes it from its list of available services. Every Service Agent has a TTL for each of its services. If the service provider specifies a lifetime value when the service is registered, the SLP Default Registration Lifetime value is not used. The Directory Agent deletes the service when the lifetime expires if it hasn’t been specifically renewed or unregistered before then. This prevents the Directory Agent’s information from becoming too stale if the Server Agent registering the service goes down. The Server Agent automatically renews the service so the application doesn’t need to. The range is 60 to 60,000 seconds. The default value is 10,800 seconds, which is 3 hours. Using a smaller value will make the Directory Agent’s information less stale at the expense of more network traffic to renew services more frequently. This parameter does not affect how long the service is registered by the Server Agent.
Registry Key: HKLM\Network\Novell\System Config\SRVLOC\TIME-1REG-LIFETIME
Registry Value: [string] 0
Default Value: 10800
Range: 60-60000 seconds
Client Version: Implemented in the 95/98 Client version 3.0 or higher.
Wait Before Giving Up On DA—This parameter specifies the amount of time that SLP will wait before giving up on a request to a Directory Agent. A Directory Agent collects and caches service advertisements from Service Agents. Once it gives up on the Directory Agent, the User Agent begins multicasting SLP requests for the known services. The range is 1 to 60,000 seconds. The default is 5 seconds.
Registry Key: HKLM\Network\Novell\System Config\SRVLOC\TIME-6QUIT-DA-WAIT
Registry Value: [string] 0
Default Value: 5
Range: 1-60000 seconds
Client Version: Implemented in the 95/98 Client version 3.0 or higher.
Wait Before Registering on Passive DA—When a Service Agent passively discovers a Directory Agent (i.e., the Service Agent receives an unsolicited Directory Agent advertisement message because the Directory Agent just started), the Service Agent registers its services with the Directory Agent after waiting a random interval of time. This is to prevent all Service Agents from registering their information with the Directory Agent as soon as they receive the Directory Agent advertisement, overwhelming the Directory Agent.
The range of time for the random delay interval is specified by the Wait Before Registering on Passive DA parameter. The range is 1 to 60,000 seconds. The default is 2 seconds.
Registry Key: HKLM\Network\Novell\System Config\SRVLOC\TIME-10WAIT-REG-DA-PASSIVE
Registry Value: [string] 0
Default Value: 2
Range: 1-60000 seconds
Client Version: Implemented in the 95/98 Client version 3.0 or higher.

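The Directory Agent TTL behaviour described above (default lifetime applied only when the provider gives none, deletion at expiry unless renewed or unregistered), as an added Python model that is not Novell’s code; the service URLs, the 300-second renewal interval and the outage scenario are constructed.

```python
"""Toy model of an SLP Directory Agent's service cache and the
SLP Default Registration Lifetime behaviour. Added, constructed example;
values come from the settings documented above, not from Novell code."""

DEFAULT_REG_LIFETIME = 10800   # seconds: the documented default (3 hours)
LIFETIME_RANGE = (60, 60000)   # seconds: the documented configurable range


def clamp_lifetime(seconds):
    """Force a lifetime into the documented 60..60000 second range."""
    lo, hi = LIFETIME_RANGE
    return max(lo, min(hi, int(seconds)))


class DirectoryAgentCache:
    """Caches service advertisements, each with its own expiry time."""

    def __init__(self, default_lifetime=DEFAULT_REG_LIFETIME):
        self.default_lifetime = clamp_lifetime(default_lifetime)
        self._services = {}   # service URL -> absolute expiry time (seconds)

    def register(self, url, now, lifetime=None):
        """Register or re-register (renew) a service; returns the TTL used.

        With no provider-supplied lifetime the DA's default applies (the
        SLP Default Registration Lifetime setting); a provider-supplied
        value overrides it and the default is not used at all.
        """
        ttl = self.default_lifetime if lifetime is None else clamp_lifetime(lifetime)
        self._services[url] = now + ttl
        return ttl

    def unregister(self, url):
        """Explicit deregistration removes the service before its TTL runs out."""
        self._services.pop(url, None)

    def expire(self, now):
        """Drop every service whose TTL has elapsed; return the dropped URLs."""
        stale = [u for u, exp in self._services.items() if exp <= now]
        for u in stale:
            del self._services[u]
        return stale

    def active(self, now):
        """Services still advertised at time `now`, after expiring stale ones."""
        self.expire(now)
        return sorted(self._services)


def simulate_outage():
    """Scenario: an NDS service is registered once with the default TTL and its
    SA then goes down (never renews); a print service's SA keeps renewing
    every 300 s with an explicit 600 s lifetime. Returns {time: active list}."""
    da = DirectoryAgentCache()
    da.register("service:ndap.novell:///TREE1", now=0)               # default TTL
    da.register("service:printer:lpr://prn1", now=0, lifetime=600)   # explicit TTL
    timeline = {}
    for t in range(0, 12000, 300):
        if t > 0:
            # only the healthy SA renews; the NDS service's SA is silent
            da.register("service:printer:lpr://prn1", now=t, lifetime=600)
        timeline[t] = da.active(t)
    return timeline


if __name__ == "__main__":
    for t, services in simulate_outage().items():
        if t in (0, 10500, 10800):
            print(t, services)
```

The NDS entry disappears exactly when the 10,800-second default lifetime elapses, while the renewed print service never drops out.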
Advanced Menu Settings tab

All of the following settings are simply ways to customize the display when the red “N” on the client’s systray is right-clicked or when an NDS object in Network Neighborhood is right-clicked. (See Figure S2.12.)

Figure S2.12 The Advanced Menu Settings tab.

Cancel Desktop Login—Allows/disallows the desktop login.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Initial Login
Registry Value: [string] Cancel Desktop Login
Default Value: Off
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented by at least the 95/98 Client version 2.5 or higher.

Change Password—Enables/disables the Change Password button in the Novell Password Administration dialog available when right-clicking on the Novell red “N” in the System Tray ➝ selecting User Administration for [your_NDS_Tree]. If disabled, the Change Password button is still displayed in the Novell Password Administration dialog, but it is grayed out (disabled) and may not be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Change Password
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Display Bindery Services Page—
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Property Pages
Registry Value: [string] Display Bindery Services Page
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Display Container Page—
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Property Pages
Registry Value: [string] Display Container Page
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Display Directory Map Object Page—Enables/disables the “NetWare Directory Map Object Information” page for the Directory Map object. This property page shows the full NDS object Path (context) and NDS Tree as well as the Server, Volume and Directory Path the Directory Map Object references. Disabling this property page does not disable other property pages (i.e., NetWare Info or NetWare Rights), nor does it restrict a user’s ability to use this Directory Map Object (NDS rights/ACL); it merely affects whether or not the user can see the “NetWare Directory Map Object Information” property page.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Property Pages
Registry Value: [string] Display Directory Map Object Page
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Display Directory Services Page—Enables/disables the properties page for the Novell Directory Services selection. The Novell Directory Services selection is available under Network Neighborhood, Entire Network, NetWare Services. Disabling this setting does not prevent a user from opening the Novell Directory Services selection and browsing within the NDS tree, only from viewing the properties.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Property Pages
Registry Value: [string] Display Directory Services Page
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Display NetWare Information Page—Enables/disables the “NetWare Info” page for a Volume, Directory or file object when browsing within Network Neighborhood. This page is normally viewed by browsing inside of Network Neighborhood, browsing inside NDS containers, selecting a Volume, Directory, or File object (represented with a folder icon), right-clicking one of these objects, and selecting Properties. This property page shows the Name Spaces loaded, the assigned Owner, Space Restrictions, Space Available, Create/Last Modified dates, and NetWare Directory/File attributes. Disabling this property page does not disable other property pages (i.e., NetWare Rights), nor does it restrict a user’s ability to use the volume, directory, or file (managed using NDS rights/ACL); it merely affects whether or not the user can see the “NetWare Info” property page.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Property Pages
Registry Value: [string] Display NetWare Information Page
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Display NetWare Rights Page—Enables/disables the “NetWare Rights” page for a Volume, Directory or file object when browsing within Network Neighborhood. This page is normally viewed by browsing inside of Network Neighborhood, browsing inside NDS containers, selecting a Volume, Directory, or File object (represented with a folder icon), right-clicking one of these objects, and selecting Properties. This property page shows the direct Trustee assignments, Inherited Rights Filters, and Effective Rights (for the logged-in user). Disabling this property page does not disable other property pages (i.e., NetWare Info), nor does it restrict a user’s ability to use the volume, directory, or file (managed using NDS rights/ACL); it merely affects whether or not the user can see the “NetWare Rights” property page.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Property Pages
Registry Value: [string] Display NetWare Rights Page
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Display Server Page—Enables/disables the properties page for a NetWare Server object when browsing within Network Neighborhood. This page is normally viewed when browsing inside of Network Neighborhood, either browsing inside NDS containers or under NetWare Servers. The “NetWare Server Information” property page shows the Server Name, Company, Version, Revision date, Network Address(es) (both IPX/IP), Connections in Use, Max Licensed Connections, NDS Tree, and full NDS Server object name/context. Disabling this property page disables the ability to see any properties of the NetWare Server object in Network Neighborhood, but does not restrict a user’s ability to use the server.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Property Pages
Registry Value: [string] Display Server Page
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Display Tree Page—Enables/disables the properties page for a NetWare Tree object when browsing within Network Neighborhood. This page is normally viewed when browsing inside of Network Neighborhood, either browsing inside NDS containers or under NetWare Servers. The “NetWare Tree Information” property page shows the Company and Tree Name. Disabling this property page disables the ability to see any properties of the NetWare Tree object in Network Neighborhood, but does not restrict a user’s ability to use the Tree.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Property Pages
Registry Value: [string] Display Tree Page
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Display Volume Information Page—Enables/disables the “NetWare Volume Information” page for a Volume object when browsing within Network Neighborhood. This page is normally viewed by browsing inside of Network Neighborhood, browsing inside NDS containers, selecting a Volume, right-clicking on the Volume object, and selecting Properties. This property page shows the Volume Name, storing Server, Name Spaces, Volume Number, Block Size, Installed Features (Suballoc, Compression), User Restrictions, and Free/Used disk for the user. Disabling this property page does not disable other property pages (i.e., NetWare Volume Statistics, NetWare Info, or NetWare Rights), nor does it restrict a user’s ability to use the volume (managed using NDS rights/ACL); it merely affects whether or not the user can see the “NetWare Volume Information” property page.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Property Pages
Registry Value: [string] Display Volume Information Page
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Display Volume Statistics Page—Enables/disables the “NetWare Volume Statistics” page for a Volume object when browsing within Network Neighborhood. This page is normally viewed by browsing inside of Network Neighborhood, browsing inside NDS containers, selecting a Volume, right-clicking on the Volume object, and selecting Properties. This property page shows the Volume Name, Disk Total Space, Free Space, Compressed Space, Purgeable Space, Used Space, Total Directory Entries, Available Directory Entries, and Used Directory Entries. Disabling this property page does not disable other property pages (i.e., NetWare Volume Information, NetWare Info, or NetWare Rights), nor does it restrict a user’s ability to use the volume (managed using NDS rights/ACL); it merely affects whether or not the user can see the “NetWare Volume Statistics” property page.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Property Pages
Registry Value: [string] Display Volume Statistics Page
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable Authenticate to Server—Enables/disables the selection for “Authenticate” when right-clicking on a NetWare Server in Network Neighborhood. If disabled, the selection for “Authenticate” is still displayed when right-clicking on a NetWare Server, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable Authenticate to Server
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable Authenticate to Tree—Enables/disables the selection for “Authenticate” when right-clicking on an NDS Tree in Network Neighborhood. If disabled, the selection for “Authenticate” is still displayed when right-clicking on an NDS Tree, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable Authenticate to Tree
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable Browse To Dialog—Enables/disables the selection for “Browse To” when right-clicking on the Novell red “N” in the System Tray (Systray). If disabled, the selection for “Browse To” is still displayed when right-clicking on the Novell red “N”, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable Browse To Dialog
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable Capture Dialog—Enables/disables the selection for “Novell Capture Printer Port” when right-clicking on the Novell red “N” in the System Tray (Systray). If disabled, the selection for “Novell Capture Printer Port” is still displayed when right-clicking on the Novell red “N”, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable Capture Dialog
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable Change Context Dialog—Enables/disables the selection for “Change Context” when right-clicking on an NDS Tree in Network Neighborhood. If disabled, the selection for “Change Context” is still displayed when right-clicking on an NDS Tree, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable Change Context Dialog
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable Disconnect Dialog—Enables/disables the selection for “Disconnect Network Drive” when right-clicking on the Novell red “N” in the System Tray (Systray). If disabled, the selection for “Disconnect Network Drive” is still displayed when right-clicking on the Novell red “N”, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable Disconnect Dialog
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable End Capture Dialog—Enables/disables the selection for “Novell End Capture” when right-clicking on the Novell red “N” in the System Tray (Systray). If disabled, the selection for “Novell End Capture” is still displayed when right-clicking on the Novell red “N”, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable End Capture Dialog
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable Group Membership Dialog—Enables/disables the selection for “Group Memberships” when right-clicking on the Novell red “N” in the System Tray (Systray) and selecting “User Administration for [your_NDS_Tree].” If disabled, the selection for “Group Memberships” is still displayed when right-clicking on the Novell red “N”, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable Group Membership Dialog
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable Inherited Rights Dialog—Enables/disables the selection for “Inherited Rights and Filters” when right-clicking on the Novell red “N” in the System Tray (Systray) and selecting “NetWare Utilities.” If disabled, the selection for “Inherited Rights and Filters” is still displayed when right-clicking on the Novell red “N”, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enabled Inherited Rights Dialog
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable Login Administration—Enables/disables the selection for “Login Account Information” when right-clicking on the Novell red “N” in the System Tray (Systray) and selecting “User Administration for [your_NDS_Tree].” If disabled, the selection for “Login Account Information” is still displayed when right-clicking on the Novell red “N”, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable Login Administration
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable Login Dialog—Enables/disables the selection for “NetWare Login” when right-clicking on the Novell red “N” in the System Tray (Systray). If disabled, the selection for “NetWare Login” is still displayed when right-clicking on the Novell red “N”, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable Login Dialog
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable Login to Server—Enables/disables the selection for “Login to Server” when right-clicking on a NetWare Server in Network Neighborhood. If disabled, the selection for “Login to Server” is still displayed when right-clicking on a NetWare Server, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable Login to Server
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable Logout of Server—Enables/disables the selection for “Logout” when right-clicking on a NetWare Server in Network Neighborhood. If disabled, the selection for “Logout” is still displayed when right-clicking on a NetWare Server, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable Logout of Server
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable Logout of Tree—Enables/disables the selection for “Logout” when right-clicking on an NDS Tree in Network Neighborhood. If disabled, the selection for “Logout” is still displayed when right-clicking on an NDS Tree, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable Logout of Tree
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable Map Dialog—Enables/disables the selection for “Novell Map Network Drive” when right-clicking on the Novell red “N” in the System Tray (Systray). If disabled, the selection for “Novell Map Network Drive” is still displayed when right-clicking on the Novell red “N”, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable Map Dialog
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable Modify Container Script—Enables/disables the selection for “Edit NDS Container Login Script” when right-clicking on an NDS Container object in Network Neighborhood. If disabled, the selection for “Edit NDS Container Login Script” is still displayed when right-clicking on an NDS Container object, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable Modify Container Script
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable NDS Login To Tree—Enables/disables the selection for “Login to NDS Tree” when right-clicking on an NDS Tree object in Network Neighborhood. If disabled, the selection for “Login to NDS Tree” is still displayed when right-clicking on an NDS Tree, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable NDS Login To Tree
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable NDS Mailing Information—Enables/disables the selection for “Mailing Information” when right-clicking on the Novell red “N” in the System Tray (Systray) and selecting “User Administration for [your_NDS_Tree].” If disabled, the selection for “Mailing Information” is still displayed when right-clicking on the Novell red “N”, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable NDS Mailing Information
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable NDS Personal Information—Enables/disables the selection for “Personal Information” when right-clicking on the Novell red “N” in the System Tray (Systray) and selecting “User Administration for [your_NDS_Tree].” If disabled, the selection for “Personal Information” is still displayed when right-clicking on the Novell red “N”, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable NDS Personal Information
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable NDS Work Information—Enables/disables the selection for “Work Information” when right-clicking on the Novell red “N” in the System Tray (Systray) and selecting “User Administration for [your_NDS_Tree].” If disabled, the selection for “Work Information” is still displayed when right-clicking on the Novell red “N”, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable NDS Work Information
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable NetWare Connections Dialog—Enables/disables the selection for “NetWare Connections” when right-clicking on the Novell red “N” in the System Tray (Systray). If disabled, the selection for “NetWare Connections” is still displayed when right-clicking on the Novell red “N”, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable NetWare Connections Dialog
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable NetWare Copy Dialog—Enables/disables the selection for “NetWare Copy” when right-clicking on the Novell red “N” in the System Tray (Systray) and selecting “NetWare Utilities.” If disabled, the selection for “NetWare Copy” is still displayed when right-clicking on the Novell red “N”, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable NetWare Copy Dialog
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable NetWare Utilities—Enables/disables the selection for “NetWare Utilities” when right-clicking on the Novell red “N” in the System Tray (Systray). If disabled, the selection for “NetWare Utilities” is still displayed when right-clicking on the Novell red “N”, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable NetWare Utilities
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable Novell Client Help—Enables/disables the selection for “Novell Client Help” when right-clicking on the Novell red “N” in the System Tray (Systray). If disabled, the selection for “Novell Client Help” is still displayed when right-clicking on the Novell red “N”, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable Novell Client Help
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable Novell Client Properties—Enables/disables the selection for “Novell Client Properties” when right-clicking on the Novell red “N” in the System Tray (Systray). If disabled, the selection for “Novell Client Properties” is still displayed when right-clicking on the Novell red “N”, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable Novell Client Properties
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable Object Properties Dialog—Enables/disables the selection for “Object Properties” when right-clicking on the Novell red “N” in the System Tray (Systray) and selecting “NetWare Utilities.” If disabled, the selection for “Object Properties” is still displayed when right-clicking on the Novell red “N”, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable Object Properties Dialog
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable Password Administration—Enables/disables the selection for “Novell Password Administration” when right-clicking on the Novell red “N” in the System Tray (Systray) and selecting “User Administration for [your_NDS_Tree].” If disabled, the selection for “Novell Password Administration” is still displayed when right-clicking on the Novell red “N”, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable Password Administration
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable Purge Dialog—Enables/disables the selection for “Purge” when right-clicking on the Novell red “N” in the System Tray (Systray) and selecting “NetWare Utilities.” If disabled, the selection for “Purge” is still displayed when right-clicking on the Novell red “N”, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable Purge Dialog
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable Salvage Dialog—Enables/disables the selection for “Salvage” when right-clicking on the Novell red “N” in the System Tray (Systray) and selecting “NetWare Utilities.” If disabled, the selection for “Salvage” is still displayed when right-clicking on the Novell red “N”, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable Salvage Dialog
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable Send Message Dialog—Enables/disables the selection for “Send Message” when right-clicking on the Novell red “N” in the System Tray (Systray) and selecting “Send Message.” If disabled, the selection for “Send Message” is still displayed when right-clicking on the Novell red “N”, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable Send Message Dialog
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable Send Message To Server Dialog—Enables/disables the selection for “To Server Console” when right-clicking on a NetWare Server object in Network Neighborhood and selecting “Send Message,” or when using the “Send Message” selection by right-clicking on the red “N” in the System Tray (Systray) and selecting “NetWare Utilities” and “Send Message.” If disabled, the selection for “To Server Console” is still displayed in the Send Message menu, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable Send Message To Server Dialog
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable Send Message To User Dialog—Enables/disables the selection for “To Users” when right-clicking on a NetWare Server object in Network Neighborhood and selecting “Send Message,” or when using the “Send Message” selection by right-clicking on the red “N” in the System Tray (Systray) and selecting “NetWare Utilities” and “Send Message.” If disabled, the selection for “To Users” is still displayed in the Send Message menu, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable Send Message To User Dialog
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable Set Current Tree—Enables/disables the selection for “Set Current Tree” when right-clicking on an NDS Tree in Network Neighborhood. If disabled, the selection for “Set Current Tree” is still displayed when right-clicking on an NDS Tree, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable Set Current Tree
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable Set Default Context—Enables/disables the selection for “Set Default Context” when right-clicking on an NDS Container object in Network Neighborhood. If disabled, the selection for “Set Default Context” is still displayed when right-clicking on an NDS Container object, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable Set Default Context
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable Show Parent Context—Enables/disables the selection for “Show Parent Context” when right-clicking on an NDS Container object in Network Neighborhood. If disabled, the selection for “Show Parent Context” is still displayed when right-clicking on an NDS Container object, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable Show Parent Context
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable Systray Config Dialog—Enables/disables the selection for “Configure System Tray Icon” when right-clicking on the Novell red “N” in the System Tray (Systray). If disabled, the selection for “Configure System Tray Icon” is still displayed when right-clicking on the Novell red “N”, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable Systray Config Dialog
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable Trustee Rights Dialog—Enables/disables the selection for “Trustee Rights” when right-clicking on the Novell red “N” in the System Tray (Systray) and selecting “NetWare Utilities.” If disabled, the selection for “Trustee Rights” is still displayed when right-clicking on the Novell red “N”, but it is grayed out (disabled) and cannot be selected.
Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items
Registry Value: [string] Enable Trustee Rights Dialog
Default Value: On
Range: On, Off (YES=On, NO=Off)
Client Version: Implemented in the 95/98 Client version 3.2 or higher.

Enable Who Am I Dialog—Enables/disables the selection for “WhoAmI” when right-clicking on an NDS Tree or NetWare Server in Network Neighborhood. If disabled, the selection for “WhoAmI” is still displayed when right-clicking on an NDS Tree or NetWare Server, but it is grayed out (disabled) and cannot be selected. Registry Key: HKLM\Network\Novell\System Config\Network Provider\Menu Items Registry Value: [string] Enable Who Am I Dialog Default Value: On Range: On, Off (YES=On, NO=Off) Client Version: Implemented in the 95/98 Client version 3.2 or higher.
Filter User List—Has the same functionality as the selection for “Show only user objects in list” when right-clicking on the Novell red “N” in the System Tray (Systray) and selecting “NetWare Utilities,” “Send Message,” and then “To Users.” If this is enabled, then the selection for “Show only user objects in list” will display as checked when the Send Message To Users window is first displayed (changes made in this window will also be written to the registry and can undo changes made within the Advanced Menu Settings tab). Registry Key: HKLM\Network\Novell\System Config\Network Provider\SEND MESSAGE Registry Value: [string] Filter User List Default Value: Off Range: On, Off (YES=On, NO=Off) Client Version: Implemented in the 95/98 Client version 3.2 or higher.
Force Bindery Connections—Appears to not be implemented in the initial release of the 4.7 NT Client. In the Windows 95/98 version of the Novell Client, this setting forces the Novell Login Dialog to provide valid Bindery Login Credentials to authenticate (effectively disables NDS Authenticator logins, though once connected, can still browse the tree if the user object has rights). Registry Key: HKLM\Network\Novell\System Config\Network Provider\CONNECTIONS Registry Value: [string] Force Bindery Connections Default Value: Off Range: On, Off (YES=On, NO=Off) Client Version: Implemented in the 95/98 Client version 3.2 or higher.
Force Login Dialog—Forces the Login Dialog on initial login. Setting this parameter to On forces the login at initial login rather than attempting a background authentication. This is utilized only when the Primary Network Logon is NOT set to Novell’s provider. Registry Key: HKLM\Network\Novell\System Config\Network Provider\Initial Login Registry Value: [string] Force Login Dialog Default Value: Off Range: On, Off (YES=On, NO=Off) Client Version: Implemented in the 95/98 Client version 3.2 or higher.
Show Bindery Servers—Enables/Disables the option for “NetWare Servers” in the Network Neighborhood Entire Network/NetWare Services (Still leaves the option for “Novell Directory Services”). When the option for “NetWare Servers” is selected, it will attempt to locate all NetWare servers on the network using the enabled Name Space Providers. When IPX is enabled on the server, this allows the client to issue a bindery scan request for type 0004 (NW File Server SAP). If this occurs frequently enough, it may increase server utilization and reduce server performance/responsiveness. Registry Key: HKLM\Network\System Config\Network Provider\Browse Settings Registry Value: [string] Show Bindery Servers Default Value: On Range: On, Off (YES=On, NO=Off) Client Version: Implemented in the 95/98 Client version 3.2 or higher.
Show Current Connections—Enables/disables the display of the currently connected NetWare Servers and NDS Trees when opening NetWork Neighborhood (will still display the Microsoft connected resources if the Microsoft Client is installed/ enabled). Registry Key: HKLM\Network\System Config\Network Provider\Browse Settings Registry Value: [string] Show Current Connections Default Value: On Range: On, Off (YES=On, NO=Off) Client Version: Implemented in the 95/98 Client version 3.2 or higher.
Show Edit Login Script Item—Enables/disables the selection for “Edit Login Script” when right-clicking on the Novell red “N” in the System Tray (Systray) and selecting “User Administration for [your_NDS_Tree].” If disabled, the selection for “Edit Login Script” is still displayed when right-clicking on Novell red “N”, but it is grayed out (disabled) and cannot be selected. Registry Key: HKLM\Network\System Config\Network Provider\Menu Items Registry Value: [string] Modify Login Script Default Value: On Range: On, Off (YES=On, NO=Off) Client Version: Implemented in the 95/98 Client version 3.2 or higher.
Show NDS Description—Shows the “Description” NDS attribute of all leaf objects under the Comment column when browsing contexts inside the NDS Tree using Network Neighborhood. The Comments column is only visible when the Network Neighborhood view is set to “Details” (under the View drop-down menu). Even when set to details, this will not display the Description attribute of Container objects (Country, Organization, and Organizational Unit), only the Description attribute of Leaf objects. Registry Key: HKLM\Network\System Config\Network Provider\Browse Settings Registry Value: [string] Show NDS Description Default Value: On Range: On, Off (YES=On, NO=Off) Client Version: Implemented in the 95/98 Client version 3.2 or higher.
Show NDS Objects—Enables/disables the display of all NDS type objects in Network Neighborhood. This includes NDS Trees, Containers, any NDS leaf objects, and the removal of the “Novell Directory Services” option under NetWare Services. When this setting is disabled, all views displayed are using Bindery Name Space Providers. Registry Key: HKLM\Network\System Config\Network Provider\Browse Settings Registry Value: [string] Show NDS Objects Default Value: On Range: On, Off (YES=On, NO=Off) Client Version: Implemented in the 95/98 Client version 3.2 or higher.
Show Novell System Tray Icon—Enables/disables the display of the red “N” in the System Tray (Systray). Disabling this will not affect the user’s ability to perform the same tasks using other methods (i.e., mapping a drive in Network Neighborhood); it merely disables this interface. Registry Key: HKLM\Network\System Config\Network Provider\Menu Items Registry Value: [string] Enable Systray Icon Default Value: On Range: On, Off (YES=On, NO=Off) Client Version: Implemented in the 95/98 Client version 3.2 or higher.
Show Scheduler System Tray Icon—Disables/enables the display of the icon with a calendar, clock, and pen known as the ZENworks Desktop Manager Scheduler (previously known as the Workstation Manager Scheduler). Registry Key: HKLM\Software\Novell\Workstation Manager Registry Value: [dword] NoTray Default Value: 0 Range: 0, 1 (0=Off, 1=On) Client Version: Implemented in the 95/98 Client version 3.2 or higher.
Show User Administration Menu—Enables/disables the selection for “User Administration for [your_NDS_Tree]” when right-clicking on the Novell red “N” in the System Tray (Systray). If disabled, the selection for “User Administration for [your_NDS_Tree]” is still displayed when right-clicking on Novell red “N”, but it is grayed out (disabled) and cannot be selected. Registry Key: HKLM\Network\System Config\Network Provider\Menu Items Registry Value: [string] Enable User Info Default Value: On Range: On, Off (YES=On, NO=Off) Client Version: Implemented in the 95/98 Client version 3.2 or higher.
Frame Type Information
This panel is self-explanatory. (See Figure S2.13.)
Figure S2.13 The Novell IPX 32-bit protocol property page.
Figure S2.14 IPX parameters shown in the IPX properties panel.
IPX retry count (See Figure S2.14.)
Allow IPX access through interrupt 7AH (check box)
Allow IPX access through interrupt 64H (check box)
IPX Diagnostics
IPX diagnostics enabled (check box)
Pre-allocate VGNMA memory (check box)
Enable source routing over NDIS
Primary logical board—Frame type of the primary (default) logical board (See Figure S2.15.)
Use all detected frame types (radio button)—Either/or choice with the next radio button
Use only the following frame types (radio button)
Frame type: Choose from the frame types listed earlier in this section
SPX connections (see Figure S2.16)—All of the following choices are available at the server for tuning the server’s IPX/SPX communication stack, too.
SPX verify timeout
SPX listen timeout
SPX abort timeout
Allow connection watchdogging (check box)—Watchdogging is a server process that verifies a client connection periodically. The purpose is to keep the server from severing the client connection when the client doesn’t communicate with the server for long periods of time. If the server doesn’t receive a reply packet from a client after specified times (tunable at the server—see Chapter 2), the client connection is dropped, which will cause the client workstation to “re-login” to authenticate again.
Figure S2.15 The frame type selections shown in the Advanced tab.
Figure S2.16 The connection-oriented, transport layer 4 protocol choices.
Figure S2.17 Microsoft’s IPX/SPX property page. If you don’t use NETBIOS for browsing or for client-to-client file sharing, uncheck it.
The check boxes enable or disable each binding. (See Figure S2.17.)
Figure S2.18 Microsoft’s IPX/SPX compatible protocol property page showing what NOT to do. Don’t use the Auto frame type option—choose one manually.
Force Even Length Packets—Leave at default. (See Figure S2.18.) Even length packets are the most efficient method of network packet communication. It seems like a good idea, but standardizing on a packet length causes smaller packets to be stuffed with zeroes.
Frame Type—Choose from the following:
Auto
802.2
802.3
Ethernet II
Ethernet SNAP
Token Ring
Token Ring SNAP
Maximum Connections—Leave at default
Maximum Sockets—Leave at default
Network Address—Leave at default
Source Routing—Leave at default; for token ring networks only
Set this protocol to be the default protocol (check box)—I sometimes use this. As a network administrator you may want to use this setting.
Figure S2.19 The infamous NetBIOS feature. You need it to browse, but NetBIOS is a major congestor of network traffic.
I want to enable NetBIOS over IPX/SPX (check box)—Watch network traffic grow almost exponentially with this menu choice. Make sure you have a valid reason to turn this on. (See Figure S2.19.)
2 What Can Be Done @ the NetWare Server
This chapter was the hardest to write because I wanted to explain each section and module of the NetWare server. I researched and condensed a great deal of material to make this chapter complete. If you want to “know” NetWare, you will need to read the entire chapter. I start with what’s new in NetWare 6 and then go right into the server. I start explaining the server from the beginning of the boot. As the server boots, I explain and list not only the boot process, but the modules, their special command switches, and how they work. Supplement 1 to this chapter describes the server console commands. You can find most of these commands by simply typing HELP at the console prompt. Supplement 2 to this chapter explains the all-important server SET commands. To tune the server, you’ll want to refer to Chapter 9. Understanding the NetWare environment is essential to troubleshooting. Each of the variables that control your NetWare environment is discussed. The server is where “it” all happens. The server services your client needs. NetWare is arguably the best server platform for file and print. Novell wants you to think of NetWare as more than that.
2.1 Next-generation NetWare 6
What’s in the future for NetWare? Novell first announced that there will be no more NetWare updates. When its stock fell like lead, Novell said that they were just kidding. NetWare 6, code name “six-pack,” is the announced update to NetWare 5.1.
Novell is continuing to update products within the OS, too. Portal services, NSS, and NDS now have product updates no longer linked to the OS—great idea.
2.1.1 Scalability
Scalability is the magic word for talking about NetWare 6. In my days as a Novell consultant, rarely did my client need more scalability than NetWare provided. The exceptions were very heavily used servers for dedicated NDS functions at some of Novell’s largest clients (30,000+ user objects). Novell reports that NetWare 5.1 can support as many as 8,000 users per server. While I have never experienced a NetWare server with that many users, I can say that many NetWare servers I’ve seen handle well over 1,000 clients—very impressive. Adding CPUs to a server is the scale-up approach—as opposed to the scale-out approach, which would be to add more servers (like in a cluster with a SAN [Storage Area Network]). Adding a second processor to a server does not give you exactly 100% more processing power. The overhead of having to schedule threads on the different processors takes from the added processors. Novell says to expect to get about 80% of the second processor. That translates to a 1.8 scale factor. The scale factor is a function of how efficiently the OS uses the additional hardware (therefore, these numbers do not translate to NT, Windows 2000 or SUN Solaris). Note: Remember that processing power is rarely the bottleneck—see the Tuning section in the last chapter of this book.
Table 2.1 Scale Up Factor to adding more processors in NetWare 6
Number of Processors    Scale Factor
1                       1
2                       1.8
4                       3.5
6                       5.2
8                       6.1
According to Novell, in the October 2000 Novell Connection magazine, NetWare 6’s target audience is large companies with 1,000+ employees. NetWare 6 will make better use of SMP for its core components and key components.
NetWare 6 multithreaded components
CLIB (C-library)
RSA security functions
NCP engine (NetWare Core Protocol)
The TCP/IP stack—which is/was the source of many bottlenecks
HTTP
WebDAV
LDAP (Lightweight Directory Access Protocol)
NSS (Novell Storage Services—the new file system) update
eDirectory
NICI (Novell’s International Cryptographic Infrastructure)
SLP v2 (Service Location Protocol version 2)
MLID (Multiple-Link Interface Drivers)
LSL (Link Support Layer)
Fibre Channel disk support
Novell’s Java Virtual Machine
Servlet Interface
Routing tasks
ODI (Open Data-Link Interface) drivers (which are not recommended on the NetWare client anymore—Novell recommends you use Microsoft’s NDIS drivers)
GUI Audit
Web and Search Engines
NetWare News Server
Chapter 2
148
NetWare 6.x provides:
32-node cluster support (NetWare Cluster Service 1.6)
32 processor support from the Multi Processing Kernel (MPK) and more efficient use of the processors
NSS file system enhancements in NetWare 6 (NSS 3.0)
NSS will now be the default file system
DFS support (Distributed File System)
64-bit interface that supports up to 8 TB volumes
Support for volume splitting (applicable to clustering)
Support for the SYS volume
Support for file compression
Support for user and directory quotas
Support for TTS (Transaction-Tracking System—used by Novell to support database transactional data, like NDS)
NDPS version 3 with the following enhancements
SNMP support
SMTP notification support
Management through Novell’s Portal Services
Resource management enhancements
An NDPS Broker health monitor for the Portal services
IPP Gateway (Internet Printing Protocol)
Additional vendor support for the NDPS gateway used to service non–NDPS aware printers. Major vendors supported in this release are Axis, Epson, Extended Systems, Hewlett-Packard, Kyocera, Lexmark, Tektronix, and Xerox.
NDPS Broker installation enhancements
Remote Printer Management installation enhancements based on NDS User and Group Object memberships
2.2 Entering the NetWare server environment
As you press the server’s on button—assuming NetWare is loaded—your machine will load the hardware BIOS, maybe the video BIOS too, initialize hardware, and look for any system partition (such as the Compaq system partition that takes up about 35MB of space) to instruct the server how to treat the hardware based on a stored configuration (which in Compaq’s case is done from the Smart Start CD), and then begin the Disk Operating System (DOS).
NetWare uses a DOS partition to begin the boot process. As the DOS environment is initialized, the AUTOEXEC.BAT calls the SERVER.EXE file. At that point NetWare takes control from DOS. The SERVER.EXE initializes the NetWare environment.
AUTOEXEC.BAT ➝ SERVER.EXE ➝ STARTUP.NCF ➝ AUTOEXEC.NCF
2.2.1 SERVER.EXE
The SERVER.EXE contains the NetWare OS. This file is considered the NetWare Operating System’s kernel. The SERVER.EXE contains:
SERVER.EXE—The server environment executable
LOADER.EXE—Loads the NetWare environment
SERVER.NLM—Manages resources
The SERVER.EXE has several command line switches.
C:\>SERVER -NL
Typing SERVER -NL loads the NetWare operating system without the new logo screen.
C:\>SERVER -L
SERVER -L force loads the splash screen.
C:\>SERVER -S\path\filename
SERVER -S loads an alternate STARTUP.NCF file in the specified path. Use this for maintenance and troubleshooting purposes.
C:\>SERVER -NS
Typing SERVER -NS loads the NetWare operating system without loading the STARTUP.NCF file.
C:\>SERVER -NA
Typing SERVER -NA loads the NetWare operating system without loading the AUTOEXEC.NCF file.
C:\>SERVER -NDB
This command loads the server WITHOUT loading Directory Services (DS). These commands can be used/chained together.
C:\>SERVER -NS -NA -NDB
2.2.2 LOADER.EXE
LOADER.EXE is contained in and called by the SERVER.EXE. The loader is the first portion of the SERVER.EXE that runs. Its main function is to interact with the hardware—such as the BIOS to update and keep the system clock and OS time. It also verifies physical memory to determine the size and locations available to the OS.
2.2.3 SERVER.NLM
The SERVER.NLM is executed after the LOADER.EXE initializes the OS environment. The SERVER.NLM is a complex component that gets the blame for many ABENDs—ABEND.LOGs contain many references to the SERVER.NLM. Resource Management components begin executing as the SERVER.NLM is loaded.
Kernel process management
The kernel process feature manages how and when processes are executed through the CPU time available. Process management includes tasks, applications, management, and work-to-do processes. Since NetWare is multitasking, various processes are loaded and need to be managed at any one time. Specific process management pieces include:
Threads/processes—A thread is simply a code path of execution. A process, or thread, is not instructed to give up the CPU—NetWare is non-preemptive. The OS retains control of the CPU. To see the most active threads, in order, use :MONITOR ➝ Kernel ➝ Threads. Some processes are:
Server: Generic processes
Console Commands: Processes user input
MakeThread: Used by the OS to allocate memory and new processes
Media Manager: Processes I/O from hardware drivers
Note: Related SET parameters:
:SET CPU Hog Timeout Amount = 1 MIN
can be found later in this chapter and in Chapter 9’s Server Tuning section.
Server processes/WorkToDo—When a process completes, the server looks at the WorkToDo queue. If another NLM wants CPU time, it must ask permission by calling the code function ScheduleWorkToDoList, which is a CLIB function.
Note: Related SET parameters:
:SET MINIMUM SERVICE PROCESSES
:SET MAXIMUM SERVICE PROCESSES
:SET NEW SERVICE PROCESS WAIT TIME
can be found later in this chapter and in Chapter 9’s Server Tuning section.
States—Keeps track of where each process is in relation to its completion. Processes exist in states:
00: ready to run; will be executed when its turn arrives at the CPU.
Waiting on a Semaphore: waiting on a resource to become available; when the resource becomes available, the process moves to a 00 state.
Handicapped wait: Process is delayed for a certain number of context switches—the NetWare OS can handicap a thread or the thread can handicap itself. When the handicap count is reached, the wait state goes to 00 and the thread moves back to the bottom of the queue.
Waiting on an Interrupt Wakeup: A group of threads needing to execute in a specific order may need to be put to sleep and awakened together at a certain time—like a backup program that needs to initialize the hardware before the backup software can proceed.
Priorities—There are six types of priorities:
Interrupt Service Routine: The OS’s way to handle hardware interrupts.
Note: Related SET parameters:
:SET MAXIMUM INTERRUPT EVENTS = 10 (default)
can be found later in this chapter and in Chapter 9’s Server Tuning section.
FastWorkToDoList/SMP server processes (highest priority thread): Processes from the SMP kernel.
Worker thread/server process (second highest priority thread): Processes WorkToDoList threads and detects more work to be done.
NLM Threads/other processes (third highest priority thread): Placed on the run queue—which is checked when there is nothing on the WorkToDoLists or when a set amount of WorkToDo processes have been serviced consecutively.
Temporarily handicapping: Shifts threads to the DelayedWorkToDoList until their handicap has completed (e.g., a value of 25 lets 25 other server processes or NLM threads complete before being rescheduled in the run queue).
Permanently handicapping: A tag put on by the OS when a particular thread does not surrender the CPU often enough—a value gets placed on the thread just like temporary handicapping.
Low Priority: These threads run only when there are no other processes scheduled (e.g., file compression is a low priority thread). There is a server SET command relating to low priority threads that should be left OFF (unless you have a multiprocessor system):
:SET UPGRADE LOW PRIORITY THREADS=OFF
Delayed Work: Runs as it is ready; waits on resources; will yield the CPU until it is ready.
Process Queues—The organizational piece of server threads, priorities and states:
FastWorkToDoList (highest service priority): First In First Out (FIFO) queue.
WorkToDoList (second highest priority): FIFO queue.
Run Queue (third highest priority queue): FIFO queue that services most processes.
DelayedWorkToDoList: Non-FIFO queue; threads placed here wait a certain number of thread switches before going to the Run Queue.
LowPriorityRunList: FIFO queue whose threads are serviced only when the kernel is idle—nothing in the above queues—and are moved to the Run Queue when there are no other processes or if the NetWare OS upgrades the thread.
Not on the run queue: Not an actual queue but shown in the debugger—processes that are waiting on a semaphore or waiting for an interrupt are found here.
Memory management
The SERVER.NLM manages how processes use memory. NetWare addresses memory linearly and physically. View memory management through:
:MONITOR ➝ System Resources
:MONITOR ➝ Loaded Modules
:MONITOR ➝ Virtual Memory
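The queue, priority and handicap model described in the Kernel process management section above, as an added Python simulation that is not Novell code and not from this book: a non-preemptive kernel with a FastWorkToDoList, WorkToDoList, Run Queue, DelayedWorkToDoList and LowPriorityRunList, in which a thread that holds the CPU too long is tagged and sits out the next context switches. The handicap value of 25 comes from the text; HOG_BURST, WORKTODO_STREAK, the constructed workload and the rule that an idle kernel still counts a switch are assumptions of the simulation.

```python
from collections import deque
from dataclasses import dataclass

HANDICAP = 25          # context switches a handicapped thread sits out (value from the text)
HOG_BURST = 5          # assumed: holding the CPU longer than this per turn earns a permanent handicap
WORKTODO_STREAK = 3    # assumed: WorkToDo services in a row before the Run Queue gets a turn


@dataclass
class Thread:
    name: str
    burst: int                # ticks the thread keeps the CPU per turn (non-preemptive: it yields itself)
    work: int                 # ticks of work still to do
    queue: str                # "fast", "work", "run" or "low"
    handicap: int = 0         # temporary handicap the thread gave itself
    hog_tagged: bool = False  # permanent handicap placed by the OS


class Kernel:
    def __init__(self) -> None:
        self.queues = {q: deque() for q in ("fast", "work", "run", "low")}
        self.delayed: list[tuple[int, Thread]] = []  # DelayedWorkToDoList: (switches left, thread)
        self.switches = 0
        self.streak = 0                # consecutive WorkToDoList services
        self.trace: list[str] = []     # order in which threads received the CPU

    def submit(self, t: Thread) -> None:
        self.queues[t.queue].append(t)

    def _pick(self):
        if self.queues["fast"]:                        # FastWorkToDoList: always first, FIFO
            return self.queues["fast"].popleft()
        starve = self.streak >= WORKTODO_STREAK and self.queues["run"]
        if self.queues["work"] and not starve:         # WorkToDoList: FIFO, but not forever
            self.streak += 1
            return self.queues["work"].popleft()
        self.streak = 0
        if self.queues["run"]:                         # Run Queue: FIFO, most NLM threads
            return self.queues["run"].popleft()
        if self.queues["low"]:                         # kernel idle: LowPriorityRunList -> Run Queue
            self.queues["run"].extend(self.queues["low"])
            self.queues["low"].clear()
            return self.queues["run"].popleft()
        return None

    def _age_delayed(self) -> None:
        # Each context switch counts down every handicap; a thread whose count
        # reaches zero goes to the back of the Run Queue (release order is not FIFO).
        waiting = []
        for left, t in self.delayed:
            if left <= 1:
                self.queues["run"].append(t)
            else:
                waiting.append((left - 1, t))
        self.delayed = waiting

    def _requeue(self, t: Thread) -> None:
        if t.hog_tagged or t.handicap:
            self.delayed.append((HANDICAP if t.hog_tagged else t.handicap, t))
            t.handicap = 0
        else:
            self.queues[t.queue].append(t)

    def step(self) -> bool:
        """One context switch. Returns False when nothing is left anywhere."""
        t = self._pick()
        if t is None:
            if not self.delayed:
                return False
            self.switches += 1          # assumed: an idle kernel still counts a switch
            self._age_delayed()
            return True
        ran = min(t.burst, t.work)
        t.work -= ran
        self.trace.append(t.name)
        self.switches += 1
        if ran > HOG_BURST:             # OS tags a thread that did not surrender the CPU often enough
            t.hog_tagged = True
        self._age_delayed()
        if t.work:
            self._requeue(t)
        return True

    def run(self, limit: int = 10_000) -> list[str]:
        while self.switches < limit and self.step():
            pass
        return self.trace


def demo() -> dict:
    """Constructed workload: an NCP request, a WorkToDo worker, a CPU-hogging NLM,
    a short NLM thread and a low-priority file-compression thread."""
    k = Kernel()
    hog = Thread("hog-nlm", burst=10, work=30, queue="run")
    for t in (Thread("ncp", 1, 2, "fast"), Thread("worker", 1, 5, "work"), hog,
              Thread("ncopy", 1, 3, "run"), Thread("compress", 2, 2, "low")):
        k.submit(t)
    trace = k.run()
    return {"trace": trace, "switches": k.switches, "hog_tagged": hog.hog_tagged}


if __name__ == "__main__":
    print(demo())
```

In the demo the hog is tagged after its first turn and every other thread, including the low-priority compression thread, finishes before it gets the CPU back; the WorkToDo worker is also forced to let the Run Queue in after three consecutive services.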
Note: Related SET parameters:
:SET GARBAGE COLLECTION INTERVAL
:SET NUMBER OF FREES FOR GARBAGE COLLECTION
:SET MINIMUM FREE MEMORY FOR GARBAGE COLLECTION
can be found later in this chapter and in Chapter 9’s Server Tuning section.
Communication management
The SERVER.NLM manages the communication from the network—packets and protocol stacks.
:MONITOR ➝ LAN/WAN drivers
Packet—When a packet is received, it is placed in a queue called an event control block (ECB). ECBs represent each socket for the server. Packets with destination sockets are put into the server’s receive buffer and an event is triggered—an event service routine (ESR). Packets received may not all be processed at once; therefore, NetWare provides a packet receive buffer. View packet information with a sniffer program from your workstation or:
:MONITOR ➝ LAN/WAN drivers ➝ <Enter> on your NIC OR
Packet Receive Buffers—A queue that gives unprocessed packets storage space while they wait to be serviced. The IP protocol stack needs more buffer space than IPX.
Note: Related SET parameters:
:SET MINIMUM PACKET RECEIVE BUFFERS
:SET MAXIMUM PACKET RECEIVE BUFFERS
can be found later in this chapter and in Chapter 9’s Server Tuning section.
File system management
Ever notice that you do not have to defrag a hard drive in NetWare? That’s because the file system works differently on a server than on a desktop OS. You may look at some file system information in:
:MONITOR ➝ Storage Devices
:MONITOR ➝ Volumes
or use:
FILER
FLAG
NCOPY
NetWare Administrator
NDIR
RENDIR
Explorer
File Manager (right-click)
FILER may be your most robust choice.
Note: Related SET parameters:
:MONITOR ➝ SERVER PARAMETERS ➝ File System
can be found later in this chapter and in Chapter 9’s Server Tuning section.
Server loading stages
The SERVER.EXE initializes the NetWare environment. Many NLMs are called directly by the SERVER.EXE. The NLMs contained in SERVER.EXE include the following:
CDBE.NLM
SHOWLOGO.NLM
CPUCHECK.NLM
DIAG500.NLM
PVER500.NLM
NEB.NLM
NBI.NLM
MM.NLM
LSL.NLM
CONNMGR.NLM
LFS.NLM
FILESYS.NLM
UNICODE.NLM
QUEUE.NLM
NCP.NLM
POLIMGR.NLM
HWDETECT.NLM
NWPA.NLM
NWPALOAD.NLM
WS2_32.NLM
NWKCFG.NLM
SGUID.NLM
XLDR.NLM
Note: These NLMs are loaded from another module (SERVER.EXE) and can be loaded individually with an asterisk before the load command—for example, :*LFS.
2.2.4
The NetWare server loads in stages. There are over 30 defined stages. During and after installation, NetWare 5 will display a variety of loading messages at the console. This follows a specific order based on a load order template and ranges from Stage 0 to Stage 31, for a total of 32 stages. Stages 0–5 are defined as Kernel stages, while the remaining stages are user stages. There is a pre-0 stage called the K stage, for Kernel Startup stage, during which NetWare loads the NetWare Configuration Database Engine (CDBE)—which tells NetWare what to load during the other stages.
Stage—Description: NLMs loaded
K—Kernel startup stage: CDBE.NLM. This NLM loads the SERVCFG.000 file found in C:\NWSERVER, which contains server-specific configuration information such as SET parameters, aliases, etc.
0—Pre-STARTUP.NCF stage. NLMs loaded at this stage include: SHOWLOGO.NLM, PVER500, DIAG, CPUCHECK, NEB, NBI, NWPA, NWPALOAD, ORION, THEJUDGE, SERVZEN
1—Post-STARTUP.NCF execution/Pre-SYS volume mount stage: CONNMGR.NLM, FILESYS, LSL, SGUID, CONNMGR, LFS
2—Pre-AUTOEXEC.NCF/Post-SYS volume mount stage: NCP.NLM, UNICODE, QUEUE, LOCNLM32, WS2_32, XIM.XLM, XSUP.XLM, XMGR.XLM, NOVXENG.XLM, INSTAUTO.NCF
3—Pre-AUTOEXEC.NCF/Pre-Name Service Loader stage: DSLOADER.NLM, CCS.XLM, SLP, POLIMGR, MASV
4—Pre-AUTOEXEC.NCF/Post-Name Service Loader stage: NDSAUDIT.NLM, DS, TIMESYNC
5—Post-AUTOEXEC.NCF stage: HWDETECT.NLM, BAILIFF, LOADIMG
During installation and boot up, no user input is required for these stages.
2.2.5 STARTUP.NCF
Hopefully, you know that .NCF files are synonymous with DOS batch files. The STARTUP.NCF file is considered a boot file. Edit it with any text editor, EDIT.NLM, or NWCONFIG. Pre-NetWare 5.x STARTUP.NCF files contained relevant SET commands. NetWare 5 has the ability to automatically store SET commands in the C:\NWSERVER\SERVCFG.000 file and load them at the appropriate load stage.
Note: Make a copy of every server’s STARTUP.NCF and AUTOEXEC.NCF file by typing:
:load config /s
Then copy the resulting CONFIG.TXT file from SYS:SYSTEM to your workstation or another central location for reference.
A loading driver relies on parameters to initialize it. Hardware driver parameters may be auto-discovered if the driver provides a .DDI (for disks) or .LDI file (for LAN cards).
2.2.6 AUTOEXEC.NCF
This file contains time zone, bindery context, server name, and internal network number information, as well as calls to .NCF files, programs, and SET commands. Edit it with any text editor, EDIT.NLM, or NWCONFIG.
2.2.7 Boot up NDS processes
When a NW5 server comes up and holds 1 or more copies of a partition, it must register this information with SLP. NDS will make a call to the OS to determine what IP addresses are bound on this server. NDS will then send a service registration request to SLP and register this server’s IP addresses into the ndap.novell SLP service. After this, NDS will make a call to Winsock to build up its internal cache of IP addresses for servers in the replica ring for partitions that this server holds copies of. Winsock then calls SLP and generates a service request for ndap.novell specifying the partition name. The response to this request will contain the attributes of the ndap.novell service, and this is sent back to NDS. These attributes contain a list of IP addresses of the servers and interfaces that hold a copy of the partition. When a server has TCP/IP bound more than once, each of these IP addresses will be seen twice in this list—one for the TCP connection and one for the UDP connection. When the DS.NLM loads, as upon boot up or a SET DSTRACE=*., the DS.NLM automatically starts a heartbeat and limber process (which is equal to a SET DSTRACE=*H and SET DSTRACE=*L).
2.2.8 Boot up network traffic
In my lab, I did a sniffer trace on a NW5.1 boot-up sequence. The trace was a single server in a tree. There were no other servers to contact. The server was running a dual IP/IPX stack. The server is in a default state (nothing has been changed from installation). The trace showed 41 total packets. Every packet was either a broadcast packet or a multicast packet:
9 IPX packets, 31 IP packets and a single ARP packet.
3 IPX RIP packets made up of 2 response packets and one RIP request broadcast to find network FFFFFFFF.
1 IP RIP request.
1 ARP broadcast from the server lets the network know to resolve the server’s IP address to its MAC or NIC address.
4 IGMP packets broadcast (to routers) to join a multicast group.
6 IPX SAP packets in the following order:
Find General Request response
SAP Type 278 (Directory Services) Tree name SAP
SAP Type 4 (NetWare Server)
SAP Type 4B (Btrieve VAP 5.x). Actually, this packet contained two separate Type 4B SAPs with socket numbers 805A and 8059.
SAP Type 26B (Time Synchronization)
Note: Get rid of type 26B by using configured sources on all of your NetWare servers.
SAP Type 8202 (NDPS Broker Agent)
27 multicast SLP packets made up of two destination addresses:
224.0.1.22
224.0.1.35 (looking for a Directory Agent – see RFC 2165)
2 DHCP inform packets
Note: Did you know that your NetWare server can obtain DA option 78 and 79 SLP information from a DHCP server even though the server is not a DHCP client? I recommend using the SLP.CFG instead of relying on your DHCP server.
2.3 Server innerworkings
According to Novell, the NetWare server consists of:
The kernel
The Server Console
NetWare Loadable Modules (NLMs, LAN, HAM, CDM, etc.)
The kernel provides:
Multiprocessor support—The Kernel is both a uni-processing and multiprocessing kernel—as compared to NetWare 4.11, which required an extra driver for MPK servers. NetWare 5.1 supports 32 processors and 4 GIG of RAM because it was written to the Intel 82489DX MPK interrupt controller specification, and makes the most efficient use of the Intel multiprocessing platform—as compared to other NOSes. For simple file and print services neither the NetWare OS—which has never been CPU intensive—nor the NetWare modules need to use the added processors to a degree that I believe can be justified to purchase multiprocessing servers. A multiprocessing machine would be justified with GroupWise, Netscape Web server or other high-load CPU intensive applications. The next major revision of NetWare is scheduled to include better module support for multiprocessing Intel platform hardware—code named “six pack.” What supports MPK now? Anything written to the new kernel APIs and not hooked to the IP stack directly, nor to NCP directly (file system). The short list is:
GroupWise MTA (lots of benefit), POA (some, due to NCP access to the file system)
NDS (uses DFS [direct file system] calls that bypass CLIB when using the FLAIM database)
LDAP (very well multithreaded—working well at our largest clients)
SSL (very well multithreaded)
Oracle (uses DFS to access the file system)
Web Server (uses NCPs, but server-side pieces (parsing, CGI) are fast)
Protocol level pieces (LDAP, SSL) that have server-side work to do (searches and encryption) run very well. There is really no issue getting packets in/out of NetWare since the queue model is so efficient. NLMs that aren’t coded to take advantage of MPK multithreading capabilities may display the following message in green as they load on the server console:
:<Module_name> does not have any XDC data
Multithreading—Multithreading is defined as the ability to process two tasks simultaneously. Think of several people running applications from the server at the same time. The single whole task of opening an application when the user double-clicks its icon is not handed to the CPU as one unit. This one whole job is broken down into small parts called tasks. For example, let's say the job of opening the NDS Manager application from the server, while other users are running a spreadsheet application at the same time, costs 100 CPU cycles per application. Each of the 100 tasks may be queued to the CPU at the same time. These jobs have to be broken into many smaller pieces, or tasks. Let's assume each of the 100 cycles is a single task. We now have:
Each application to start/open = 100 CPU cycles = 1 task per CPU cycle
It is these many smaller tasks that are given to the CPU for processing one at a time. The CPU, in reality, is focused and cannot work on more than one thread, or task, at a time. We are all fooled into thinking that the CPU is working on all three at the same time because the total 300 cycles it takes to start the three applications are spread out in the CPU's queue, making it look like the CPU is opening all three at once. Politically, we call this socialism: each unit gets equal turns at the CPU and no one task gets preference, in theory. Most of the LAN, IP stack and file system pieces are not multithreaded until "six pack."
Note: See the section below for detail on the following console commands relating to MPK:
:DISPLAY INTERRUPTS
Memory protection—The ability to load modules (.NLMs) into protected memory space is covered later in this chapter; see the PROTECTION command later in this chapter.
Virtual memory—You may now fool applications into thinking that the NetWare server has more memory than actual RAM. A SWAP file, yes, a SWAP file, is used to store needed RAM space on hard drives. See the console commands below or type HELP SWAP at the server console. VM is backward compatible with any application that is using CLIB, and every program that runs in a protected address space and is using CLIB will automatically use VM. For example, GroupWise is written to CLIB and can therefore run in VM without modification.
Load balancing—Load balancing is the ability to share a load between multiple processors. NetWare 5 supports 32 processors.
Scheduling—NetWare can be configured to allow you to manage the amount of CPU time each application is given. More important applications can be given more cycle bandwidth.
Preemption—NetWare can take control of the CPU at any time, regardless of the currently running application.
2.3.1 The NetWare 5.1 Server supports

PCI Hot Plug
To enable these hot plug capabilities, be sure the NEB, ODINEB, NCM, NCMCON, HWDETECT, and SBD modules are all loaded. NCMCON.NLM gives you a C-Worthy menu to assist in the swapping process.
:NCMCON.NLM
The following commands may also be used for configuring hot plug capabilities.
:SCAN ALL
:SCAN FOR NEW DEVICES
:LIST STORAGE ADAPTERS
:LIST STORAGE DEVICE BINDINGS
All of the server console commands are explained later in this chapter.
I2O
NetWare 5 will automatically detect I2O motherboard designs and add-on network boards. NetWare will be able to achieve faster throughput for both the I/O channels and NetWare OS services. By splitting the workload to embedded processors on I/O controllers, user- and server-requested data reads and writes can improve dramatically under heavy workloads—up to 20% faster throughput with 50% fewer CPU cycles, according to Compaq.

I2O architecture and CPU access time
When the CPU has to resolve data or instructions from the:
- L1 cache: it costs between 1 and 3 clock cycles
- L2 cache: 3 to 10 clock cycles
- Main memory: up to 30 cycles
Accessing the PCI bus, and every peripheral access request, costs the time to flush the pipeline and pieces of the L1 and L2 cache, then 1,000 wait cycles.
Winsock 2.0 support
WinSock 2 provides a Windows Open System Architecture (WOSA) compliant architecture, which allows applications access to protocols other than TCP/IP. WinSock 2 also provides a name resolution mechanism for when more than one transport protocol is in use. More information about Winsock version 2 is found in the preceding chapter. The NetWare server uses NETDB.NLM for name resolution, except in BorderManager.
Support for Java
Java apps exist either as classes or as applets. A class is a fully functioning app; an applet is an app written to run within a compatible browser. NetWare 5 supports both.
:JAVA [-options] path_to_java_class
The JAVA.NLM must be loaded before any Java apps can be loaded. Names of Java classes are case sensitive and require the LONG.NAM name support module. The following server console commands relate to Java:
:STARTX
:C1START
:JAVA -EXIT
:UNLOAD JAVA
More about Java and its associated commands is listed later in this chapter.
PC or Serial Mouse
To redetect your mouse and video drivers, type:
:VESA_RSP
The NetWare peripheral architecture
NWPA started with NetWare 4.10. Splitting storage device drivers into two components, HAMs and CDMs, allows for better NetWare support of peripheral components. Host adapter modules (HAMs) and custom device modules (CDMs) replace the DSK drivers in NetWare 5. A HAM aligns itself to adapter hardware, while a CDM associates with storage devices or autochangers attached to a host adapter bus.
To prevent the NetWare Peripheral Architecture (NWPA) from autoloading drivers, use the following command in the STARTUP.NCF file. NWPA \NALOAD
HAMs and CDMs are loaded as NLMs and provide resource-need information as they load. They also must de-allocate their resources when they are unloaded. The components making up the NWPA architecture are as follows:

Media Manager—The Media Manager is the storage management layer and the "brain" that runs the NWPA. This component provides the storage management interface between NLM applications and storage device drivers. The Media Manager takes NLM application I/O requests and converts them to messages that are compatible with the NWPA architecture. The Media Manager is the layer between NWPA and the storage application. The Media Manager adds value to the devices presented by NWPA and provides the API set used to configure and manage the I/O system. One of the added-value features the Media Manager provides is software fault tolerance via HotFix and Mirror support. HotFix reserves space on the media as spares for other parts of the media that are bad; I/O requests to the bad areas are transparently redirected by HotFix to the spares. Mirror support duplicates data by writing the same data to multiple media; should one of the media in the Mirror set go bad, data is still preserved and obtained from the remaining media in the set. The Media Manager also supports all aspects of removable media.

Host Adapter Module (HAM)—HAMs are the driver components associated with specific host adapter hardware. Third-party developers writing to the NWPA supply these program modules with their host adapters. HAMs are loaded as NetWare Loadable Modules (NLMs) and are used to route requests to the bus where a specified device is attached.

Host Adapter Interface (HAI)—The HAI is a set of APIs within the NWPA that provides an interface for HAMs to communicate with the NWPA.

Custom Device Module (CDM)—CDMs are the driver components associated with storage devices and are supplied by third-party developers. CDMs build device-specific commands from the I/O messages received from the Media Manager, and are also loaded as NLMs.

Custom Device Interface (CDI)—The CDI is another layer within the NWPA that provides an interface for CDMs to communicate with the NWPA.

CDM Message—The CDM message is a data structure for an I/O message that is received by a CDM. The NWPA receives an I/O request from the Media Manager and converts the request to a CDM message to be passed to a CDM. It is from the contents of this structure that a CDM builds a request structure (SuperHACB) specific to a particular hardware-bus protocol.

Super Host Adapter Control Block (SuperHACB)—The SuperHACB is a data structure built by a CDM that contains device-specific commands. Each SuperHACB contains a HACB as one of its data members, along with some additional data space.

Host Adapter Control Block (HACB)—The HACB is the protocol-specific request structure containing the data that is essential to communicate with the HAM layer. It is an I/O data structure that contains a protocol-specific command block (such as SCSI or IDE-ATA). All I/O requests to the HAM are in the form of HACBs, and the HAM passes the commands contained in the command block on to the devices attached to the hardware bus.

NetWare Bus Interface (NBI)—The NBI is a hardware abstraction layer that allows hardware developers to write platform-independent modules. Some platforms may support more than one bus at a time, and each bus can be quite different from another bus. The NBI makes platform-related issues transparent to the software modules.

Novell Event Bus (NEB)—The NEB allows multiple event producers to communicate with multiple event consumers in a synchronous or asynchronous manner. Consumers and producers must register with the event bus in order to interact with each other.

How NWPA works, functionally:
1. An NLM application, or the OS, issues an I/O request to the Media Manager, which then converts the raw request into a Media Manager message.
2. The NWPA converts the Media Manager's message to a CDM message and passes a pointer to the CDM message to the CDM's I/O entry point, which the CDM specifies during its initiation and registration.
3. The CDM builds a SuperHACB from the data in the CDM message. The CDM then passes a pointer to this SuperHACB to the NWPA through the CDI interface.
4. The NWPA routes the HACB portion of the SuperHACB to the HAM supporting the target device associated with the I/O request.
5. The HAM sends the device command in the HACB to the registers of the adapter the device is attached to.
6. After the device finishes processing the command, the HAM is notified (usually by an interrupt).
7. The HAM layer does whatever is necessary to complete the HACB I/O request, places the completed information in the HACB, and then passes a pointer to the HACB to the NWPA through the HAI interface.
8. The NWPA then performs a callback to the CDM by passing a pointer to the original SuperHACB. At this point, the CDM checks to see if the requested action completed and determines the device's error status. The CDM then returns the completion status to the NWPA.
9. The NWPA then returns the Media Manager message back to the Media Manager.
10. The Media Manager then calls the application back with the completed message.

2.3.2 Server common files and directories

When volume SYS: is created, it contains predefined directories:
SYS:CDROM$$.ROM—The index file for mounted CD-ROMs.
SYS:DELETED.SAV—Holds files that have been deleted until they are manually purged. This file is automatically created on every newly created volume. Right-click on the file and choose Purge Files. It is essential to keep the SYS: volume purged. Space is reclaimed from DELETED.SAV as needed, but the volume will not show deleted files as free space until it is purged. (See Figure 2.1.)
Figure 2.1 Purgeable Space is more than .5 GB on VOL1.
NetWare also allows for the ability to immediately purge files upon deletion.
:SET IMMEDIATE PURGE OF DELETED FILES=ON
The default is OFF. You lose all possibility of file recovery with this option.
Note: Use a CRON job to purge space on your SYS: volumes every month or week. Keep print queues and user directories off of the SYS: volume.
SYS:ETC—Contains important configuration files and sample files to assist the network supervisor in configuring the server.
SYS:JAVA—Stores Java support related files.
SYS:JAVASAVE—Java related files.
SYS:LICENSE—License related files.
SYS:LOGIN—Contains executables that are needed for users to log in. By default, the [Public] object has Read and File Scan rights to this directory.
SYS:MAIL—Is used by mail programs compatible with NetWare. (NetWare creates a subdirectory in SYS:MAIL for the User object ADMIN.) If you create new users after upgrading, the new users do not have directories in SYS:MAIL. If you upgrade from an earlier NetWare version, existing users still have subdirectories here, but their login script becomes a property of their User objects. Most of the files from SYS: do not come over in a migration, which gives you a clean environment to start with.
SYS:NDPS—Contains NDPS-specific server support files.
SYS:NETBASIC—NetBasic support files.
SYS:NI—NetWare installation files; the most important is SYS:NI\DATA\RESPONSE.NI, which documents the server install configuration and can be used to upgrade other similar servers (see the chapter on installation and the upgrading chapter). Some of NetWare's install logs are also kept here.
SYS:PERL—Perl related script files.
SYS:README—README files for: NDS eDirectory; Basic Remote Access Setup and Configuration Instructions; VisiBroker Readme; Pervasive SQL 2000 database; Licenses; NW51 OS Readme in a text file and .HTML file.
SYS:SYSTEM—Contains NetWare operating system files as well as NLM programs and NetWare utilities used for managing the network. Restrict access to this directory to Administrators only.
SYS:SYSTEM/SYS$LOG.ERR—This file is created for server console messages, ranging from OS error messages to OS event notifications.
SYS:PUBLIC—Allows general access to the network and contains NetWare utilities and programs for network users. I don't like that end-users can get to management utilities in:
SYS:PUBLIC\DNSDHCP
SYS:PUBLIC\JRE
SYS:PUBLIC\MGMT
The ConsoleOne utility is buried under it at \CONSOLEONE\1.2\BIN\CONSOLEONE.EXE; RCONJ is located at \CONSOLEONE\1.2\RCONJ.EXE.
SYS:PUBLIC\NLS
SYS:PUBLIC\SWLC
SYS:PUBLIC\WIN32—This directory is where you should be running the NetWare Administrator and NDS Manager. The utilities have a wrapper around the .EXE file which will discover the desktop OS you are running and open the appropriate utility.
SYS:PUBLIC\WIN95
SYS:PUBLIC\WINNT
Use an IRF to restrict access to these important directories to Administrators only.
SYS:DOC—Contains electronic versions of the NetWare manuals.
Note: Some applications write files to the root. For security reasons you don't want users working at the root level. Therefore, use MAP ROOT to map a drive to a fake root. Use the C:\>RIGHTS path /T command to see a list of all trustees associated with a directory or file.
2.3.3 Purpose and architecture of an .NLM

A NetWare Loadable Module (NLM) is a modular program that runs on a NetWare server. An NLM can be loaded and unloaded at will without rebooting the server. You can think of NLMs as links between a program and the NetWare operating system. When you unload an .NLM you reclaim the space that .NLM held in RAM. .NLMs are made up of groups of threads that interact with the CPU. An application is a group of .NLMs that provide a service. Applications may be defined by an administrator and given CPU share values to "tune" the application; see Server Console Commands later in this chapter. The format for loading .NLMs is:
:[path]NLMname [parameters]
NetWare 5.x allows the loading of modules without having to type the LOAD command.
Usually, typing the name of the .NLM is sufficient.
:INETCFG
Any module can be loaded from the default search paths this way. Search paths can be found by typing:
:search
Sometimes I download and try .NLMs that I don't want others to load. I can make a SYS:PATCHES directory and load the .NLMs from there. If I want everyone to access all of the .NLMs in my PATCHES directory, I can add it to the search path:
:search add sys:patches
Unload an .NLM by typing:
:unload NLM_name
You may encounter errors for .NLMs that have a dependency on other .NLMs. Sometimes you will have to unload modules in a certain order. There are four types of loadable modules:
DISK DRIVERS
NetWare 4 supports .DSK drivers, which are common for hard drives. NetWare 5 does not support .DSK drivers; instead it uses HAM and CDM modules. Host Adapter Modules (HAMs) control the bus. Custom Device Modules (CDMs) control the hardware devices connected to the host bus adapter.
LAN DRIVERS
LAN drivers are the software pieces that make the hardware communicate. In certain vendor server models, LAN cards, along with the LAN drivers, are hot swappable.
NAME SPACE MODULES
Name space modules, like LONG.NAM or MAC.NAM, add file system support for naming conventions beyond the standard DOS 8.3 format. These modules can be added at any time. Unloading the modules is disastrous to your longer file names, but can be done (it will revert the file names to bastardized DOS 8.3 format). If you are ever inclined to do this, run VREPAIR after doing so to readjust the DET (Directory Entry Table).
:ADD NAME SPACE [WHATEVER.NAM] TO [VOLUME_NAME]
:ADD NAME SPACE LONG TO VOL1
NetWare 5 will remember your loaded name space and will automatically start it each time the server boots. NetWare 4 requires a load statement in the STARTUP.NCF.
LONG.NAM—The LONG.NAM module adds Windows 9x/NT long name support to the volumes.
OS2.NAM—The OS2.NAM module is a pre-NetWare 5 means to enable Windows 9x/NT long name support.
MAC.NAM—The MAC.NAM module adds support for Apple Macintosh naming conventions.
NFS.NAM—The NFS.NAM module enables volume support for the NFS name space.
NLM UTILITIES
NLMs allow the server to run expanded services for most everything you could think of: network management, e-mail programs, fax programs, security, Java services, printing, backup services, routing, file system services, etc. To see the loaded .NLMs on your server, type M or MODULES. You will notice that as the server loads, and upon entering M at the server console, the .NLM names are displayed in color.
Blue—These NLMs are loaded from a hard-coded internal list that is called when SERVER.EXE executes.
Red—These NLMs are also bound into SERVER.EXE, but are loaded from the startup partition at C:\NWSERVER. For instance, DSLOADER.NLM is always colored red because it needs to load from the C: drive.
Purple—These NLMs are autoloaded by another NLM as the server initially comes up. For example, LONG.NAM, CLIB and STREAMS are colored purple when they initially load, but are then colored red when you see them listed through the MODULES command.
White—These NLMs are loaded from the Novell configuration files, that is, from any .NCF file (the AUTOEXEC.NCF or STARTUP.NCF files), or from the server console prompt.
Yellow—Informational messages referring to symbol information about the modules that are loading.
Green—Informational messages on the modules that are loading.
Note: XLMs are also new to NetWare 5. They are cryptographic modules.
2.4 Protocols

You must have been under a rock not to have heard about Novell's new NCP protocol-independent architecture. The NetWare Core Protocol, in NetWare 5, is no longer tied to IPX in the kernel. NCPs can be encapsulated in IPX, IP or a future protocol. Chapter 1 discusses the client aspects of NCP. To see the NCP carrier protocols and ports, type at the server console:
:NCP ADDRESSES
You will notice that IP port 524 is used for NCP communications, and therefore cannot be filtered on your internal network. The displayed order represents the order in which the protocols were loaded in the AUTOEXEC.NCF or NETINFO.CFG file, though it makes no difference in what order they were loaded. NCP communications represent NetWare 5 client/server and server/server communications. NDS uses NCP in either UDP IP or IPX packets. NetWare 5, as you might expect, always prefers an IP connection over IPX. This can be changed, and should be if you are running IPX as your main protocol in NetWare 5, by a SET command or by MONITOR ➝ Server parameters ➝ NCP ➝ NCP Protocol Preferences. A list of all NCP codes can be found at www.novell.com/documentation/lg/nwec/nwec_enu/nwec_list_of_all_codes.html.
2.5 Server console commands and NLMs

All of the server console commands are listed in the supplement to this chapter. Understanding the server console commands and their functionality will greatly add to your understanding of NetWare and of troubleshooting. Note: Each service pack adds functionality available to the administrator. The README files normally indicate new server console commands, switches, NLMs and functionality. For instance, MONITOR.NLM will load anytime in the AUTOEXEC.NCF after the SYS volume mounts, but will not reflect all of the other loaded modules unless it is loaded as the last .NLM.
Included in this section are NLMs that control and manipulate the NetWare server environment, from the core OS install as well as a few shareware and freeware NLMs.
2.5.1 Auto-loaded .NLMs

NetWare 5 uses the color purple to indicate which .NLM modules are loaded by another .NLM or process. To load an internal NLM, you must add an asterisk to the filename to indicate that the file is located in SERVER.EXE. For example:
:*FILENAME.NLM
:*NCP.NLM
Should a newer version of an internal NLM ever be released, placing the newer version in the SERVER.EXE startup directory will force the server to use the newer version.
2.6 SET commands

The NetWare SET commands are a way for you to manipulate your NetWare server. It amazes me that so few administrators use this powerful means to change the way your server performs. See Chapter 9 for SET command tuning information. In the old days, if you wanted a SET command to be permanent, you had to manually add it to the STARTUP.NCF or AUTOEXEC.NCF. You had to remember which .NCF file it needed to go in and, many times, where in the .NCF file it should go. The placement of statements in these two batch files is very important. If there was no documentation on the SET command you had to experiment with the server until it worked. With the advent of NetWare 5.0, Novell has included a small database that saves the SET parameters: the NetWare Server Configuration Database Engine (CDBE). The CDBE is simply a permanent file, SERVCFG.000, in the SYS:_NETWARE directory and on the DOS partition at C:\NWSERVER, that stores all of the SET commands. The bad news is that some support packs corrupt this registry. It is therefore necessary to save your changes. When changes are made in MONITOR in the SERVER PARAMETERS option, the changes are saved to the CDBE settings in memory, but
the changes are only written/flushed to the hard disk when the server is "gracefully" DOWNed. The settings can be forced to write to disk (called flushing). The command to do this is:
:flush cdbe
SET parameters register with the SETPARM engine. At the time a SET parameter registers with the SETPARM engine it declares itself as either persistent or nonpersistent. To get a list of nonpersistent SET parameters, type the following on the server command line:
:save notper environment filename.ext
Then edit the file to see which SET parameters are not persistent. To get a list of persistent SET parameters, type the following on the server command line:
:save per environment
This command does not allow for a drive or path; the file is created at the root of SYS:. Edit the file to see which SET parameters are persistent. If nonpersistent SET parameters need to be set to a value other than the default, they must be set in the appropriate NCF file (STARTUP.NCF or AUTOEXEC.NCF).
Other console commands:
:display environment
To see all SET parameters and their values. :save environment filename.ext
To save all modified SET parameters to a file in the root of SYS. :display modified environment
To see everything the user has set differently from the default.
:save modified environment filename.ext
To save everything the user has set differently from the default to a file in the root of SYS:.
:save notper environment filename.txt
To save nonpersistent SET parameters the user has changed to a file in the root of SYS. :save per environment filename.txt
To save persistent SET parameters the user has changed to a file in the root of SYS. Forces a save of persistent SET parameters to the SERVCFG.000 file. There is no tool other than MONITOR.NLM to view the contents of the CDBE registry directly. All of the SAVE command generated text files have the same format. They will include the SET parameters from 16 categories. The following is a partial example of output from the "save environment" command (I will show all sections, but only the first and last SET parameter for each section to save on document space). I recommend the following:
1. Download the Novell CONFIG.NLM and type
:LOAD CONFIG /S
at the server console. Your servers' configuration, as well as SET commands, are saved to SYS:SYSTEM/CONFIG.TXT.
2. Use Novell's free CONFIG Reader utility to make a copy of all of your servers' parameters.
3. Premium Support customers can use Onsite Admin Pro. If you do not have it, call or e-mail Novell support and ask for it.
4. If you don't have a premium support package, no worries. Go to www.netwarefiles.com and get Command Center. This is very close to the same tool as Onsite Admin Pro. An invaluable tool!
5. ZEN for Servers will let you set policies for server SET parameters.
6. At www.netwarefiles.com look for SETSAVE.ZIP with the SETSAVE.NLM. This simple .NLM will save all of your SET parameters to the SYS:SYSTEM\SETSAVE.LOG file.
It is important to note that these SET commands can be performed at the server console: : SET MINIMUM PHYSICAL PACKET RECEIVE BUFFERS = 2000
Figure 2.2 Simply typing SET on the server console gives the following menu (NW5.1 shown).
Or you can carry out the same changes by MONITOR ➝ SERVER PARAMETERS. Or you can just type SET at the server console:
:SET
When you type only SET at the server console you see the menu in Figure 2.2. If you type a SET parameter without a value, the server will return the current value. If you don't know or don't remember what values you have changed on the server, NW 5.1 can tell you.
:DISPLAY MODIFIED ENVIRONMENT
You will be returned a screen showing all the changed SET parameters. I often use SET parameters to “tune” NetWare servers, although I prefer to change them through MONITOR ➝ Server Parameters. I have never been a fan of memorizing 300 or so vague SET commands. I have experienced dramatic increases to response times and alleviated ABENDs.
2.6.1 SET commands organized by their function

The SET commands are organized by their function. The headings correspond to the exact screen you would see on a NW5.1 SP1 server if you typed:
:SET
Shortcuts to SET parameter changes and comparisons
SET parameters are an important part of troubleshooting servers. Two servers will equal hardware and CPU loads.
Console commands related to SET parameters
Server console commands are covered earlier in this chapter. Console commands relating to SET parameters that are great for troubleshooting are:
:DISPLAY MODIFIED ENVIRONMENT
:SAVE ENVIRONMENT (filename.txt)
:SAVE MODIFIED ENVIRONMENT (filename.txt)
:RESET ENVIRONMENT
:CSET (set category displayed)
:CSET MEMORY PARAMETERS
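As an added example (not code from the book or from Novell), the following Python script compares the SET parameters of two servers the way the SAVE ENVIRONMENT and DISPLAY MODIFIED ENVIRONMENT commands above are used for troubleshooting: it parses two saved dumps, reports the parameters that differ, and checks two parameters discussed in this chapter against an assumed site policy. The "NAME = value" layout of the dumps, the category heading lines and the sample contents are constructed assumptions, since the real file format is not shown here.

```python
"""Compare SET parameter dumps from two NetWare servers.

Added example, not from the book or from Novell. It assumes the text
written by SAVE ENVIRONMENT uses the same "NAME = value" form the
console accepts, with category heading lines that contain no '='.
Real SAVE ENVIRONMENT output may be laid out differently; adjust
parse_environment() to match your files.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed sample dumps in the assumed format (not real server output).
SERVER_A = """\
Communications
Minimum Physical Packet Receive Buffers = 2000
Maximum Physical Packet Receive Buffers = 10000
File System
Immediate Purge Of Deleted Files = OFF
Minimum File Delete Wait Time = 1 Min 5.9 Sec
Memory
Auto Register Memory Above 16 Megabytes = ON
"""

SERVER_B = """\
Communications
Minimum Physical Packet Receive Buffers = 128
Maximum Physical Packet Receive Buffers = 10000
File System
Immediate Purge Of Deleted Files = ON
Minimum File Delete Wait Time = 1 Min 5.9 Sec
Memory
Auto Register Memory Above 16 Megabytes = ON
"""

_PARAM_LINE = re.compile(r"^\s*([^=]+?)\s*=\s*(.*?)\s*$")


def parse_environment(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {PARAMETER NAME: (category, value)} from a dump.

    Names are upper-cased so comparisons are case-insensitive; a non-empty
    line without '=' is treated as the start of a new category.
    """
    params: Dict[str, Tuple[str, str]] = {}
    category = "(uncategorised)"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = _PARAM_LINE.match(line)
        if match is None:
            category = line
            continue
        params[match.group(1).upper()] = (category, match.group(2))
    return params


def diff_environments(a: Dict[str, Tuple[str, str]],
                      b: Dict[str, Tuple[str, str]]
                      ) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Parameters whose values differ between two dumps.

    Returns {name: (value_in_a, value_in_b)}; a parameter missing from one
    dump (for example a nonpersistent one set only in its NCF) shows as None.
    """
    differences = {}
    for name in sorted(set(a) | set(b)):
        value_a = a[name][1] if name in a else None
        value_b = b[name][1] if name in b else None
        if value_a != value_b:
            differences[name] = (value_a, value_b)
    return differences


# Expected values for two parameters the chapter discusses. The values are
# this example's assumed site policy, not Novell defaults.
POLICY = {
    "IMMEDIATE PURGE OF DELETED FILES": "OFF",  # keep file recovery possible
    "MINIMUM PHYSICAL PACKET RECEIVE BUFFERS": "2000",
}


def policy_violations(params: Dict[str, Tuple[str, str]],
                      policy: Dict[str, str] = POLICY
                      ) -> Dict[str, Optional[str]]:
    """Return {name: actual value} for parameters that do not match policy.

    A parameter absent from the dump is reported with None so that a missing
    setting is never mistaken for a compliant one.
    """
    violations = {}
    for name, expected in policy.items():
        actual = params[name][1] if name in params else None
        if actual is None or actual.upper() != expected.upper():
            violations[name] = actual
    return violations


if __name__ == "__main__":
    server_a = parse_environment(SERVER_A)
    server_b = parse_environment(SERVER_B)
    for name, (va, vb) in diff_environments(server_a, server_b).items():
        print(f"{name}: server A = {va!r}, server B = {vb!r}")
    for name, actual in policy_violations(server_b).items():
        print(f"policy violation on server B: {name} = {actual!r}")
```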
ONSITE Admin Pro (for Novell premium support customers)
Get this utility if you are a premium support customer. (See Figure 2.3.)
Figure 2.3 Novell's unsupported OnSite Admin Pro.
Figure 2.4 Command shareware
Command (shareware)
If you do not have a premium support contract, don't worry. Get this freeware utility. (See Figure 2.4.)
SETSAVE (shareware)
SETSAVE.NLM writes all of your SET commands to SYS:SYSTEM/SETSAVE.LOG.
2.7 Server SET commands

Server SET commands are enumerated in this chapter's supplement.
2.8 Printing

Printing is one of the top two helpdesk call drivers, the other being password problems. NetWare allows for two different printing architectures: the older, well-known queue-based printing and the new NDPS printing, co-developed by Novell, HP, and Xerox. Put NDPS upgrades on your project list.
2.8.1 Queue based printing

Legacy queue-based printing requires 3 NDS objects. They may be set up by the wizard in NWADMIN.
NLMs related to queue based printing
PSERVER.NLM—PSERVER initializes the print server support on a NetWare server. PSERVER will auto-load NPRINTER.NLM for any printer defined as Auto-Load (Local) in the printer location property.
NPRINTER.NLM—When you are bold enough, or your installation is small enough, NPRINTER.NLM allows the server to have a printer attached to the serial or LPT port.
NPTWIN95.EXE—Shares a printer attached locally to a WIN9x workstation as a network printer.
To load NPRINTER on a server that isn't running PSERVER.NLM, type:
:LOAD NPRINTER printserver_name printer_name
Put this command in AUTOEXEC.NCF to autoload upon each reboot. Note: If you are not going to use the LPT port disable IRQ 7 in BIOS.
NDS objects related to queue based printing
Print Server—To create this object, a name and a printer assignment are required. A single print server object may support many printers. The print server is activated when PSERVER.NLM is loaded on the server. When the print server and file server exist in different contexts, the print server's context is required in the load statement; place this statement in the AUTOEXEC.NCF file.
:LOAD PSERVER .PRINTERS.CORP.DFW.THINGSCO
Assign print server users and operators through NetWare Administrator. Print server versions, the number of printers supported, current status, and the name can be found in NDS also.
Print Queue—Requires a name and a volume assignment.
Best Practice: Use a name that you can easily identify a print queue with, like HPDJ04_PQ. Keep print queues off the SYS volume. I like to make a small volume called QUEUES, set the immediate purge attribute on the volume and assign all print queues to it. The immediate purge attribute does not flow down, so it will have to be assigned individually to each queue directory. When making an extra volume for spooling, remember the eight-segment limitation. If you are short on segments or want to save segments, put your queues on a static volume like VOL1; you can put a directory limitation on the QUEUES directory at the root of the volume, too. Before any upgrade, document all print queues and assignments. Many consultants have worked well into the morning hours recreating print objects that didn't transfer in an upgrade. This object is unique as it represents a file on the server that print jobs are held in. This may be the most troublesome object to upgrade when upgrading the NOS. Print jobs in the queue may be manipulated; you can:
- Change the order of print jobs in a print queue
- View the jobs in the queue
- Delete the jobs in the queue
- Place a print job on hold
- Modify the print job attributes
To allow a user to send print jobs to the print queue, add the user, in NetWare Administrator or ConsoleOne, to the Print Queue Users list.
Printer—Printer NDS objects require:
- A name: your choice; you may want to use a name that signifies a printer, like HPDJ4M_P
- Printer type: Parallel, Serial, AppleTalk, or Unix
- Connection type: Auto Load or Manual Load
- Interrupt: choice of polled mode or interrupts; a dedicated interrupt usually provides better printing performance
- Port: LPT or COM
- Print queue(s) assignment(s): choose which queue(s) will service this printer
Note: Printers may be assigned to service more than one queue. A queue may be assigned to more than one printer.
Manual queue-based printing setup in NetWare Administrator
In NetWare Administrator, the print queue object is created first, then the printer object, which needs the queue assigned; last, the print server object, which requires a printer assignment.
Quick Setup
NetWare Administrator ➝ Tools ➝ Print Services ➝ Quick Setup (Non-NDPS)
2.8.2 NDPS
NDPS allows the administrator to create only one printer agent object instead of the three separate printing objects of queue-based printing—the print server, print queue, and printer objects. NDPS supports “plug and print”: as soon as a new printer is plugged into a network, the program automatically creates a public access printer agent, allowing anyone on the network to use the printer. If access to the new printer must be controlled, a quick configuration step is necessary. NDPS also allows administrators to specify who should receive alerts and notifications. For example, a pop-up window can notify the person submitting a print job when the work is done, and an administrative assistant can receive “out of paper” or “toner low” alerts. Notifications can also be sent as e-mail via Novell GroupWise or any e-mail package that uses SMTP. Finally, workstation drivers can be installed automatically when any end user assigned to that printer logs on to the network.
NLMs related to NDPS-based printing
NDPSM.NLM—The NDPS Manager
BROKER.NLM—The NDPS Broker
XGATEWAY.NLM—Gateway services for Xerox; gateways are only needed to provide backwards support for print queues
HPGATE.NLM—Gateway services for HP; gateways are only needed to provide backwards support for print queues
NDS objects related to NDPS
NDPS Broker—Provides event notification; only one is needed per every three network hops.
NDPS Manager—Manages the printer agents; can manage an unlimited number, though I have heard of 600 agents working fine on a single manager
NDPS Printer Agent—Represents a physical printing device, except for the public access printers, which need no corresponding NDS object
SLP and NDPS
NDPS printers use SLP to register their services and for client browsing of printing services.
Figure 2.5 HP’s NDPS printing snap-in.
Other NDPS Tips
The client will keep a log file (5K) in the C:\WINDOWS directory for remote printer management functions.
NDPS 2.0 requires NetWare 5.
NetWare Administrator ➝ Tools ➝ NDPS Remote Printer Management option. You may manage printers in containers for which you have Supervisor rights to the container object.
There are NDPS white papers and TIDs to reference.
Note: Put the Broker on a NetWare server that has a replica of the context the Broker is in. NDPS support must be installed on the client. Make this one of your considerations when you deploy the NetWare client software—800K of RAM is used for NDPS. Use IP to print when possible; you are going to have to migrate to it sometime. If you are using IPX, do not let the print server autoselect its frame type; manually assign it. When setting up printers in NDS, make the assignments based on the NDS tree, not off of the server, which would be a bindery connection.
2.8.3 NetWare print services for Unix
In a NetWare Pure IP environment you may use LPR/LPD, which provides public access to printers and no security. NetWare Print Services for Unix provides the same services as NFS.
2.8.4 Third-party printing support
HP
HP’s JetAdmin utility is a mainstay for almost every network I have been in. HP printers are as numerous as middle management personnel.
Note: Some people have problems with JetAdmin working properly on their desktop. One trick I found was to disable “interview mode” from the menu bar ➝ Options ➝ Interview mode. Disabling interview mode seemed to make JetAdmin happier when configuring a new printer.
Lexmark printing support
Lexmark printers do support Novell’s NDPS printing architecture. Lexmark’s IP Gateway for Novell Distributed Print Services and Novell Enterprise Print Services provides status and print capabilities for Lexmark printers and print servers. Download this self-extracting EXE to obtain a package that contains the support along with a whitepaper outlining functionality and install procedures. Two versions of the software are available. Both contain the same level of NDPS/NEPS functionality; however, one contains sound support so that the Printer Control page snap-in to NWAdmin can provide audio alert status as well as graphical status. Lexmark supports both NetWare 4.x and 5.x.
Lexmark NDPS package and whitepapers—http://www.lexmark.com/networking/ndps.html
Lexmark Support—http://support.lexmark.com
888-LEXMARK—888-539-6275
Xerox printing support
Support for IP networking and CentreWare Internet Services. Xerox’s NDPS/NEPS Solution supports IP networking in addition to IPX. The IP networking piece supports Web-based printer management software. There is no need to install additional printer management software because CentreWare Internet Services can be launched directly from any NDPS/NEPS client with Xerox’s IP/IPX solution and Internet Explorer 4.0 or greater installed.
Load through NWCONFIG ➝ Product Options ➝ Install a Product not listed
The Xerox Installation Wizard application will automatically create an Organizational Unit (OU) in the NDS tree along with three objects for each IPX Xerox printer agent that is created. These objects are necessary to support the “Print Server” communication protocol (PServer) that Xerox printers use for job submission. The Xerox Installation Wizard resets the printer after Printer Agent creation. To complete the installation for certain families of Xerox Document Centre printers, it will be necessary to go to the printer and cycle the power off and on after the Printer Agent is successfully created. Once the power-on process for the printer is complete, you must shut down and restart the printer agent in the NDPS Manager (NDPSM) at the server console or using the RCONSOLE utility.
Xerox NDPS components
Environments supported:
Novell NetWare 4.11 with Support Pack 6 or greater
Novell NetWare 4.2
Novell NetWare 5.x
Xerox support
www.xerox.com
800-34XEROX in the US
800-ASK-XEROX in Canada
Xerox .NLMs
XGATEWAY.NLM—Is the NDPS Gateway for Xerox Printers. This .NLM is included in NetWare 5.x
2.9 Pervasive SQL (formerly BTRIEVE)
If you haven’t heard, Novell sold off BTRIEVE to Pervasive (http://www.pervasive.com), which has unhooked BTRIEVE from IPX and made Pervasive Pure IP SQL. The licensing is different—and not free. Be sure to contact any vendor of BTRIEVE-dependent software to see if they support NetWare 5.x, and check with Pervasive about licensing. Pervasive provides a help file on the NetWare 5.1 CD: \PRODUCTS\PERVASIVE\ODBC\PVSW\DOC
Pervasive SQL 2000 consists of the following components:
The Pervasive SQL engine
Requesters to access the server-based MicroKernel from a Windows 95/98/NT workstation.
Utilities that help you troubleshoot configuration problems (SmartScout, InstallScout), administer Pervasive.SQL (Monitor), enhance performance and set configuration options (Control Center), and maintain databases (Maintenance, Rebuild, and DDF or SQL Data Manager).
Client install copies
ODBC 3.x
DBAdmin API
Administrative-level security
2.10 Novell’s SMS backup software
SMS has come a long way. I would never have used this feature before NetWare 5.x, but have used it several times at client sites before upgrades. The NDS schema will need to be extended, which is done automatically. The most confusing thing about SMS is remembering which modules to load in which order. I don’t know why Novell didn’t make an .NCF file for this.
Load SMS
Load the .NLMs in this order. You may be prompted for information.
SMDR.NLM—Storage Management Data Requester; do not try to unload this module individually.
TSA500—Target Service Agent that requests data from the OS (e.g., the TSA for NetWare 4.10 is TSA410).
SMSDI—SMS Device Interface.
QMAN
SBSC.NLM
SBCON—The server management utility console; it is not intuitive.
Note: To back up NDS, you will have to load TSANDS.NLM as well.
Types of backups
Full—Back up everything and clear the archive bit. Fastest to restore—only one step.
Differential—Back up whatever is different from the last full backup; the archive bit is not cleared. The differential backup is the second easiest, or second hardest, to restore: you would restore your full backup and then the latest differential.
Incremental—Back up created or modified files that have changed since the last full or incremental backup, and clear the archive bit. Hardest to restore, as you have to restore the last full backup and all of the incremental backups since the latest full backup.
Best Practice: I see many backup strategies. The most common is a full backup once weekly, then incremental backups the rest of the weekdays. Off-site storage should be used for proper disaster recovery procedures. A UPS system should always be used, too. Some larger clients use a dedicated server to back up NDS and another for specific file server farms. 24 x 7 shops may want to use a separate LAN card and subnet to connect to a dedicated server for backups—freeing the end-user network of unnecessary competing traffic.
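The archive-bit rules above decide which files each job picks up and how long the restore chain gets. The following is an added example, not from the book or from Novell’s SMS: a small Python model of a volume with archive bits, the three job types, and the restore chain for a constructed week of edits (all file names and contents are made up).

```python
from dataclasses import dataclass, field


@dataclass
class File:
    content: str
    archive: bool = True  # archive bit: set on create/modify, cleared by some job types


@dataclass
class Backup:
    kind: str                                  # "full", "differential" or "incremental"
    files: dict = field(default_factory=dict)  # name -> content captured by this job


class Volume:
    """Toy NetWare volume: file names mapped to content plus an archive bit."""

    def __init__(self):
        self.files = {}
        self.history = []  # backup jobs taken, oldest first

    def write(self, name, content):
        # Creating or modifying a file always sets its archive bit.
        self.files[name] = File(content, archive=True)

    def backup(self, kind):
        if kind == "full":
            selected = list(self.files.items())
        elif kind in ("differential", "incremental"):
            selected = [(n, f) for n, f in self.files.items() if f.archive]
        else:
            raise ValueError(f"unknown backup type: {kind}")
        job = Backup(kind, {n: f.content for n, f in selected})
        # Full and incremental jobs clear the bit; a differential leaves it set,
        # so each differential again captures everything changed since the full.
        if kind in ("full", "incremental"):
            for _, f in selected:
                f.archive = False
        self.history.append(job)
        return job


def restore_chain(history):
    """Jobs to restore, in order, to rebuild the state as of the last job."""
    full_index = max(i for i, b in enumerate(history) if b.kind == "full")
    since_full = history[full_index + 1:]
    kinds = {b.kind for b in since_full}
    if len(kinds) > 1:
        raise ValueError("mixed differential/incremental after a full is not modelled")
    if kinds == {"differential"}:
        return [history[full_index], since_full[-1]]  # full + latest differential only
    return [history[full_index]] + since_full           # full + every incremental


def rebuild(chain):
    """Apply restores oldest-first; later jobs overwrite earlier copies (deletes not modelled)."""
    state = {}
    for job in chain:
        state.update(job.files)
    return state


def simulate(strategy):
    """Constructed week: full on Sunday, then `strategy` Monday-Thursday with daily edits.

    Returns (files captured per job, number of jobs in the restore chain, rebuilt state).
    """
    vol = Volume()
    for name in ("LOGIN.EXE", "AUTOEXEC.NCF", "BUDGET.WK1"):
        vol.write(name, "v0")
    vol.backup("full")  # Sunday
    edits = [["BUDGET.WK1"], ["BUDGET.WK1", "AUTOEXEC.NCF"], [], ["MEMO.TXT"]]
    for day, changed in enumerate(edits, start=1):
        for name in changed:
            vol.write(name, f"v{day}")
        vol.backup(strategy)
    chain = restore_chain(vol.history)
    return [len(b.files) for b in vol.history], len(chain), rebuild(chain)


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        sizes, steps, state = simulate(strategy)
        print(f"{strategy:12s} files per job {sizes}  restore steps {steps}  {state}")
```

Both strategies rebuild the same final state; the difference is how much is written to tape each night versus how many tapes a restore needs.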
NDS rights needed for backups
The backup user object must possess:
To back up files/data on volumes—Read and File Scan rights to all files being backed up.
To back up NDS—the Browse object right and the Read property right to the entire tree.
To restore the file system or NDS—all of the aforementioned rights, plus the Create right.
Client SMS utility: NWBACK32.EXE
Very intuitive—use the help file. The first screen you are greeted with is shown in Figure 2.6.
Figure 2.6 NWBACK32.EXE Client Utility to Backup NetWare servers.
Each of the buttons pictured in Figure 2.6 is available at the top of the user interface. (See Figure 2.7.)
Figure 2.7 NWBACK32.EXE user interface.
Top buttons, starting at top left:
Start a backup
Start a restore job
Start verify session
Start create session
Job administration
Device administration
Reports
Run
Apply filters
Complete, incremental, differential backup
Schedule the job
Frequency with which backup is to be done
Second row of buttons from left:
Change the context
Change your client’s preferred protocol. Check how you are connected to the server you are going to back up by right-clicking on the red N on the systray ➝ NetWare connections ➝ Trans type. Now choose the same protocol.
Reconfigure SMDR. Good for when you log in incorrectly
Help
End the Novell Storage Services application
SMS backup terms
Host—NetWare server running the backup program—with an attached device for backups (e.g., DLT drive)
Target—Node to be backed up, signified by the Target Service Agent (TSA) running
TSA—Target Service Agent
Parent—Data set that can have subordinate sets, literally a container, directory or subdirectory
Child—Data set with no other subordinates, a file
Modules used by SMS
MAP3XIDS.NLM
QMAN.NLM
SBCON.NLM
SBSC.NLM
SMDR.NLM
SME.NLM
SMSDI.NLM
TSA400.NLM
TSA410.NLM
TSA500.NLM
TSADOSP.NLM
TSAPROXY.NLM
2.11 Server troubleshooting
The following information is to assist you in day-to-day troubleshooting of NetWare problems. The first place to look for any error message is either support TIDs or documentation.
http://support.novell.com
www.novell.com/documentation
2.11.1 Server hangs and lockups
The troubleshooting steps for a lockup are similar to troubleshooting a server in high utilization. Refer to TIDs on troubleshooting high utilization. At the support.novell.com/misc/patlst.htm Minimum Patch List page, download the file called HIGHUTL1.EXE. Other TIDs on troubleshooting high utilization are:
Troubleshooting High Utilization NW 4 Summary
Troubleshooting High Utilization for NW 4
Suballocation and High Utilization
Compression and High Utilization
High Utilization and Volume Free Blocks
You can search the knowledge base on High Utilization; there are also TIDs that talk about more specific issues relating to specific products and high utilization. Even when the screen seems to lock, you should always be able to get into the debugger screen with:
SHIFT+ALT+SHIFT+ESC
Helpful debugger commands
I have listed some helpful debugger commands in the order you should use them—though you may skip the first two help commands. In a nutshell, the most helpful are:
h—Help screen
.h—Help screen for all of the dot commands (.*)
?—Displays the current instruction pointer—look here to see what instruction the server executed last before it ABENDed (not necessarily the problem)
.r—Shows the last loaded application/module at the time of the ABEND—this is not always the guilty party
V—Toggles through all of the previously loaded server console screens. Look for error information on the console or other screens.
.m—Goes through all of the loaded modules at the time of the ABEND
.p—Lists all of the processes that were running on the server
.a—Shows the ABEND and reason
.c—Forces a coredump; make sure you say yes to Full without cache
.v—Shows the server version
q—Quits and goes to DOS—all user information is lost
g—Leaves the debugger screen and goes back out to the server console screen
EIP=CsleepUntilInterrupt <Enter>—May put the offending process to sleep (kill it)
If it is a Java application, you can show it and kill it:
:java -show
Process IDs are shown. You can kill one, or all, by:
:java -kill
For example, ConsoleOne shows the following on my server when I do a JAVA -SHOW:
Classname                                        ID
=============================================  =====
com.novell.applications.console.shell.Console    236
I can kill this application by:
:java -kill236
2.11.2 ABENDs
An abnormal end (ABEND) is the most critical problem that a NetWare file server can experience. All code execution stops and the contents of the server’s memory are preserved as they are. The operating system then calls an ABEND handling routine to handle the situation from there. At this point, the server is unavailable to handle client requests. Nothing else can be done on the server until the ABEND is handled by the NetWare auto-recovery process (4.11 and later), or until the server is rebooted. The ABEND.LOG is found in SYS:SYSTEM. Some of the main ABEND culprits are:
Outdated device drivers—update your drivers
Server process stuck—tune your server
Bad packets from the client—put on the most current OS patches
Defective memory chips—replace RAM
Static electricity charges
Corrupt OS file
Faulty power supply—use a line conditioner
Power spikes or surges—use a line conditioner and surge protector
Page corruption—developers can turn on the SET PAGE FAULT PARAMETERS to find a bad NLM
Compressed files—use FIXCFILE.NLM
Novell is providing a beta ABEND analysis Website. http://abend.provo.novell.com lets you upload only your ABEND.LOG file and query the database for a possible cause. I have used it with about 50% success. It is worth your time to try.
Coredumps
A coredump is a byte-by-byte image of RAM—a literal snapshot of the NetWare server’s memory at the time it ABENDed. Since memory does not change or refresh on the server when it is in an ABENDed state, the coredump will contain information about all of the following system activities and the state they were in when the server experienced the critical error:
Processes—A coredump contains all processes allocated on the server at ABEND time. This includes the process that was currently running when the server ABENDed, processes waiting to run, and processes that were not in use. For each process a call stack (history of what the process has done) is also preserved in the coredump.
Loaded Modules—A coredump also contains all of the modules that were loaded on the server at the time of the ABEND. This includes the module information, code, and data.
Allocated Memory—As processes are run on the server, they allocate memory for various functions. They can set values in that allocated memory and then use it later. That allocated memory is also stored in a coredump.
Cache Memory—Memory that has not been allocated for a module, process, or allocated memory is called cache memory, and is also included in a coredump.
Screen Shots—Screen shots of every screen on the NetWare server are also preserved in the coredump. These appear on the console screen and include the ABEND message, server name, and any remaining errors. Other helpful screens include MONITOR and SERVMAN for statistical information, and application screens for application errors.
What is an ABEND.LOG file?
In NetWare 4.11 and later, advanced features were added for handling critical server issues such as ABENDs and NLM (NetWare Loadable Module) lockups. One advanced feature is the automatic creation of ABEND.LOG, a file that contains a history of every critical situation the server experiences. The ABEND.LOG is essentially an abbreviated version of a coredump, with only the most vital pieces of information included to keep the size as small as possible. The ABEND.LOG file is created as part of the auto-recovery process starting in NetWare 4.11. In many circumstances, the process will suspend the thread responsible for the ABEND and still allow the server to continue operations. NetWare creates a summary log of the state of the file server at the time of the ABEND (part of the auto-recovery process). The ABEND info is written to a file named ABEND.LOG on the DOS (C:) partition, and then later appended to a file with the same name on the SYS volume in the SYSTEM directory. (The ABEND.LOG file in the SYS:SYSTEM directory can be reset or deleted to save space.) Figure 2.8 indicates the types of information contained in an ABEND.LOG file.
Figure 2.8 ABEND.LOG from the SYS:SYSTEM directory. This file only exists if the server has ever ABENDed.
File Server Name—Often a simple comparison between one server that is ABENDing and one that is not will show the cause of the ABEND. Use a server comparing tool like Command Center (freeware) or OnSite Admin Pro.
Date and Time of ABEND
ABEND Message—The ABEND message can be a source of great troubleshooting information or great frustration. An ABEND message such as “Free detected modified memory beyond the end of the cell being returned” is fairly specific. Others, such as a CPU hog in module SERVER.NLM, don’t provide enough information and may be misleading. The reported process (written to the ABEND.LOG) may have nothing to do with the ABEND.
Registers—Registers are areas of memory. Registers become important when other pieces of information aren’t providing enough information to isolate the cause or imply a troubleshooting course. Registers can be helpful if a pattern is established from several ABENDs.
ABENDed NLM—The ABENDed NLM is the last running module that was processed or running when the server stopped. This, however, does not indicate specifically that this module caused the ABEND.
Running Process—Frequently the running process belongs to the module that caused the ABEND. Often, it is related to the ABEND. If the running process is something other than just a generic server process, the module that owns that process can be targeted for troubleshooting.
Stack Limit and Pointer—The stack limit and pointer are used to determine if severe memory corruption has taken place. The stack limit is simply the smallest size of the running process stack.
Stack Trace—The stack trace is a printout of the stack, one value at a time.
Modules List—This is a listing of all modules that were loaded on the server, complete with version numbers and dates, so it is easy to tell which revisions were on the server when it ABENDed—check them against the minimum patch list.
The first thing you should do with an ABENDed server is submit the ABEND.LOG file to Novell’s ABEND site (abend.provo.novell.com). Next, look at your modules list and compare it to the latest patches or to another server with the same configuration. Then check third-party drivers (which are the number one cause of ABENDs) for updates—especially NIC drivers. Software updates and patches are readily available from Novell at:
http://support.novell.com/misc/patlst.htm
If you have no success and the ABEND recurs several times, open a support incident with Novell and FTP them the coredump(s).
ABEND tools
http://abend.provo.novell.com—New Website, in beta at the time of this writing, that allows you to upload your SYS:SYSTEM\ABEND.LOG file and have it analyzed. I use it often.
Alexander LAN Kit—Third-party utility for reporting and intercepting ABENDs
DBNET.NLM—DBNET is an advanced troubleshooting tool found on the NetWare 5.1 installation CD, or in Support Pack 5 for NetWare 5.0, in the \TOOLS directory. A readme file is found on the CD, too.
TABEND#.EXE—This is a downloadable, self-extracting file that contains the following ABEND troubleshooting tools and documentation—look for updates for each of these files on Novell’s support sites:
http://support.novell.com/misc/patlst.htm
http://support.novell.com/products/nw51
http://support.novell.com/products/nw51/patches/htm
AppNotes, Documents, a Flow Chart and a Bitmap: To assist you in troubleshooting ABENDs
IMGCOPY.NLM: Used to transfer a file to a NetWare volume (when the server is in DOS)
410PBOFF.NLM: Turns packet burst off on the server—only for troubleshooting
CONFIG.NLM: There is probably a newer CONFIG.NLM found on the NetWare 5.x download site
IMGCOPY: Can be run from a floppy, or the server
:LOAD IMGCOPY [S=source_path] [D=destination_path] [R=priority]
:LOAD IMGCOPY S=c:\COREDUMP.IMG D=SYS:SYSTEM\ABEND
NETALIVE.NLM: Sends a core dump to another server’s volume
:LOAD NETALIVE server_name [name_of_second_LAN_card]
FCONSOLE.EXE: Used to down a file server from a workstation
HDUMP.NLM: For NetWare 3.11 servers
There is a virtual debugger that will allow you to run the debugger against a coredump—instead of a live server. Download TVDB2, a freeware tool, from http://developer.novell.com.
Personal experience
My record for ABENDs is 250—no kidding. The server was still up, but no one could connect to it. The problem was in the TCPIP.NLM after a NetWare 5 upgrade from 4.11. I did an in-place upgrade with 17MB in the DOS partition, and when the install ran out of room, it gave me an error and was unable to continue copying files to the DOS partition. Notice that the TCPIP.NLM, like several other important NLMs, is copied to both the SYS:SYSTEM and C:\NWSERVER directories. Since the DOS partition was full, the file never got copied to the C:\NWSERVER directory; therefore, the server used the old 4.11 .NLM, which bombed continually.
2.11.3 Public symbol errors
Public symbol errors are one of my most common server errors. They indicate an out-of-date .NLM. Here’s how you find the offender and then upgrade it. First write down the public symbol error message—it is case sensitive. Go to a server not experiencing the public symbol error and enter the debugger screen. (Warning: all user activity stops when you go into the debugger screen.)
<Shift>+<Shift>+<Alt>+<Esc>—Enters the debugger screen
?<missing_symbol>—Displays the NLM that loads the symbol
Last, make sure the referencing NLM is loaded or updated.
2.12 In ConsoleOne/NetConsole
Novell introduced ConsoleOne with NetWare 5. It looked like a bad joke at first. We were told that the ConsoleOne that shipped with NetWare 5 was more of a proof of concept and was the company’s future direction for NDS manipulation. The clunky ConsoleOne has evolved into a full-featured, cross-platform tool. ConsoleOne is a Java program. As such, it suffers from the same limitations that the Java programming language does.
2.12.1 ConsoleOne/NetConsole
ConsoleOne is Novell’s cross-platform utility to manage the NetWare server and NDS.
http://www.novell.com/products/netconsole/
ConsoleOne is both a browser-based and a client/server tool. Novell is saying that by the end of 2000 the ConsoleOne tool will replace NWAdmin. ConsoleOne will then also support opening any LDAP v3 directory. The functionality of ConsoleOne/NetConsole is the same on the server as it is on the client—provided you are using the same version. ConsoleOne/NetConsole is sometimes updated on the server with each service pack. You can start it from the server console command line:
:C1START
Remember, it is a Java app, and Java is in its infancy as a programming language. Novell has dedicated some great resources to the ConsoleOne product. ConsoleOne/NetConsole is the current foundation for future Novell server/application management. After 15 minutes, when working at the server console, ConsoleOne and the common GUI shell (known as the Graphical Console screen) are written to virtual memory on the hard disk to conserve physical RAM and other server resources. You will notice everything comes to a standstill when you pull up the Graphical Console screen with the Alt+Esc keys, because the screen must first be reloaded into physical memory from the virtual memory SWAP file. To avoid this wait, use the Ctrl+Esc keys instead of the Alt+Esc keys for changing console screens. This key combination will bring up the Current Screens window, listing the different console screens that are presently open. Simply type in the number of the screen you want to go to and that screen will be displayed—or hit the Esc key one more time to go to the server console prompt.
Change the server ConsoleOne background
NetWare 5 allows you to change the background on ConsoleOne. Save an image in XPM format to the SYS:\JAVA\NWGFX\PIXMAPS directory. You may then click on the Novell button ➝ Settings ➝ Background ➝ choose your new background.
Add a menu to ConsoleOne
In a text editor, edit SYS:JAVA\NWGFX\FVWM2\FVWM2RC5XX, then, under the MENUS section, find the subsection where the menu you want to add an item to is defined ➝ add your menu item using the following syntax:
+ "menuitem" Exec command
Example:
+ "newapp" Exec Applet SYS:JAVA\NEWAPP.HTML
Accessing the server from ConsoleOne
ConsoleOne provides two programs as a substitute for RCONSOLE—Console Manager and RConsoleJ. They can only control servers that are running the RCONAG6.NLM agent.
ConsoleOne snap-ins
Snap-ins are modules that provide additional functionality for the ConsoleOne management utility. For example, you will have to have a snap-in to use ConsoleOne to control NDPS printing, BorderManager, or ZEN for Desktops. Snap-ins are found in SYS:PUBLIC\MGMT\CONSOLEONE\1.2\SNAPINS. Examples of snap-ins are Novell Certificate Server Snapin, NDS Administration Snapins, NDS Partition and Replication Snapins, Novell LDAP Snapins, and NDS Wanman Snapins. You can display the currently loaded snap-ins by Help ➝ About Snapins. A single click on any of the snap-ins reveals its version number and publisher. The snap-in architecture of ConsoleOne/NetConsole can also display network objects or resources within a defined namespace. These can be logical namespaces, such as NDS, LDAP, NetWare file systems, or NT Domains, or physical namespaces, such as network or segment maps or inventory databases.
2.13 Keystrokes available on the server
New and existing keystrokes on the server:
ALT+ESC
Toggles through the available server console screens.
CTRL+ALT+ESC
Unlocks most hung servers and displays three options: down the file server and exit to DOS, cancel the volume mount, spawn a new command line process. You may press Esc to exit this screen and its choices.
SHIFT+SHIFT+ALT+ESC
Enters the NetWare server’s debugger screen. For examples of commands to use while in the debugger, see the debugger section earlier in this chapter.
Best Practice: Exit polling screens on the server. Server screens like the DSTRACE (Directory Services) screen eat up valuable CPU cycles.
2.14 Patching/updating the NetWare server
Loading a support pack is as easy as going to NWCONFIG.NLM ➝ Product Options ➝ Install a product not listed ➝ PATH_OF_PATCH. I like to copy the files over to the server and run the patch from the server’s volume. You can mount a CD if you want. The patch, if downloaded from Novell’s Website, is zipped. Unzip it with the following syntax:
:name_of_download -y -ns
:nw51sp6 -y -ns
Newer files on the server are not overwritten by the support pack. Vendor-specific updates are sometimes included in service packs. Occasionally the support pack includes tools that are usually in a \TOOLS directory and not copied to the server (only available after you expand the support pack executable). To load the patch, you must have console operator rights (the Write right to the NDS NCP Server object). If you are extending the schema—which you only need to do once per product—you need Admin rights to the [Root] object.
Figure 2.9 Support Pack 1 for NetWare 5.1.
Installing Support Pack 1 for NetWare 5.1 (Figure 2.9) gives the following options:
Reboot the server after copying files—Either now or later—it’s up to you—but you will need to reboot the server. Don’t use the RESTART SERVER command, as it doesn’t reload SERVER.EXE. The RESET SERVER command warm boots and reloads SERVER.EXE, which is usually updated in a service pack. Use:
:RESET SERVER
and not:
:RESTART SERVER
Backup files replaced by NetWare 5.1 Support Pack v1.0—If you are paranoid, choose this option. The files are backed up to the SYS:SPACK directory. This can take up 130MB of space or more. Do not mistake this option for a clean backup of the server. This will only help “rollback” the service pack—which is no good to you if the server crashes and you can’t get the server to come back up. NetWare 5.1 Support Pack v1.0 (230MB)—230MB? Yes, the OS is a mere 45MB or so. The rest is support for all of the extra products. You will always choose this option to install SP1 on the server(s).
Note: The support pack only updates installed products. If you install a product later, you will need to re-install the support pack. Support packs contain all of the current fixes/updates/patches/enhancements in the current pack plus those of the support packs before it. For example, if you are loading Support Pack 5 for NetWare 5.0, you do not need to install Support Packs 1 through 4. Unload all Web services before installing the support packs.
Extend Directory Services Schema (If necessary)—Choose this option on the Master of [Root]—you do not have to choose this option afterwards. The schema extension will travel from the [Root] down the rest of the NDS tree at the next 30-minute NDS slow sync interval. To force a schema sync, type from the [Root] partition:
:SET DSTRACE=*SSA
Other DSTRACE SET commands can be found in the NDS chapter. The support pack process writes the update to the PRODUCTS.DAT file, which can be viewed by NWCONFIG ➝ Product Options ➝ View/Configure/Remove installed products ➝ SPACK 5.1.1. Pressing Enter on SPACK 5.1.1 will display SYS:SYSTEM\SPACKLOG.TXT. This file documents the support pack installation.
2.15 Hardware vendor support for NetWare
I know NetWare enjoys support from many hardware vendors. I have included those I run into most often at my client sites—Compaq and Dell. It is hard to go wrong with either of these choices. I have received great support from both when I have had to call concerning hardware issues.
2.15.1 Compaq
Compaq has worked well with Novell and the NetWare platform. I have had great support experiences with Compaq. Compaq provides a Power Resource PAQ for Novell products—ask your Compaq rep for one—full of tech papers, instruction and planning.
Compaq has many links for Novell related information, though I spend much of my time at:
www.nw5occ.com
www5.compaq.com/support/files
Compaq support software for Novell products includes:
Novell SSD (NSSD)—NetWare drivers, NLMs, utilities, patches and information to customize and optimize NetWare 5 for Compaq systems
Novell Support Pack—Updates for all services contained in the NetWare box. Features an improved installation, available through NWCONFIG.NLM.
Compaq System Configuration Utility—Configures the server and its expansion boards. Automatically allocates system resources, such as interrupts, DMA channels, memory and I/O ports, among the installed expansion boards.
Compaq Array Configuration Utility—Setup program for Compaq array controllers. Configures physical drives attached to the controller into arrays and logical drives that the OS uses. To distribute data to newly added drives, use the Expansion feature of the Compaq Online Configuration Utility (CPQONLIN.NLM). When new drives are added to an array, the volumes on that array can be expanded to include the new drives. In NetWare 5 you can create a second, third, or up to a fourth NetWare partition on a drive and assign it a volume without disturbing the current disk partitions. The ability to create additional partitions is particularly useful when upgrading from a smaller physical drive to a larger one: since NetWare 5 allows more than one NetWare partition on a single drive (NetWare 4.x supported only one), simply mirror the smaller drive onto the larger drive, then create a new volume on the remaining space to reclaim it without having to back up and rebuild the original partition. Remember, NSS volumes are able to claim free space from other volumes.
Compaq Diagnostics
Systems ROMPaq—ROM BIOS updates for Compaq ProSignia and ProLiant servers
Compaq Options ROMPaq—Upgrades of programmable ROMs on Compaq options, such as disk controllers and drives
Compaq Array Diagnostic Utility—Diagnostics for Compaq drive arrays

Note: To access array controllers use CPQARRAY.HAM. You can update CPQARRAY.HAM in memory by copying the new driver to the server and typing CPQARRAY.HAM at the console. Done! There is no need to unload and reload drivers while the server is running. This works for any CPQ*.HAM.
Compaq management solutions Compaq provides the following management utilities:
Compaq Survey Utility—Enhanced serviceability tool that delivers on-line configuration capture and comparison
Systems Management Toolkit—Integration tool that unifies third-party management products with Compaq Insight Manager
Diskette Builder Management—Utility that automates the creation of installation diskettes for products on the management CD ROM

The Novell Event Bus (NEB.NLM) facilitates communication between software modules (such as CPQHLTH.NLM and NWPA.NLM), management agents and device drivers. Load NEB.NLM before CPQHLTH.NLM and before any command that manually loads Host Adapter Modules (HAMs) or CDMs, since those force NWPA to be loaded.

Note: Use only CPQHLTH.NLM (Compaq Server Health Driver) versions 4.02 and higher with NetWare 5, and be sure that CPQHLTH.NLM is loaded before loading CPQRSO.NLM.
Insight Manager Compaq's strongest management tool is its Insight Manager—the 4.0 release is browser enabled. (See Figure 2.10.) The utility monitors over 1,000 management parameters. Insight Manager is made up of server agents and a client GUI interface (or browser based) and can monitor both servers and Compaq workstations.
Figure 2.10 Compaq’s Insight Manager.
The Insight version control piece presents the administrator with the ability to compare Compaq's recent firmware and software updates against your current production environment via an Internet connection or dialup. There is a performance management piece on which you may set thresholds and see utilization graphs for CPU, EISA and PCI bus utilization as well as NIC throughput.

Note: The Compaq Survey Utility and Compaq Insight Manager modules are not overwritten during a same-server upgrade. Install the versions of these utilities that are compatible with NetWare 5. I always look on Compaq's Website for the latest software/drivers/updates/patches (http://www.compaq.com/support/files/server/us/index.html or http://www.compaq.com/support/files/). If you install from the CD you may be using patches that are 6 months old or older. Insight Manager MIBs may be compiled and used in Novell's ManageWise. A white paper describing this process can be found at www.nw5occ.com. Insight Manager also supports other network management software. Since the agents answer SNMP queries, change the default community strings and restrict which management stations may query them.
Remote Insight board The Remote Insight board is a mini-PC in your server. It operates separately from the server and provides alerts via pager or Insight Manager. It offers remote reboot capabilities as well as dial-in PPP access if your server hangs. Because it gives console-level control from outside the server, protect its dial-in and network access as carefully as the server console itself.

Smart Start CD The Smart Start CD is usually old by the time you get the server delivered. Look for updates on the Web before you use it. The Smart Start CD is a wizard GUI tool to configure your Compaq server. The results of your configuration choices are written to a ~35MB system partition on the hard drive. Use version 4.2 or later to support NetWare 5.

Compaq's Power Array Status Screen CPQPOWER.NLM—On the Novell SSD, under the server management section, there is a new utility that displays redundant power subsystem status. It also incorporates the Power Down Manager, which allows configuration of the intelligent power switch on ProLiant 6000, 6500 and 7000 systems. Remember to load CPQHLTH.NLM before CPQPOWER.NLM.
2.15.2 Dell

I really love Dell computers—mostly because I have had many great experiences with the hardware and Dell support. In many clients, I see Dell desktops and Compaq servers. Dell is aggressively marketing to the server market. Dell has been a Novell OEM partner since 1990 and was the first hardware vendor to offer Novell's ICS technology as an appliance worldwide. They were also the first to certify a 32-node cluster Novell solution. A readership survey from NetWare Connection magazine shows that 32% of NetWare installations use at least some Dell servers.

Dell's storage area network Dell has great SAN and clustering solutions for NetWare.
www.dell.com/us/en/biz/topics/products_pvaul_nw_clust.htm
www.novell-dell.com
Note: Dell has a technical sales consulting team to call for information, too.
Sizing tools Dell has shown great support for Novell products. Dell consistently impresses me with their hardware and technical support. I would like to see a better NetWare presence on their Website. You may customize Dell's support page to your server's specific model and your Dell server's system service tag code. From there, you will get support news, information concerning your specific model, and may sign up for e-mail alerts when new patches are introduced for your model.

Dell's RAID card Dell's Adaptec RAID card is the most customizable RAID card I have seen. Dell servers do not have any proprietary software. Dell uses the Adaptec RAID cards in their servers—they do, however, have some AMI cards available. The Adaptec RAID cards, known as the PERC (be careful—some PERC cards are AMI), are feature rich. There is an NLM for managing the PERC controllers. As with any RAID card it is advisable to get to know how your RAID card works. The GUI, called the FAST utility, might look complex at first, but remember this is a highly customizable RAID controller. Get to know it in the lab.

Server management Dell uses an OEM HP OpenView for their server management and a Dell product called IT Assistant.
http://support.dell.com
http://support.dell.com/us/en/filelib/download/index.asp?fileid=2047
2.15.3 Other vendor patches

www.patchlink.com
2.16 Microsoft tools for NetWare administration/migration

Don't be confused: Microsoft's tools are there to help rid you of your NetWare reliance. They feel resistance is futile; sooner or later, you will be a Microsoft shop. Realize that Active Directory is not taking over the industry just yet. According to IDC numbers, less than 40% of the Windows 2000 servers deployed are using Active Directory; clients are apparently using Windows 2000 servers as standalone, member or IIS servers. It wasn't that much different for Novell when they went from NetWare 3 to NetWare 4. People, especially small businesses, didn't want or need the headaches of deploying a directory service. Even when NetWare 5 premiered Novell was still selling plenty of NetWare 3.x. NDS is complex, but it is kid's play next to Active Directory. Microsoft did something with Active Directory that Novell didn't: provide backwards compatibility with its previous NOS. Domains still have a big place in Active Directory. Novell basically abandoned the flat bindery of NetWare 3, keeping only bindery emulation through bindery contexts (see BINDERY in Supplement 1). There are pluses and minuses to both approaches. Microsoft Services for NetWare 5.0 is Microsoft's latest compatibility offering. The information can, of course, be found on Microsoft's Website.
http://www.microsoft.com/windows2000/sfn/
http://www.microsoft.com/windows2000/guide/server/solutions/netware.asp
Basically, you will find the following services:
MSDSS (Microsoft Directory Synchronization Services) This is a tool to keep your Active Directory synched with NDS or NetWare 3.x binderies. It says it provides password synchronization, though what it means is AD to NetWare sync, not two-way sync. I've heard how this tool was useful in a 15,000-object NDS environment.
File and Print Services for NetWare (FPSNW) mimics a NetWare server. A Windows 2000 (or NT 4) server can serve as another NetWare file and print server.
File Migration Utility provides a migration tool to go from NetWare to NT/W2K
2.16.1 Best practices

Novell does provide a couple of NT to NetWare migration tools. Check Novell's Website for the latest. Really all you need is a way to import users and migrate files and folders while keeping the ACLs. I can tell you from a plethora of personal experience that there are few NT to NetWare migrations. Most are NetWare to Linux or NetWare to NT/Windows 2000. Knowing that, I will suggest that you visit Novell's Website rather than take up room for tools I have never had a chance to use. I have read Microsoft's assessment of Novell's NetWare 5 and find it lacking. While I am neither a Novell nor a Microsoft bigot, you really have to know what you are doing and research carefully when you read FUD (fear, uncertainty and doubt) from any vendor.
SUPPLEMENT 1 Server Console Commands and NLMs

Understanding the server console commands and their functionality will greatly add to your NetWare and troubleshooting understanding.

Note: Each service pack adds functionality available to the administrator. The README files normally indicate new server console commands, switches, NLMs and functionality. For instance, MONITOR.NLM will load at any point in the AUTOEXEC.NCF after the SYS volume mounts, but will not reflect all of the other loaded modules unless it is loaded as the last NLM.

Included in this section are the NLMs that control and manipulate the NetWare server environment from the core OS install, plus a few shareware and freeware NLMs.

# (pound) Specifies a comment in a file, like an NCF or CFG file.
; (semicolon) Comment used in a .CFG or .NCF file—like REM or #
–A (NetWare 5) Defines an application space for the CPU. The format is:
:-A=user_defined_name NLM_name
Example: :LOAD –A WEBSRVR NETSCAPE.NLM
The assigned share values are proportional amounts of CPU cycle time that threads in the assigned application are allowed to use. These user-defined applications compete with the default NetWare OS application; any NLM not assigned to an application belongs to the NetWare application. To view the application, load MONITOR ➝ Kernel ➝ Applications ➝ defined_name. Change the share value by pressing F3. The NetWare application has a share value of 100, so an application with a share value of 500 gets 5 times the CPU time of the NetWare application when both are busy.

ABORT REMIRROR Use in combination with MIRROR STATUS. The NetWare software mirroring process stops upon this command. Mirroring can be set up through NWCONFIG ➝ Standard Disk Options ➝ Mirror/Unmirror disk partitions.
ADD NAME SPACE Adds a "name space" to a volume; it works only at the volume level. By default NetWare supports DOS 8.3 naming conventions. NetWare 5 supports the LONG.NAM name space on the SYS volume by default, because Java uses file names that do not fit the DOS scheme. For example, adding the name space MAC to a volume provides Apple Macintosh long name support. In NetWare 4.x, support for Windows long names came from OS2.NAM; that module has since been renamed LONG.NAM and is loaded automatically by NetWare 5.x because of the Java files. When you load LONG.NAM or another name space, you create a separate Directory Entry Table (DET) entry for every file, which requires more space on your volume. Exactly how much space is shown on the server console before the name space is added.
Example:
:ADD NAME SPACE name TO volume-name <Enter>
:ADD NAME SPACE LONG TO VOL1
Options:
LONG—Windows 9X, WINNT, OS2
NFS—NFS/UNIX, FTP
MAC—Apple Macintosh
FTAM—from third-party providers

Note: Adding name spaces consumes RAM. Estimate the extra memory in MB as 0.032 × volume size (in MB) / block size (in KB); for a 4,000MB volume with 64KB blocks that is 0.032 × 4000 / 64 = 2MB of additional RAM per added name space.
ALIAS I love the alias command. In NetWare 4.x the command was available, but you lost all of your changes upon each server reboot. Now NetWare remembers your alias commands in SERVERCFG.000. This is a shortcut utility to type in your choice of an abbreviated command. Instead of typing VOLUME you can type V, or choose whatever you want to represent the VOLUME command. It is like having an icon on your desktop as a shortcut. The simple server console command "alias" returns all of the commands that have currently been given an alias. To make your own aliases:
:ALIAS [your chosen shortcut letter or letters] [normal NetWare command]
Example: :ALIAS VOL VOLUME
Example: :ALIAS DS SCRSAVER DISABLE
Works with .NCF files, too. Note: Don’t alias the down, restart server, or reset server commands
BINDERY Use it to add or delete bindery context(s) on the server:
:BINDERY ADD|DELETE [NDS_CONTEXT]=
Bindery contexts, when defined, are set with SET BINDERY CONTEXT in the AUTOEXEC.NCF during installation. You have to add others manually.

Best Practice: Using a bindery context on a server requires an NDS replica on that server and presents a security hole, since most hacks are aimed at bindery connections: bindery emulation accepts the older NetWare 3 style login and exposes that part of the tree through the flat bindery API. Upgrade your printers and clients to NDS connections, then remove the bindery contexts. Bindery requests are only given 1 thread and can therefore be quite slow. Make sure your users, as well as your printers, are connecting via NDS. The bindery has been such a performance stopper that Novell has introduced some QoS bindery commands in eDirectory.
BIND Command to bind a protocol to a specific NIC board—normally done through INETCFG and not on the command line. Before a protocol is bound, the upper-layer protocol stack must be loaded and an MLID must be loaded to define a virtual network adapter for the physical adapter plus a frame type to be used.
:BIND IP TO board_name [ADDR=ip_address] [MASK=subnet_mask] [GATE=default_gateway] [BCAST=broadcast_address] [DEFROUTE={YES | NO}] [ARP={YES | NO}] [POISON={YES | NO}] [COST=hop_count]
ADDR—IP address
MASK—Subnet mask
GATE—Default gateway; not needed when using RIP, as RIP will discover the default gateway
DEFROUTE—YES specifies that the server advertises itself as a default gateway through RIP; default is NO. FORWARD must equal YES too.
ARP—Uses the server to resolve IP addresses to MAC (node) addresses. Address Resolution Protocol is turned on by default (YES).
POISON—Specifies the use of poison reverse for routing updates sent to this interface. Default is NO; split horizon is used by default.
COST—1–16; metric for the interface

BOOTPFWD.NLM A relay agent that forwards BOOTP/DHCP requests from the local segment to a remote DHCP server (see DHCPSRVR.NLM).
:BOOTPFWD SERVER=IP_address [LOG={YES | NO}] [FILE=filename] [INFO]
SERVER—The DHCP server's IP address
LOG—YES indicates that forwarding activity is recorded in a log file or to the screen
FILE—Specifies the name of a log file; default is SYS:ETC/BOOTP.LOG
INFO—Current operational status
BootP configuration through INETCFG or NIASCFG:
:INETCFG ➝ Protocols ➝ TCP/IP ➝ Expert Configuration Options ➝ BootP Forwarding Configuration
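What the relay actually does to each packet is not spelled out above. The following Python example is added here; it is not Novell code and does not reproduce BOOTPFWD's internals, only the RFC 1542 relay rules that any BOOTP/DHCP relay agent applies: a request arriving with an empty giaddr gets the relay's interface address (so the server can pick a scope for the client's segment), the hops field is incremented and used to drop relay loops, and a server reply is forwarded back to the client only when its giaddr names this relay. The addresses, MAC and packets are constructed for the demonstration.

```python
"""Packet-level view of what a BOOTP/DHCP relay agent such as BOOTPFWD does.

Added example following the RFC 1542 relay rules; not Novell code, and the
addresses below are constructed for the demonstration.
"""
import socket
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
BROADCAST_FLAG = 0x8000
MAGIC_COOKIE = b"\x63\x82\x53\x63"
ZERO_IP = b"\0\0\0\0"
# Fixed 236-byte BOOTP header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128).
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")


def build_discover(xid, mac):
    """Constructed client DHCPDISCOVER: no addresses yet, broadcast reply wanted."""
    options = MAGIC_COOKIE + bytes([53, 1, 1]) + b"\xff"   # option 53 = DISCOVER, end
    return HEADER.pack(BOOTREQUEST, 1, 6, 0, xid, 0, BROADCAST_FLAG,
                       ZERO_IP, ZERO_IP, ZERO_IP, ZERO_IP,
                       mac, b"", b"") + options            # struct pads with NULs


def build_offer(request, yiaddr, server_ip):
    """Constructed server DHCPOFFER: echoes xid, flags, chaddr and giaddr."""
    f = list(HEADER.unpack(request[:HEADER.size]))
    f[0] = BOOTREPLY
    f[8] = socket.inet_aton(yiaddr)      # yiaddr: the offered address
    f[9] = socket.inet_aton(server_ip)   # siaddr
    return HEADER.pack(*f) + MAGIC_COOKIE + bytes([53, 1, 2]) + b"\xff"


def fields(pkt):
    """Decode the header fields a relay cares about."""
    f = HEADER.unpack(pkt[:HEADER.size])
    return {"op": f[0], "hops": f[3], "xid": f[4], "flags": f[6],
            "ciaddr": socket.inet_ntoa(f[7]), "yiaddr": socket.inet_ntoa(f[8]),
            "giaddr": socket.inet_ntoa(f[10]), "chaddr": f[11][:f[2]]}


def relay_request(pkt, relay_if_ip, max_hops=4):
    """Client -> server direction. Returns the packet to unicast to the DHCP
    server, or None if the relay must drop it (not a request, or a hop loop)."""
    f = list(HEADER.unpack(pkt[:HEADER.size]))
    if f[0] != BOOTREQUEST or f[3] >= max_hops:   # RFC 1542 suggests a limit of 4
        return None
    f[3] += 1                                     # hops: one more relay crossed
    if f[10] == ZERO_IP:                          # giaddr is set by the first relay only,
        f[10] = socket.inet_aton(relay_if_ip)     # telling the server the client's subnet
    return HEADER.pack(*f) + pkt[HEADER.size:]


def relay_reply(pkt, relay_if_ip):
    """Server -> client direction. Returns (destination_ip, packet), or None
    when the reply is not ours: a relay only forwards replies whose giaddr
    names one of its own interfaces, so offers meant for another segment
    never reach this one."""
    f = HEADER.unpack(pkt[:HEADER.size])
    if f[0] != BOOTREPLY or f[10] != socket.inet_aton(relay_if_ip):
        return None
    if f[7] != ZERO_IP:                  # client already has an address: unicast
        return socket.inet_ntoa(f[7]), pkt
    if f[6] & BROADCAST_FLAG:            # client cannot receive unicast yet
        return "255.255.255.255", pkt
    return socket.inet_ntoa(f[8]), pkt   # unicast to yiaddr (chaddr at link layer)


if __name__ == "__main__":
    discover = build_discover(0x1234, b"\x00\x50\x56\x01\x02\x03")
    to_server = relay_request(discover, "10.10.138.1")
    print("relayed request:", fields(to_server))
    offer = build_offer(to_server, "10.10.138.50", "10.10.1.5")
    print("reply goes to:", relay_reply(offer, "10.10.138.1")[0])
```

The giaddr check in relay_reply is the part worth remembering when reading BOOTPFWD's log: a reply the relay refuses to forward is usually one whose giaddr does not match the interface it arrived on.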
BROADCAST Sends messages to clients
:BROADCAST "your message here" [[TO] username|connection_number] [[and|,] username|connection_number ...]
BSTART.NCF Used to start BTRIEVE. Inside my BSTART.NCF is: NWAIF103 DSAPI NWMKDE BTRIEVE LINK NWBSRVCM

CDINST.NLM Begins the CD ROM volume mount. This is the pre-NetWare 5 approach to mounting the CD ROM. CDINST.NLM is also used by the NetWare 5 OS install routine. You would use CDINST.NLM, and the commands that follow, to mount a CD ROM in a "source server" whose CD ROM you plan to use when upgrading another server across the network.
:CDINST
:CD DEVICE LIST
:MOUNT NW51

or
:CDINST
:CD DEVICE LIST
:MOUNT 1

Replace the 1 in MOUNT 1 with whatever number the CD ROM shows up as in CD DEVICE LIST.

CDROM (NetWare 5)
:CDROM
To load CD-ROM support without loading other NSS support, enter: :NSS CD9660
Once loaded, the CD-ROM acts as a standard NSS volume, allowing PC-compatible CD-ROMs to be made available to clients. To load CD-ROM support with access to Macintosh formatted CD-ROMs, enter:
:NSS CDHFS
The NSS CD-ROM module also supports automatic mounting/dismounting on compact disc eject and insertion. If you need to mount/dismount both Macintosh and PC-formatted CD-ROMs, load CDROM.NLM. Note: More information about NSS is found later in this same section under NSS.
CLEAR STATION This command removes all file server resources allocated to a specific station; any unsaved work that client connection had open on the server is lost.
:CLEAR STATION #
:CLEAR STATION ALL
You may find the station number in MONITOR ➝ Connections.

CLS Same as its DOS equivalent: clears the screen. The OFF command does the same thing.

CONFIG Administrators use this command more than any other. Check your:
Server name
IPX internal network number
Server up time
LAN card information (e.g., driver versions and dates)
Protocols
Frame types
IP addresses
Tree name
Bindery context(s)

Best Practice: I use this command to check the dates of the NIC drivers especially. I have found 2 ½ year old NIC drivers like this. Update your drivers.
CONFIG.NLM This is a freeware NLM from Novell. You can download it from Novell's Website. I consider this one of the most important freeware items that I use. Copy this NLM to a diskette and keep it with you. If you are a consultant, take it to your customer's site and document all of their servers—and put it in a spreadsheet. Running this command with the LOAD statement creates a CONFIG.TXT in SYS:SYSTEM that documents your server's configuration. This is a great utility to troubleshoot changes to your system or to back out of changes, as it documents all .NCF files, loaded modules, drivers, versions, etc. Realize that this is completely different from the CONFIG console command above. Use this command preceded with LOAD:
:LOAD CONFIG
Other parameters: :LOAD CONFIG /S :LOAD CONFIG /A
Best Practice: Regularly take a config of the server with the set command option: :LOAD CONFIG /S
Store the CONFIG.TXT in a central location where it can be referenced by any admin that may need to check the server’s configuration.
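The best practice above (and the NIC driver check under the CONFIG console command) is easier to follow when the snapshots are compared mechanically rather than by eye. The following Python script is an added example, not code from this book or from Novell: it reads two CONFIG.TXT-style module listings, reports modules that were added, removed or changed version between them, and flags LAN and disk drivers whose build date is older than a threshold. The snapshot text is constructed here in the layout of a MODULES listing (module name, description, "Version x date"); a real CONFIG.TXT carries more sections, so the parser only reacts to a module name line followed by a Version line and ignores everything else.

```python
"""Compare two CONFIG.NLM-style snapshots and flag stale drivers.

Added example, not part of CONFIG.NLM or the book. The snapshots below are
constructed after a MODULES listing (name, description, "Version x date");
a real CONFIG.TXT has more sections, which the parser simply skips.
"""
import re
from datetime import date, datetime

SNAPSHOT_JAN = """\
Modules
CPQARRAY.HAM
  Compaq Array Controller Driver
  Version 2.12   March 3, 1999
CE100B.LAN
  Intel(R) PRO/100 Adapter Driver
  Version 3.21   November 18, 1997
DS.NLM
  Novell Directory Services
  Version 7.46   June 12, 2000
"""

SNAPSHOT_JUN = """\
Modules
CPQARRAY.HAM
  Compaq Array Controller Driver
  Version 2.12   March 3, 1999
CE100B.LAN
  Intel(R) PRO/100 Adapter Driver
  Version 3.21   November 18, 1997
DS.NLM
  Novell Directory Services
  Version 8.38   February 5, 2001
TELNETD.NLM
  Telnet Daemon
  Version 1.00   August 1, 1999
"""

# A module name stands alone at the start of a line; its Version line is indented.
MODULE_RE = re.compile(r"^([A-Za-z0-9_$-]+\.(?:NLM|LAN|HAM|CDM|NAM|DSK))\s*$", re.I)
VERSION_RE = re.compile(r"^\s+Version\s+(\S+)\s+(\w+ \d{1,2}, \d{4})\s*$")


def parse_modules(text):
    """Return {MODULE.EXT: (version, build_date)} for every module in a snapshot."""
    modules, current = {}, None
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            current = m.group(1).upper()
            continue
        v = VERSION_RE.match(line)
        if v and current:
            built = datetime.strptime(v.group(2), "%B %d, %Y").date()
            modules[current] = (v.group(1), built)
            current = None
    return modules


def diff_snapshots(old_text, new_text):
    """Modules added, removed, or with a changed version/date between two snapshots."""
    old, new = parse_modules(old_text), parse_modules(new_text)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(name for name in set(old) & set(new) if old[name] != new[name])
    return added, removed, changed


def stale_drivers(text, today, max_age_days=365, suffixes=(".LAN", ".HAM", ".CDM")):
    """Drivers whose build date is more than max_age_days before `today`
    (an ISO date string or a date)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return sorted(name for name, (_, built) in parse_modules(text).items()
                  if name.endswith(suffixes) and (today - built).days > max_age_days)


if __name__ == "__main__":
    added, removed, changed = diff_snapshots(SNAPSHOT_JAN, SNAPSHOT_JUN)
    print("added:", added, "removed:", removed, "changed:", changed)
    print("stale drivers:", stale_drivers(SNAPSHOT_JUN, "2001-06-01", 365))
```

Run against the two constructed snapshots it reports TELNETD.NLM as newly loaded and DS.NLM as changed, which is the kind of entry you want to see on a schedule rather than discover during an incident; both drivers trip the one-year age check.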
CPUCHECK (NetWare 5) Displays processor information as well as L1 and L2 cache sizes. See the SPEED command listed later.

DBNET5.NLM The DBNET module works with DIAG411.NLM or DIAG500.NLM to copy an ABEND coredump to another network machine. If you use a name rather than an IP address for the destination, the server's RESOLV.CFG must be able to resolve it. Use an IP address, which removes any dependence on name resolution providers.
:LOAD DIAGxxx -d NETWORK -h 10.10.138.100
When DIAG is loaded in this manner, its AUTODUMP option is enabled, allowing a coredump to be started automatically as the server traps or ABENDs. After the core dump copy completes, the server either restarts or reboots, dependent upon the Auto Restart After ABEND SET parameter. DIAG can be loaded either before or after DBNET.NLM. DBNET also needs a core dump receiver: IMGHOST receives the core dump from DBNET. IMGHOST comes in two forms: IMGHOST.NLM runs on a server, and IMGHOST.EXE is a Win32 console application that runs on Windows NT or Windows 95/98. A core dump is an image of server memory, including cached credentials and file data, so send it only to a host you control and treat the file as sensitive.
DBHELP—Displays DBNET console commands
DBCONFIG—Configures the debug network. This command runs the first time DBNET loads, to set up DBNET.CFG on the NetWare DOS partition. Whenever the network boards loaded by the OS change, or the TCP/IP addresses assigned to those boards change, run DBCONFIG again manually to reconfigure DBNET.CFG. DBNET.CFG can also be edited by hand.
DBSTART—Starts debug network
DBSTOP—Stops debug network
DBMODULES—Displays debug network modules
DBSTAT—Displays debug network statistics

DHCPCLNT.NLM (NetWare 5.1) This NLM enables the server as a DHCP client—useful when you are using the server as a gateway to the Internet.
:DHCPCLNT name=board_name
DHCPSRVR.NLM This is the NLM that loads Novell's DHCP server.
–d2—Turns on debug output to the server's screen (Ctrl+Esc to see the screen)
–d3—Turns on the debug screen and also writes the debug information to the \ETC\DHCPSRVR.LOG log file
Example: :DHCPSRVR –d3
–p#—Specify global polling interval in # minutes
–h—Help messages
–s—Specify Master replica for directory operations. This switch is used often in larger installations.
See also DNIPINST.NLM and Chapter 4, IP, for more DHCP information and best practices.

DISABLE LOGIN Prohibits any new connections from attaching or authenticating to the server. I use this command to prepare for downing the server while I clear connections manually in MONITOR. Great for patching or upgrading. The opposite is ENABLE LOGIN. May be used in conjunction with CLEAR STATION ALL, but be very careful when you clear all connections, as users have no chance to save any work before the server connection is terminated.

DISABLE TTS Manually disables all TTS activity on the server; for developer use. Opposite of ENABLE TTS.

DISMOUNT
:DISMOUNT volume_name
Takes a volume offline to allow VREPAIR maintenance:
:DISMOUNT VOL1
:VREPAIR VOL1
When finished, mount the volume again:
:MOUNT VOL1
DISPLAY ENVIRONMENT (NetWare 5) Displays all server PATH and SET commands with their current and default settings.

DISPLAY INTERRUPTS (NetWare 5) Displays the interrupts currently in use. Since this is a real-time view, the display can change as the interrupts are used.
:DISPLAY INTERRUPTS [I# I# I# | ALL] [PROC | REAL] [ALLOC]
I#—The interrupt number you wish to view. If no number is specified, all interrupts are displayed.
ALL—Displays all interrupts
PROC—Displays per-processor interrupt information
ALLOC—Displays allocated interrupts
REAL—Displays interrupts which occurred while the OS was in real mode and were reflected back to protected mode for servicing

DISPLAY MODIFIED ENVIRONMENT (NetWare 5.x) Displays every SET parameter changed since install.
Best Practice: Use this command as a quick troubleshooting tool to find out which SET parameters have been changed; an unexplained change is also worth a question when you review a server you did not build.
DISPLAY NETWORKS Shows IPX network information from the server's RIP routing table. With RIP version 1, which is used by default, look for hop counts of 15 and 16. IPX RIP counts reachable routes only up to 15 hops; a route at 16 is unreachable and the router drops it, so entries at 15 or 16 point you at problems in your routed networks.

DISPLAY PROCESSORS (NetWare 5) A simple listing of the processor number and status. Default is to show all processors.

DISPLAY SERVERS Shows IPX servers that are found in the server's bindery.

DNIPINST.NLM Adds the NDS schema extensions related to DNS/DHCP
–R—Removes the DNS/DHCP objects, schema extensions and licenses. All zones and subnets should be exported before using this option; they can be imported back afterwards. After the command:
:DSREPAIR ➝ Advanced Options ➝ Repair Local DS Database ➝ set Check Local References and Rebuild Operational Schema to YES ➝ F10. Repeat until 0 errors.
Wait for DS to synchronize. Then load DNIPINST to put the schema extensions back and re-import the zones and subnets. Save existing information and remove/recreate the objects in the desired context. You will have to reload DNS/DHCP from the OS CD.
–F—Recreates the DNS/DHCP objects if they do not exist: the Locator, Group and RootServerInfo objects. See DHCPSRVR.NLM and NAMED.NLM.

DNSCONVRT.NLM DNS conversion utility used to convert the IntraNetWare DNS database to the DNS file needed in NetWare 5. It looks for the SYS:ETC\DNS\HOST.DB BTRIEVE file and translates it into SYS:ETC\DNS\H.DAT. Start the administration console ➝ click on "Import the files" ➝ browse to SYS:ETC\DNS\H.DAT. The BIND database format is converted into NDS format and all the objects are created for you.

DOWN In NetWare 5, you are taken directly to the DOS command prompt.

DSREPAIR.NLM The ability to repair the database is an integral part of NDS health. The single most important piece of NDS health is to upgrade to the minimum patch-list version of NDS (http://support.novell.com/misc/patlst.htm). Realize that almost all of the switches (–A is the exception) exist to support automated scripts; you can do nearly every task from the DSREPAIR C-Worthy menu. Note: Know what you are doing before running the XK killer switches; they destroy replica data on the server (see –xk2 and –xk3 below).
DSREPAIR switches Note that not all switches work on all versions of DSREPAIR.NLM and DS.NLM.
:DSREPAIR -switch
–41x—Deletes the 41x files after an upgrade
–CV #—Shows attributes with more than # values. Example: DSREPAIR –CV 75 shows all attributes with more than 75 values.
–A—Enables advanced mode. I use this often.
–D—Alternate DIB files mode (dsrepair –ext) is requested
–INS—Extend schema
–xk2—Destroys all replica roots by: making all objects external references; zeroing the creation and modification time stamps; clearing all flags except EF_PRESENT; setting Class = –1 (not backlinked)
–xk3—Clears backlinks: EF_BACKLINKED, Flags = 8001 (present, and verify creation timestamp); Class = id_invalid = FFFFFFFF = –1; all ext-ref attribute time stamps set to zero. Note: It is advisable to run the backlinker after this DSREPAIR switch to re-backlink:
:SET DSTRACE=*B
–xk6—Removes all trustee assignments to a volume. Load DSREPAIR with the –xk6 switch ➝ Advanced Options ➝ Check Volume objects and trustees
–L—Sets a flag so the log file is deleted and a new log file created
–M—Report move inhibit obituaries
–MR—Removed
–N#—Number of days before a user object's net-address is deleted; if it is older, it is deleted (default is 60 days). For example, to release connections older than 1 day on NetWare 4.x, go to the Master replica ➝ DSREPAIR –N1 ➝ Advanced Options ➝ Repair local DS
–P—Mark all unknowns per-replica as referenced
–RC—Remote load, create DIB dump file; use this in STUFKEY.NLM scripts
–RD—Repair local database (automated); use this in STUFKEY.NLM scripts
–RI—Verify and repair remote server IDs; dependent upon IPX or SLP
–RL—Specifies an alternate DSREPAIR log file name; the first one is deleted. To keep the old one and append to it, use the –L switch.
–RM <partition_root_ID>—Make this server the master for the specified partition ID. I prefer doing this manually through DSREPAIR ➝ Advanced Options ➝ Replica and partition operations ➝ <Enter on partition> ➝ Designate this server as the new master replica. Use this to troubleshoot external reference and backlink problems.
–RN—Repair network addresses; dependent upon the server's IPX SAP table or your SLP infrastructure
–RR <partition_root_ID>—Repair replica with specified partition ID
–RS <server_ID> <partition_root_ID>—Remove the specified server ID from the specified partition ID
–RV—Repair volume objects and trustees
–736—Terminates the 0.DSB file; used to troubleshoot a specific 736 NDS error
–V—Ignore API version checking
–wm—Clears the wm:registered workstation attributes that can sometimes cause high utilization from ZENworks for Desktops registry entries when the workstation is not being imported into the NDS database as a workstation object

Some of the switches that I use most often are:
:DSREPAIR –RC –RD
This repairs the local database and dumps a .DIB set of the database.
:DSREPAIR –A
Opens advanced options in DSREPAIR. See Chapter 3 for DSREPAIR C-Worthy menu explanations.

DSTRACE This is actually a SET command. See Chapter 3 and/or Novell's TIDs for a complete explanation.

DSTRACE.NLM I haven't seen anyone use this, other than to look at it. Everyone I know uses the DSTRACE SET commands.
:DSTRACE options
[taglist]—List of qualified event tags
ON—Enables tracing to the target device
OFF—Disables tracing
FILE—Changes the command target from the screen to the log file
SCREEN—Changes the command target to the trace screen
INLINE—Displays events inline
JOURNAL—Displays events on a background thread
FMAX=[size]—Specifies the maximum disk file size
FNAME=[name]—Specifies the disk file name
Each of the tags can be abbreviated by its first two letters. For a list of tags, type:
:DSTRACE
ECHO OFF Disables the on-screen display of commands executed through .NCF files—default is ECHO ON
ECHO ON Enables the on-screen display of executed commands from .NCF files

EDIT.NLM C-Worthy menu editing utility that edits files like any text editor

ENABLE LOGIN
Allows users to connect/attach/login to the server
Resets a SUPERVISOR account that has been disabled/locked by NDS intruder detection
ENABLE TTS Enables the Transaction Tracking System, which is enabled by default.

EXIT After DOWN, EXIT takes you to a DOS prompt.

FILE SERVER NAME You may change the name of the file server this way. It is written to the AUTOEXEC.NCF file. Check Novell's TIDs before changing a file server's name; there are many considerations and dependencies.

HELP Just what it says.
:HELP
A simple help command lists possible console commands. To understand what each command is for, read this book or type: :HELP console_command :HELP PROTOCOL
HTTPSTK.NLM This NLM is auto-loaded by PORTAL.NLM, but it does have one load parameter. To unload HTTPSTK.NLM and reload it without the security options, the command line would be
:LOAD HTTPSTK.NLM /RESET
Treat that as a troubleshooting step only: the stack then answers management requests without the protections you configured, so restore the secured load as soon as the problem is found.
INETCFG INETCFG.NLM is the most important protocol configuration utility. This C-Worthy menu is used by the core OS, BorderManager, NIAS, MPR and other packages that require IP configuration. It is not required, though. INETCFG stores configuration information in the following files:
AURP.CFG
TCPIP.CFG
IPXSPX.CFG
NLSP.CFG
NETINFO.CFG
INITSYS.NCF
All of these files are located in the SYS:ETC directory. Never try to use a text editor to edit these files. The beginning screen lists your choices as:
Boards—Lists the installed network boards, even if they are not activated. <Enter> on any board for its configuration information, which varies by vendor.
  Board Name
  Slot
  Media and Line Speed: Auto-Sense media type; Twisted Pair 10MBPS; Twisted pair – Full Duplex 10MBPS; Twisted pair – Full Duplex 100MBPS; Fast Ethernet 100MBPS
  Node Address: You can override the imprinted NIC address
  Comment
  Board Status: Enabled; Disabled; Force (causes all LAN driver frame types to be loaded)
  Driver Info
Network Interfaces—Almost a repeat of the above Board choice
WAN Call Directory—PPP, X.25, Frame Relay or other interface support
Protocols—AppleTalk, IPX and TCP/IP
  IPX
   IPX Status: Enabled or Disabled
   Packet Forwarding: Enabled or Disabled
   Routing Protocol: NLSP with RIP/SAP Compatibility; RIP/SAP Only
   Tunnel IPX Through IP: Enabled or Disabled
   Tunnel Configuration: Remote Peers—IP Addresses; UDP Checksum (enabled by default); UDP Port (213 used as default); Transport Time is the amount of ticks (1/18 of a second) to transmit a 576-byte packet
   Mobile IPX Support: Enabled or Disabled
   Mobile IPX Configuration:
    Time to live override overrides the mobile client’s HR Time to live setting
    Watch Dog Spoofing enables or disables the home router to answer (spoof) client NCP watchdog packet requests—usually the job of the server
    Broadcast to Virtual Network either forwards or discards broadcast packets to the mobile clients
   Address Mapping Gateway: Enabled or Disabled
   Address Mapping Gateway Configuration:
    Address Mapping Network Number
    Maximum Address Mapping Entries
    Address Mapping Hold Time
    Use RIP Filters For Nonmappable Networks: enable or disable
    Nonmappable SAP Types
    Nonmappable Network Numbers
   Filtering Support: Enabled or Disabled
   IPX/SPX Parameters:
    Maximum IPX socket table size
    SPX watchdog abort timeout
    SPX watchdog verify timeout
    SPX ack wait timeout
    SPX default retry count
    Maximum concurrent SPX sessions
    Note: SPX II is a choice, too. Novell has improved the protocol by making it support a larger frame packet (1518), windowed acknowledgment, an additional header field, and additional values for the connection control field.
   Expert Configuration Options:
    Get Nearest Server Requests: accepted or ignored
    Override Nearest Server
    Nearest Server
    Advanced Packet Type 20 Flooding—NetBIOS traffic propagation
    Hop Count Limit: default of 64
    Maximum Number of Path Splits
    Load Balance NCP Packets to Local Clients
    LSP Size: 1024 default
    Source Route Bridge
    Source Router End Stn: Enabled or Disabled
  TCP/IP
   TCP/IP Status: Enabled or Disabled
   IP Packet Forwarding: Enabled (server used as a router) or Disabled (End Node). You may go to TCPCON.NLM and look at the IP Forwarded value for information on how a server is being used. Disabled means that the routing function is disabled, a value of 0 means that the server is enabled as a router but no packets have been routed, and any other number shows you how many packets have been routed.
   RIP: Enabled or Disabled
   OSPF: Enabled or Disabled
   OSPF Configuration: Router ID; Autonomous System Boundary Router; Area Configuration; Virtual Link Configuration
   IP Load Sharing
   LAN Static Routing: Enabled or Disabled
   LAN Static Routing Table: Configure a Default Route, Host or Network. The default network value is one of the first places I go to troubleshoot connection problems.
   SNMP Manager Table
   DNS Resolver Configuration: Stupid name for configuring DNS name servers. This information gets written into the SYS:ETC\RESOLV.CFG file (which you could manipulate with a text editor, but don’t)
   Filter Support: Enabled or Disabled
   NAT Implicit Filtering: Enabled or Disabled
   Expert Configuration Options: Directed Broadcast Forwarding (Enabled or Disabled); Forward Source Route Packets (Enabled or Disabled); BootP Forwarding Configuration; EGP (Exterior Gateway Protocol, Enabled or Disabled); RFC 904 EGP Configuration
  User-specified protocol—For you to insert your own NLM and configure
Bindings—All protocols must be bound to a NIC interface to become active
  IPX (Chapter 9 lists recommendations for frame type and network traffic management)
   Network Interface Name
   IPX Network Number
   Frame Type
   Expert Bind Options
  TCP/IP
   Network Interface
   Local IP Address
   Subnetwork Mask of Connected Network
   RIP Bind Options
   OSPF Bind Options
   Expert TCP/IP Bind Options
Manage Configuration—This is a deceptive menu choice because all the INETCFG options manage your configuration.
  Configure SNMP Parameters
  Configure SNMP Information
  Expert Configuration
  Import Configuration
  Configure Remote Console Access
  Edit AUTOEXEC.NCF
View Configuration—
  All INETCFG Commands: Lists all INETCFG generated commands
  LAN Board Commands: This is great to look at your configuration if you ever wanted to put these commands into the AUTOEXEC.NCF file and not use INETCFG for any reason
  WAN Board Commands
  Protocol Commands: LOAD commands for IPX, TCP/IP, and whatever else you have loaded
  Protocol Bind Commands: Binding the protocols to a specific interface
  Configuration Summary: View Configuration Summary; Save Summary to SYS:ETC\CONFIG.SUM
  Console Messages: Read from SYS:ETC/CONSOLE.LOG
Reinitialize System—Just as if you typed the command on the server console. Reloads the protocols and bindings on the LAN interfaces (NIC cards) so you don’t have to reboot the server.
Protocol information is found in Chapter 4, as are the INETCFG menu explanations.
INSTALL.NLM Replaced in NetWare 5.x with NWCONFIG. See NWCONFIG.
–dsremove—Be very careful with this switch. This enables a user to remove directory services without logging in with admin rights.
IPTRACE.NLM Roughly equivalent to the TRACERT command line utility, IPTRACE reports the route taken between two hosts. Usage:
:LOAD IPTRACE <destination (an IP address or DNS name)> [Hops=maximum hops (default is 30)] [Wait=maximum time (default is 5 seconds)] [Port=destination port number (default is 40001; value cannot be less than 6000)] [Noresolve] [NewLog (restart iptrace.log)]
Display description:
Destination—An IP address or DNS name
Hops—Maximum hops traced; default is 30
Wait—Maximum time, in milliseconds, IPTRACE should wait for a reply—default is 5 seconds
Port—Specifies the IP port used on the destination host—default is 40,001
Noresolve—Commands IPTRACE not to resolve host names
Newlog—Starts a new trace log file—the IPTRACE.LOG is found in the /ETC directory
IPX INTERNAL NET
:IPX INTERNAL NET
Displays the fileserver’s internal network number—easier to use the CONFIG command.
:IPX INTERNAL NET 123456
Sets the fileserver’s internal network number to the value 123456. Note: NetWare 5 renamed the IPX Internal Network Number to ServerID.
JAVA
:JAVA [-options] path_to_java_class
Names of Java classes are case sensitive and require the LONG.NAM name support module. (See Table S1.1.) The JAVA.NLM must be loaded before any Java apps can be loaded.
:JAVA –HELP
LANGUAGE
:LANGUAGE
Displays the current NLM description language
list—Displays the list of available server languages
name|number—Set preferred NLM language by name or by number
add # name—Add a new language by name or number
ren number new_name—Rename the language specified by number
Table S1.1 Java –help Command Options
Option
Meaning
–help
print out this message
–nwhelp
print out NetWare specific options
–version
show the build version (i.e., 1.1.5 on NW5; 1.1.7B on NW5.1)
–v –verbose
show everything on the screen
–debug
enable remote Java debugging
–noasyncgc
do not allow asynchronous garbage collection
–verbosegc
print a message when garbage collection occurs
–noclassgc
disable class garbage collection
–ss
set the C stack size of a process
–oss
set the Java stack size of a process
–ms
set the initial Java heap size
–mx
set the maximum Java heap size
–classpath
set directories in which to look for classes
–prof
output profiling data to ./java.prof
–verify
verify all classes when read in
–verifyremote
verify classes read in over the network (default)
–noverify
do not verify any class
–D<propertyName=newValue>
redefines a property value
–nojit
disable JIT compiler
LIST DEVICES Displays all recognized physical storage devices—you should see your hard drive and CD-ROM at minimum
LIST STORAGE ADAPTERS (NetWare 5) Displays the .HAM modules loaded and their associated devices, such as SCSI and IDE hard drives and CD-ROM devices.
LIST STORAGE DEVICE BINDINGS (NetWare 5) Lists all filters and .HAMs bound to a specified device.
:LIST STORAGE DEVICE BINDINGS 2
LOAD The LOAD command is not required. To load NLMs in NetWare 5.x, just type the NLM’s name. The LOAD command, however, is required for .CDM, .DSK, and .LAN drivers. The DSK drivers are used in NetWare 4 and are no longer needed in NetWare 5. They are, in fact, upgraded during the OS upgrade routine. I always use INETCFG to configure my LAN drivers. If you use the LOAD commands, the following format is appropriate:
:LOAD [path] LAN_driver_name [parameter=value]
DMA—Defined by the hardware. Reserves a DMA channel for the network board
FRAME—Frame types
INT—Defined by the hardware, but may be changed in BIOS. Interrupt
LS—Defined by the hardware. Number of token-ring stations to be configured for the driver
MEM—Defined by the hardware. Memory address reserved by the driver
NAME—Unique board name (numbers, letters, dashes and underlines allowed). Specifies a board name (up to 17 characters)
NODE—12 digit hex value. Specifies a node address—specifically for the 802.2 specification, which overrides the randomly generated IPX address given at installation
PORT—Defined by the hardware. Memory address reserved for I/O use by the adapter
RETRIES—0–255. Defines the number of times the LAN driver will attempt to retransmit a packet
SAPS—Defined by the hardware. Specifies the service access point for the 802.2 token driver
SLOT—1–8. Specifies the EISA slot—hardware configuration is then taken from the EISA configuration
TBC—0–2. Transmit buffer count for the TOKEN driver—default is 2
TBZ—0 = use default, or 96–65535. Transmit buffer size for the TOKEN driver—default is the maximum physical receive packet size
M This is an ALIAS, or shortcut, to the MODULES command. Displays description, version and date of NLMs. Supports wildcards. Great troubleshooting tool.
:M
Shows all loaded modules.
:M N*
Shows all modules that start with an N.
:M TCPIP
Displays the NLM and its description, version and date, if it is loaded. To see or make other ALIASes, see the ALIAS command.
MAGAZINE INSERTED Acknowledgment to the server console’s display alert of “INSERT MAGAZINE”
MAGAZINE NOT INSERTED Acknowledgment that the insertion of the specified media magazine was not performed
MAGAZINE NOT REMOVED Acknowledgment that the magazine removal was not performed
MAGAZINE REMOVED Acknowledgment to the server console’s display alert of “REMOVE MAGAZINE”
MEDIA INSERTED Acknowledgment to the server console’s display alert of “INSERT MEDIA”
MEDIA NOT INSERTED Acknowledgment that the specified media’s insertion was not performed
MEDIA NOT REMOVED Acknowledgment that the specified media’s removal was not performed
MEDIA REMOVED Acknowledgment that the specified media’s removal was performed
MEMORY MAP Displays a map of server RAM
MEMORY Displays the server’s installed and BIOS-recognized RAM. 1024/# shown = installed RAM
MIRROR STATUS Upon each reboot, the OS checks and re-mirrors the volumes. This is software mirroring—as opposed to hardware mirroring, which is more efficient. This command will show you where the OS is—as a percentage—during the re-mirroring effort.
:MIRROR STATUS
:MIRROR STATUS [partition_number]
:MIRROR STATUS 1
MODULES Displays listed modules. Novell has a built-in ALIAS for MODULES, which is just M. See the listing under M. You may see more information about loaded modules by MONITOR ➝ Loaded Modules.
MONITOR If you auto-load the MONITOR.NLM in the AUTOEXEC.NCF, place it as the last module loaded—some of MONITOR’s reporting features require it to be loaded after other module activity.
:MONITOR
:MONITOR !H (shows all hidden parameters)
You will have the screen in Figure S1.1. Your choices include:
1. CONNECTIONS Your key choices are:
Tab = Next window
Enter = Select connection
F3 = Sort Options
You may sort the display by: Connection number, Connection time, Name
F4 = Send a message to this connection
F5 = Mark this connection
F6 = Clear unused connections
Delete = Deletes a connection
You can also use the server console commands:
:CLEAR STATION #
:CLEAR STATION 13
:CLEAR STATION ALL
Be careful of this one as you are clearing all user connections without the chance for them to save any work. See the CLEAR STATION server console command.
The connections choice displays the:
Status—Authenticated = NDS has acknowledged that this user or node connection is valid and allowed
Network address—Either an IPX or IP address
Connection time (DD:HH:MM)
Figure S1.1 NetWare Console Monitor available options.
2. STORAGE DEVICES Tape drives, etc.
3. VOLUMES All volumes
4. LAN/WAN DRIVERS Statistics for LAN drivers. Statistics displayed are dependent upon the driver. (See Tables S1.2 through S1.7.) Keep an eye on the Receive discarded, no available buffers statistic—more than 2% of total packets means the server is not handling processes fast enough for the board. Increase the maximum packet receive buffer settings. If the packets queued for transmission statistic is high, the NIC board may be a bottleneck—replace it with a faster PCI bus-mastering card and new drivers.
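As an added example (not from the book or from Novell), the following Python script reads a constructed MONITOR LAN/WAN driver statistics screen, applies the 2% discarded-buffers rule above and rebuilds the 64-bit byte totals from the modulo-4 GB and rollover counters of Table S1.2. The 5% queued-for-transmission threshold and the "Name: value" screen layout are assumptions for the example.

```python
"""Health check over the MONITOR -> LAN/WAN Drivers statistics screen.

Constructed example, not part of the book or of Novell's tools. It parses
"Statistic: value" lines as an operator would read them off the MONITOR
screen and applies the rules of thumb from the text:
  * "Receive discarded, no available buffers" above 2% of total packets
    received means the server is not keeping up with the board: raise the
    packet receive buffer SET parameters.
  * A high "Packets queued for transmission" count points at the NIC as the
    bottleneck. The book gives no figure for "high"; the 5% threshold below
    is an assumption for this example.
It also recombines the 32-bit byte counters (modulo 4 GB plus rollover,
Table S1.2) into a single 64-bit total.
"""
from __future__ import annotations

import re

# Threshold from the text: more than 2% of received packets discarded.
DISCARD_RATIO_LIMIT = 0.02
# Assumed for this example only (no figure is given for "high").
QUEUED_RATIO_LIMIT = 0.05

# Constructed sample, shaped like the MONITOR statistics screen for one driver.
SAMPLE_STATS = """\
Driver Name: CNE2000.LAN
Version: 3.30
Total Packets Transmitted: 1200000
Total Packets Received: 950000
Receive discarded, no available buffers: 31000
Packets queued for transmission: 12000
Bytes transmitted modulo 4 GB: 123456789
Bytes transmitted rollover: 2
Bytes received modulo 4 GB: 987654321
Bytes received rollover: 1
"""

_LINE = re.compile(r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<value>.+?)\s*$")


def parse_stats(text: str) -> dict[str, str]:
    """Turn 'Name: value' lines into a dict; blank and junk lines are skipped."""
    stats: dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            stats[m.group("name")] = m.group("value")
    return stats


def counter(stats: dict[str, str], name: str) -> int:
    """Read one numeric counter; a counter the driver does not report reads as 0."""
    raw = stats.get(name, "0").replace(",", "")
    return int(raw) if raw.isdigit() else 0


def total_bytes(stats: dict[str, str], direction: str) -> int:
    """Rebuild the 64-bit byte count: the rollover counter holds the upper 32 bits."""
    low = counter(stats, f"Bytes {direction} modulo 4 GB")
    high = counter(stats, f"Bytes {direction} rollover")
    return (high << 32) + low


def check_driver(stats: dict[str, str]) -> list[str]:
    """Apply the rules of thumb and return human-readable findings."""
    findings: list[str] = []
    received = counter(stats, "Total Packets Received")
    transmitted = counter(stats, "Total Packets Transmitted")
    discarded = counter(stats, "Receive discarded, no available buffers")
    queued = counter(stats, "Packets queued for transmission")

    if received and discarded / received > DISCARD_RATIO_LIMIT:
        findings.append(
            f"{discarded / received:.1%} of received packets discarded for lack "
            "of buffers: raise Minimum/Maximum Packet Receive Buffers (SET)"
        )
    if transmitted and queued / transmitted > QUEUED_RATIO_LIMIT:
        findings.append(
            f"{queued} packets queued for transmission: the NIC may be the "
            "bottleneck; consider a faster bus-mastering board and new drivers"
        )
    return findings


if __name__ == "__main__":
    parsed = parse_stats(SAMPLE_STATS)
    print(f"{parsed['Driver Name']}: {total_bytes(parsed, 'transmitted')} bytes out, "
          f"{total_bytes(parsed, 'received')} bytes in")
    for finding in check_driver(parsed):
        print(" -", finding)
```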
Table S1.2 Understanding LAN/WAN Driver Statistics
Statistic
Description
Driver Name
The driver name and parameters that correspond to the hardware settings on the network board
Version
The current version of the driver
Logical Board Number
Number that uniquely identifies a driver each time it is registered with the system
Board Instance Number
Number assigned to each physical adapter for which the driver has been loaded.
Node Address
Station or NIC/MAC address of the network board in the NetWare server.
Protocols
Communication protocols bound to the driver with BIND.
Network
Network number assigned to the cabling system the LAN driver is operating on. Appears only if the IPX protocol has been bound to the board.
Total Packets Transmitted
Sum number of packets sent from the NetWare server through the LAN driver since the driver was loaded. Note: By comparing this figure with the figures for other LAN drivers, you can see which driver is handling the most traffic. This value is maintained by the TSM module.
Total Packets Received
Sum number of packets received by the NetWare server since the driver was loaded. This counter includes file service requests, packets routed to other networks, and packets to other IPX sockets in the NetWare server. This value is maintained by the TSM module.
Transmit failed, packet too big
A counter that is incremented when the NetWare server tries to transmit a packet that is too large for the hardware to handle. Value is maintained by the TSM module.
Transmit failed, packet too small
A counter that is incremented when the NetWare server tries to transmit a packet that is too small. Value is maintained by the TSM module.
Receive discarded, no available buffers
A counter that is incremented when a device sends a packet to your NetWare server, but no packet receive buffer is available. The server allocates more packet receive buffers after each incident until it reaches its maximum limit (configured with a SET parameter). If you are using an EISA or microchannel bus-master board (such as the NE3200 board), you will probably need to increase both the minimum and maximum number of packet receive buffers. See Minimum Packet Receive Buffers and Maximum Packet Receive Buffers in the Communication Parameters of the SET Commands listed in Chapter 2. No ECB Available Count messages can also indicate that the driver is not configured correctly or that the TSM module and the Hardware Specific Module (HSM) are incompatible. Value is maintained by the TSM module.
Receive failed, packet too big
A counter that is incremented when the NetWare server receives a packet that is too big for the provided receive buffers. Value is maintained by the TSM module.
Receive failed, packet too small
A counter that is incremented when the NetWare server receives a packet that is too small. Currently only the RX-Net TSM module maintains this counter.
Receive failed, adapter overflow
A counter that is incremented each time the adapter’s private receive buffer pool was exhausted. This causes subsequent incoming packets to be discarded. This value is maintained by the HSM module.
Transmit failed, Miscellaneous Error
A counter that is incremented when errors with send packets occur. Value is maintained by the HSM module.
Receive failed, Miscellaneous Error
A counter that is incremented when errors with receive packets occur. This value is maintained by the HSM module.
Transmit failed, retried
A counter that is incremented when the NetWare server tries to send a packet but fails because of a hardware error. The server tries to send the packet until either it succeeds or the retry setting is reached. Value is maintained by the HSM module.
Receive failed, checksum error
Counter incremented when the checksum byte at the end of the packet does not match the sum of the bytes contained in the packet. This indicates a data error. Value is maintained by the HSM module.
Receive failed, packet length
A counter that is incremented when the packet length received by the hardware and the length specified by the packet do not match. Currently only the Ethernet TSM module maintains this counter.
Bytes transmitted modulo 4 GB
The number of bytes, including low-level headers, successfully transmitted. Value is maintained by the TSM module.
Bytes transmitted rollover
Upper 32 bits of the Total Send OK Byte Count Low. The Total Send OK Byte Count High statistic is incremented to 1 when the Total Send OK Byte Count Low counter reaches 4 GB. Value is maintained by the TSM module.
Bytes received modulo 4 GB
The number of bytes, including low-level headers, successfully received. Value is maintained by the TSM module.
Bytes received rollover
Upper 32 bits of the Total Receive OK Byte Count Low. The Total Receive OK Byte Count High statistic is incremented to 1 when the Total Receive OK Byte Count Low value reaches 4 GB. Counter maintained by the TSM module.
Transmitted to a group address
The number of packets transmitted with a group or multicast destination address. Field is maintained by the TSM module.
Received from a group address
The number of packets received with a group or multicast destination address. Field is maintained by the TSM module.
Adapter resets
The number of times the adapter was reset because of internal failures or other calls to the Driver Reset routine. Field is maintained by the HSM module.
Adapter state change time stamp
The time stamp indicating when the adapter last changed operational state (such as load, shutdown, or reset). Value is maintained by the MSM module.
Packets queued for transmission
The number of transmit packets (transmit ECBs) that are queued for the adapter. This is an indication of throughput overload on transmits. Field is maintained by the TSM module.
Table S1.3 Generic Statistics for Ethernet Drivers That Use ETHERTSM.NLM
Statistic
Description
Transmit succeeded, single collision
The number of frames involved in a single collision that are subsequently transmitted successfully. When the Ethernet controller detects a collision, it backs off for a period of time (about 2 milliseconds) then retries the transmission.
Transmit succeeded, multiple collisions
The number of frames involved in more than one collision that are transmitted successfully. This happens if the Ethernet controller had to back off more than once due to collisions.
Transmit succeeded, deferred
The number of frames whose transmission was delayed because of a busy medium. This happens if another station is transmitting on the wire when the adapter receives the command to transmit a packet.
Transmit failed, late collision
The number of transmits that had a collision after 512 bits of the packet were transmitted. This can be caused by faulty adapters, faulty network equipment, cables that are too long, or faulty terminators.
Transmit failed, excessive collisions
The number of transmits that were aborted because of too many collisions. This usually indicates that a board in the network is bad or jabbering. (“Jabbering” means the board has been on the channel longer than the time needed to transmit the maximum size packet.) This condition could also occur in very heavy traffic conditions.
Transmit failed, carrier sense missing
The number of transmits aborted because of loss of carrier sense while transmitting without any collisions. This is usually caused by a faulty adapter in the network, faulty cabling, an unterminated cable, or a faulty repeater.
Transmit failed, excessive deferral
The number of transmits aborted because of excessive deferrals. This is usually caused by a faulty adapter or repeater in the system that is jabbering on the wire. It can also occur under very heavy traffic conditions.
Receive failed, bad frame alignment
The number of received frames that were misaligned. This occurs when the number of octets in the frame is not correct or the frame does not pass the FCS check. These bad packets are usually caused by a faulty adapter or repeater in the system. They can also be caused by a collision.
Table S1.4 Generic Statistics for Token Ring Drivers That Use TOKENTSM.NLM
Statistic
Description
AC Errors
This counter is incremented when a ring station receives a Standby Monitor Present MAC frame with the A/C bits in the Frame Status field equal to zero without first receiving an Active Monitor Present MAC frame.
Transmit failed, abort delimiter sent
This counter is incremented when a ring station transmits an abort delimiter. An abort delimiter is transmitted when a ring station receives a frame in which the token bit of the access control field is set to show Token and not Frame. A ring station can also transmit an abort delimiter if an internal hardware error has occurred.
Burst errors
This counter is incremented when a ring station detects the absence of five half-bit times (a burst-five error). Other stations will detect a burst-four error followed by idles.
Frame copied errors
This counter is incremented when a ring station recognizes (receives or repeats) a frame addressed to its specific address and detects that the FC field A bits are set to 1, indicating a possible line hit or a duplicate address.
Frequency errors
This counter is incremented when the frequency of the incoming signal differs from the expected frequency by more than that specified in Section 7 of IEEE Standard 802.5-1989.
Recoverable internal error
This counts the times a ring station has a recoverable internal error, which means a ring station is probably marginal.
Last ring status
This code changes each time the ring status changes. Status codes are reported by the physical hardware. See the IBM Token-Ring Network Architecture Reference for the status code, function, and meaning.
Line errors
This counter is incremented when a frame or token is repeated by the ring station. A frame is repeated when a Frame Check Sequence error occurs or a code violation exists between the starting and ending delimiters of the frame.
Transmit failed, lost frame
This counter is incremented when a ring station transmits a frame that does not return to the station. The active monitor sends a new token.
Error tokens transmitted
This counter is incremented when a station acting as the active monitor recognizes an error condition that needs a token transmitted. This occurs when the TVX time expires.
Upstream node address
The twelve digits of the upstream node address of the next node upstream on the ring.
Last ring ID
This contains the value of the local ring ID.
Last beacon type
This contains the value of the last beacon type.
Table S1.5 Generic Statistics for FDDI Drivers That Use FDDITSM.NLM
Statistic
Description
Configuration State
The attachment configuration for the station or concentrator: 0=isolated; 1=local_a; 2=local_b; 3=local_ab; 4=local_s; 5=wrap_a; 6=wrap_b; 7=wrap_ab; 8=wrap_s; 9=c_wrap_a; 10=c_wrap_b; 11=c_wrap_s; 12=thru
Upstream Node Address
The upstream neighbor’s MAC address (0 if unknown).
Downstream Node Address
The downstream neighbor’s MAC address (0 if unknown).
Receive failed, frame error
The number of frames that were detected in error by this MAC that had not been detected in error by another MAC.
Receive failed, lost frame
The number of instances that this MAC detected a format error during frame reception such that the frame was stripped.
Ring Management State
Indicates the current state of the Ring Management state machine: 0=Isolated; 1=Non_Op; 2=Ring_Op; 3=Detect; 4=Non_Op_Dup; 5=Ring_Op_Dup; 6=Directed; 7=Trace
Consecutive LCT failures
The count of the consecutive times the link confidence test (LCT) has failed during connection management.
LEM, link rejected
The link error monitor (LEM) count of the times that a link was rejected
LEM, total errors
The aggregate link error monitor (LEM) error count.
Connection state
The state of this port’s Physical Connection Management (PCM) state machine: 0=Off; 1=Break; 2=Trace; 3=Connect; 4=Next; 5=Signal; 6=Join; 7=Verify; 8=Active; 9=Maint
Table S1.6 Custom Statistics for NE2000, NE2, NE2_32, CNE2_32, and Other Ethernet Drivers
Statistic
Description
UnderrunErrorCount
This counter is incremented when the RAM buffer on the network board is full; the board cannot accept any more packets until the RAM buffer is cleared.
TransmitTimeoutCount
This counter is incremented when a network board interrupts the file server with the message that the send bit is lost. This is a hardware problem caused by faulty cabling, a bad network board, or a missing terminator.
RxPagingErrorCount
This is a count of the errors that occur when internal buffers on the board are corrupted.
ReceiveFIFOOverrunErrorCount
This counter is incremented when an incoming packet causes an overflow because FIFO was not serviced.
ReceiverMissedPacketCount
This counter is incremented when a packet is sent to a network board that cannot accept the packet because all its receive buffers are full.
GotNothingCount
This counter is incremented when the file server receives an interrupt from a network board that is not transmitting or receiving anything. This is not serious.
UnsupportedFramePacketCount
This counter is incremented when a packet is received by the LAN driver with a frame type that hasn’t been loaded for the given board.
UnsupportedMulticastCount
This counter is incremented for each multicast packet received by the board that is not registered with the driver.
BackToBackSendCount
This counter is incremented each time the driver can buffer a send packet onto the network board while the board is sending a previous buffer. Use this counter to track congestion on the network board. See also EnqueuedSendCount.
EnqueuedSendCount
This counter is incremented when the driver is unable to transmit a packet and must put the packet in a queue until the transmitter is available. Use the counter to track congestion on the network board. See also BackToBackSendCount.
HeartBeatError
(NE2100, NE1500T, or CNEAMD) This counter is incremented when there is a signal quality error. This function is also known as the heartbeat or Signal Quality Error (SQE) test. This counter indicates a hardware problem.
MemoryTimeout
(NE2100, NE1500T, or CNEAMD) This counter is incremented when there is contention on the bus. If this counter is incremented, there may be multiple boards in the server or another busmastering device in the server, such as a LAN or disk channel device.
TxBabblingError
(NE2100, NE1500T, or CNEAMD) This counter is incremented when there is excessive length in the transmit buffer. It will increment after 1,519 data bytes have been transmitted from the buffer. It indicates that the transmitter has been on the channel longer than the time required to send the maximum length packet. If this counter is incremented, it indicates a hardware problem with the network board in the server.
TxUnderflowError
(NE2100, NE1500T, or CNEAMD) This counter is incremented when something else on the bus takes control of the bus while the LAN driver is putting the data on the wire. If this occurs, the packet must be retransmitted.
TXBufferError
(NE2100, NE1500T, or CNEAMD) This counter is incremented when there is a problem with the transmit buffer. This counter is usually incremented when TxUnderflowError is incremented; it indicates a hardware problem in the server.
RxECBsOver16MegCount TxECBsOver16MegCount
(NE2100, NE1500T, or CNEAMD) One of these counters is incremented when either a transmit or receive occurs and the driver has double buffered the ECB in the reserved buffers below 16 MB in memory. These boards require double buffering because they have a physical limitation that prevents them from accessing memory above 16 MB. Therefore, if the operating system issues an Event Control Block (ECB) with a memory address above 16 MB, the board uses some of the reserved buffers below 16 MB to queue the request. These are not errors. This value tracks how many ECBs are redirected to the buffers below 16 MB. In many cases, this counter can be as high as the total packets sent and received—double buffering decreases performance. If you have more than 16 MB of RAM and a board that is bus-mastering or using DMA that is not a 32-bit adapter, performance might be degraded.
PacketUsed2ECBs
(NE2100, NE1500T, or CNEAMD) This counter is incremented if the Server Maximum Physical Receive Packet Size is set to 1514 bytes (default for NetWare 3.11 servers), and you need to receive a near-full-size packet. For NetWare 3.12 and 4.x, the default Maximum Physical Receive Packet Size is 4202. In this instance, two ECBs are used instead of one, since the CRC on the end of the packet requires an extra four bytes; therefore, increment the maximum physical receive packet size four more bytes. Using two ECBs instead of one may decrease performance slightly.
TransmitRetryCount
(NE3200) This counter is incremented when the driver is unable to transmit a packet after a specified number of times. This may indicate a hardware problem.
TxClearToSendsErrors
(NE3200) This counter tracks an 82586 error. There are some conditions when the Clear to Send signal from the 82586 chip is incorrect. This counter indicates the number of times the corrective code on the adapter was executed to work around this condition in the 82586.
TxDMAUnderrunErrors
(NE3200) This counter tracks an 82586 error. Contention among the BMIC, 80186, and 82586 can occur on the adapter, causing the 82586 to assume it did not receive all of the packet for transmission. The transmit operation must then be retried. This counter indicates the number of times the corrective code on the adapter was executed to work around this condition.
Supplement 1: Server Console Commands and NLMs
Table S1.6 Custom Statistics for NE2000, NE2, NE2_32, CNE2_32, and Other Ethernet Drivers (continued)
RxDMAOverrunErrors
(NE3200) This counter tracks an 82586 error. If two packets are received back-to-back at close to 9.6 microseconds (the minimum Ethernet interframe spacing), the chip may report an overrun. If so, the frames are lost by the chip and the source must retransmit. This counter indicates the number of times this error has occurred.
RxPacketSlideErrors
(NE3200) This counter tracks the number of instances of an 82586 anomaly. In some conditions, the 82586 may be off by two bytes in the receive packet descriptors. In this case, the sending station must retransmit the packet. This counter indicates the number of times this condition has occurred.
RxDummyRCBUsedErrors
(NE3200) This counter tracks an 82586 error. In some cases, the 82586 may attempt to receive data into a nonexistent receive buffer at the end of its receive buffer list. To catch this condition and avoid internal data corruption, a dummy receive buffer is added to the end of the list. This variable counts the number of times the 82586 attempted to write into the dummy buffer.
InternalAdapterReset
(NE3200) This counts the number of resets (by the 80186) that occurred on the adapter due to failures on the adapter. This counter is incremented when the software corrects itself for minor problems or if the adapter is in an unknown state. It is common for this counter to be incremented. Under normal conditions, more of these errors should occur during idle time than when the driver is busy. This counter would only indicate a hardware problem if it registered thousands of these errors when the network is busy.
MondoFragmentLengthErrors
(NE3200) This counter tracks the number of instances in which an NLMTM on the server has passed the NE3200 driver an ECB whose logical memory address could not be translated to a physical memory address. You should check other NLM programs on the system and upgrade them. If you are still experiencing problems, identify which NLM is causing the problem and contact the third-party manufacturer of the NLM.
PollingTimeout
(NE3200) This counter tracks the number of times the adapter’s request was put on the queue but was not serviced within 800 nanoseconds (default). After this occurs, the adapter fires an interrupt.
ResetBecauseHardwareDiedErrors
(NE3200) If the adapter is in an unknown state or stops transmitting on the host side, the driver increments this counter and resets or restarts the adapter.
NumberOfInterruptsFired
(NE3200) This counter is incremented each time the adapter had to fire an interrupt to service a request because the polled request wasn’t serviced.
Table S1.7 Custom Statistics for Token Ring Drivers
Bad Correlator Count
(CNTR2000, NTR2000) This counter is incremented when a network board responds with a request for data from the file server that the file server does not have. The ECB or some other code may be corrupted. Eventually, this error will ABEND the server. If this counter is non-zero, you should try to find the software that is corrupting the data.
Unknown ARB requests
(CNTR2000, NTR2000) This counts bad Adapter Request Blocks (ARBs). Normally the network board (adapter) uses one of four known commands to communicate with the driver. If a network board sends a command that is not one of the four, the driver does not recognize the request. This error is not a catastrophic error. Sometimes old adapters send bad ARB requests because of software problems on the board. NetWare responds to the network board so that the board will not hang.
MicroChannel Error Count
(TOKENDMA) This counter tracks the number of times the adapter had a problem transmitting on the bus. The adapter interrupt occurred from the firmware on the board.
ECBs Over 16 MB
(TOKENDMA) This counter tracks the number of packets received that had to use an ECB over 16 MB. This number should increment only when more than 16 MB of RAM is used in the server.
DMA Bus Errors Count
(TOKENDMA) This counter is incremented when a DMA transfer completes with a bus error. If this counter is incremented, it could indicate a hardware problem.
DMA Parity Errors Count
(TOKENDMA) This counter is incremented when a DMA transfer completes with a parity error. If this is incremented, it could indicate a hardware problem.
Command Reject Count
(TOKENDMA) This counter is incremented when the driver sends a command to the board and the command is either invalid or the board is still busy processing the previous command. This number should be zero or a low number.
Tx Timeout Count
(TOKENDMA) This counter is incremented and the adapter is reset if two seconds elapse before the driver learns from the firmware that the transmit was or wasn’t successful. This counter shows the driver is successfully recovering from the lost hardware transmit. It isn’t a problem if this number is incremented.
Transmit Late Count
(TOKENDMA) This counter is incremented when the firmware reports that the board transmitted more than it actually did. After this event occurs, the data that wasn’t transmitted will be sent in the next packet. This problem is more likely to occur on busier networks.
Transmit Defragment Count
(TOKENDMA) This counter tracks how many ECBs are redirected to the buffer below 16 MB. The IBM Token-Ring DMA LAN boards are not able to access memory above 16 MB. Therefore, if the operating system issues an Event Control Block (ECB) with a memory address above 16 MB, the board uses some of the reserved buffers below 16 MB to double buffer the ECB. These are not errors. In many cases, this counter can be as high as the total packets sent and received. However, this double buffering decreases performance. If the system has more than 16 MB of RAM and a board that is bus-mastering or using DMA that is not a 32-bit adapter, performance may decrease.
5. LOADED MODULES
You can see the loaded modules with much less detail with the server console command:
:M
or
:MODULES
NetWare is an effective cache engine OS, so much so that Novell has declared that adding more RAM is more effective than upgrading the CPU in most situations. All loaded modules are listed here with detailed information. The basic information that all modules share is:
Version
Creation Date
Address space
Bytes of memory required to load
Allocated memory
Module load flags
6. FILE OPEN/LOCK ACTIVITY
Drill down to any file to see the following information:
Connection
Task
Lock Status
Log Status
7. DISK CACHE UTILIZATION
Cache hits means the server found the information in RAM—versus going to the hard disk. This presents a detailed look at whether you need more RAM. You can rarely go wrong adding RAM. See Chapter 9 for information about tuning the cache.
Short-term cache hits—Look for 98% or consider adding RAM
Short-term cache dirty hits
Long-term cache hits—Look for 90% or consider adding more RAM
Long-term cache dirty hits
LRU sitting time—Least Recently Used—Novell recommends that values less than 15 minutes may indicate a need for more RAM
Allocate block count
Allocated from AVAIL
Allocated from LRU—An incrementing value here indicates a need for more RAM
Allocate wait—An incrementing value here indicates a need for more RAM
Allocate still waiting—A number higher than 7 indicates a need for more RAM
Too many dirty blocks—A high number indicates a need for a better (faster) disk channel I/O or more RAM
Cache ReCheckBlock count—An incrementing value here indicates a need for more RAM
8. SYSTEM RESOURCES
Server memory statistics
9. VIRTUAL MEMORY
Address space and SWAP file information. See the SWAP command covered later in this chapter.
10. KERNEL
Applications
Processors
Interrupts
Threads
All of these pieces of the kernel are explained at the beginning of this chapter.
11. SERVER PARAMETERS
The server parameters choice takes the place of SERVMAN. Server parameters, or SET commands, are listed later in this chapter—broken down by the same organization you will see in this C-Worthy utility. There are many hidden commands that are not shown unless MONITOR is loaded with an !h. Example:
:MONITOR !H
Press TAB at the main screen and you will see Figure S1.2.
Figure S1.2 NetWare Console Monitor general information.
At the top left of the screen you are shown:
The name of the .NLM running and its version: NetWare 5 Console Monitor 5.22. The version number can also be displayed by typing :M MONITOR if the MONITOR.NLM is running—the same for any loaded .NLM.
Server OS version and date—No support pack updates shown—you have to type the version command or look under NWCONFIG ➝ Product options ➝ View/Configure/Remove installed products.
UTILIZATION—Real-time percentage of time CPU is being used.
SERVER UP TIME—How long the server has been running since the last boot—I’ve seen this number over 500 days.
ONLINE PROCESSORS—The number of enabled processors.
ORIGINAL CACHE BUFFERS—The total number of possible cache buffers that exist when the server is booted—less the OS kernel and DOS space.
TOTAL CACHE BUFFERS—Cache buffers available for file and directory caching. This number will decrease as modules are loaded into memory. Remember, NetWare is a cache engine and can speed requests by having ample cache to service requests. Add more RAM to increment this number.
DIRTY CACHE BUFFERS—Represents information held in queue before it can be serviced by being written to the hard disk.
LONG-TERM CACHE HITS—Percentage of time the server was able to service requests out of RAM versus going to hard disk. Serving information from RAM is the most efficient means of accessing information.
Best Practice: If this number goes below 90%, add more RAM.
CURRENT DISK REQUESTS—Number of queued disk requests that the server is waiting to service.
PACKET RECEIVE BUFFERS—Number of buffers available to receive station requests. This number should be set to a minimum of 3 buffers per connection. I like to use 2000 as a minimum and 4000 to 10000 as a maximum. IP will use more buffer space than IPX. See the SET command later in this chapter for more information on this setting. Can be set through MONITOR ➝ Server Parameters ➝ Communications.
DIRECTORY CACHE BUFFERS—Number of buffers allocated to directory caching. I like to increase the minimum to 250 and the maximum to 1000—assuming you have ample RAM. Can be set through MONITOR ➝ Server Parameters ➝ Directory Caching.
MAXIMUM SERVICE PROCESSES—Shows the maximum number of processes the OS allows to service requests—such as logins—as set by your SET statement. Service Processes are threads of execution that act as hosts to incoming service requests. The WORKTHRD.NLM is loaded to pre-allocate service processes. See Chapter 9 for server tuning optimization concerning this parameter. This number may be changed by: MONITOR ➝ Server Parameters ➝ Miscellaneous ➝ Maximum Service Processes
Note: Refer to Chapter 9 for server tuning and optimization information.
CURRENT SERVICE PROCESSES—Number of task handlers allocated for station requests. Once memory is allocated for a service process, it can never be reallocated—until the server is rebooted.
CURRENT CONNECTIONS—Sum of licensed and unlicensed connections currently attached to this server. This is an important number to look at before you down the server. For further connection information, see MONITOR ➝ Connections.
OPEN FILES—Number of open files on the server—represents workstation and server use.
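As an added example (not part of the book and not a Novell tool), the following Python applies the thresholds from the Disk Cache Utilization list and the general information screen above to two cache snapshots taken some minutes apart, so that "incrementing" counters can be detected. The `Label: value` input format, the field names and all sample figures are assumptions constructed for the example; real MONITOR output would need its own parser.

```python
"""Check NetWare MONITOR cache statistics against the thresholds given in the text.
Added example: the "Label: value" format and all figures are constructed, not captured
MONITOR output."""
import re
from dataclasses import dataclass

# Labels as the text lists them, mapped to Snapshot field names (constructed format).
LABELS = {
    "Short-term cache hits": "short_term_hits_pct",
    "Long-term cache hits": "long_term_hits_pct",
    "LRU sitting time": "lru_sitting_minutes",
    "Allocated from LRU": "allocated_from_lru",
    "Allocate wait": "allocate_wait",
    "Allocate still waiting": "allocate_still_waiting",
    "Too many dirty blocks": "too_many_dirty_blocks",
    "Cache ReCheckBlock count": "recheck_block_count",
    "Packet receive buffers": "packet_receive_buffers",
    "Current connections": "current_connections",
}
# Counters whose growth between two snapshots the text reads as "need more RAM".
GROWTH_MEANS_RAM = ("allocated_from_lru", "allocate_wait", "recheck_block_count")


@dataclass(frozen=True)
class Snapshot:
    short_term_hits_pct: float
    long_term_hits_pct: float
    lru_sitting_minutes: float
    allocated_from_lru: int
    allocate_wait: int
    allocate_still_waiting: int
    too_many_dirty_blocks: int
    recheck_block_count: int
    packet_receive_buffers: int
    current_connections: int


def parse_snapshot(text: str) -> Snapshot:
    """Parse "Label: value" lines; "%", "minutes" and thousands separators are stripped."""
    values = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, raw = (part.strip() for part in line.split(":", 1))
        field = LABELS.get(label)
        if field is None:
            continue  # a line the check does not use
        number = re.sub(r"[^\d.]", "", raw)
        values[field] = float(number) if field.endswith(("_pct", "_minutes")) else int(number)
    return Snapshot(**values)


def evaluate(prev: Snapshot, cur: Snapshot) -> list:
    """Return one finding per threshold from the text that the current snapshot violates."""
    findings = []
    if cur.short_term_hits_pct < 98:
        findings.append(f"short-term cache hits {cur.short_term_hits_pct:.0f}% (<98%): consider adding RAM")
    if cur.long_term_hits_pct < 90:
        findings.append(f"long-term cache hits {cur.long_term_hits_pct:.0f}% (<90%): add more RAM")
    if cur.lru_sitting_minutes < 15:
        findings.append(f"LRU sitting time {cur.lru_sitting_minutes:.0f} min (<15): may need more RAM")
    for name in GROWTH_MEANS_RAM:
        before, after = getattr(prev, name), getattr(cur, name)
        if after > before:
            findings.append(f"{name} incrementing ({before} -> {after}): need more RAM")
    if cur.allocate_still_waiting > 7:
        findings.append(f"allocate still waiting {cur.allocate_still_waiting} (>7): need more RAM")
    if cur.too_many_dirty_blocks > prev.too_many_dirty_blocks:
        findings.append("too many dirty blocks incrementing: faster disk channel I/O or more RAM")
    needed = 3 * cur.current_connections  # minimum of 3 packet receive buffers per connection
    if cur.packet_receive_buffers < needed:
        findings.append(f"packet receive buffers {cur.packet_receive_buffers} below 3 per connection ({needed})")
    return findings


# Constructed snapshots, a few minutes apart, of a server that is running short of cache.
SNAPSHOT_T0 = """\
Short-term cache hits: 99%
Long-term cache hits: 92%
LRU sitting time: 45 minutes
Allocated from LRU: 1,200
Allocate wait: 0
Allocate still waiting: 0
Too many dirty blocks: 3
Cache ReCheckBlock count: 10
Packet receive buffers: 2000
Current connections: 400
"""
SNAPSHOT_T1 = """\
Short-term cache hits: 99%
Long-term cache hits: 88%
LRU sitting time: 12 minutes
Allocated from LRU: 1,350
Allocate wait: 0
Allocate still waiting: 9
Too many dirty blocks: 3
Cache ReCheckBlock count: 10
Packet receive buffers: 2000
Current connections: 700
"""


def demo() -> list:
    return evaluate(parse_snapshot(SNAPSHOT_T0), parse_snapshot(SNAPSHOT_T1))
```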
MOUNT Mounts/Loads a specified NetWare volume:
:MOUNT SYS
You may mount all server volumes with the following command:
:MOUNT ALL
To take a volume offline, use the DISMOUNT command.
NAME Displays the server’s name. Can be seen through the CONFIG command too.
NAMED.NLM Used to load the NDS DNS support on NetWare. More specifically, NAMED is the server module that accepts DNS queries, resolves them, and sends a reply back to the querier. NAMED never generates DNS requests; it only resolves them. It does this by searching its local database first, then forwarding the query to another DNS server if the name is not found.
-v—loads in verbose mode
-q—turns off verbose mode
-s [zonename]—prints the current status of NAMED
-m zone.dat [context]—creates a zone from master file zone.dat
-u zone.dat—updates an existing zone from master file zone.dat
-l—logs in as admin
-r some.zone.com—removes (deletes) some.zone.com
-f <scriptfilename> [context]—creates zones using a BIND boot file-like script file
-zi—forces zone in for the argument zone
-a—turns on auto-detect for new zones
-b—turns off auto-detect for new zones
-rp—list of characters in the domain name to be replaced with “-”
-help—shows these parameters
NCMCON.NLM (NetWare 5) Novell Configuration Manager Console—which is the PCI hot plug support management interface. It displays the following:
Active—Adapter is believed to be in working order with a driver loaded
Attention—The slot attention indicator has been enabled—not a failure indication, only informational
Ready—The adapter is ready, but no driver is loaded yet
Powered Off—The switch may be open on the slot and power to the slot is turned off
ADD—Degraded—Some device on the adapter has failed but other devices on the adapter continue to work
Failed—Either the system bus driver or the adapter’s driver reported some failure—you may remove and replace the driver at this time, if desired
REPLACE—guess?
POWER ON—The switch may be closed and slot power on, but the slot is empty—the adapter field should say “No adapter present”
Processing—You are being told to wait while the slot/adapter is performing some action
REMOVE—After highlighting a chosen controller and pressing <ENTER>, the following options are listed:
Slot Information (bus information)—Bus type, number, speed capability, operating speed, and size of bus
Hot Plug Information—Yes or No
Slot Status—Current state of the adapter
Device Information—A listing of devices associated with the adapter in this slot, which lists the Hardware Instance Number (HIN) of the device, driver name, and driver status
To remove an adapter, choose the adapter/controller/slot and press <ENTER> ➝ Remove ➝ you will be prompted to unload the driver from the main server console ➝ physically remove the adapter ➝ physically insert the new adapter ➝ you will be prompted to turn power on to the slot and attach cables ➝ NWCONFIG should start automatically to facilitate the automated driver loading.
Note: Some vendors support only a PCI card replacement that must match the card removed exactly.
NCP ADDRESSES Displays bound protocols and ports of NCP carrier protocols and the order in which they were loaded—the order doesn’t matter.
NCP DUMP (NetWare 5) Dumps the NCP statistics to a specified file:
:NCP DUMP filename.txt
NCP STATS (NetWare 5) Displays NetWare Core Protocol (NCP) requests that have been serviced by the OS’s kernel. An example of the display reads:
45154 ProcessNCPPacket requests
145 ProcessNCPPacketWithLength requests
0 ExecuteNCPPacket requests
157416 NCPPacketReceiveHandler requests
ProcessNCPPacket requests—NCP requests that were processed through the IPX or IP protocols, as well as through CLIB
ProcessNCPPacketWithLength requests—NCP requests that were processed through the IPX or IP protocols, as well as through CLIB
ExecuteNCPPacket requests—Not in use at this time; allows developers to designate packet receive buffer lengths of differing sizes
NCPPacketReceiveHandler requests—Displays only the NCP requests that were processed through the IPX protocol.
NCP TRACE (NetWare 5) Decodes the incoming NCP packets to the server console screen or a file:
:NCP TRACE ON
:NCP TRACE ON filename.txt
:NCP TRACE OFF
The screen goes by too fast to see anything—you’ll need to save your information to a file. Use the NCP DUMP command, as the packets fly by the screen too fast to read.
Best Practice: Use a sniffer program like Sniffer Pro or LANalyzer to decode NCP packets.
NCP DUMP filename.txt Dumps the NCP statistics to a file—you would have to, as they cross the screen too fast to read.
NDPSM Loads the NDPS management console. Can be auto-loaded from the AUTOEXEC.NCF:
:NDPSM
NETDB.NLM The NETDB.NLM is not a module that you would normally ever load manually, yet it is an essential part of the server’s name resolution process and deserves space here. I know of only one switch used for NETDB.NLM, and I have only used it once for troubleshooting purposes.
/n—When loaded with the /n option, NETDB will not attempt to log in to NDS. NETDB /n is used to delay a call to UNIX services on NetWare—you can use this if you are not running UNIX services on NetWare, thereby prohibiting the module from searching for UNIX services and saving valuable query time. It also ignores the context entry in the SYS:ETC/NWPARAMS file.
When a DNS name needs to be resolved, NETDB only asks the question. NETDB is for server applications—e.g., NWIP, FTP, PING, DHCP, NFS, etc. If NETDB is given a short host name to resolve (i.e., no dots in the name), it will append the domain name configured in the RESOLV.CFG file onto the host name that needs to be resolved. NETDB sends out a standard DNS query to the IP addresses in the RESOLV.CFG. It assumes that these addresses are running some type of DNS process. They could be any type of DNS server (NetWare, UNIX, etc.). NETDB generates a DNS query only; it does not go out to the DNS infrastructure and find the answer—only DNS servers can do that.
NIASCFG The Novell Internet Access Server C-Worthy menu provides remote access configuration and protocol configuration. Protocol configuration is done through a link back to INETCFG.
NIAS is the new name for the old Multi Protocol Router. See INETCFG in Chapter 4 for more information.
NSLOOKUP.NLM This is a DNS troubleshooting freeware .NLM you can download from Novell’s CoolSolutions Web site at www.novell.com/coolsolutions/freetools.html
:NSLOOKUP [nameserver] [record-type] [for-name]
Nameserver—DNS server
Record-type—A, NS, MX, CNAME, PTR are the supported record types
NSS.NLM NSS is Novell’s new 64-bit file system—and the default file system for NetWare 6. It does not yet have all of the features and functionality of the older file system. NSS can be configured through NWCONFIG and/or at the server console through commands. More NSS information is contained in the Upgrade chapter. The NSS file system can mount any volume in under 60 seconds. NSS sheds the limitation of the old FAT (File Allocation Table) and embraces Novell’s balanced-tree algorithms (B-trees). B-trees use a journaling technology to record volume changes. NSS requires only 32 MB of RAM to mount, so there are no extra hardware requirements. NSS enjoys multiprocessor support in NetWare 6. For more NetWare 6 features of NSS, see the NetWare 6 section found at the end of this chapter.
NSS modules
MMPRV—NSS Media Manager, designed for DOS (IBM) formatted partitions
NWPRV—NSS File Provider, designed for use with existing NetWare volumes
NSS server console commands Use the following commands at the server console.
NSS Server Console Help Use the NSS server console Help for locating commands to:
Unload NSS
Display NSS module or volume information
Change NSS caching. See the SET commands for cache buffers for information on cache buffers.
Other NSS tunables
To use Help at the console, enter:
:nss /help
:nss /?
Do not confuse this Help facility with the online Help in the NWCONFIG utility or Help in the NSS Administration menus. The server console Help utility contains information on NSS tunable parameters only.
NSS informational commands Several other NSS server console commands are available to provide more in-depth information on your NSS configuration. To use the commands at the server console:
:nss /modules
Lists the providers, loadable storage subsystems, and semantic agents.
:nss /status
Lists the current NSS status.
:volumes
Lists all the NetWare and NSS volumes that are mounted and includes the NSS Admin volume.
:nss volumes
Lists all the NSS volumes including NSS_Admin.
:nss exit
Unloads NSS modules.
NSS load commands Use these NSS load commands at the server console:
:nss help or /?
Allows access to Help for the NSS commands.
:nss /menu
Opens the NSS Administration menus for NSS configuration management.
:nss /(No)SkipLoadModules
Prevents auto-loading of all the NSS modules. This lets you load only the NSS modules you need.
DOS FAT commands Use these NSS commands at the server console:
:nss /(No)FATInMemory
The default is OFF. Loads the entire File Allocation Table (FAT) into memory for faster access, regardless of its size.
:nss /(No)FATLongNames
The default is ON. Enables long filenames on FAT volumes.
:nss /(No)FATLazyWrites
The default is ON. Performs lazy writes of the FAT. If set to ON, data written will be kept in memory for a specified period of time before it is also written to the FAT—which increases performance.
:nss /FATLazyWriteDelay=value
The default is 60. The range is 5–180. Sets the FAT lazy write delay (in seconds). When (No)FATLazyWrites is set to ON, you specify how many seconds you want data kept in memory before it is written to the FAT.
:nss /FATPartition=partition_type_number
Supports up to three additional partition types containing 16-bit FATs, such as /FATPartition=12,13.
Other NSS commands Use these NSS commands at the server console to manage NSS:
:nss /Activate=volume_name
Activates an NSS volume.
:nss /Deactivate=volume_name
Deactivates an NSS volume.
:nss /Maintenance=volume_name
Switches the specified NSS volume to maintenance mode.
:nss /ForceActivate=volume_name
Forces an NSS volume to become active.
:nss /VerifyVolume=volume_name
Verifies the specified NSS volume’s physical integrity.
:nss /RebuildVolume=volume_name
Rebuilds the specified NSS volume—similar to the older VREPAIR utility.
:nss /VerifyVolume
Permits an NSS volume selection from the menu to verify the volume’s physical integrity.
:nss /RebuildVolume
Allows you to select an NSS volume from the menu for rebuild.
:nss /AutoVerifyVolume=volume_name
Allows you to verify an NSS volume at startup.
:nss /StorageAlarmThreshold=value
Allows you to set the threshold for a low storage space warning. The default is 10. The range is 0 to 1000000.
:nss /StorageResetThreshold=value
Allows you to reset the threshold for a low storage space warning. The default is 10. The range is 1 to 1000000.
:nss /(No)StorageAlertMessages
Turns ON or OFF the low storage message to users. The default is ON.
:nss /NumWorkToDo=value
Sets the number of WorkToDo entries which may be concurrently executing. NSS uses WorkToDo entries for tasks such as flushing file metadata to disk in the background. Increasing the number of WorkToDo entries might be useful on a system that is heavily used. NSS always reserves 20 WorkToDo entries. The default is 40. The range is 5 to 100.
:nss /FileFlushTimer=value
Sets the flush time for modified open files in seconds. Increasing this number might reduce the number of writes to disk; however, it increases the amount of data that will be lost if the system crashes. The default is 10 seconds. The range is 1 to 3600 seconds.
:nss /OpenFileHashShift=value
Sets the size of the Open File hash table (in powers of 2). If many files are used concurrently on the server, we recommend that you increase this number. The default is 11. The range is 8 to 20.
:nss /ClosedFileHashShift=value
Sets the number of closed files that can be cached in memory. The default is 512. The range is 1 to 100000.
:nss /MailBoxSize=value
Sets the size of your mailbox. The default is 228. The range is 64 to 256.
Old versus new The old file system has limitations of:
16 million directory entries
Eight volumes per NetWare partition
User files have a 2GB maximum
NSS improvements in NetWare 5 include:
Store trillions of files in a single directory
Unlimited NetWare volumes permitted per partition and 4 partitions allowed per disk
Support for individual files up to 8 TB
Ability to create, store and access trillions of files in a single directory
Faster volume mounting and repair—repair done through the REBUILD utility
RAM requirements to support the volume index table are significantly less—which gives faster access to data
Ability to group free space on multiple storage devices—even the DOS partition—as a single volume
Up to 4 NetWare partitions per disk
Unlimited volumes allowed per NetWare partition
Enhanced CD-ROM support. CD-ROMs are mounted as NSS volumes, by default
Novell demonstrated an 8 TB volume of information perform a VREPAIR and mount in 8 seconds after the power had failed on the server. Mount a CD-ROM by typing:
:CDROM
NSS components
Provider—Finds the free space on NetWare volumes or on the DOS partition
Consumer—Manages the free space
Storage Group—Organizes the storage space(s) into NSS volumes
NVXADMDN.NCF Unloads the Netscape Web Manager: ADMSERV.NLM, MDBLIB.NLM, LIBINN.NLM
NVXNEWDN Unloads the NetWare News Server by unloading: NEWSTIME.NLM, INND.NLM
NWCONFIG (NetWare 5) NetWare 5’s replacement for INSTALL is NWCONFIG.
-dsremove—Be very careful. This command will allow you to remove directory services from the server without an admin login.
The C-Worthy menu shows:
Driver Options—Load or unload disk or LAN drivers
Standard Disk Options—Create and manipulate hard disk partitions and volumes
NSS Disk Options—NSS volume management
License Options—Licensing options—which get ported into NDS (authentication required)
Copy files Options—File copy options to SYS:SYSTEM, LOGIN, MAIL, and PUBLIC
Directory Options—NDS upgrade from bindery, place server volumes into the directory (as NDS objects—normally done automatically), back up NDS before upgrades, restore the database after upgrades
NCF files Options—Manipulate the STARTUP.NCF and AUTOEXEC.NCF files
Multi CPU Options—Install vendor customized platform support modules (PSM) here—should be already loaded through the hardware auto-discovery process associated with the installation or upgrade
Product Options—Add, remove, view products—Novell seems to have a disconnect here. Some of their products get loaded here, some through the new ConsoleOne Java GUI, and still others from a workstation.
NSWEB.NCF Contains all of the modules needed to start the Netscape Web server.
OFF Same as the CLS command in DOS—clears the server console screen and starts at the top.
PAUSE Stops and waits for a key to be pressed before continuing. Used by .NCF files.
PING.NLM The PING command creates an ICMP Echo Request message and sends it to a host. A return PING will be an ICMP Echo Reply that lets you know the host is up and its IP stack is functioning.
:PING
or
:PING IP_address
or
:PING host_name
You may only ping a host name if a name space provider is available to resolve the name (e.g., DNS).
Command line syntax
:PING [-t] [-a] [-n #] [-] [-l length] [-f] [-I ttl] [-v tos] [-r #] [-s #] [-j computer_list] [-k computer_list] [-w timeout] destination_list
-t—PING until interrupted
-a—Displays the computer name of the IP address
-n #—Number of times to ping
-l—Length of packet in bytes—use this to see if the router is fragmenting properly. Force a length to find out your segment’s MTU.
-f—Instructs routers not to fragment the packet
-I ttl—Modifies the TTL field to the specified value; default is 64 in NetWare
-v tos—Type of Service field setting
-r #—Shows the current route taken by the packet
-s #—Shows the timestamp for the number of hops
-j computer_list or hosts—Uses the loose route specified by the computer_list or hosts
-k computer_list or hosts—Uses the strict route specified by computer_list or hosts—must touch every router in exact order
-w #—Specifies a timeout interval in milliseconds
Destination-list—Specifies a list of computers to PING
Return information displayed on the C-Worthy PING screen
Node—IP address of node being pinged—destination host
Sent—Number of packets sent
Received—Number of packets received
High—Longest reply time of destination node
Low—Fastest reply time of destination node
Last—Most recent reply time of destination node
Average—Average reply time of destination node replies
Trend—Information messages that may include the following:
No Data: Not enough information/data to calculate status
Down: This host has received no replies
Failing: 2/3 of the requests have gone unanswered
Drop: 1/3 of the replies have not been received
PING error messages
Bad IP Address—Usually means a name space mapping to an IP address is incorrect
Destination Unreachable—Communication is active but there is some sort of routing problem
Packet needs to be fragmented but DF not set—MTU size is too large to pass or the do-not-fragment bit is set
Request Timed Out—The TTL has incremented until the packet has “died” on the network
For DNS queries—e.g., PING CNN.COM—PING uses NETDB.NLM to make a call to DNS for name resolution. NETDB only handles HOST (A) records and PTR records—it does not support the resolution of other records like MX. See also TPING.NLM.
Warning: Don’t leave the server constantly pinging other nodes. Exit out of the screen by pressing ESC until you are asked to exit.
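As an added example, not part of the book and not Novell’s PING.NLM code, this Python reproduces the Sent/Received/High/Low/Last/Average counters and the Trend verdicts listed above from constructed reply sequences (a timeout is recorded as `None`). The minimum of three requests before a verdict is given and the “OK” label for a healthy node are assumptions of the example; the text names no healthy-state message.

```python
"""Reproduce the counters and Trend verdict of the NetWare PING screen.
Added example with constructed reply sequences; not Novell's PING.NLM code."""
from dataclasses import dataclass
from typing import List, Optional

MIN_SAMPLES = 3  # assumed: fewer sent requests than this yields "No Data"


@dataclass(frozen=True)
class PingSummary:
    node: str
    sent: int
    received: int
    high: Optional[float]     # longest reply time (ms)
    low: Optional[float]      # fastest reply time (ms)
    last: Optional[float]     # most recent reply time (ms)
    average: Optional[float]  # mean of the replies that came back (ms)
    trend: str


def trend_for(sent: int, received: int) -> str:
    """Map sent/received counts to the Trend messages the text lists."""
    if sent < MIN_SAMPLES:
        return "No Data"   # not enough data to calculate status
    if received == 0:
        return "Down"      # this host has received no replies
    lost = sent - received
    if 3 * lost >= 2 * sent:
        return "Failing"   # 2/3 of the requests have gone unanswered
    if 3 * lost >= sent:
        return "Drop"      # 1/3 of the replies have not been received
    return "OK"            # assumed label: the text names no healthy-state message


def summarize(node: str, replies: List[Optional[float]]) -> PingSummary:
    """replies holds one entry per echo request: reply time in ms, or None for a timeout."""
    answered = [r for r in replies if r is not None]
    last = next((r for r in reversed(replies) if r is not None), None)
    return PingSummary(
        node=node,
        sent=len(replies),
        received=len(answered),
        high=max(answered) if answered else None,
        low=min(answered) if answered else None,
        last=last,
        average=round(sum(answered) / len(answered), 1) if answered else None,
        trend=trend_for(len(replies), len(answered)),
    )


# Constructed reply sequences for three nodes (ms; None = Request Timed Out).
SAMPLES = {
    "10.0.0.1": [12.0, 15.0, None, 14.0, 13.0, 11.0],  # one loss in six: healthy
    "10.0.0.2": [None, None, 20.0, None, None, None],  # five of six unanswered: Failing
    "10.0.0.3": [None, None, None, None],              # nothing came back: Down
}


def demo() -> List[PingSummary]:
    return [summarize(node, replies) for node, replies in SAMPLES.items()]
```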
PORTAL.NLM The PORTAL.NLM has to be the most exciting piece of NetWare 5.1. Further development of this management utility will show Novell’s commitment to browser-based administration.
To display editing buttons in the browser to view C-Worthy screens on the server (for example, the screens for Monitor and NWCONFIG), add the /BUTTONS parameter to the load line for PORTAL.NLM. The Portal load line in AUTOEXEC.NCF would be:
:LOAD PORTAL.NLM /BUTTONS
In Health Monitors, the Multiple Server Health Monitor page now allows you to save multi-server lists to a file and to build a multi-server list from a file instead of using the SLP Server Discovery Method every time. See the help on the Multi-Server Health page for syntax and examples.
To set up a super-admin password to access a Portal Server if NDS is not functioning correctly, in your browser go to the Portal URL <server address>/SADMINPW and supply the super-admin password. Click Execute. (Initially, you must be logged in to Portal as ADMIN to set this up.) Thereafter, and in case of emergency, you can use the username SADMIN and the password you set up to access the Portal Server via a bindery attachment. The PORTAL is covered in Chapter 4.
# (pound) Specifies a comment in a file, like an NCF or CFG file.
PPPTRACE The point-to-point protocol trace utility enables you to view and capture real-time incoming and outgoing data frames.
Network Interface Information—Displays available PPP interfaces and their status. Possible values are:
I/O: Port address
IRQ: Interrupt
MEM: Base memory address
Channel: Port number
LSL Board No: Logical Link Support Layer board number
I/F Name: Port interface name configured by the user
Real-Time Monitor—Look at data in real time
Playback—Specify disk or RAM as the source of the playback session
Configuration—Choose where the captured data should be stored. Use RAM for high-speed, high-utilization links. You will need to choose a disk file to keep the information long term. Use the configuration option first to decide on file or RAM capture storage.
PROTECT (NetWare 5) Loads all NLMs from a NetWare Configuration File (NCF) into a protected memory space. The protected address space name will be the same name as the NCF file:
Supplement 1:
Server Console Commands and NLMs
257
:PROTECT ncf_file_name
Expect a five to six percent performance hit for modules running in protected memory.
PROTECTION (NetWare 5) This is not what it sounds like. It displays information about protected memory address spaces and provides a way to turn the restart feature on or off.
:PROTECTION [[NO] RESTART address_space_name]
:PROTECTION
Shows all protected address spaces and the .NLMs that are in them. The largest is the address space OS.
:M
or
:MODULES
Lists modules and their corresponding memory address space.
:LOAD PROTECTED module_name
A new address space is created and the module is loaded into it. The address space is named ADDRESS_SPACE#, where # is a number.
:PROTECTION RESTART address_space_name
:PROTECTION NO RESTART address_space_name
Enables or disables the restart feature for a protected memory address space.
:RESTART module_name
Loads one module into a new protected space with the restart flag enabled. The new address space is named ADDRESS_SPACE#, where # is a number. If the module in the protected space ABENDs, the system automatically shuts down and restarts the space, reloading the module in it.
:LOAD ADDRESS SPACE = address_space_name module_name
Loads a module into the named protected memory space; repeat the command to load more than one module into the same space.
:UNLOAD ADDRESS SPACE = address_space_name module_name
Unloads a module from an address space.
:UNLOAD ADDRESS SPACE = address_space_name
Unloads the modules from the address space and removes the address space; its resources are recovered by the OS.
:UNLOAD KILL ADDRESS SPACE = address_space_name
Removes only the address space; the modules stay loaded in memory. The address space resources are recovered by the OS.
Any program running in a protected memory space is prohibited from referencing memory outside the boundary of that space. Modules loaded into a protected memory space use virtual memory and cannot corrupt the NOS or take the whole server down with an ABEND. If a module ABENDs in an area of protected memory and you want the OS to clean up the space automatically:
:SET MEMORY PROTECTION FAULT CLEANUP=ON
For more information on this SET command, see the SET command section later in this chapter. .NLMs in protected memory go through SYSCALLS.NLM (see SYSCALLS.NLM later in this section) rather than having direct access to the server's core OS, which prevents memory corruption in the NetWare OS. Use these commands to:
Load modules into a protected memory space
Unload modules from a protected memory space
Remove a protected address space
Kill a protected address space
Best Practice:
1. Modules loaded into a protected memory space are allocated whatever memory they need, up to a maximum of 512MB.
2. If an .NLM is designed to be loaded only once, you can still load multiple copies of it by loading each copy into a different protected space.
3. An .NLM that auto-loads other .NLMs will have them loaded into the same protected address space.
4. All loaded modules that communicate with each other should be loaded into the same protected address space. For example, load all of the GroupWise .NLMs together in the same protected address space.
PROTOCOL (NetWare 5) A quick way to display the loaded protocols; not as detailed as CONFIG.
RCONAG6.NLM (NetWare 5) The new remote console agent supports both IP and IPX. RCONSOLE is still available.
:RCONAG6 password TCPport SPXport
Alternatively, load it with the ENCRYPT option:
:RCONAG6 ENCRYPT
You will be prompted to enter a password and asked for port numbers; press <ENTER> to accept the defaults of IP 2034 and SPX 16800. Prefer this form: a password given on the load line itself sits in clear text in AUTOEXEC.NCF, whereas the ENCRYPT option stores only the encrypted value.
Last, you will be asked if you want this information written to the SYS:SYSTEM\LDRCONAG.NCF file, from which it will be called automatically at boot.
REGISTER MEMORY Manually registers memory above 16MB with the NOS.
REM (Remark) Signifies a comment line. Same as the semicolon. Any line beginning with REM will not execute commands or load modules. Use it in configuration files to document the code.
:REM This next line put in by John Doe of Novell Consulting
:CPQFM
REMOTE
:REMOTE LOCK OUT
Disables new remote connections.
:REMOTE UNLOCK
Allows new remote connections.
:REMOTE ENCRYPT
Prompts for a password and displays its encrypted (hashed) form.
:LOAD REMOTE
Loads REMOTE.NLM and asks for a password.
:LOAD REMOTE -E encrypted_password
Same as REMOTE ENCRYPT. The encrypted hashed value for the password can be written automatically to LDREMOTE.NCF, to be called from AUTOEXEC.NCF.
Best Practice: Configure remote console access through INETCFG ➝ Manage Configuration ➝ Configure Remote Console Access.
REMOVE DOS No longer available in NetWare 5. This command was used for security and to free RAM. RAM is cheap now, and the best security for servers is to severely limit physical access.
REMIRROR PARTITION Starts the NetWare software re-mirror process. Best Practice: Use your hardware vendor's mirroring, which is more efficient.
RESET ENVIRONMENT Resets changed SET parameters back to their default values. You may display only the changed parameters with:
:DISPLAY MODIFIED ENVIRONMENT
This is very handy when working on an unfamiliar server and you want to know which parameters have been altered. Use a compare utility (such as OnSite Admin Pro or Config Reader) to compare SET parameters between servers.
RESET ROUTER Flushes the server's internal routing table. RIP/SAP information will reload in about 1 minute. NLSP will send a packet to its neighbors asking for reconvergence.
RESET SERVER (NetWare 5) RESET SERVER warm boots the machine. The RESTART SERVER command restarts the server environment without reloading SERVER.EXE. A new SERVER.EXE, such as one installed by a support pack, cannot be loaded unless the server is taken down to the DOS command line or warm booted. Use RESET SERVER to warm boot and reload SERVER.EXE.
RESTART SERVER Dismounts all volumes and restarts SERVER.EXE without reloading it from disk. This is an important point: any installed support pack will tell you in its README file to use RESET SERVER instead, which makes the server reload the BIOS and DOS files as well.
RMIC Java RMI stub compiler.
RSPX.NLM Loaded to enable RCONSOLE access to the server.
:RSPX
Displays the current RSPX status, including whether packet signatures are on or off for RCONSOLE sessions.
:RSPX SIGNATURES ON
Requires RCONSOLE client connections to have valid packet signatures (the default).
:RSPX SIGNATURES OFF
Disables the default SIGNATURES ON behaviour; as a load option it allows unsigned packets from clients accessing the server through RCONSOLE.
:RSPX HELP
Displays the options listed above. Best Practice: Use the IP RConsoleJ utility instead. If you choose to use the SPX RCONSOLE, configure it through INETCFG ➝ Manage Configuration ➝ Configure Remote Console Access ➝ Enable Remote Console Access.
SCAN ALL (NetWare 5) Scans all of the SCSI adapter LUNs.
:SCAN ALL
:SCAN ALL A1
Scans SCSI adapter 1.
SCAN FOR NEW DEVICES Checks for storage devices or other hardware added since the server was last booted.
SCRSAVER (NetWare 5) This .NLM is for security purposes. It replaces the console lock found in MONITOR.NLM in previous versions (NetWare 4.x). After using it, many customers tell me they prefer the old 4.x MONITOR lock.
:SCRSAVER HELP
Lists the available commands: ACTIVATE, AUTO CLEAR DELAY, DELAY, DISABLE, DISABLE AUTO CLEAR, DISABLE LOCK, ENABLE, ENABLE AUTO CLEAR, ENABLE LOCK, NO PASSWORD, HELP, STATUS.
:SCRSAVER HELP [command]
Commands may be chained, but must be separated by a semicolon.
SEARCH Displays the search paths from which NLMs can be loaded without giving the full directory path, much like the DOS PATH command. Use SEARCH ADD to add to the paths.
SECURE.NCF This console command performs the following (taken directly from the .NCF file):
# Version: 1.01
# Date: May 14, 1997
#
# This NetWare script file, SECURE.NCF, is the enhanced security
# options configuration file. It chooses the options that are
# required to run NetWare in the trusted configuration, which is
# designed to meet the US Class C2 security criteria and the
# European Class F-C2/E2 security criteria. Enhanced security
# options not required for the trusted configuration (not required
# by C2 and European Class F-C2/E2 standards) are also included in
# this file but are commented out. More information regarding
# enhanced security options may be found in the Enhanced Security
# Server Administration manual.
#
# The server may be configured to automatically execute this
# configuration file during server boot after the execution of
# AUTOEXEC.NCF. This can be done by setting the set parameter
# "Enable SECURE.NCF" to ON. This can be done from SERVMAN (Server
# parameters/Miscellaneous menu) or in either AUTOEXEC.NCF or
# STARTUP.NCF. This configuration file can also be executed from
# the NetWare Console command line. Each of the SET parameters in
# this file (SECURE.NCF) can be set individually from the NetWare
# console command line, from SERVMAN, or in AUTOEXEC.NCF.
# SECURE.NCF may be modified using EDIT.NLM or another ASCII
# editor. The file is stored in the SYS:/SYSTEM directory.
#
# The following commands are required for the trusted
# configuration. Refer to the Utilities Reference manual for more
# information about each of these commands.
#
# The following command configures the server to disallow the use
# of unencrypted passwords. The default value is OFF. The trusted
# configuration value is also OFF.
#
SET Allow Unencrypted Passwords = OFF
#
# The following command configures the server to disallow the use
# of passwords to identify auditors. The default value is OFF. The
# trusted configuration value is also OFF.
#
SET Allow Audit Passwords = OFF
#
# The following command configures the server to automatically run
# VREPAIR when a volume fails to mount. The default value is ON.
# The trusted configuration value is also ON.
#
SET Automatically Repair Bad Volumes = ON
#
# The following command configures the server to reject NCP packets
# that fail boundary checking. Older client utilities may fail if
# this SET parameter is set to ON. The default value is OFF. The
# trusted configuration value is ON.
#
SET Reject NCP Packets with bad lengths = ON
#
# The following command configures the server to disallow
# replication of NetBIOS broadcast packets. The default value is 2.
# The trusted configuration value is 0.
#
SET IPX NetBIOS Replication Option = 0
#
# The following command configures the server to reject NCP packets
# that fail component checking. Older client utilities may fail if
# this set parameter is set to ON. The default value is OFF. The
# trusted configuration value is ON.
#
SET Reject NCP Packets with bad components = ON
#
# The following command configures NetWare Directory Services to
# perform access control checks which are not backwards compatible
# with previous versions of NetWare Directory Services. The default
# value is OFF. The trusted configuration value is ON.
#
# SET Additional Security Checks = ON
#
# The above commands are required for your server to be in the
# trusted configuration, designed to meet the Class C2 criteria and
# the Class F-C2/E2 criteria.
#
########################################################
#
# The following commands provide additional enhanced security
# options that are not required to meet the Class C2 criteria and
# the Class F-C2/E2 criteria. These have been commented out but may
# be enabled by removing the comment symbol (# ) from the beginning
# of the line. EDIT.NLM or another ASCII editor may be used to edit
# this file. For more information about each of these commands
# refer to the Utilities Reference manual.
#
# The following command configures NetWare Directory Services to
# enforce the checking of the Equivalent To Me attribute during
# authentication. DSREPAIR must be used to synchronize the
# Equivalence attribute and the Equivalent To Me attribute if the
# Check Equivalent to Me parameter is set to ON. Setting this
# parameter to ON will also adversely affect the authentication
# performance. The default value is OFF. For enhanced security the
# value may be set to ON.
#
# SET Check Equivalent to Me = ON
#
# The following command configures the server to reject NCP packets
# that are not signed and to sign all reply packets. Setting this
# parameter to 3 will adversely affect the communication performance
# of the server. The default value is 1, which signs NCP packets
# only if required by the client. For enhanced security the value
# may be set to 3.
#
# SET NCP Packet Signature Option = 3
#
# The following command secures the NetWare server console in the
# following ways: it removes DOS paths from the search path; it
# allows only NLMs from the search path to be loaded; it disallows
# the setting of certain SET parameters; it prevents the server date
# and time from being changed; and it prevents keyboard entry into
# the operating system debugger. This command does NOT remove the
# requirement that the server console be physically secured. By
# default, SECURE CONSOLE is not invoked. For enhanced security
# SECURE CONSOLE may be invoked.
#
# SECURE CONSOLE
#
# The above commands provide enhanced security options that are NOT
# required for your server to be in the trusted configuration -- to
# meet the Class C2 criteria and the Class F-C2/E2 criteria.
SECURE CONSOLE The SECURE CONSOLE command restricts module loading to the current SEARCH paths (DOS paths are removed from the search path), disallows changes to certain SET parameters, prevents the server date and time from being changed, and prevents keyboard entry into the OS debugger. Once invoked it stays in effect until the server is restarted, and it does not remove the need to physically secure the console.
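Worked example (added here; it is not code from the book or from Novell): a small Python audit that reads an NCF file the way the console would and checks it against the trusted-configuration values listed in SECURE.NCF above. A SET line preceded by #, ; or REM (the three comment markers this chapter describes) is treated as not in effect, so a line such as the Additional Security Checks line, which carries a leading # as the file is reproduced above, is reported as commented out rather than counted as compliant. The TRUSTED_CONFIG table is taken from the page; the sample NCF text inside the block is constructed for illustration.

```python
"""Audit a NetWare .NCF file against the SECURE.NCF trusted-configuration values.

Added example, not code from the book or from Novell. The SET names and values in
TRUSTED_CONFIG are the ones SECURE.NCF lists as required; SAMPLE_NCF is constructed.
"""
import re

# Required trusted-configuration values (from SECURE.NCF), keyed by lower-cased name.
TRUSTED_CONFIG = {
    "allow unencrypted passwords": "OFF",
    "allow audit passwords": "OFF",
    "automatically repair bad volumes": "ON",
    "reject ncp packets with bad lengths": "ON",
    "ipx netbios replication option": "0",
    "reject ncp packets with bad components": "ON",
    "additional security checks": "ON",
}

# A leading '#', ';' or REM disables the rest of the line at the console.
COMMENT_RE = re.compile(r"^\s*(?:#|;|REM\b)", re.IGNORECASE)
SET_RE = re.compile(r"^\s*SET\s+(.+?)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def strip_comment_markers(line):
    """Return (was_commented, remainder) after peeling off any leading comment markers."""
    was_commented = False
    while True:
        m = COMMENT_RE.match(line)
        if not m:
            return was_commented, line
        was_commented = True
        line = line[m.end():]


def parse_ncf(text):
    """Split SET statements into those the console would execute and those commented out.

    Returns (active, commented): dicts of lower-cased parameter name -> upper-cased value.
    A later active SET of the same name overrides an earlier one, as it would at the console.
    """
    active, commented = {}, {}
    for line in text.splitlines():
        was_commented, body = strip_comment_markers(line)
        m = SET_RE.match(body)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2).upper()
        (commented if was_commented else active)[name] = value
    return active, commented


def audit(text, required=TRUSTED_CONFIG):
    """Report each required parameter as 'ok', 'wrong value ...', 'commented out ...' or 'missing'."""
    active, commented = parse_ncf(text)
    report = {}
    for name, want in required.items():
        if name in active:
            have = active[name]
            report[name] = "ok" if have == want else f"wrong value {have} (want {want})"
        elif name in commented:
            report[name] = "commented out (not in effect)"
        else:
            report[name] = "missing"
    return report


def is_trusted(text, required=TRUSTED_CONFIG):
    """True only if every required parameter is active with the trusted value."""
    return all(status == "ok" for status in audit(text, required).values())


# Constructed sample: a SECURE.NCF that has drifted from the trusted configuration.
SAMPLE_NCF = """\
# Constructed sample file, not a real server's SECURE.NCF
SET Allow Unencrypted Passwords = OFF
SET Allow Audit Passwords = OFF
SET Automatically Repair Bad Volumes = ON
SET Reject NCP Packets with bad lengths = ON
SET IPX NetBIOS Replication Option = 2
; SET Reject NCP Packets with bad components = ON
#
# SET Additional Security Checks = ON
REM SET NCP Packet Signature Option = 3
"""

if __name__ == "__main__":
    for name, status in audit(SAMPLE_NCF).items():
        print(f"{name:40} {status}")
    print("trusted configuration:", is_trusted(SAMPLE_NCF))
```

Run it against a copy of SYS:SYSTEM\SECURE.NCF (or AUTOEXEC.NCF, since the same SET lines may live there) pulled off the server; the three non-ok outcomes it distinguishes are exactly the ones a visual read of a commented file tends to blur together.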
; (semicolon) Comment used in a .CFG or .NCF file (similar to REM or #).
SEND Sends a pop-up message to users' workstations.
:SEND "message" [username|connection#] [and|,] [username|connection#]
The quotes around the message are optional:
:SEND STEPHANIE WILL YOU MARRY ME?
SERIALVER For Java developers.
SET Displays the categories of SET commands. All of the SET commands are listed later in this chapter.
SETUPNLS (NetWare 5) A utility that creates a License Service Provider in NDS for the server. It accomplishes the same thing as NWCONFIG ➝ License Options ➝ Create License Service Provider.
SET TIME Sets the local time on the server. This command is not advisable if you wish to change the network time; instead use the TIMESYNC SET parameter:
:SET TIMESYNC Time Adjustment = <adjustment>
which ensures that NDS timestamps do not get out of step.
SET TIME ZONE Changes the server's time zone; this is already set in the first few lines of your AUTOEXEC.NCF.
SLPDA.NLM Loads the SLP Directory Agent (RFC 2165) NLM and makes the server the repository for SLP information. SLP Service Agents (every NetWare server is an SA) must be able to communicate, via IP, with the Directory Agent to register their services; the DA stores the information in NDS. See the chapter on IP for more SLP and Directory Agent information. Put this command in the AUTOEXEC.NCF of the servers you have chosen as SLP DAs. All servers with SLPDA loaded should show up when you issue the console command:
:display slpda
There are two ways to set up the Directory Agent: automatically and manually. When this command is loaded for the first time, if SLP has not already been set up in NDS (you can manually create the Directory Agent object and Scope Unit object), you will be prompted to create a default configuration within NDS. If you select "Yes", SLPDA will create three objects in NDS:
The DA object. This represents the DA and the server on which the DA is running. It also holds some configuration options and a list of the Scope Units this DA supports. The DA object has a parameter called "start purge hour", which tells the DA when to start its 24-hour purge: once a day the DA clears its cache and reads all service objects from NDS again.
The "Unscoped scope" OU object. This container holds the actual service URLs in the form of Service objects. The scope name will be UNSCOPED unless you change it.
The Service objects. These leaf objects hold the actual URL information. For manual configuration of a Directory Agent, see the SLP information in Chapter 4.
SPEED The SPEED command simply displays the CPU's operating speed rating. Use it to compare servers that have identical hardware. If the numbers are not equal, or not even close, look into it; check for BIOS updates from your server vendor, which may correct CPU problems. Some examples of speed ratings are:
My laptop server Pentium II 266 = 22008
My lab server Pentium III 450 = 36962
Other lab server Compaq Pentium III 500 = 41054
SPOOL Allows you to view, edit or create spooler mappings, providing support for applications that make calls to printer numbers rather than queues.
:SPOOL 2 TO QUEUE HPLJ5L
SPXCONFG SPXCONFG.NLM is used to set SPX parameters. The parameters are:
A=  SPX Watchdog Abort timeout (in ticks)
V=  SPX Watchdog Verify timeout (in ticks)
W=  SPX Ack wait timeout (in ticks)
R=  SPX Default Retry count
S=  Maximum concurrent SPX sessions
Q=1 Quiet mode (suppresses display of changed settings, so no user intervention is required to continue)
H=  Displays the SPXCONFG help screen
Typing LOAD SPXCONFG with no parameters brings up a menu that requires administrator interaction. Changes made through the SPXCONFG menu, rather than in AUTOEXEC.NCF, are reset to the defaults when the server is rebooted.
SPXCONFG.NLM can also be loaded with parameters, without bringing up the menu. For example,
:LOAD SPXCONFG A=1000 Q=1
sets the SPX Watchdog Abort timeout to 1000 ticks. This line can also be placed in AUTOEXEC.NCF.
STARTX The STARTX.NCF command is written automatically to AUTOEXEC.NCF on installation or upgrade of NetWare 5.x, to start the Java GUI. I normally comment it out.
START PROCESSORS (NetWare 5)
:START PROCESSORS [P# P# P#]
# is the number of the secondary processor(s) you wish to start; giving no number starts all secondary processors. To start all processors at server boot, place the following in STARTUP.NCF:
:SET Auto Start Processors = ON
STOP PROCESSORS (NetWare 5) Stops numbered or all secondary processors.
:STOP PROCESSORS 1 4
Stops secondary processors 1 and 4.
STUFKEY.NLM This freeware NLM automates server console tasks, like a Windows macro. Download it from http://support.novell.com/misc/patlst.htm. Novell also provides a number of sample scripts; you will have to search the TIDs to find them. One great one is TID 2952419.
SQLC.NCF Adds a search path to SYS:SYSTEM\SQLC and loads:
SQLCMON
VTXNETD -p1958
SQLCOMON
SQLCODBC
SQLCMON Used for the SQL server. The format is:
:LOAD SQLCMON
SYSCALLS.NLM SYSCALLS.NLM prevents modules loaded into a protected address space (see PROTECTION earlier) from referencing any memory outside that address space. SYSCALLS.NLM and the memory protection subsystem together provide the interface to the server's OS: .NLMs in protected memory are denied direct access to the core OS, which prevents corruption of the NetWare OS.
SWAP (NetWare 5) NetWare 5 now uses a swap file. A swap file lets the OS allocate more memory than the installed RAM by using hard drive space as backing store. The model is made up of primary RAM storage, secondary hard drive storage and the swap file.
:SWAP [ADD | DELETE volume_name]
MIN or MINIMUM—Minimum swap file size; the default is 2MB
MAX or MAXIMUM—Maximum swap file size; the default is the total amount of free volume space
MIN FREE or MINIMUM FREE—Minimum free space to leave on the volume outside the swap file; the default is 5MB
With multiple swap files on lesser-used volumes, NetWare 5 stripes them automatically for better performance. Some useful command examples are:
:SWAP DELETE SYS
Deletes the swap file on the SYS volume, where it resides by default.
:SWAP ADD VOL1
Adds a swap file to VOL1.
:SWAP ADD VOL1 MIN=7 MAX=500 MIN FREE = 20
Sets a minimum swap size of 7MB, a maximum size of 500MB, and leaves 20MB of free space available. To configure swap settings in MONITOR.NLM, use the hidden switch:
:MONITOR !H
Then go to Server Parameters ➝ Memory.
Best Practice: Remove the swap file from the SYS volume and put it on a lesser-used volume. Stripe the swap file across several volumes. Do not allot more than 2 times the amount of physical RAM. Put SWAP parameters, though not ADDs or DELETEs, into the AUTOEXEC.NCF. Finally, before spending too much time on virtual memory and SWAP commands, buy more RAM (256MB total minimum for most servers); it is cheaper than labor.
TCPIP.NLM Only two of my clients used command lines to load TCPIP.NLM. The remainder configured it through INETCFG. Parameters include:
:LOAD TCPIP [FORWARD = {YES | NO}] [DIRBC = {YES | NO}] [LOADSHARING = {YES | NO}] [RIP = {YES | NO}] [STATIC = {YES | NO}] [TRAP = IP_address]
FORWARD—If this host has interfaces on two TCP/IP network segments, the server will forward traffic between them. The default is NO.
DIRBC—Specifies whether the server will forward network-specific directed broadcasts when forwarding is enabled.
LOADSHARING—Distributes traffic across equal-cost routes learned from OSPF (four is the maximum number of routes to a destination network). The default is NO.
RIP—The server will function as a RIP router when enabled. The default is YES.
STATIC—Indicates whether the server will include static routes in its routing table. The routes are stored in the SYS:ETC\GATEWAYS file and can be edited with a text editor, INETCFG or TCPCON. The default is NO. Warning: configuring routes through TCPCON is not a good idea, as those changes are lost on reboot.
TRAP—IP address of an SNMP host configured to accept traps.
The MLID (LAN) driver is loaded with:
:LOAD [path] LAN_driver_name [parameter=value]
TIME Displays the server's local and UTC time, and whether the server is synchronized to network time.
TPING Companion to PING.NLM.
:LOAD TPING host [packet_size [retry_count]]
packet_size—Default is 64. Changes the size of the packet sent.
retry_count—Default is 5. Sets the number of retries.
Results show ALIVE or NOT RESPONDING.
TRACK OFF Turns off the RIP router tracking screen.
TRACK ON Turns on the router tracking screen, which displays RIP packets sent and received.
UNBIND Unbinds a protocol stack from a NIC.
UNLOAD Unloads an NLM or other module. Not all modules react well to the UNLOAD command. Some modules are auto-loaded by other modules and require those to be unloaded first. Sometimes the server ABENDs when you unload a module. If there is an .NCF to shut down a process or program, use it. Examples are:
NVXNEWDN.NCF—Unloads the NetWare News Server agents
BSTOP.NCF—Unloads BTRIEVE.NLM and its agents
UNICON.NLM
/L INITNWIP—Allows the UNIX Service Handler to log in to an NWIP server
/L NFS—Allows the UNIX Service Handler to log in to a server running NFS
Using the Parameters and Statistics Screens. Set system parameters and view statistics using the following UNICON screens: NFS Server Parameters form; NFS Requests screen; NFS Server Utilization Percentage screen; NFS Gateway Parameters form; NFS Gateway Client Requests screen; Memory Utilization screen. The function keys operate the screens described in this section: F1 displays information about a highlighted field; F4 resets the statistics counters to zero; F5 saves the currently displayed statistics to a file (enter the filename when prompted). The NFS Server Parameters form displays the server parameters. Note: NETDB.NLM is the interface between NFS and NDS, used to assist in name resolution; see the NETDB.NLM entry earlier in this chapter under console commands.
To display the NFS Server Parameters form, from the UNICON Main Menu select Manage Services ➝ NFS Server ➝ Set Parameters.
VERSION I use this command often to see the NOS version and the service pack installed. Starting in NetWare 5.1, the display also shows the NDS version installed. For example:
:VERSION
5.00h is NetWare 5.1; 5.00i is NetWare 5.1 Support Pack 1. You get the idea.
VESA_RSP (NetWare 5) To redetect your mouse and video drivers, type:
:VESA_RSP
VMDISMOUNT (NetWare 5) Dismounts the listed volumes, which allows the admin to run VREPAIR or REBUILD while the server is up.
VMMOUNT (NetWare 5) Makes a volume available to end users, by name or by number:
:VMMOUNT VOL1
:VMMOUNT 1
VMVOLUMES (NetWare 5) Displays mounted volumes with their status, names and numbers.
VOLUME Lists the mounted volumes. I like to make an ALIAS, as I use this command often; V or VOL is a good choice:
:ALIAS V VOLUME
WTM.NLM Module for the WAN Traffic Manager, discussed in Chapter 7.
XGATEWAY.NLM Xerox's NDPS gateway. The format is:
:XGATEWAY PA= /XRX_IP= /XRX_TYPE=
XGATEWAY.NLM should not be unloaded with the UNLOAD command at the server console, as this may cause the server to ABEND. Xerox suggests unloading NDPSM.NLM, which causes XGATEWAY.NLM to unload automatically.
Auto-loaded .NLMs NetWare 5 uses the color purple to indicate .NLM modules that were loaded by another .NLM or process. To load an internal NLM, you must prefix the filename with an asterisk to indicate that the file is located inside SERVER.EXE. For example:
:*FILENAME.NLM
:*NCP.NLM
Should a newer version of an internal NLM ever be released, placing the newer version in the SERVER.EXE startup directory forces the server to use the newer version.
SUPPLEMENT 2 SET Commands
The NetWare SET commands are a way for you to manipulate your NetWare server. It amazes me that so few administrators use this powerful means of changing the way a server performs. See Chapter 9 for SET command tuning information. In the old days, if you wanted a SET command to be permanent, you had to add it manually to STARTUP.NCF or AUTOEXEC.NCF. You had to remember which .NCF file it belonged in and, often, where in that file it should go; the placement of statements in these two batch files is very important. If there was no documentation on the SET command, you had to experiment with the server until it worked. With NetWare 5.0, Novell included a small database that saves the SET parameters: the NetWare Server Configuration Database Engine (CDBE). The CDBE is simply a permanent file, SERVCFG.000, in the SYS:_NETWARE directory and on the DOS partition in C:\NWSERVER, that stores all of the SET commands. The bad news is that some support packs corrupt this registry, so it is necessary to save your changes. When changes are made in MONITOR under the SERVER PARAMETERS option, they are saved to the CDBE settings in memory, but they are only written (flushed) to the hard disk when the server is gracefully DOWNed. The settings can be forced to disk with:
:flush cdbe
SET parameters register with the SETPARM engine. When a SET parameter registers, it declares itself as either persistent or nonpersistent. To get a list of nonpersistent SET parameters, type the following at the server console:
:save notper environment filename.ext
Then edit the file to see which SET parameters are not persistent. To get a list of persistent SET parameters, type:
:save per environment filename.ext
Neither command allows a drive or path; the file is created at the root of SYS:. Edit the file to see which SET parameters are persistent. If nonpersistent SET parameters need to be set to a value other than the default, they must be set in the appropriate NCF file (STARTUP.NCF or AUTOEXEC.NCF). Other console commands:
:display environment
Shows all SET parameters and their values.
:save environment filename.ext
Saves all SET parameters to a file in the root of SYS:.
:display modified environment
Shows everything the user has set differently from the default.
:save modified environment filename.ext
Saves everything the user has set differently from the default to a file in the root of SYS:.
:save notper environment filename.txt
Saves the nonpersistent SET parameters the user has changed to a file in the root of SYS:.
:save per environment filename.txt
Saves the persistent SET parameters the user has changed to a file in the root of SYS:.
:flush cdbe
Forces a save of persistent SET parameters to the SERVCFG.000 file. There is no tool other than MONITOR.NLM to view the contents of the CDBE registry directly. All of the files generated by the save commands have the same format: they list the SET parameters from the 16 categories. The following is a partial example of "save environment" output (all sections are shown, but only the first and last SET parameter of each section, to save space):
I recommend the following:
1. Download the Novell CONFIG.NLM and type
:LOAD CONFIG /S
at the server console. Your server's configuration, as well as its SET commands, is saved to SYS:SYSTEM/CONFIG.TXT.
2. Use Novell's free Config Reader utility to make a copy of all of your servers' parameters.
3. Premium Support customers can use OnSite Admin Pro. If you do not have it, call or e-mail Novell support and ask for it.
4. If you don't have a premium support package, no worries. Go to www.netwarefiles.com and get Command Center. It is very close to the same tool as OnSite Admin Pro, and invaluable.
5. ZEN for Servers lets you set policies for server SET parameters.
6. At www.netwarefiles.com, look for SETSAVE.ZIP with SETSAVE.NLM. This simple .NLM saves all of your SET parameters to the SYS:SYSTEM\SETSAVE.LOG file.
It is important to note that SET commands can be performed at the server console:
:SET MINIMUM PHYSICAL PACKET RECEIVE BUFFERS = 2000
or you can make the same changes through MONITOR ➝ SERVER PARAMETERS, or you can just type SET at the server console:
:SET
When you type only SET at the server console you see the menu in Figure S2.1.
Figure S2.1 Simply typing SET on the server console gives the following menu (NW5.1 shown).
If you type a SET parameter without a value, the server returns its current value. If you don't know or don't remember what values you have changed on the server, NW 5.1 can tell you:
:DISPLAY MODIFIED ENVIRONMENT
You will get a screen showing all of the changed SET parameters. I often use SET parameters to "tune" NetWare servers, though I prefer to change them through MONITOR ➝ Server Parameters. I have never been a fan of memorizing 300 or so vague SET commands. I have seen dramatic improvements in response times and fewer ABENDs.
SET commands organized by their function The SET commands are organized by their function. The headings correspond to the exact screen you would see on a NW5.1 SP1 server if you typed:
:SET
Shortcuts to SET parameter changes and comparisons SET parameters are an important part of troubleshooting servers. Two servers with equal hardware and CPU loads
Console Commands related to SET Parameters Server console commands are covered earlier in this chapter. The console commands relating to SET parameters that are most useful for troubleshooting are:
:DISPLAY MODIFIED ENVIRONMENT
:SAVE ENVIRONMENT filename.txt
:SAVE MODIFIED ENVIRONMENT filename.txt
:RESET ENVIRONMENT
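Worked example (added here; it is not code from the book, from Novell or from the utilities named on this page) of the comparison that OnSite Admin Pro or Command Center does for you, serving both the compare-utility suggestion under RESET ENVIRONMENT earlier and the troubleshooting shortcuts here: a Python script that takes the saved SET environment of two servers and reports the parameters that differ, listing the security-relevant ones first and also naming parameters present on only one server. It assumes the saved files contain one parameter per line in the form Parameter Name = value (a leading SET, as in an .NCF, is also accepted) with category headings and Limits lines that carry no equals sign; the two server listings inside the block are constructed, not captured from real servers, and the SECURITY_SENSITIVE set is my own selection drawn from the SECURE.NCF and RSPX discussion in this chapter.

```python
"""Compare the SET parameters of two NetWare servers from saved environment files.

Added example, not code from the book or from Novell. Assumes the files written by
SAVE ENVIRONMENT / SAVE MODIFIED ENVIRONMENT list one parameter per line as
'Parameter Name = value'; headings and 'Limits:' lines (no '=') are skipped.
SERVER_A and SERVER_B below are constructed listings.
"""
import re

# 'Name = value', optionally prefixed with SET (as in an .NCF); names may contain spaces.
PARAM_RE = re.compile(r"^\s*(?:SET\s+)?([A-Za-z][A-Za-z0-9 /._-]*?)\s*=\s*(.*?)\s*$")

# Parameters whose drift is a security finding rather than a tuning difference
# (my selection, taken from the SECURE.NCF and RSPX discussion in this chapter).
SECURITY_SENSITIVE = {
    "allow unencrypted passwords",
    "allow audit passwords",
    "reject ncp packets with bad lengths",
    "reject ncp packets with bad components",
    "ncp packet signature option",
    "check equivalent to me",
    "additional security checks",
    "enable secure.ncf",
}


def parse_environment(text):
    """Return {lower-cased parameter name: value string} for every 'Name = value' line."""
    params = {}
    for line in text.splitlines():
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1).lower()] = m.group(2)
    return params


def compare_environments(left_text, right_text):
    """Return (differences, only_left, only_right).

    differences: {name: (left_value, right_value)} for parameters present on both
    servers with different values. only_left / only_right: sorted names seen on
    just one server (a parameter missing from one listing is itself worth a look).
    """
    left, right = parse_environment(left_text), parse_environment(right_text)
    both = left.keys() & right.keys()
    differences = {n: (left[n], right[n]) for n in both if left[n] != right[n]}
    return differences, sorted(left.keys() - right.keys()), sorted(right.keys() - left.keys())


def format_report(differences, only_left, only_right, names=("server A", "server B")):
    """Render the comparison as text lines, security-sensitive differences first."""
    ordered = sorted(differences, key=lambda n: (n not in SECURITY_SENSITIVE, n))
    lines = []
    for name in ordered:
        tag = "SECURITY" if name in SECURITY_SENSITIVE else "tuning  "
        a, b = differences[name]
        lines.append(f"{tag} {name}: {names[0]}={a} {names[1]}={b}")
    lines += [f"only on {names[0]}: {n}" for n in only_left]
    lines += [f"only on {names[1]}: {n}" for n in only_right]
    return lines


# Constructed listings in the assumed SAVE ENVIRONMENT layout.
SERVER_A = """\
Communication parameters
Minimum Packet Receive Buffers = 2000
NCP Packet Signature Option = 3
Reject NCP Packets with bad lengths = ON
Limits: ON or OFF
Memory parameters
Memory Protection Fault Cleanup = ON
"""

SERVER_B = """\
Communication parameters
Minimum Packet Receive Buffers = 2000
NCP Packet Signature Option = 1
Reject NCP Packets with bad lengths = OFF
Multiprocessor parameters
Auto Start Processors = ON
"""

if __name__ == "__main__":
    print("\n".join(format_report(*compare_environments(SERVER_A, SERVER_B))))
```

Feed it the files produced by SAVE ENVIRONMENT on each server (copied off the root of SYS:); a server that has quietly dropped its NCP Packet Signature Option from 3 to 1 shows up at the top of the report instead of being buried among buffer counts.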
Chapter 2
Figure S2.2 Novell’s unsupported OnSite Admin Pro.
:CSET (displays a single SET category), for example:
:CSET MEMORY PARAMETERS

ONSITE Admin Pro (for Novell Premium Support customers)
Get this utility if you are a premium support customer. (See Figure S2.2.)

Command (Shareware)
If you do not have a premium support contract, don’t worry. Get this freeware utility. (See Figure S2.3.)

SETSAVE (Shareware)
SETSAVE.NLM writes all of your SET commands to SYS:SYSTEM/SETSAVE.LOG.

Server SET commands

Communication parameters
The entries that follow use the format:
SERVER SET COMMAND = Default setting

IPX CMD Mode Routing = OFF
Forces IPX CMD Mode Routing to ON or OFF.
Figure S2.3 Command shareware.
Discard Oversized UDP Packets = ON
Discards UDP packets that come into the buffers and are larger than the current setting of Largest UDP Packet Size.

Discard Oversized Ping Packets = ON
Heard of the PING of death? It was a hack known to overflow the TCP/IP stack by pinging with a packet larger than the largest allowable size. It locked up workstations and servers. I tried it in a lab of workstations—worked most of the time. NetWare is taking no chances. This setting relies on the value of Largest Ping Packet Size, below.

Largest UDP Packet Size = 16384
UDP packets larger than this value are dropped.

Largest Ping Packet Size = 10240
PING packets larger than this value are dropped.

CMD DHCP IP Address  Maximum Length: 15
IP address of the CMD server to poll.

MA Communication Time: 10  Limits: 1 to 3000
Use only in a lab setting.
No SLP Option: OFF
Someone either had a problem with English (double negative) or was on drugs. This vague command is used to set up MAs for Pure IP backbone support.

CMD Preferred IP Address: 00.00.00.00  Maximum Length: 15
For use with multiple NICs—choose the NIC IP address that you want to use.

Migration Agent List: 00.00.00.00;00.00.00.00;00.00.00.00;00.00.00.00;00.00.00.00/  Maximum Length: 189
Lists up to 5 other MAs. Theoretically, you can use differing agent lists on each server to chain together a list of more than 5. MAs should discover each other based on the information they place in NDS.

CMD Network Number: FFFFFFFD  Maximum Length: 8
Don’t change this value unless you really know what you are doing. CMD only needs one network number enterprise wide. CMD servers will only communicate with, and therefore only see, other CMD servers with the same network number.

Local Clients IP Net Number List: 00.00.00.00;00.00.00.00;00.00.00.00;00.00.00.00;00.00.00.00;00.00.00.00;00.00.00.00;00.00.00.00;00.00.00.00;00.00.00.00/  Maximum Length: 160

NAT Realm Name: NONE  Maximum Length: 30
Fill in your NAT realm name.

Public IP Subnet: 00.00.00.00  Maximum Length: 15

Public IP Address: 00.00.00.00  Maximum Length: 15

CMD NAT Support Option: OFF
Needed if you are enabling NAT with CMD.

SPX Maximum Window Size = 0
Range is 0 to 16; 0 means use the default. Sets the maximum SPX window size.
SPXS Clear Blocked Queue: 30  Limits: 0 to 600
Clears the blocked listen queue.

SPXS Debug All Messages: 0  Limits: 0 to 4
Prints SPXS debug messages.

SPXS Connection Tear Down Debug: 1  Limits: 0 to 4
Starts or stops SPXS connection tear-down debugging.

SPXS Connection Setup Debug: 1  Limits: 0 to 4
Starts or stops SPXS connection setup debugging.

Do Not Initialize IPXCP: OFF
Setting this parameter to ON will stop IPXCP from being initialized. This SET must occur before the first IPX bind to a WAN board to have any effect. Setting this parameter to OFF (the default) allows IPXRTR to do IPXCP on a PPP link.

RIP Track Log: OFF
Turns a log file ON or OFF for the RIP TRACK ON server console command.

SAP Track Log: OFF
Turns logging of SAP TRACK ON output to a file ON or OFF.

IPXRTR Debug: OFF
Turns ON and OFF the hiding of the hidden IPXRTR SET commands. Turning this option ON reveals the IPXRTR SET commands.

Always Pace SAP: OFF
Turns ON and OFF the requirement to always adhere to the SAP inter-packet gap rules.

IPXCP Support: OFF
Turns ON and OFF PPP IPXCP negotiation support.

Required Network For Services: OFF
Turns ON and OFF exact network number matching for services.

IPX WAN Client Validation: OFF
Turns ON and OFF IPX WAN client source node validation.

Load Balance Local LAN = OFF
Load balancing ON or OFF.
ISLL Delay: OFF
Alternate way of measuring the delay value.

Force RIP SAP Updates: OFF
Turns ON and OFF forced RIP and SAP updates, sent as All Routes and All Services requests.

NLSP Log: ON
Turns NLSP alert messages to the error log file ON and OFF.

NLSP Packet Drop Rate: 0  Limits: 0 to 100
Sets the rate at which NLSP packets are dropped.

NLSP Update Bindery: ON
Turns SAP bindery updates ON and OFF.

Global Reset Router: OFF
Turns Global Reset Router ON and OFF.

NLSP Mem Fail Rate: 0  Limits: 0 to 100
Sets the failure rate for NLSPAlloc.

ISLL Log: OFF
Turns the ISLL debug log ON and OFF.

ISLL EnterDebugger: OFF
Turns the ISLL debug trap ON and OFF.

IPX Exit Node:  Maximum Length: 17
Sets the IPX exit node for the default router.

IPX WAN Client Spoofing Time: 14 minutes 59.7 seconds  Limits: 0 seconds to 2880 minutes
Amount of time the IPX router will spoof watchdog packets to prevent IPX WAN client connections from being logged out by the server.

ISDB Debug: 0  Maximum Length: 8
Sets various levels of IPXRTR ISDB debug tracing. A hexadecimal number is entered, each bit displaying a different area of ISDB debug information. Setting this to FFFFFFFF displays all ISDB debug information; setting it to 0 disables ISDB debugging.
RIP Debug: 0  Maximum Length: 8
Sets various levels of IPXRTR RIP/SAP debug tracing. A hexadecimal number is entered, each bit displaying a different area of RIP/SAP debug information. A setting of FFFFFFFF displays all RIP/SAP debug information; a setting of 0 disables RIP/SAP debugging.

ISUL Debug: 0  Maximum Length: 8
Sets various levels of IPXRTR ISUL debug tracing. A hexadecimal number is entered, each bit displaying a different area of ISUL debug information. A setting of FFFFFFFF displays all ISUL debug information; a setting of 0 disables ISUL debugging.

ISLL TD: 0 seconds  Limits: 0 seconds to 59 minutes 22.5 seconds
Interval for sending the periodic delay and throughput packet.

ISLL Debug: OFF
Turns ON and OFF the ISLL debug trace.

Enable Packet Burst Statistics Screen: OFF
Displays the NCP packet burst statistics screen.

TCP Disable Nagles algorithm: OFF
Set to ON to disable Nagle’s algorithm.

TCP Disable Delayed ACK: OFF
Set to ON to disable delayed ACK. Default value is OFF.

TCP Sockets Debug: 0  Limits: 0 to 4
Starts or stops sockets debugging.

TCP IPCP Debug: 0  Limits: 0 to 4
Starts or stops IPCP debugging.

TCP WAN Debug: 0  Limits: 0 to 4
Starts or stops WAN debugging.

TCP ECB Debug: 0  Limits: 0 to 4
Starts or stops ECB debugging.
TCP IP Debug: 0  Limits: 0 to 4
Starts or stops IP debugging.

TCP Defend Land Attacks = ON
Defends against Land attacks. Some TCP/IP stacks can crash when they receive this kind of packet, which carries identical destination and source ports and IP addresses.

Maximum Pending TCP Connection Requests = 128  Limits: 128 to 4096
Maximum number of pending TCP connections.

TCP Defend SYN Attacks = OFF
Defends against SYN attacks (TCP handshake attacks). Turning this ON is appropriate for firewalls.

IP Wan Client Validation = OFF
Starts or stops IP WAN client validation for remote clients dialing in through NetWare Connect.

UDP Debug: 0  Limits: 0 to 4
Starts or stops UDP debugging.

Maximum Interface MTU: 576  Limits: 576 to 5000
IP will use the smaller of this value and the interface’s MTU when Use Specified MTU is set to ON.

RIP2 aggregation override: OFF
RIP2 only. When this flag is set to ON, subnet routes are not aggregated when crossing network boundaries.

Always Allow IP Fragmentation: OFF
Forces the Don’t Fragment field in the IP header.

TCP RIP Debug: 0  Limits: 0 to 4
Starts or stops RIP debugging.

TCP ARP Debug: OFF
Starts or stops the ARP debug option.
TCP Maximum Packet Retransmission: 12  Limits: 0 to 12
Use this option to change the maximum number (default 12) of packet retransmissions in TCP.

Use Specified MTU: OFF
Forces IP to use the specified MTU size, 576 by default. Maximum Interface MTU can be used to change this value.

IP Address Management Override: OFF
This is only for AT&T. When this flag is set to ON, server-based address management and client-side address configuration override take place.

Allow IP Address Duplicates = OFF
TCPIP.NLM will not allow the server to bind an IP address that conflicts with another node on the network. If you want to bind the IP address even if it conflicts with another node on the network, set this variable to ON.

Allow non local broadcasts: 0  Limits: 0 to 1
Enables the server to process IP broadcast packets from hosts with non-local source IP addresses.

TCP Minimum Retransmission Timeout: 2  Limits: 2 to 6
Use this option to change the minimum (default 2) packet retransmission timeout in TCP, in ticks.

TCP Maximum Initial Window: 4  Limits: 2 to 4
Use this option to change the maximum initial window size for a TCP connection. Specify the maximum in units of packets.

TCP Connection Establishment timeout: 0  Limits: 0 to 335
Use this option to change the TCP connection establishment timeout in ticks. Default value is 335 ticks (or 75 seconds).

TCP Trace: 0  Limits: 0 to 4
TCP Trace is disabled when set to 0 (default). A value of 1 writes a summary to a screen. A value of 2 writes a summary to a screen and a file. A value of 3 writes a detailed dump to a screen. A value of 4 writes a detailed dump to a screen and a file.
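SAVE ENVIRONMENT and SAVE MODIFIED ENVIRONMENT give you a text file per server, and the handful of parameters in the TCP/IP list with a security consequence (Discard Oversized UDP Packets, Discard Oversized Ping Packets, TCP Defend Land Attacks, TCP Defend SYN Attacks, Allow IP Address Duplicates, Allow non local broadcasts) are worth checking in every such file. The Python below is an added example written for this supplement, not a tool from the book or from Novell: it assumes the saved file holds one "Parameter = value" line per parameter, compares two servers' files the way the "comparisons" heading above suggests, and reports any baseline parameter that is missing or not at the expected value. The two environments are constructed samples, and the baseline itself (including TCP Defend SYN Attacks = ON, which the supplement calls appropriate for firewalls rather than the default) is this example's own assumption.

```python
"""Compare saved NetWare SET environments and audit the TCP/IP defence
parameters listed in this supplement (added example, not Novell's code).

Assumed input format: the text written by SAVE ENVIRONMENT / SAVE MODIFIED
ENVIRONMENT, taken here to be one "Parameter Name = value" line per
parameter, with optional blank and comment lines.  The sample environments
at the bottom are constructed for this example, not captured output.
"""
import re

# Parameters from the supplement whose value matters for exposure, with the
# value a defender would expect on a server reachable from untrusted networks.
# TCP Defend SYN Attacks defaults to OFF; ON is the firewall-facing setting the
# supplement describes, so this baseline (an assumption) expects ON.
SECURITY_BASELINE = {
    "discard oversized udp packets": "ON",
    "discard oversized ping packets": "ON",
    "tcp defend land attacks": "ON",
    "tcp defend syn attacks": "ON",
    "allow ip address duplicates": "OFF",
    "allow non local broadcasts": "0",
}

# "Name = value" or "Name: value"; the name is matched non-greedily so the
# first "=" or ":" after it ends the name.
_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /'_-]*?)\s*[=:]\s*(.*?)\s*$")


def parse_set_environment(text):
    """Return {normalised name: value} for every assignment line.

    Names are lower-cased with internal whitespace collapsed so that console
    output with odd spacing or capitalisation still matches.  Lines that are
    blank, start with '#' or ';', or do not look like an assignment are skipped.
    """
    env = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        name = " ".join(m.group(1).split()).lower()
        env[name] = m.group(2).strip()
    return env


def diff_environments(left, right):
    """Return {name: (left value or None, right value or None)} for every
    parameter whose value differs or that is present on only one server."""
    diffs = {}
    for name in sorted(set(left) | set(right)):
        lv, rv = left.get(name), right.get(name)
        if lv != rv:
            diffs[name] = (lv, rv)
    return diffs


def audit_security_settings(env, baseline=SECURITY_BASELINE):
    """Return [(name, expected, actual)] for baseline parameters that are
    missing from the environment or set to something other than expected.
    ON/OFF comparison is case-insensitive."""
    findings = []
    for name, expected in baseline.items():
        actual = env.get(name)
        if actual is None or actual.upper() != expected.upper():
            findings.append((name, expected, actual))
    return findings


# Constructed sample SAVE MODIFIED ENVIRONMENT output for two servers.
SERVER_A = """\
; server A (constructed sample, not a real capture)
Minimum Packet Receive Buffers = 2000
Maximum Physical Receive Packet Size = 1518
TCP Defend Land Attacks = ON
TCP Defend SYN Attacks = ON
Discard Oversized UDP Packets = ON
Discard Oversized Ping Packets = ON
Allow IP Address Duplicates = OFF
Allow non local broadcasts = 0
"""

SERVER_B = """\
; server B (constructed sample, not a real capture)
Minimum Packet Receive Buffers = 128
Maximum Physical Receive Packet Size = 1518
TCP Defend Land Attacks = OFF
TCP Defend SYN Attacks = OFF
Discard Oversized UDP Packets = ON
Discard Oversized Ping Packets = ON
Allow IP Address Duplicates = ON
"""

if __name__ == "__main__":
    a, b = parse_set_environment(SERVER_A), parse_set_environment(SERVER_B)
    for name, (va, vb) in diff_environments(a, b).items():
        print(f"{name}: A={va!r} B={vb!r}")
    for name, expected, actual in audit_security_settings(b):
        print(f"WARNING {name}: expected {expected}, found {actual}")
```

Run it against two real SAVE MODIFIED ENVIRONMENT files by reading them into the two strings; a parameter that appears on only one side is reported with None for the other, which is exactly what you want when a server has been left at defaults. The parser only recognises the assumed one-line format, so if a server writes a different layout the first thing to check is that parse_set_environment returns the parameters you expect.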
TOS for IP packets: 0  Limits: 0 to 15
Use this option to change the TOS field in the IP header for all outgoing packets.

ARP entry expiry time: 300  Limits: 240 to 14400
Use this option to change the expiry time of ARP entries, in seconds. Default is 5 minutes; range is 4 minutes to 4 hours.

TCP IP Maximum Small ECBs: 1024  Limits: 512 to 65534
Use this option to change the maximum number of small ECBs.

DISPLAY CSL OPERATIONAL STATUS: OFF
Displays CSL operational status.

CALL SUPPORT LAYER DEBUG: OFF
Turns CSL debugging ON/OFF.

Allow IPXRTR load in CMD Mode: ON
Whether IPXRTR.NLM (the IPX router) can be loaded on a CMD server, ON or OFF.

Allow IPX Bind in CMD Mode: OFF
Whether an external IPX network can be bound on a CMD server, ON or OFF.

IPX Router Broadcast Delay = 0  Limits: 0 to 2
How long the IPX router should delay between SAP/RIP broadcast packets. 0 = adjust the delay to the size of the SAP/RIP tables; 1 = delay 1 tick; 2 = delay 2 ticks.

IPX NetBIOS Replication Option = 2  Limits: 0 to 3
Defines how the IPX router deals with NetBIOS replicated broadcasts:
0: Don’t replicate them
1: Replicate them using the old algorithm (which causes duplicate broadcasts when there are redundant routes)
2: Replicate them using the new algorithm (which squelches duplicate broadcasts but doesn’t go as far)
3: Same as method 2, but doesn’t replicate to WAN links

Use Old Watchdog Packet Type = OFF
Use type 0 instead of type 4 for watchdog packets. Some old router hardware will filter out type 4 IPX packets, which can cause a client to lose its connection to the server when it sits inactive for a few minutes.
REPLY TO GET NEAREST SERVER = ON
Default = ON. An ON value makes this server respond to GET NEAREST SERVER requests from workstations that are attempting to locate a server (IPX only). Some of my clients turn this off and use routers to supply this information. Get Nearest Server is a SAP request an IPX client sends at boot: the client SAPs a GNS packet to obtain a server connection, and then asks for a NetWare server holding an NDS replica to log in to. In an IP world, the SLP multicast accomplishes the same task in a different way.

Enable Connection Manager Screen: OFF
Turns the Connection Manager Activity screen on/off.

Maximum Connection Object Reuse Count: 32  Limits: 8 to 128
The number of connection objects to retain for immediate reuse.

Disable Broadcast Notifications Process: OFF
Turning on this option inhibits the sending of broadcast notifications on all loaded protocols.

Disable Watchdog Process: OFF
Turning on this option inhibits the sending of watchdog packets on all loaded protocols.

Enable Watchdog Screen: OFF
Turns the Watchdog Activity screen ON or OFF.

Number Of Watchdog Packets = 10  Limits: 5 to 100
The number of times the server will ask a workstation whether it is still alive (still attached to the file server) before terminating the workstation’s connection, if no response has been received.

Delay Between Watchdog Packets = 59.3 SEC  Limits: 9.9 seconds to 10 minutes 26.2 seconds
Amount of time the server waits for an inactive workstation to reply to a watchdog packet before asking the workstation again whether it is still attached to the file server.

Delay Before First Watchdog Packet = 4 MIN 56.6 SEC  Limits: 15.7 seconds to 20160 minutes
Amount of time the server waits, without receiving a request from a workstation, before asking the workstation to send a response packet back confirming that it is still attached to the file server.
Console Display Watchdog Logouts = OFF
Displays an alert on the console when the watchdog logs out a user because of a connection failure.

Maximum Packet Receive Buffers = 10000  Limits: 50 to 3303820
Default for NW4.2 is 100, or 400 for SFTIII. Maximum number of packet receive buffers that can be allocated by the server. Two to three buffers per connected node are recommended. Support has told me that a jabbering NIC card can flood the receive buffers; therefore, 3000 is normally enough. Many times I go higher than 3000. Leave at the default for NW 5.x. Note: See Chapter 9 for server tuning information.

Minimum Packet Receive Buffers: 2000  Limits: 10 to 32768
Minimum number of packet receive buffers allocated by the OS. Default in NW 4.2 is 50; SFTIII default is 100; default in NetWare 5.0 is 128; default in NetWare 5.1 SP1 is 2000. Two to three buffers per node is Novell’s recommendation. I like to use 2000–3000 as my minimum—assuming you have enough RAM. The IP protocol likes more buffer space than IPX, as you can see from the minimums listed above. Use a minimum of 128MB RAM in your servers—I often see 64 and 96MB RAM. RAM is cheap. NetWare is a cache-intensive, not CPU-intensive, operating system. 2000 buffers X 1514 bytes (maximum packet size) = 3 MB of additional RAM.

Maximum Physical Receive Packet Size = 4224  Limits: 618 to 65642
Default in NetWare 5.1 SP1 is 10,000. Size of the largest packet that can be received by an MLID (NIC card driver). This setting should reflect your server segment’s MTU. On Ethernet installations, I automatically change this value to 1518; for IPX on PPP, 1524.

New Packet Receive Buffer Wait Time = 0.1 SEC  Limits: 0.1 seconds to 20 seconds
Minimum time to wait before allocating a new packet receive buffer.
Maximum Interrupt Events = 10  Limits: 1 to 1000000
Maximum number of interrupt-time events (such as IPX routing) allowed before guaranteeing that a thread switch has occurred (when the maximum is reached, the server switches to thread-time processing of events).

Tuning and optimization
See the last chapter in the book for server tuning and optimization recommendations. Many of the parameters in this first communication section are covered there. NDS tuning is covered in the NDS chapter, and client tuning is covered at the end of Chapter 1.

Memory Parameters

Wakeup Page Cleaner Delay: 25  Limits: 1 to 10000
Every time a page is cleaned we get notified of the event. The delay amount is the number of pages that are cleaned before we force a wakeup of the page cleaner in order to fill the I/O channel.

Max Page Cleaner Outstanding IOs: 50  Limits: 10 to 4000
This is the maximum number of I/Os that the page cleaner will have outstanding. On some systems the page cleaner can get ahead of the I/O channel. If we continue submitting I/O requests, we will run out of system resources trying to fulfill the requests.

Max Page Cleaner Pushes: 50  Limits: 5 to 10000
Maximum number of pages on the dirty list that the page cleaner will examine.

Max Page Cleaner Looks: 80  Limits: 5 to 10000
Maximum number of pages on the dirty list that the page cleaner will examine.

VM Cache Pool Maximum Pages Percentage: 0  Limits: 0 to 100
Maximum number of physical pages the VM subsystem may take, as a percentage of total system memory. A value of 80 would allow the VM subsystem to take up to 80% of the physical memory on the system. A value of zero disables this feature.

VM Cache Pool Free Minimum Pages: 8  Limits: 0 to 2147483647
This is the minimum number of pages the VM system cache needs for proper operation.
VM Cache Pool Free Lots of Pages: 64  Limits: 0 to 2147483647
This is the number of pages the VM system cache considers to be excessive. Memory may be transferred to another cache subsystem if necessary.

VM Cache Pool Free Desired Pages: 25  Limits: 0 to 2147483647
Number of pages the VM system cache needs for proper operation.

VM Cache Pool Minimum Pages: 10  Limits: 4 to 1024024
Minimum number of pages that can be allocated to the VM cache pool.

VM Cache Pool Maximum Pages: –1  Limits: 4 to –1
Maximum number of pages that can be allocated to the VM cache pool.

Upper Page I/O Threshold: 32  Limits: 16 to 512
Upper page I/O threshold, above which the number of I/Os caused by the VM subsystem is limited.

Maximum RSS Pages: 5000  Limits: 10 to 1073741824
This parameter sets the level at which trimming occurs. This only applies if Dynamic Maximum RSS is set to OFF; if that value is set to ON, this value is ignored. If it is set to OFF, trimming (if necessary) will occur for any address space exceeding this value.

Max Deficit: 256  Limits: 128 to 1024
Maximum deficit of memory that the VM system uses when performing its memory calculations.

FS Cache Pool Transfer In Yield Type: 0  Limits: 0 to 1
Sets the type of yield to use when the old file system cache pool needs to yield as blocks of memory are being transferred into it. The possible values are: 0 – yield (faster), and 1 – delay (slower).

FS Cache Pool Minimum Percentage To Transfer Out: 4  Limits: 1 to 100
Minimum percentage of the number of pages that can be transferred out of the old file system cache in one operation; controlled by the FS Cache Pool Constrain Transfer Out Type SET parameter.
FS Cache Pool Minimum Percentage To Transfer In: 4  Limits: 1 to 100
Minimum percentage of the number of pages that can be transferred into the old file system cache in one operation; controlled by the FS Cache Pool Constrain Transfer In Type SET parameter.

FS Cache Pool Minimum Pages To Transfer Out: 5  Limits: 1 to –1
Minimum number of pages that can be transferred out of the old file system cache in one operation; controlled by the FS Cache Pool Constrain Transfer Out Type SET parameter.

FS Cache Pool Minimum Pages To Transfer In: 5  Limits: 1 to –1
Minimum number of pages that can be transferred into the old file system cache in one operation; controlled by the FS Cache Pool Constrain Transfer In Type SET parameter.

FS Cache Pool Minimum Pages: 1000  Limits: 0 to –1
Minimum number of pages the file system cache needs for proper operation.

FS Cache Pool Maximum Percentage To Transfer Out: 10  Limits: 1 to 100
Maximum percentage of the number of pages that can be transferred out of the old file system cache in one operation; controlled by the FS Cache Pool Constrain Transfer Out Type SET parameter.

FS Cache Pool Maximum Percentage To Transfer In: 10  Limits: 1 to 100
Maximum percentage of the number of pages that can be transferred into the old file system cache in one operation; controlled by the FS Cache Pool Constrain Transfer In Type SET parameter.

FS Cache Pool Maximum Pages To Transfer Out: 20000  Limits: 1 to –1
Maximum number of pages that can be transferred out of the old file system cache in one operation; controlled by the FS Cache Pool Constrain Transfer Out Type SET parameter.

FS Cache Pool Maximum Pages To Transfer In: 2000  Limits: 1 to –1
Maximum number of pages that can be transferred into the old file system cache in one operation; controlled by the FS Cache Pool Constrain Transfer In Type SET parameter.
FS Cache Pool LRU Medium: 30  Limits: 1 to 86400 seconds
LRU threshold, above which memory is removed from the file system cache.

FS Cache Pool LRU Low: 45  Limits: 1 to 86400 seconds
Lower LRU threshold, below which memory is removed from the VM system cache and given to the file system cache.

FS Cache Pool LRU High: 60  Limits: 1 to 86400 seconds
Upper LRU threshold, above which memory is removed from the file system cache.

FS Cache Pool Lots of Pages: 1500  Limits: 0 to –1
Number of pages the file system cache considers to be excessive; memory may be transferred to another cache subsystem if necessary.

FS Cache Pool Desired Pages: 1250  Limits: 0 to –1
This is the desired number of pages the file system cache needs for proper operation.

FS Cache Pool Constrain Transfer Out Type: 1  Limits: 0 to 2
Specifies how the pages being transferred out of the FS Cache Pool should be constrained.
0) No constraints: the minimum and maximum pages to transfer will not be limited.
1) Absolute values: the pages will be limited by the absolute values set with FS Cache Pool Minimum Pages To Transfer Out and FS Cache Pool Maximum Pages To Transfer Out.
2) Percentage: the pages will be limited by a percentage of the cache pool set with FS Cache Pool Minimum Percentage To Transfer Out and FS Cache Pool Maximum Percentage To Transfer Out.

FS Cache Pool Constrain Transfer In Type: 1  Limits: 0 to 2
Specifies how the pages being transferred into the FS Cache Pool should be constrained.
0) No constraints: the minimum and maximum pages to transfer will not be limited.
1) Absolute values: the pages will be limited by the absolute values set with FS Cache Pool Minimum Pages To Transfer In and FS Cache Pool Maximum Pages To Transfer In.
2) Percentage: the pages will be limited by a percentage of the cache pool set with FS Cache Pool Minimum Percentage To Transfer In and FS Cache Pool Maximum Percentage To Transfer In.

FS Cache Pool Blocks Transferred In Before Yield: 10  Limits: 1 to –1
Sets the number of contiguous memory blocks to transfer into the file system cache pool before yielding the CPU to another process.
External Judge Autoload Threshold: 1073741824  Limits: 0 to –1
Memory threshold at which the external judge is auto-loaded. When the physical memory on the machine equals or exceeds this value, THEJUDGE.NLM will be loaded automatically.

Dynamic VM Versus Cache Subsystem Differential: OFF
A setting of ON means physical memory distribution will be normal. Otherwise, it will be set according to the Desired VM Versus Cache Subsystem Differential SET parameter.

Dynamic Maximum RSS: OFF
This parameter changes the behavior of the trimming operation of the VM system. If this parameter is ON (default), then the level at which trimming takes effect is adjusted dynamically by the system. If this parameter is OFF, then trimming will occur at the level set by the Maximum RSS Pages value.

Desired VM Versus Cache Subsystem Differential: 0  Limits: 0 to 5
Only valid if Dynamic VM Versus Cache Subsystem Differential is set to OFF. This value is the differential at which the VM physical memory needs, in comparison to other cache entities, are attempted to be kept.

Deficit Age: 10  Limits: 1 to 20
Deficit age is the fraction by which the deficit is reduced per second. That is, if deficit_age is 10, then the deficit is reduced to 90% of its previous value each second. The available (free) memory count is reduced by the deficit when guiding further decisions about swapping processes in or out. If the system demonstrates a high percentage of idle cycles with processes swapped out, then it may be advisable to reduce the deficit_age factor so that the deficit is revised downward quickly and swap-ins are encouraged. If, on the other hand, the deficit is decayed too quickly, the system may swap processes in too quickly and experience memory thrashing.

Cache Pool Thread Yield Type: 0  Limits: 0 to 1
Sets the type of yield to use when the cache pool thread needs to yield. Possible values are: 0 – yield (faster), and 1 – delay (slower).

Cache Pool Thread Timeout: 5  Limits: 1 to –1 seconds
Number of seconds to allow the cache control thread to run before canceling the transfer process.

Cache Pool Pages Transferred Before Yield: 100  Limits: 1 to –1
Number of pages to transfer to/from any cache pool before yielding the CPU to another process.
Cache Pool Minimum Percentage To Transfer Out: 4  Limits: 1 to 100
Minimum percentage of physical pages that can be transferred out of any cache pool.

Cache Pool Minimum Percentage To Transfer In: 4  Limits: 1 to 100
Minimum percentage of physical pages that can be transferred into any cache pool.

Cache Pool Minimum Pages To Transfer Out: 5  Limits: 1 to –1
Minimum number of pages that can be transferred out of any cache pool.

Cache Pool Minimum Pages To Transfer In: 5  Limits: 1 to –1
Minimum number of pages that can be transferred into any cache pool.

Cache Pool Maximum Percentage To Transfer Out: 10  Limits: 1 to 100
Maximum percentage of pages that can be transferred out of any cache pool.

Cache Pool Maximum Percentage To Transfer In: 10  Limits: 1 to 100
Maximum percentage of pages that can be transferred into any cache pool.

Cache Pool Maximum Pages To Transfer Out: 20000  Limits: –1 to –1
Maximum number of pages that can be transferred out of any cache pool.

Cache Pool Maximum Pages To Transfer In: 10000  Limits: –1 to –1
Maximum number of pages that can be transferred into any cache pool.

Constrain Pages To Transfer Out Type: 0  Limits: 0 to 2
Specifies how pages transferred out of all cache pools should be constrained.
0 – No constraints: the minimum and maximum pages to transfer will not be limited.
1 – Absolute values: the pages will be limited by the absolute values set with Cache Pool Minimum Pages To Transfer Out and Cache Pool Maximum Pages To Transfer Out.
2 – Percentage: the pages will be limited by a percentage of the cache pool set with Cache Pool Minimum Percentage To Transfer Out and Cache Pool Maximum Percentage To Transfer Out.

Constrain Pages To Transfer: 0  Limits: 0 to 2
Specifies how to constrain the pages transferred into all cache pools.
0 – No constraints: the minimum and maximum pages to transfer will not be limited.
1 – Absolute values: the pages will be limited by the absolute values set with Cache Pool Minimum Pages To Transfer In and Cache Pool Maximum Pages To Transfer In.
2 – Percentage: the pages will be limited by a percentage of the cache pool set with Cache Pool Minimum Percentage To Transfer In and Cache Pool Maximum Percentage To Transfer In.

Cache Pool Block Transfer Mode: ON
Specifies whether the cache pool thread will attempt to transfer pages in block mode. A setting of ON causes the cache pool to attempt to transfer pages in blocks of contiguous pages; with OFF the cache pool will attempt to transfer pages one at a time.

Average Page In Alert Threshold = 2000  Limits: 1 to –1
If the average number of page-ins for the VM system reaches this level, an alert is sent to the console.

Min Age Quantum: 1  Limits: 1 to 400
Minimum amount of time that an address space can be aged.

Max Age Quantum: 60  Limits: 5 to 400
Maximum amount of time that an address space can be aged.

Init Age Quantum: 5  Limits: 1 to 400
Initial amount of time that an address space is set to be aged. Increasing this value makes the address space age at a slower rate (and vice versa).

Elapse Time Ager Interval: 144  Limits: 3 to 86400
Time (in ticks) between successive iterations of the elapse time ager.

Nonlocked Minimum Pages: 5  Limits: 1 to 10
Number of pages that an address space must have available locked in order to age it.

Low Grow Rate: 2  Limits: 0 to 2
Number of pages an address space increases by between metering passes to be considered a low-growth address space. When an address space exhibits a low growth rate, the VM system tends to age/page it more often, since it is not growing and aging/paging may help other processes.
High Grow Rate: 8  Limits: 4 to 8
Number of pages an address space increases by between metering iterations to be considered a high-growth address space. When an address space exhibits a high growth rate, the VM system tends to age/page it less often, since it is growing and aging/paging would stifle the growth.

Maximum Pages To Trim: 10  Limits: 0 to 1000
Number of pages that the VM system can trim for all address spaces. A trimming operation removes a fixed number of pages for a given trimming operation. These pages are removed without any regard to the frequency of page usage.

Dynamic Age Quantum: OFF
By default, this parameter is TRUE, which means that the aging quantum will be set dynamically by the VM system. If this parameter is set to FALSE, then the aging quantum will be a static quantum, adjustable only by the value of the initial aging quantum.

Engage Ager: ON
ON means that the OS’s ager process will function normally. If this parameter is set to OFF, the ager will not be engaged and no VM memory will be aged out.

APT Free Dirty Page Threshold: 200  Limits: 1 to –1
This parameter controls the dirty page threshold so the OS’s ager can be made to acquire only clean pages. For example, if this parameter is 20 and the number of dirty pages goes above 20, the ager will concentrate on getting clean pages rather than any pages.

APT Free Clean Page Threshold: 50  Limits: 1 to –1
This parameter controls the clean page threshold so the ager can be told that it doesn’t need to get any pages. For example, if this parameter is 20 and the number of clean pages goes above 20, the ager will not try to get any pages.

VM Debug Screen: OFF
Setting this parameter to ON enables the VM debug screen.

Memory Protection Restart Count = 1  Limits: 0 to 1000
This SET parameter works in conjunction with the Memory Protection No Restart Interval SET parameter. Administrators can use this value to specify the number of restarts allowed during the Memory Protection No Restart Interval. The default value for this SET parameter is 1, so that if more than one protection fault occurs in an address space, the address space will only be restarted once. If you wish to configure NetWare to allow two restarts during a three-minute period, set Memory Protection Restart Count to 2 and Memory Protection No Restart Interval to 3.

Memory Protection No Restart Interval: 1  Limits: 0 to 525600
Don’t restart a user address space if the address space is faulting more than once during the specified number of minutes. A value of 0 disables this SET parameter. If a memory protection violation is attempted in a restartable address space, the offending address space and its loaded NLMs are removed and their resources are returned to the system. A new user address space with the same name is created and the NLMs are reloaded. The restart feature is disabled if the user address space was restarted more recently than the interval specified by this SET parameter.

Memory Protection Fault Cleanup = ON
ON or OFF. This SET command provides memory cleanup after user address space memory protection faults. If an NLM loaded in a user address space attempts to violate memory protection and this parameter is set to ON, the offending user address space and its loaded NLMs are removed, cleaned up, and their memory resources are returned to the system. If an NLM loaded in a user address space attempts to violate memory protection and this parameter is set to OFF, no effort is made to handle the fault and the situation is left to the ABEND recovery mechanism. See the server console command PROTECTION earlier in this chapter.

Garbage Collection Interval = 5 MIN  Limits: 1 minute to 60 minutes
Maximum time between garbage collection processes. Garbage collection is a function of the OS that salvages dirty RAM and returns it to the OS.

Alloc Memory Check Flag = OFF
Do corruption checking in Alloc memory nodes. This is for developers.

Reserved Buffers Below 16 Meg = 300  Limits: 8 to 2000
Number of file cache buffers to be kept for device drivers unable to access memory above 16 megabytes. This used to be a confusing command in the NetWare 4.x days; now Novell has graciously made this an automatic load process. You may never need to touch this in NetWare 5.

Jiggle Memory: OFF
Enable memory jiggling (for testing purposes).

Check Cache: OFF
Enable cache and dynamic memory checking.
Supplement 2:
Server SET commands
File caching parameters

Maximum Rights Vector Entry Pool: 7 seconds
Limits: 7 seconds to 239 minutes 58.4 seconds
Maximum number of Rights Vector Entries to be allocated while the file system is running.

Read Ahead Enabled = ON
Specifies that, as long as sequential file access is occurring, the server does background reads to bring the blocks that will be requested soon into the cache.

Read Ahead LRU Sitting Time Threshold = 10 SEC
Limits: 0 seconds to 60 minutes
If the cache LRU sitting time is below this threshold, read ahead will not take place.

Minimum File Cache Buffers = 20
Limits: 20 to 2000
Number of file cache buffers the server keeps in reserve (not allocated for other uses).

Maximum Concurrent Disk Cache Writes = 750
Limits: 10 to 4000
Maximum number of concurrent writes of dirty disk cache buffers.

Dirty Disk Cache Delay Time = 3.3 SEC
Limits: 0.1 seconds to 10 seconds
Minimum amount of time the system waits before writing a not completely dirty disk cache buffer.

Minimum File Cache Report Threshold = 20
Limits: 0 to 2000
How close the number of cache buffers has to get to the minimum before a warning is issued.
Directory caching parameters

Dirty Directory Cache Delay Time = 0.5 SEC
Limits: 0 seconds to 10 seconds
Minimum time the system waits before writing a dirty directory cache buffer to disk.

Maximum Concurrent Directory Cache Writes = 75
Limits: 5 to 500
Maximum number of directory cache buffer writes the system queues before the disk head sweeps across the disk. See Chapter 9 for tuning recommendations on this parameter.
Directory Cache Allocation Wait Time = 2.2 SEC
Limits: 0.1 seconds to 2 minutes
Minimum time to wait before the file server allocates another buffer. See Chapter 9 for tuning recommendations on this parameter.

Directory Cache Buffer NonReferenced Delay = 5.5 SEC
Limits: 1 second to 60 minutes
Normal time to wait after a directory cache buffer is referenced before it is overwritten.

Maximum Directory Cache Buffers = 500
Limits: 20 to 200000
Maximum number of directory cache buffers that can be allocated by the system. See Chapter 9 for tuning recommendations on this parameter.

Minimum Directory Cache Buffers = 150
Limits: 10 to 100000
Minimum number of directory cache buffers the server allocates before it waits the Directory Cache Allocation Wait Time between further allocations. See Chapter 9 for tuning recommendations on this parameter.

Maximum Number Of Internal Directory Handles = 100
Limits: 40 to 1000
Maximum number of directory handles retained for NLMs using connection zero. This setting facilitates rapid acquisition of access rights in a given directory.

Maximum Number Of Directory Handles = 20
Limits: 20 to 1000
Maximum number of directory handles each connection can obtain to facilitate rapid acquisition of access rights in a given directory.
File system parameters

Maximum Wait Time For Limbo Space during Volume Mount: 19.8 seconds
Limits: 1 second to 19 minutes 46.4 seconds
Amount of time to wait for limbo space to be freed up when mounting a volume.

Purge Files On Dismount = OFF
Purge all deleted files on a volume when it is dismounted. A setting of ON purges all deleted files, removing them forever, every time the volume is dismounted. Keep in mind that volumes are dismounted at every boot.
Maximum Concurrent opens per file and connection: 10000
Limits: 10 to 1000000
Maximum number of concurrent opens allowed on the same file and connection.

Automatically Repair Bad Volumes = ON
When a volume fails to mount, automatically run VREPAIR to fix it. Each volume is checked at boot; if the OS sees a problem and this value is ON, it runs VREPAIR automatically.

Check SubAllocation: OFF
Enable suballocation checking.

Minimum File Delete Wait Time = 1 MIN 5.1 SEC
Limits: 0 seconds to 10080 minutes
Minimum time to wait after a file is deleted before purging it.

File Delete Wait Time = 5 MIN 25.9 SEC
Limits: 0 seconds to 10080 minutes
Normal time to wait after a file is deleted before purging it.

Allow Deletion Of Active Directories = ON
Allow the deletion of a directory when another connection has a drive mapped to it. NT users will lose their drive mappings if the currently accessed directory is deleted.

Maximum Percent of Volume Space allowed for Extended Attributes = 10
Limits: 5 to 50
Percent of volume space allowed for Extended Attributes storage.

Maximum Extended Attributes per File or Path = 16
Limits: 4 to 512
Allowable number of extended attributes for files or paths.

Fast Volume Mounts = ON
Relax checking of less important fields for faster volume mounts. This is only safe when the volume was dismounted cleanly the last time; after an abnormal dismount the full checks are exactly what you want. Why wouldn't you want your volumes to mount faster? For data security reasons it should be switched to OFF. NSS is much faster than the traditional file system.

Maximum Percent Of Volume Used By Directory = 13
Limits: 5 to 85
Maximum percent of each volume that can be allocated for the directory.
Immediate Purge Of Deleted Files = OFF
Purge all files immediately upon deletion, for all volumes on the server. You can set this attribute on a volume or directory basis with the NetWare client: right-click any volume or directory ➝ Properties ➝ NetWare Info ➝ Immediate Purge. Best Practice: I like to set this on a directory or volume level for print queues. Some clients use the SYS volumes infrequently and find this setting works on the volume.
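The file-system settings above (Fast Volume Mounts, the delete and purge timers, Immediate Purge) and the Compression Daily Check Starting Hour advice under the compression parameters are the kind of thing worth checking across a fleet of servers rather than by eye at the console. The Python script below is an added example, not code from the book or from Novell: it parses a captured SET-parameter dump (assumed to be one "Name = value" line per parameter, as the console prints them; the sample dump is constructed) into typed values and reports the settings the text says to revisit. The backup_end_hour input and the use of lower-cased parameter names as dictionary keys are assumptions of the example.

```python
"""Parse a NetWare SET-parameter dump and audit the file-system settings
discussed above.

Added example, not code from the book or from Novell. It assumes the
parameters are captured one per line as "Name = value", the way the
console prints them; the sample dump below is constructed.
"""
import re

# Constructed sample dump: the "Name = value" lines a console capture would hold.
SAMPLE_DUMP = """\
Fast Volume Mounts = ON
Purge Files On Dismount = OFF
Immediate Purge Of Deleted Files = OFF
Minimum File Delete Wait Time = 1 MIN 5.1 SEC
File Delete Wait Time = 5 MIN 25.9 SEC
Enable Hardware Write Back = ON
Compression Daily Check Starting Hour = 0
"""

# "1 MIN 5.1 SEC", "3.3 SEC" or "5 MIN": at least one of the two parts must be present.
_TIME_RE = re.compile(
    r"^(?:(?P<min>\d+(?:\.\d+)?)\s*MIN)?\s*(?:(?P<sec>\d+(?:\.\d+)?)\s*SEC)?$", re.I)


def parse_value(raw):
    """ON/OFF -> bool, time strings -> seconds (float), integers -> int, else str."""
    raw = raw.strip()
    if raw.upper() in ("ON", "OFF"):
        return raw.upper() == "ON"
    m = _TIME_RE.match(raw)
    if m and (m.group("min") or m.group("sec")):
        return float(m.group("min") or 0) * 60 + float(m.group("sec") or 0)
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw


def parse_dump(text):
    """Map lower-cased parameter names to parsed values; lines without '=' are skipped."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip().lower()] = parse_value(value)
    return params


def audit(params, backup_end_hour=None):
    """Return (parameter, finding) pairs for settings the text above says to revisit.

    backup_end_hour (hypothetical input) is the hour the nightly backup finishes,
    used for the 'start compression after the backup' recommendation.
    """
    findings = []
    if params.get("fast volume mounts") is True:
        findings.append(("Fast Volume Mounts",
                         "ON relaxes mount-time checking; the text recommends OFF."))
    if params.get("enable hardware write back") is True:
        findings.append(("Enable Hardware Write Back",
                         "writes are reported complete before they reach media; "
                         "accept only if the write cache is protected."))
    wait = params.get("file delete wait time")
    if params.get("immediate purge of deleted files") is False and isinstance(wait, float):
        findings.append(("File Delete Wait Time",
                         "deleted files stay salvageable for about %d s unless Immediate Purge "
                         "or Purge Files On Dismount is used." % wait))
    start = params.get("compression daily check starting hour")
    if (backup_end_hour is not None and isinstance(start, int)
            and not isinstance(start, bool) and start < backup_end_hour):
        findings.append(("Compression Daily Check Starting Hour",
                         "compression starts at %d:00, before the backup ends at %d:00."
                         % (start, backup_end_hour)))
    return findings


if __name__ == "__main__":
    for name, why in audit(parse_dump(SAMPLE_DUMP), backup_end_hour=4):
        print("%-40s %s" % (name, why))
```

Run against the sample, the script lists all four findings; feed it a real capture (DISPLAY the parameters, or the output of a SET listing redirected to a file) and a backup end hour for your site. Values the parser does not recognise (paths, time-zone strings) are kept as text so nothing is silently dropped.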
Maximum Subdirectory Tree Depth = 25
Limits: 10 to 100
Maximum depth of subdirectories.

Volume Low Warn All Users = ON
Send the volume low warning to all users.

Volume Low Warning Reset Threshold = 256
Limits: 0 to 100000
Number of disk blocks above the volume low warning threshold at which the warning trigger is reset.

Volume Low Warning Threshold = 256
Limits: 0 to 1000000
Threshold at which a warning is issued that the volume is getting low on disk space (the number is in disk allocation units).

Turbo FAT Re-Use Wait Time = 5 MIN 25.9 SEC
Limits: 0.3 seconds to 65 minutes 54.6 seconds
Minimum time to wait before re-using a closed Turbo FAT.

Compress Screen: OFF
Creates/destroys the compression status screen.

Compression Daily Check Stop Hour = 6
Limits: 0 to 23
The hour, in military time (0 = midnight, 23 = 11 p.m.), when the file compressor stops scanning each enabled volume for unopened files that need to be compressed. If Compression Daily Check Stop Hour equals Compression Daily Check Starting Hour, checking starts every day at the starting hour and runs as long as necessary to finish all files meeting the compressible criteria.
The compression process is a low priority thread that can nonetheless keep CPU utilization at or near 100% for several minutes, so you do not want compression running while users are starting to log in during the morning hours.

Compression Daily Check Starting Hour = 0
Limits: 0 to 23
The hour, in military time (0 = midnight, 23 = 11 p.m.), when the file compressor starts scanning each enabled volume for files that need to be compressed. Best Practice: Set this parameter to a time after your backup has completed. In theory, this shouldn't be a problem as backups are a high priority thread—my experience has sometimes shown differently.

Minimum Compression Percentage Gain = 20
Limits: 0 to 50
The percentage of space a file must save before it is considered for compression.

Enable File Compression = ON
Allow file compression to occur on compression-enabled volumes. If disabled, no compression takes place; immediate compress requests are queued until compression is allowed again. The default is ON.

:SET ENABLE FILE COMPRESSION = OFF

This setting deactivates file compression on all volumes of the server, but does not turn off file compression, which can only be done when a volume is created. Compression stays enabled, just not active: files that qualify for compression are queued until compression is re-enabled. Best Practice: Upon creation of a new server, disable compression on the SYS volume. It inhibits file access performance.
Compression
Unopened files are chosen for compression based on other SET parameters:
Enable File Compression must be ON
File must be unopened
Minimum Compression Percentage Gain value
Days Untouched Before Compression value
Compression Daily Check Stop Hour value
You may view compression statistics from client utilities, in:
NetWare Administrator ➝ volume_name ➝ details ➝ statistics
or through FILER
or Windows Explorer ➝ right-click a volume or mapped drive ➝ Properties ➝ NetWare volume statistics
You may set compression attributes on files and directories with the above utilities. Available options are:
IC: Immediate Compress the file or directory, and any subdirectories
DC: Don't Compress files or directories, and any subdirectories, even if the volume supports compression
Maximum Concurrent Compressions = 2
Limits: 1 to 8
Simultaneous compressions allowed by the system (simultaneous compressions can only occur if there are multiple volumes). Note: Novell recommends not changing this number; it represents the number of volumes that may be compressed at the same time.

Convert Compressed To Uncompressed Option = 1
Limits: 0 to 2
Sets what the OS does with the uncompressed version of a file after it decompresses it:
0: Always leave the compressed version
1: Default; if the compressed file is read only once within the time frame defined by Days Untouched Before Compression, leave it compressed (on the second access leave it uncompressed)
2: Always change to the uncompressed version

Decompress Percent Disk Space Free To Allow Commit = 10
Limits: 0 to 75
Newly uncompressed files cannot fill up the volume: there must be a minimum of 10% (defined by this value) of disk space available to uncompress a file.

Decompress Free Space Warning Interval = 30 MIN 57.2 SEC
Limits: 0 seconds to 42710 minutes 3.8 seconds
The time interval between displaying warning alerts when the file system is not permanently changing compressed files to uncompressed files due to insufficient free disk space (setting the display interval to 0 turns off the alert).

Deleted Files Compression Option = 1
Limits: 0 to 2
How to compress unpurged deleted files:
0: Don't
1: Compress next day
2: Compress immediately

Days Untouched Before Compression = 14
Limits: 0 to 100000
The number of days to wait after a file was last accessed before automatically compressing it. See the Compression section earlier.

Allow Unowned Files To Be Extended = ON
Controls whether or not an unowned file can be extended. It is suggested that unowned files have their Owner changed to SUPERVISOR, as this user will never be deleted. A number of third party utilities allow the file Owner to be changed from the command line.

Locks

Open Callback Timeout: 29.7 seconds
Limits: 0.3 seconds to 2 minutes 17.3 seconds
Number of ticks a request will wait for a client flush.

Maximum Record Locks Per Connection = 500
Limits: 10 to 100000
Maximum number of record locks per connection (physical, logical, and semaphores).

Maximum File Locks Per Connection = 250
Limits: 10 to 10000
Maximum number of file locks per connection (including open files).

Maximum Record Locks = 20000
Limits: 100 to 400000
System wide maximum number of record locks (physical, logical, and semaphores).

Maximum File Locks = 10000
Limits: 100 to 2000000
System wide maximum number of file locks (including open files).
Transaction Tracking (TTS)

Transaction Tracking is useful for databases. NDS utilizes the TTS attribute; in reality, NDS must use TTS. NSS version 3.0 supports TTS, and thus NDS, on the SYS volume—finally. If you want the benefits of TTS, use disk duplexing or mirroring.

TTS Screen: OFF
Enable the TTS debug screen.

Auto TTS Backout Flag = ON
Automatically do TTS backouts on reboot (skip the prompts).

TTS Abort Dump Flag = OFF
Enable dumping of data from aborted transactions to a log file.

Maximum Transactions = 10000
Limits: 100 to 10000
System wide maximum number of concurrent transactions.

TTS UnWritten Cache Wait Time = 1 MIN 5.9 SEC
Limits: 11 seconds to 10 minutes 59.1 seconds
Maximum time a cache buffer write can be delayed by TTS.

TTS Backout File Truncation Wait Time = 59 MIN 19.2 SEC
Limits: 1 minute 5.9 seconds to 1581 minutes 51.3 seconds
Minimum time to wait before truncating the TTS backout file.

Disk parameters

Sequential Elevator Depth = 8
Limits: 0 to –1
Set the maximum elevator depth for sequential requests. Media Manager will send up to this number of sequential requests to the same device. When the device contains this number of requests AND another device in the mirror group is empty, Media Manager begins sending requests to the idle device.

Enable IO Handicap Attribute = OFF
Drivers and applications can set an attribute to inhibit or handicap read requests from one or more devices. Setting this parameter to ON enables the attribute to function; setting it to OFF makes NetWare treat the device as any other device. Do not set this parameter to ON unless instructed to do so by a device manufacturer.

Mirrored Devices Are Out Of Sync Message Frequency = 28
Limits: 5 to 9999
Sets the frequency in minutes at which NetWare checks for out-of-sync devices.
Remirror Block Size = 1
Limits: 1 to 8
Sets the remirror block size in 4K increments (1 = 4K, 2 = 8K, ... 8 = 32K).

Concurrent Remirror Requests = 32
Limits: 2 to 32
Sets the number of remirror requests per mirror object.

Ignore Partition Ownership = OFF
Setting this parameter to ON allows partitions owned by other servers in the cluster to be activated on this server.

Ignore Disk Geometry = OFF
Ignore disk geometry when reading or writing the disk partition. Turning this setting ON while modifying or creating partitions allows the creation of non-standard and unsupported partitions. CAUTION: This may adversely affect other file systems on the disk.

Enable Hardware Write Back = OFF
Allow drivers to use hardware write-back caching if supported. I/O write requests may be cached and reported as successful before the data is actually committed to media. Write performance is typically increased. (Excludes Transaction Tracking requests.)

Enable Disk Read After Write Verify = OFF
Read back all data written to disk and verify correctness.

Time parameters

TIMESYNC Configuration File = SYS:SYSTEM\TIMESYNC.CFG
Maximum Length: 254
Selects a configuration file path. This file is automatically updated when the TIMESYNC parameters are changed, using either Monitor NLM or SET parameters from the command line. TIMESYNC reads from this file when TIMESYNC Restart Flag is set to ON.

Time Zone = EST5EDT
Maximum Length: 79
Time zone string giving the abbreviated name of the time zone, the offset from Universal Time Coordinated (UTC), and the alternate abbreviated time zone name to be used when daylight savings time is in effect. The default is . Issuing this command causes UTC time to be recalculated from local time.

Start Of Daylight Savings Time = (APRIL SUNDAY FIRST 2:00:00 AM)
Maximum Length: 78
Local date and time when the switch onto daylight savings time should occur. Formats include a simple date and time or rules introduced by a "(". For example: April 4 1993 2:0:0 a.m., (April 4 2:0:0 a.m.), (April Sunday >= 1 2:0:0 a.m.), (April Sunday First 2:0:0 a.m.).
Only rules cause rescheduling for the next year. You must set both the start and end dates before either will be scheduled.

End Of Daylight Savings Time = (OCTOBER SUNDAY LAST 2:00:00 AM)
Maximum Length: 78
Local date and time when the switch off of daylight savings time should occur. Formats include a simple date and time or rules introduced by a "(". For example: October 31 1993 2:0:0 am, (October 31 2:0:0 am), (October Sunday
Login script variables include the following:

# (execute external program)
Use this command (the # symbol) to execute a program that is external to the login script.
Command format: # [path] filename [parameter]

Replace filename with an executable file (files that end in .EXE, .COM, or .BAT). Do not include the extension. Replace parameter with any parameters that must accompany the executable file.

Using #
Use the # symbol followed by the name of the file you want to execute if you want the LOGIN utility to run a program external to the login script. Warning: This command fails when:
The given directory is invalid
Proper security rights are lacking
The executable file cannot be found
Insufficient workstation memory is available to load the file
Examples
To define a default print queue and printer, make the login script execute the NetWare CAPTURE utility. You may enter the following command in the login script, provided you have a search drive mapped to SYS:PUBLIC, where the NetWare utilities are stored:
#CAPTURE Q=PQ_HPLJET NB TI=10 NFF

No path is needed when the executable is located in a search path. When you do not have a search drive mapped to a directory, include the path to that directory in the command. For example, to run a batch file named PAYME.BAT in the EXPENSES directory, use the following format:
#Z:\EXPENSES\PAYME
Supplement 3: Login Script Variables
ATTACH
Use ATTACH to connect to a bindery-based NetWare server (NetWare 2 or NetWare 3), or to a NetWare 4 server using bindery services, while the login script is running.
Command format: ATTACH [server[/username[;password]]]

Using ATTACH
Replace server with the name of the NetWare server to which you want to attach. Replace username with the login name; if no username is included, the user is prompted for one when the ATTACH command executes. If the username and password are the same as the primary login username and password, you do not need the password and will not be prompted for it. Note: It is not a good idea to include passwords in a login script. Login scripts are stored where the user can read them (a property of the User, Profile or container object in NDS, or the SYS:MAIL user directory on a bindery server), so a password written there is readable by that user and by anyone else with Read rights to the property. Leave it out: the user is simply prompted for the password when the script reaches the ATTACH command.

Example
To attach user OSANCHEZ (whose password is JETSKIING) to a server named REPORTS (a bindery-based server running NetWare 3), add the following line to her login script:
ATTACH REPORTS/OSANCHEZ;JETSKIING
BREAK
Use BREAK ON to allow the user to terminate execution of the login script. The default is BREAK OFF.
Command format: BREAK ON|OFF

Using BREAK
If BREAK ON is included in a login script, you can press Ctrl+C or Ctrl+Break to abort the normal execution of your login script. When the BREAK option is ON, type-ahead keyboard input is not saved in the buffer.

CLS
Use CLS to clear the display from the workstation's screen during the login process.
Command format: CLS

Using CLS
When a user logs in, a login script may display messages on the user's workstation screen. If the CLS command is added to the login script, any messages generated by commands earlier in the login script are cleared from the screen.
COMSPEC
Use COMSPEC in the login script to execute DOS commands from the network. Specify the directory from which DOS and the DOS command processor (COMMAND.COM) are loaded. COMSPEC is originally set when DOS boots; it must be reset after you log in to change the location COMMAND.COM loads from while you're on the network.
Command format: COMSPEC=[path]COMMAND.COM

Replace path with either a drive letter or a full directory path starting with the NetWare volume name.

Using COMSPEC
If users are running DOS from a network directory, first map a search drive in the login script to that directory, then add the COMSPEC command. You may use a fake root to the DOS directory; for information about mapping a fake root, see MAP. When all users use the same version of DOS from the network, you can add the COMSPEC command to the container login script. When more than one version of DOS is used on your network, a network directory should exist for each DOS version; use COMSPEC commands in profile or user login scripts to make sure each workstation gets the version of DOS it needs. When users run DOS from their local drives, do not add COMSPEC to login scripts. To use an environment variable as the value in a COMSPEC command, precede it with the percent sign (%), as follows:
COMSPEC=%environment variable
CONTEXT
Use CONTEXT to set a user's current context in the Directory tree.
Command format: CONTEXT context

Using CONTEXT
To change the current Directory tree context, replace context with the context you want the user to be in after login. You may enter a complete name to move down through the tree, or use periods to move up toward the root, as with the workstation CX utility. The CONTEXT command only sets the context; it does not support all the options the CX workstation utility does.
Example
To change the context to the Organizational Unit LABRATS, under the Organization ACME, use:
CONTEXT .LABRATS.ACME

For a shortcut, you may type a single period instead of a container name to specify that you want to move up one level:
CONTEXT .

To move up two levels, enter two periods.

DISPLAY
DISPLAY shows the contents of a text file on a workstation's screen as the user logs in. This command works best with an ASCII file.
Command format: DISPLAY [path] filename

Replace path with either a drive letter or a full directory path starting with the NetWare volume name. Replace filename with the complete name and extension of the file.

Using DISPLAY
When you use DISPLAY to show the contents of a file on the screen, the exact characters in the file, including any printer and word-processing codes, appear on the workstation screen. To display only the text and suppress the codes, use FDISPLAY. No error is displayed at login if the given directory does not exist or if the file is not found.

Example
You put messages in a file called XTERRA.TXT, in the directory SYS:PUBLIC\MESSAGES, and want the file displayed to your users as they log in on Monday. Add the following lines to the login script:
IF DAY_OF_WEEK="Monday" THEN
   DISPLAY SYS:PUBLIC\MESSAGES\XTERRA.TXT
END
DOS BREAK
Use DOS BREAK to set the Ctrl+Break checking level for DOS. If DOS BREAK is set to ON, you can terminate a program (other than the login script) by pressing Ctrl+Break. This command is not the same as the BREAK command used to terminate a login script.
Command format: DOS BREAK [ON|OFF]
Using DOS BREAK
Enter the following command in the login script:
DOS BREAK ON

The default is DOS BREAK OFF.

DOS VERIFY
Use DOS VERIFY to verify that data written to a local drive is not written to a bad sector and can be read without error.
Command format: DOS VERIFY [ON|OFF]

Using DOS VERIFY
The NCOPY and DOS COPY commands do not by themselves make sure that data copied to a local drive can be read back after the copy. To verify every copy operation after login, add the VERIFY ON and DOS VERIFY ON commands to the login script, for network and DOS copies respectively. Because VERIFY ON can slow write operations, another option is to use the /V switch on the command line with each COPY or NCOPY operation. The default in the login script is DOS VERIFY OFF.

DRIVE
Use DRIVE to change the default drive while the login script is executing.
Command format: DRIVE [drive:|*#:]

Replace drive with a local or network drive letter, or replace # with a drive number. You may not use this command in the login script unless the drive letter or number has already been assigned earlier in the script.

Using DRIVE
The default drive is set to the first network drive unless changed by this command in your login script. Instead of specifying a drive letter such as F: or G:, you may use an asterisk followed by a number # to represent the #th network drive, which allows drive letters to reorder themselves automatically if earlier drive mappings are deleted or added.

Example
Use the DRIVE command to position the default drive so your end user won't have to change to it manually every time he logs in. Verify that the letter you want to connect to is valid, then enter the following command in the login script:
DRIVE S:
EXIT
Use EXIT to terminate execution of the login script and execute an external program.
Command format: EXIT ["filename [parameters]"]

Using EXIT
The length of information between quotes may not exceed your keyboard buffer length minus 1 (normally 15 - 1 = 14 characters). Use the EXIT command to stop the login script and execute a program, such as a word processing or menu program. See the # command. Put this command at the end of the login script, because it stops the login script from continuing. Use EXIT in an IF...THEN statement to exit the login script and run an external program if a certain condition is met. If the program you execute with the EXIT command requires any DOS paths or NetWare search drives, they need to be set in the login script ahead of the EXIT command. If you add EXIT to a container login script, it prevents the profile and user login scripts from running; putting EXIT in a profile login script prevents the user login script from running.

FDISPLAY
Use FDISPLAY to show the text of a word processing file on a workstation's screen when the user logs in. To display both the text and the printer and word processing codes of a file, or to display an ASCII file, see DISPLAY.
Command format: FDISPLAY [path] filename

Replace path with either a drive letter or a full directory path beginning with the NetWare volume name. Replace filename with the complete name and file extension of the file you want to display.

Using FDISPLAY
When you use FDISPLAY to display the contents of a word processing file on the screen, the text in the file is filtered and formatted so that only the text itself is displayed. FDISPLAY will not display tabs. If the given directory does not exist or if the file is not found, no error message appears on the screen when the user logs in. Note: There is a SAYIT.EXE freeware utility that displays messages better than the FDISPLAY command. Get it at Novell's Cool Solutions Web site.
Example
You may put messages in a file called YOUWON.TXT, in the directory SYS:PUBLIC\MESSAGES, and have your users see this file on their screens when they log in on Fridays. Container login script:
IF DAY_OF_WEEK="Friday" THEN
   FDISPLAY SYS:PUBLIC\MESSAGES\YOUWON.TXT
END
FIRE PHASERS
FIRE PHASERS signals the workstation to emit a phaser sound.
Command format: FIRE #

Replace # with the number of times you want the sound to occur.

Using FIRE PHASERS
Use this command by itself to generate the phaser sound whenever a user logs in. Use FIRE PHASERS with the IF...THEN command to make the sound play a different number of times depending on the circumstances of the login.

Example
The following line plays the phaser sound four times upon login:
FIRE 4

To use an environment variable as the number of times to fire, use % before the variable, as follows:
FIRE %environment variable

Either of the following lines fires the phasers five times on Thursdays:
IF DAY_OF_WEEK="Thursday" THEN FIRE 5

or
FIRE %#DAY_OF_WEEK

The identifier variable %#DAY_OF_WEEK yields a number that corresponds to the day of the week, counting Sunday as 1. Thursday is the fifth day of the week, so the phasers fire five times on Thursdays (and six times on Fridays).

GOTO
Use GOTO to execute a portion of the login script out of the regular sequence.
Command format: GOTO label

Use label to indicate where the login script should continue executing.
Using GOTO
Set BREAK ON in your login script before experimenting with GOTO loops so that you can break out of a login script if necessary. The GOTO command should not be used to enter or exit a nested IF...THEN statement.

Example
Use IF...THEN with GOTO to execute a loop of commands in your login script:
SET X="1"
AGAIN:
SET X=<X> + "1"   ;see compound strings for this
WRITE <X>
IF <X> < "9" THEN GOTO AGAIN

Each pass increments <X> (a DOS environment variable) by 1 and writes it; the IF...THEN test then looks at the value of <X>, and while it is less than 9 GOTO loops back to the AGAIN label. When <X> reaches 9 the test becomes false, the GOTO is skipped, and the script continues normally. See the IF...THEN command below.

IF...THEN
Use IF...THEN when you want the login script to perform an action only under certain conditions.
Command format:
IF conditional [AND|OR [conditional]] THEN
   commands
[ELSE
   command]
[END]

Replace conditional with identifier variables. Replace commands with the login script commands you want executed if the specified condition is met.

Using IF...THEN
Use IF...THEN statements to execute commands only under certain conditions. Examples of conditional statements are:
IF MEMBER OF "ADMINS"
IF DAY_OF_WEEK="FRIDAY"
The IF...THEN statements have the following syntax rules:
Use AND or OR to include two or more conditionals in an IF...THEN statement
Values of conditional statements must be enclosed in quotation marks
The ELSE statement is optional
IF, ELSE, and END must be on separate lines. THEN does not need to be on a separate line
If you include a WRITE command as part of the IF...THEN command, the WRITE command must be on a separate line
Table S3.1  Login Symbols

Symbol   Definition
=        Equals
<>       Does not equal
>        Is greater than
>=       Is greater than or equal to
SET PROMPT="$P$G"
WRITE "My path is %<PATH>"

To include an environment variable in a MAP command, precede the variable with a percent sign (%). For example, you might include lines in a login script to set and map a drive to the variable NCS:
SET NCS="C:\XYZ"
MAP S16:=%<NCS>
SET_TIME
Use SET_TIME to set the workstation time equal to the time on the NetWare server that the workstation first connects to.
Command format: SET_TIME ON|OFF

Using SET_TIME
The default value is SET_TIME ON, which means the workstation time is set to the NetWare server time whenever the user logs in. If you include SET_TIME OFF in the login script, the workstation time is not updated to the server's time.

SHIFT
Use SHIFT to change the order in which %n identifier variables are interpreted in the login script. SHIFT allows users to enter LOGIN parameters in any order.
Command format: SHIFT [#]

Replace # with the number of places you want the variables to shift; the default is SHIFT 1.
Using SHIFT You can shift up to 10 arguments. SWAP Use SWAP to move the LOGIN utility out of conventional memory into higher memory (if available) or onto the disk. This allows execution of a # command and LOGIN at the same time. Command format: SWAP [path ]
You can replace path with either a drive letter or a full directory path beginning with the NetWare volume name. TREE The TREE command may only be used with clients that support multiple Novell Directory tree attachments. Use TREE to attach to another Novell Directory tree within your network and to access its resources. The TREE command changes the focus of your login script, so that all NDS object references in subsequent script commands—for drive mappings, print captures, and so on— apply to the Novell Directory tree specified in the TREE command. You can include multiple TREE commands within a login script, either to attach to additional Novell Directory trees or to switch the login script’s focus back to a tree that you’re already attached to. Use TREE to authenticate to multiple Novell Directory tree within your network or switch to the login script’s focus back to a tree that you’re already attached to. You must either use the same passwords for all trees used, place the password(s) in plain text in the login script, or just place the tree command in the login script with no password and you will be asked for your password. TREE treename/fdn-of user-object TREE tree_name [/complete_name [;password]]
Realize that the TREE command changes the focus of your login script. All NDS object references in subsequent script commands (e.g., drive mappings, print captures, etc.) apply to the Novell Directory tree specified in the TREE command.
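As an added example (not from the book), here is a small Python check for the TREE command format above: it finds TREE lines that carry a plain-text password after the semicolon and rewrites them so LOGIN prompts for the password instead. The login script it scans is constructed for the example; the tree and user names in it are made up.

```python
"""Find plain-text passwords in NetWare login-script TREE commands.
Added example, not the book's code.  It parses the format given above,
    TREE tree_name[/complete_name[;password]]
reports the lines whose TREE command embeds a password, and rewrites them
without it so LOGIN prompts for the password instead.  The script below is
constructed for this example; its tree and user names are made up.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample login script (not from any real site).
SAMPLE_SCRIPT = """\
MAP ROOT F:=ACME_SERVER/SYS:USERS\\%LOGIN_NAME
SET_TIME OFF
TREE ACME_TREE/.jdoe.sales.acme;S3cret
TREE ACME_TREE
TREE HR_TREE/.jdoe.hr.acme
tree LAB_TREE/.jdoe.lab.acme ; labpass
WRITE "Good %GREETING_TIME"
"""

@dataclass
class TreeCommand:
    line_no: int
    tree_name: str
    complete_name: Optional[str]
    has_password: bool

# TREE tree_name[/complete_name[;password]]; the keyword is case-insensitive
# and spaces around "/" and ";" are tolerated.
_TREE_RE = re.compile(
    r"^\s*TREE\s+(?P<tree>[^/;\s]+)"
    r"(?:\s*/\s*(?P<name>[^;\s]+))?"
    r"(?:\s*;\s*(?P<pw>\S.*?))?\s*$",
    re.IGNORECASE,
)

def parse_tree_commands(script: str) -> List[TreeCommand]:
    """Return every TREE command in the script, in order of appearance."""
    found: List[TreeCommand] = []
    for n, line in enumerate(script.splitlines(), start=1):
        m = _TREE_RE.match(line)
        if m:
            found.append(TreeCommand(n, m.group("tree"), m.group("name"),
                                     m.group("pw") is not None))
    return found

def find_embedded_passwords(script: str) -> List[int]:
    """Line numbers of TREE commands that carry a password in the script."""
    return [t.line_no for t in parse_tree_commands(script) if t.has_password]

def strip_passwords(script: str) -> str:
    """Drop the ;password part of every TREE command so LOGIN prompts for it.
    Other lines are returned unchanged."""
    out = []
    for line in script.splitlines():
        m = _TREE_RE.match(line)
        if m and m.group("pw") is not None:
            line = line[: m.start("pw")].rstrip().rstrip(";").rstrip()
        out.append(line)
    return "\n".join(out) + ("\n" if script.endswith("\n") else "")

if __name__ == "__main__":
    for n in find_embedded_passwords(SAMPLE_SCRIPT):
        print(f"line {n}: TREE command stores a password in the login script")
    print(strip_passwords(SAMPLE_SCRIPT))
```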
Table S3.2 Write Command Switches
Character   Meaning
\r          Makes a carriage return occur
\n          Starts a new line of the text
\"          Displays a quotation mark on the screen
\7          Makes a beep sound
Table S3.3 Write Command Operators
Operator   Meaning
*/%        Multiply, divide, percentage
+-         Add, subtract
>>         Shift right (3 becomes 1)
WRITE
Use WRITE to display messages on the workstation screen when a user logs in.
Command format: WRITE "[text]" [%identifier] [;][identifier]
Replace text with the words you want to display on the screen. Replace identifier with a variable you want to display, like a user’s login name.

Using WRITE
Text you want to display must be enclosed in quotation marks. Variables can be displayed in several ways; how a variable appears depends on how you enter it in the WRITE command. To display a variable inside the text, enclose the identifier variable inside the quotation marks, precede it with a percent sign (%), and type it in uppercase letters. Text strings may include the special characters listed in Table S3.2. There are additional operators you can use to form compound strings—in addition to the semicolon—to join text and identifier variables into one command. These operators are listed in Table S3.3, in order of precedence.

Examples
WRITE "Bonjour"
WRITE "You’re late," ;%LAST_NAME
WRITE "Why so glum?, %LAST_NAME"
WRITE "Good %GREETING_TIME" \7
3 NDS Management
NDS is the emphasis of Novell now. Knowing NDS is not a given. I’ve found very few administrators who know NDS. NDS is both simple and complex. I can’t tell you how many times I’ve been in technical training sessions with administrators who think that running DSREPAIR is all you have to do to maintain NDS. Novell often describes NDS as a distributed, hierarchical naming, object oriented, global, replicated, and partitioned database. Novell has made NDS the centerpiece of its future—at one time it was, of course, the NetWare OS. You know, by now, that a directory service is a special database. Its purpose is to allow logical, immediate access to objects (printers, servers, applications, policies, whatever you define as objects) based on access privileges and regardless of physical location. Roughly, the NDS database works like this:
A resource is requested by some client ➝ response from server ➝ the object is located in NDS ➝ location of resource ➝ validity and authority of requesting client verified ➝ client is connected to resource
For more information on NDS or other Novell products mentioned, consult http://www.novell.com/documentation/ and http://www.novell.com/products/nds. Novell has banked its future on NDS. I have not seen any news on a server OS past NetWare 6. There was a time that NetWare 5.1 was considered the last NetWare platform. I certainly hope that’s not true, but it looks like it will be Linux, SUN, and Windows 2000 from here on. NDS, though, will run on all of those platforms, and more.
I’ve seen NDS run on a mainframe at BrainShare 1999. I have never seen it since—it was supposed to come out not too long after that. Understand that a directory service is apparently not a compelling reason to buy a NOS. If it were, you would see SUN, IBM, and Linux adopt one. Microsoft’s Active Directory certainly is a good 1.0 directory, but even they haven’t ported SQL, SMS, and many of their other applications completely to Active Directory. Novell is betting the farm on a directory service being the central “identity” or authentication point. They, seemingly, are the only ones. Time will tell if they are visionaries or horribly wrong.
3.1 NDS Administration Guide
Novell now publishes the eDirectory Administration Guide online. I highly recommend it. It is 504 pages and free. Great news. Find it at www.novell.com/documentation/lg/ndsam/pdfdoc/taoenu.pdf.
3.2 NDS versions and types
NDS, unlike Active Directory, which is integrated into the OS, runs as a separate application on top of the OS/NOS. Therefore, NDS may be upgraded without having to always upgrade the NOS. NDS runs on NetWare, NT, Windows 2000, Linux, Compaq Tru64, and IBM’s AIX operating system. Novell keeps adding OSes, so check back often. The legacy NDS database we most often refer to is NDSv7 for NetWare 4.11. NDS in NetWare 4.11 was as solid as a rock. Clients tell me they could golf and never worry about their NOS or NDS directory service. This is no longer the case.
3.2.1 Versions
NDS comes in the following versions:
NDS—Just plain NDS, which we refer to as versions 6.x and 7.x.
SKADS or NDSv8—SKADS was the code word for NDS 8. It stands for super kick-ass directory services. Seriously.
TAO, the new NDSv8—The latest version of NDS, TAO supports filtered replicas, DirXML and other advanced feature sets. Look for information on iMonitor—the new NDS troubleshooting utility—found in NetWare 6.
Novell Account Management version 2.x (formerly called Corporate Edition)—Novell Account Management NDSv8 is Novell’s new super-charged billion-user object directory service. BrainShare demos have shown billion-user trees on servers and one Solaris server. NDSv8 exists in two forms, Novell Account Management and eDirectory. Novell Account Management distinguishes itself as a file and print plus user account management directory service. It is the evolution of NDS 7.x versions. Novell Account Management has been enabled to run on several platforms (and is scheduled for more) and is managed by ConsoleOne/NetConsole.
eDirectory—NDSv8 is eDirectory and is tailored to Internet usage. It can run on various operating systems such as NT 4.0, NT2000, Linux, Solaris, OS390, etc. NDS eDirectory has no support for file and print integration—it is solely used as the entry/authentication point into your Internet/Intranet. The newest version of eDirectory is the version code named TAO.
3.3 Which NDS version should you use?
The latest. I don’t mean to be smart, but being in the field at some of the largest NetWare/NDS clients has shown me the need for fresh code. Obviously, fresh code doesn’t fix every bug, and new code introduces new bugs, but the evolution of Novell products has taught me that newer is generally better. Even if you don’t need a billion-user tree with millions of objects in each partition, you should be using NDSv8. This is a no-brainer for clients that use the directory for more than just network access, file, and print. If you are using DNS/DHCP, any ZEN product or other directory-enabled product, you are putting double or triple the amount of objects into the tree. Novell’s internal IS department reports (found in the Novell Beige Papers—www.tinypineapple.com/luddite/beigepapers) that it went from 18,000 NDS objects to 120,000 after implementing DNS/DHCP. The size of the old database was almost cut in half (before adding DNS/DHCP) from 200MB to 110MB by using NDSv8—pretty cool to add more than five times the objects and still cut the amount of space used by the database. This is because of the power of the FLAIM database, used first by Novell’s GroupWise and now by NDS (Microsoft uses its JET database for Active Directory, which was first used by and made for Exchange). NDSv8 uses the Direct File System (DFS), which lets the database control the data directly.
NDSv8 is more scalable, more stable, more reliable, faster, smaller and supports more advanced features (LDAPv3, Filtered Replicas, DirXML, etc.) than its version 7 cousin. If that doesn’t excite your upper management, use Novell’s marketing stuff online @ www.novell.com/products/nds and tell them it is a free upgrade—nothing can get attention faster from a budget-monger than the words free upgrade.
3.3.1 Upgrading to NDSv8
The following are my recommendations for upgrading to NDSv8. You may upgrade through a file or CD ROM:
:NWCONFIG ➝ Product Options
Or you may upgrade DS versions through an OS upgrade to NetWare 5.1 or 6, which gives you the option of upgrading to NDSv8. I would recommend upgrading your OS to the latest and greatest—especially if you have purchased upgrade protection from Novell. NetWare 6, though, may be the exception. NetWare 6 mostly provides multiprocessor upgraded NOS modules and other minor pieces which may not be necessary for many smaller installations. Before you upgrade:
Verify time synchronization in DSREPAIR—fix it if it is broken. Also, verify you are using the same TIMESYNC.NLM on your servers—that is, the same version on all servers running the same version of NetWare.
Repair the database until you have no errors (though sometimes NDS will always report a couple of errors). Troubleshoot all synchronization problems.
Back up your old database. Use your backup software to back up NDS. Afterwards create a dump file:
:DSREPAIR ➝ Advanced Options ➝ Create a database dump
or
:DSREPAIR –rc
Realize that a large database may take a couple of minutes to create the file.
Verify that you have IPX running on the server—Novell requires it for an upgrade
Verify you are using the latest DSREPAIR.NLM version available—if not, download it and put it on your server. Some older versions do not fix database errors properly. DSREPAIR > Time Synchronization will list the DS.NLM versions
Start upgrading at the [Root]. There are many arguments about where to start. Some say never at the [Root], some say always at the Master of the [Root]. I like to start, at least, somewhere in the [Root] partition—I like the Read/Write. You are, obviously, going to do all testing in a lab first.
Finish upgrading the [Root] partition, then work your way through the tree at your discretion—work at upgrading within replica rings completely before going to the next, if possible.
Know that a mixed version NDS tree (NDSv8 and NDSv6 or NDSv7) will experience some errors and problems.
Force a replica sync and update your backlinks after you finish the upgrade:
:SET DSTRACE=*U
:SET DSTRACE=*S
:SET DSTRACE=*SSA
:SET DSTRACE=*H
:SET DSTRACE=*B
After you upgrade to NDS eDirectory, you may see –601 errors on NetWare 4.11 servers trying to authenticate to the NDS eDirectory server. Verify you have the latest DSREPAIR.NLM (usually on the eDirectory download site) on each of the NetWare 4.11 servers in the same replica ring and select Verify Remote Ids.
Stay on top of your NDS health by doing NDS health checks. NetPro provides a great solution for your NDS health check needs—DS Expert. www.netpro.com.
Note: I can’t overstate the importance of NDS health (and of a monitoring utility for medium to large enterprises). Working with developers has convinced me of the need to constantly monitor your NDS health and be proactive with problems. I learned the term code rot. That simply means that code sits around until it breaks. Your job is to monitor, patch, work around, and proactively fix, before it breaks. Relax, it is a theoretical joke.
3.4 NDS terminology
Dilbert teaches us how to talk like managers, router boy talks in routing algorithms of shortest path, and NetWare NDS techies need to learn NDS lingo. If you work with NDS every day, you need to read and understand this section. As some of you reading may be Active Directory administrators, I contrast Active Directory with these terms at the end of this chapter.
3.4.1 Tree
Objects can exist singly and access resources globally within an authenticated domain, called a tree. There can be only one [Root]. The [Root] represents a single name space.
Best Practice: When naming a tree, use the name, an underscore and TREE—ACME_TREE—as it is easier to distinguish in sniffer traces and other server display settings for troubleshooting.
3.4.2 Partitions
The NDS database can be broken into smaller pieces called partitions. Partitions are managed by NDS Manager in the SYS:PUBLIC\WIN32 directory or, more recently, through ConsoleOne/NetConsole. Any user with Supervisor rights to the partition object, almost always an OU, can completely manage the partition—anything less than full Supervisor rights to the partition object will not allow the user to manage the partition. A partition should not usually span a WAN. “Never span the WAN,” Novell used to say. The information replicated is based upon time stamps. Using time stamps means that your entire enterprise of NetWare servers must share the same time. Active Directory uses Update Sequence Numbers (USN). An NDS tree can contain many (hundreds of) partitions. You may view the partitions on any server by using one of the aforementioned management tools or:
:DSREPAIR ➝ Advanced Options ➝ Replica and Partition Operations
Best Practice: I like the DS Designer third-party utility to document and model the NDS tree(s). www.dsdesigner.hypermart.net

You can create partitions with ConsoleOne or NDS Manager.

Partition root entry information
Successful NDS operations need information contained in the partition root entry. This attribute and value information must include:
Replica Pointers—The local server stores a pointer to the remote servers that contain a replica of this partition (the replica ring servers). This pointer structure contains the server’s ID, address, the type of replica (master, read/write, subordinate) stored on the server, and other attributes and values.
Partition Control attribute—Tracks the progress of operations such as splitting and joining partitions and repairing timestamps.
Partition Status attribute—Local server attribute to store information about the success of the last synchronization cycle.
Synchronized Up To attribute—An attribute to store timestamp information that indicates the last update the local replica received from each remote replica—NetWare 4.x servers only.
Transitive Vector attribute—Introduced in NetWare 5.x, the transitive vector attribute lets servers store information about each replica in the ring, including a modification timestamp. It is used to make NDS replication more efficient.
Don’t concern yourself with partition root entry information. It is not information you will need—it is background information that you don’t really see, and it is used here to teach the concepts of NDS.
3.4.3 Replicas
To provide fault tolerance to a partition, replicas, or copies, of the partition may be made. It is possible, though not advisable, to make many copies of a partition. A server may contain an unlimited amount (theoretically) of replicas. I think the most I have seen is 130—which is too many. It is hard to give specific numbers as your design is dependent upon many variables.
The best tool to model your tree for an upgrade or a new design is DS Designer. http://dsdesigner.hypermart.net/. Public NDS design guidelines are discussed in the following sections.

NDS replica design and placement principles—very important
The replica design principles are slightly different for NDSv8 than previous versions. Check the Novell Website for basic information: www.novell.com/coolsolutions/nds/basics.html. Your replica design should give you:
Fault tolerance and high availability (more than one replica of a partition)
Fast user login and name resolution
Low WAN impact (don’t “span-the-WAN”)—actually, you’ll have to sometimes, but the principle says not to when you can help it. Realistically, larger bandwidth WAN links (256KB and up) are not usually a problem—unless you are swamped with other network traffic.
Realize that there are trade-offs to every design need. Your job is to determine where the points of diminishing returns are. Of course the best fault tolerance is to have a replica on every server, but you can’t afford the network traffic or the possibility of the replica having too many partners to finish its mandatory synch within each 30-minute interval. If a replica ring does not finish synching in 30 minutes, it keeps running the synch process until it can. Novell’s recommendations are to use replicas to provide:
Local name resolution
Bindery service access—any server that supports BINDERY emulation must have a replica of the bindery context it is supporting
Novell gives replica design principles, like:
Three replicas minimum for fault tolerance
Fast authentication of clients—clients need an NDS server (SAP type 278) to authenticate to. The login process is explained in Chapter 9 under Security.
No more than 15 per server. Novell has updated its recommendation to 20 per server. This is an important number as outbound synchronization is a multi-threaded process, while inbound replication is a single threaded process—meaning that a server with many replicas might show high CPU utilization because of the queued synchronization processes waiting for a chance to update their partition. I’ve seen more than 130 replicas on a server before. It stayed above 80% utilization all of the time. Note that using a multiprocessor server would do no good as the inbound synch process will still use only a single thread. The only answer is to split the partitions between several servers—I recommend staggering the Master replicas wherever the administration is being done (centrally versus de-centralized). NDSv8 says that a dedicated replica server (a server used for NDS only—no file and print, user home directories, etc.—you get the idea) may have 150 to 200 replicas. I have never seen or heard of this kind of design, but I guess it must be possible if Novell published the numbers—they will be responsible for supporting it too. An NDSv8 non-dedicated replica server is limited to 50 replicas.
No more than 10 replicas per partition. NDSv8 says unlimited, but I wouldn’t believe it.
Design replica placement based on your WAN infrastructure
Partitions should contain no more than 5000 objects (1500 max. is recommended). Novell has updated its site to say 10,000 objects— whatever.
Minimum server RAM should be 64 MB—I recommend a minimum of 128. RAM is cheap; better yet, use 256 and fast I/O access. If you have 50+ NetWare servers, you should consider 256 MB RAM as a minimum. Remember, NetWare is a cache- and I/O-intensive NOS—not CPU intensive. See later in this chapter for more tuning recommendations.
Note: The eight-byte entry field imposes a technical limit of 64,000 entries per partition.

Replicas are designated as Master, Read/Write, Read Only, and Subordinate. Again, replicas are best viewed with NDS Manager, ConsoleOne or the third-party DS Designer. I have been at many clients that have sorely abused replicas. One client had 21 replicas of one partition. This is crazy. NDS must synch every 30 minutes, and trying to synch 21 replicas in 30 minutes, along with all of the other many partitions, will probably cause NDS synch problems which will manifest themselves in different ways. Synchronization between partitions causes all servers in the replica ring to contact each other—subordinate replicas are included in the synch process. Therefore, a replica ring of a partition put on 20 servers equals 380 routes—20 servers each contacting 19 partners. Consider 380 routes, some probably across WAN links, each needing to contact and update each other. Outbound synchronization is multi-threaded; inbound synchronization is single threaded.

Availability of the directory
Novell provides the ability to partition off small pieces of the database—at any OU level—for redundancy and load sharing. Users may notice faster logins when a replica of their partition exists on their local LAN. Replication provides performance enhancements for directory queries too.

Replica ring
All servers given copies of any particular partition participate in a replica ring. NDS synchronization requires that all partitions communicate constantly to share NDS database changes.

Master replica
The master replica is the authoritative source for all replicas in any partition. It is the first created replica type of any partition. The master initiates and controls partition operations, answers object reads and writes, accepts client updates, bindery information and tree authentication and connectivity. Any replica can be promoted to a master replica through DSREPAIR, NDS Manager and/or ConsoleOne. When you promote a replica, the old master is demoted to a Read/Write replica.

Read/write replicas
Read/Write replicas do everything that the master replicas do, but are not the authoritative source of information and do not initiate synchronization. Fault tolerance and increased performance—at the expense of synchronization traffic—are the read/write replica’s purpose in life. Novell recommends at least 2 read/write replicas for every master.
Do not exceed 10 replicas, if possible. Try not to “span-the-WAN,” which means don’t put a copy of a replica across a slow link, if possible.
Read only replicas
Read only replicas are for object reads, fault tolerance and tree connectivity. Do not use or concern yourself with the use of read only replicas—they are part of the X.500 standard. Design your tree with a master replica and at least two read/write replicas—taking into account the reduction of subordinate replicas.

Subordinate replicas
Subordinate replicas are made automatically, never manually, when a parent replica of a partition is placed on a server without having the child. Subordinate replicas are like icons—a shortcut pointer to where the real information is. A subordinate replica is used for tree connectivity and does participate in NDS synchronization. Subordinate replicas contain only a partition root object. Subordinates are to be avoided, but not treated like the plague. Do not delete them. Larger implementations cannot help but have them—just keep subordinates to a minimum. Reduce the number of subordinates by reducing the number of parent replica partitions.

Replica states
Replica states are used to troubleshoot replica/synchronization problems—for experienced, advanced administrators. Replica states may be viewed when looking at DSREPAIR information:
On
New
Dying
Locked
Change type 0, 1
Transition on
Split 0, 1
Join 0, 1, 2

Logins affect replicas
When a user authenticates (logs in successfully), user properties are updated—network address, login time, last login time, and revision. An authenticating client needs a master or read/write replica to update these property values. As these values are updated in a replica, they are synchronized to the rest of the replica ring. When a user logs out, the network address and revision property values are updated. To see the effect of logins on NDS, use NetPro’s DS Analyzer. This is the only tool I know that can effectively relate the impact of group membership and ZEN policies on login—which are probably the two largest “slow logon” culprits.
3.4.4 Synchronization/replication
A directory is read, maybe, a hundred times more than it is written to. Therefore, a directory is optimized, by the vendor, for reads. Data in directories is loosely consistent, which means that it is possible to have different information in the directory in two places. At the determined synchronization time, NDS automatically updates all information in a partition with the Master Replica. Some attributes are flagged to synchronize immediately—DS_SYNC_IMMEDIATE—like user passwords, while other information is not as important, like phone numbers, and will wait to be synchronized at the pre-set Novell NDS programmed 30-minute interval. The 30-minute interval makes it difficult (though not impossible) to synchronize with more than 10 replicas in one partition replica ring; thus, the recommendation to have no more than 10 replicas—three to five recommended—for any one partition. Changes to any object must be time stamped (via timesync) and updated to all parts of the partition, or replica ring. Synchronization requires network bandwidth and server CPU cycles. For example, each login triggers a synchronization of the entire partition within minutes and causes a slowdown for the server holding the partition. Outbound synchronization is multithreaded, but inbound replication uses a single thread—same as Active Directory. NDS synchronization schedule:
Immediate Sync—10 seconds after save
Slow Sync—22 minutes after a change (like a logout)
Schema synchronization—every 4 hours
Heartbeat—every 30 minutes
Limber—5 minutes after boot, then every 3 hours
Backlink—2 hours after boot, then every 13 hours
Connection management
Server status check—every 6 minutes
Synchronization is an NDS background process that is event driven. Synchronization can be triggered manually, as you’ll see later. In the NDS code, synching is sometimes referred to as skulking. Skulking is the process to make sure that all replicas have the same information when no changes have occurred. The heartbeat process is an example of skulking.
:SET DSTRACE=ON
:SET DSTRACE=*H
Each server must authenticate to the other servers in its replica ring to send and receive changes. Disabling login (through the server console command) will not only keep users from logging in, but also keep servers from authenticating to each other.

Synchronization traffic
Realize that synching takes up network bandwidth. The following NDS processes generate network traffic:
Immediate sync—only changes (deltas) sent
Slow sync—viewed by:
:SET DSTRACE=ON
:SET DSTRACE=+SYNC
:SET DSTRACE=+IN
Heartbeat process—force started by: SET DSTRACE=*H
Note: Read-only and subordinate replicas participate in the heartbeat process
Schema sync process—forced by: :SET DSTRACE=*SS
Viewed by: :SET DSTRACE=+SCHEMA
Limber process—forced by: :SET DSTRACE=*L
Viewed by: :SET DSTRACE=+LIMBER
Backlink process :SET DSTRACE=*B
Viewed by: :SET DSTRACE=+BLINK
Connection management process—viewed by: :SET DSTRACE=+VCLIENT
Server status check process
Fast synchronization
Fast synchronization occurs 10 seconds after a selected client update occurs on the server. Property values that cause a fast sync are defined by the NDS internal code. A password change is an example of a fast sync process.

Slow synchronization
Slow sync works at 30-minute intervals. Every replica must synchronize every 30 minutes. This is one reason to keep your number of replicas under 10. Too many replicas can cause the partition (thus the CPU) to thrash constantly and never finish synching. The slow sync is sometimes called the heartbeat. You may initiate a sync heartbeat by:
:SET DSTRACE=*H
Password change effect on synchronization
I’m often asked how a password change affects NDS and the synch process. After a user changes a password, the public key for the user’s object is updated. The password is immediately (10 seconds after it is saved to the database) synched to all servers in the replica ring. Servers with external references to the object also need to be updated, but this is not done automatically. When a user request hits a server with an external reference, the server returns a –669 error to a server holding the object. The replica server holding this object should then know that the server holding the external reference needs an updated public key, and should synchronize—which will then allow the user to authenticate to that (external reference) server with the new password. If this process gets held up (which it sometimes does for a number of reasons) the backlinker process will automatically resolve the problem when it runs (within 13 hours).
3.4.5 Synchronization design considerations
How do you know if your tree design is working optimally? Novell doesn’t have a utility to tell you how to design your tree, only guidelines. NetPro is a third-party vendor that sells two great NDS products. DS Analyzer is an NDS sniffer. DS Expert is a health and alerting application. Designing your NDS tree is the most important part of your NetWare deployment/migration/upgrade. Novell doesn’t really put out too much information about NDS tree designs. It would rather you purchase consulting time to design your network. You are stuck, if you have a big tree, because there are very few people outside of Novell that can give you good information. I’ve been involved with several “experts” that have done more damage than good. You are going to have to go with Novell Consulting if you have a medium to large tree for the best information.

Again, outbound synchronization is multi-threaded, but inbound replication uses a single thread. When planning replica placement, realize that each replica server must contact all of the others with the same replica (called a replica ring). So the formula is on the order of O(n²), that is, n squared. Twenty replicas on a server with 20 other replicas per partition would equal about 400 synch patterns—which is too many.

Make sure that router boy does not block IPX SAP types 278 (used by servers to locate other replica servers), type 4 (used by servers to identify other NetWare servers) or type 26B (used by the NetWare servers for time synchronization). Never ever let router boy filter IPX RIP broadcasts.

TAO—The new NDSv8
The latest version of NDS, TAO supports filtered replicas, DirXML and other advanced feature sets.
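Added example, not from the book: a Python check that applies the replica design numbers from this section (three to ten replicas per partition, no more than 20 per non-dedicated server, 5,000 objects per partition, avoid spanning the WAN) to a replica placement and computes the n(n-1) synchronization routes of each ring. The server names, sites and object counts are constructed; the Replica, Finding and check_design names are this example's own.

```python
"""Check an NDS replica placement against the design numbers in this section.
Added example, not the book's code; server names, sites and object counts
are constructed.  Rules encoded from the text: exactly one master per
partition; three to ten replicas per partition; at most 20 replicas on a
non-dedicated server; at most 5,000 objects per partition; avoid rings that
span the WAN; every ring member contacts every other member, so a ring of
n servers produces n * (n - 1) synchronization routes (20 servers -> 380).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

MIN_REPLICAS_PER_PARTITION = 3
MAX_REPLICAS_PER_PARTITION = 10
MAX_REPLICAS_PER_SERVER = 20      # Novell's updated figure for a non-dedicated server
MAX_OBJECTS_PER_PARTITION = 5000

@dataclass(frozen=True)
class Replica:
    partition: str
    server: str
    kind: str   # "master", "rw", "ro" or "sub" (subordinate reference)

Finding = Tuple[str, str, str, str]   # (severity, subject, rule, detail)

def sync_routes(ring_size: int) -> int:
    """Routes in a ring whose members all contact each other."""
    return ring_size * (ring_size - 1)

def check_design(replicas: List[Replica], objects: Dict[str, int],
                 site: Dict[str, str]) -> List[Finding]:
    """Apply the design rules.  Subordinate references count as ring members
    because the text says they take part in synchronization."""
    rings: Dict[str, Set[str]] = defaultdict(set)
    masters: Dict[str, int] = defaultdict(int)
    per_server: Dict[str, int] = defaultdict(int)
    for r in replicas:
        rings[r.partition].add(r.server)
        per_server[r.server] += 1
        if r.kind == "master":
            masters[r.partition] += 1
    findings: List[Finding] = []
    for part in sorted(rings):
        n = len(rings[part])
        if masters[part] != 1:
            findings.append(("error", part, "master_count",
                             f"{masters[part]} master replicas, need exactly one"))
        if n < MIN_REPLICAS_PER_PARTITION:
            findings.append(("warn", part, "too_few_replicas",
                             f"{n} replica(s); no fault tolerance"))
        if n > MAX_REPLICAS_PER_PARTITION:
            findings.append(("error", part, "too_many_replicas",
                             f"{n} replicas = {sync_routes(n)} routes every 30 minutes"))
        sites = sorted({site[s] for s in rings[part]})
        if len(sites) > 1:
            findings.append(("warn", part, "spans_wan",
                             "ring spans sites " + ", ".join(sites)))
        if objects.get(part, 0) > MAX_OBJECTS_PER_PARTITION:
            findings.append(("warn", part, "too_many_objects",
                             f"{objects[part]} objects; consider splitting the partition"))
    for server in sorted(per_server):
        if per_server[server] > MAX_REPLICAS_PER_SERVER:
            findings.append(("error", server, "server_overloaded",
                             f"{per_server[server]} replicas; inbound sync is single threaded"))
    return findings

def sample_placement():
    """Constructed placement: three HQ servers and twelve branch servers."""
    site = {s: "HQ" for s in ("HQ1", "HQ2", "HQ3")}
    site.update({f"BR{i:02d}": f"Branch{i}" for i in range(1, 13)})
    reps = [Replica("[Root]", "HQ1", "master"),
            Replica("[Root]", "HQ2", "rw"), Replica("[Root]", "HQ3", "rw")]
    # Sales copied to every branch server: too many replicas, and it spans the WAN.
    reps.append(Replica("OU=Sales", "HQ1", "master"))
    reps += [Replica("OU=Sales", f"BR{i:02d}", "rw") for i in range(1, 13)]
    # Eng has a small ring that still spans the WAN.
    reps += [Replica("OU=Eng", "HQ1", "master"),
             Replica("OU=Eng", "BR01", "rw"), Replica("OU=Eng", "BR02", "rw")]
    # Lab has a single replica: no fault tolerance.
    reps.append(Replica("OU=Lab", "HQ2", "master"))
    # Eighteen departmental partitions all mastered on HQ1 push HQ1 past 20 replicas.
    for d in range(1, 19):
        p = f"OU=Dept{d:02d}"
        reps += [Replica(p, "HQ1", "master"),
                 Replica(p, "HQ2", "rw"), Replica(p, "HQ3", "rw")]
    objects = {"[Root]": 120, "OU=Sales": 7200, "OU=Eng": 900, "OU=Lab": 40}
    return reps, objects, site

if __name__ == "__main__":
    reps, objects, site = sample_placement()
    for severity, subject, rule, detail in check_design(reps, objects, site):
        print(f"{severity:5} {subject:10} {rule:18} {detail}")
```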
Filtered replica types
The filtered replica types are:
Sparse Read/Write—Contains only desired classes
Fractional Read/Write—Contains only desired attributes
Sparse replicas can be created only if the master partition is on a TAO NDS version server. The ERR_ILLEGAL_REPLICA_TYPE error message will otherwise be generated. Sparse/Fractional replicas are useful for the following reasons:
Permits administrators to limit the amount and type of data per server
Custom tailors applications to access local data more efficiently
Decreases search time
Decreases synchronization of undesired attributes
Decreases size of NDS database on the server
Customizable indexes (which enhance performance)
DirXML and LDAP use sparse replicas
Read/Write replicas allow modifications to attributes and classes if all mandatory attributes are within the filter. Read only do not allow local modifications.
TAO filtered replica synchronization
A replication filter contains a list of wanted classes and attributes. Each server may have only one filter—therefore, every sparse/fractional replica on a server must use the same filter. Inbound synchronization occurs on all types of replicas—regardless of NDS version. Outbound synchronization must be controlled—since filtered replicas contain only a subset of NDS information. Outbound changes are not dependent upon NDS versions but have limitations. For example, changes can only be sync’ed to partition roots. TAO can filter outbound changes to reduce network traffic. New DSTRACE commands are introduced:
:SET DSTRACE=*OD
Disables outbound filtering.
:SET DSTRACE=*OE
Enables outbound filtering.
3.4.6 Bindery emulation
Bindery emulation is a bad word in the realm of NDS speak. It automatically requires a replica on each server supporting bindery services and causes the server to support bindery connections, which are single threaded, unlike NDS connections. All bindery requests to the server are made over a single bindery thread that can monopolize the CPU. NDS is multi-threaded and uses the CPU more efficiently. Bindery access is very limiting too. A bindery user is limited to accessing resources only inside the bindery contexts he has an object in. Access to resources outside his context would require a replica on the server accessed, or an object has to be redefined. Bindery objects are able to recognize only NDS users, groups, print queues, print servers and bindery objects. Display the bindery context for any server by:
:CONFIG
NDS version 8 (eDirectory) provides two bindery QoS parameters. The defaults in NDS version 8.59 are:
NDS Bindery QoS Mask = 8
NDS Bindery QoS Delay = 150
Search for a TID if you are having problems with bindery emulation and using NDS version 8. I have experienced several significant client problems with bindery emulation. One client used Microsoft’s NetWare services with bindery emulation which causes many users to use the same NetWare bindery client login connection. You read that right, one connection. You can’t really scale past ten users using the same connection. Another client was using Microsoft’s SMS desktop management product that used the NetWare server as a workstation software staging point, but used one bindery connection for all users—at the same time. It drove the NetWare server’s utilization to 90%+. The client told us to fix the problem (which was not ours to fix) or they were going to replace NetWare. That was the first time I have ever heard a customer tell a NOS vendor to fix a third-party software problem or they will replace the major NOS. Only one company can muster that much power (marketing) in its third party software.
Chapter 3
Best Practice: Upgrade or replace all bindery-dependent software programs and hardware devices. Major culprits are old NetWare workstation clients and older print devices.
3.4.7 Schema
Schema are rules. A directory service has rules about what is allowed in the directory. For instance, every user object requires a password, a login name, and a login time property. Schema defines the rules as to what objects can exist in an NDS database tree, the relationships between object types (e.g., users can go into groups, groups do not have passwords, etc.), and lastly the information (stored as attributes) that can and must be maintained by each NDS object. NDS uses an extensible schema format that defines the rules for data types, that is, what kinds of objects can exist in NDS. There are three data types:
Object classes: Each object belongs to an object class that specifies which properties or attributes can be associated with the object
Attribute type definitions: Identify and define the syntax for the values of each attribute an object stores
Attribute syntax definitions: Define the type of data that an NDS attribute stores
Other good schema info includes Novell's Developer Notes "NDS Schema Overview" (October 1998) on http://developer.novell.com/research and the Logic Source CDs (there are two for NDS).
Extending the NDS schema
The NDS schema, like any LDAP v3 compatible directory service schema, is extensible. This allows for greater use of the directory as a policy and management tool. Novell lets you use ConsoleOne/NetConsole, Schemax or Schema Manager to extend the NDS schema; you must have Write rights to the [Root] to extend the schema. As you add products that are "directory-enabled," you extend the schema. For example, when you load DNS/DHCP from the product OS CD-ROM, you copy an .SCH file from the CD that extends the database schema. Schema extensions should be loaded at the [Root] of the NDS tree, that is, on one of the servers that holds the master or a read/write replica of the [Root] partition. Schema extensions are replicated across the tree and down; they do not travel up the tree. These extensions need to be copied down the entire tree: every DS server needs to accept the schema extension change. Sometimes these changes do not get replicated down the tree and cause problems. Later in this chapter I show how to force schema synchronization down the tree. My consulting friends also recommend Novell's freeware schema compare utility DSDIAG.NLM with the –DS switch, or the third-party DSDESIGNER tool, mentioned later, with its SCHCMP.EXE program. Never consider a tree merge without checking and re-checking that the schemas are exactly the same. Specialized schema files are available from the NDS eDirectory download site. To apply a schema file (*.SCH):
:NWCONFIG.NLM ➝ Directory Options ➝ Extend Schema
You will be prompted for the Administrator's name, password, and the location and name of the schema file. Novell also provides Schemax, a free download that lets you extend the directory schema by dragging and dropping; no programming needed. ConsoleOne also provides this ability. What sort of things would you want to extend the schema for? Easy: users' social security numbers, employee numbers, employee badge numbers, cell phone numbers, photographs, contract numbers for workstations, asset tag numbers for workstations, etc. The possibilities are endless really. The trick is to get the user to enter this information, or bulk load it into NDS, rather than have someone type it in. The free Schemax utility (now integrated into ConsoleOne) lets users enter their own information.
Schema Manager tool in NDS Manager
Although the schema is now controlled via ConsoleOne for eDirectory, many of you are still using NDS Manager with an older version of NDS, so I'll quickly show the older NDS Schema Manager, a Windows-based GUI utility found on the Object menu of the NDS Manager tool. It allows you to manipulate the NDS schema:
Creating a new class
Deleting a class
Adding an optional attribute to a class
Managing classes
Figure 3.1 NDS Schema Manager’s look at a User Object
A Tree Compare Schema utility (very important to use before tree merges)
A schema report utility (my test lab shows 100 classes with 634 attributes)
NDS Manager ➝ Object ➝ Schema Manager (see Figure 3.1).
Schema problems
Many schema problems occur simply because of mismatched versions of NDS (the DS.NLM) or schema extensions getting stuck somewhere in the tree. If you have standardized all servers in the tree on the latest DS.NLM, you need to check the schema. Check the schema by:
:SET TTF=ON
:SET DSTRACE=ON
:SET DSTRACE=*R
:SET DSTRACE=+SCHEMA
:SET DSTRACE=*SS
1. Toggle to the DS server console screen
2. Wait to see that all processed=yes or no
3. :SET TTF=OFF (saves the log file)
4. Look in SYS:SYSTEM/DSTRACE.DBG to decode problems
Again, you may also use Schema Manager to compare schemas between trees, but sometimes there is a need to compare schemas between servers. For that, Novell also publishes a freeware schema compare tool: DSDIAG.NLM –DA (for server-to-server compares).
3.4.8 Auxiliary classes
Auxiliary classes are added to the Object Class attribute of individual objects in the NDS database. For example, a pager number and social security number can be added to a User object. The pager and social security number definitions are auxiliary classes, and the values of these properties (the actual numbers) are auxiliary attributes. Auxiliary class attributes can be optional or mandatory. To extend the NDS schema you must have Write rights to [Root]. To add an auxiliary class to an object you must have Write rights to that object's Object Class attribute. Auxiliary classes are not supported on servers older than NDSv8/eDirectory. Auxiliary classes can be a lifesaver if you only want to modify a subset of your users, for example. If you extend the User class itself with an additional attribute, all users inherit that attribute and it cannot be removed. With an auxiliary class, you need only apply it to the users you want, and you can remove it later, at any time.
3.4.9 External references
External references are temporary placeholders, on a server, containing information about an NDS object the server does not hold locally in one of its replicas. Simply put, external references are created to track NDS objects that do not physically reside on a server. The external reference life span is 192 hours by default (don't change it). The information stored about an external reference object is:
Relative distinguished name
Local object ID
The external reference information is stored in the server's external reference partition and is held by a server that does not hold a replica of the NDS object.
External reference problems
External references are another NDS problem area. For some reason, they sometimes have a hard time clearing themselves. Novell provides a great TID that uses the STUFKEY.NLM process to automatically generate a report on replica information and external references. Find external reference errors by:
:SET TTF=ON
:SET DSTRACE=ON
:SET DSTRACE=*R
:SET DSTRACE=+BLINK
:SET DSTRACE=*B
1. Wait until the server's DS screen says all processed=yes or no
2. :SET TTF=OFF
3. Look in SYS:SYSTEM/DSTRACE.DBG and decode
4. Remove a server's external references by :LOAD DSREPAIR –xk3
5. Advanced Options Menu ➝ Repair local database
6. Choose to rebuild the operational schema and check local references
7. Then repair
Note: This option is for advanced administrators who understand the ramifications of such an extreme repair. Use the following DSTRACE commands to start the backlink process afterwards:
:SET DSTRACE=+BLINK
:SET DSTRACE=*B
If you wanted to watch the backlink process, you would, of course, begin the DSTRACE commands with:
:SET DSTRACE=ON
Note: Always work on one server at a time with external reference errors, and finish within one replica ring before going on to the next.
3.4.10 Backlinks
Backlinks are created by NDS to point to an external reference. A backlink is a logical pointer to information contained somewhere else, much like a shortcut icon on your desktop. Backlinks verify external references and remove them when they are no longer needed. Each object has an attribute for backlinks and for backlink obituaries. Because Back Link is an attribute of an NDS object, it is synchronized between replicas and you can query its value with the NLIST command. For example, a group object contains a membership list. When member users are contained in a partition whose replica ring does not include the server holding the group object, NDS creates external references and backlinks for each of those user objects. The backlink process runs every 780 minutes. You can use NLIST to see which objects have a Back Link by typing the following at a workstation.
Syntax: NLIST <object class> Where "Back Link" EXISTS
Example: NLIST "Directory Map" Where "Back Link" EXISTS
To see which objects do not have Back Links, type the following:
Syntax: NLIST <object class> Where "Back Link" NEXISTS
Example: NLIST "Directory Map" Where "Back Link" NEXISTS
3.4.11 Obituaries
Obituaries are pieces of information (object attributes) recording that an object has been changed and that the change must be propagated through, and then removed from, Directory Services; they are part of the synchronization process. When an object is deleted, moved, or renamed, a new obituary value is added to the object. It normally takes four (4) synchronization cycles to eradicate a deleted/changed object or attribute.
Obituary problems
Obituary problems are among the most frequent you will see when troubleshooting NDS. Obituary problems in mixed tree environments, where you have more than one version of NDS, are quite common.
Best Practice: As much as humanly possible, upgrade all of your NetWare servers to the latest DS.NLM version.
Obituaries do take some time to clear by the NDS janitor process (SET DSTRACE=*J). When obituaries get stuck, it is because servers in the replica ring have not acknowledged the NDS change associated with that NDS object. In other words, the synch process got stuck on the deleted/changed information. Obituaries go through four NDS flag stages:
0000: Not modified (issued)
0001: Notified
0002: Okay to purge
0004: Purgeable
Types of obituaries:
Type=0002, Moved: attached to an object that has been moved from this container
Type=0003, Inhibit_Move: attached to an object that has been moved from another container to this one
Type=0006, Backlink: attached to an object; it points to another server holding an external reference of the NDS object, which must be notified as the object is edited (modified, moved, deleted, renamed, etc.)
Best Practice: Obituary problems rarely occur on the server with the Master replica of the partition, as it is the Master's responsibility to process obits. You may promote a Read/Write replica with obituary problems to Master, and then run DSREPAIR on it, which should clean up all of the obit problems. You may then demote the Master back to Read/Write. Otherwise, look up support TIDs to help troubleshoot obituary problems. To generate information on obituaries:
:SET DSTRACE=ON
:SET DSTRACE=*sto
To clear obituaries:
:DSREPAIR ➝ Advanced Options Menu ➝ Check External References
Then verify they are gone by:
:SET DSTRACE=ON
:SET DSTRACE=+S
:SET DSTRACE=+J
:SET DSTRACE=*H
:SET DSTRACE=*F
Then run DSREPAIR to check external references from the Advanced Options menu. The obits should purge within the next couple of minutes.
DSREPAIR.LOG file
Found in the SYS:SYSTEM directory, this file contains information about database repair processes. You are able to read it with any text editor.
Best Practice: DSREPAIR.LOG is populated with more detailed information when you load DSREPAIR with the –A switch. Example of a DSREPAIR.LOG entry:
Found obituary at VID: 00054980, EID: 11000FE8, DN: CN=PHARVEY.OU=LABRATS.O=ACME.ACME_TREE TV: 1999/12/06 06:45:01 0004, Type = 0001 DEAD, Flags = 0000
Some helpful decodes:
VID = Value ID: a record number in the VALUE.NDS file that has been used as an Obituary attribute for the object identified by the EID.
EID = Entry ID: a record number in the ENTRY.NDS file that specifies the object that has the Obituary attribute identified by the VID.
DN = Distinguished Name: the full distinguished name of the object identified by the EID.
TV = Time Vector: the timestamp that denotes when the Obituary attribute was created.
Type = a number and a text description. There are three categories of types: Primary, Secondary and Tracking.
A Primary obituary indicates an action on an object:
0000 Restored
0001 Dead
0002 Moved
0005 NEW_RDN (New Relative Distinguished Name)
0008 Tree_NEW_RDN (Tree New Relative Distinguished Name; this specifies a Partition Root name, not an NDS tree name)
0009 Purge All
A Secondary obituary indicates the servers that must be contacted and informed of the Primary obituary action:
0006 Backlink: specifies a target server that needs to be contacted regarding an obituary
0010 Move Tree: similar to the Backlink obit. There is one Move Tree obit for every server that needs to be contacted regarding a Tree_NEW_RDN operation
A Tracking obituary is associated with certain Primary obituaries. The valid Tracking obituary types are:
0003 Inhibit Move
0004 OLD_RDN (Old Relative Distinguished Name)
0007 Tree_OLD_RDN (Tree Old Relative Distinguished Name; this specifies a Partition Root name, not an NDS tree name)
Flags = the stage to which the obituary has been processed. The valid flags are:
0000 ISSUED: the obituary has been issued, created and is ready for processing
0001 NOTIFIED: the obituary is at the notify stage; the servers identified in the Backlink or Move Tree obituaries have been contacted and notified of the operation or action on the NDS object
0002 OK-TO-PURGE: the obituary is being cleaned up in the local database of each server identified in the Backlink or Move Tree obituaries. The clean-up includes resolving all objects that reference the object with the obituary and informing them of the change (deletion, rename, move, etc.)
0004 PURGEABLE: the obituary is ready to be purged. The purge process essentially returns the value to the free chain so it can be reused.
If an obituary does not advance, check for a Backlink obituary trying to notify a server that is no longer in the tree. Remove the dead server's objects with NDS Manager; the obituary should then process.
Find obituary errors
Besides the above, you can:
:SET TTF=ON
:SET DSTRACE=ON
:SET DSTRACE=*R
:SET DSTRACE=+J
:SET DSTRACE=*J
1. Toggle to the DS server console screen
2. Wait to see that all processed=yes or no
3. :SET TTF=OFF
4. Look in SYS:SYSTEM/DSTRACE.DBG to decode problems
You may also start a purger process on obituaries that have not finished purging:
:SET DSTRACE=ON
:SET DSTRACE=+J
:SET DSTRACE=*F
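The DSREPAIR.LOG obituary line and the Type/Flags decode tables above are the raw material for a simple triage tool. What follows is an added example, not code from the book and not a Novell utility: a Python parser that reads "Found obituary" lines in the format shown above, decodes Type and Flags from the tables, and reports obituaries that are still short of PURGEABLE long after they were created, which is the stuck condition the text describes. The sample log lines (other than the book's own line) are constructed; the 24-hour threshold and the NOW timestamp are assumptions for the example.

```python
"""Decode DSREPAIR.LOG obituary lines and flag stuck obituaries.

Added example; not part of the book or of DSREPAIR.  The line format is the
one shown in the DSREPAIR.LOG excerpt above; the sample log is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Obituary Type codes from the decode table (hex, as printed in the log)
OBIT_TYPES = {
    0x0000: "RESTORED", 0x0001: "DEAD", 0x0002: "MOVED", 0x0003: "INHIBIT_MOVE",
    0x0004: "OLD_RDN", 0x0005: "NEW_RDN", 0x0006: "BACKLINK", 0x0007: "TREE_OLD_RDN",
    0x0008: "TREE_NEW_RDN", 0x0009: "PURGE_ALL", 0x0010: "MOVE_TREE",
}
# Obituary Flags (processing stage) from the decode table
OBIT_FLAGS = {0x0000: "ISSUED", 0x0001: "NOTIFIED", 0x0002: "OK_TO_PURGE", 0x0004: "PURGEABLE"}
PURGEABLE = 0x0004
SECONDARY_TYPES = {0x0006, 0x0010}  # Backlink and Move Tree: each names a server to contact

LINE_RE = re.compile(
    r"Found obituary at VID:\s*(?P<vid>[0-9A-Fa-f]+),\s*EID:\s*(?P<eid>[0-9A-Fa-f]+),"
    r"\s*DN:\s*(?P<dn>\S+)\s+TV:\s*(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(?P<seq>[0-9A-Fa-f]{4}),"
    r"\s*Type\s*=\s*(?P<type>[0-9A-Fa-f]{4})[^,]*,\s*Flags\s*=\s*(?P<flags>[0-9A-Fa-f]{4})"
)


@dataclass
class Obituary:
    vid: int
    eid: int
    dn: str
    created: datetime
    type_code: int
    flags: int

    @property
    def type_name(self) -> str:
        return OBIT_TYPES.get(self.type_code, f"UNKNOWN_{self.type_code:04X}")

    @property
    def stage(self) -> str:
        return OBIT_FLAGS.get(self.flags, f"UNKNOWN_{self.flags:04X}")

    @property
    def is_secondary(self) -> bool:
        return self.type_code in SECONDARY_TYPES


def parse_obituaries(log_text: str) -> list[Obituary]:
    """Return one Obituary per 'Found obituary' line; other log lines are ignored."""
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue
        found.append(Obituary(
            vid=int(m["vid"], 16),
            eid=int(m["eid"], 16),
            dn=m["dn"],
            created=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            type_code=int(m["type"], 16),
            flags=int(m["flags"], 16),
        ))
    return found


def stuck_obituaries(obits: list[Obituary], now: datetime,
                     max_age: timedelta = timedelta(hours=24)) -> list[Obituary]:
    """Obituaries older than max_age that have not reached PURGEABLE.

    Four sync cycles normally clear an obituary, so anything still at ISSUED,
    NOTIFIED or OK_TO_PURGE a day later is stuck.  A stuck secondary (Backlink
    or Move Tree) obituary usually means the server it must notify is gone.
    """
    return [o for o in obits if o.flags != PURGEABLE and now - o.created > max_age]


def triage(obits: list[Obituary], now: datetime) -> list[str]:
    """One human-readable line per stuck obituary, with the check to make next."""
    lines = []
    for o in stuck_obituaries(obits, now):
        hint = ("check that the target server is still in the replica ring"
                if o.is_secondary else "check the Master replica and the janitor process")
        lines.append(f"VID {o.vid:08X} {o.dn}: {o.type_name} at stage {o.stage}; {hint}")
    return lines


# Constructed sample: the book's line plus two made-up entries and a non-obituary line
SAMPLE_LOG = """\
Repairing local database...
Found obituary at VID: 00054980, EID: 11000FE8, DN: CN=PHARVEY.OU=LABRATS.O=ACME.ACME_TREE TV: 1999/12/06 06:45:01 0004, Type = 0001 DEAD, Flags = 0000
Found obituary at VID: 00054981, EID: 11000FE8, DN: CN=PHARVEY.OU=LABRATS.O=ACME.ACME_TREE TV: 1999/12/06 06:45:01 0005, Type = 0006 BACKLINK, Flags = 0001
Found obituary at VID: 00054990, EID: 11001000, DN: CN=JSMITH.OU=LABRATS.O=ACME.ACME_TREE TV: 1999/12/08 10:00:00 0001, Type = 0002 MOVED, Flags = 0004
"""
NOW = datetime(1999, 12, 8, 12, 0, 0)  # assumed "current" time for the sample

if __name__ == "__main__":
    for line in triage(parse_obituaries(SAMPLE_LOG), NOW):
        print(line)
```

Run it against a real SYS:SYSTEM\DSREPAIR.LOG copied off the server (after a DSREPAIR –A pass, which writes the fuller entries) with NOW set to the server's clock; a Backlink obituary sitting at NOTIFIED is the case the text above points at, where the server it must notify has left the tree.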
3.4.12 Janitor process
The janitor is an under-paid, under-appreciated worker; there is little glamour in dirty work. The janitor keeps DS clean, running the flat cleaner process at 60-minute intervals; some of the other janitor tasks are run every two minutes. The process is run after a synchronization process occurs. Intervals may be seen with the following commands:
:SET DSTRACE=ON
:SET DSTRACE=*P
Toggle to the Directory Services screen. Janitor processes include:
Verifies connectivity to all servers in the NDS database:
:SET DSTRACE=*U
Temporarily sets the UP and DOWN flag status of the NetWare server NCP entries. Servers whose status goes back to down usually indicate a communication problem between your server
and the server showing down. Use the DISPLAY SERVERS server console command to see if the server entry is still in your server's SAP cache table. Try to PING the server, too (IPXPING.NLM or PING.NLM).
:SET DSTRACE=*U
(yes, the same *U)
Takes calls from the flat cleaner process as well as scheduling the flat cleaner:
:SET DSTRACE=*J
Issues synthetic time errors
3.4.13 Flat cleaner
The work of the flat cleaner process is simple:
Generates server Certificate Authority keys
Returns deleted space from the bindery and external reference partitions
Updates status and version attribute values of NCP Server objects (e.g., SAP table cleanup when entries time out)
Validates the UP status of the servers for which it holds the Master replica; similar to:
:DSREPAIR ➝ Advanced Options ➝ Servers known to this database ➝ Local Status
3.4.14 Limber process
The automated limber background process runs every three hours (unless a run does not finish, in which case it retries every five minutes) and checks:
Server network address verification for all servers in the partitions the server holds
Maintenance of the version attribute for the server in the NDS database
NDS tree name changes
Limber also runs when the server boots, when NDS is restarted (:RESTART SERVER or :SET DSTRACE=*.), and when the server receives a request. This information is stored in the server's local system partition. The limber process is started manually by:
:SET DSTRACE=*L
And is viewed by:
:SET DSTRACE=+LIMBER
3.4.15 NDS background processes
NDS background processes are checked by:
:SET TTF=ON
:SET DSTRACE=ON
:SET DSTRACE=*R
:SET DSTRACE=+IN
:SET DSTRACE=+S
:SET DSTRACE=+SCHEMA
:SET DSTRACE=+LIMBER
:SET DSTRACE=+MISC
:SET DSTRACE=+AGENT
:SET DSTRACE=*H
1. Toggle to the DS server console screen
2. Wait to see that all processed=yes or no
3. :SET TTF=OFF (saves the log file)
4. Look in SYS:SYSTEM/DSTRACE.DBG to decode problems
3.4.16 Unknown objects
If you have ever spent any time with NetWare Administrator or ConsoleOne/NetConsole you have probably seen objects with question marks next to them. This indicates that NDS cannot read required information from the object, or that the management utility (ConsoleOne or NetWare Administrator) is missing a snap-in. For example, every User object requires a last name (surname). If, somehow, the object gets corrupted and the property value for the last name disappears, the object becomes unknown. Many times, I can update the schema or the management snap-ins, or connect to the master replica, to resolve unknown objects into readable objects. You may delete unknown leaf objects if you know how to restore them, but do not delete unknown container objects.
Unknown objects can appear during NDS synchronization. This is normal and should be worked out automatically by NDS; when it isn't, unknown objects can prevent the sync process from completing. When you can't resolve them yourself, use DSDIAG.
Note: You may use NetWare Administrator to search for unknown objects. You can also query for unknown objects from a workstation by:
C:\>NLIST unknown /D /S /C /R >filename.txt
Using DSDIAG to report on unknown objects
DSDIAG does not fix unknown objects; it only reports on them.
:DSDIAG -DA ➝ Distributed Repair ➝ Mutate Unknown Objects ➝ Delete unknown class base ➝ Resend Mutated Entries
3.4.17 NDS startup
When DS.NLM loads, as upon boot-up or a SET DSTRACE=*., it automatically starts a heartbeat and a limber process (equivalent to SET DSTRACE=*H and SET DSTRACE=*L). You can prevent NDS from loading upon boot by:
:SERVER -NDB
Other useful NDS startup commands:
:SET DSTRACE=*A
Clears the NDS database cached in RAM
:SET DSTRACE=1
Resets all of the DSTRACE switches
3.4.18 TTS
Novell uses the Transaction Tracking System (TTS) to preserve the integrity of data. A transaction in the process of being written to the hard drive when the system crashes is backed out upon reboot, preserving the integrity of the original data. TTS is a simple file attribute. Administrators may optionally flag any file with the TTS flag; the purpose of the flag is for NDS, but it is also useful for other databases, typically those that have no rollback features. NDSv7 must use TTS, which is why the SYS volume may not be an NSS volume: NSS did not support TTS until NetWare 6. You must leave room on the SYS volume for TTS or it may shut down, taking NDS with it. TTS tracks 10,000 transactions by default. Each TTS write uses a small piece of memory.
3.5 SYS:_NETWARE hidden directory
Best viewed from either RCONSOLE or CPQFM.NLM (I prefer the latter), the SYS:_NETWARE hidden directory houses the NDS database.
3.5.1 NDS versions 6.x and 7.x
Files found in the directory:
PARTITIO.NDS: Contains information on all partitions used within the database on this server: schema, system, external reference and bindery
ENTRY.NDS: The entry database contains records pertaining to bindery, schema and user-created objects. The object's name and its location within the schema, bindery or tree are among the several fields held by an entry record. In short, it is the object database.
VALUE.NDS: Contains information on specific object attributes; the attribute database.
BLOCK.NDS: The block database contains records referenced by the value database. It also holds overflow information from the value record (VALUE.NDS) file, used when the data field of an attribute exceeds the record length of the value record. Numerous blocks may be assigned to a given value record. It is the overflow store for values.
STREAM FILES: Stream files contain information such as login scripts, printer control files and print job definitions. The link between a specific stream file and its owning attribute is determined by the name of the file. The first eight characters of the name (standard DOS 8.3 naming convention) reference an offset within the value database; the record in the value database at that offset is the owning attribute. ZENworks for Desktops' application objects extend the stream files in NDS version 7; this does not happen in NDS 8.
MLS.000: License
VALLINCEN.DAT: License validation
DIB files
A .DIB is an unofficial backup of the NDS database: unofficial, as there is no restore mechanism short of calling Novell technical support and getting them to do a restore with their specialized DSDUMP utility. They are copied to SYS:SYSTEM/DSREPAIR.DIB. How big is a .DIB file? A client had one partition that contained:
32 groups
1 organization role
32 print servers
31 printers
16 profiles
27 queues
34,980 users
37 containers
4 file servers
The .DIB file on a NetWare 4.11 server running NDS version 7.47 was about 335MB. This same configuration on NDSv8 uses only 74MB. The biggest difference is in the stream files.
3.5.2 NDSv8 files in SYS:_NETWARE
The structure of the database is different. The database scales to over a billion objects (tested) on one server.
_NDSDB.INI: Holds the tunable parameters for DS (seen by SET DSTRACE=*P) and cache information
_NDSDB.NST
CONNHAND.DAT
NDS.01: All records and indexes. When this file reaches 2GB, another starts: NDS.02
NDS.DB: The control file that contains all of the rollback information for incomplete entries
NDS.LCK
NDS00001.LOG: Roll-forward file used to apply completed transactions not yet written to disk
NLSHAND.DAT
NLSLIST1.DAT
NLSSECUR.DB
SERVCFG.000: All server SET parameters
SERVHAND.DAT
EMGRCFG.INF
XMGRCFG.KS0
XMGRSEED.INF
NDS version 8 DIB files found in SYS:DSR_DIB
This specialized directory stores your .DIB files from NDS 8. The directory name stands for DSREPAIR_DIB. A .DIB is an unofficial backup of the NDS database: unofficial, as there is no restore mechanism short of calling Novell technical support and getting them to do a restore with their specialized DSDUMP utility.
3.6 How to manipulate the NDS directory
Novell provides several tools to expand, maintain and troubleshoot the NDS database. They are:
ConsoleOne/NetConsole: The single future one-stop utility for all of your NDS needs
NetWare Administrator: You may add, delete, and rename objects and their corresponding properties with NetWare Administrator. As Novell's products are expanded, NetWare Administrator becomes less of a player. Novell's newest products are ported to ConsoleOne only. NetWare Administrator 5.19f, according to Novell, is the last release of the utility. From now on, you must use ConsoleOne to do everything.
NDS Manager: Partition and replicate the directory database with this utility. This utility will go the way of the dinosaurs too. ConsoleOne, because of its Java cross-platform ability, will now contain all future NDS management functionality.
DSREPAIR.NLM: A server-centric database repair utility; notice the keyword "server-centric," as this utility will not fix the NDS tree, only the partitions contained on the server you are running it on.
DSTRACE SET commands: Force specific parts of the database to sync or display on a screen. A great troubleshooting utility, but it will not repair the database; it only forces specific NDS synchronization or background processes. Great TIDs for DSTRACE commands include 10011026 and 10011027; note that TID numbers sometimes change when Novell's support staff update them. Just search on DSTRACE or SET DSTRACE commands.
DSBROWSE: The DSBROWSE utility lets you dissect NDS objects, schema, and attribute values. This is for the advanced NDS administrator. The utility also lists all NDS error codes, a great, great, great feature. Just press to display a list of error codes.
DSMERGE: DSMERGE's APIs do not match the NDSv8 DS.NLM; it is for DSv6 and 7.x. DSMERGE lets you rename or merge NDS trees.
TREEINST.NLM: New module to merge one-server trees into trees of any size. Great for staging the OS at a central site, sending the server to its home site and merging it into the production tree. TREEINST.NLM needs no subtree move to accomplish the merge, a huge plus. Find this .NLM buried on Novell's developer site.
Third-party tools worth mentioning are:
NetPro I hesitate to give too much space to third-party products, but this is a company that makes two very important DS monitoring and alerting utilities. DS Expert proactively monitors and alerts you about NDS problems. DS Expert can monitor 30+ NDS conditions and provides SNMP alerts. I go into more detail about these utilities later in the chapter.
DSDesigner This is a utility that no medium to large NDS shop can do without. It is cheap and extremely useful. I used it often as a consultant for Novell. dsdesigner.hypermart.net
3.6.1 ConsoleOne
The ConsoleOne utility has evolved so quickly that an explanation of all of the menu items seems useless. Major renovations have been done to the speed and functionality. Look for downloads of newer versions of ConsoleOne (maybe renamed NetConsole) on Novell's Website, www.novell.com/download. ConsoleOne may be used for the same functionality as NetWare Administrator, Schemax, Schema extension manager, specific product management (ZENworks for Desktops, ZENworks for Servers, DirXML, etc.), and as a replacement for the old NDS Manager utility.
3.6.2 NetWare Administrator
NetWare Administrator manipulates the object and property values of NDS. It is not really for NDS troubleshooting.
3.6.3 NDS Manager
This utility is replaced by ConsoleOne for NDS database partitioning and management. As an interesting side note, Novell published an NDS tuning guide using NDS Manager (in an AppNote; look it up online), though I know of no one that would use NDS Manager for detailed troubleshooting; I always use DSTRACE and DSREPAIR, as does every consultant that I know.
3.6.4 NWCONFIG
The NWCONFIG utility allows you to add or remove NDS. You may remove NDS from a server without an Administrator's password by:
:NWCONFIG –DSREMOVE
Anyone with console access, whether at the keyboard or through RCONSOLE, can therefore remove NDS from that server. Always secure your server physically, and protect remote console access with the same care.
3.6.5 DSDIAG.NLM
DSDIAG Tool Manager is not an intuitive tool, but it does include four important report types:
Check NDS Versions provides information about servers as it relates to the NDS database. The information provided by this report includes:
Version
Server Name
Address
NDS Version
Replica Depth
Network Cost
Check Partition Status provides information about servers and their partitions. The data provided by this report includes:
Partition Status
Number of Readable Rings
Subordinate References in each ring
List Replica Rings provides a logical view of NDS partitions. The report:
Documents replica rings
Does a cursory consistency check
Reports unreachable partitions
Locates partition roots by NDS or by server
List Server's Partition Table documents the association of the servers and their partitions. It gives a physical view of the logical NDS database. The information provided by this report includes:
Server
Partition
State
Type
3.6.6 DSMERGE.NLM
Use DSMERGE.NLM to:
Change your NDS tree name
Merge two NDS trees (does not work for NDSv8)
DSMERGE uses low-level APIs such as DClient and CIA. DSMERGE merges the source tree into the destination tree at the root. It first compares the schema in the two trees to ensure they are exactly the same before doing the merge. If differences are present, the utility warns you that it can't continue. TREEINT (a freeware utility on Novell's developer Website used to merge a single-server tree into any other tree) also compares the schemas, and will attempt to reconcile differences by modifying/extending the destination tree's schema. If reconciliation cannot be achieved, you are warned of this fact and given the choice to continue or end. DSMERGE can merge any two NDS trees and can recover from a stopped or stalled merge, due to error(s), by backing out the changes made through the transaction tracking system, regardless of tree size and the number of servers in either tree.
Tree merging
It should go without saying, but to merge trees, you should look up Novell TIDs first. Plan carefully for a tree merge. For one customer, I've seen a month of planning, lab work and NDS patching take place before the merge. The merge took only 15 minutes. You are going to need to make sure that your schemas match; go through DSREPAIR and import the schema both ways twice. All relevant OS and NDS patches need to be installed. Lab testing should be done until you can dream your way through a tree merge. Clean up any NDS errors in both trees before you start, and verify that timesync is consistent in both trees; I would recommend using the same time source for both trees. Verify licensing and make sure every replica server is either up or removed from the tree: NDS will need to contact every replica server to complete the tree merge.
There is, of course, a little more to it, but those are the most important concerns. You can do tree merges from the information in Novell’s TIDs—that’s where I got tons of my NDS information as a consultant for Novell.
3.6.7
TREEINT Use this freeware utility to stage a server in a central location with a bogus tree name and then merge it into your production tree (prune and graft) at the local site. Realize its one-server-tree limitation and read the readme file. Search for it on the developer.novell.com site.
3.6.8
DSREPAIR.NLM DSREPAIR.NLM is a server-centric tool to repair the global NDS database. This is important: there is no global tool to repair the database. NetPro, a third-party company, makes the DS Expert and DS Analyzer tools that give you better management and reporting of global NDS information but still do not repair it globally.
Best Practice: Download and use the latest NDS versions, which many times include updated DSREPAIR.NLMs. The ability to repair the database is an integral part of NDS health. The first and most important piece of NDS health is to upgrade to the minimum patch-list version of NDS—http://support.novell.com/misc/patlst.htm.
Note: Know what you are doing before running the XK killer switches!
DSREPAIR switches
DSREPAIR.NLM supports the following switches. Note that not all switches work on all versions of DS.NLM.
:DSREPAIR -switch
–41x—Deletes the 41x files after an upgrade
–CV #—Shows attributes with more than # values. Example: DSREPAIR –cv 75 shows all attributes with more than 75 values.
–A—Enables advanced mode—I use this often
–D—Alternate DIB files mode (dsrepair –ext) is requested
–INS—Extend schema
–xk2—Destroy all replica roots by:
Making all objects external references
Zeroing the creation and modification time stamps
Clearing all flags except EF_PRESENT
Setting Class = –1 (not backlinked)
–xk3—Clear backlinks (EF_BACKLINKED):
Flags = 8001, which is present; verify the creation timestamp
Class = id_invalid = FFFFFFFF = –1
All ext-ref attribute time stamps set to zero
Note: It is advisable to run the backlinker after this DSREPAIR switch to re-backlink: SET DSTRACE=*B
–L—Sets a flag so the log file will be deleted and a new log file name created
–M—Report move inhibit obituaries
–MR—Removed
–N#—Number of days before deleting a user object’s net-address—if it is older, it is deleted (default is 60 days). For example, to release connections that are older than 1 day on NetWare 4.x, go to the Master replica ➝ DSREPAIR –N1 ➝ Advanced Options ➝ Repair local DS
–P—Mark all unknowns per replica as referenced
–RC—Remote load, create DIB dump file. Use this in STUFKEY.NLM scripts.
–RD—Repair local database (automated). Use this in STUFKEY.NLM scripts.
–RI—Verify and repair remote server IDs; dependent upon IPX or SLP
–RL—Specifies an alternate DSREPAIR log file name—the first one is deleted. To keep the old one and append to it, use the –L switch.
–RM <partition_root_ID>—Make this server the master for the specified partition ID. I prefer doing this manually through DSREPAIR ➝ Advanced Options ➝ Replica and partition operations ➝ <Enter on partition> ➝ Designate this server as the new master replica. Use this to troubleshoot external reference and backlink problems.
–RN—Repair network addresses—dependent upon the server’s IPX SAP table or your SLP infrastructure
–RR <partition_root_ID>—Repair the replica with the specified partition ID
–RS <server_ID> <partition_root_ID>—Remove the specified server ID from the specified partition ID
–RV—Repair volume objects and trustees
–736—Terminates the 0.DSB file—used to troubleshoot a specific 736 NDS error
–V—Ignore API version checking
–wm—Clears the wm:registered workstation attributes that can sometimes cause high utilization from ZENworks for Desktops registry entries when the workstation is not being imported into the NDS database as a workstation object.
Some of the switches that I use most often are:
:DSREPAIR –RC –RD
This repairs the local database and dumps a .DIB set of the database.
:DSREPAIR –A
Opens advanced options in DSREPAIR (see Figure 3.2).
DSREPAIR’s menu screen:
Unattended full repair—When you run an unattended full repair, you check:
Records: Verifies the validity of links between entry, value, block and partition records. There are pointers between all four of these files, and running the repair checks all of the pointers to be sure they are accurate.
Figure 3.2 The DSREPAIR.NLM C-Worthy menu of Advanced Options
Structure: Verifies that all entry records are linked to the [ROOT] and that all properties are linked to the corresponding entry record.
Schema: Compares the existing schema to the base class schema, changes objects missing mandatory attributes to Unknown, and checks for illegal containment.
External References: Discussed earlier
Mail Directories: A holdover from the bindery days
Stream Syntax Files
Network Addresses: Warning: If you are using IP in NetWare 5, the network addresses are verified via SLP. If you have a poor SLP design, you will have problems—see the IP chapter for more info
Remote IDs: How the NDS database “tags” the OT
Replica Ring
Volume Objects and Trustees
This option will temporarily lock the database. Users already logged in will be able to continue to work; those trying to log in will not be able to until the repair process unlocks the database. Before you run the repair, back up your current database with the following command, just in case. I have seen the server hang doing Unattended full repairs.
:LOAD DSREPAIR -RC
Time synchronization—Use this option to check the time synchronization health of your servers. Realize that you can run this option five times and get five different results. I always start an NDS health check here. Troubleshoot all time problems. You cannot have stable NDS health without almost perfect time synchronization.
Best Practice: Use an NTP utility to keep your NT servers in time with your NetWare servers. One utility is Time Lord for NT, www.cix.co.uk/~ossytems/os_syst/time_lord.html
Report synchronization status—Reports the replica ring status. This is a very important troubleshooting screen. Document all errors and go to Novell’s TIDs to look for answers.
View repair log file—Displays the SYS:SYSTEM\DSREPAIR.LOG file, which is updated each time you run a repair
Advanced options menu—Portal to a whole new choice of options. Use the DSREPAIR –A switch to enable even more advanced menu choices
Exit—Sortie in French
DSREPAIR ➝ Advanced Options menu
The options under this choice:
Log file and login configuration—Self-explanatory items concerning the DSREPAIR.LOG file
Repair local DS database—When you do a local DS database repair you are checking the local records, structure and schema. It is basically the first three parts of an Unattended full repair. This option will temporarily lock the database.
Servers known to this database
Replica and partition operations—Window to other advanced features covered later
Check volume objects and trustees—Make sure all volumes are mounted, as all links to rights and trustee assignments are verified
Check external references
Global schema operations
View repair log file—Views the SYS:SYSTEM\DSREPAIR.LOG file
Create a database dump—Shows a path to the dump file. This dump file is a snapshot of NDS that only Novell support can restore. Do make frequent backups; don’t use these in place of regular backups. You can restore the dump only through a support call to Novell.
Return to main menu
DSREPAIR ➝ Advanced Options ➝ Replica and Partition Operations ➝ Partition name <Enter>
Options include:
View replica ring—Displays the replica ring and opens to other choices if you press <Enter> on a replica:
Report synchronization status on the selected server
Synchronize the replica on the selected server
Send all objects to every replica in the ring—Floods the network with NDS traffic temporarily
Best Practice: Use Send all objects to every replica in the ring to fix inconsistencies in your replica ring—run it from the Master only.
Receive all objects from the master to this replica—Available only on servers holding Read/Write replicas, which receive from the master replica
View entire server name—Shows the full distinguished NDS name
Return to servers with replicas list—Return to the previous screen
Report synchronization status of all servers
Synchronize the replica on all servers
Repair all replicas
Repair selected replica
Repair ring, all replicas
Repair ring, selected replica
Schedule immediate synchronization—Why do you schedule something that is starting immediately?
Cancel partition operation—Easier to hit during an operation, though either choice may take a while to register—just be patient
Designate this server as the new master replica—Great troubleshooting tool
View entire partition name—Full distinguished NDS name
Return to replica list
Repairing NDS with DSREPAIR.NLM
DSREPAIR.NLM is a server-specific utility to troubleshoot NDS problems. Remember, with DSREPAIR.NLM you are not troubleshooting the TREE, rather replica(s) of partition(s). It is much like VREPAIR. DSREPAIR does not resolve global problems with the NDS database. How often do we need to run DSREPAIR.NLM? When you find an error. You do not need to run it every week or every day. Verify that the replica rings are clean—i.e., there are no replicas in a non-ON state. The fastest place to check this is DSREPAIR ➝ Report Synch Status.
3.7
LDAP support LDAP is supported in NDS 8 (eDirectory) as well as later NDS 7.x versions. Novell is embracing many open standards. ConsoleOne is the management utility for LDAP integration. Realize, though, that NDS, unlike Active Directory, is not a “pure” LDAP directory service. NDS uses NLDAP.NLM to provide LDAP support. Is this a big deal? No, but it does require a bit more work when communicating with a “pure” LDAP directory—such as mapping the NDS attribute names to the LDAP attribute names. This can also be done with Novell’s DirXML product, which is made for you to use NDS as the central directory and publish selected content to other directory services. The term LDAP has several meanings. LDAP is a protocol, carried over TCP/IP. LDAP is an API for developers to hook into directory-enabled applications. LDAP is a format defining data in a directory. LDAP is a format to exchange information—referred to as LDIF.
LDAP version 3 is supported by NDS. The LDAP v3 specification of the time is RFCs 2251 through 2256 (since superseded by RFCs 4510 through 4519). Lightweight Directory Access Protocol (LDAP) is an open-standard protocol riding on IP that rivals Novell’s proprietary Novell Directory Access Protocol (NDAP); it can access any directory service that supports the LDAP standard. Novell includes LDAP support as it has taken center stage as the de facto standard for client access to directory service—any directory service—information. For LDAP to return data to an unauthenticated client (such as Netscape Communicator or Microsoft Internet Explorer), the NDS [Public] trustee must have appropriate NDS rights, including the Browse object right. In addition, the Compare and Read property rights must be granted on the specific set of attributes which need to be searched on or read. If the entire tree is to be accessible from LDAP, these rights must be granted at [Root]. Administrators should grant property rights only to those properties and portions of the NDS tree they would like to be publicly accessible—which shouldn’t be much. Administrators should also consider the security advantages offered by the Proxy User feature of LDAP services, which maps anonymous binds to a named NDS user whose rights you control instead of relying on [Public]. LDAP may use an SSL connection for security; without it, bind credentials and query results cross the network in clear text. For applications that authenticate with a distinguished name via LDAP, the appropriate rights should be granted to the authenticating DN.
Auxiliary classes
Auxiliary classes are not supported on non-NDSv8/eDirectory servers. You may create auxiliary classes in mixed environments. Schema extensions synchronize from the point of installation down the tree. The non-NDSv8/eDirectory servers will accept the schema extensions as unknown but will add them without error.
LDAP provides for:
A data form—Defines the kind of information put into an LDAP-compatible directory and how you update it
A naming form—Defines how to organize the information in the LDAP directory
A security form—Defines how to access information based on rights
LDAP also defines the LDAP Data Interchange Format (LDIF), which provides a text-based means to describe directory information. Using LDIF you can import and export bulk information between directories—similar to the OIMPORT and OEXPORT NDS tools.
LDIF support
LDIF (RFC 2849, published alongside the LDAPv3 specification) is a text-based bulk-loading format. LDIF file creation, in NDSv8, is handled by BT.EXE, which creates three files:
Filename.add
Filename.del
Filename.mod
Looking at the extensions, you can probably figure out that you may add, delete or modify database entries. Like any technology, LDIF does have limitations. LDIF is great to use to import and export directory information from, say, Active Directory to NDS—or vice versa. Novell also supplies a BULKLOAD.NLM which may be used to add many users at once to NDS—great for lab scenarios.
LDAP protocol operations
LDAP offers nine basic protocol operations:
Search—A query function
Compare—A query function
Add—An update function
Delete—An update function
Modify—An update function
Rename—An update function (ModifyDN)
Bind—A security function equivalent to a login
Unbind—A security function equivalent to logging out; it closes the session
Abandon—Tells the server to stop working on an outstanding request, such as a long search; it does not end the session
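The [Public] rights discussion above and the LDIF format that BULKLOAD consumes can be exercised together. The following Python script is an added example (mine, not code from the book or from Novell): it parses LDIF, including changetype records, RFC 2849 line folding and base64 values, and then audits the ACL values of an export for anything granted to [Public] beyond Browse on entries and Compare/Read on individually named attributes. The ACL value layout privileges#scope#subject#protectedattr and the bit values are assumed from eDirectory documentation as I recall them; verify them against your own export before trusting the bits. The LDIF text is constructed sample data.

```python
"""Parse LDIF and audit an NDS/eDirectory export for rights granted to [Public].

Added example, not code from the book or from Novell. The ACL value syntax
privileges#scope#subject#protectedattr and the bit values below are assumed
from eDirectory documentation; check them against a real export.
"""
import base64

ENTRY_BITS = {1: 'Browse', 2: 'Create', 4: 'Delete', 8: 'Rename', 16: 'Supervisor'}
ATTR_BITS = {1: 'Compare', 2: 'Read', 4: 'Write', 8: 'Self', 32: 'Supervisor'}

# Constructed sample: a container giving [Public] blanket Read, a user giving
# [Public] Write on one attribute, then a modify record and a delete record.
SAMPLE_LDIF = """\
version: 1

# lab tree export
dn: o=acme
objectClass: organization
o: acme
ACL: 1#subtree#[Public]#[Entry Rights]
ACL: 2#subtree#[Public]#[All Attributes Rights]
ACL: 3#subtree#[Public]#telephoneNumber

dn: cn=jdoe,ou=eng,o=acme
objectClass: inetOrgPerson
cn: jdoe
sn: Doe
ACL: 4#entry#[Public]#description
description:: SGVsbG8gV29ybGQ=

dn: cn=jdoe,ou=eng,o=acme
changetype: modify
replace: telephoneNumber
telephoneNumber: +1 555 0100
-
delete: description
-

dn: cn=old,ou=eng,o=acme
changetype: delete
"""


def parse_ldif(text):
    """Return records as {'dn', 'changetype', 'attrs', 'mods'}.

    attrs maps lower-cased attribute names to value lists; for changetype
    modify records the operations are collected in mods as (op, attr, values).
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]            # RFC 2849 line folding
        else:
            lines.append(raw)
    records, cur = [], None
    for line in lines + ['']:                # trailing '' flushes the last record
        if line.startswith('#') or line.startswith('version:') or line == '-':
            continue
        if line == '':
            if cur:
                records.append(cur)
            cur = None
            continue
        name, _, value = line.partition(':')
        if value.startswith(':'):            # '::' marks a base64 value
            value = base64.b64decode(value[1:].strip()).decode('utf-8')
        else:
            value = value.strip()
        name = name.lower()
        if name == 'dn':
            cur = {'dn': value, 'changetype': 'add', 'attrs': {}, 'mods': []}
        elif name == 'changetype':
            cur['changetype'] = value
        elif cur['changetype'] == 'modify' and name in ('add', 'replace', 'delete'):
            cur['mods'].append((name, value, []))
        elif cur['changetype'] == 'modify' and cur['mods']:
            cur['mods'][-1][2].append(value)
        else:
            cur['attrs'].setdefault(name, []).append(value)
    return records


def decode_acl(value):
    """Split one ACL value into scope, subject, protected attribute and right names."""
    priv, scope, subject, attr = value.split('#', 3)
    table = ENTRY_BITS if attr == '[Entry Rights]' else ATTR_BITS
    bits = int(priv)
    return {'scope': scope, 'subject': subject, 'attr': attr,
            'rights': {n for b, n in table.items() if bits & b}}


def audit_public_acls(records):
    """Flag [Public] grants beyond Browse on entries and Compare/Read on named attributes."""
    findings = []
    for rec in records:
        for raw in rec['attrs'].get('acl', []):
            acl = decode_acl(raw)
            if acl['subject'] != '[Public]':
                continue
            if acl['attr'] == '[Entry Rights]':
                risky = acl['rights'] - {'Browse'}
            elif acl['attr'] == '[All Attributes Rights]':
                risky = acl['rights']          # any blanket property right for anonymous users
            else:
                risky = acl['rights'] & {'Write', 'Self', 'Supervisor'}
            if risky:
                findings.append((rec['dn'], acl['attr'], acl['scope'], sorted(risky)))
    return findings


if __name__ == '__main__':
    for dn, attr, scope, rights in audit_public_acls(parse_ldif(SAMPLE_LDIF)):
        print('%s: [Public] has %s on %s (%s)' % (dn, ', '.join(rights), attr, scope))
```

Run it against an ICE or third-party LDIF export of the tree; the container granting Read on [All Attributes Rights] is exactly the setting the text warns against, and the subtree scope means it flows to every object below.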
BULKLOAD.NLM BULKLOAD imports LDIF format information into directory services—much like OIMPORT. To use BULKLOAD.NLM:
1. Copy the LDIF files to SYS:SYSTEM
2. Load BULKLOAD.NLM
3. Log in with proper rights—admin is always preferable
4. Select Apply LDIF File to run
5. Output creates a .LOG file
Best Practice: Creating an object with a password costs about 250 ms per object, versus 5 ms without one. The process will also run faster if you cache DS. TAO introduces a new import/export feature called ICE (Import/Convert/Export). It is run from ConsoleOne and allows import/export via LDIF. It will also allow you to import from any LDAP server.
3.8
NDS objects NDS objects are the building blocks of the database. It is an object-oriented database. Objects are manipulated by NetWare Administrator and ConsoleOne/NetConsole.
3.8.1
NDS object properties A user object represents a physical person authenticated to the network. The User object contains properties such as:
Login restrictions
Intruder detection limits
Password
Password restrictions
Security equivalencies
Account Balance
Last Name
Last Login
Login Script
Minimum Password Length
When you create a User object, you can create a home directory for that user, who then has default rights to that home directory. You can also provide default property values by applying a user template object to new user objects as they are created. Note: Login script variables are explained later in this chapter.
3.9
Repairing NDS The first step to checking anything with NDS is checking time synchronization. :LOAD DSREPAIR > TIME SYNCHRONIZATION
NDS allows a ±2-second time differential; anything within it is considered synched. This 2-second radius can be changed with the SET command:
:SET TIMESYNC SYNCHRONIZATION RADIUS = 2000 (default)
The 2000 number is in milliseconds. The Time Synchronization screen in DSREPAIR.NLM will show you the DS.NLM version number—hopefully they are all the same. Make sure that your versions are all up to date. This is a very important point. Remember that many DS version updates are part of a support pack update. In the README.TXT file that comes with the support packs, Novell recommends applying the entire support pack and not individual modules/files within the support pack. Troubleshoot any time problems. Check whether you have configured sources on or off on your servers. Check to see if your servers are pointing at the right time source. PING the servers that report errors, then work from there to find the trouble spots. Ping the router interfaces. Try to find out whether you have a network communication problem.
:LOAD IPXPING
:LOAD PING
Use the DSTRACE commands to check for NDS synchronization errors and troubleshoot them. Look up Novell’s support TIDs for information on specific errors.
3.9.1
NDS error codes Rather than list all of the error codes and possible causes, I recommend going to Novell’s support site with the error code and looking up the appropriate TID to get the information you need. The following is a guideline:
–1 through –255—DS OS error codes
–301 through –399—Client error codes
–400 through –599—NLM client library error codes
–601 through –799—Agent error codes. You will probably see these the most
Other NDS resources include the LogicSource CDs (I and II for NDS), though they are not free.
3.10 NDS health check Novell publishes some TIDs and AppNotes on NDS health checks. I have taken the recommendations, which change from time to time, and made a detailed Excel sheet on how to maintain your directory database. I haven’t included it here, as there have been too many changes to NDS lately to be thorough. I post them on my Website, www.netadmincentral.com. Go to Novell’s site and look up the TIDs on NDS health. NetPro’s DS Analyzer and DS Expert can perform constant NDS health checks automatically. I prefer using one of these automated applications to a manual health check. DSDesigner is used by some to do NDS health checks, though it is not really made for it—it is an NDS design and documentation tool. Check support.novell.com for a detailed NDS health check document.
3.11 NDS dependence on SLP I am often asked, “When do I need to plan for SLP?” The answer is as soon as the second NW5.x server is added into your network—as SLP is used to locate other servers in an IP network. An IP network may be either IP only or a dual IP/IPX stack. NetWare 5.x is tuned to prefer an IP connection—versus an IPX connection, even if both protocol stacks are loaded—and, therefore, needs a service resolution and name space provider in the IP world. NetWare 5.x provides the functionality of the Service Location Protocol to locate network resources via multicast. SLP is a distant cousin to DNS. I explain it in detail in the IP chapter. NDS doesn’t need SLP to discover other servers or NDS information. NDS can resolve names within itself, as it is a database of names, and NDS object properties such as IP addresses and IPX addresses provide the information that NDS needs to be a name resolver. NDS is its own name space provider—like DNS. NDS needs no assistance to resolve server names when a server holds a replica copy of all the other servers in the tree—though it is nearly impossible to do and a very inefficient design. A NetWare server can resolve any name that it holds in the NDS database that it houses locally. NDS tree information is partitioned, distributed and replicated across the enterprise. For NDS to resolve an object, it must rely on the referral list, which is a list of network addresses of the servers that hold a Master or R/W copy of the partition that the object resides in. NDS can accomplish this without help only if every server in the NDS tree holds a replica of the partition containing the server’s own NDS context, because then NDS already has the network address of all the servers in the tree. For example, a request to resolve a name is made to an NDS server. The server scans its local database to find the object. If the object is there, the server returns to the client the referral list, with only its own network address in the list. If it doesn’t hold the object, the server’s responsibility is to create a referral list for the client—the server acts like a client itself.
The server has its own view of the tree, and has a connection table—viewable via MONITOR.NLM ➝ Connection Information. The server uses the network address information in the connection table to contact the servers in the list one by one and ask them if they hold the object. As soon as the server finds another server with a copy of the object, it receives the referral list and sends the list to the client. If the server asks all the servers in the connection table and doesn’t find a server with a copy of the object, the server “falls back” to its bindery information, multicasts for a service or unicasts—depending on the bound protocols:
IPX—NDS uses SAP to build its bindery table
IP—NDS uses SLP to either multicast for an NDS replica server service or contact a DA by unicasting to the address(es) listed in the server’s SLP.CFG, to query for a replica server service—ndap.novell. When an SLP infrastructure—using a Directory Agent—is set up, every server’s Service Agent should know the IP addresses of all the DAs. DAs are found via the 224.0.1.35 multicast, by DHCP queries on options 78 and 79 (the NetWare server can operate as a DHCP client to query for DAs within the DHCP database) or by statically configuring the DA in the server’s SYS:ETC\SLP.CFG file. DAs know about all of the services in their scope (because all of the SAs register with the DA), and normally hold the top partition layers of the NDS tree.
Best Practice: Pick servers to be Directory Agents that have the top layers of the NDS tree on them.
A referral list is built by looking at the Replica attribute, since it holds the Replica Type (Master, Read/Write) and the Network Address of each server—UDP, TCP, and IPX if both protocols are bound. SLP is dependent upon IP multicast (and so upon IGMP across routers), much the same as IPX is dependent upon SAP/RIP. You may statically configure the server’s SYS:ETC\SLP.CFG to unicast directly to a DA—thus avoiding router boy’s possible decree that no multicast is allowed on the enterprise. For more information on SLP see the SLP section in the IP chapter. Novell hasn’t done a good job of educating everyone on Service Location Protocol (RFC 2165 defines SLPv1; RFC 2608 defines SLPv2). A Pure IP implementation is dependent upon an SLP infrastructure. SLP is used for:
Server-to-server discovery (remember you do not have SAPs)
Client discovery of servers (upon boot up, multicasts are sent to look for services, i.e., servers)
Support for browsing Network Neighborhood.
Support for IPX short names. They may be resolved a number of ways:
IGMP multicast allowed across the network
Through the SLP.CFG if you have implemented a DA
Through NDS if you partitioned the SLP OU and have it on a server that you can get to
Through the server’s HOSTS file Through a DNS lookup—if the name exists in the same DNS subzone
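DA discovery through DHCP options 78 and 79 is ordinary, unauthenticated DHCP, so a rogue DHCP server on the segment can hand every SLP client (a NetWare server querying DHCP for DAs included) the address of an attacker's Directory Agent; knowing what the option bytes look like helps when reading a capture of a suspect offer. The following Python encoder/decoder is an added example (mine, not code from the book or from Novell) following the RFC 2610 layout: one mandatory byte, then packed IPv4 addresses for option 78, or a comma-separated scope list for option 79. The option bytes it builds are constructed sample data.

```python
"""Encode and decode the SLP DHCP options of RFC 2610: 78 = Directory Agent, 79 = Service Scope.

Added example, not code from the book or from Novell.
"""
import ipaddress

OPT_PAD, OPT_SLP_DA, OPT_SLP_SCOPE, OPT_END = 0, 78, 79, 255


def encode_da_option(addresses, mandatory=True):
    """Option 78: code, length, mandatory flag, then one packed IPv4 address per DA."""
    body = bytes([1 if mandatory else 0])
    body += b''.join(ipaddress.IPv4Address(a).packed for a in addresses)
    return bytes([OPT_SLP_DA, len(body)]) + body


def encode_scope_option(scopes, mandatory=True):
    """Option 79: code, length, mandatory flag, then a comma-separated UTF-8 scope list."""
    body = bytes([1 if mandatory else 0]) + ','.join(scopes).encode('utf-8')
    return bytes([OPT_SLP_SCOPE, len(body)]) + body


def parse_slp_options(options):
    """Walk a DHCP options field (code, length, value ... 255) and return the SLP settings.

    Raises ValueError on a truncated option or an option 78 whose length is not
    1 + 4n, the two malformations worth rejecting before any address is trusted.
    """
    found = {'da_addresses': [], 'da_mandatory': False, 'scopes': [], 'scope_mandatory': False}
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError('option %d has no length byte' % code)
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError('option %d truncated' % code)
        i += 2 + length
        if code == OPT_SLP_DA:
            if length < 1 or (length - 1) % 4:
                raise ValueError('option 78 length %d is not 1 + 4n' % length)
            found['da_mandatory'] = bool(value[0])
            found['da_addresses'] = [str(ipaddress.IPv4Address(value[j:j + 4]))
                                     for j in range(1, length, 4)]
        elif code == OPT_SLP_SCOPE:
            if length < 1:
                raise ValueError('option 79 is missing the mandatory byte')
            found['scope_mandatory'] = bool(value[0])
            found['scopes'] = [s for s in value[1:].decode('utf-8').split(',') if s]
    return found


def is_well_formed(options):
    """True when parse_slp_options accepts the field, False when it rejects it."""
    try:
        parse_slp_options(options)
        return True
    except ValueError:
        return False


# Constructed sample: the options a DHCP offer carrying two DAs in scope ACME would hold
SAMPLE_OPTIONS = (encode_da_option(['10.0.0.5', '10.0.1.5'])
                  + encode_scope_option(['ACME'])
                  + bytes([OPT_END]))

if __name__ == '__main__':
    print(parse_slp_options(SAMPLE_OPTIONS))
```

When the mandatory byte is set, RFC 2610 tells the client to use only the listed DAs and skip its own discovery, which is what makes a spoofed option 78 effective; compare the decoded addresses against the DAs you statically configured in SLP.CFG.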
3.12 NDS dependence on time sync A distributed database has constant changes occurring at about the same time—thus the dynamic nature of NDS. How do you make sure that the most recent change is the one that takes effect in such a dynamic system? You have to time-stamp every database (NDS) transaction. To ensure time consistency across all servers and partitions, all times must be the same. For times to be the same, logic dictates that all server times come from the same source. That’s where time sync comes in. Every time a password is changed or an object is renamed NDS requests a time stamp. Timestamps ensure that the order of events written into the database is correct. When you troubleshoot NDS, time synchronization is the first thing to verify. :DSREPAIR ➝ Time Synchronization
If you get errors here, troubleshoot them first before looking at NDS. Many NDS errors are symptomatic of time sync problems. The primary time servers make up to a 50% correction in their time per polling interval. In NetWare 5, the TIMESYNC.NLM works differently than in a 4.x environment. The native IP nature of 5 allows references to Internet sources, via NTP (UDP port 123), that we could not use in NetWare 4.x (at least, not without a third party NLM or extra hardware). Time synchronization should be administered centrally.
3.12.1
NetWare 4.x RDATE.NLM, a shareware utility, has been used with great success by many of my clients. The RDATE.NLM allows for NetWare IPX servers to sync to IP time sources. Check the favorite NetWare shareware sites for this utility.
3.12.2
NetWare 5.x/6 NetWare 5.x provides the legacy TIMESYNC.NLM and the new NTP.NLM. TIMESYNC.NLM version 5.12 and above can support older IPX dependencies as well as NTP reference sources. RFC 2030 outlines SNTP, the simple form of NTP; the full NTP version 3 specification is RFC 1305. I recommend TIMESYNC.NLM and configured sources. Best Practice: If you have an Internet connection, use TIMESYNC.NLM to sync your reference server to an atomic clock resource.
3.12.3
NTP and Timesync New in NetWare 5 is the NTP.NLM (Network Time Protocol). Use it when you want to set up NTP relationships. I haven’t had a need to use the NTP.NLM as I can do NTP from the TIMESYNC.NLM. TIMESYNC.NLM can poll an NTP time source without the need for NTP.NLM and NTP relationships. I find the complexity of NTP.NLM and the NTP.CFG unnecessary for any of my clients. The SYS:ETC\NTP.CFG file follows:
#The syntax for logfile is "logfile <etc\ntp.log>"
#Logging NTP messages, uncomment the line below to enable logging
#logfile etc\ntp.log
#The syntax is SERVER IPADDRESS or server HOSTNAME
#server bitsy.mit.edu
#or
#server 18.72.0.3
#This is the local clock timer.
#Only turn it on for the primary time source or in an isolated network.
#The primary time source is the server which acts as a time source
#for all internal servers (or the server that has the connection to the
#Internet or remote time source).
#Local clock timer will kick in when all outside sources become unavailable.
#server 127.127.1.0
#Uncomment line below to point to time server at
#Lawrence Livermore National Laboratory
#server clock.llnl.gov
#Uncomment line below to point to time server at
#NASA Ames Research Center
#server ntp.nasa.com
#Uncomment line below to point to time server at
#U.S. Naval Observatory
#server ntp2.usno.navy.mil
#MIT server 129.7.1.66
#NIST Central Computer Facility server 129.6.16.36
#Sony server 198.93.3.1
The NTP.CFG file is found where most other .CFG files are: SYS:ETC. The TIMESYNC.CFG follows:
# TimeSync.Cfg is now updated automatically,
# when changes are made on the System Console
# TIMESYNC Configuration Parameters
Configured Sources = OFF
Directory Tree Mode = ON
Hardware Clock = ON
Polling Count = 3
Polling Interval = 600
Service Advertising = ON
Synchronization Radius = 2000
Type = SINGLE
# TIMESYNC Configured time source list
3.12.4
Timesync server types Reference—The definitive time provider on the network. Use reference time servers in implementations of more than 12 servers. Set the reference server’s time from an NTP time source for best results. Only one reference server is needed on the network. Use it with primary time servers too. Votes with a weight of 16 (overriding every other type).
Note: I normally use one reference, two to five primaries, and the rest are secondary.
Single Reference—Stand-alone definitive time provider for use in smaller networks that use only this server and secondary time servers
Primary—Time providers that need to connect to at least one other time provider—primary or reference—to adjust their network time and set the time synchronization flag. Votes with a weight of one.
Secondary—A consumer or subscriber; must set its time according to received values
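A small simulation of the voting weights and correction rule described above, added here as an illustration (mine, not code from the book or from Novell, and a simplification of what TIMESYNC.NLM actually does): the reference votes with weight 16, each primary with weight 1, a primary moves half-way toward the vote per polling interval, and a secondary simply takes its provider's time. It counts the polling intervals until every server is inside the synchronization radius, which shows why a single reference pulls badly skewed primaries in within a handful of polls while the secondaries behind them lag by one. The offsets are constructed sample values in milliseconds.

```python
"""Simplified model of TIMESYNC voting: reference weight 16, primaries weight 1,
primaries correct 50% per poll, secondaries copy a provider.

Added example, not code from the book or from Novell; a simplification of TIMESYNC.NLM.
"""
REFERENCE_WEIGHT = 16          # a reference server's vote counts 16 times a primary's
PRIMARY_WEIGHT = 1
PRIMARY_CORRECTION = 0.5       # a primary moves at most half-way to the vote per poll
RADIUS_MS = 2000               # TIMESYNC Synchronization Radius default (2 seconds)


def vote(reference_ms, primaries_ms):
    """Weighted average of the providers' clocks, in ms relative to true time."""
    total = REFERENCE_WEIGHT * reference_ms + PRIMARY_WEIGHT * sum(primaries_ms)
    return total / (REFERENCE_WEIGHT + PRIMARY_WEIGHT * len(primaries_ms))


def poll_once(reference_ms, primaries_ms, secondaries_ms):
    """One polling interval: primaries move 50% toward the vote, secondaries copy a provider."""
    target = vote(reference_ms, primaries_ms)
    primaries = [p + PRIMARY_CORRECTION * (target - p) for p in primaries_ms]
    providers = primaries or [reference_ms]      # with no primaries, secondaries use the reference
    secondaries = [providers[i % len(providers)] for i in range(len(secondaries_ms))]
    return primaries, secondaries


def polls_until_synchronized(reference_ms, primaries_ms, secondaries_ms,
                             radius_ms=RADIUS_MS, max_polls=100):
    """Polling intervals until every server is within radius_ms of the reference, or None."""
    for n in range(max_polls + 1):
        if all(abs(t - reference_ms) <= radius_ms for t in primaries_ms + secondaries_ms):
            return n
        primaries_ms, secondaries_ms = poll_once(reference_ms, primaries_ms, secondaries_ms)
    return None


if __name__ == '__main__':
    # Constructed sample: reference on true time, two primaries 60 s fast and 30 s slow,
    # two secondaries 100 s and 5 s fast, default polling interval of 600 s
    n = polls_until_synchronized(0, [60000, -30000], [100000, 5000])
    print('synchronized after %d polls (%d minutes at a 600 s polling interval)' % (n, n * 10))
```

With the default 600-second polling interval, six polls is an hour; that is the window in which timestamps written on the skewed primaries can misorder replica changes, which is why the text starts every health check at the time synchronization screen.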
3.12.5
SET Commands Relating to TIMESYNC The following server SET commands are related to TIMESYNC and explained in detail in Chapter 2. :SET TIMESYNC Configuration File = SYS:SYSTEM\ TIMESYNC.CFG :SET Time Zone = EST5EDT :SET Start Of Daylight Savings Time = (APRIL SUNDAY FIRST 2:00:00 AM) :SET End Of Daylight Savings Time = (OCTOBER SUNDAY LAST 2:00:00 AM) :SET Daylight Savings Time Offset = +1:00:00 :SET Daylight Savings Time Status = OFF :SET New Time With Daylight Savings Time Status = OFF :SET TIMESYNC Correction Floor: 1
Minimum default clock value, in milliseconds, before time correction is applied. :SET TIMESYNC Configured Sources = OFF
Default uses either SAP type 26B for IPX or SLP timesync.novell for IP. Turn configured sources on for better reliability. :SET TIMESYNC DEBUG: 0
A value of 7 will enable a server console screen to show timesync messages—great troubleshooting tool. :SET TIMESYNC Directory Tree Mode = ON :SET TIMESYNC Hardware Clock = ON
Note: If your NetWare server is set up as a reference server and pointing to an external time source, be sure to turn this hardware clock parameter OFF.
:SET TIMESYNC Immediate Synchronization: OFF
:SET TIMESYNC Maximum Offset: 600
:SET TIMESYNC Offset Ceiling: 315532800
:SET TIMESYNC Polling Count = 3
:SET TIMESYNC Polling Interval = 600
Default of 10 minutes (600 seconds) to poll other servers. :SET TIMESYNC RESET = OFF
Change to on every time a timesync value is changed. :SET TIMESYNC Restart Flag = OFF
Change to on every time a timesync value is changed. :SET TIMESYNC Service Advertising = ON
Using configured sources enables you to turn this value off and decreases network traffic. :SET TIMESYNC Short Interval: 10 :SET TIMESYNC Synchronization Radius = 2000
Default of 2 seconds for server to adjust time. :SET TIMESYNC Time Adjustment = None scheduled
Used to set the Tree time—never use “set time” to adjust server/tree time :SET TIMESYNC Time Sources = ; :SET TIMESYNC Type = SINGLE :SET Default Time Server Type = SINGLE
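An added check (mine, not code from the book or from Novell) that reads a TIMESYNC.CFG in the Key = Value form shown above and reports the settings the preceding notes warn about: Configured Sources left OFF, Hardware Clock left ON on a REFERENCE server that uses an external source, Service Advertising left ON while configured sources are in use, and a Synchronization Radius above the 2000 ms default. Only the Key = Value lines are read; comment lines and the configured-source list at the end of the file are ignored. The configuration text is a constructed sample.

```python
"""Audit a TIMESYNC.CFG against the settings the surrounding notes flag.

Added example, not code from the book or from Novell. Only Key = Value lines are
interpreted; comment lines and the configured time source list are ignored.
"""
DEFAULT_RADIUS_MS = 2000

# Constructed sample: a reference server pointed at an external source but still
# trusting its hardware clock, still advertising, and with a loosened radius
SAMPLE_CFG = """\
# TimeSync.Cfg is now updated automatically,
# when changes are made on the System Console
# TIMESYNC Configuration Parameters
Configured Sources = ON
Directory Tree Mode = ON
Hardware Clock = ON
Polling Count = 3
Polling Interval = 600
Service Advertising = ON
Synchronization Radius = 5000
Type = REFERENCE
# TIMESYNC Configured time source list
"""


def parse_timesync_cfg(text):
    """Return {key: value} for 'Key = Value' lines, keys lower-cased, values upper-cased."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, _, value = line.partition('=')
        settings[key.strip().lower()] = value.strip().upper()
    return settings


def audit_timesync(settings):
    """List (key, problem) pairs for settings that conflict with the advice in the text."""
    problems = []
    sources = settings.get('configured sources', 'OFF')
    if sources == 'OFF':
        problems.append(('configured sources',
                         'OFF: the server takes any SAP 26B / SLP timesync.novell provider; '
                         'turn it ON for reliability'))
    if (settings.get('type') == 'REFERENCE' and sources == 'ON'
            and settings.get('hardware clock', 'ON') == 'ON'):
        problems.append(('hardware clock',
                         'ON on a reference server with an external source; set it OFF'))
    if sources == 'ON' and settings.get('service advertising', 'ON') == 'ON':
        problems.append(('service advertising',
                         'ON while configured sources are in use; it can be turned OFF to cut traffic'))
    raw_radius = settings.get('synchronization radius', str(DEFAULT_RADIUS_MS))
    radius = int(raw_radius) if raw_radius.isdigit() else None
    if radius is None or radius > DEFAULT_RADIUS_MS:
        problems.append(('synchronization radius',
                         '%s is beyond the %d ms default; servers that far apart still count as synced'
                         % (raw_radius, DEFAULT_RADIUS_MS)))
    return problems


if __name__ == '__main__':
    for key, problem in audit_timesync(parse_timesync_cfg(SAMPLE_CFG)):
        print('%s: %s' % (key, problem))
```

Run it over a copy of SYS:SYSTEM\TIMESYNC.CFG from each server; the SET commands above change the file automatically, so the file is the record of what is actually in force.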
3.12.6
Timesync troubleshooting Look at a single server by typing :TIME
and reading the resulting info. Query the network’s time health through DSREPAIR.NLM :DSREPAIR ➝ Time synchronization
Turn on the timesync debug screen by: :SET TIMESYNC DEBUG=7
Toggle to the Timesync Debug screen and look for error messages.
3.13 The NDS security model NDS security includes object and object property rights. NDS is an object-oriented database that assigns each object various attributes (e.g., a user object has a full name, phone number, fax number, password, etc., all of which are properties/attributes of the user object). These attributes are also referred to as properties. Novell allows security permissions to be placed on objects and on each property of an object. For instance, when a user object is created, the object automatically inherits the Read right to the OU’s login script property. User objects are created to assign each person a digital identity on the network. Network and resource access is based on rights assigned to the user object. Some rights are given explicitly, others are inherited. For instance, the earlier example of a user gaining the Read right to the OU’s login script property is one assigned in NDS by default—it is therefore considered inherited. Enforcement of rights is automatic and immediate. Unlike NT 4.0, where each user logs in and gets a token to keep for the entire logon session, NDS permissions are dynamic. Each restriction or addition of rights is applied as soon as the database syncs—10 second default for access rights. Fast enough for you? If not, consider that NT requires you to log out and log in again to receive the new rights additions/restrictions via its 15-year-old LANMAN access token technology—sarcasm intended. The information about who can access object properties is stored in the object itself—in a property known as the access control list (or ACL). Please see Chapter 8 on security.
3.13.1 Object names
Objects are limited to 64 characters and are not case-sensitive. Bindery services are limited to 47 characters. Any object made with a space is replaced in NDS with an underscore. Slashes, backslashes, colons, commas, asterisks, and question marks are not allowed.
3.13.2 NDS object rights
NDS object rights are:
Supervisor (S)—This is the sum of all other rights. Unlike the Supervisor right in the file system, the Supervisor NDS object right can be blocked through an IRF. Granting this right implies granting the same Supervisor right to all NDS properties.
Browse (B)—The Browse right allows trustees of the object(s) to search the tree in NWAdmin and through the NLIST and CX commands.
Create (C)—This right, available only on container objects, allows an object trustee to create objects in and below the container.
Delete (D)—Permits the removal of objects from the NDS Tree.
Rename (R)—Grants the object trustee the ability to change the object’s name.
Inheritable (I)—Only in NetWare 5. Assigned object rights are inherited by default in NDS. Unchecking this feature on a container object will restrict inheritance, requiring the Administrator to explicitly grant objects trustee rights to the container.
3.13.3 NDS property rights
Users have over 55 property rights (or attributes), groups have more than 20. This level of granularity is ideal for security. For more information on NDS security, see the chapter on security. NDS property rights include:
Supervisor (S)—Still the sum of all other rights.
Read (R)—The ability to see/read the attributes, or properties, of an object.
Compare (C)—The Compare right works in tandem with the Read right and is used to query any property, returning only a true or false response.
Write (W)—Automatically includes the Add/Remove Self right; you can modify, add, change, and delete property values. This right granted on the Object Trustees (ACL) property of any object effectively gives Supervisor access.
Add/Remove Self (A)—An object trustee can add or remove itself as a value of the object property.
Inheritable (I)—Only for NetWare 5. Used only at the container level, this right enables inheritance of property rights from a container.
Warning: Rights granted through selected properties overwrite property rights granted through the All Properties radio button.
Access control lists
An NDS object’s trustee is an NDS object that is placed in the Object Trustees (ACL) property of another object. To change the trustee’s access to an object, change the trustee’s entry in the object’s ACL: right-click an object ➝ Trustees of this object.
Only trustees with the Write right for the ACL property may change the trustee assignments or the Inherited Rights Filter. Every object listed in an ACL may have separate/different rights to an object’s properties. Granting property rights to this property allows a user to see or edit the trustees of the object.
ACL list property
An object’s Object Trustees (ACL) property holds information about who (what NDS objects) may access the object’s properties; it is stored in the object itself. An object’s ACL will display all objects that are explicit trustees of the object. The ACL property also stores the object’s Inherited Rights Filter.
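The rules in 3.13.2, 3.13.3 and the ACL discussion above, as an added example that is not Novell’s code and not from the book: a small effective-rights calculator for a constructed tree. It is a simplified model that treats an explicit assignment as replacing whatever the trustee would inherit, lets rights flow down only when the assignment carries I, and applies the object’s IRF to what flows in (so an IRF can block Supervisor, as the text says); the tree, trustee names and rights granted are constructed sample data.

```python
"""Simplified model of NDS effective rights (added example, not Novell code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

OBJECT_RIGHTS = frozenset("SBCDRI")      # Supervisor Browse Create Delete Rename Inheritable
PROPERTY_RIGHTS = frozenset("SRCWAI")    # Supervisor Read Compare Write Add/Remove-self Inheritable
ALL_PROPERTIES = "*"                     # stands for the "All Properties" radio button


@dataclass
class NDSObject:
    name: str
    parent: Optional["NDSObject"] = None
    # trustee -> object rights granted explicitly on this object
    object_acl: Dict[str, Set[str]] = field(default_factory=dict)
    # trustee -> {property name or "*" -> property rights granted explicitly here}
    property_acl: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)
    # Inherited Rights Filters: the rights allowed to flow in from the parent
    irf_object: Set[str] = field(default_factory=lambda: set(OBJECT_RIGHTS))
    irf_property: Set[str] = field(default_factory=lambda: set(PROPERTY_RIGHTS))


def _expand_object(rights: Set[str]) -> Set[str]:
    """Supervisor is the sum of all other object rights (I is an inheritance flag)."""
    return rights | {"B", "C", "D", "R"} if "S" in rights else set(rights)


def _expand_property(rights: Set[str]) -> Set[str]:
    """Supervisor implies every property right; Write includes Add/Remove Self."""
    out = set(rights)
    if "S" in out:
        out |= {"R", "C", "W", "A"}
    if "W" in out:
        out.add("A")
    return out


def _inherited(parent_rights: Set[str], irf: Set[str]) -> Set[str]:
    """Rights flow down only when marked Inheritable, and only through the IRF.
    The IRF is applied to Supervisor as well, which is how an IRF blocks S in NDS."""
    return parent_rights & irf if "I" in parent_rights else set()


def effective_object_rights(obj: NDSObject, trustee: str) -> Set[str]:
    """An explicit assignment on the object replaces anything it would inherit."""
    if trustee in obj.object_acl:
        return _expand_object(obj.object_acl[trustee])
    if obj.parent is None:
        return set()
    parent_rights = effective_object_rights(obj.parent, trustee)
    return _expand_object(_inherited(parent_rights, obj.irf_object))


def effective_property_rights(obj: NDSObject, trustee: str, prop: str) -> Set[str]:
    """Object Supervisor covers all properties; a selected-property grant
    overrides an All Properties grant; otherwise inherit from the parent."""
    if "S" in effective_object_rights(obj, trustee):
        return _expand_property({"S"})
    grants = obj.property_acl.get(trustee, {})
    if prop in grants:
        return _expand_property(grants[prop])
    if ALL_PROPERTIES in grants:
        return _expand_property(grants[ALL_PROPERTIES])
    if obj.parent is None:
        return set()
    parent_rights = effective_property_rights(obj.parent, trustee, prop)
    return _expand_property(_inherited(parent_rights, obj.irf_property))


def is_effective_supervisor(obj: NDSObject, trustee: str) -> bool:
    """Supervisor outright, or Write on the ACL property (the trustee could then
    rewrite the ACL and grant itself anything)."""
    return ("S" in effective_object_rights(obj, trustee)
            or "W" in effective_property_rights(obj, trustee, "ACL"))


def build_sample_tree() -> Dict[str, NDSObject]:
    """Constructed sample tree: [Root] > O=Acme > OU=Sales > CN=jdoe."""
    root = NDSObject("[Root]", object_acl={"Admin": {"S", "I"}})     # default Admin grant
    org = NDSObject("O=Acme", parent=root,
                    object_acl={"HelpDesk": {"B", "R", "I"},
                                "Auditors": {"B"}})                 # no I: stops at O=Acme
    sales = NDSObject("OU=Sales.O=Acme", parent=org,
                      irf_object={"B", "C", "D", "R", "I"},          # IRF blocks Supervisor
                      property_acl={"HelpDesk": {ALL_PROPERTIES: {"R", "W", "I"},
                                                 "Login Script": {"R", "I"}},
                                    "Operators": {"ACL": {"W"}}})   # effectively Supervisor
    jdoe = NDSObject("CN=jdoe.OU=Sales.O=Acme", parent=sales,
                     property_acl={"jdoe": {"Login Script": {"R", "W"}}})  # default user grant
    return {o.name: o for o in (root, org, sales, jdoe)}


if __name__ == "__main__":
    tree = build_sample_tree()
    for name, obj in tree.items():
        rights = "".join(sorted(effective_object_rights(obj, "Admin")))
        print(f"{name:27} Admin: {rights:6} supervisor={is_effective_supervisor(obj, 'Admin')}")
```

Running it shows Admin losing Supervisor below OU=Sales because of the IRF, while Operators, with only Write on the ACL property, is flagged as an effective Supervisor there.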
3.13.4 Default NDS rights
Default NDS rights are:
Rights granted to the [Public] object are passed to everything connected to the network (connected, not authenticated)
[Public] receives the [R] right to the messaging server
Admin receives the [S] and [I] right to [Root]
Users inherit the rights of their containers, which are the [R] property right to the login script and [R] to the print job (non-NDPS) configuration
Users are granted the [R] right to the [Root] properties of Network address and group membership, [R] to the default server property of [Public], [R] and [W] to the user’s own login script property and print job configuration property and finally [R] to all of the user’s property rights
The [S] right to the server object is given to any user who installs a server into the NDS Tree
A server receives the [S] object right to itself, permitting the server to modify parameters of its own object
Note: Refer to Chapter 9’s section on security for best practices and more information on NDS security.
3.14 Login script variables
This section describes the commands you can use in a login script—presented in alphabetical order.
Login script property
It may seem unusual to put all of the login commands in the NDS chapter. Login scripts, though, are NDS properties of user, container and profile objects. The following is a list of login script commands to customize your end users’ experience. Most clients use little more than simple MAP commands.
Login Script—This property is displayed under the Login Script page. The Login Script page lists commands that are executed to customize the user environment after the user authenticates to NDS. Giving property rights to this property will allow the user to see and edit the login script. The Login Script property replaces the system login script from the NetWare 2.x and 3.x days. When a user logs in, the LOGIN.EXE utility searches one level above (to either the Organization or Organizational Unit) and runs that script (if any), then runs the user’s login script.
Mobile users seem to cause problems for administrators, as you do not want to flood the dialup line with unnecessary updates and traffic. Use the %NETWORK login script variable, which tells you the network segment being used to access the network. Read about it in the July 1994 AppNote, “Configuring NetWare 4 for the Mobile User,” written by none other than Marcus Williamson.
Login scripts are available via the following:
Container—Use as a system login script
Profile—Useful when you have a group of users in a container that need additional customization—only one profile login script is assignable per user
User—Use sparingly as they are administratively heavy
Default—Used only when no other login scripts are assigned. Provides a simple search mapping to the SYS:PUBLIC directory.
Login script variables are listed on Novell’s Website.
3.15 NDS design guidelines
Novell’s NDS recommendations for NDS versions 6.x and 7.x are:
Use replicas to provide Local name resolution
Use replicas to provide bindery service access
Note: Any server that supports BINDERY emulation must have a replica of the bindery context it is supporting.
Three replicas minimum for fault tolerance
No more than 15 replicas on a single server—15 is Novell’s guideline, I have been to several clients that have had more than 100 replicas on a single server working fine
No more than 10 replicas per partition—I prefer 3 to 5
Design replica placement based on your WAN infrastructure
Partitions should contain no more than 5000 objects (1500 max. is recommended)
Minimum server RAM should be 64 MB—I recommend a minimum of 128 MB
3.15.1 NDS design ideas
I presented Novell’s recommendations for NDS tree designs. Seeing many trees—many of Novell’s largest NDS trees in the world—allows me to make the following recommendations, a list of a few of my favorite design ideas.
Separate the [Root] in its own partition
Separate the O into its own partition
Separate any SLP container into its own partition
Each DA must have a replica of its SLP partition on it to work properly
Keep all search policies—from ZEN and licensing—from extending past the immediate partition, if at all possible
Use OUs and other container objects to administer group rights when possible—avoiding the NDS group object, as it may have to walk the tree to resolve rights and names
For larger installations, use a dedicated server for NDS only
Cache your entire local NDS database—explained earlier in this chapter and in Chapter 9
Keep your replicas down to 3–5 per partition
Remove bindery dependencies ASAP
Use alias objects to organize printers, servers and other administrative objects, in their own container
Use alias objects to support the old context when you move user objects into a different context—clean the alias objects up with the freeware alias object cleanup utility on Novell’s Cool Solutions site
Look for other design ideas in Novell AppNotes
Upgrade to NDSv8 and NetWare 5
3.15.2 NDS version 8.x (eDirectory)
NDSv8 breaks many of the existing rules. Your directory design should be predicated on variables not considered in earlier versions. Novell publishes some great guidelines in AppNotes (http://developer.novell.com/research). Also, Novell’s Cool Solutions NDS site has several design guidelines and troubleshooting articles.
You will have to first define what you are using the directory for. If it is just network authentication, file and print, you would design your tree the same as in NDS versions 6.x and 7.x, but without the numerical partition restrictions—NDSv8 is more scalable. If, however, your directory needs go beyond normalcy—LDAP, DirXML, NDS for NT, etc.—you will need to evaluate your design on many new variables. The general rule is that you want local access without clogging WAN links with synchronization traffic. Use a third-party tool like NetPro’s DS Analyzer to verify the efficiency and effectiveness of your tree design and to document NDS traffic patterns.
3.16 NDS tuning and optimization
Tuning the database is like tuning your car. You can’t get to work without either. Keep the database healthy and up-to-date with the following recommendations. Some of the most common culprits of NDS errors are:
Corrupted packets—physical layer errors
Differing versions of DS.NLM
Lack of SLP infrastructure
LAN/WAN connectivity problems
Obituary problems in the DS.NLM code
Schema not synchronized throughout the tree
NetWare server(s) in the NDS database, but not in the NDS tree
Mixed (NetWare 4.x and NetWare 5.x) tree
IP preferred connections on NetWare 5 servers timing out talking to IPX preferred connection NetWare 4 servers
Improperly designed tree
TIMESYNC.NLM problems
SYS volume out of room; NDS crashes
3.16.1 Tuning the directory—Novell’s recommendations
It would not be unusual for a piece of directory information to be read thousands more times than it is written. It would, therefore, behoove you to tune a heavily used NDS NetWare server to support more reads than writes.
Best Practice: Compaq allows this ability within the RAID array card—set it to 75% read to 25% write on dedicated DS servers. Check with your vendor’s support to see if you may “tune” your RAID card.
By default NDS never uses more than 8MB of RAM cache. This may seem odd, but NDS is made to run on small servers. I have seen trees with over 40,000 objects have their [ROOT] partition on a server with 64MB of RAM. The access speed of RAM is almost instantaneous—100 times faster than a request from the hard drive. Therefore, on larger trees, Novell gives you the opportunity to cache as much of the NDSv8 database as you would like. Since RAM is cheap, and login times are the standard measure of how your end users view the network, I would recommend reserving as much RAM as possible for NDS. Cache the whole database if you can. In NDS 8 you can set the cache size for NDS on a server by typing:
:SET DSTRACE=!mb[bytes]
Realize that the number is bytes, not kilobytes, nor megabytes. Novell says that the smallest tested size is 0 bytes and the largest tested size is 2 GB. NDS will run on either. To increase the amount of memory available to NDS, use SET DSTRACE=!MB(memory in bytes); the number of bytes in a megabyte is 1000000 (1 million) = 1MB. For example:
SET DSTRACE=!MB55000000
In this example I allocate 55MB of memory to DS caching. Novell makes the following recommendations:
1. Look up TIDs to do an NDS Health Check and follow them.
2. Use the DSTRACE commands and filters to view NDS synchronizations. Document all error codes and troubleshoot them—use the TIDs.
3. For servers being used for applications, assign up to 40% of the memory for DS cache.
4. For servers being used for dedicated NDS fault tolerance, assign up to 80% of the memory for DS cache. (ArcServe sometimes gets errors if set at 80%; if you are using ArcServe, set no higher than 60%.)
5. Sufficient memory should remain for file caching, backups and mounting the volumes. Existing documented recommendations should be followed for these settings to avoid problems.
It is possible to set a zero cache size, but it is a bad idea. Make sure that the syntax is correct when entering the SET statement. There is a SET parameter which allows a HEX value to be used, but if it is not used correctly the cache will be set to zero. The best way to set the cache is to use the decimal SET parameter shown. Check the cache setting after changing it—to check that the cache is not zero:
SET DSTRACE=OFF
SET DSTRACE=ON
SET DSTRACE=*P
Toggle to the DSTRACE debug screen and check the SMI Max cache setting. Make sure! The DS cache setting is automatically stored in the file SYS:_NETWARE\_NDSDB.INI, so it is not necessary to place it in the AUTOEXEC.NCF.
Best Practice: See the last chapter for information on tuning the NetWare OS and Chapter 1 for client tuning recommendations.
Products that leverage NDS, such as NDS for NT, Border Manager, ZEN, the login process and bindery support (not only bindery emulation), can double, or more, the number of NDS object entries in the database—which places a heavier load on everything that relies on NDS.
Warning: Do not assign more memory to DS than is actually available; the server will run out of available memory and freeze up.
Configuring the NDS cache size
Although the following parameters are available, I have only seen the !mb used.
!me#—Entries to cache per thread
!mp#—Partitions to cache per thread
!ma#—Attribute overflow objects to cache per thread
!mb#—Bytes of RAM memory to cache
!m#—KB of RAM memory in hex to cache
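The cache-sizing rules above (Novell’s 40%/80%/60% recommendations, the book’s 1,000,000-bytes-per-MB convention, the 2 GB largest tested size, the warning against the hex !M form and against zero or over-sized caches), as an added example that is neither Novell’s code nor part of the book: a helper that computes the byte count for a server’s RAM and role, emits the SET line, and checks a typed SET line before it is entered. The role names and sample servers are constructed for this example; !M is modelled as hex KB, as the parameter list above describes it.

```python
"""DS cache sizing and SET DSTRACE line check for NDS 8 (added example, not Novell code)."""
import re

BYTES_PER_MB = 1_000_000                    # the convention the text uses for !MB
MAX_TESTED_BYTES = 2_000 * BYTES_PER_MB     # 2 GB, Novell's largest tested size
# constructed role names -> share of RAM Novell recommends for DS cache
CACHE_PERCENT = {"application": 40, "dedicated": 80, "dedicated+arcserve": 60}

_SET_LINE = re.compile(r"^SET\s+DSTRACE\s*=\s*!(MB|M)([0-9A-Za-z]+)$", re.IGNORECASE)


def recommended_cache_bytes(ram_mb: int, role: str) -> int:
    """Bytes to give DS cache for a server of the given RAM and role (integer math,
    capped at the largest size Novell says it tested)."""
    return min(ram_mb * BYTES_PER_MB * CACHE_PERCENT[role] // 100, MAX_TESTED_BYTES)


def set_command(cache_bytes: int) -> str:
    """The console line to type; !MB takes a decimal byte count."""
    return f"SET DSTRACE=!MB{cache_bytes}"


def parse_set_command(line: str) -> int:
    """Return the cache size in bytes a SET line would produce.
    !MB<n> is decimal bytes; !M<hex> is KB in hex (the form the text warns about).
    A !MB value that is not all digits is the mistake that yields a zero cache."""
    m = _SET_LINE.match(line.strip())
    if not m:
        raise ValueError("not a SET DSTRACE=!MB<bytes> line")
    form, value = m.group(1).upper(), m.group(2)
    if form == "MB":
        return int(value) if value.isdigit() else 0
    return int(value, 16) * 1024


def check_set_command(line: str, available_bytes: int) -> list:
    """Problems to fix before entering the line; an empty list means it is safe."""
    try:
        cache = parse_set_command(line)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    upper = line.upper()
    if "!M" in upper and "!MB" not in upper:
        problems.append("hex !M form used; prefer the decimal !MB form")
    if cache == 0:
        problems.append("cache would be zero")
    if cache > available_bytes:
        problems.append("cache exceeds available memory; the server would freeze")
    if cache > MAX_TESTED_BYTES:
        problems.append("larger than the largest tested size (2 GB)")
    return problems


if __name__ == "__main__":
    # constructed sample servers: (RAM in MB, role)
    for ram, role in ((256, "application"), (512, "dedicated"), (512, "dedicated+arcserve")):
        line = set_command(recommended_cache_bytes(ram, role))
        print(f"{ram} MB {role:19} -> {line}  {check_set_command(line, ram * BYTES_PER_MB)}")
    print(check_set_command("SET DSTRACE=!M55000000", 256 * BYTES_PER_MB))  # hex pitfall
```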
3.16.2 Tuning the directory—my recommendations
My recommendations are based upon much experience and talking to someone who has seen/worked on Novell’s NDS source code.
Use 256 MB RAM as a minimum for NDS servers
If using NDSv8, or above, cache the entire NDS database in RAM
Use a RAID 5 configuration with a hot-swappable spare
Use SCSI hard drives (for the best I/O)
Use the same NDS version throughout your entire tree—and upgrade within a replica ring before moving on to the next replica ring
Use the same DSREPAIR version within replica rings
Never upgrade LOW PRIORITY THREADS (a server SET command)
Patch your current NDS and NetWare version
Keep the SYS volume free of print queues, applications, user home directories, etc.—dedicate the SYS volume to NDS and the OS installed utilities
Remove the Java SWAP file from the SYS volume—you can use the following server console commands:
:SWAP ADD VOL1
:SWAP DELETE SYS
Up the MINIMUM PACKET RECEIVE BUFFERS in SERVMAN (4.x) or MONITOR (5.x). Check your available free buffer space first (you can’t do this tuning on a 48MB RAM machine). I like to use 3000 as my minimum, 10,000 as my maximum.
Set the minimum service processes to 1000 or 3 per connection—not per user, per connection. NDS will take this last number (Minimum Service Processes) and divide it by 2 and limit its authentication buffers to this limit. Thus this number needs to be ≥2 × the MAXIMUM number of simultaneous expected concurrent logins.
Also set the new service process wait time to 0.3. MONITOR > SERVER PARAMETERS > MISCELLANEOUS
Also make sure you don’t share interrupts on your hot cards (LAN, disk, etc.). Always use BUSMASTER cards to offload work.
Realize that your bottleneck, in medium to large sites, may be network traffic. Use more than one network card and use specialized network cards in your server. For example, companies like Alacritech (www.alacritech.com) make a network adapter that offloads CPU processing to its LAN card chipset. They brag of an average performance gain of 238% over Intel’s PRO/1000 Gigabit Ethernet adapter—with non-Gigabit tests running at more than a 400% improvement. Intel and Cisco have teamed up for a proprietary solution. You can also look for 3Com and other major NIC vendors to have load balancing solutions.
3.17 Tools for NDS
Many clients ask me for NDS tools and recommendations. There are not too many tools for such an important database. I outline my most important tools and advice. Most of these freeware tools can be downloaded at http://www.novell.com/coolsolutions/freetools.html.
3.17.1 NDS Aware RCONSOLE
Freeware. A very cool tool written by a friend. RCONSOLE is normally a service that a NetWare server advertises with a type 107 SAP. You can let router boy filter the SAP and still connect to every server in your enterprise via the type 4 (NetWare server) SAP. Don’t be without this tool.
3.17.2 REMADR.EXE
Freeware. Intended for NetWare 4.10 servers that might experience problems with concurrent connection restrictions on users where the simultaneous user connection property has been limited. This utility clears out the network address attribute on a per-user basis. Read the documentation for more information.
3.17.3 (NDS) Report Generator
Freeware. Tool to generate complete documentation reports from NetWare 4.x (and 2.x/3.x) servers.
3.17.4 DS Designer
If you have a large tree, you can hardly do without this utility. DS Designer is an excellent third-party utility for modeling and recording your NDS tree, partitions and replica rings. DS Designer is very useful for proactive modeling and current documentation. The utility is cheap and should be in every shop with over 25 servers as well as in the toolbox of every consultant who consults on NDS tree designs. You can use DSDesigner to run a schema comparison. The program uses SCHCMP.EXE to do the schema comparison for you, and analyzes the report file. You can use it for NDS Health Checks too. http://dsdesigner.hypermart.net
3.17.5 SAP Snoop
Freeware. Find all of the SAPs on the network. This is not purely an NDS utility, but worth mentioning.
3.17.6 Script
Freeware. Allows you to import/export login scripts.
3.17.7 Sync scrsav pwd AOT
This tool uses a ZENWorks AOT file to set the workstation screensaver to the NDS password. The marquee is the NDS user name.
3.17.8 SCANTREE
Novell’s SCANTREE utility can analyze the NDS tree and provide essential information—number of levels of NDS, types of leaf objects, etc. SCANDS.EXE is available from http://support.novell.com.
3.17.9 Schemax
Schemax is a free NDS tool to extend the schema. It should now be integrated into ConsoleOne—Novell has been talking about doing this for some time. If not, it is a free download.
3.17.10 TREEINT.NLM
A freeware NDS tree integration utility buried on Novell’s developer site that merges a one-server tree into any other size tree—great for new server rollouts. Search at developer.novell.com.
3.17.11 NDS Aware TIMESYNC
TIMESYNC is an NDS module/NLM that provides uniform time between NetWare servers. TIMESYNC.NLM is dependent upon SAP type 26B. The NDS Aware TIMESYNC uses full NDS names to locate other NetWare time servers. It piggybacks on top of the NetWare server SAP type 4—thereby allowing router boy to filter SAP 26B. Like DSTRACE, this version uses color to highlight critical information. This utility is backward compatible with previous versions.
3.17.12 Dream LAN
DreamLAN Consulting publishes some great NDS tools (www.dreamlan.com).
3.17.13 DSDIAG.NLM
DSDIAG is available for free download from Novell—or comes with NetWare 5.1. This is a multipurpose C-Worthy utility used to run reports on NDS. For example, you could run a schema comparison report with DSDIAG.NLM using the –DA switch, and then run the List Schema report. You will then be able to identify schema inconsistencies. Note: This utility is also used to run reports to import into the third party software DSDESIGNER.
Check the Novell TIDs to explain the functionality of this module. Information gathered by DSDIAG.NLM includes:
Detailed diagnostic information on the NDS tree partitions and replica rings.
Partition status
Number of Readable Rings
Documents Replica Rings
Subordinate References in each ring—important
Version and Server name
Address of NDS—the DS.NLM
Replica depth of Network
Consistency check
Locates partition roots by NDS or by servers
Unreachable partition reports
Isolates duplicate IPX internal addresses
This is not a very intuitive tool.
3.17.14 CRON.NLM
Just about any server task can be automated with CRON. CRON.NLM is an unsupported administrator tool used to schedule command line tasks. This is a great utility to automate mundane tasks. Some best practices are to use CRON jobs to:
Back up NDS—save .DIB sets daily
Run the CONFIG.NLM
PURGE volumes—use a CRON job to purge your SYS volumes monthly.
Warning: I see many shops using STUFFKEY.NLM to run DSREPAIRs—don’t. DSREPAIR can error out or ask for additional keystrokes—which can keep the database locked. Use CRON.NLM and the provided switches to run DSREPAIRs.
3.17.15 Backing up the NDS database
Back up your NDS database nightly—this, of course, can and should be done by your backup software. You would be wise to make a .DIB set of the database too. A .DIB is a proprietary copy of the database dumped to the SYS:SYSTEM directory. The .DIB set can only be restored by Novell’s technical support; therefore, don’t substitute it as a backup in place of the nightly NDS backup with your regular backup software. Best Practice: Make a CRON job to do a DSREPAIR –RC nightly.
3.17.16 NetPro
http://www.netpro.com/
NetPro is one of my favorite third party tools. Two of the NetPro line of Novell supported products are DS Expert and DS Analyzer. DS Expert version 3.2 for NDS—its sister product would be Directory Analyzer for Active Directory.
DS Expert is an NDS monitoring utility. Do an NDS health check from one tool—no going from server to server. Multi-server trace features can set up multiple DSTRACE screens together. Monitor and report NDS schema inconsistencies or stuck obits—probably the two most problematic NDS issues. NetPro’s DS Expert monitors over 30 conditions in real time. Alerts are sent via SNMP so any application or alerting system that supports SNMP will page, e-mail, call, alert whatever way is supported.
Smartly, the application is event driven (real time)—versus a less efficient polling interval
NDS alerts are given via SNMP
Health check information is presented 24X7 in real time
The admin can get an at-a-glance view of the tree—tree and partition view of the NDS database. You can decide how you want to view the information. You set thresholds, and when there is an event, the agents alert by e-mail, pager or any SNMP-enabled device.
DS Expert focuses on the infrastructure of NDS. Does not report on locked out users, attribute changes, etc. Supports NDS versions 6, 7 and 8.
Will integrate with ManageWise
37 different alert Events; most are DS or low SYS space
600K minimum RAM footprint
3-tiered architecture
Stores log files and communicates with all agents
Alert logs displayed in GUI, may be viewed by Novell’s portal Portal > NDS Management
The DS commands page allows DSTRACE commands to be executed on the server—which gives you the chance to correct many replication problems. It is NCP protocol dependent.
DS Analyzer monitors their monitors, and will send alerts about agents not loaded on servers.
DS Analyzer 2.0
DS Analyzer is NetPro’s look inside of NDS from a network traffic view—a protocol independent NDS sniffer. (See Figure 3.3.) The product includes:
DS Analyzer sports a distributed architecture
Uses two NLM’s that do not poll
2MB RAM minimum footprint (16MB RAM was reported once on a box with 133 replicas and a DIB set of over 600), 2%–16% utilization hit on server CPU
Agent is distributed on each server
DS Analyzer uses a proprietary database
Admin can trend information
Admin can see the effects of ZEN for Desktops, DHCP, or other directory enabled applications in the NDS tree. Background processes are identified
Saves info for 30 days (configurable) in DB by default or by size of the DB (up to 1 GB)
Server specific—even the servers without replicas
Figure 3.3 NetPro’s DS Analyzer version 2.0
Specific information (e.g., can see how many hops that a client uses to login).
Relies on the Administrator to make a change to NDS—the program does not make changes.
Runs on NetWare 4.11 up to current eDirectory
Displays background processes associated with NDS—tree walking, schema, synchronization
A client specifies a time range to poll information and unicast it back to the client
Knowledgebase in the product with possible causes, NDS resolution items and corresponding NDS error codes
Knowledge based information written by former Novell NDS gurus
Best Practice: Make an NDS change, and then validate your change with before and after graphs using DSAnalyzer. This can help you make your tree more efficient.
3.17.17 Visio
Now owned by Microsoft, Visio is an impressive utility. It is supposed to auto-discover your network though I have never gotten this part to work very well (in older versions). It can discover your entire NDS tree, but I would prefer to use this utility for design purposes. I like DSDesigner better for NDS design purposes.
3.17.18 DSBROWSE.NLM
The DSBROWSE.NLM allows you to view a NetWare 5.x DIB file. Similar functionality to the DSVIEW for NetWare 4.x, but better. This is for advanced administrators.
3.17.19 NDS links
www.netwarefiles.com
www.novellfans.com
www.novellshareware.com
http://www.novell.com/coolsolutions/freetools.html
www.visualclick.com
www.novell.com/coolsolutions
http://developer.novell.com
http://developer.novell.com/research
www.connectotel.com
www.dreamlan.com
www.netadmincentral.com
There are more. Most are linked from within these main sites.
4 IP and IPX Management
Forget what you think you know about Pure IP starting in NetWare 5.0 and read this chapter. Service Location Protocol and name resolution are probably the two most misunderstood networking concepts in NetWare 5.
The use of IP in NetWare is not new with 5.x or 6.x. NetWare has long supported IP. Novell has supported IP and NetWare IP (NWIP) starting in NetWare 4.01. NWIP is an ugly solution where the IPX legacy traffic is encapsulated into IP packets—NCP, RIPs and SAPs still needed IPX for transport. In NWIP, there are elements like DSS servers that store SAPs, and a lot of planning is required to use this proprietary solution. Many large customers adopted the NWIP solution. It was imperfect at best. Support, troubleshooting, and requisite expertise were difficult as few people inside Novell were experts.
Enter Pure IP. Pure IP is Novell’s marketing term for NetWare Core Protocol (NCP) within IP. Up to NetWare 4.2, IPX was the core protocol that existed within the kernel programming of NetWare. It is no small task to recode the kernel for IP. Novell, smartly, did not tie NCP to IP, but rather programmed the kernel modularly—able to accept any supported protocol running NCPs. This important change will enable Novell to embrace future protocol changes more efficiently. Novell’s direction of support for open standards may lead them to embrace replacements to NCP, like HTTP, LDAP and WebDAV.
Until NetWare 6.x, Novell’s IP stack was not optimized to handle today’s super hardware platforms—it makes no use of additional server CPUs. Novell hasn’t needed beefy hardware to accomplish file and print as it is more of a cache machine—relying more on the I/O subsystem and the amount of RAM than the speed of the CPU. I have included IP and IPX performance tuning information in the last chapter.
Some important points about Novell’s IP stack:
Supernetting is supported, in NetWare 5.1 and 6, as an end-node only; you cannot use the server as a router in this function. Novell’s TCP/IP stack does allow for the 1-bit subnet mask
The IP stack supports multi-threading over more than one processor—but ONLY with NetWare 6.x
4.1 NetWare 6 TCP/IP improvements
The IP stack has been rewritten for NetWare 6. Some of the improvements are realized only through NIAS—the new name of Novell’s multiprotocol router.
It is now multiprocessor safe—obviously implying that it was not before. Your old multiprocessor server hardware was a waste as NetWare couldn’t make proper use of the processors. Anyway, NetWare is rarely CPU intensive; it is mostly I/O intensive—see the tuning section in the last chapter.
You can now set multiple default gateways—great for mesh environments
Dead gateway detection—what good are multiple gateways when you have no mechanism to automatically “roll over” to the next one
4.2 IP packet types
The IP stack creates the following packet types:
Broadcasts—255.255.255.255 addressed packets go to all hosts on the network—routers do not normally propagate IP broadcasts
Multicast—A single IP address is used to join a group of other “like” multicast addresses—in SLP the general 224.0.1.22 address is used to join a multicast group—the multicast group members are maintained by the router
Unicast—The most efficient method of transportation is a unicast packet, which is sent directly from one host to another
Anycast—A feature of IPv6 only, anycast is similar to multicast, but sends the packet only to the closest member of the group
4.3 IP management utilities
The NetWare 5 operating system enables you to use pure TCP/IP rather than IPX/SPX on your network. IP allows you to have one manageable protocol on your network—which, in turn, reduces the amount of network traffic in your network. However, IP networks require more configuration and administration of addresses than IPX networks. Again, when was the last time you set a default gateway for your IPX clients?
4.3.1 DNS/DHCP management console
DNS functions as a name space provider. It is used as a database to map IP addresses to host names. The name www.novell.com means nothing to the network. DNS gives meaning to the name by matching the name to an IP address—much like the government matches your name to a social security number. Other name space providers are NDS and WINS. Your workstation’s NWHOSTS file can map IP addresses to host names too, but doesn’t provide the functionality of DNS. NDS is a distributed, replicated naming service that maintains information about and provides access to every resource on the network.
Interestingly, Novell has made a separate Java console to support DNS and DHCP. The DNS/DHCP Management Console is made up of the following:
Object Hierarchy pane—On the left; displays objects to manage as well as showing their relationships
Detail pane—On the right; gives detailed configuration parameters for the currently selected object
Server pane—At the bottom; shows an icon for each server running the DNS service—notice mine has a red X through it, signifying something isn’t working correctly on the server
Toolbar—Interestingly, Novell chose not to put in a menu, but rather a set of toolbar objects. All commands, therefore, are run from the toolbar—different buttons are illuminated depending upon which object(s) you highlight
Figure 4.1 The DNS/DHCP Java Management Console utility.
Toolbar
Exit—Sortie in French
Create—Why a box icon means create, I’ll never know. This button is dependent upon the highlighted object you pick. For example, you cannot create certain objects without highlighting their relational object.
Delete—Take out of the tree
Save Data to NDS—Port the current configuration into the NDS tree
Tree Refresh—Refresh NDS and the current screen
Import DNS Database—Bring in a DNS database previously exported
Export DNS Database—Export the database periodically for backup purposes
View Events/Alerts—Dependent upon CSATPXY.NLM; add it to your AUTOEXEC.NCF
View Audit Trail Log—Dependent upon CSATPXY.NLM; add it to your AUTOEXEC.NCF
Start/Stop Service—Unloads/loads NAMED.NLM on the server console
Help

ZONES tab (in the right pane when the DNS server is highlighted)

For the most part, the data is informational.

Forwarding List tab

Used to reduce name resolution packet traffic over WAN links by adding a name server to the forwarding list.

No-Forward List tab

Used to prevent the DNS server from resolving names for specified domains.

Attributes tab

For a zone object:

Domain Name—Domain name associated with the zone object—cannot be changed after it is created
Zone Type—Primary or secondary
Available DNS Servers—Lists DNS servers defined in NDS but not authoritative for the zone
Authoritative DNS Servers—Lists NetWare 5 DNS servers authoritative for the zone
Dynamic DNS Server—DDNS server designated to receive all address record changes from DHCP and to update NDS
Comments—I like your hair, router boy—and other stuff like that

Note: The server specified in the Zone-In DNS Server field will perform the zone transfer to retrieve the zone data and then populate NDS with the required objects. Other NetWare 5 DNS servers in the same NDS tree that are authoritative for the secondary zone obtain their data from NDS.
SOA (Start of Authority) Information tab

Edit the SOA serial number upon each change to signify to other DNS servers that a zone transfer is necessary—no change, no update. An SOA record declares the domain for which a server is authoritative—in NDS the SOA record is represented by detail parameters for the Zone object.

Zone Master—Name of the zone
E-mail Address—Primary contact person for the zone—the @ is not accepted, use a period instead, as the @ character has a specific meaning in DNS
Serial Number—Used for updates and changes, this number is a mix of year, month, date, and revision number. Secondary zone DNS servers initiate an update based on this number.
Refresh—Minutes a secondary DNS server waits before checking the serial number on its source name server to determine if a zone transfer is necessary—default is 180 minutes (may be too long on medium-sized networks)
Retry—Time in minutes a secondary DNS server waits after a failed zone transfer before reattempting—default is 60 minutes (I like to use 15 or 20 minutes)
Expire—Hours that a secondary name server will keep trying to perform a zone transfer—if the secondary name server cannot perform a zone transfer within this time, it discards the data for the zone
Minimum TTL—Value that determines how long DNS servers can keep the queried zone record responses in their cache (unless things change often, a longer time in cache is preferred)

Options tab

Configures logging for events and auditing.

None—What can I say?
Major Events—Preferred setting
All—Be careful; this is useful when troubleshooting a specific problem
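As an added illustration (not from the book or from Novell), the following Python models the SOA fields just listed: the @-to-period rule for the contact address, the year/month/day/revision serial, and the way a secondary applies Refresh, Retry and Expire. The helper and class names are my own, and the timers take the units the console shows.

```python
from datetime import date

def soa_rname(email):
    """Write the zone contact the way the E-mail Address field expects: the @
    becomes a period, and a period inside the mailbox part is escaped so it is
    not read as a label separator (constructed helper, not Novell's code)."""
    mailbox, domain = email.split("@", 1)
    return mailbox.replace(".", r"\.") + "." + domain

def today_stamp():
    """YYYYMMDD integer for the current day, the date part of a serial."""
    return int(date.today().strftime("%Y%m%d"))

def next_serial(current, day_stamp):
    """Bump a YYYYMMDDnn serial.  Same day: next revision.  New day: nn=00.
    The serial never goes backwards, so a serial that was typed with a date
    in the future still advances (secondaries only act on a larger number)."""
    if current // 100 == day_stamp:
        if current % 100 == 99:
            raise ValueError("99 revisions in one day; wait for a new day stamp")
        return current + 1
    fresh = day_stamp * 100
    return fresh if fresh > current else current + 1

def needs_transfer(secondary_serial, master_serial):
    """No change, no update: transfer only when the master's serial is larger."""
    return master_serial > secondary_serial

class SecondaryZone:
    """Walks through what a secondary does with Refresh, Retry and Expire.

    Timers are in the units the console shows (minutes for Refresh and Retry,
    hours for Expire).  Time passes through advance(); master_serial is None
    when the master cannot be reached, otherwise its current serial."""

    def __init__(self, serial, refresh_min=180, retry_min=60, expire_hr=168):
        self.serial = serial
        self.refresh = refresh_min
        self.retry = retry_min
        self.expire = expire_hr * 60
        self.since_ok = 0            # minutes since the last successful check
        self.due = refresh_min       # value of since_ok at which to check again
        self.authoritative = True

    def advance(self, minutes, master_serial):
        self.since_ok += minutes
        if self.since_ok < self.due:
            return "waiting"
        if master_serial is None:
            if self.since_ok >= self.expire:
                # Expire reached without a good check: the zone data is
                # discarded and the secondary stops answering for the zone.
                self.authoritative = False
                return "expired"
            self.due = self.since_ok + self.retry   # failed: come back after Retry
            return "retry"
        action = "in sync"
        if needs_transfer(self.serial, master_serial):
            self.serial = master_serial              # the zone transfer itself
            action = "transferred"
        self.since_ok, self.due = 0, self.refresh    # any good check resets Expire
        self.authoritative = True
        return action
```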
Note: You must load CSATPXY.NLM on the target server to enable the DNS/DHCP Management Console to retrieve logs—load this NLM in the DNS server(s)’ AUTOEXEC.NCF file. For DHCP logs, load the DHCP server with the –d3 switch to create a server log file for troubleshooting.
DNS resource records

DNS zone database entries are called resource records. There are many, but the most important are:

Address Resource Records—Commonly referred to as an A record. Every host referred to by name must have at least one address record. Some hosts have several names for one IP address; sometimes you want to have several IP addresses for the same host name to load balance between them.

Note: If you have a stable DNS environment, put all of your NetWare servers into DNS and use it for name resolution. Some of my clients are using SLP DA DNS names to load share and provide fault tolerance among DAs in the same scope. Note that load sharing in DNS works backwards, in that names are read from the bottom up.

CNAME Resource Records—Canonical name records are used to assign alias names to hosts
Pointer Resource Records (PTR)—Maps an IP address to its associated host name. PTR records are only found in reverse naming—IN-ADDR.ARPA—zones.
Mail Exchange Resource Records (MX)—E-mail server record—used by outside mail exchangers that query DNS to identify the MX resource records for your domain.
Name Server Resource Records (NS)—Required for both forward and reverse naming zones. Each authoritative DNS server for a zone must be defined in an NS record for the zone.
BIND database files

Boot—Master configuration file
Cache—Defines the addresses of the root name servers for DNS—host information for basic DNS communication
0.0.127—Reverse lookup data for IP addresses on the loopback network
Reverse-netid.in-addr.arpa—For each netid managed by the DNS server, a reverse lookup file is required to specify address-to-name mappings
Domain—Name-to-address mappings for a forward lookup zone database—needed for each domain managed by the DNS server

Novell’s DNS RFC support

NetWare’s DNS is BIND—Berkeley Internet Name Domain—4.9.6 compliant. Novell’s DNS can exist in a network with other BIND 8.1.1 servers—and can accept a BIND master file from an 8.1.1 version of BIND and import it into Novell’s DNS database using the import options.

RFC 1996—notify

This is a procedure for a DNS master to notify secondary DNS servers that changes have taken place, so that they can perform a zone transfer to get the updates. This isn’t very important for Novell’s DNS server, as NDS is used to replicate between the servers (for example, secondary DNS servers “pick up” zone changes themselves directly from NDS rather than from primary DNS servers, as these changes are replicated across the NDS partitions).

RFC 2136—dynamic update (without security)

Novell has implemented dynamic update in a proprietary fashion. Novell’s DNS server receives DNS updates—from Novell DHCP servers—via a server-to-server IP link. This is not yet supported with non-Novell servers, but may be in a future release by implementing this RFC as an option—and possibly enhanced by offering DNSSEC as an option as well. Other than these two RFCs, BIND releases (8.1.1 to 8.1.2 or 4.9.6 to 4.9.7) generally add only minor fixes from version to version. Not every change to BIND is necessarily supported by Novell or any other vendor.
DNS was supported in NetWare 4.11 through BTRIEVE, and only one zone was supported. DNS in NetWare 5 uses NDS to store DNS-related information. As you configure DNS on a NetWare 5 server, you are configuring NDS information and objects too. This way your DNS infrastructure on/in NetWare is replicated via NDS replication—which provides fault tolerance and, hopefully, closer end-user query resolution. Realize that DNS entries may be input separately from NDS on a per-server basis too—but it would be very inefficient in large installations. DNS is not the primary name resolution mechanism in NetWare’s post-NetWare 5 releases—SLP and NDS are. Contrast this to Microsoft’s Active Directory, which uses DNS as the name resolution mechanism. Microsoft’s DNS implementation may be put into Active Directory, or used as a separate database—again, putting it in the directory service takes advantage of the benefits of a directory service.
4.3.2 DHCP management

A NetWare 5 DHCP server can issue an IP address to any client that follows the RFC 1541 specification—UNIX, Mac, Windows, or NT client. The version of DHCP that ships with NetWare 5 does not have any redundancy built in. This means that if Server X goes down, Server Y does not automatically take over. However, you can achieve a certain level of redundancy through a design that uses two servers on the same segment that have the same scope defined—only one server would have the DHCP service turned on. If that server went down, it would be an administrator’s duty to manually start the service on the other server.

A manual IP assignment must be an IP address outside of any address range allocated in the range object. For example, if you have an address range of 130.57.48.0 to 130.57.48.100, you won’t be able to create a manual assignment of 130.57.48.87. The manual assignment must be an IP address that does not fall between 130.57.48.0 and 130.57.48.100. In this case you may be able to create a manual assignment using any number between 130.57.48.101 and 130.57.48.125; in other words, 130.57.48.120 can be a valid manual IP assignment.

By default, DHCP will not pass through a router—the DHCP discovery uses an IP broadcast packet to 255.255.255.255. Router boy will need to enable either BOOTP forwarding or some kind of IPHELPER on the router, set to forward requests to the DHCP server—a NetWare server can also be used to forward BOOTP requests. The fix for this problem is to configure BOOTP Forwarding or IPHLPR on the routing device between the DHCP client and the DHCP server. The forwarder needs to direct the DHCP broadcast packets to the DHCP server’s IP address.

DHCP support

NetWare 5 includes support for the Dynamic Host Configuration Protocol (DHCP) to reduce the level of address configuration in your IP network. Its purpose is to provide hosts with configuration information such as subnet masks and IP addresses. I love DHCP as:
Administrators can configure one source of DHCP database information to send down to clients—versus manually inputting values on the client
Administrators can change any setting in one place for every client serviced by DHCP (per scope, subnet or globally)
This structure is a hierarchy of domains that is similar to the inverted tree structure used in Novell Directory Services (NDS). RFCs 1033, 1034 and 1035 describe the DNS standard.

The DHCP management console

The Java DNS/DHCP Management Console is not intuitive. You’ll have to play with it to learn it.

Toolbar

The toolbar begins with:

Exit—Sortie in French
Create—This button is dependent upon the highlighted object you pick. For example, you cannot create certain objects without highlighting their relational object.
Delete—Erase, rub out, remove, obliterate
Save Data to NDS—Saves your configuration to the NDS database—it can always be edited
Tree Refresh—NDS information refreshed for this management console
Figure 4.2 The DHCP portion of the DNS/DHCP Java Management Console utility.
Global Preferences—Here is your one-stop shop to configure like options for every assigned IP address you are giving out—WINS servers, NDS servers, preferred NDS tree, and DA options are a few that might be applicable
Import DHCP Database—Bring in a DHCP database previously exported
Export DHCP Database—I use the export option as a backup option—consider it. Periodically export the database to a file on your admin workstation or another server
View Events/Alerts—Dependent upon CSATPXY.NLM; add it to your AUTOEXEC.NCF
View Audit Trail Log—Dependent upon CSATPXY.NLM; add it to your AUTOEXEC.NCF
Start/Stop Service—Unloads/loads the NLM from the server console
Help—Assistance; try it once
Options tab

Configures logging for events and auditing.

Set SNMP Traps Options

None: Select if you are not using SNMP
Major Events: Preferred setting
All: Be careful; this is useful when troubleshooting specific problems, but can generate too much traffic. Many medium to large sites have SNMP enabled and can use a management console for DHCP problems.

Audit Trail Events and Options

None: Nada
Major Events: Preferred setting
All: Be careful; this is useful when troubleshooting a specific problem, but can generate too much traffic.

Note: The CSATPXY.NLM must be loaded on the target server to retrieve logs to display in this console.

Enable Audit Trail Log (check box)—DHCP records entries in the audit trail log only when checked

Mobile User Option—Mobile users are supported by the following options:

No Mobile User Allowed: No Duplicate policy—will not assign a node more than one IP address (e.g., a user gets one on their network card that lasts for a three-day lease, then goes home and gets another on their modem/PPP connection)
Allow Mobile User But Delete Previously Assigned Address: Delete Duplicate policy—permits a client to change IP addresses and deletes the old IP address as a new one is assigned
Allow Mobile User But Do Not Delete Previously Assigned Address: Allow Duplicate policy—uses the same IP address for the same node every time it connects to the same segment. Will allow one node to have potentially several IP assignments (least efficient approach)
Ping Enabled (check box)—Always check this box. This sends a PING packet to see if the IP address is in use before assigning it. The tradeoff is a short delay—it is worth the delay.

Levels of DHCP options

Choose to set DHCP tag options by:

Global—Applies to all addresses and subnets unless explicitly overridden by Subnet or IP Address options
Subnet—Applies to all client IP address assignments within a subnet unless overridden by IP Address options
IP Address—The most granular, thus the most administratively heavy, of the choices
DHCP numerical options

I list only the most important options I have run into in Table 4.1. (For the complete list go to www.iana.org.) All of these options can be manually set at the client too—better to configure them to be handed out by the server if at all possible. See Chapter 1 for more information on any of these parameters.

Table 4.1 DHCP Option Numbers

Option Code  Name                              Description
1            Subnet Mask                       The subnet mask for the client
3            Router                            List of all of the default gateways
6            Domain Name Server                IP address(es) of DNS server(s)
12           CMD                               Specifies the network number of the CMD feature—usually FFFFFFFD
13           CMD                               Specifies the minimum value in minutes before clients attempt to refresh their MA addressing information
14           CMD                               List of addresses for MA servers (servers running the SCMD /MA option)
44           NetBIOS over TCP/IP Name Server   List of IP addresses of WINS servers in order of preference
45           NetBIOS over TCP/IP Node Type     1=b-node; 2=p-node; 4=m-node; 8=h-node
62           NetWare/IP Domain Name            NWIP domain name
63           NetWare/IP Info                   All other NWIP information
63-12        CMD IPX Network Number            Hex value to indicate the CMD network number. By default this is FFFFFFFD. I do not recommend changing it. All clients and servers participating in CMD should use the same value.
63-13        CMD IPX Stale Time                Used to discover MAs through SLP. 0 disables the timeout
63-14        CMD MAs                           Lists up to 10 MAs; no entries makes the client use SLP to discover MAs
69           SMTP-Server                       Simple Mail Transfer Protocol server address(es)
70           POP3-Server                       Post Office server address(es)
71           NNTP-Server                       Network News server address(es)
72           WWW-Server                        Web server address(es)
78           Directory Agent                   SLP DA IP address(es) with scope information and a multicast-or-not option (to locate the DA)
79           Service Scope                     SLP scope listing(s)
85           NDS Server                        Identifies server(s) with a replica—used for name resolution and authentication
86           NDS Tree Name                     Client’s assigned NDS tree
87           NDS Context                       Client’s assigned NDS context—where he exists in the NDS tree
Troubleshooting tools

Novell’s IP troubleshooting tools and tips include:

Novell provides a DHCP locator object utility (http://support.novell.com).
Look for the log file in \ETC\DHCPSRVR.LOG when you use the log file switch option—DHCPSRVR –d3
Reload the DHCP objects in NDS with DNIPINST.NLM—DNIPINST –R. Be careful, as you are wiping out all of the objects and reloading them.
NSLOOKUP.NLM, freeware from Novell’s CoolSolutions Web site, lets you use the server to query A, NS, MX, CNAME, and PTR records (syntax can be found in Chapter 2)
Use a sniffer program to find DHCP (and many other) problems
Look up TIDs
Go to freeware/shareware sites

Valid DHCP sniffer packet decodes would include:

1. DHCPDISCOVER—Client broadcast to locate available servers
2. DHCPOFFER—Server-to-client response to DHCPDISCOVER with an offer of configuration parameters
3. DHCPREQUEST—Client broadcast to servers requesting offered parameters from one server and implicitly declining offers from all others
4. DHCPDECLINE—Client to server indicating configuration parameters (e.g., network address) are invalid
5. DHCPACK—Server to client with configuration parameters, including committed network address
6. DHCPNAK—Server to client refusing request for configuration parameters (e.g., requested network address already allocated)
7. DHCPRELEASE—Client to server relinquishing the network address and canceling the remaining lease
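As an added example (not from the book or from Novell), here is a Python decoder for the DHCP message types listed above and for the Table 4.1 options a NetWare client cares about, run over a DHCPOFFER constructed inline. The wire encodings follow RFC 2132, RFC 2610 (options 78 and 79) and RFC 2241 (options 85 to 87); the addresses, tree name and context in the sample are made up, and the function names are my own.

```python
import struct
from ipaddress import IPv4Address

# Option 53 values, named as in the sniffer-decode list above.
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST",
                 4: "DHCPDECLINE", 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE"}
# Table 4.1 codes plus what every offer carries; wire encodings follow
# RFC 2132, RFC 2610 (78, 79) and RFC 2241 (85 to 87).
OPTION_NAMES = {1: "Subnet Mask", 3: "Router", 6: "Domain Name Server",
                44: "NetBIOS Name Server", 45: "NetBIOS Node Type",
                51: "IP Address Lease Time", 53: "DHCP Message Type",
                54: "Server Identifier", 78: "Directory Agent",
                79: "Service Scope", 85: "NDS Server",
                86: "NDS Tree Name", 87: "NDS Context"}
ADDRESS_LISTS = {1, 3, 6, 44, 54, 85}
NODE_TYPES = {1: "b-node", 2: "p-node", 4: "m-node", 8: "h-node"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"
FIXED_HEADER_LEN = 236          # BOOTP fields that precede the magic cookie

def _addresses(data):
    if len(data) % 4:
        raise ValueError("address list length is not a multiple of 4")
    return [str(IPv4Address(data[i:i + 4])) for i in range(0, len(data), 4)]

def decode_option(code, data):
    """Turn one option's raw value bytes into something readable."""
    if code in ADDRESS_LISTS:
        return _addresses(data)
    if code == 45:
        return NODE_TYPES.get(data[0], "unknown (%d)" % data[0])
    if code == 51:
        return struct.unpack("!I", data)[0]           # lease in seconds
    if code == 53:
        return MESSAGE_TYPES.get(data[0], "unknown (%d)" % data[0])
    if code == 78:          # mandatory flag byte, then DA addresses
        return {"mandatory": bool(data[0]), "agents": _addresses(data[1:])}
    if code == 79:          # mandatory flag byte, then comma-separated scopes
        return {"mandatory": bool(data[0]),
                "scopes": data[1:].decode("utf-8").split(",")}
    if code in (86, 87):
        return data.decode("utf-8")
    return data.hex()       # anything else: show the raw bytes

def parse_dhcp(packet):
    """Return {field or option name: decoded value} for one raw DHCP packet."""
    if len(packet) < FIXED_HEADER_LEN + 4:
        raise ValueError("packet too short for a DHCP message")
    if packet[FIXED_HEADER_LEN:FIXED_HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("no DHCP magic cookie (plain BOOTP or not DHCP at all)")
    result = {"op": "BOOTREQUEST" if packet[0] == 1 else "BOOTREPLY",
              "yiaddr": str(IPv4Address(packet[16:20])),   # offered address
              "giaddr": str(IPv4Address(packet[24:28]))}   # relay agent, if any
    pos = FIXED_HEADER_LEN + 4
    while pos < len(packet):
        code = packet[pos]
        if code == 255:                                  # end option
            break
        if code == 0:                                    # pad
            pos += 1
            continue
        length = packet[pos + 1]
        data = packet[pos + 2:pos + 2 + length]
        if len(data) != length:
            raise ValueError("option %d runs past the end of the packet" % code)
        name = OPTION_NAMES.get(code, "option %d" % code)
        value = decode_option(code, data)
        if code in (86, 87) and name in result:   # long names may be split up
            result[name] += value
        else:
            result[name] = value
        pos += 2 + length
    else:
        raise ValueError("options not terminated by the end option (255)")
    return result

def build_offer(yiaddr, options):
    """Constructed DHCPOFFER for testing; options is a list of (code, bytes)."""
    header = struct.pack("!4BI2H4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x3903F326,
                         0, 0, bytes(4), IPv4Address(yiaddr).packed, bytes(4),
                         bytes(4), bytes(16), bytes(64), bytes(128))
    body = b"".join(bytes([code, len(data)]) + data for code, data in options)
    return header + MAGIC_COOKIE + body + b"\xff"

# Constructed sample on the book's 130.57.48.0 network; every value is made up.
SAMPLE_OFFER = build_offer("130.57.48.120", [
    (53, b"\x02"),
    (1, IPv4Address("255.255.255.0").packed),
    (3, IPv4Address("130.57.48.1").packed),
    (6, IPv4Address("130.57.48.10").packed),
    (51, struct.pack("!I", 3 * 24 * 3600)),              # three-day lease
    (45, b"\x08"),                                       # h-node
    (78, b"\x01" + IPv4Address("130.57.48.5").packed),   # mandatory DA
    (79, b"\x01" + b"ATLANTA,CORP"),
    (85, IPv4Address("130.57.48.10").packed),
    (86, b"ACME_TREE"),
    (87, b"OU=ATL.O=ACME"),
])
```

Feeding parse_dhcp() the raw UDP payloads from a sniffer trace gives the same decode the book's list describes, one message at a time.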
RFCs related to Novell’s DHCP

RFC 1533—DHCP Options
RFC 1534—Interoperation between DHCP and BOOTP
RFC 1541—This is the main RFC for DHCP
RFC 1542—Clarifications and extensions for the bootstrap protocol

Modules related to DNS/DHCP

A list of modules related to the DNS and DHCP services:

DNSDHCP.EXE—Java Console
–d: Turn on debug window
–mr: Force GUI to Read/Write/Update to the Master Replica
–c: Default Context
–p xxx: TCP port of CSAUDIT proxy (CSATPXY.NLM)—default is port 2000
–mx xxxxxx: Java heap size. Default is 16 MB. –mx 48000000 equals 48 MB
–s : Start to browse the subtree

DHCPSRVR.NLM—Loads the DHCP service on a NetWare server
:DHCPSRVR [–Dx][–Py][–S]
–D2: Debugging operations written to the screen
–D3: Displays debug screen and logs information to \ETC\DHCPSRVR.LOG
–P#: Specifies global polling interval in minutes
–h: Help
–s: Specify master replica for directory operations—reads and writes

Note: In larger implementations of DHCP use the –s switch to specify the master of the partition.

NAMED—Loads the DNS service on a NetWare server. More specifically, NAMED is the server module that accepts DNS queries, resolves them and sends a reply back to the querier. NAMED never generates DNS requests; it only resolves them. It does this by searching in its local database first, then forwarding the query to another DNS server—if not found.
–V: Verbose/shows all information on the screen
–PC: Purge old cache entries/can be used while the NLM is loaded
–v: Loads in verbose mode
–q: Turn off verbose mode
–s [zonename]: Print current status of named
–m zone.dat [context]: Create zone from master file zone.dat
–u zone.dat: Update an existing zone from master file zone.dat
–l: Login as admin
–r some.zone.com: Remove (delete) some.zone.com
–f <scriptfilename> [context]: Create zones using a BIND boot file-like script file
–zi : Force zone in for the argument zone
–a: Turn on auto-detect for new zones
–b: Turn off auto-detect for new zones
–rp : List of characters in domain name to be replaced with “–”
–help: Shows these parameters

DNIPINST.NLM—Adds the NDS schema extensions related to DNS/DHCP
–R: Removes the DNS/DHCP objects, schema extensions and licenses. All zones and subnets should be exported before using this option. They can be imported back in afterwards. After the command:
:DSREPAIR ➝ Advanced Options ➝ Repair Local DS Database
1. Set Check Local References and Rebuild Operational Schema to YES
2. Hit F10
3. Repeat until 0 errors. Wait for DS to synchronize. Then load DNIPINST to put the schema extensions back and reimport the zones and subnets.
Save existing information and remove/recreate the objects in the desired context. You will have to reload DNS/DHCP from the OS CD.
–F: Recreates the DNS/DHCP objects if they do not exist—Locator, Group, RootServerInfo objects

BOOTPFWD.NLM—Relay agent to forward DHCP requests to a remote DHCP server. NIAS can also perform this function.
:BOOTPFWD servers_IP_address SERVER=IP_address [LOG = {YES | NO}][FILE=filename][INFO]
SERVER: DHCP server’s IP address
LOG: YES indicates that forwarding activity is recorded in a log file or to the screen
FILE: Specifies the name of a log file—default is SYS:ETC/BOOTP.LOG
INFO: Current operational status

BootP configuration through INETCFG or NIASCFG:
:INETCFG ➝ PROTOCOLS ➝ TCP/IP ➝ Expert Configuration Options ➝ BootP Forwarding Configuration

DNSCONVRT.NLM—DNS conversion utility used to convert the IntraNetWare DNS database to the DNS file needed in NetWare 5. This method searches for a SYS:ETC\DNS\HOST.DB BTRIEVE file and translates it into SYS:\ETC\DNS\H.DAT. Start the administration console ➝ click on “Import the files” ➝ Browse to SYS:\ETC\DNS\H.DAT. The BIND database format is converted into NDS format, and all the objects will be created for you automatically.

NDS objects relating to DNS/DHCP

The recommended method for organizing DNS and/or DHCP NDS objects is to create a separate container for them. Then partition the OU to allow for a small replica ring to be placed according to NDS best practices for DHCP.

DNS Zone Object—The DNS Zone object is a container object that contains all the data for a single DNS zone. Each DNS zone is represented by a Zone object in NDS—which is the first level of the DNS zone description. A Zone object serves as a container for resource records and can be contained under an O, OU, C, or L.
DNS Resource Record Set Object—The DNS Resource Record Set (RRSet) object is an NDS leaf object contained within a DNS Zone object. An RRSet object represents an individual domain name within a DNS zone and does not appear as an individual object in NDS.
Resource Record (RR) Object—Stores all DNS resource records, but is not represented in NDS as a separate object—each RR object is stored as a property of an RRSet object. RR objects must be created in a Zone container object.
DNS Name Server Object—The DNS Server object (or Service object) is different from the NetWare Core Protocol (NCP) Server object in that it identifies a DNS name server—one running NAMED.NLM. A DNS Server object can be contained in an O, OU, C, or L.

Note: A name server must be defined by an A RR and an NS resource record—you must create the Address Resource Record yourself.

DNSDHCP-Group Object—An NDS object necessary for the DNS and DHCP servers to gain rights to DNS and DHCP data within the tree through the group object. Only one Group object is allowed in each NDS tree. This object is automatically created at the time of installation.
Locator Object—This is the most important object for the DNS/DHCP services. It contains global defaults, DHCP options, and lists all DNS and DHCP servers, subnets, and zones in the tree. The DNS/DHCP management console can display these objects without having to search the tree by using the Locator object. The Locator object itself cannot be displayed by the DNS/DHCP management console; it can only be seen by NetWare Administration. Only one is allowed per tree, also. This object is automatically created at the time of installation.
Subnet Pool Object—A Subnet Pool object provides support for multiple subnets through a DHCP or BOOTP forwarder by identifying pools of subnets for remote LAN address assignments. Subnets must be configured before adding to a pool. A Subnet object is an NDS leaf object.
Subnet Object—A container object that represents an entire IP address range that is assigned to a network segment. It does not allocate any addresses.
DNS/DHCP Management Console ➝ DHCP Service tab ➝ click the create icon on the toolbar
Subnet Address Range Object—Specifies the addresses on a given subnet that are available for dynamic assignment
IP Address Object—NDS object representing an individual IP address assignment—manual or dynamic. Also used to exclude IP addresses.
DHCP Server Object—Specifies a server running DHCPSRVR.NLM. Leaf object.
DNS/DHCP Management Console ➝ DHCP Service tab
1. Click the create icon on the toolbar ➝ select DHCP Server
2. Select the NCP server object to become the DHCP server

4.4 Best practices

I’ve compiled a list of best practices from experience:
Extra NDS DHCP objects affect the SYS: volume—as each IP address taken will port an object into NDS. This means that each user in NDS will have a corresponding IP address NDS object too (and maybe a workstation object), doubling (or tripling) the space in NDS—NDSv8 and above can handle it easily though. Each NDS object consumes roughly 4 KB of space—plan for it. You can use a freeware utility from NetPro (DSCOUNT) to automatically count the number of objects in your tree. Novell’s Console One now will generate NDS reports too—you can use it to count the number of general NDS objects.
For administrator manageability and to reduce NDS traffic, it is recommended that you maintain the DNS and DHCP objects in a separate container. This is always a good practice for any IP related NDS objects (like SLP objects too). The possibility of corrupting the NDS database grows as you put more objects into it, which causes more synchs, which causes more NDS collisions, you get the idea. Keeping objects in separate containers helps by giving you only one smaller NDS OU container to restore.
Put the DNS/DHCP Group, DNS/DHCP Locator, and the RootServerInfo objects in a separate partition that is replicated to all parts of the network where NetWare 5 DNS/DHCP servers are located. It will provide NDS DNS and DHCP information everywhere the replicas are—such as DHCP server, zones, and subnets. Realize, the management utility is required to read this information, in NDS, before it will allow you to modify the configuration.
Create either an OU, L, or C container object near the top of your NDS tree. This container object should be easily and widely accessible. Locate the DNS/DHCP Group and Locator objects under the container object. It is recommended that the location of these objects should not be more than 2 or 3 levels deep.
Create an Administrator Group object under this container also. An Administrator Group should have Read and Write rights to all DNS/ DHCP Locator object attributes except the global data and options fields. Members of this group can use the DNS/DHCP Management Console to create and modify DNS and DHCP objects. Again, it should not be more than 2 or 3 levels deep.
Whenever possible, try to place your DNS and DHCP servers at locations where they are geographically close to the hosts that require their services. Plan to have one DHCP server in each partition of your network to minimize any WAN communications problems caused by normal load, configuration changes, or replication.
Restrict size of DNS Zones to 5,000 objects or less.
DHCP allows for no more than 2,048 objects in a single subnet.
Turn on Ping enabled—in the DHCP management utility—to test the IP address before sending out the address. This should keep you from accidentally handing out taken IP addresses.
When planning your DNS replication strategy, consider that replication is employed for load balancing when you provide multiple name servers within the DNS zone.
4.4.1 Fault tolerant DHCP

Novell doesn’t have a good solution to this yet. Effective, but inefficient, strategies include:

Two boxes run DHCP services on both, but split the DHCP scope addresses between the two servers
Configure two boxes on the same segment with identical DHCP information—manually start the second when the first goes down

4.5 SLP

NetWare 5’s IP implementation uses Service Location Protocol (SLP) for service resolution—and sometimes short name (sometimes called IPX name) resolution. SLP is an optional part of NetWare 5. SLP is mandatory if you:
Support network browsing via Network Neighborhood
Use the Compatibility Mode Drivers (CMD and SCMD)
Support short name resolution—DNS can support short name resolution within a sub zone though
SLP is a multicast IP protocol used to replace the IPX RIP and SAP protocols. In an IPX world, RIP and SAP packets—riding within the IPX packet—would proliferate across the network automatically via broadcasts. Multicast does not broadcast; instead, it only sends a single packet to the router—therefore, SLP is a passive “pull” technology (responding only when there is a query). The router keeps track of nodes that request to be a part of the multicast group. The nodes that are members of the multicast group are the only ones that receive multicast traffic—assuming router boy has set up the router to support multicast (not always a safe assumption). If SLP is implemented on the network, router boy will have to enable multicast support on his routers—there is an exception (manual configuration of clients and server configuration files to locate resources); read on.

The obstacle with most NetWare 5 IP implementations is that the multicast IP protocol needed by SLP, and therefore by NetWare 5 Pure IP, is not turned on on routers by default. The routers will drop the multicast packets if not configured to support multicast, and you would be unable to resolve names via IP until you can configure around the routing problem. You could ping resources, but to resolve services and names, you need SLP, NDS, and/or DNS or the NWHOSTS file.

SLP is an open standard TCP/IP protocol—detailed in Request for Comment (RFC) 2165. SLP is a distant cousin to DNS. SLP is a service location protocol, not a name resolution protocol—although it can resolve short IPX names within multicast range. The difference between a service location protocol and a name resolution protocol is simple. A service resolution protocol queries for a service on the network, such as a server—any server, not a specific name of a server. SLP queries the network, via multicast, for a server. SLP works a little like a broadcast SAP. A server service can be queried on the wire, then a specific service name can be resolved using NDS. Any server that can hear the broadcast will respond. A name space provider, like NDS, DNS or WINS, matches a specific name to a specific machine or node IP address—which is name resolution. In other words, SLP makes a general query, whereas a name resolution protocol makes a machine-specific query (i.e., “I want a server” versus “I want the file server named ATLFS01”).

Warning: Do not implement Pure IP—or even the dual IPX/IP stack using NetWare 5—without first planning for an SLP infrastructure. Without an SLP infrastructure, you will notice long login times from your clients, intermittent server communication problems, NDS problems and other anomalies that you may not be able to explain. NetWare 5 servers are coded to prefer an IP connection over an IPX connection. This can be a problem if your IP infrastructure does not support IP name resolution for your NetWare servers—most don’t. Server-to-server IP communication is done just like IPX—through short names. Without a method to resolve the short name, the IP requests will time out. If both IP and IPX protocols are bound, the server will fall back to IPX, but there will be latency. Therefore, implement your SLP design as soon as you have the second NetWare 5 server in the tree. Migration methods are discussed later in this chapter.

SLP basically serves four main functions:

1. It replaces the Get Nearest Server (GNS) IPX SAP for client location of servers to connect to upon boot up. As your client boots, it sends out multicast packets. These packets are looking for a server to connect to in order to begin the authentication process.
2. Provides short name resolution within multicast range—NDS, DNS and the NWHOSTS file can provide the same functionality
3. Supports the browsing of network resources via Network Neighborhood—Microsoft does this in IP by encapsulating NetBIOS in the IP packet.
4. SLP multicast provides server-to-server name service resolution communication; therefore, NDS communication. NDS is somewhat (but not fully) dependent upon SLP.
The RFC defines the SLP version 1 standard to have two required elements and one optional. UA (User Agent)—The UA makes a request for a service. It is a client or consumer of service information. Both workstation clients and NetWare servers are UAs (it is coded into the software) SA (Service Agent)—The SA is a service that advertises itself when asked. SAs will answer the request of the UA only if the query matches the service type. Each NetWare server is an SA as is any client that has a service to make available to the network. If a service needs to advertise it will make the node an SA. Every server will advertise itself as a bindery.novell SLP service—nwserver.novell shows up if you are using NW5.1 SP1, but is reserved for future use. If the DA is present, the SA will register its service to the DA. DA (Directory Agent)—The DA is optional. It is used as a repository of SA information; I sometimes compare it to a “routing table.” Novell enhances the RFC by porting the DA information into NDS. This was done to replicate the same information among DAs (you will want more than one), as there is no defined DA-to-DA protocol within SLP. The Directory Agent (DA) is used to let a client UA request unicast directly to all known/registered network services (SAs). Note: The TAO release of NDS eDirectory includes a DA for NT servers. Realize that the client acts as a client UA and may act as a SA if it has a service to register (not likely nowadays). Every NetWare server running IP will be a UA and an SA. In the IPX world the server would want to register (via the IPX SAP protocol) at least its server services, print services, RCONSOLE service, etc. It is the same in IP—though done in a different way. The server will request other information (e.g., where is there a DA) via an SLP client UA function—even though it is a server, it acts as a client. 
The UA request is done via multicast (by default; you can change its behavior to broadcast, or to unicast directly to a DA), which has a default limit of 32 hops. An example of the process is a client boot. The client sends out a multicast (224.0.1.35) looking for a DA. If none are present, a general multicast (224.0.1.22) is sent out for a NetWare server to log in to. Every NetWare server, which is an SA, will respond.
The RFC allows for the use of “scopes.” A scope is used for two purposes:
1. To limit client browsing through Network Neighborhood. A client’s UA will search only the scopes that it is assigned to. Each scope is the limit of the client’s browsing ability. Administrators should be assigned all available scopes, which allows them to query and browse all scopes. SLP scopes may be handed out via DHCP, manually configured on the client, sent down to the client via a login script registry hack, or configured via desktop management software like ZENworks for Desktops.
2. To support larger installations. The RFC also specifies that an SLP query can return only a 64K data packet. The 64K limit translates to approximately:
Bindery.Novell (NetWare server) service—700 to 1100
NDAP.Novell (an NDS server containing a replica on it) service—1200
MGW.Novell (Migration Gateway) service—1200.
Sapsrv.Novell (CMD server services that port IPX SAPs into NDS) service—540—which would mean no more than approximately 108 servers running the CMD module (based on 5 IPX service advertising SAPs per server).
Larger installations that have more service information than will fit in the 64K payload data packet must break the SLP service information into scopes. More information on scopes follows later in this chapter. SLPv2 should address these limiting issues, though it is in draft form.
Warning: Don’t mess with scopes unless you are an expert or have a very large installation. I consider myself an expert and I don’t want the administration overhead—too much to troubleshoot when you can’t find or see services.
The SLP protocol uses a URL structure (per RFC 1738) to send attributes. The services that use the URL structure are listed in Table 4.2.
Table 4.2 SLP Registered Services

SLP Registered Service    Explanation
BINDERY.NOVELL            Equivalent to SAP type 0004h—all NetWare servers will advertise this URL
NWSERVER.NOVELL           Found starting in NW5.1 SP1, but reserved for future use. Some customers have complained that the bindery.novell attribute is too easily confused with Novell’s old Bindery NetWare 3.x servers
NDAP.NOVELL               Equivalent to SAP type 0278h—only servers with an NDS partition may advertise this URL
RCONSOLE.NOVELL           Equivalent to SAP type 0107h—although this is the Pure IP console advertising, not the SPX RCONSOLE
MGW.NOVELL                Displays servers running SCMD.NLM with the /MA switch
SAPSRV.NOVELL             Displays all IPX SAP services from servers running SCMD.NLM
SRS.NOVELL                Equivalent to SAP type 282—NDPS service running on the server
RMS.NOVELL                RMS registry service, a part of NDPS
PORTAL.NOVELL             The portal service runs on NW5.1 servers
DIRECTORY-AGENT           Signifies a server running the SLPDA.NLM

4.5.1 SLP’s URL structure
SLP, as stated, uses the standard RFC URL format. The URL structure is
service:service_type[.name_authority]://[address_spec]
The address_spec portion has the format “X-X-X-XXXXXXXX”. The first digit is the protocol family—2 for TCP/UDP, 6 for IPX. The second digit is the socket type—1 for socket stream (TCP), 2 for datagram (UDP and IPX). The third is the protocol—6 for TCP, 17 for UDP, and 1000 for IPX. Finally, the IP address of the interface that is registered, or in the case of IPX, an IPX network number, is displayed. These services register in the NDS tree through the DA.
Figure 4.3 The SLP Service Agents register their services with the Directory Agent, which is ported into NDS. Notice that the IPX SAPs are registering because I loaded SCMD /MA.
The IPX SAP types in SLP will all register as sapsrv_novell, followed by the server’s internal IPX number, the IPX port number, an underscore, and the IPX SAP type. The IPX services in SLP are not needed. They are an automatic function of the CMD module on the server. Do not use it unless you need it. Only about 540 of these sapsrv_novell services can register per SLP-defined scope because of the 64K data space limitation in the SLP IP packet defined in the RFC. If each server registers 5 services in the IPX world, you can see that the CMD modules can only support about 108 servers—the packet will get truncated and you will have NDS and SLP anomalies. See the CMD section below.
Note: Notice that the SLP registry entries in NDS use underscores instead of the periods used on the server’s console display. Periods in the X.500 NDS world mean changes in context, so underscores had to be used. You can see the same information at the server console by typing
:display slp services
This command is a UA function of the server, which queries a DA for SLP service information. Sometimes the displayed information is not the same as that in NDS. The only true picture of SLP service entries comes from dumping the information directly from the DA server.
SLP dump command
Dump SLP information to a file by:
:SLP OPEN filename.log
And/or use the following method:
:slpda /d
:SET SLP DEBUG=8
Then press <ESC> and choose the SLP DEBUG screen.
SLP does not broadcast like SAP
SLP is a pull technology. Queries are multicast and responses are unicast back. This is in stark contrast to the push technology of the IPX SAP/RIP protocol. UAs and SAs discover the optional DAs in three ways:
1. Through a 224.0.1.35 multicast.
2. Through static configuration. On the client this is done through the client properties; on the server, which acts as both a UA and an SA, this is done through the \ETC\SLP.CFG file.
3. Through DHCP (option 79). I recommend using DHCP. This is not always possible when your company chooses another OS or hardware vendor to distribute DHCP addresses. Most do not support options 78 and 79.
Novell does something interesting with DHCP. The server will actually send a DHCP request for option tags 78 (scope) and 79 (DA). The server can learn about a DA through DHCP without being a full DHCP client.
Note: NetWare 5.1 actually comes with a DHCPCLNT.NLM, which acts as a full DHCP client. This is useful to offices that use their NetWare servers as gateways to the Internet and need to request an IP address from their ISP.
Again, since broadcasts are not used, SLP is a pull technology that queries for service (SA) information instead of broadcasting. There are no broadcasts. Still, with every NetWare server responding to a workstation UA bindery.novell query upon boot—which is like the Get Nearest Server request in an IPX world—you can understand how a large implementation of NetWare servers could flood the network. It is essential that you have an SLP infrastructure created before you implement a NetWare 5 Pure IP infrastructure. NetWare 5 servers prefer an IP connection. You can change this protocol preference with the server SET command:
:SET NCP PROTOCOL PREFERENCE=IPX TCP UDP
The reason is simply that NDS needs a name space provider for name resolution when it cannot use itself. Many times NDS can resolve names itself by NDS tree walking. This works fine if every server has a replica of the partition that the server is in. We know that many servers do not have replicas at all—which is as it should be. In that case the server must contact another server with a replica on it to resolve a name request. This process is known as an NDS backlink, or external reference. To find servers with replicas on them, NDS relies on SLP in IP. In an IPX world, this is accomplished by the server querying its bindery, where SAPs are stored. Each NetWare server sends out a SAP type 4 every 60 seconds, and a RIP broadcast every 60 seconds; the resulting information is stored in the server’s bindery. Name space providers for IP are SLP, DNS, and NDS. The NWHOST file is not a true name space provider, but it can resolve host names to IP addresses. In a Pure IP world, SLP would request a service, by multicast, only when needed. If your client has used the service since boot-up, chances are the service’s IP address is still in cache and the client will send a unicast packet directly to the service. No additional network traffic would be generated. With a DA configured, a new request for a service (e.g., an HP LaserJet printer) would be queried against the DA’s SLP SA information, which is ported into NDS. The DA needs to refresh its cache with every service (SA) registration every hour, by default. This parameter is changeable by a SET command, which I recommend setting to two hours. Compare this to the SAP and RIP IPX protocols that broadcast every 60 seconds. The trade-off is that if a service lifetime is set to two hours, the service may go down and not be recognized/advertised as down for up to two hours.
:SET SLP SA DEFAULT LIFETIME=7200 (default value is 3600)
SLP does not maintain a global database of services like IPX—unless you use the optional DA and only one scope for your enterprise. Registration of services is limited by the multicast region, e.g., how far the multicast traffic is able to travel in your network. SLP also assumes that a client’s UA is able to find services via a request. That request may be either a multicast for an SA or a request to the DA, which is a repository of SA services. The request to the DA is either a multicast to 224.0.1.35 or a unicast to the statically configured DNS name or IP address of the DA on the client.
SLP scopes
Scoping is a means of breaking up your advertised services into smaller pieces. Scopes are optional and should only be considered for use if:
1. You have exceeded the SLP RFC’s 64K data response packet with the number of similar services on your network.
2. You want to restrict the client’s browsing to a specific set of services—clients are only allowed to browse, in Network Neighborhood, services in their own scope.
In SLPv1 if you do not create a scope you will be using the scope “UNSCOPED”. This scope is not supported in SLPv2; rather, the scope “DEFAULT” is used. So if you do not create a scope and simply use “UNSCOPED”, you will have to reconfigure to use the “DEFAULT” scope when SLPv2 gets deployed. According to the SLP RFC 2165, the length field in the packet header is 16 bits. This translates into the 64KB limitation. In SLP version 2 (RFC 2608), the length field in the header has been expanded to 24 bits. SLP version 1 is implemented in NetWare 5. This means that the number of services of each type that may live in a single SLP scope—and thus in a reply packet—is limited to the number of services that fit inside a 64KB response data packet. Specific SLP service queries are for explicit types of service, such as ndap.novell (a replica server) or bindery.novell (a NetWare server). The number of services in a reply packet varies depending on the length of the service names. Realize that no server is known simply as ATLFS01, but rather by its full NDS contextual name, which may be ATLFS01.ATLANTA.SOUTHEAST.NA. The approximate number of services of each type that may be included in a single scope, which also means in a single 64K data reply packet, is:
Bindery.Novell (NetWare server) service—700 to 1100
NDAP.Novell (an NDS server containing a replica on it) service—1200
MGW.Novell (Migration Gateway) service—1200.
Sapsrv.Novell (CMD server services that port IPX SAPs into NDS) service—540, which would mean no more than approximately 108 servers running the CMD module (based on 5 IPX service advertising SAPs per server).
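The packet arithmetic behind these counts (and the identical list under “Support for larger installations” earlier in this section), as an added example that is not from the book or from Novell: it models only the fixed wire overhead of an RFC 2165 (v1) and RFC 2608 (v2) Service Reply and computes how many URL entries of a given name length fit before the length field overflows. The service URLs are constructed; the figures it produces are theoretical ceilings, while the chapter’s numbers are field approximations.

```python
"""Estimate how many URL entries fit one SLP Service Reply.

Added example, not from the book or from Novell. It models the fixed
overhead of a Service Reply under the 16-bit (SLPv1, RFC 2165) and
24-bit (SLPv2, RFC 2608) length fields, to show why a v1 scope holds
roughly the per-service counts the chapter lists and why longer NDS
contextual names lower that count. Sample URLs are constructed.
"""

# RFC 2165 SrvRply: 12-byte header, then 2-byte error code and 2-byte
# URL-entry count; each entry adds a 2-byte lifetime and 2-byte URL length
# in front of the URL text.
V1_LIMIT, V1_FIXED, V1_PER_ENTRY = 0xFFFF, 12 + 4, 4
# RFC 2608 SrvRply: 16-byte header (including a 2-byte "en" language tag),
# the same 4-byte body prefix, and per entry reserved(1) + lifetime(2)
# + URL length(2) + auth-block count(1).
V2_LIMIT, V2_FIXED, V2_PER_ENTRY = 0xFFFFFF, 16 + 4, 6


def _layout(version):
    if version == 1:
        return V1_LIMIT, V1_FIXED, V1_PER_ENTRY
    if version == 2:
        return V2_LIMIT, V2_FIXED, V2_PER_ENTRY
    raise ValueError("SLP version must be 1 or 2")


def entry_size(url, version=1):
    """Bytes one URL entry occupies on the wire for the given SLP version."""
    return _layout(version)[2] + len(url.encode("utf-8"))


def max_entries(url, version=1):
    """Most entries of this URL length that fit one reply before the
    length field overflows (the truncation the chapter warns about)."""
    limit, fixed, _ = _layout(version)
    return (limit - fixed) // entry_size(url, version)


def entries_that_fit(urls, version=1):
    """Count, in registration order, how many of a mixed list of URLs fit
    one reply; everything past the returned index would be cut off."""
    limit, fixed, _ = _layout(version)
    used, count = fixed, 0
    for url in urls:
        size = entry_size(url, version)
        if used + size > limit:
            break
        used += size
        count += 1
    return count


def cmd_servers_supported(sap_url, saps_per_server=5, version=1):
    """Servers whose IPX SAPs (registered as sapsrv.novell entries) fit
    a single scope, using the chapter's 5-SAPs-per-server rule of thumb."""
    return max_entries(sap_url, version) // saps_per_server


if __name__ == "__main__":
    short = "service:bindery.novell:///FS1"                             # constructed
    full = "service:bindery.novell:///ATLFS01.ATLANTA.SOUTHEAST.NA"     # constructed
    sap = "service:sapsrv.novell:///01AB3C2D_0451_0004"                 # constructed
    print("v1 bindery.novell entries, short name:", max_entries(short))
    print("v1 bindery.novell entries, full NDS name:", max_entries(full))
    print("v2 bindery.novell entries, full NDS name:", max_entries(full, 2))
    print("v1 CMD servers at 5 SAPs each:", cmd_servers_supported(sap))
```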
Scopes are configured in NDS first, then on the server (to tell the server’s SA where to register its services), and then on the client (to tell the client what scope to query for services).
Note: Minimize the number of scopes used. Scopes add another layer of support/complexity to your environment.
Filtering scopes
It is possible to filter services into scopes. Though filtering is unnecessary, you might want to do this to better organize your services into a container. Some larger clients organize only the bindery.novell and ndap.novell services into a single global scope and keep all services, based on geographic regions, in regional scopes. In that scenario, some services would register with two different scopes. All filtering is done at the server in the \ETC\SLP.CFG file. After changing any values, you must:
:SET SLP RESET = ON
Scope configuration in NDS
NetWare Administrator ➝ right-click the Scope Object ➝ Details
Scope configuration on the server
There are two configuration tasks on a NetWare server. One is a SET command:
:SET SLP SCOPE LIST = scope_name, another_scope_name
This tells the server’s SA where to register its services. Next, edit the \ETC\SLP.CFG file to reflect any filtering:
REGISTER TYPE “type_name” to SCOPE “scope_name”
REGISTER TYPE “bindery.novell” to SCOPE “ACME-SCOPE”
Don’t filter services unless Novell support tells you to. It requires a lot of time to troubleshoot problems when services aren’t registering correctly. For scope names, use a dash instead of an underscore, as name space providers like DNS and NDS better support a dash. Remember that naming conventions affect future technologies like LDAP too. Don’t forget that after every SLP change, do a reset on the server:
:SET SLP RESET = ON
Occasionally you may have to unload and reload the SLPDA.NLM on the DA server.
Scope configuration on the client
This is covered in Chapter 1. Know that client SLP scopes can be handed out via DHCP, which is the preferred method. If a client is manually configured with a scope and receives a different scope via DHCP, the client will append the scope to its list to include both. The client will, therefore, query and be able to browse both scopes. Realize that every client that has multiple scopes will query all of them every time the client generates an SLP query. This can lead to excessive traffic, so allow only the administrators and a few power users to query multiple scopes, if needed.
SLP NDS objects
Three types of NDS objects are created when you load the SLPDA.NLM. You may create these NDS objects manually first.
SLP Directory Agent Object—Leaf object specifying the DA server and its associated, assigned scope(s). The object is edited like any NDS object.
Status: UP=running; DOWN=not running; UNKNOWN=service has never been loaded
Host server: Server running the SLPDA.NLM
Clear: Disassociates the SLP DA object from its current NetWare server
Cache Limit: Maximum KB size of cache maintained by the DA
Start Purge Hour: DA does a purge every 24 hours at this specified time
SLP Scope Unit Object—Container object defining the scope. The Scope object is represented as a square with four smaller squares at each corner. You may partition this object into its own NDS partition. I recommend creating an OU above it, at or near the top of the tree, and partitioning the OU into its own partition. Place the partition on all of the DAs. Place the SLP Scope Unit Object in its own OU and partition it off, placing it only on the chosen DA servers.
SLP Service Object—Leaf objects that represent and describe services that need to advertise themselves; every service that registers with the DA is represented by an NDS object.
4.5.2 Implementing SLP
I have many war stories about SLP. At one of the largest clients I have ever been to, they had great difficulty understanding SLP and argued with me about how to implement it. Unfortunately, they didn’t take my advice (hard to believe when you work for the vendor and know how to implement your own software). We had a very painful time rolling out NetWare 5. The NDS syncs were taking too much time (because of their poor design), so the customer just unbound IP. They continued to roll out NetWare 5 running on IPX only and all was well—except their mandate from management was to get IPX off their backbones ASAP. I would caution you to read the latest Novell TIDs and technical information on SLP, as Novell sometimes releases upgrades to the SLP module that could affect the design considerations I have listed below (doubtful, but possible). In medium to large environments, it is almost as easy as choosing a couple of DAs and pointing everything (servers and workstations) to them. That’s it, not technically, but conceptually.
Warning: Remember, start your SLP design when you put the second NetWare 5 server into production. All servers should be running both IPX and IP until all NDS replica servers are migrated to at least NetWare 5.
To implement SLP best, consider the following:
Implementations of 30 servers or fewer
This is the default configuration for SLP. Turn on IGMP multicast by letting all of your router interfaces pass 224.0.1.22 and 224.0.1.35 throughout your enterprise—except out to the Internet, of course. All service and name resolution will be done through multicast. This is all you need to do. This design is practical for implementations of fewer than 30 servers.
31–100 server implementations
There are several ways to implement an SLP design, based on several variables. I will give the three most common ways.
The best way
The best way is to use Novell’s DHCP, because other vendors’ DHCP servers don’t natively support option tags 78 (Directory Agent) and 79 (Scope). For 30–100 servers, you will need a Directory Agent (DA) or two. Pick servers with a lot of replicas on them, preferably replicas at or near the top of the NDS tree. Create a separate OU for SLP information ported into NDS. Then, under the new OU, create the SLP Scope object and the SLPDA object. Assign the SLP Scope object to the DA and the SLPDA object to the server hosting the SLPDA.NLM. Load the SLPDA.NLM and place the load statement in the AUTOEXEC.NCF. DHCP option 78 will send the IP address(es) of the DA(s) to the client. Clients will be configured, at that point, to unicast to the DA first for resolution, then fall back to a general multicast. This is analogous to a WINS h-type broadcast—where a WINS server is looked for first, then the client resorts to a broadcast for name resolution. Statically configure all of the servers’ SYS:ETC\SLP.CFG files exactly the same. Set the SLP DA DISCOVERY OPTIONS to 7:
:MONITOR ➝ Server Parameters ➝ Service Location Protocol ➝ SLP DA DISCOVERY OPTIONS
Use a separate OU to set up your SLP infrastructure; there are many reasons for this. You will partition this OU and have each DA in the same scope hold a replica. This will ensure immediate NDS name resolution for SLP requests. Set the SLP SA RESET to ON in the same menu.
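To check what a DHCP server is actually handing to clients and servers for DA discovery and scope assignment, here is an added example (not from the book or from Novell’s DHCP server) that encodes and decodes options 78 (SLP Directory Agent) and 79 (SLP Service Scope) as RFC 2610 defines them. The DA addresses and the scope name are constructed; the hypothetical function names are mine.

```python
"""Encode and decode DHCP options 78 and 79 (RFC 2610).

Added example, not from the book or from Novell's DHCP server. Use it to
verify that a third-party DHCP server really delivers the SLP Directory
Agent list (option 78) and scope list (option 79) that the design expects.
All sample addresses and scope names are constructed.
"""
import ipaddress

OPTION_SLP_DA = 78       # SLP Directory Agent option
OPTION_SLP_SCOPE = 79    # SLP Service Scope option
OPTION_PAD, OPTION_END = 0, 255


def encode_da_option(das, mandatory=False):
    """Option 78: a mandatory byte (1 = do not fall back to multicast DA
    discovery) followed by one or more 4-byte IPv4 DA addresses."""
    body = bytes([1 if mandatory else 0])
    for da in das:
        body += ipaddress.IPv4Address(da).packed
    return bytes([OPTION_SLP_DA, len(body)]) + body


def encode_scope_option(scopes, mandatory=False):
    """Option 79: a mandatory byte followed by a comma-separated UTF-8
    scope list, e.g. "ACME-SCOPE"."""
    body = bytes([1 if mandatory else 0]) + ",".join(scopes).encode("utf-8")
    return bytes([OPTION_SLP_SCOPE, len(body)]) + body


def decode_slp_options(options):
    """Walk a raw DHCP options field and pull out the SLP settings.

    Returns a dict with the DA addresses, the scope names and both
    mandatory flags; pad and end options are handled, other options are
    skipped, and a truncated or malformed option raises ValueError."""
    result = {"da": [], "da_mandatory": False,
              "scopes": [], "scope_mandatory": False}
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPTION_PAD:
            i += 1
            continue
        if code == OPTION_END:
            break
        if i + 1 >= len(options):
            raise ValueError("option %d has no length byte" % code)
        length = options[i + 1]
        body = options[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("truncated option %d" % code)
        if code == OPTION_SLP_DA:
            if length < 1 or (length - 1) % 4 != 0:
                raise ValueError("option 78 body is not a list of IPv4 addresses")
            result["da_mandatory"] = bool(body[0])
            result["da"] += [str(ipaddress.IPv4Address(body[j:j + 4]))
                             for j in range(1, length, 4)]
        elif code == OPTION_SLP_SCOPE:
            if length < 1:
                raise ValueError("option 79 is missing its mandatory byte")
            result["scope_mandatory"] = bool(body[0])
            text = body[1:].decode("utf-8")
            result["scopes"] += [s for s in text.split(",") if s]
        i += 2 + length
    return result


if __name__ == "__main__":
    # Constructed: two DAs and one scope, as the "best way" design hands out.
    packet = (encode_da_option(["10.1.1.5", "10.2.1.5"], mandatory=True)
              + encode_scope_option(["ACME-SCOPE"])
              + bytes([OPTION_END]))
    print(packet.hex())
    print(decode_slp_options(packet))
```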
Figure 4.4 SLP infrastructure setup.
Verify you can see all of the servers, after you have finished configuring all of them, by:
:DISPLAY SLP SERVICES BINDERY.NOVELL
You should now see all of the servers listed. It is most important for all of your servers to see each other. If not, check your configurations. Ping by IP address from the server console. Go to DSREPAIR ➝ Advanced Options ➝ Servers Known to this database ➝ Repair all network addresses. Check to see if the servers have registered in the SLP scope in NDS.
Note: Support Pack 5 for NetWare 5.0 and SP1 for NetWare 5.1 introduce the nwserver.novell URL, which may eventually replace the bindery.novell URL. The bindery.novell service confuses many customers into thinking that something bindery is going on in NetWare 5—it isn’t.
The second best way: with multicast, but without Novell’s DHCP
It is always possible to enable multicast throughout the enterprise. It would work, but in medium to large environments it may be too much network traffic. Again, choose a server that has a lot of replicas on it. Create a separate OU for SLP information ported into NDS. Then, under the new OU, create the SLP Scope object and the SLPDA object. Assign the SLP Scope object to the DA and the SLPDA object to the server hosting the SLPDA.NLM. Load the SLPDA.NLM and place the load statement in the AUTOEXEC.NCF. DHCP option 78 will send the IP address(es) of the DA(s) to the client. Clients will be configured, at that point, to unicast to the DA first for resolution, then fall back to a general multicast. This is analogous to a WINS h-type broadcast—where a WINS server is looked for first, then the client resorts to a broadcast for name resolution. Statically configure all of the servers’ SYS:ETC\SLP.CFG files exactly the same. Set the SLP DA DISCOVERY OPTIONS to 7:
:MONITOR ➝ Server Parameters ➝ Service Location Protocol ➝ SLP DA DISCOVERY OPTIONS
Set the SLP SA RESET to ON in the same menu. Verify you can see all of the servers after you have finished configuring them by:
:DISPLAY SLP SERVICES BINDERY.NOVELL
You should now see all the servers listed. If not, check your configurations. Load the SLPDA.NLM and place the load statement in the AUTOEXEC.NCF. The clients are configured to multicast to find a DA first (224.0.1.35), then send a general multicast to find a service (224.0.1.22). Turn on IGMP multicast and let all of your router interfaces pass 224.0.1.35 only throughout your enterprise. General 224.0.1.22 multicasts will form islands: routers will not pass the general multicast, but chances are most users will be on the same segment as a server. That will allow for redundancy. The SLPDA multicast to 224.0.1.35 will traverse the router and find the configured DA, thereby finding the repository of SA services registered throughout the enterprise. The server’s SA will register with the DA because of the SLP.CFG file and the DA multicast.
Verify you can see all of the servers, after you have finished configuring all of them, by:
:DISPLAY SLP SERVICES BINDERY.NOVELL
You should now see all of the servers listed. It is most important for all of your servers to see each other. If not, check your configurations. Ping by IP address from the server console. Go to DSREPAIR ➝ Advanced Options ➝ Servers Known to this database ➝ Repair all network addresses. Check to see if the servers have registered in the SLP scope in NDS (with ConsoleOne or NetWare Administrator).
Last best way: without Novell’s DHCP and without multicast
The clients and servers are going to use SLP for service resolution and NDS for name resolution in this design—the same as in all of the other designs. The implementation will take longer and there will be more support involved because of the manual configuration. Clients will need to be manually configured, by going to each workstation and inputting the DA information, or save time by using ZEN for Desktops or a registry change in the login script.
Figure 4.5 Notice the Static checkbox. It tells the client to unicast to a DA and not use multicast at all.
For large installations of over 101 servers
It is difficult to show only one way, because Novell’s implementation involves many tools to overcome possible cooperation problems with “router boy” or the DNS crew. The absolute best way to resolve IP addresses on an enterprise, for now, is DNS names. Novell supports mapping to DNS names or IP addresses. This is difficult for end-users, as they cannot browse Network Neighborhood for resources. Browsing is a function of SLP. If you have to support end-user browsing, then you have to implement SLP.
The best way for 100+ servers
The best design would be to use SLP locally and resolve names globally via DNS.
The next best way for 100+ servers
Most companies will not follow the best advice anyway. I recommend the following design. Other designs can be found in Novell’s AppNotes at http://developer.novell.com. This design makes the following assumptions:
Router boy is not going to turn on IGMP multicast over the enterprise, which is smart in a large environment. It would almost be like SAPing again.
DNS man is not going to let you put all of your NetWare servers into his DNS server yet. Maybe sometime in the future, we’ll see.
We will use 3 scopes. This will limit browsing on the client to only one scope, unless the client is configured to see all three scopes. Because of the network traffic involved in querying all three scopes, only the admin workstations need to see all three. SLP version 1 defines, per the RFC, only 64K of data in a response packet. This limits the number of services a query could return, as the response would be truncated.
The steps to support 100+ servers:
1. Create an OU to contain SLP information (it registers into NDS) under each regional OU in your tree.
2. Choose 2 DA servers for each scope.
3. Make each new SLP OU its own partition. Then, put each partition on the two chosen DA servers. There are too many variables as to which server to put it on to list here. Know that SLP registers and de-registers NDS objects and that the SLP partition may be very active; therefore, you may want to avoid putting it on a server over a slow WAN link. The sync traffic in a large installation of 300 servers is about 2.5MB every two hours.
4. Turn on IGMP on your routers where possible. Large networks need to define boundaries; therefore, you may want to implement IGMP in LATAs. To do this you can either turn off multicast (IGMP) on specific core router interfaces, or leave it on and just block the 224.0.1.22 address at the core routers. I recommend the second of the two suggestions. The reason is simply that multicast, left unto itself, becomes very chatty. The 224.0.1.22 address is for SA queries, and you will want to use DHCP or statically configure DAs at the desktop (do it via ZENworks, a registry change in the login script, or ACU). The 224.0.1.35 multicast address is for DA discovery. This traffic is minimal. The DA is roughly equivalent to a core router, having all of the available services registered in it and being able to resolve client requests.
5. If you cannot get your router guys to turn on multicast, then you have to compensate by static configuration. I recommend using Novell’s DHCP to aid you in your Pure IP implementation because it uses the option tags 78 and 79.
6. Do not use the CMD modules unless upper management forces you to. Run a dual IP/IPX protocol stack.
The big way: installations of over 1000 servers
The largest designs are going to require a visit from Novell Consulting to make sure you are leveraging the technology correctly. There are many variables that you may want to consider. Engage Novell Consulting at http://www.novell.com/consulting/.
Server SET commands relating to SLP
They can be found on the server through MONITOR ➝ Server Parameters ➝ Service Location Protocol and MONITOR ➝ Server Parameters ➝ Communications. All SET commands are covered in Chapter 2.
4.5.3 Migrating from IPX to IP
The actual migration process from IPX to IP is simple—not easy, just simple.
1. Your SLP infrastructure should have been designed and implemented already.
2. Run a dual stack of IPX and IP on your servers.
3. Upgrade all of your servers to NetWare 5.x and the latest version of NDS. This task can be moved up in the order.
4. Identify all IPX-dependent applications on your network—this is going to be “grunt” work. Next, upgrade all apps to support the new IP stack.
5. All clients should be running a dual stack. The client software will “prefer” an IP connection—assuming you are running the latest client versions. Remove the IPX protocol and check connectivity and all client apps.
6. As you monitor NDS, remove the IPX stack from the servers.
Your SLP design will have already been implemented—see the designs earlier in the chapter.
Converting a LAN segment from IPX to IP
1. Pick two servers to be Migration Agents (MAs) on your local segment. Each server should be centrally located within the LAN.
2. Upgrade all servers to NetWare 5.x minimum. Clients should be upgraded to the latest NetWare client too. All servers should be running IPX and IP simultaneously. Clients should be running IP and CMD. You can use Novell’s DHCP to pass clients the MA servers’ IP addresses.
3. Convert your printers to NDPS printers. Optional, but important.
4. Remove the IPX protocol from the server and load the SCMD.NLM /MA module.
5. That’s it. Clients will only use a tunneled IPX call over IP when a legacy application makes an explicit call to the IPX stack on the client. The client CMD module intercepts it and tunnels it in an IP packet; the server uses the SCMD module to strip the information out of the IP packet and send it for processing.
Remember that when you turn off IPX on the routers, no IPX services may be reached across the WAN link. It seems like common sense, but think through the potential issues first. Many older BTRIEVE applications have some user who needs access even though they have moved departments 5 times since the application was loaded. You may not know who it is now, but you will when you turn IPX off on your WAN links.
Communicating IPX
It will be necessary to run IPX or implement MAs—discussed later—on every server until all of your NetWare 4 servers are upgraded. If you run a dual IP/IPX stack on each NetWare 5 server with NetWare 4 servers in your tree, you must implement SLP. It is possible to get around the SLP limitation. Some clients unbind IP from NetWare 5 servers, and others change the NCP protocol preferences to prefer IPX instead of the default IP (discussed earlier). NetWare 5 workstation client software will attempt an IP connection, then time out to an IPX connection (if both protocol stacks are running). You may experience unsatisfactory latency in client communications until you have the SLP infrastructure implemented. Each time an NDS server tries and fails to communicate with another NDS server via IPX, it waits through a 30-second timeout before it tries communicating via IP. The continual IPX communication timeouts can cause sluggish server and network performance. The timeouts become more of an issue as IPX is removed from routers on each network segment and IPX communication is no longer possible between servers, even though IPX is bound to the servers. Keep an eye on NDS at all times. If you have implemented SLP incorrectly, NDS will let you know. You may see slow sync times or –625 and –634 NDS errors. Do not allow router boy to block the addresses listed in Table 4.3 within your network.
Compatibility mode driver—CMD
Everything changes in SLP, and at the packet level, if you are using the compatibility mode drivers (CMD). Compatibility mode drivers are simply a way to encapsulate legacy IPX traffic inside of an IP packet—sort of like the old NWIP, which to me is reason enough to stay away from it.
Table 4.3 Ports and Protocols Used for NetWare 5 IP Functions

IP Function        Protocol
NCP                TCP or UDP 524 – source port will be a high port (1024–65535)
NCP for TimeSync   UDP 524 – source port will be a high port
NTP                UDP 123 – source port will be a high port
SLP Requests       UDP 427 – source port will be the same (427)
SLP Requests       TCP 427 – source port will be the same (427)
CMD                TCP 2302 – source port will be a high port
CMD                UDP 2645 – source port will be the same (2645)
RCONPRXY.NLM       TCP 2035
The only use for CMD is as a migration tool to get IPX-dependent applications talking IP. Many times administrators have an ultimatum to get IPX off of their LAN and/or WAN links quickly. The use of CMD would enable Pure IP communications via IPX encapsulation inside an IP packet. I recommend against using the CMD modules, if possible. I try to persuade clients to use dual IPX/IP stacks until all IPX dependencies can be identified. The offending applications would need to be upgraded. Identify BTRIEVE-dependent applications as your first priority.
Warning: BTRIEVE in NetWare 5.1 does not come with an unlimited user license. You will need to call Pervasive SQL and find out what you need to do to upgrade your old application. Novell sold BTRIEVE to Pervasive.
I had a fellow Novell consultant describe the CMD modules as tools of satan. Lesson—don’t use it if you don’t need it. There is a client-side CMD and a server-side CMD. The client-side module is loaded during the installation of the client. You must reload the client to load the IP protocol with CMD support. It is possible to use your server as a Migration Agent (MA) without loading the CMD support on the clients—they would use a dual IPX/IP stack.
The server side is an NLM loaded by typing:
:SCMD

List of SCMD switches
There are a number of switches you can use with this module. Novell has changed the SCMD.NLM switches and the functionality of the module many times through support packs. The listing I give here should be confirmed by looking up the appropriate TIDs from support.
:SCMD /option

NET=hex_network_number—By default SCMD loads with an FFFFFFFD network number. I always leave it that way. If you have a need to change it, know that all CMD servers will communicate only with others that have the same network number. This change is temporary unless you put the command into the AUTOEXEC.NCF. Optionally, the server SET command
:SET CMD Network Number: FFFFFFFD
will perform the same function. See the SET commands in Chapter 2 for more information.

MA—Configures the module to load the Migration Agent (MA) option. The migration agent is responsible for supporting both IPX and IP segments. Note: To set up a Pure IP backbone between two NetWare servers running the SCMD.NLM, follow the directions for backbone support given later in this section.

NetWare 4.x SCMD commands
SCMD.NLM provides IPX compatibility in an IP-only environment. The functionality of SCMD has been ported to NetWare 4.11 with service pack 8a. It can encapsulate IPX packets in IP—similar to NetWare/IP. In order to set up your NetWare 4 servers to talk to each other with IP you must load:
:LOAD SCMD /ma /noslp /maaddr=;;/
You need only one IP address in the list, though you can include multiple IP addresses for fault tolerance. It should be the IP address of an MA across the WAN. Novell recommends configuring MAs in a star or a circle, so that all MAs point to one or two other MAs. Clients installed with the CMD driver rely on SLP and will not work in a NW 4.x environment. Clients only need IPX installed to reach the server; the server will then take care of encapsulating and routing the packets to a remote MA server. With SCMD loaded on both MA servers, time and DS synchronization will work, as will all IPX routing information and services.

On the client side, CMD is loaded only during the client install. There is no way to get around this other than reloading the client and choosing IP and CMD as your protocols. CMD is dependent on SLP. SLP writes network resource (IPX SAP) information into NDS; therefore, all of your CMD information is written into NDS as sapsrv.novell objects. This can get ugly fast. Each legacy IPX SAP is written to NDS as a sapsrv.novell object. There may be 5 SAPs or more per server, depending on how many services the server must advertise. Do the math. A single SLP scope, as defined in the RFC, can only return a 64K data payload. You can fit about 520 sapsrv.novell objects per scope—roughly 84 CMD servers.

Migration agents
Migration Agents, or MAs, provide another migration strategy option. The MAs are servers that speak IP and IPX to the local LAN and only IP across a WAN link. I have used MAs many times. It is a viable option to get IPX off of the WAN links, but should be used conservatively (or not at all) for migration purposes other than Pure IP WAN links. I have had more heartbreak than success with MAs, so you do the math. MAs require:
Each IPX disconnected network must have a MA.
All MAs should have NLSP enabled and the same CMD network number
SLP visibility exists between all MAs
UDP port 2645 is allowed on every interface that routes traffic between MAs
MAs require no client side configuration if the client is running IPX.
Backbone support
About the only time I use MAs is when a client insists that they need an IP-only WAN link before the LAN segments are converted to IP only. The backbone support option of the SCMD module is loaded by:
:SCMD /BS
The BS stands for backbone support, of course. This option makes the MAs—each server that loads this module is considered an MA—independent of SLP. For example, take two servers, each across a WAN link from the other. IPX and IP are allowed on both LAN segments, but router boy has denied all IPX traffic across the WAN link (and IP multicast too). I can use my servers to tunnel IP-only traffic while fooling all of the other servers’ and clients’ IPX requests. IPX requests will always work as intended because of the tunneling capabilities of the SCMD /BS option. To do that we must first turn off SLP on the servers:
:SET NO SLP OPTION=ON
Then set your migration agent list statically on both servers:
:SET MIGRATION AGENT LIST=the_other_ma_server_across_WAN
From here, you will need to look up a TID. Novell has changed the TID that explains how to implement a Pure IP backbone as the functionality of the SCMD module has changed. Consult the TIDs for the most recent information.
4.5.4 When you don’t have to use SLP
SLP can get confusing. You do not need to worry about SLP support or configuration:
When you don’t require browsing in Network Neighborhood
When you can use another form of name resolution—like DNS—to map to resources via login script, NWHOST, preferred server or preferred tree
When you put in or use DHCP to populate the Preferred Server and Context values for the client
When you use the NWHOST file to map names to IP addresses
When you use IPX and set the NCP protocol preferences to IPX—found only on the NetWare 5 server as a SET command
When you do not route traffic on your network—routers do not allow multicast traffic through by default

4.5.5 When you must use SLP
SLP is required in most networks. SLP is absolutely required:
When you need to browse via Network Neighborhood
When you are using the CMD modules
When you do not have DNS set up and must rely on another method of name resolution—which would be SLP—to locate services for NDS name resolution

4.5.6 What is the SLP route of least configuration?
When you enable multicast to propagate across all router interfaces between NetWare 5 servers—not a good idea in large environments. Many documents put the maximum number of servers at 25–30. In the larger environments, consider a couple of DAs assigned to clients by DHCP and allow only the DA multicast of 224.0.1.35 to pass through all routing interfaces—it’s insignificant network traffic. This obviously implies blocking the SA multicast of 224.0.1.22.
4.5.7 SLP best practices
SLP can be confusing. I have assisted many large clients and have compiled the following list of best practices:
It is essential to implement the SLP design as your second NetWare 5 server goes into the tree, even if you are running dual IP and IPX stacks
Enable IGMP multicast on all routers between NetWare servers in an environment of fewer than 30 servers—no other configuration is necessary
If you are using DAs and NDS for your design, keep them in a separate partition
The Novell client provides a setting for specifying the number of hops a client’s multicast can travel. Set this to the maximum number of hops to a DA or replica server in your environment—4 or below in most environments: Novell Client Configuration ➝ Advanced Settings ➝ SLP Multicast Radius
Don’t use more than 2–3 DAs per scope
Always put a replica of the SLP Scope partition on your DAs
Pick DA servers based on the amount of traffic that a server ALREADY supports; thus there is no need to reroute traffic because of DA placement
Pick DA servers that hold replicas of the higher parts of the NDS tree
Use DNS names or IP addresses when possible in your login scripts
Limit your dependence on SLP in larger environments—especially via multicast
In larger environments, block the 224.0.1.22 address from crossing into the core via filter configuration on the routers (i.e., only sites actually within a particular market will receive the 224.0.1.22 multicast sent by a device in that market). The 224.0.1.35 multicast address does not need to be filtered—it does not make up much traffic—and should be allowed to propagate throughout the network.
How Cisco Switches handle multicast traffic
I worked with a couple of Cisco engineers at a client. I asked them how their hardware handles multicast traffic. This was their reply.

Ethernet directly supports the sending of local multicast packets by allowing multicast addresses in the destination field of Ethernet packets. All that is needed to support the sending of multicast IP datagrams is a procedure for mapping IP host group addresses to Ethernet multicast addresses. See Extensions to an Ethernet Local Network Module (RFC 1054). An IP host group address is mapped to an Ethernet multicast address by placing the low-order 23 bits of the IP address into the low-order 23 bits of the Ethernet multicast address 01-00-5E-00-00-00 (hex). Because there are 28 significant bits in an IP host group address, more than one host group address may map to the same Ethernet multicast address. So what the switch needs to do is to map the Ethernet multicast address to specific ports of receivers that are interested in receiving the multicasts. The end nodes indicate their interest in receiving the multicast by using IGMP, described in detail in RFC 1054: ftp://ftp.isi.edu/in-notes/rfc1054.txt. IGMP is used between the host and the router, so the switches either need to talk to the router (CGMP) or snoop the IGMP packets to get the mapping information that they need. Using CGMP as detailed in http://www.cisco.com/warp/public/cc/cisco/mkt/ios/mcastip/tech/ipcas_dg.htm the router sends the switch the Ethernet multicast address and the individual Ethernet node that requested the multicast traffic. The switch then adds a filter in the bridging table to direct any traffic destined for the Ethernet multicast address out the port that the individual Ethernet node is attached to. The switch also directs that traffic to the routers. High performance switches can use IGMP Snooping, which requires the LAN switch to examine, or “snoop,” some layer 3 information in the IGMP packet sent from the host to the router. When the switch hears an IGMP Report from a host for a particular multicast group, the switch adds the host’s port number to the associated multicast table entry. When it hears an IGMP Leave Group message from a host, it removes the host’s port from the table entry. On the surface, this seems like a simple solution to put into practice. However, depending on the architecture of the switch, implementing IGMP Snooping may be difficult to accomplish without seriously degrading the performance of the switch. The CPU must examine every multicast frame passing through the switch just to find an occasional IGMP packet. This could be a problem when streaming high bandwidth video such as MPEG 1 or MPEG 2. This results in performance degradation to the switch and in extreme cases switch failure. Unfortunately, many low-cost, Layer-2 switches that have implemented IGMP snooping rather than CGMP suffer from this problem. The only viable solution to this problem is a high-performance switch designed with special ASICs that can examine the layer-3 portion of all multicast packets at line-rate to determine whether or not they are IGMP packets. The Catalyst 5000 NFFCII card and the Catalyst 6000 PFC card have the ASICs capable of IGMP snooping.
Cisco switches handle multicasts through the use of IGMP snooping or CGMP (Cisco Group Messaging Protocol) and properly identify multicast separately from broadcasts. The routers do partake in the IGMP multicast group and they recognize the multicast IP and MAC address used by devices registered in the particular group on an Ethernet segment.

SLP router support addresses
Make sure you tell router boy that he needs to support SLP multicast addresses. SLP uses the following multicast addresses:
224.0.1.22 in IP and 01005E000116 in Ethernet for general SLP requests and registrations.
224.0.1.35 in IP and 01005E000123 in Ethernet for SLP DA advertisements.

4.5.8 Why didn’t Novell use DNS instead of SLP?
I don’t know specifically, but I imagine they wanted to provide the same IPX plug-and-play ability for small businesses. Active Directory uses DNS. Consider that small businesses have junior LAN administrators straight out of CNE/MCSE classes. Making smaller networks as simple as possible (via plug-and-play) may be a good idea. Remember SLP is an RFC standard protocol—though not widely used. DNS may have been a better idea, in my humble opinion. Most of my clients would have preferred DNS.
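The 23-bit mapping the Cisco engineers describe, worked through in code for the two SLP groups listed above. This is an added example, not from the book or from Novell or Cisco; the aliasing helper goes beyond the text by listing every group that shares an SLP group's MAC, which is why a switch filtering on the MAC alone cannot tell them apart.

```python
"""Map IPv4 multicast groups to Ethernet multicast MACs (added example).

Not from the book or from Novell/Cisco: it implements the 23-bit mapping the
Cisco engineers describe and checks it against the two SLP groups listed above.
"""
import ipaddress

# IANA Ethernet multicast prefix 01-00-5E plus the low-order 23 bits of the group.
ETHER_MCAST_PREFIX = 0x01005E000000
LOW_23_BITS = 0x7FFFFF
MCAST_BASE = 0xE0000000  # 224.0.0.0; bits 31-28 of every group address are 1110

# The two SLP groups the chapter lists, with the roles it gives them.
SLP_GROUPS = {
    "224.0.1.22": "general SLP requests and registrations (SA traffic)",
    "224.0.1.35": "SLP DA advertisements",
}


def group_to_mac(group: str) -> str:
    """Return the Ethernet destination MAC (dash-separated hex) for an IPv4 group."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a multicast (224/4) address")
    mac_int = ETHER_MCAST_PREFIX | (int(addr) & LOW_23_BITS)
    return "-".join(f"{b:02X}" for b in mac_int.to_bytes(6, "big"))


def aliased_groups(group: str) -> list[str]:
    """Return all 32 IPv4 groups that share this group's MAC address.

    A group address has 28 significant bits but only the low 23 survive the
    mapping, so bits 27-23 (five bits, 2**5 = 32 values) are lost: a switch or
    NIC that filters on the MAC alone also delivers frames for every group here.
    """
    low = int(ipaddress.IPv4Address(group)) & LOW_23_BITS
    return [str(ipaddress.IPv4Address(MCAST_BASE | (k << 23) | low)) for k in range(32)]


def slp_mac_table() -> dict[str, str]:
    """Map each SLP group to the wire address router boy must allow (or filter)."""
    return {group: group_to_mac(group) for group in SLP_GROUPS}


def main() -> None:
    for group, mac in slp_mac_table().items():
        print(f"{group:<12} -> {mac}  {SLP_GROUPS[group]}")
    print("groups sharing the SA MAC:", ", ".join(aliased_groups("224.0.1.22")[:4]), "...")


if __name__ == "__main__":
    main()
```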
4.6 Name resolution
My travels to some of Novell’s largest clients reveal a glaring need for administrators to understand how a name is resolved on the network.
4.6.1 How to resolve a name on the network
Name resolution is maybe the most misunderstood basic function of applications. On IPX networks, you could browse through Network Neighborhood looking at servers—you were seeing SAPs—and get to the servers by double-clicking—which would send out a RIP request for route information on that server. Everyone bitches about IPX, but it was an administrator’s dream—no configuration. IP has no such plug-and-play capability (although Novell wants us to believe SLP is a plug and play protocol for IP, ha). DHCP, DNS, SLP, and routing configuration are done manually. An end-user’s view is simply: address the e-mail and press SEND. A name (e.g., www.netadmincentral.com or
[email protected]) is entered in an application (e.g., e-mail or a browser) ➝ WINSOCK.DLL resolves the kind of name (DNS, NDS, or NETBIOS) and port number (port 80 for HTTP) ➝ your client then goes through a resolution order (listed later) ➝ a packet is formed to query a name service (DNS, NDS or NETBIOS) to resolve the request for an IP address, which must then be resolved to a MAC address.

DNS host name resolution order
Normally (I say normally because Microsoft’s Win9x and NT/W2K clients handle name resolution differently—see Chapter 1 for more info), when you have a name to resolve, winsock.dll knows to go through the following order:
1. Local host name in cache
2. HOSTS file
3. DNS Server
4. WINS Server
5. B-node broadcast
6. LMHOSTS file
WINS host name resolution order
When you are using Microsoft’s NETBIOS protocol, you are resolving names in the following order:
1. NetBIOS Name Cache (NetBIOS Name Cache): Local cache containing the locally registered computer names and computer names the local computer recently resolved
2. WINS Server (NetBIOS Name Server): An RFC 1001/1002 compliant computer that provides NetBIOS name resolution. Microsoft implements this as Windows Internet Name Server (WINS).
3. B-node broadcast (Local broadcast): A b-node broadcast on the local network for the IP address of the destination
4. LMHOSTS file: Local file that maps IP addresses to NetBIOS computer names
5. HOSTS file: Local file in the same format as a 4.3 BSD hosts file. Maps host names to IP addresses and is typically used to resolve DNS host names for TCP/IP applications and/or utilities.
6. DNS Server: Domain Name Server configured with a DNS daemon that maintains a database of IP address/host name mappings. May be maintained on a NetWare server, NT or UNIX.
4.6.2 Browsing
Browsing in a Microsoft environment in Network Neighborhood is a function of NETBIOS, or via the read-only global catalog via an LDAP call in Active Directory. In NetWare 5’s implementation, SLP is used—without it you cannot browse. In an IPX environment, you browse by client requests to the server’s bindery—which is like a routing table and stores a list of all other NetWare servers and network services by the SAP types it hears via network broadcasts. You see servers because of their SAP type 4 IPX broadcasts. Realize that NetWare servers running IPX do not store the SAP information. It is only kept in cache and cleared at every boot. You can also clear the cache with the server console command RESET ROUTER. This internal table uses both SAPs and RIPs to match up. Any SAP without a corresponding RIP will be aged out of the cache.

Note: In an IPX environment, I have sometimes seen servers displayed in Network Neighborhood, but got various error messages when I clicked on the resource. This means that the SAP advertisement is valid, but that the RIP route request isn’t. The resource may be down or you may have a router with a corrupted RIP table—NEVER let router boy filter RIP.

It is possible to be on the same segment and not see a NetWare server. If your IP address is incorrectly configured, you may not see a NetWare server resource—even if you are running both IP and IPX. The cause is simply that IP is the preferred protocol—even when both IP and IPX are loaded—in NetWare 5.
:SET PREFERRED NCP PROTOCOL =
It is possible to change this parameter to prefer an IPX connection.
:SET PREFERRED NCP PROTOCOL = IPX IP UDP
4.6.3 Name resolution via IP
How do I get to www.netadmincentral.com or ATLFS01? It is the job of the IP stack—winsock.dll—to interpret the name and port number and find the name space provider. IPX may resolve via queries to the server’s bindery, which is populated by network broadcast SAPs. IP routers do not forward broadcasts (255.255.255.255) by default, so IP must rely on other transport processes. Name resolution is a function of name space providers. Databases are used to match host names with IP addresses and IP addresses with MAC addresses. IP may use:
SLP: SLP uses multicast, instead of broadcast, to locate a name space provider which, in turn, will resolve IP addresses to names. SLP is the only method, in NetWare 5, to support browsing via Network Neighborhood.
DNS: Domain Name Service matches host names to IP addresses
DHCP: Provides IP or DNS names to client requests (servers can be clients too)
NDS: Novell’s Directory Service is a name space provider that matches network IP or IPX addresses with names (like HPDJ620)
Static Configuration Files: HOSTS files, LMHOSTS files and/or other static configuration files—such as registry entries via the properties of the NetWare Client
Use DHCP as much as it is convenient to send clients information, use DNS for name resolution for the rest. SLP is optional, in NetWare 5, and should be considered as a last resort for medium to large installations. Go to www.packet-level.com for more information on name resolution.
4.6.4 Name resolution modules in NetWare
Specific NetWare modules related to name resolution include:

NETDB.NLM
Name resolution for the server TCP/IP stack is usually provided by NETDB.NLM. Novell’s BorderManager proxy, however, doesn’t use NETDB functions—instead it does name resolution by itself. NETDB tries to resolve a name in the following order:
1. Local cache
2. SYS:ETC\HOSTS file
3. First DNS name server in SYS:ETC\RESOLV.CFG
4. NIS server configured in SYS:ETC\NWPARAMS
Changes to HOSTS or RESOLV.CFG are not dynamic. You not only have to unload and reload NETDB.NLM, but also TCPIP.NLM. If there are multiple DNS servers in RESOLV.CFG, NETDB.NLM will send the request to the last DNS server in the list. If this server does not respond, NETDB will send the request to the next DNS server up the list. A DNS server responding negatively will cause NETDB.NLM to stop the queries, regardless of whether there is another DNS server listed in RESOLV.CFG. A NIS server is queried only if no DNS is available and either NFS or NWIP is configured. Note: Network Information System (NIS) is a name database used by several NetWare-based UNIX services.
PROXY.NLM
Novell BorderManager proxy does name resolution without using the functions provided by NETDB.NLM. The search order is:
1. Local cache: Any entry that has already been resolved and not yet flushed from cache
2. SYS:ETC\HOSTS: The server host name to IP mapping file
3. SYS:ETC\RESOLV.CFG: The server file that lists the IP addresses of the DNS servers to query for name resolution—INETCFG ➝ Protocols ➝ TCP/IP ➝ DNS Resolver Configuration
The proxy is notified by BRDMON.NLM when changes are made to configuration files. You will see a message on the proxy cache server screen telling you the modified host entries in the SYS:ETC\HOSTS file are now being used—the same will happen if you make a change to the RESOLV.CFG file. The other major difference from NETDB is that all DNS servers specified in RESOLV.CFG are queried. If the first name server responds negatively, PROXY.NLM will query the second one, and then the third if it’s still no hit. Both NETDB and proxy will search for a “.” in the name to be resolved. If no “.” is found, they will append the domain name specified in RESOLV.CFG to the string and try to resolve the resulting name, which is how short names may be resolved within DNS zones.
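The two lookup orders modelled on constructed data, as an added example (not Novell code): the HOSTS and RESOLV.CFG contents, the DNS answer table and the query() stand-in are all assumptions, and the run shows the same short name failing under NETDB's last-server-first rule while PROXY resolves it from the first server.

```python
"""Model the NETDB.NLM and PROXY.NLM lookup orders described above (added example).

Not Novell code: the HOSTS and RESOLV.CFG contents and the DNS answer table are
constructed, and query() stands in for a real DNS lookup.
"""
from typing import Optional

# Constructed SYS:ETC\\HOSTS and SYS:ETC\\RESOLV.CFG contents.
HOSTS = {"atlfs01": "10.1.1.5"}
RESOLV_DOMAIN = "corp.example"
RESOLV_NAMESERVERS = ["10.1.1.10", "10.1.1.11", "10.1.1.12"]  # file order

# Constructed DNS data, server -> {name: ip}. A listed server that lacks the
# name answers negatively; a server absent from this table never responds.
DNS_DATA = {
    "10.1.1.10": {"www.corp.example": "10.1.2.80"},
    "10.1.1.11": {},
}


def query(server: str, name: str) -> tuple[str, Optional[str]]:
    """Stand-in DNS query: ('answer', ip), ('negative', None) or ('timeout', None)."""
    zone = DNS_DATA.get(server)
    if zone is None:
        return "timeout", None
    if name in zone:
        return "answer", zone[name]
    return "negative", None


def qualify(name: str) -> str:
    """Both modules append the RESOLV.CFG domain when the name contains no '.'."""
    return name if "." in name else f"{name}.{RESOLV_DOMAIN}"


def _local_lookup(name: str, fqdn: str, cache: dict, trace: list) -> Optional[str]:
    """Steps shared by both modules: local cache, then SYS:ETC\\HOSTS.
    (Assumption: the cache is keyed by the qualified name, HOSTS by the name as typed.)"""
    if fqdn in cache:
        trace.append(f"cache {fqdn}")
        return cache[fqdn]
    if name in HOSTS:
        trace.append(f"hosts {name}")
        return HOSTS[name]
    return None


def resolve_netdb(name: str, cache: Optional[dict] = None) -> tuple[Optional[str], list]:
    """NETDB: local tables, then DNS servers from the LAST one in RESOLV.CFG upward.
    A timeout moves to the next server up; a negative answer stops the search.
    NIS (only tried when NFS or NWIP is configured) is not modelled."""
    cache = {} if cache is None else cache
    trace: list = []
    fqdn = qualify(name)
    ip = _local_lookup(name, fqdn, cache, trace)
    if ip is not None:
        return ip, trace
    for server in reversed(RESOLV_NAMESERVERS):
        status, ip = query(server, fqdn)
        trace.append(f"{server} {status}")
        if status == "answer":
            cache[fqdn] = ip
            return ip, trace
        if status == "negative":
            break  # NETDB stops here even though other servers are listed
    return None, trace


def resolve_proxy(name: str, cache: Optional[dict] = None) -> tuple[Optional[str], list]:
    """PROXY: local tables, then every DNS server in RESOLV.CFG file order;
    a negative answer (and, as assumed here, a timeout) moves on to the next."""
    cache = {} if cache is None else cache
    trace: list = []
    fqdn = qualify(name)
    ip = _local_lookup(name, fqdn, cache, trace)
    if ip is not None:
        return ip, trace
    for server in RESOLV_NAMESERVERS:
        status, ip = query(server, fqdn)
        trace.append(f"{server} {status}")
        if status == "answer":
            cache[fqdn] = ip
            return ip, trace
    return None, trace


if __name__ == "__main__":
    # Same name, same files: NETDB fails, PROXY succeeds.
    for resolver in (resolve_netdb, resolve_proxy):
        print(resolver.__name__, *resolver("www"))
```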
4.7 INETCFG
INETCFG.NLM is the most important IP (and IPX) configuration utility. This C-Worthy menu is used by BorderManager, NIAS, MPR and other packages that require protocol configuration.

Boards—Used to identify NIC boards. <Enter> on board_name opens the configuration information:
  Board Name: A unique name for the board—10 character limit (numbers, letters, dashes and underlines allowed). You can also load another network board from here, or through NWCONFIG ➝ Driver Options ➝ Configure network drivers
  Slot: PCI physical slot number that matches the physical expansion slot
  Media and Line Speed: Auto-Sense media type; Twisted Pair 100MBPS; Twisted pair—Full Duplex 10MBPS; Twisted pair—Full Duplex 100MBPS; Fast Ethernet 100MBPS
  Node Address: Specifically for the 802.2 specification; overrides the randomly generated IPX address given at installation
  Comment: I like your hair, router boy—something like that, up to 50 characters
  Board Status: Disabled—This choice disables the binding but does not remove any of the load statements. Perfect for use as a troubleshooting method; the load statements are there for a fallback (e.g., Ethernet to Token Ring or IPX to IP). Enabled. Force—Causes all frame types to be loaded for the board (I have never seen a need for this)
  Driver Info
Network Interfaces—Information describing each NIC card. No further configuration is necessary on LAN cards.
WAN Call Directory
Protocols—Supported protocols are IPX and IP.
  Protocol TCP/IP
    Status: Enabled/Disabled. Can’t do anything with IP disabled
    IP Packet: Enabled/Disabled. Should only be enabled when the server is being used as a router—with two network boards
    RIP: Enabled/Disabled. Enabled, the server becomes a RIP router—good for medium to small networks. I have never seen any NetWare server need more than 5% CPU cycles to handle even the largest routing tasks.
    OSPF: Enabled/Disabled. Enabled, the server will become an OSPF router
    OSPF Configuration: Opens the OSPF configuration dialog
    Static Routing: Enabled/Disabled. Enabled, the server will read static routes from its table (at boot up and reinitialization)
    Static Routing Table: User input. Allows you to define default gateways, hosts or networks
    SNMP Manager Table: Manages the list of hosts that receive SNMP updates from this node
    DNS Resolver Configuration: User input. Domain and up to three possible DNS servers
    Filter Support: Enabled/Disabled. Enabled, TCP/IP will apply packet filters and routing information filters—filters configured through FILTCFG
    NAT Implicit Filtering: Enabled/Disabled. Enabled, assumes all inbound packets are responses to communications initiated by a node on the internal network
    Expert Configuration Options (opens another menu)
      Directed Broadcast Forwarding: Enabled/Disabled. Only for applications that require it
      Forward Source Route Packets: Enabled/Disabled. Enabled, forwards source route packets—token-ring
      BOOTP Forwarding Configuration: Enabled/Disabled. Enabled, lets the server/router forward received broadcast DHCP packets by unicasting them to the statically configured BOOTP server list—also logs the requests if desired
      EGP: Enabled/Disabled. Exterior Gateway Protocol support
      EGP Configuration: Static parameters for EGP configurations
Bindings—The bindings options are used to bind protocols to network boards. Before a protocol is bound, the upper-layer protocol stack must be loaded and an MLID must be loaded to define a virtual network adapter for the physical adapter plus a frame type to be used.
  Network Interface
  IPX Network Number
  Frame Type:
    Ethernet_II: Used by default for TCP/IP—IPX may use this frame type too
    Ethernet_802.2: The open-standard IPX frame type—default frame type for IPX in NetWare 4.x and 5.x
    Ethernet_802.3: Novell’s old, raw, proprietary frame type—it was the default frame type for IPX in NetWare 3.x and is required to run NetWare 2.x
    Ethernet_SNAP: IEEE 802.2-compliant frame type to support TCP/IP and other SNAP encapsulation compliant protocols
    TOKEN-RING: Standard frame type for IPX
    TOKEN-RING_SNAP: SNAP encapsulation allows for IP and AppleTalk support over token-ring networks
  Expert Bind Options
Manage Configuration—Used to configure the server’s SNMP information, remote access and import/export the configuration
View Configuration—Displays the configuration commands that you chose through the C-Worthy menu
Reinitialize System—<Enter> to reinitialize the system and reload all of your choices—without downing the server (sometimes the server gets stuck and you will have to restart the server).
4.7.1 INETCFG configuration files
INETCFG stores information in several files—be cautious when editing these files (there are some TIDs that show you how).
TCPIP.CFG
IPXSPX.CFG
NLSP.CFG
NETINFO.CFG
AURP.CFG
IPWAN.CFG
NLSPSTAT.CFG
When you agree to allow INETCFG to remark out the LOAD and BIND operations from the AUTOEXEC.NCF file, they are copied to the NETINFO.CFG. AUTOEXEC.NCF calls SYS:ETC\INITSYS.NCF.
4.7.2 Protocol best practices
Recommendations from the trenches:
Ethernet II is the cleanest frame type—use it for both IP and IPX
Each IPX frame type generates its own RIPs and SAPs; therefore, standardize on one frame type
Configure your print servers with only the needed frame types—some will auto-load all frame types and SAP on each frame type
Use filters on the routers to block unnecessary frame types

4.8 Configuration files related to TCP/IP
Wondering which configuration files relate to IP? NetWare can use any or all of the following statically configured files. Files related to INETCFG configuration are listed earlier in the chapter.
4.8.1 SLP.CFG
The SLP.CFG file is used only on a NetWare 5 server running IP. It is used by the server’s SA to find the other servers’ SAs—by querying the configured DA server. For example, the server needs to know the IP addresses of other replica servers (ndap.novell). SLP.CFG is located in the SYS:ETC directory.
4.8.2 RESOLV.CFG
The RESOLV.CFG file is used to assist in the name resolution process by pointing the server to a DNS server. The file is updated by:
The install process—choosing IP will force the DNS configuration to appear
INETCFG ➝ Protocols ➝ TCP/IP ➝ DNS Resolver Configuration
Or a text editor

4.8.3 SYS:ETC\HOSTS
The HOSTS file, like any client’s HOSTS file, maps host names to IP addresses (ASCII format). File format:
IP_address hostname [alias1] [alias2] #comment
The IP address may be expressed in dotted-decimal or dotted-hex form. Host names may not contain a space, tab or # character and must be unique. Aliases are nicknames that may be used in place of host names. The same HOSTS file may be used on all nodes in a network—distributing updates to the file is the difficult part.
4.8.4 SYS:ETC\GATEWAYS
This file is for static routing information (RIP and OSPF do not support static routes). TCPIP.NLM will need to be loaded with static routing enabled, either through INETCFG or with:
:LOAD TCPIP STATIC=YES
File formats include defined routes to remote hosts or remote networks:
HOST {IP_address | hostname} GATEWAY router_address [METRIC cost] [ACTIVE | PASSIVE]
NET {netid | netname} GATEWAY router_address [METRIC cost] [ACTIVE | PASSIVE]
A HOST entry can be an IP address or a host name already defined in the HOSTS file. A NET entry can be a destination network name or the network portion of the IP address. A default route (default gateway) is expressed with a 0:
Net 0 Gateway 192.178.00.3 Metric 1 Passive
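A parser for the HOSTS and GATEWAYS formats above, as an added example (not NetWare code): both file bodies are constructed, and the dotted-hex spelling of octets, case-insensitive host names and a default METRIC of 1 are assumptions. It resolves a HOST route's destination through HOSTS and rejects the duplicate names and stray characters the text forbids.

```python
"""Parse SYS:ETC\\HOSTS and SYS:ETC\\GATEWAYS as described above (added example).

Not NetWare code: both file bodies are constructed; dotted-hex octets are assumed
to be written 0xC0.0xB2.0x0.0x7, host names to match case-insensitively, and
METRIC to default to 1 when omitted.
"""

HOSTS_TEXT = """\
# constructed SYS:ETC\\HOSTS
127.0.0.1          localhost  lo
192.178.0.3        atlrtr01   gw    # site router
0xC0.0xB2.0x0.0x7  atlfs01    fs1   # dotted-hex form of 192.178.0.7
"""

GATEWAYS_TEXT = """\
# constructed SYS:ETC\\GATEWAYS
Net 0 Gateway 192.178.00.3 Metric 1 Passive
HOST atlfs01 GATEWAY 192.178.0.3 METRIC 2 ACTIVE
NET 10.20.0.0 GATEWAY 192.178.0.3
"""


def parse_ip(text: str) -> str:
    """Accept dotted-decimal (leading zeros allowed) or dotted-hex; return dotted-decimal."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"bad IP address: {text!r}")
    octets = []
    for part in parts:
        try:
            value = int(part, 16) if part.lower().startswith("0x") else int(part, 10)
        except ValueError:
            raise ValueError(f"bad IP address: {text!r}") from None
        if not 0 <= value <= 255:
            raise ValueError(f"octet out of range in {text!r}")
        octets.append(value)
    return ".".join(str(v) for v in octets)


def _content(line: str) -> list[str]:
    """Strip the #comment and split on whitespace: a name can hold no space, tab or #."""
    return line.split("#", 1)[0].split()


def parse_hosts(text: str) -> dict[str, str]:
    """Return {name_or_alias: ip}; every host name and alias must be unique."""
    table: dict[str, str] = {}
    for raw in text.splitlines():
        fields = _content(raw)
        if not fields:
            continue
        if len(fields) < 2:
            raise ValueError(f"HOSTS entry needs an address and a host name: {raw!r}")
        ip = parse_ip(fields[0])
        for name in fields[1:]:
            key = name.lower()
            if key in table:
                raise ValueError(f"duplicate host name {name!r} in HOSTS")
            table[key] = ip
    return table


def parse_gateways(text: str, hosts: dict[str, str]) -> list[dict]:
    """Return the static routes; a HOST destination may be a name defined in HOSTS."""
    routes = []
    for raw in text.splitlines():
        tok = _content(raw)
        if not tok:
            continue
        kind = tok[0].upper()
        if kind not in ("HOST", "NET") or len(tok) < 4 or tok[2].upper() != "GATEWAY":
            raise ValueError(f"malformed GATEWAYS entry: {raw!r}")
        dest, gateway = tok[1], parse_ip(tok[3])
        if kind == "HOST" and dest.lower() in hosts:
            dest = hosts[dest.lower()]
        elif kind == "NET" and dest == "0":
            dest = "default"  # NET 0 is the default route
        else:
            try:
                dest = parse_ip(dest)
            except ValueError:
                if kind == "HOST":
                    raise ValueError(f"host {dest!r} is not defined in HOSTS") from None
                # otherwise a netname, which SYS:ETC\NETWORKS would define
        metric, mode = 1, None  # defaults are assumptions (see lead-in)
        rest = [t.upper() for t in tok[4:]]
        while rest:
            word = rest.pop(0)
            if word == "METRIC" and rest:
                metric = int(rest.pop(0))
            elif word in ("ACTIVE", "PASSIVE"):
                mode = word
            else:
                raise ValueError(f"unknown option {word!r} in {raw!r}")
        routes.append({"kind": kind, "dest": dest, "gateway": gateway,
                       "metric": metric, "mode": mode})
    return routes


if __name__ == "__main__":
    for route in parse_gateways(GATEWAYS_TEXT, parse_hosts(HOSTS_TEXT)):
        print(route)
```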
4.8.5 SYS:ETC\NETWORKS
Supplies logical names for networks.
netname netid[/netmask] alias #comment
A netname is a logical name for the network and must use the same format as the host name in the HOSTS file. The netid is the portion of the IP address associated with the network—in dotted-decimal or hexadecimal form. The netmask is the subnet mask—the default IP class subnet mask is used if none is specified. The alias is just a nickname. When a network is described in this file, it will be identified by name in the TCPCON utility.
4.8.6 SYS:ETC\SERVICES
Specifies the IP port and transport protocol that a service uses.
service port/transport [alias] [#comment]
The service is the name of a service, which cannot contain spaces, tabs or # characters. Port is the port number to be used.
4.8.7 SYS:ETC\PROTOCOL
RFC 1700 assigns the official protocol numbers used to complete the protocol ID field in the IP header portion of the packet.
protocol_name number [alias] [#comment]
A protocol name may not contain a tab, space or # character. The alias specifies an alternate name.

Best Practice: In larger implementations, you may distribute one HOSTS file to all servers with a server management tool like OnSite Admin Pro, Command Center freeware or ZEN for Servers.
4.9 LAN drivers and protocol modules
NetWare can support up to 16 NICs in a server. NetWare can handle up to 16 logical networks. I have never seen more than three NICs in a server—two for load balancing and another separate one dedicated to backups.
4.9.1 LOAD statement used for LAN drivers
I always use INETCFG to configure my LAN drivers—it is easier and there is no syntax to remember. A few clients I’ve been to don’t want to document their exact INETCFG for other junior administrators to follow. They would prefer to standardize the commands in the AUTOEXEC.NCF and document the LOAD commands on each server. If you use the LOAD commands, the following format is appropriate:
:LOAD [path] LAN_driver_name [parameter=value]
DMA—Defined by the hardware. Reserves a DMA channel for the network board
FRAME—Frame type. Choices are shown earlier in the INETCFG menu explanations
INT—Interrupt. Defined by the hardware, but may be changed in BIOS
LS—Defined by the hardware. Number of token-ring stations to be configured for the driver.
MEM—Defined by the hardware. Memory address reserved by the driver.
NAME—Unique board name (numbers, letters, dashes and underlines allowed). Specifies a board name (up to 17 characters).
NODE—12 digit hex value. Specifies a node address—specifically for the 802.2 specification, which overrides the randomly generated IPX address given at installation.
PORT—Defined by the hardware. Memory address reserved for I/O use by the adapter.
RETRIES—(0–255) Defines the number of times the LAN driver will attempt to retransmit a packet.
SAPS—Defined by the hardware. Specifies the service access point for the 802.2 token driver.
SLOT—(1–8) Specifies the EISA slot—hardware configuration is then taken from the EISA configuration.
TBC—(0–2) Transmit buffer count for the TOKEN driver—default is 2.
TBZ—(0 = use default OR 96–65535) Transmit buffer size for the TOKEN driver—default is the maximum physical receive packet size SET parameter.
4.9.2
Using the BIND command Binding the protocol to the network board is normally done through INETCFG, but there are some command line lovers out there. :BIND IP TO board_name [ADDR=ip_address][MASK=subnet_mask][GATE=default_gateway ] [BCAST=broadcast_address][DEFROUTE={YES | NO}][ARP={YES | NO}] [POISON=={YES | NO}][COST=hop_count]
ADDR—IP address
MASK—Subnet mask
GATE—Default gateway. Not needed when using RIP, as RIP will discover the default gateway
Chapter 4
DEFROUTE—YES specifies that the server advertises itself as a default gateway through RIP—default is NO; FORWARD must equal YES, too
ARP—Uses the server to resolve IP addresses to MAC (node) addresses—Address Resolution Protocol is turned on by default (YES)
POISON—Specifies the use of poison reverse for routing updates sent to this interface—default is NO; split horizon is used by default
COST—(1–16) Metric specification for the interface
Routing information
NetWare supports many routing functions. SPLIT HORIZON is a routing method that prevents routing loops by never sending route updates back out the interface on which the routes were learned. POISON REVERSE updates are sent to overcome routing loops: the routing updates state that a network is explicitly unreachable, rather than implying it is unreachable by leaving it out of the updates. NetWare 5 also supports PIM through PIM.NLM. Protocol Independent Multicast is a unicast routing protocol, which can be run in dense or sparse mode. PIM DM (PIM Dense Mode) uses a data-driven flooding behavior to forward on all outgoing interfaces until pruning and truncation occur. PIM SM (PIM Sparse Mode) attempts to constrain data distribution by sending packets to specified rendezvous points (RPs); receivers are widely distributed. I have designed, with Cisco engineers, an SLP infrastructure that uses PIM Sparse-Dense mode. Check which version of Cisco's IOS is needed to support this function. Our concern was SLP general multicast traffic (224.0.1.22) from SAs. We allowed all DA traffic (224.0.1.35) through all interfaces but confined the general SA service queries to defined LATAs.
4.9.3
TCPIP.NLM
I have only been to two clients who used command lines to load TCPIP.NLM; the remainder configured it through INETCFG. Parameters include:
:LOAD TCPIP [FORWARD = {YES | NO}] [DIRBC = {YES | NO}] [LOADSHARING = {YES | NO}] [RIP = {YES | NO}] [STATIC = {YES | NO}] [TRAP = IP_address]
FORWARD—If this host has interfaces on two TCP/IP network segments, the server will forward traffic between the segments—default is NO
DIRBC—Specifies whether the server router will forward network-specific directed broadcasts when forwarding is enabled
LOADSHARING—Distributes traffic across equal-cost routes learned from OSPF (four is the maximum number of routes to a destination network)—default is NO
RIP—Host server will function as a RIP router when enabled—default is YES
STATIC—Indicates if the server will include static routes in its routing table. The routes are stored in the SYS:ETC\GATEWAYS file and can be edited with a text editor, INETCFG or TCPCON—default is NO
Warning: Using TCPCON to configure routes is not a good idea, as changes are lost upon reboot. Using command lines to configure LAN drivers and routing loses many of the advanced features NetWare provides in INETCFG.
TRAP—IP address of an SNMP host configured to accept traps
4.10 IP management through your browser
Is this Novell we are talking about? Yes, some server management is available through a browser. How can Novell do this and still keep a secure connection? That is what Novell's Certificate Server, together with SSL, is for. Browser-based administration is now native to the NetWare OS. Novell started the browser-based administration pieces with the Netscape FastTrack Server and has since expanded the range of products and options. The benefits of browser-based administration are obvious—the ability to manage your server and services from anywhere in the world that you have an Internet connection. You, of course, want a secure VPN connection (BorderManager) and public addresses on your servers behind the firewall.
4.10.1
NetWare Web Manager
The NetWare Web Manager is Novell's new management utility for Internet-related products such as Web Server, News Server, Portal, FTP Server, and Web Search Server. Although you see a link to NDS, it is a hokey browser-based proof-of-concept show. Look for the Web Manager; it may be automatically loaded when you choose IP and FTP during installation. To get to it, simply type in the IP address of your server using https:
:https://172.0.1.2:2200
The server presents its certificate to the client for PKI authentication, and the following screen pops up.
Figure 4.6 The NetWare Web Manager.
The NetWare Enterprise Web Server, News Server and Web Search Server are covered in Chapter 7.
4.10.2
Portal
0.5MB of space needed on SYS FREE; loaded in the installation/upgrade of NetWare 5.1
This is the most exciting part of NetWare 5.1. Finally, we do not need a mega-intrusive Novell client on the workstation to get server-specific information. I can now use my browser to manage the server. Novell now supports HTTP as an access protocol. This portal is viewed by typing the IP address of your NetWare 5.1 server into your Internet browser and accessing port 8008:
http://x.x.x.x:8008
Example: http://10.2.3.5:8008
The best way to learn it is to play with it. If you have many servers, you will notice that you must authenticate to each server to configure that server's parameters—inefficient if you plan to use this all day every day. Hopefully, Novell can come up with some solution to authenticate once and access information on a global level—at the browser level. Novell published an AppNote on server management from the PORTAL (http://developer.novell.com/research).
NLMs related to the portal
PORTAL.NLM—Use the /buttons switch when loading PORTAL to enable menu browsing on the C-Worthy NLM screen—can be done from the AUTOEXEC.NCF
HTTPSTK.NLM—Should be auto-loaded by PORTAL.NLM; however, you may wish to load it before PORTAL so you can enable any desired switches, such as SSL parameters
4.10.3
FTP server
This product option takes up a whopping .37MB of extra SYS space. The FTP server is controlled through the NetWare Web Manager. Connect to the Web Manager by pointing your browser to:
https://172.0.1.35:2200
Figure 4.7 The NetWare Management Portal. Click on the black banner at the top of the page after authenticating to change PORTAL parameters.
Notice the https, which is a secured connection. A certificate will be generated and you will be asked to authenticate to the NetWare server through your browser. After doing so, you will notice an option for the FTP server. File Transfer Protocol is a simple protocol tuned to transfer files. FTP has no capability for searching, no incremental update facility and no attribute-based directory model. NDS provides the authentication piece for FTP. FTP services are loaded on NetWare at installation or anytime thereafter through the X Window System GUI ➝ Novell (button) ➝ Install ➝ Add ➝ search to the root of the NetWare CD (you may need to mount the
CD with the CDROM server console command) ➝ highlight the PRODUCTS.NI ➝ OK ➝ OK.
FTP server NLMs
FTPIF.NLM
FTPSTAT.NLM
NWFTPD.NLM
FTP server files
FTPIF.NLM—FTP server and Statistics Interface Utility—takes up only 1.3K in RAM
UNICON.NLM—Used to configure NFS and other IP-related features. Installed and available when Unix print services for NetWare are loaded.
FTPD.LOG—The FTP Daemon log shows the FTP Server activity.
FTPREST.TXT—The FTP server restriction file. The access rights are taken in the order that they appear in this file. Separate access rights by a comma. This file allows administrators to configure access rights based on:
DENY: Deny access to the FTP server for a client
READONLY: Read-only access
NOREMOTE: Restricts the ability to navigate to remote servers
GUEST: Guest-only access for the user, which means he can see his home directory and the subdirectories below it—cannot navigate to remote servers
ALLOW: Permits access to a user
The following are key words to base restrictions on:
ADDRESS: Restricts a single node by IP address
ADDRESS_RANGE: Restricts an IP range of nodes—separate the two ends of the range with a space
DOMAIN: Restricts based on a specific DNS domain name
*: Container-level restrictions
ACCESS: Mandatory for each line—followed by the access rights
ALL: Applies restrictions to all domains
The format for this file follows:
FTPSERV.CFG—FTP Server Configuration file. Contains information on:
Home directories for FTP users
Default directories
Intruder checking
Invalid login attempts
Lockout period for invalid attempts threshold
Minimum and maximum port numbers for passive connections
Path of welcome banner file
Message file name
FTP Catalog Object Name
FTP Log file creation parameters
Audit and Intruder as well as Statistic log files
FTP intruder logs
Intrusion detection is available and based on host or user access. Log files are kept in SYS:ETC/FTPINTR.LOG.
FTP clients
Download one of the freeware or shareware FTP clients to give you a GUI interface. Many support drag-and-drop, so you do not have to memorize all of the UNIX command-line options.
www.download.com
www.shareware.com
www.tucows.com
FTP server configuration
Done through your browser—I love it.
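An evaluator for an FTPREST.TXT-style restriction list, added here as an example (it is not Novell's code). It applies the first-match ordering rule and the keywords described above, and adds the check an administrator wants: lines that a catch-all line makes unreachable. The line layout `<selector> <value...> ACCESS <rights>`, the '#' comment convention, suffix matching of NDS names and the omission of the ALL keyword are assumptions, since the text lists the keywords but not the exact layout.

```python
import ipaddress

RIGHTS = {"DENY", "READONLY", "NOREMOTE", "GUEST", "ALLOW"}

# Constructed sample file, not taken from any real server.
SAMPLE_FTPREST = """\
# blocked workstation, then read-only for the rest of its subnet
ADDRESS 10.2.3.99 ACCESS DENY
ADDRESS_RANGE 10.2.3.1 10.2.3.254 ACCESS READONLY, NOREMOTE
DOMAIN partner.example ACCESS NOREMOTE
.OU=CONTRACT.O=ACME ACCESS GUEST
* ACCESS ALLOW
"""


def parse_restrictions(text):
    """Parse the file into (selector, key, rights) tuples, keeping file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # '#' comments are an assumption
        if not line:
            continue
        tokens = line.split()
        upper = [t.upper() for t in tokens]
        if "ACCESS" not in upper:
            raise ValueError(f"line {lineno}: ACCESS is mandatory on every line")
        i = upper.index("ACCESS")
        rights = {r for r in "".join(upper[i + 1:]).split(",") if r}   # comma-separated rights
        if not rights or rights - RIGHTS:
            raise ValueError(f"line {lineno}: unknown access rights {sorted(rights - RIGHTS)}")
        selector, values = upper[0], tokens[1:i]
        if selector == "ADDRESS" and len(values) == 1:
            key = ipaddress.ip_address(values[0])
        elif selector == "ADDRESS_RANGE" and len(values) == 2:
            key = tuple(ipaddress.ip_address(v) for v in values)
            if key[0] > key[1]:
                raise ValueError(f"line {lineno}: range start is after range end")
        elif selector == "DOMAIN" and len(values) == 1:
            key = values[0].lower().lstrip(".")
        elif selector == "*" and not values:
            key = None
        elif selector.startswith(".") and not values:
            key = tokens[0].lower()                 # NDS user or container name (assumed form)
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        rules.append((selector, key, rights))
    return rules


def evaluate(rules, client_ip, client_domain="", nds_name=""):
    """Rights granted by the first matching line (the ordering rule); None if nothing matches."""
    ip = ipaddress.ip_address(client_ip)
    domain, who = client_domain.lower(), nds_name.lower()
    for selector, key, rights in rules:
        if selector == "ADDRESS" and ip == key:
            return rights
        if selector == "ADDRESS_RANGE" and key[0] <= ip <= key[1]:
            return rights
        if selector == "DOMAIN" and domain and (domain == key or domain.endswith("." + key)):
            return rights
        if selector.startswith(".") and who and (who == key or who.endswith(key)):
            return rights
        if selector == "*":
            return rights
    return None


def shadowed_lines(rules):
    """Rule indices that can never match because a catch-all '*' line precedes them."""
    for idx, (selector, _, _) in enumerate(rules):
        if selector == "*":
            return list(range(idx + 1, len(rules)))
    return []
```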
4.11 IP services
Most additional services/products can be found in a later chapter. Some of the IP services are described in the following sections.
4.11.1
Novell Certificate Server (formerly PKIS)
39.7MB extra SYS volume space needed for installation; free download.
Figure 4.8 FTP server for NetWare is configured through a browser. It is started with the NWFTPD.NLM.
The Certificate Server—renamed from its days as PKIS—provides for:
Authentication, via NDS or other directory service—without the use of the Novell workstation client software
An encrypted session between client and server—without the use of the Novell workstation client software—appropriate for e-mail, Web server authentication and secure network applications (like LDAP applications)
See a pattern here? Many people do not want, nor do they use, the Novell workstation client software to authenticate to servers—especially Web servers. Novell must, therefore, embrace other authentication standards to gain or keep a foothold in the Web services arena. The digital equivalent of a secure, personalized ID card, public key infrastructure provides a foundation for secure transactions. Public key encryption is the basis for the security functions of Novell's Certificate Server. Some third-party vendors that Novell's Certificate Server supports are Baltimore Technologies, VeriSign and Entrust. Popular e-mail applications supported by Certificate Server include Outlook 98, Outlook 2000, GroupWise 5.5, Netscape Messenger, and others. Server application support includes Novell LDAP, BorderManager Proxy Services, Netscape Enterprise Server on NetWare 5.1, and the NetWare Management Portal. Though the popular Netscape and Microsoft browsers do not natively recognize NetWare's Certificate Authority, they still work once you accept the certificate trust warning. Authentication and decryption are accomplished through the use of key pairs (digital codes). Key pairs are generated by Novell's Certificate Server.
Public Key
Published openly by a key pair owner to a requestor—public keys are generated by a Certificate Authority (CA)
Pair owner validates signatures of the key—certified through a Certificate Authority (in Novell's case the CA is stored in NDS)
Encrypts data between requestor and key pair owner for private transmission—data encrypted with the public key can only be decrypted by the private key
Public key certificates contain a public key, subject name, an expiration date (optional) and a CA-generated signature
Private Key
Closely guarded key used to:
Create digital signatures—through Novell International Cryptographic Infrastructure (NICI)
Decrypt data encrypted with the owner's public key
For example, if I wanted to send you an encrypted e-mail, I would encrypt the e-mail with your public key, and only you could decrypt it with your private key. PKI services allow the administration of key pairs using the NDS database.
Standards
PKIS generates certificates according to the X.509 v3 standard and is compatible with X.509 v1 and v2 certificates. Also supported are:
PKCS #7—S/MIME and multiple-certificate packaging format
PKCS #10—Certificate Signing Request format
PKCS #12—Personal Information Exchange format
PKI has a dependent relationship upon Novell's International Cryptography Infrastructure (NICI)—therefore, keep both updated and patched.
The role of NDS in Certificate Server
NDS is used to:
Replicate and store public and private keys
Provide central administration through ConsoleOne
Provide users access to manage their own certificates—admin willing
X.509 v3
The X.509 version 3 format provides for the following information to be contained in a certificate:
Name of the organization or user (subject name)
Public key of the organization or user
Public key certificate validity length of time
Public key certificate serial number
Public key certificate issuer CA name
CA-generated digital signature
Alternate names
Phone numbers
E-mail addresses
Key usage constraints
Certification practice statements
Other critical or noncritical attributes
Novell Certificate Server 2.0 is available as a no-cost download and can mint an unlimited number of certificates—other solutions charge per certificate. It can also work with third-party vendors to share minting duties. Novell Certificate Server can support a considerable demand for certificates, PKI queries, and certificate storage and management—use a beefy server. Certificates are minted using cryptography technology and managed automatically—through NDS and with NICI. Novell Certificate Server and NICI use the strongest legally allowable cryptography algorithms—NICI is loaded by an .NFK file and tied to the server-based license. The Certificate Server is a great solution for authentication into a Web site.
Unfortunately, Netscape and Microsoft browsers do not natively recognize the certificates. All NDS-supported platforms will work with Novell's Certificate Server—NetWare, NT, Solaris, Linux, etc.
Configuring PKI support for NDS
Use ConsoleOne to configure support for PKI—from a workstation (oddly, ConsoleOne cannot yet be used from the server to configure the Certificate Server).
Server certificate object
Create one for each application that is cryptographically enabled. A server can have many server certificate objects associated with it, but an object cannot be shared among servers. Server Certificate objects must reside in the container where the server object exists—if the server is moved, the certificate objects must be moved. Do not rename a server certificate object—instead, create a new one.
Associated NDS objects
Certificate Authority Object
Key Material Object
Security Container Object—This is that little lock icon under [Root]. It is created when the Secure Authentication Service (SAS) is installed
CRLDistributionPoint
MASV:Security Policy
SD Key Access Partition
Trusted Root Container Object—Provides the basis for trust in public key cryptography and is used to authenticate/validate certificates signed by the CA. The Trusted Root container object allows for secure e-mail (S/MIME), certificate-based authentication, and SSL. NDS leaf objects contained by the Trusted Root Container Object are Trusted Root Objects. This container object must be created in the Security object container.
Trusted Root Object—Different from the container object, this leaf object contains only a valid CA's trusted root certificate. This NDS object can only exist in the Trusted Root container.
Note: Verify that you have the latest NICI components installed through NWCONFIG ➝ Product Options ➝ View/Configure/Remove installed products.
The Certificate Authority
A Certificate Authority mediates the exchange of public keys by verifying identity—which NDS may do—and then issues a public key certificate for each of the parties in the conversation (analogous to a Tom Clancy spy novel where two parties talk over a public wireless medium with cell phones that use 128-bit encryption on each end).
1. The CA verifies your identification
2. Creates a public key certificate containing the required information
3. Mathematically hashes the information in the public key certificate to arrive at a value data string—normally 16 to 20 bytes
4. Encrypts the data string using the CA's private key
5. Sends the public key certificate containing the public key and the CA's signature to the requestor
6. The requestor receives the public key certificate and verifies it by computing the same mathematical hash and comparing it against the signed value. An unaltered certificate will produce the same hash value and is accepted
The Certificate Authority NDS object resides in the Security container under [Root]. It contains the public key, private key, certificate, certificate chain, and other configuration information. Normally, it is created upon installation of the first NetWare 5.1 server, as it is used for SSL and the NetWare Portal; if not, install it on a reliable server at a location convenient for the entire enterprise—as all servers may access this server. The Certificate Authority service runs on only one NetWare server.
Setting up PKI services in NetWare
Public Key Infrastructure, in NetWare, relies on NDS—rightly so. NDS provides PKI a way to manage security objects (certificates), verify that certificates are up to date, revoke them when compromised and handle other functions.
NetWare Administrator (or ConsoleOne) ➝ look in the [Root] context for the Security container, then right-click the Security object ➝ Create ➝ Certificate Authority ➝ OK ➝ follow the prompts
Creating other key material objects
NetWare Administrator (or ConsoleOne) ➝ right-click the container holding the server that will run the application ➝ Key Material object ➝ OK
PKI NLMs
The PKI NLMs are:
PKI.NLM
PKIAPI.NLM
4.11.2
NICI
NICI is the location library that SAS uses to define encryption and authentication rules for different regions. NICI is installed by default when you install SAS. It is a dynamically bound cryptographic library that delivers controlled cryptographic services to your applications regardless of where they are used. In the past, applications had to provide their own services if they wished to employ cryptography. Because the Novell cryptographic services are designed to be provided via a standard SDK, application vendors can take full advantage of the services without having to incorporate cryptography in their applications. They can ship just one version of their product worldwide, instead of having multiple versions to accommodate the many and varied national cryptography policies. Novell will assure compliance with international laws and export requirements. NICI is the encryption capability written into NDS. It provides:
The ability for international applications to receive expedited U.S. export approval.
Integrity of key management.
An infrastructure supporting key escrow in future releases.
A uniform cryptographic services API.
Network security services built on NICI
Note: NICI is copied to the server during installation as the licensing file is on the MLA diskette. NICI foundation keys are named serial_name.NFK.
NLMs related to NICI
As a reference:
CCS.XLM
DOMXENG.XLM
EXPXENG.XLM
XIM.XLM
XMGR.XLM
XSUP.XLM
Note: XLMs are cryptographic module NLMs.
Troubleshooting
Error messages for NICI may be found in the SYS$ERR.LOG
4.11.3
LDAP support
The term LDAP has several meanings. LDAP is a protocol riding on top of IP. LDAP is an API for developers to hook into directory-enabled applications. LDAP is a format defining data in a directory. LDAP is a format to exchange information—referred to as LDIF. LDAP version 3 is supported by NDS. The complete LDAP v3 specification can be found in RFCs 2251 through 2256. The Lightweight Directory Access Protocol is an open-standard protocol riding within IP to access any directory service that supports LDAP. LDAP provides for:
A data form, which defines the kind of information put into an LDAP-compatible directory and how you update it
A naming form, which defines how to organize the information in the LDAP directory
A security form, which defines how to access information based on rights
LDAP also defines the LDAP Data Interchange Format (LDIF), which provides a text-based means to describe directory information. Using LDIF you can import and export bulk information between directories—much like the OIMPORT and OEXPORT NDS tools. LDAP offers nine basic protocol operations:
Search—A query function
Compare—A query function
Add—An update function
Delete—An update function
Modify—An update function
Rename—An update function
Bind—A security function equivalent to a login
Unbind—A security function equivalent to logging out
Abandon—A security function equivalent to closing a connection
4.11.4
MIB-II support
NetWare 3, 4 and 5 support the Management Information Base II (MIB-II) standard. The standard defines 10 object groups and 171 objects (RFC 1213). SMI, the Structure of Management Information, specifies the rules used to define managed objects in the MIB (RFC 1155).
NCAgent v3 freeware
The NCAgent v3 for NConsole provides MIB support for over 300 items to an SNMP management console.
4.11.5
SNMP support
Simple Network Management Protocol is a simple request-response protocol. SNMP is defined in RFC 1157 and runs over UDP when using IP—SNMP is independent of protocols and can be run on IPX, too. NetWare 5 supports SNMP server and client components. The NT client does not have an SNMP agent, but you can use ManageWise. SNMP-enabled nodes send packets in two ways:
1. Polling—A predetermined interval is configured to return information such as CPU usage, traffic levels, etc.
2. Events—As a configured threshold is exceeded, alert messages are sent to defined management stations
All SNMP functions are founded upon manager and agent operations. Five operations are the basis of all SNMP manager-agent communications:
1. GetRequest—Management stations poll an agent to get information
2. GetNextRequest—The manager uses this function to request the next item in line
3. SetRequest—The manager uses this to change a value in an agent's MIB
4. GetResponse—The agent's reply, used to satisfy a manager's request
5. Trap—The agent informs the manager of an exceeded-threshold event
SNMP configuration in NetWare
:INETCFG ➝ Manage Configuration ➝ Configure SNMP Parameters
Configures SNMP support for agents outside this node: rights, Monitor State, Control State, and Trap State:
Monitor Community—Grants read access to all MIBs by default. The monitor community must be specified (public is the default community name)
Any Community May Read: Almost no security
Leave as Default Setting: Monitor community name will be PUBLIC
No Community May Read: Most restrictive—no access given to the MIB
Control Community—Grants read and write access to MIBs
Any Community May Write: You are very trusting—some would call it foolish
Leave as Default Setting: No write access
No Community May Write: No write access
Specified Community May Write: You will have to specify the community name
Trap Community—Defines how SNMP traps are generated—managers accept traps that match their community name (like group membership in NDS)
Do Not Send Traps: Send no evil
Leave as Default Setting: Traps sent to the PUBLIC community
Send Traps with Specified Community: You will have to specify the community name
Other SNMP Parameters—Supports two optional parameters
VERBOSE or VERBOSE=YES: SNMP parameter information is written to the server's console screen. This option is on by default; to turn it off, put in VERBOSE=NO.
AUTHENTICATION TRAPS=YES: Sends traps to the trap targets defined in SYS:ETC\TRAPTARG.CFG when authentication failures occur in GET, GET-NEXT or SET operations
INETCFG ➝ Manage Configuration ➝ Configure SNMP Information
Configures SNMP support information for this node only
Configuring trap addresses
:INETCFG ➝ PROTOCOLS ➝ TCP/IP ➝ SNMP Manager Table
Configures where this server host will send SNMP trap messages.
Logging SNMP traps
The SNMPLOG.NLM must be loaded after TCPIP.NLM to log trap messages in SYS:ETC\SNMP$LOG.BIN. No size restrictions are placed on this file—you will have to keep an eye on it and delete it when it gets too big. Use TCPCON to read the file.
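The GetRequest/GetResponse exchange from the five operations above, encoded and decoded with the BER rules of RFC 1157, as an added example that is not NetWare's SNMP.NLM. It shows why the Monitor, Control and Trap community choices matter: the community name is the only credential in an SNMPv1 packet and travels in clear text, which is what audit() flags for a monitoring point. The sysDescr.0 object is from MIB-II; the two sample packets are constructed here, not captured.

```python
SNMPV1 = 0
GET_REQUEST, GET_NEXT_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA1, 0xA2, 0xA3
SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # sysDescr.0, an MIB-II object (RFC 1213)


def _tlv(tag, content):
    """BER tag-length-value; long-form length when content exceeds 127 bytes."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content


def _int(value):
    """INTEGER (tag 0x02) in minimal two's-complement form."""
    size = 1
    while not -(1 << (8 * size - 1)) <= value < (1 << (8 * size - 1)):
        size += 1
    return _tlv(0x02, value.to_bytes(size, "big", signed=True))


def _oid(dotted):
    """OBJECT IDENTIFIER (tag 0x06): first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_message(pdu_type, community, request_id, varbinds, error_status=0, error_index=0):
    """Whole SNMPv1 message. varbinds: [(oid, bytes or None)]; None is the NULL placeholder of a request."""
    vbl = b"".join(_tlv(0x30, _oid(o) + (_tlv(0x05, b"") if v is None else _tlv(0x04, v)))
                   for o, v in varbinds)
    pdu = _tlv(pdu_type, _int(request_id) + _int(error_status) + _int(error_index) + _tlv(0x30, vbl))
    return _tlv(0x30, _int(SNMPV1) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos=0):
    """Return (tag, content, position after this element)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        size = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    return tag, buf[pos:pos + n], pos + n


def _read_int(raw): return int.from_bytes(raw, "big", signed=True)


def _read_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_message(packet):
    """Decode an SNMPv1 message; note that the community name comes out in clear text."""
    tag, msg, _ = _read_tlv(packet)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    vtag, ver, pos = _read_tlv(msg)
    if vtag != 0x02 or _read_int(ver) != SNMPV1:
        raise ValueError("not an SNMPv1 message")
    _, community, pos = _read_tlv(msg, pos)
    pdu_type, pdu, _ = _read_tlv(msg, pos)
    if pdu_type not in (GET_REQUEST, GET_NEXT_REQUEST, GET_RESPONSE, SET_REQUEST):
        raise ValueError(f"unsupported PDU type {pdu_type:#x}")
    _, rid, pos = _read_tlv(pdu)
    _, est, pos = _read_tlv(pdu, pos)
    _, eix, pos = _read_tlv(pdu, pos)
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid, vpos = _read_tlv(vb)
        vtag, val, _ = _read_tlv(vb, vpos)
        varbinds.append((_read_oid(oid), None if vtag == 0x05 else val))
    return {"community": community.decode("latin-1"), "pdu_type": pdu_type,
            "request_id": _read_int(rid), "error_status": _read_int(est),
            "error_index": _read_int(eix), "varbinds": varbinds}


def audit(packet):
    """Findings a sniffer or IDS rule could raise; they map to the INETCFG community settings."""
    msg = parse_message(packet)
    findings = []
    if msg["community"] == "public":
        findings.append("default community 'public'")
    if msg["pdu_type"] == SET_REQUEST:
        findings.append("SetRequest (MIB write) seen; check the Control Community setting")
    return findings


# Constructed exchange: the manager polls sysDescr.0, the agent answers with request-id 42 echoed back.
REQUEST = build_message(GET_REQUEST, "public", 42, [(SYS_DESCR, None)])
RESPONSE = build_message(GET_RESPONSE, "public", 42, [(SYS_DESCR, b"Novell NetWare 5.1")])
```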
4.12 NetWare 5 TCP/IP APIs
There are 4 APIs:
WinSock 2.0
New in NetWare 5. WinSock 2.0 is not dependent upon any particular protocol stack and can simultaneously support UDP, TCP, IPX, SPX and SPX2. WinSock 2 is the preferred API for protocol-independent applications and is required for SLP and Novell's IP gateway.
CLIB
Standard API to NCP—NetWare's Core Protocol. Applications written to the CLIB API will be compatible with IP or IPX
Transport Layer Interface (TLI)
API developed by AT&T—uses the Streams interface to support both IP and IPX
4.3 BSD Sockets
BSD UNIX sockets applications operate only over the TCP/IP stack
4.12.1
HTTP
Hypertext Transfer Protocol (HTTP) support is found via the NetWare 5.1 PORTAL.NLM. HTTP is an application-layer protocol that mostly uses browsers—like Netscape and IE—to present information. HTTP supports hypermedia access to resources. HTTP/1.1 (RFC 2068) provides for persistent connections.
4.13 IP utilities and troubleshooting tools
Look in SYS:ETC\CONSOLE.LOG for error messages. Other troubleshooting (client and server) tools include:
PING
TPING
TRACERT
ARP
ROUTE
ICMPLOG
TCPCON
MONITOR
NETSTAT
WINIPCFG
IPCONFIG
Network Monitoring Sniffer Programs
4.13.1
PPPTRACE.NLM
WAN troubleshooting C-Worthy menu tool
4.13.2
INETCFG.NLM
INETCFG.NLM is the most important IP configuration utility. This C-Worthy menu is used by BorderManager, NIAS, MPR and other packages that require IP configuration. See earlier in this chapter for complete INETCFG information.
4.13.3
NIASCFG
The Novell Internet Access Server C-Worthy menu provides remote access configuration and protocol configuration. Protocol configuration is done through a link back to INETCFG. NIAS is the new name for the old Multi Protocol Router. NIAS is a free add-on product during install—or anytime thereafter—which supports complex routing functions, remote access and wide area networking.
TCP/IP enhancements with NIAS
NAT support in the base OS
Packet filter support
ICMP Router Discovery Protocol support
RIP II support
OSPF support
BOOTP forwarding
Directed IP broadcast forwarding
4.13.4
TCPCON.NLM
TCPCON and its cousin IPXCON are used for troubleshooting protocol operations. TCPCON provides real-time TCP/IP statistics and configuration parameters. Remote nodes may be accessed from TCPCON through SNMP MIBs. The console information displayed is:
IP Received—Sum of all IP datagrams received
Figure 4.9 The TCPCON utility.
IP Sent—Number sent by this node—not including those forwarded
IP Forwarded—Sum of IP datagrams forwarded—DISABLED means that routing is turned off
TCP Received—Sum of TCP datagrams received by this node
TCP Sent—Sum of TCP datagrams sent by this node—excluding those sent as retransmissions
TCP Connections—Real-time view of TCP connections to the server
Available Options
From the menu choices:
SNMP Access Configuration—SNMP agent selection
Protocol Information—Change and view TCP/IP protocols
IP Routing Table—Displays and configures IP routes and tables
Statistics—Real-time TCP/IP statistics
Interfaces—Information based on specific interfaces
Display Local Traps—View this server's SNMP trap log created by SNMPLOG.NLM
SNMP access configuration in TCPCON
First choice under Available Options:
Local System—Manages the local server
TCP/IP—Manages TCP/IP stacks on computers running SNMP agents
IPX—Uses SNMP over IPX to access a remote node's TCP/IP information
Community Name—SNMP community
Timeout—(0–120 seconds) Number of seconds that TCPCON listens for a response after polling
Poll Interval—(0–900 seconds) Configures the number of seconds between polls; 0 equals constant polling
Protocol information in TCPCON
Choice under Available Options:
EGP
ICMP
IP
OSPF
TCP
UDP
IP routing table in TCPCON
Choice under Available Options:
Proceed—Press <Enter> when ready to view information
Mask—Displays the currently configured masks
Next Hop—* displays all next hops; enter an IP address to display information about that hop
Protocol—Select the protocol to view information about
Cost—All routes are displayed by default. Choose a specific cost and you can view all routes with that cost
Interface—Specific interface selections
Flush All Routes—Causes the server to rebuild its routing tables—you can do the same at the server console with :RESET ROUTER
Use a sniffer to watch router convergence after doing a RESET ROUTER. Additional information on TCPCON can be found in a series of TIDs.
4.13.5
PING.NLM
Use the PING utility to test connectivity. Don't forget that Novell provides an IPXPING.NLM to ping via IPX. The PING command creates an ICMP Echo Request message that is sent to a host. A return PING will be an ICMP Echo Reply that lets you know the host is up and its IP stack is functioning.
:PING
or
:PING IP_address
or
:PING host_name
You may only ping a host name if a name space provider is available to resolve the name—e.g., DNS.
Command line syntax
:PING [-t][-a][-n #][-l length][-f][-I ttl][-v tos][-r #][-s #][-j computer_list][-k computer_list][-w timeout] destination_list
–t—PING until interrupted
–a—Displays the computer name of the IP address
–n #—Number of times to ping
–l length—Length of packet in bytes—use this to see if the router is fragmenting properly. Force a length to find out your segment's MTU.
–f—Instructs routers not to fragment the packet
–I ttl—Sets the TTL field to the specified value—default is 64 in NetWare
–v tos—Type of Service field setting
–r #—Shows the current route taken by the packet
–s #—Shows the timestamp for the number of hops
–j computer_list—Uses the loose source route specified by the computer_list or hosts
–k computer_list—Uses the strict source route specified by the computer_list or hosts—must touch every router in exact order
–w #—Specifies a timeout interval in milliseconds
destination_list—Specifies a list of computers to PING
Return information displayed on the C-Worthy PING screen
To help understand the PING information:
Node—IP address of node being pinged—destination host
Sent—Number of packets sent
Received—Number of packets received
High—Longest reply time of destination node
Low—Fastest reply time of destination node
Last—Most recent reply time of destination node
Average—Average reply time of destination node replies
Trend—Information messages that may include the following:
No Data: Not enough information/data to calculate status
Down: This host has received no replies
Failing: 2/3 of the requests have gone unanswered
Drop: 1/3 of the replies have not been received
PING error messages
Error messages may be interpreted:
Bad IP Address—Usually means a name space mapping to an IP address is incorrect—try the IP address
Destination Unreachable—Communication is active but there is some sort of routing problem
Packet needs to be fragmented but DF not set—The packet is too large to pass an MTU on the path and the do-not-fragment bit is set
Request Timed Out—No reply arrived within the timeout interval. The packet may simply have been dropped, or its TTL was decremented at each hop until it reached zero and the packet was discarded on the network
For DNS queries (e.g., PING CNN.COM), PING uses NETDB.NLM to make a call to DNS for name resolution. NETDB only handles host (A) records and PTR records; it does not resolve other record types such as MX. See also TPING.NLM.
Do not leave the server constantly pinging other nodes. Exit the screen by pressing ESC until you are asked to exit.
IP Ping troubleshooting
First test the IP stack on the server:
:PING LOCALHOST
A positive response shows that the server's local IP stack is working. Next, ping the server's own IP address:
:PING 10.x.x.x
Again, a positive response shows that the server's IP address is bound and working as designed. Next, ping the default gateway. If the default gateway is not known, ask whoever administers the routers, or look it up with INETCFG ➝ PROTOCOLS ➝ TCP/IP ➝ LAN STATIC ROUTING ➝ Route Type ➝ Default Route
:PING default_gateway_IP_address
If the first two pings succeed and this one fails, the problem is on the wire (cable, switch port, LAN driver or the router itself) rather than in the server's IP configuration.
4.13.6
TPING
:LOAD TPING host [packet_size [retry_count]]
Packet size—Default is 64. Changes the size of the packet sent
Retry count—Default is 5. Sets the number of retries
Results show ALIVE or NOT RESPONDING
4.13.7
NSLookup utility
This is a freeware DNS troubleshooting .NLM you can download from Novell's CoolSolutions Website at www.novell.com/coolsolutions/freetools.html.
:NSLOOKUP [nameserver] [record-type] [for-name]
Nameserver—DNS server to query
Record-type—A, NS, MX, CNAME and PTR are the supported record types
For-name—The name (or, for a PTR query, the address) to look up
4.13.8
DHCPCLNT.NLM
Starting in NetWare 5.1, the NetWare server can itself be a DHCP client. This .NLM enables the server as a DHCP client, which is useful when you are using the server as a gateway to the Internet.
:DHCPCLNT name=board_name [options] [- | /][flags]
Options:
HOST=—Host name; must appear in the SYS:ETC\HOSTS file
RS=—Release the assigned secondary DHCP address
TIMEOUT=—Time in seconds the DHCP client waits for a reply
Flags (either - or / is accepted as the flag prefix):
-HELP—Displays the help screen
-INETCFG—Updates INETCFG with the leased configuration
-RELEASE—Releases the primary DHCP address, as well as any secondary addresses
-SECONDARY—Forces the server to request a secondary address for the board
-INFO—Displays address, gateway, net mask, lease length, expiration time, etc.
4.13.9
PIM.NLM
Novell's PIM.NLM is a routing helper for multicast. It supports IGMP version 1. Link: http://www.ipmulticast.com/community/links-intro.html
4.13.10
PPPTRACE.NLM
See Chapter 2 for complete PPPTRACE information.
4.13.11
TCP/IP SET commands Look under Communications in the SET parameters for many of the related SET commands. Server tuning is covered in Chapter 9.
4.13.12
ARP
Address Resolution Protocol maps a 4-byte IP address to a 6-byte MAC (NIC) address. It is not needed in an IPX environment, as an IPX node uses its MAC address as part of its IPX node address. Note that ARP replies are not authenticated: any host on the segment can answer for an address it does not own (ARP spoofing). When a node suddenly becomes unreachable, or traffic appears to be taking a detour, compare the MAC address in the ARP table against the NIC address you expect before blaming routing.
4.13.13
IPTRACE.NLM
Roughly equivalent to the TRACERT command line utility, IPTRACE reports the route taken between two hosts. Usage:
:IPTRACE <destination> [Hops=maximum hops] [Wait=maximum time] [Port=destination port] [Noresolve] [NewLog]
Destination—An IP address or DNS name
Hops—Maximum hops traced (default is 30)
Wait—Maximum time, in milliseconds, IPTRACE should wait for a reply (default is 5 seconds)
Port—The IP port used on the destination host (default is 40001; the value cannot be less than 6000)
Noresolve—Tells IPTRACE not to resolve host names
NewLog—Starts a new trace log file; IPTRACE.LOG is found in the SYS:ETC directory
4.13.14
INETCFG configuration information Save the information to a file :INETCFG ➝ View Configuration ➝ Configuration Summary ➝ Save Summary To A File
The file is saved as SYS:ETC\CONFIG.SUM and can be read with CPQFM.NLM or any text editor. For a more complete and detailed account of all of the information, use CONFIG.NLM:
:LOAD CONFIG /S
This saves all of the server's configuration files to SYS:SYSTEM\CONFIG.TXT. You can read the information with a text editor, though the Config Reader GUI freeware utility, downloadable from Novell's support site, is better, and it can compare the CONFIG.TXT of one server against others. Onsite Admin Pro can do comparisons as well, but you need to be a large customer for Novell to give you that freeware utility.
4.13.15
How to obtain the IP address of all the users on my NetWare 4.11 network
Enter these lines in a container login script:
;BEGIN RECORDING IP ADDRESSES HOMEMADE SCRIPT
#C:\WINDOWS\WINIPCFG /BATCH H:\IPADD.TXT
Do this after the personal folder mapping (which, in this example, maps the home directory to drive H:). The IPADD.TXT file is written to the root of each user's H: drive. You can also use ZEN for Desktops to import the workstations and view their IP addresses; the IP address is a property of the workstation object and appears under the Network Address property.
4.13.16
Tune the server for IP See Chapter 9 for information on how to tune the server’s communication parameters. Realize that the IP packet is big and bulky and, therefore, requires more buffer space. At minimum you should adjust the minimum packet receive buffers, minimum service processes, new service process wait time and maximum physical receive packet size for medium to large environments.
Also, reference a Novell TID 2945062, “Server Configuration Suggestions for TCP/IP,” which makes many tuning recommendations.
4.13.17
Sniffer programs Sniffer programs are an excellent method to obtain troubleshooting data. More network traffic information can be found in the last chapter and the Appendices. Also, Novell provides TID 2937503, “Basic Lanalyzer Trace Reading Information,” to aid newcomers.
4.14 Subnet addressing
RFC 950 defines subnet addressing. http://www.net3group.com/download.asp has an IP subnet-addressing calculator to assist you, or you can find one on most shareware sites. I do, however, want to give you a quick reference to subnet information. Subnet IP addresses to:
Isolate the network into subnets
Reduce network traffic—Routers, by default, do not pass broadcast traffic, allowing you to confine broadcasts within a subnet
Improve security—About the only traffic that leaves a subnet is unicast traffic to a specific host, so hosts on other subnets see little of the local traffic. Treat this as containment, not confidentiality: a host on a shared segment (or one spoofing ARP on a switched segment) can still sniff its neighbours' packets, and it is the router or firewall between subnets, not the mask itself, that decides which traffic is allowed across
Expand the network
I run into mostly class B and C subnets. To help, I have provided references in Tables 4.4, 4.5, and 4.6.
Class A—1–127.x.x.x
126 possible class A networks, each supporting up to 16,777,214 hosts. The first bit is zero; the final three bytes identify the node
Table 4.4 Binary to Decimal Conversions
Binary    2^7   2^6   2^5   2^4   2^3   2^2   2^1   2^0
Decimal   128   64    32    16    8     4     2     1

Table 4.5 Quick Reference Binary Octet
Binary Octet   Octet Bit Value               Octet Decimal Value
00000000       0                             0
10000000       128                           128
11000000       128+64                        192
11100000       128+64+32                     224
11110000       128+64+32+16                  240
11111000       128+64+32+16+8                248
11111100       128+64+32+16+8+4              252
11111110       128+64+32+16+8+4+2            254
11111111       128+64+32+16+8+4+2+1          255
11000110       128+64+0+0+0+4+2+0            198

Address classes by first octet
Class     First Octet Decimal Range
Class A   1–127.x.y.z
Class B   128–191.x.y.z
Class C   192–223.x.y.z
Class D   224–239.x.y.z
Class E   240–255.x.y.z
4.14
Subnet addressing
Table 4.6
Class C Subnet Masks Quick Reference
Bits   Binary Mask   Decimal Equivalent   Available Subnets   Hosts per Subnet   Total Hosts Available
0      00000000      255.255.255.0        1 (no subnetting)   254                254
1      10000000      255.255.255.128      0                   126                0
2      11000000      255.255.255.192      2                   62                 124
3      11100000      255.255.255.224      6                   30                 180
4      11110000      255.255.255.240      14                  14                 196
5      11111000      255.255.255.248      30                  6                  180
6      11111100      255.255.255.252      62                  2                  124
7      11111110      255.255.255.254      126                 0                  0
8      11111111      255.255.255.255      254                 0                  0
The subnet counts follow RFC 950, which excludes the all-zeros (subnet zero) and all-ones subnets. CIDR routers (RFC 1878) use both, so under CIDR a one-bit mask yields two usable subnets of 126 hosts and a three-bit mask yields eight subnets of 30. Check which rule your routers apply before counting on the extra subnets.
Class B—128–191.x.x.x
16,384 possible class B networks, each supporting up to 65,534 hosts. The first bit is 1, the second is 0, and the last two bytes identify the node
Class C—192–223.x.x.x
2,097,152 possible class C networks, each supporting up to 254 hosts. The first three bits of the first byte are 1, 1 and 0
Class D—224–239.x.x.x
Class D addresses are used for multicast packets
Class E—Reserved
Host addresses of either all zeros or all ones are not valid.
Calculating subnets and hosts
Available hosts per subnet = 2 to the power of (# of host bits, i.e., the bits left unmasked) − 2
Available subnets = 2 to the power of (# of bits subnetted) − 2 under RFC 950; a CIDR router allows 2 to the power of (# of bits subnetted), with nothing subtracted
3-bit subnet mask 255.255.255.224
The mask divides the class C network into eight blocks of 32 addresses, each with 30 host IDs:
1–30, 33–62, 65–94, 97–126, 129–158, 161–190, 193–222, 225–254
Under RFC 950 the first block (subnet zero) and the last block (all-ones) are not used, which leaves the six subnets counted in Table 4.6; a CIDR router can use all eight.
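The subnet and host counts above, as an added example that is not part of the book: a short Python script that regenerates the rows of Table 4.6 with the standard library's ipaddress module and lists the usable host ranges for the 255.255.255.224 case. It assumes a constructed sample network, 192.168.1.0/24, and applies the RFC 950 rule by default, with a flag for the CIDR (RFC 1878) counting that current routers use.

```python
# Added example (not from the book): classful subnet arithmetic behind the
# Class C quick reference and the 255.255.255.224 host-range list, using
# only the standard library. RFC 950 rules (subnet zero and the all-ones
# subnet are unusable) apply by default; classful=False gives the CIDR
# (RFC 1878) counts that modern routers use.
import ipaddress


def mask_from_bits(subnet_bits: int) -> str:
    """Dotted-decimal mask for a Class C network with subnet_bits borrowed."""
    if not 0 <= subnet_bits <= 8:
        raise ValueError("a Class C network has only 8 host bits to borrow")
    return str(ipaddress.ip_network(f"0.0.0.0/{24 + subnet_bits}").netmask)


def class_c_row(subnet_bits: int, classful: bool = True) -> dict:
    """One row of the Class C subnet quick reference (Table 4.6)."""
    host_bits = 8 - subnet_bits
    # All-zeros and all-ones host IDs are never valid host addresses.
    hosts = max(2 ** host_bits - 2, 0)
    if subnet_bits == 0:
        subnets = 1                                # the unsubnetted network itself
    elif classful:
        subnets = max(2 ** subnet_bits - 2, 0)     # RFC 950: drop subnet zero and all-ones
    else:
        subnets = 2 ** subnet_bits                 # CIDR: every subnet is usable
    return {
        "bits": subnet_bits,
        "mask": mask_from_bits(subnet_bits),
        "subnets": subnets,
        "hosts_per_subnet": hosts,
        "total_hosts": subnets * hosts,
    }


def class_c_table(classful: bool = True) -> list:
    """All nine rows, 0 through 8 borrowed bits."""
    return [class_c_row(bits, classful) for bits in range(9)]


def host_ranges(network: str, subnet_bits: int, classful: bool = True) -> list:
    """(first, last) usable host address of each subnet of `network`.

    For 192.168.1.0/24 with 3 borrowed bits (mask 255.255.255.224) the
    eight /27 blocks give host IDs 1-30, 33-62, ..., 225-254; under RFC 950
    the first and last blocks are dropped, leaving the six the book counts.
    """
    net = ipaddress.ip_network(network)
    subs = list(net.subnets(prefixlen_diff=subnet_bits))
    if classful and subnet_bits > 0:
        subs = subs[1:-1]
    return [(str(s.network_address + 1), str(s.broadcast_address - 1))
            for s in subs if s.num_addresses >= 4]   # /31 and /32 carry no hosts


if __name__ == "__main__":
    for row in class_c_table():
        print("{bits}  {mask:15}  {subnets:>3}  {hosts_per_subnet:>3}  {total_hosts:>3}".format(**row))
    for first, last in host_ranges("192.168.1.0/24", 3):   # constructed sample network
        print(first, "-", last)
```

Run it with classful=False to see how much address space the RFC 950 rule gives away on a small network; on a /24 with a three-bit mask it is two whole subnets of 30 hosts.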
4.15 Links www.internic.net www.cis.ohio-state.edu/hypertext/information/rfc.html www.nexor.com/public/rfc/index/rfc.html
5 Installing a NetWare Server
A clean installation of NetWare 5 and 6 is discussed in this chapter. I go over each of the installation options and describe how to use one of the advanced installation tools for larger environments, too. Before you install the second NetWare 5/6 server, read the SLP section in the IP chapter: the significance of the second server is that NetWare 5/6 servers prefer an IP connection and will try to locate resources via SLP. Knowledge of SLP is essential for a successful NetWare 5 implementation. If you are upgrading, rather than installing a NetWare 5.x/6 server in a new environment, skip to the next chapter. Either way, read the next chapter to get a better understanding of planning and best practices in your environment. If you are upgrading from NetWare 3.x or another NOS, learn to design your NDS tree first by reading the NDS chapter.
5.1
Minimum hardware requirements
Minimum requirements will work but are for the smallest of shops. (See Table 5.1.)

Table 5.1 Minimum Hardware Requirements
CPU
  NetWare 4.11: A PC (or PC compatible) with a 386, 486 (SX or DX), Pentium, or higher processor
  NetWare 5.1: Pentium Pro 200 MHz or higher
  Notes: NetWare is cache engine/RAM intensive, not CPU intensive
RAM
  NetWare 4.11: A minimum of 20 MB of RAM
  NetWare 5.1: 64MB RAM required, 128MB RAM recommended
  Notes: Many hardware vendors, such as Compaq and Dell, have Novell RAM sizing tools on their Websites. Use 256MB if you plan to use IBM's WebSphere software
CD-ROM
  NetWare 4.11: A CD-ROM drive that can read ISO 9660 formatted CD-ROMs
  NetWare 5.1: A CD-ROM drive that can read ISO 9660 formatted CD-ROMs
  Notes: Computers with CD-ROM drives must fully support the El Torito BIOS specification. You do not need a CD-ROM drive if you plan to do an upgrade "across-the-wire"
Volumes
  NetWare 4.11: At least 90 MB for a NetWare disk partition containing volume SYS:
  NetWare 5.1: A SYS: volume of 1.3GB minimum
  Notes: Use a 2GB SYS volume for expansion, patches, support packs, etc.
NIC
  NetWare 4.11: At least one network board
  NetWare 5.1: At least one network board
  Notes: Use a PCI network card with bus mastering for best results
DOS Partition
  NetWare 4.11: 15 MB
  NetWare 5.1: 35MB
  Notes: I recommend a 200MB DOS partition

5.1.1
Hardware recommendations
I have had the experience of seeing the NetWare server configurations of many of the largest companies in the world. Over the years, I have come to a favorite starting configuration recommendation. Some of it follows; more detailed information appears under the Server Tuning heading in the last chapter.
200MB DOS Partition—No need to have more or less. The importance of the DOS partition size cannot be taken lightly. You can now take a coredump with the cacheless option; I have seen a cacheless coredump from a server with 4GB RAM leave only a 20MB dump file. File cache is rarely needed for a coredump.
2GB SYS Volume—More is okay, but since you are not going to use SYS for user home directories, print queues, or applications, the SYS volume will stay relatively the same size. If you are going to have a large tree, calculate the number of objects and multiply them by
about 4K per object. For example, I have a test tree with 12,000 user objects that is 18MB.
Hardware Mirror the SYS Volume—Hardware mirroring is more efficient than NetWare's software mirroring through NWCONFIG. Mirroring the SYS volume helps protect against a hard drive failure bringing down the server and NDS. Software mirroring does not mirror the DOS partition, only the NetWare partitions. A client had a server with mirrored drives, and the drive with the active DOS partition failed. Although the NetWare partition was still intact, the DOS partition on the surviving drive was out of date: during the original install they had copied the C:\NETWARE directory to the D: drive, but all subsequent service packs only updated C:\NWSERVER.
RAID 5 the rest of the Volumes and use a hot on-board spare hard drive—This is especially important for remote sites that cannot afford to be down. A hard drive failure with RAID 5 still preserves all information, and the spare drive gives you time to order a new drive and visit the remote site to replace it at your convenience. Be sure to investigate how your vendor's RAID card works under NetWare. Vendors handle logical drives differently; one requires the maximum size of the logical drive to be specified up front and then reports that size to NetWare, which may give false readings on the amount of free space. Expanding the RAID array also differs by vendor: one merely requires a new drive to be inserted and a couple of settings changed in an .NLM, while another requires a wizard with numerous steps on each logical drive.
5.1.2
NetWare client considerations
It is important to upgrade/install the Novell Clients first. Sometimes Novell publishes upgrade plans that have the client installs near the bottom of the upgrade checklist. Novell assumes that you have the prior version of its client, a bad assumption in my experience. Many times new versions of NetWare or NetWare patches introduce new schema or bug fixes that are incompatible with older clients, reducing the functionality of those clients. Consider using Novell's Automatic Client Upgrade utility (ACU) to upgrade many clients with the same configuration. For more information about the ACU, see Chapter 1. Current client software can be found at
www.novell.com/download. See Chapter 1 for more information and optimizations.
5.1.3
Customized CD install
I am often asked to make customized installation CDs for clients. The idea is to load the client's custom environment onto one scripted installation CD, which would include third-party .NLMs, NetWare Support Packs, Compaq NSSD (if applicable), Compaq or other vendor agents, other vendor-specific support, etc. I can tell you that it is possible to do so, but I do not recommend it. Certain vendor patches and pieces are better off loaded one at a time. I have confirmed this with Compaq support and other vendors. Use a response file, covered in the next chapter, to install many servers with the same configuration.
5.2
Step-by-step instructions Starting with the release of NetWare 5.0, you do not need a DOS boot diskette to create a DOS partition on the server. The NetWare CD is bootable—providing your BIOS supports the El Torito standard. If not, update your BIOS. Further documentation can be found at www.novell.com/documentation.
5.2.1
NetWare 5.1 and 6
I go over the installation of NetWare 5.1, but NetWare 6 is almost exactly the same. NetWare 6 provides two more options (express installation and pre-migration choices), a couple more product choices to install and a prettier Java GUI. The NetWare 5.1 and 6 installation involves both a C-Worthy menu and a Java GUI install. Most of the time, throughout the install, you can press F1 for pertinent help information.
1. Plan the upgrade. Read through the list provided and make decisions on volumes, sizes, hardware, vendor patches, NDS planning and design, etc. I give recommendations later in this chapter and in the last chapter.
2. Power on the server and immediately insert the NetWare CD. INSTALL.BAT runs and checks the directory C:\NWUPDATE for new drivers. The C:\NWUPDATE directory is where you place updated drivers for the installation routine to use instead of those on the NetWare CD. Put new drivers in this directory before the upgrade or install, and INSTALL.BAT will find and use them.
3. Novell asks you to read and accept the license agreement.
4. Upon accepting the license agreement, the boot partition is examined. If you do not have one, you are prompted to create one. If a boot partition already exists, you are asked whether you want to overwrite it. Notice the gray bar at the bottom of the C-Worthy display showing your choices. F3 displays the existing partitions discovered on the server's hard disk(s).
5. Continue with Existing Partition—The server has recognized an existing, valid DOS boot partition that seems to meet NetWare's minimum requirements. It is up to you how much of what is already there you want to overwrite. If there is not enough room I have been known to go in and delete files and directories; be careful. One of the largest space culprits may be an old SERVER.EXE that has been renamed.
6. Create a New Boot Partition—Start over by creating a new DOS partition. This option does not erase Compaq's system/utility partition installed by the SmartStart CD. 200MB is plenty of DOS partition space.
Creating a new boot partition sends you to one of two menus. If you already have a NetWare partition on the server, you will see a menu:
Remove Existing NetWare Partition—Goodbye DR DOS.
Exit—Sends you to Z:\INSTALL, which is on the CD
Assuming you remove the existing NetWare partition or create a new one, you are taken to a menu that asks for the size of the new boot partition. My NetWare 5.1 CD shows that NetWare requires a 30MB boot partition but recommends 100MB (I have done it with as little as 16MB but will never do that again).
Continue—Accept what is here and keep going
Modify—Change the menu defaults. Use a 200MB DOS partition. NetWare used to require the boot partition to be the size of your RAM plus some extra for ABEND coredumps. It is now possible to coredump an image to hard disk without the entire server's cache, using only the cached components of the NetWare OS that contain the ABEND info. A server with 2GB of RAM gave me only 26MB. Always choose Full w/o cache to do a coredump. For more ABEND info, see Chapter 2.
7. An annoying "are you sure" menu follows. Obviously, creating a new boot partition erases the old one, along with any information on it.
Back—Go back to the last menu
Continue—Go west, young man
8. A new boot partition is created and you are presented with one choice, which is to press any key to reboot. I recommend that you press the any key.
9. The server reboots, re-recognizes the CD, reformats the hard drive's boot partition and starts to load the OS. The server will look like it is already done. An informative pictorial window lets you know that NetWare 5.1 is the #1 Internet Enabled Networking Software.
NetWare 6 first asks whether this is an express install or a custom install:
Express install auto-selects NDPS, NetWare Enterprise Server, NetWare Administration server, NFS server and IBM WebSphere Application Server
Custom is just that
Is this a new server or an upgrade? (NetWare 6 adds a pre-migration option.) The default is upgrade. Press <ENTER> to choose New server (see Section 5.2.2). See the next chapter if you are upgrading. The NetWare 6 Pre-Migration option designates this server as a destination server for the Migration Wizard utility.
Startup Directory—Defaults to C:\NWSERVER. Leave it unless you have a strong reason to change it.
Continue
Modify
F3=Response file—A response file is a fast way to install many new servers with the same configuration. I talk about response files in the next chapter. Another possibility is to image/ghost all of the new servers and install the servers into your tree by either:
Removing and reinstalling DS: NWCONFIG ➝ Directory Options ➝ Remove Directory Services from this server
Using Novell's TREEINT.NLM (http://developer.novell.com/ndk/treeint.htm). This utility merges a single-server tree into an existing production tree. Read about it in the DeveloperNotes January 2000 issue (http://developer.novell.com/research/devnotes/2000/january/03/d000103_.pdf)
10. If you choose the response file, you are done. If you are still reading, you have not chosen the response file. The Server Settings menu is presented with the following options:
NDS version—NDS 8 is the default; press Enter to choose version 7. I recommend using NDS 8. It is the present and future development platform, the one you will receive the best support for, and it has many important technical enhancements. If you choose NDS 8, be sure that your tree is properly prepared to handle it: upgrade the DS.NLM versions in your current tree first. There are several TIDs on http://support.novell.com which explain the nuances of mixed replica rings containing NetWare 4.x's DS version 6.x and NetWare 5.x's DS.NLM version 7.x alongside NDS version 8.x (eDirectory).
Server ID number—This used to be called the IPX internal network number. The chosen value is written to your AUTOEXEC.NCF file. It is not needed for IP communication, but unless you are installing a new network with absolutely no IPX, leave some value here. If you still plan on using IPX it makes sense to choose a meaningful number. At one installation the following format is used: F00A0501, where F0 designates a server, 0A designates a building, 05 is the fifth floor of the building and 01 is the first segment defined on that floor. An NLIST on the server objects returns the internal IPX number, which will show
exactly where each server is. This can come in handy with hundreds of servers.
Load server at reboot—This is a fancy way of asking whether you want the installation to write
SERVER.EXE
into your AUTOEXEC.BAT file. It is up to your preference, but if you are loading a remote server, think about rebooting and needing someone there to type in the word server.
Server SET parameters—This only allows you to add rote commands to the STARTUP.NCF file. Unless there is a pressing need, I would wait until later to change SET commands.
Continue
Modify
11. Select the regional settings for the server.
Country—Just what it says
Code Page—Choose the 3-digit code page number
Keyboard—Choose the keyboard supported for the country
Continue
Modify
12. The mouse type and video mode for the server are now displayed. A mouse is not required, but comes in handy for work done in ConsoleOne on the server and later in the GUI part of the server installation. Remember that the NetWare server runs a Java virtual machine that supports Java applications. You can now use the pure IP RCONJ (the replacement for the SPX RCONSOLE utility) to remotely administer other servers from any NetWare server running IP. If this support does not interest you, choose no mouse. In the graphical mode of ConsoleOne, about 5% of the CPU cycles are taken up servicing the mouse interrupt; another 10% are taken servicing video.
Mouse type
PS/2
Serial COM1
Serial COM2
No Mouse
Video
Super VGA
Standard VGA, for cards that do not support 256 colors
Continue
Modify
Disable, in the BIOS, all hardware interrupts that are not used. For example, disable IRQ 7 if you are not going to use LPT port 1 on the server.
13. The installation program copies files to the hard drive. You can see the files being copied in the light blue bar at the top right. The files copied are .HAM, .CDM, .DDI, .NLM, .FNT, .XLM, SERVER.EXE, .NAM, .NCF, .NSS and .001 files. They are copied to the C:\NWSERVER, C:\NWUPDATE or C:\NWINST.TMP directories.
C:\NWUPDATE\—This directory is for updated drivers. Put any updated drivers in this directory and the installation program smartly overwrites older drivers that were supplied on the CD. This directory is deleted upon successful install of the server. The C:\NWUPDATE\ directory can foil your upgrade if older drivers are left in it. I have spent over an hour troubleshooting a problem where incorrect drivers would display during an upgrade; I had to delete the directory, as it still held 16 old driver files from an older NetWare 5.0 OS upgrade that the client never finished.
C:\NWSERVER\—The familiar directory that houses the SERVER.EXE file. Unlike NetWare 4.x, this directory also contains copies of .NLMs that also exist in SYS:SYSTEM. If you update an .NLM in SYS:SYSTEM, look for another copy in this directory on the DOS partition, as it will need to be updated too. Use Compaq's freeware CPQFM.NLM to view the DOS partition (www.novellshareware.com). When you type MODULES or M at the server console, it now shows the directory each module was loaded from. Some modules now load from the DOS partition, from C:\NWSERVER; MONITOR is an example. This is helpful information when you are upgrading or replacing a module.
You will also notice that module names are color coded: CYAN—module was loaded by SERVER.EXE (several NLMs are bound to SERVER.EXE). RED—module was loaded from the startup directory (e.g., C:\NWSERVER). WHITE— module was loaded from AUTOEXEC.NCF. PURPLE—the module was auto-loaded by another module. The server load stages are listed in Chapter 2.
C:\NWINST.TMP\—This is a temporary directory used to stage the server. If you have chosen a small DOS partition and botch an install, clean out this directory manually before starting the install again. I have experienced many "out of space" errors for this very reason, all the more reason to have a larger (200MB) DOS partition. This directory is deleted upon successful install of the server.
14. HDETECT.NLM and HWDETECT.NLM are loaded and used to auto-detect your current hardware configuration. The hardware detect screen displays:
Platform Support Module—The supporting .PSM driver is a vendor-specific file that allows the optimization of hardware. Novell says that if one is not detected, you do not need it. Higher-performance models of Compaq servers, for example, show .PSM support.
PCI Hot Plug Support Module—Computer models that support Novell's new PCI Hot Plug technology should be detected and displayed here; if not, add the specific .HDI driver.
Storage adapters—Any adapter that links the server to storage devices is displayed here. Novell has re-architected the way storage adapters communicate and calls it the NetWare Peripheral Architecture (NWPA). NWPA consists of two separate pieces: .HAM and .CDM files. Novell provides many host adapter modules (.HAM files) on the CD. In some instances your vendor may provide an updated .HAM that you can copy to a diskette and load at this point. Your vendor can also supply the custom device module (.CDM). A single adapter can control more than one type of storage device. Older .DSK drivers are no longer supported.
15. The appropriate .HAM file is loaded. .CDM drivers are now selected.
Storage devices—Hard disks, CD-ROMs and tape devices require .CDM files
Network boards—Hopefully, your NIC is auto-detected. If not, the install will not let you continue. A functioning network board is essential unless you have a scripted and/or imaged install. Check your LAN board and auto-negotiation speed at the conclusion of the install; the values sometimes get changed.
NetWare Loadable Modules—.NLMs and their corresponding .NDI description files are loaded here. I have never used this option.
16. The drivers are initialized. The install loads the .LAN, .DDI, .CDM and .NSS modules and displays the NWCONFIG screen. INSTALL.NLM has been replaced in NetWare 5 by NWCONFIG.NLM. The partition screen is displayed.
NetWare Partition Size—The input number for NetWare 5.1 has to be between 797.9 and 6275.9. Use this setting for your SYS volume only. Other volumes will be created later in the install, which this screen does not tell you.
Hot Fix Size—The size is filled in automatically. The hot fix area on a hard disk is for bad block redirection: as NetWare finds bad blocks on a volume, they are redirected to the hot fix area. If the hot fix count starts incrementing in production, back up the volume and replace the hard drive. Do not change this value.
Volume SYS Size—The value reflects the size of your SYS volume. Plan your SYS size carefully. I recommend a minimum of 2GB. For larger installations, calculate the size needed for NDS, then add 2GB. NDS averages 4K per object.
Unpartitioned Disk Space—The sum of the space left. Do not be alarmed if you see only 8GB of hard drive space, as this is the limit that DR DOS can see. You will see the remainder later in the Java GUI part of the install.
Selecting the volume displays its configurable Volume Properties; save your changes when you are done.
Volume Name—SYS; you cannot change it
Volume Block Size—Make sure this is 64KB for NetWare's traditional file system. NSS version 3 supports all the functionality you would need and creates its own 4K block size, so do not worry about it there. 64KB is the only block size that sub-allocation supports in the traditional file system. The default block size is chosen automatically from the size of the volume (see below); 64KB is recommended for optimal performance.
0MB to 32MB—4KB block size by default
32MB to 150MB—8KB
150MB to 500MB—16KB
500MB to 2,000MB—32KB
2,000MB and over—64KB
Status—Unchangeable
File Compression—File compression is a blessing. NetWare, by default, automatically compresses files not used or "touched" for 14 days if the compression algorithm can squeeze out a minimum 20% space gain. For more information about the important SET parameters associated with compression, see Chapter 2. Turn file compression off on the SYS volume. This aids response time, as the file server will not have to spend CPU cycles decompressing client-requested files.
Block Suballocation—Suballocation is a method of reclaiming unused hard drive space; it is not used in the new NSS file system. 64KB blocks are too big for many smaller files. Without suballocation, a 1K text file would waste 63K of its block, so 1,000 such files would take up 64MB instead of roughly 1MB. With suballocation, NetWare carves the unused part of a block into 512-byte sections and re-allocates them as storage for the tails of other files. When sub-allocating, watch your "freeable blocks in salvage system" statistic (called "freeable limbo blocks" in NetWare 4.x). If it falls below 10% of total blocks, expect high utilization from disk thrashing as NetWare searches for free blocks to sub-allocate. Again, this is not applicable to NSS volumes.
Data Migration—Change this to on when you are using a device, like a jukebox, to automatically migrate information from the volume to another storage device. This is invisible to end-users, though they may notice a slight delay while the information is referenced from the other source. The migration attribute may be placed on individual files or directories To change any of these values after the volume is created, you would have to backup the volume data, delete the volume, recreate the volume then restore the data.
Warning: Heads up here. Do not define NSS Partitions during the server installation if you want to leave unallocated space for use in the future. The install program will create an NSS partition equal to the total size of NSS volumes defined and not allow you to define the remainder—unless you delete another partition. The traditional NetWare file system allows for no more than four partitions per disk. For example: 1. Compaq System Utilities 2. DOS 3. Traditional NetWare volume for SYS 4. 110GB NSS volume Imagine the frustration trying to extend the NSS into the unused space or trying to create another partition. 17.
Mounts the CD with CDINST.NLM. A menu displays the file copy process. System and Java files are unzipped from the CD and copied to their appropriate directories. Note that .001 files are Unicode files.
18.
A Java GUI starts and initializes a wizard. The help is disabled and replaced by a GUI help button. This is the time when you wish you had loaded a mouse driver. If you did not load a mouse driver, you will need to navigate via the keyboard (see Table 5.2) or go back to the server console and type:
:VESA_RSP
The server will attempt to locate a PS/2 mouse or ask you to specify which serial port it is attached to.
Table 5.2 Keyboard Navigation

Keystroke                          Action
Tab                                Move focus to next element
Shift+Tab                          Move focus to previous element
Enter                              Select
Up-arrow (or keypad 8)             Move cursor up
Down-arrow (or keypad 2)           Move cursor down
Right-arrow (or keypad 6)          Move cursor right
Left-arrow (or keypad 4)           Move cursor left
Hold Shift while pressing keypad   Accelerate cursor movement
Keypad 5                           Select or click an object
Keypad 0                           Lock a selected object (for dragging)
Keypad . (period)                  Unlock a selected object (to drop)
Keypad + (plus)                    Double-click an object
Alt+F7                             Move to next window
Alt+F8                             Move to previous window
19.
A unique server name is requested.
Advanced—The Advanced button opens a window with four tabs:
Edit CONFIG.SYS—This is your opportunity to change the CONFIG.SYS before the server reboots for the first time
Edit AUTOEXEC.BAT—If you don’t care for the SERVER.EXE file to auto load, you can REM it out
Server Properties—The Internal IPX number is now renamed to the Server ID Number. Change it here
Language—Language support
20.
Volume Information is displayed. Notice that your DOS, SYS and system partition, if your vendor supports it, is displayed along with the remaining free space.
Create—Create a new volume using the displayed free space
Delete—Provides a chance to delete any changes to volumes other than SYS
Modify—Actually, you will need to go into Advanced ➝ Modify to change default values of volume creation. See Advanced below
Advanced—Provides for three tabs and five buttons
Volume View tab—This view, as well as the two views that follow, is the same as what you would see on the Compaq SmartStart installation
Partition View tab—A logical view by partitions
Disk View tab—Provides a physical, hardware view of installed disk drives
New Volume button—Available only when you create a new partition and highlight the resulting blue pie
NetWare Traditional New Partition button—Available only when you highlight Not Partitioned space
Delete button—Remove your mistakes
Modify button—Enables modification of certain attributes
Mount Volumes button—Used to mount, for example, a newly created volume and copy programs to it during this installation process—you can always copy data after the installation
These menus are not intuitive. To create an NSS volume, select Unpartitioned Free Space ➝ check the box for NSS ➝ OK ➝ choose the NetWare NSS blue pie picture ➝ New Volume button ➝ highlight NSS ➝ type in a volume name ➝ OK. Software mirroring of NetWare volumes also may be configured here, but not on NSS volumes, by selecting free space ➝ New Partition ➝ Mirror Partition to. Avoid software mirroring whenever possible; use hardware mirroring via your vendor’s RAID card. Some clients, smartly, use two 4GB hard drives to hardware mirror the SYS volume and use RAID 5 on the remainder of the hard drives with one hot-swappable spare. Hardware mirroring is vastly more efficient than any software mirroring.
21.
Choice of whether to mount all volumes now or when the server reboots.
22.
Protocol choices. Highlight the NIC card:
IP—If, at this point, you don’t know what an IP address is, you’re in big trouble –GO BACK INTO MANAGEMENT. If you do not choose IP at this point, there are products that you will not be able to load later—like LDAP, the Web server, etc. Realize that as of NetWare 5, the server prefers an IP connection which means that with IP loaded you will need to have some sort of SLP infrastructure defined. If you don’t know what I’m talking about, see the IP chapter. I had one very large customer that didn’t want to mess with SLP until after the upgrade of all servers (they only bound IPX to the NICs)—it worked well for them.
Subnet Mask—Ask if you don’t know. All protocol information can be put in later through INETCFG if you don’t do it now.
Router (Gateway)—Default gateway on this segment—RIP I can find it, but RIP I is limited to subnet masking only within the class of IP used—see INETCFG utility in the IP Chapter for more RIP I info.
IPX—If you have other NetWare 4.11 servers in the tree, you must choose this option for NDS to communicate—NetWare 4.x servers can only send NCPs through the IPX protocol (even NWIP is an IPX packet packaged inside of IP). All NetWare 4.x servers will have to be upgraded before you turn off IPX on any server. The CMD options can be used for migration purposes, but see my warnings in the IP chapter—I would not use the CMD option in larger environments.
Advanced button—This is the portal to the following tabs and choices
Protocol tab—Displays your choices to this point and gives the option to choose/change your frame types. Ethernet II is your best choice for both IP and IPX communications. See the tuning sections in the last chapter for more recommendations.
IPX Compatibility—Load IPX Compatibility (check box)—which is only available if you did not choose IPX to bind to the NIC. This check box will initiate the SCMD.NLM to auto-load by writing it in the AUTOEXEC.NCF. Do not make any choices on this tab unless you thoroughly understand SLP and how it works. See the SLP section in Chapter 4 for more information.
Load the Migration Agent on this server—Auto-loads the SCMD.NLM with the MA switch (SCMD /MA), which makes the server a gateway between IPX and IP traffic. This choice is used to support IP on WAN links leaving IPX on local LANs. I have used this option often with good success. This is a migration option, not a permanent solution.
Compatibility Mode Network Number—Not available when IPX is chosen. Leave this value alone unless you are in a large environment, understand the implications of changing it and have a good reason to do so. Every CMD Network number must be the same to communicate via CMD mode.
Preferred IP address (drop-down box)—Enabled only by checking the above Load IPX Compatibility box. IPX compatibility can only support one IP address. If you have a multi-homed server, choose the preferred IP address to support IPX compatibility mode (CMD).
SNMP Hardware Description—text field for SNMP enabled application
Server Location—text field for SNMP enabled application
Administrator—text field for SNMP enabled application
IPX Trap Destination Address
IP Trap Destination Address
23.
The installation now binds the chosen protocol(s) to the NIC(s). Interestingly, with both IPX and IP loaded (no default gateway chosen), the following happens, on the wire, at this point:
a. IP RIP I request for the entire RIP table
b. IP ARP request
c. Two IGMP multicast (224.0.1.22) membership packets, join requests
d. A DHCP inform packet seeking DHCP option information for SLP options 78 (DA) and 79 (scope). See the SLP heading in Chapter 4 for information on how IP SLP functions
e. An SLP multicast to the DA (224.0.1.35)
After loading the SLPDA.NLM on another local server, thus making my other lab server a Directory Agent—which is a repository of SLP service information—the entire packet sequence changes. This is important. Use Directory Agents to support installations of more than 25 servers. The following shows the behavior illustrated:
SLP query for Timesync information
SLP query for a replica server
SLP query for a NetWare server
f. Two more DHCP inform packets for options 78 and 79
g. Another search for a DA by a multicast to 224.0.1.35
h. Four additional multicast general service requests to 224.0.1.22 for Service Agent (SA) information
i. Two IGMP multicast (224.0.1.22) membership packets, join requests
j. The rest of the packet trace is dependent on various configuration factors.
If you are using Sniffer Pro to view packet information, SLP functions are differentiated by IP multicast IGMP requests for membership to the multicast group and SLP UDP queries for service information.
24.
DNS information is displayed if you chose IP as one of your protocols. The information you input will be written to the RESOLV.CFG file in the SYS:ETC directory. You can always get to input the DNS information through INETCFG ➝ Protocols ➝ TCP/IP ➝ DNS Resolver Configuration
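A defender-side classifier for the bind-time sequence described in step 23, as an added example that is not from the book. It parses a constructed trace in a simplified field=value format (not Sniffer Pro output), tallies the IGMP joins, the DHCP informs for options 78/79, the DA discovery multicasts to 224.0.1.35 and the general SLP requests to 224.0.1.22, and reports when no Directory Agent answered. UDP port 427 for SLP and the service names in the sample are assumptions.

```python
"""Classify the SLP-related traffic a NetWare 5.x server emits when binding IP.

Added example, not code from the book. The multicast groups 224.0.1.35 (DA
discovery) and 224.0.1.22 (general service requests) and DHCP options 78/79
come from the text. UDP port 427 as the SLP service port and the message
names (SrvRqst, DAAdvert) are assumptions for this constructed trace.
"""
import re

SLP_DA_MCAST = "224.0.1.35"       # SLP Directory Agent discovery group
SLP_GENERAL_MCAST = "224.0.1.22"  # SLP general service request group
SLP_PORT = "427"                  # assumed SLP service port
DHCP_SLP_OPTIONS = {"78", "79"}   # DA address (78) and scope (79)

# Constructed trace, one packet per line, in a made-up field=value format.
SAMPLE_TRACE = """\
src=10.2.3.5 dst=224.0.1.22 proto=IGMP info=membership-report
src=10.2.3.5 dst=255.255.255.255 proto=UDP dport=67 info=DHCPINFORM opts=78,79
src=10.2.3.5 dst=224.0.1.35 proto=UDP dport=427 info=SrvRqst:service:directory-agent
src=10.2.3.5 dst=224.0.1.22 proto=UDP dport=427 info=SrvRqst:service:timesync.novell
src=10.2.3.5 dst=224.0.1.22 proto=UDP dport=427 info=SrvRqst:service:ndap.novell
src=10.2.3.5 dst=224.0.1.22 proto=UDP dport=427 info=SrvRqst:service:bindery.novell
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'key=value key=value' into a dict."""
    return dict(FIELD_RE.findall(line))


def classify(pkt):
    """Map one parsed packet to a category, or None if it is not SLP-related."""
    proto = pkt.get("proto")
    dst = pkt.get("dst")
    if proto == "IGMP" and dst in (SLP_DA_MCAST, SLP_GENERAL_MCAST):
        return "igmp-join"
    if proto == "UDP" and pkt.get("dport") == "67":
        # Only DHCP informs that ask for the SLP options count.
        opts = set(pkt.get("opts", "").split(","))
        return "dhcp-inform-slp" if opts & DHCP_SLP_OPTIONS else None
    if proto == "UDP" and pkt.get("dport") == SLP_PORT:
        if dst == SLP_DA_MCAST:
            return "da-discovery"
        if dst == SLP_GENERAL_MCAST:
            return "general-srvrqst"
        if pkt.get("info", "").startswith("DAAdvert"):
            return "da-advert"       # a Directory Agent answering (unicast)
        return "slp-unicast"
    return None


def summarize(trace):
    """Count packets per category over a whole trace."""
    counts = {}
    for line in trace.splitlines():
        cat = classify(parse_line(line))
        if cat:
            counts[cat] = counts.get(cat, 0) + 1
    return counts


def findings(counts):
    """Observations an administrator would want from the counts."""
    out = []
    if counts.get("da-discovery") and not counts.get("da-advert"):
        out.append("server multicast for a DA but none answered: "
                   "no Directory Agent reachable on this segment")
    if counts.get("general-srvrqst", 0) >= 3:
        out.append("repeated general multicast SrvRqsts: services are being "
                   "located without a DA (consider one for 25+ servers)")
    return out


if __name__ == "__main__":
    counts = summarize(SAMPLE_TRACE)
    print(counts)
    for f in findings(counts):
        print("-", f)
```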
25.
Time Zone information is requested.
26.
NDS is about to be installed on the server. Your first choice is whether to install this server into its own tree or an existing tree.
27.
The next choice is dependent upon the previous tree question.
New NDS Tree—A new screen opens and asks for a tree name, context for your server, admin name, admin context, and password. After inputting the information, the installation goes out on the wire to check for potential tree naming conflicts and begins the NDS installation.
Existing Tree—If you choose to install into an existing tree, you will be asked what tree and context. You will need NDS admin rights to the container you are installing the server into. If this is the first NetWare 5 server into an existing tree, you will need to extend the NDS schema, which requires NDS admin rights to [Root]. NDS Trees are not shown unless you click on the small tree icon next to the context for server object option. If your NDS tree is not listed, you will need to input the tree name and either the IP address of the server holding [Root] of the tree, or the IPX Internal number of the server—now called the Server ID. You should then move on to the next screen; if not, you have a server communication problem, which you must troubleshoot.
28.
The licensing screen asks you to load pertinent licenses. The licenses are written, as objects, into NDS and referenced differently than in previous versions of NetWare. See Chapter 2 for more licensing information.
29.
Encryption is dependent upon your licensing diskette. Without installing a license in step 26, you are faced with providing proof, via a licensing diskette, of your region specific cryptography support—.NFK files.
30.
Last, you are presented with server specific product installation options. Some of these options will be grayed out if you do not choose IP as an installed protocol during this install process. Product options include:
Novell Certificate Server—39.7MB extra SYS volume space needed for installation
LDAP services—10.23MB Lightweight Directory Access Protocol (LDAP) is an open standard protocol riding on IP that rivals Novell’s proprietary Novell Directory Access Protocol (NDAP). Novell includes LDAP support as it has taken center stage as the new de facto standard to allow clients access to directory—any directory service—information. LDAP information may be found in the IP chapter.
NetWare Management Portal—0.5MB This is the most exciting part of NetWare 5.1. Finally, we do not need a mega Novell client on my workstation to get server specific information. I can now use my browser. Novell now supports HTTP as an access protocol. This portal is viewed by typing in the IP address of your NetWare 5.1 server and accessing port 8008. See chapter 2 for more information on the new NetWare Portal. http://x.x.x.x:8008
Example: http://10.2.3.5:8008
Storage Management Services—9.47MB Novell’s proprietary backup solution, SMS has come a long way. I have used this at client sites to backup servers before I start upgrading. Still, other solutions, like Backup Exec, can do a backup in literally half the time.
Novell Distributed Print Services (NDPS)—184.32MB 185MB? Yes, this is much bigger than the NetWare OS as it provides for many workstation print drivers for different workstation OSs.
NetWare Enterprise Web Server—85.05MB No longer are you relegated to using the Fast Track “mini-Web server.” This is the same Web server Novell uses to front its Website that takes some million hits per week. Novell brags that it is the fastest Intel based Web server on the market. Lately Novell has been pushing the Apache Web server on the NetWare platform.
NetWare News Server—61.66MB
NetWare Web Manager—30.07MB Control the Web Server securely with your browser. The default IP port is 2200. https://10.1.2.3:2200
NetWare FTP Server—0.37MB File Transfer Protocol support.
IBM WebSphere Application Server—47.65MB
NetWare Web Search—1.75MB
Novell DNS/DHCP Services—Installation size not listed
Novell Internet Access Server—7.78MB Formerly MultiProtocol Router (MPR) this option supports a better INETCFG and using your NetWare server as a gateway and/or router. This is often the case with smaller companies, which need a server to be their Internet gateway/router.
WAN Traffic Manager—4.05MB I have never recommended using this option. Yes, I know what it is for—preventing NDS traffic from replicating during normal operations. I haven’t been to third world countries where I could possibly imagine the need for this—maybe over a dialup leased line. IPX SAPs and other broadcast network traffic should be your focus—not restricting NDS database synchronization. The WTM.NLM and WTM.MSG modules are loaded.
NetWare MultiMedia Server—1.26MB
NetWare 6
NetWare 6 both upgrades many of the previous modules and adds new ones:
NDS eDirectory—It’s required
LDAP services—Novell’s a directory company now. LDAP is still done on a translation basis. It is not a pure LDAP directory like iPlanet and Active Directory.
ConsoleOne v 1.2d—The new NWAdmin. It is a sluggish Java utility—even on my PIII 450 with. I haven’t met anyone outside of Novell that likes it. Nonetheless, it is Novell’s direction to embrace Java since Java runs on Macs, Unix, Linux and Windows.
Reporting Snapin—This is a snapin for ConsoleOne
NetWare NFS Server—The Network File System allows a network admin to access, manage and administer UNIX services—name services, NFS print services, FTP, file sharing, gateway file sharing, reverse address resolution protocol, and SNMP error reporting service
Pervasive SQL 2000—Novell’s old Btrieve has been sold to Pervasive and evolved into SQL 2000
NetWare Remote Manager—Allows a non-NetWare client to access server management via a browser. It requires the JVM v1.2 and the JCE 1.2.1. NetWare 6 Remote Manager provides secure browser access to NetWare servers for instant server health information and the ability to troubleshoot and configure any NetWare 6 server. The CIFS, NFS, AFP, WebDAV, FTP and Telnet protocols are included/supported in NetWare 6.
NDS iMonitor—iMonitor is an NDS monitoring utility.
31.
Novell Certificate Server Objects are now defined. You will create a Certificate Authority object called TREE_NAME Organizational CA, by default. The exported trusted certificate is copied to SYS:PUBLIC\ROOTCERT.DER by default. See Chapter 4 for more information on Novell’s Certificate Server.
32.
From this point your installation may take several routes depending on your product installation choices.
NetWare Enterprise Web Server Settings—You will choose regular and secure IP port numbers for HTTP and HTTPS support. You will also be asked whether to let the installation tune the server to the optimal WebBench configuration. I like this option as it gives Web novices a giant tuning head start—though I imagine the reason that it is included is for marketing purposes. Many testing labs benchmark servers untuned—which is a distinct disadvantage to NetWare’s versatile server platform. Also, don’t use the Web server without 256MB RAM.
NetWare Web Manager Port—The portal defaults to IP port 2200. You may change it if needed.
DNS/DHCP—DNS/DHCP requires the use of 3 NDS objects. Keep these objects near the top of the tree.
Summary Screen—You have a second chance to change almost every option presented in the Java GUI piece of this install including:
File System
Protocols
TimeSync
NDS
Additional Products and Services
33.
Final file copying begins. Follow the on screen instructions and immediately, after reboot, add service packs and vendor patches, such as Compaq’s NSSD.
NetWare 5 related Novell patches/updates can be found at http://support.novell.com/products/.
5.2.2 Installing a new server with the RESPONSE.NI file
The RESPONSE.NI file is an appropriate upgrade option if you are installing or upgrading many servers that have exactly the same configuration or are willing to change some of the values in the file to reflect configuration changes. This file is a great time saver when installing multiple servers. I used this file at a client with a plethora of new Compaq computers. I could do as many at a time as I had NetWare 5.1 CDs. This text file is intended to make a 45 to 60 minute install take only 15 to 20 minutes, because all the installation choices are made in advance, via the text file. There is a RESPONSE.NI file made upon each install of a NetWare server. It is found in the SYS:NI\DATA directory—open it with a text editor. It is a listing of all of the choices you made while installing the server.
This option has some serious restrictions that may make the Accelerated Upgrade a better choice. The Accelerated Upgrade is discussed in the next chapter. The SYS volume is the only volume that can be created with the response file according to Novell TIDs—though I have been able to create other volumes by letting the install script stop and ask for my input. I have dealt with intermittent errors—many of which are easy to get around. No NSS volumes can be created until after the initial installation. After that point, you can manually create other volumes. Read all of the TIDs and try this in your lab.
I like the response file for new, duplicate, exact hardware that comes in and needs to be standardized. Copy this small file to a diskette and begin the installation process on a new server with the same hardware as one already upgraded. Insert the CD and when you come to the aforementioned menu choice, press F3 and enter the path of your response file.
Example: a:\response.txt
Novell is now advertising new Response files. The file names are AAFIX.ZIP and AAFIX1.ZIP.
5.2.3 NSS volumes
NSS volumes are a cross between the Unix file system and the legacy NetWare file system. Technically, a 64-bit interface is used to retrieve an object from disk with no more than four I/O cycles. NSS is a major enhancement to Novell’s traditional file system. NetWare 6 ships with version 3.0 which includes several important enhancements. NSS supports:
A single file up to 8TB
Eight trillion files per NSS volume
1,000,000 simultaneous open files
Up to 255 NSS volumes per server
Rapid REBUILD and MOUNTing of volumes. I saw a demo of a volume with 1,000,000 files corrupted, the server rebooted and the volume rebuilt itself and mounted in eight seconds
Mounting of DOS partitions—this can be dangerous if an ABEND occurs while DOS is mounted as the partition can become corrupted and unbootable
The ability to define new name spaces
Loadable Storage Subsystem (LSS) support for possible future use with DVDs and other multimedia uses
Smaller memory footprint uses about 2MB of RAM and can mount with as little as 1MB RAM
Can be used to recover unused volume space in the traditional NetWare file system volumes
NSS version 3 in NetWare 6 has support for the following (which was/is not supported in NW5.1):
Software mirroring—so what, use hardware mirroring
Compression
User and directory quotas
Block sizes more than 4K—which means block suballocation is not supported—at 4K, it shouldn’t matter
TTS—which is why the SYS volume can be an NSS volume in NSS version 3
VREPAIR—because NSS has an equivalent REBUILD and VERIFY utilities
Disk striping—but does support disk spanning
File name locks
Auditing
Novell File Transfer Protocol (NFTP) nor Novell Network File System (NNFS)
Support packs and field updates sometimes contain enhancements to NSS. Look for these. NSS is great for databases, BorderManager cache volumes, and other large volume needs. NSS server console commands are listed in Chapter 2.
5.2.4 Final installation notes
NetWare’s installation log file can be found at SYS:NI\DATA\NI.LOG. If you are installing this server into an existing tree, I recommend forcing an NDS sync at the master replica of the partition you are installing this server into. To force a sync, go to the master and, on the server console, type:
:SET DSTRACE = ON
:SET DSTRACE = 1
:SET DSTRACE = *S
:SET DSTRACE = +S
:SET DSTRACE = *H
Do not forget to turn the directory service screen off when you are done:
:SET DSTRACE = OFF
5.3 Third-party tools
Several third-party tools are ideal for large-scale rollouts.
5.3.1 Server image
Server Imaging, or ghosting as it is sometimes called, is a good idea, time saver and best practice. Some of my closest co-consultants rave about PowerQuest’s Server Image. This is a great product for lab use too. You can continually tweak your lab servers without going through a 90-minute install—one hour for NetWare 5, 30 minutes for all accompanying products—every time you need to start over again.
Best Practice: Image production servers and use the production image in your lab on the same server hardware to test updates, patches, tools, utilities and configuration changes. You will have a much better idea of how the changes will affect your production environment.
5.3.2 Server Magic
I use PowerQuest’s Server Magic product often. The product lets you expand or shrink the size of any partition—DOS or NetWare. If the DOS partition is too small from a previous upgrade, you can enlarge it without rebuilding the server—the same goes for any NetWare volume, too.
5.3.3 Norton Ghost
Norton has been working closely with some Novell consultants to improve the Ghost product for NetWare. You can image a server on a volume level, which is a huge plus. You can back up a server’s SYS volume by ghosting. Also, ghosting production servers for use in the lab gives you real-world scenarios to test. Obviously, you may have to do some work to take off some NDS replicas that want to contact and sync with other servers in the replica ring—I doubt you’ll have a complete production setup in your lab.
5.3.4 SnapBack Live
I’ve never used SnapBack, but one of my largest clients swears by it (http://www.cdp.com/snaplive.htm). The company advertises as an Image Storage Solution’s company.
5.3.5 TOOLBOX.NLM
Novell’s freeware utility has saved me many times. I like to keep it on a diskette and carry it with me. Refer to Chapter 9 for more information on TOOLBOX.
5.3.6 CONFIG.NLM
Novell’s freeware configuration documentation tool is a godsend to document your server’s configuration. More information about the CONFIG.NLM is found in the next chapter. This is not the CONFIG server console command you use on the server.
6 Upgrading a NetWare Server
NetWare 5 upgrades were my forte. I spent most of my time designing and implementing NetWare 5. My experience is not from papers and theory; I have actually lived through much pain during grueling implementations. It is this experience I share with you. This information should save you hundreds of man-hours. Most of my career at Novell Consulting has, in some way, involved upgrades to NetWare 5.x. Why am I concentrating on NetWare 5.1 when 6 is out? Most of you will not be candidates for NetWare 6, as Novell has positioned it only for larger companies using multiprocessor servers (a position Novell has since changed to say that anyone can benefit from a NetWare 6 upgrade, of course). I do go over NetWare 6 options—there are really only two options added. Know that upgrading to NetWare 6 is not much different than upgrading to NetWare 5 or 5.1. My two upgrade priorities are:
Protection of the data on the server
The health of the NDS tree
Everything else comes a distant second. The preparation steps below are for your protection. An administrator or consultant has the tedious job of ensuring up-time for the CIO—he has to get to his U: drive for stuff to justify his existence. First, take time to learn/understand Service Location Protocol (SLP). Go back to the IP chapter and read about SLP. If you are a glutton for punishment, read RFC 2165. Next, make an appointment to see router boy. I know he thinks he is busy, but this is important. Find out if he will allow IP multicast traffic throughout the enterprise. Your SLP design, and thus the design of your NetWare 5/6 implementation, will depend upon his answers.
6.1 Patching is upgrading
Patching your server is upgrading your server. Novell is not resting on yesterday’s functionality. Each field test fix and support pack—which is a compilation of field test patches—adds functionality to your server (not just bug fixes). This is great for you, but can rapidly make documentation obsolete. Feature sets and SET commands are added at almost every support pack. Each support pack has a README.TXT that explains most of the new functionality—which is also why most of it goes unnoticed. NetWare 5.1 is NetWare 5.0 with support pack 4 plus bells and whistles. Still, NetWare 5.1 is worthy of your attention for many reasons that are mentioned below.
Note: You can see every SET command listed by typing:
:MONITOR !H ➝ Server Parameters
which enables all the hidden commands to be seen. There are quite a few debug commands not normally seen. I highly recommend patching your servers with all support packs and hardware vendor patches—before upgrading your servers. Test all patches and updates in your lab first, but I recommend that you wait two weeks after a patch has been released before you use it—as many updates are retracted and re-posted in this two-week incubator period (ever notice that Novell seems to always have a SP1a within two weeks of an SP1?). Let other companies be your guinea pig.
6.1.1 NetWare 5.1 versus other NetWare versions
Hopefully, your company purchased upgrade protection. I recommend upgrading to NetWare 5.1 or NetWare 6. NetWare 4.11 is very solid, but lacks the Pure IP support and other necessities that your company needs to build its network foundation on. NetWare 5.1 includes the following (some features are new to 5.1, others were included in 5.0):
Virtual memory—enables NetWare 5 to store information temporarily on the hard drive when there is not enough RAM to complete an operation. This, though, is used solely for Java apps on the server. Unlike NT, I don’t really do much on the server and Console One is just too slow for me to use it at the server unless it is a long walk back to my desk.
Application prioritization—unlike previous NetWare versions, NetWare 5 enables prioritization of applications running on the server.
Symmetric multiprocessing—NetWare 5 supports single and multiple processors through the same kernel, with support for up to 32 processors. Full multiprocessing support of the OS modules (namely the IP stack) come with Novell’s NetWare 6 release.
Support for industry and Internet standards including Java, JNDI (Java Naming and Directory Interface), CORBA/IIOP and ActiveX
The world’s fastest Java Virtual Machine for running server-based Java applications and services according to VolanoMark bench tests conducted by KeyLabs Inc., an independent third-party testing lab.
The ConsoleOne Java management tool, which provides a central point of administration that can be accessed anywhere a Java Virtual Machine is present, including a NetWare server.
A free five-user license of Oracle8.
Support for Pure IP to ensure interoperability with open-standards based networks such as the Internet.
An enhanced version of NDS referred to as NDS 8 or eDirectory, with role-based management and LDAP v3 support.
The Upgrade Wizard for automating the move from NetWare 3.x, 4.x or NT servers to directory-based NetWare 5 servers.
Compatibility mode for allowing customers to run current IPX applications on a pure IP-based NetWare 5 network.
Cryptographic Services in NetWare (.XLMs) to save developers’ time by eliminating the need to include cryptographic code in their products.
A Domain Name Server (DNS) and Dynamic Host Configuration Protocol (DHCP) management utility that ties network resources together into a single, trusted, NDS-based system.
Supports Microsoft’s Active Server Pages via Halcon’s ASP technology.
More. See Chapter 2.
6.1.2 NetWare 6 highlights
NetWare 6 provides:
32 x 32-way scalability (32 servers each with up to 32 processors)
2 to 32 server clustering
Each server can support up to 8TB volumes
iFolder, which provides support for client file access without a NetWare client via WebDAV redirection
Internet Printing Protocol (IPP)
An updated IP stack to support multi-processor servers. As a note, by advertising this point, Novell has admitted, sort of, that older versions of NetWare cannot support multi-processors well. I remember a client running NetWare 4.x on HP 4 CPU systems with GroupWise. NetWare, until version 6, could not properly take advantage of the extra processors (to say nothing of the GroupWise application making use of the processors, too)—what a waste of money.
NSS version 3.0, which now supports:
User and directory quotas
SYS volume, thus TTS
RAID 0, compression, mirroring and data shredding
6.2 Pre-install checklist
Consider the following before installing the OS.
6.2.1 NetWare 5.1
Check Novell’s Website for the latest requirements (http://developer.novell.com). At minimum, NetWare 5.1 requires a server-class PC with a Pentium or higher processor. It also requires at least 1.3GB of disk space and 128MB of RAM. To install NetWare 5.1 you will need a VGA or higher resolution display adapter, one or more network boards, a 50MB DOS partition with 35MB free, and a CD-ROM drive that can read ISO 9660-formatted CDs. I recommend 256MB RAM—RAM is a cheap server tuning tool.
6.2.2 NetWare 6
NetWare 6 requires a minimum Pentium II processor (PIII 700MHz for MP systems), 256MB RAM, a 100MB DOS partition and a 4GB disk. The difference in a NetWare 6 upgrade is minimal. After running NWDEPLOY.EXE on your workstation (you can find it on the NetWare 5.x/6 CD), you boot the server to be upgraded with the NetWare 6 CD in the CD drive. Upon accepting the license agreement and existing boot partition, you are presented with a choice of Express or Custom Install. The Express install auto-selects NDPS, NetWare Enterprise Server, NetWare Administration server, NFS server and IBM WebSphere Application server. You then have the choice of a new server, upgrade or pre-migration. The NetWare 6 Pre-Migration option designates this server as a destination server for the Migration Wizard utility. The C-Worthy menu then asks for the same information as if you were doing a new server install. The GUI piece of the install/upgrade is prettier. Again, not much has changed—as far as the upgrade is concerned.
6.2.3 On-line resources
Use the following Websites as resources for your upgrade. Look at all of them. Also, you can get a lot of great information from the README files. Most of my supposed genius comes from reading information before I start an installation/upgrade. You’ll be surprised what you can learn from a README.TXT—try it.
http://www.novell.com/products/deployment/
www.nw5occ.com
www.novell.com/documentation
http://support.novell.com
http://support.novell.com/products/nw5
http://www.tinypineapple.com/luddite/beigepapers/
www.netadmincentral.com
The following information is appropriate for NetWare 3.x to 4.x or 5.x, or 4.x to 5.x, or 4.x to 6.x.
1.
Plan the upgrade. Read the above resources for excellent real-world information. If you are in a medium to large environment (20+ servers) I recommend a methodology. Learn from my mistakes; make a spreadsheet listing all of your tasks and considerations. Go to Compaq’s NetWare 5 site for upgrade methodology. Look at the tools and other information at the site too. Again, read the Chapter 4 on IP and SLP before upgrading. Chapter 6
a. Determine training needs; it is always a good idea to learn a new OS before having to support it on a daily basis.
b. Set up a lab for testing; this will give you hands-on experience.
c. Test all third-party NLMs and drivers on the new NOS (in the lab).
d. Understand the core OS enhancements; Chapter 2 was written for this very reason.
e. NDS tree planning, if migrating from 3.x to 4.x, 5.x or 6.x.
f. NDS naming standards; in larger environments it is helpful to have codes in network resource names so that you can recognize exactly what a resource is and where it is.
g. Review WAN maps.
h. Partition design; NetPro (third-party) makes two great NDS alerting and analyzing programs, and DSDesigner is your best tool for NDS designs.
i. SLP design; see Chapter 4.
j. TimeSync design; time synchronization is crucial to a healthy NDS database and is covered in Chapter 2.
k. Login script analysis.
l. Client access; plan for mobile users and for client access over WAN links.
m. Remote access considerations; the use of special identifiers in the login script and special command line switches for NAL can make login times much faster.
n. Server security; see Chapter 8, Security.
o. Design a security audit strategy, using either Novell's AUDITCON or a third-party product (third-party is recommended, as Novell's auditing stinks).
p. Prepare for Novell's Certificate Server being automatically put into the NDS tree; refer to Chapter 7.
q. Plan your ZENworks for Desktops design.
r. Plan for interoperability with other OSes and critical network components and applications (e.g., NT, W2K, Unix, DNS, DHCP, PKI, etc.).
s. Plan for and test third-party application software such as backup software and anti-virus software. I've had to wait months for backup software to work correctly before I could start an upgrade.
t. Evaluate the different upgrade processes: in-place, across-the-wire, scripted, response file, ghosted/imaged.
u. Develop a project schedule (I use Microsoft Project).
v. Create standardization templates for file structure, roles, etc.
w. Read the other chapters of this book, especially the IP chapter.
2. Document each server's configuration with CONFIG.NLM (see point 9 below). You may use NDSMGR32.EXE to gather DS version information or to distribute DS.NLM updates.
3. Document any print queues, printers and/or print servers on your servers. You can use:
C:\>NLIST "PRINT QUEUE" /r /s /d > pqueue.txt
There are third-party utilities to document bindery print services (www.dreamlan.com makes one).
4. Check minimal hardware requirements. Again, I recommend 256MB of RAM minimum. If your company is large enough (more than 10,000 NDS objects) to have dedicated DSMASTER servers, realize that NDS version 8, eDirectory, can cache as much of the NDS database as you have RAM for. Any server holding an NDS replica operates more efficiently if NDS can keep the entire partition database in RAM. If you plan to use ZENworks for Desktops and DHCP, you are going to be adding two or three times as many objects as you already have; consider this a great time to upgrade your server hardware if you have been squeaking by in the past. Never dedicate more than 80% of RAM to caching the NDS database; buy more RAM if needed.
5. Gather the appropriate software and support documentation. Bookmark the above on-line references. Keep this book handy too.
6. Obtain your NetWare 5.1 license.
Make two copies of the diskette. I have had to sit a full day waiting on an overnight delivery of another diskette because somehow the one I had got corrupted.
7. Check for the latest drivers and utilities. DO NOT overlook this point. Go to your hardware vendor and obtain the latest BIOS, disk, NIC, SCSI, etc. drivers and load them. Your hardware vendor probably has optional updates to components too (e.g., Compaq, Dell and others have monitoring software modules and configuration tool upgrades). Also, keep the drivers handy for troubleshooting purposes. I have seen many customers wasting hours troubleshooting problems that originated from NIC drivers sometimes over two years old; no kidding. You will need to upgrade to new drivers and support packs once you have finished the upgrade too. According to Alexander's Server Protection Kit (SPK), third-party NLMs and old drivers are the largest ABEND offenders. Check the NIC drivers first.
8. Check for the latest Support Packs and OS patch list. Check Novell's minimum patch list at http://support.novell.com/misc/patlst.htm. It is especially important to upgrade all of your DS versions to the latest release if possible. Failure to do so puts your tree in jeopardy: Novell provides very little development and support for older NDS versions. NDS health is the cornerstone of an effective upgrade. The upgrade should be as transparent as possible to your end-users. See the Novell Website to update the DS and DSREPAIR modules on all of your NetWare 4 servers before you install the first NetWare 5.x server into the tree. Apply the latest support packs to the OS. Many times the latest support packs contain essential modules that make the upgrade process a smooth transition.
9. Back up your current system. Nothing takes the place of a good backup, except for two good ones. Err on the side of caution. Some of my customers are using ghosting software to image the server as a backup in case of failure. It is much faster to restore an image than to reload the old OS and restore the data from backup, not to mention the trouble of cleaning up NDS. There are a couple of freeware tools I recommend for obtaining specific backup information. The first is Novell's TBACKUP.EXE. This is an invaluable tool for backing up and documenting file trustee assignments. The companion program, TRESTORE.BAT, will restore trustee assignments on the file system if you encounter problems. TRESTORE.BAT is created when you run TBACKUP.EXE; it is a simple collection of RIGHTS commands contained in a batch file. Back up your server's trustee assignments with TBACKUP.EXE and then copy the resulting TRESTORE.BAT to your workstation or a central server, to use on the upgraded server if trustee rights are not migrated after the upgrade. I have had to use these utilities many times. The second is Novell's freeware CONFIG.NLM, separate from the OS's CONFIG server command, which documents a server's configuration. Find the file at http://support.novell.com by searching for CONFIG.NLM. You will need to manually copy the file to every server's SYS:SYSTEM directory; use Command Center shareware or Novell's OnSite Admin Pro to distribute the file and the command to load it (:LOAD CONFIG /S). Copy the resulting CONFIG.TXT text file from every server to a backup location, either with a Perl script or by assigning this manual task to someone who has been bugging you to learn NetWare. The switches are:
:LOAD CONFIG /D to include the SYS:SYSTEM and local drive file listings.
:LOAD CONFIG /S to include the SET parameters.
:LOAD CONFIG /A to append to CONFIG.TXT.
:LOAD CONFIG /ADS to get SET parameters and file listings, and append to CONFIG.TXT.
I normally do a simple CONFIG /S. You may use the CONFIG Reader GUI to read and analyze the file(s); it is more freeware found on Novell's support site. The CONFIG Reader GUI also provides the ability to compare servers' configurations; use it to find differences between servers with like hardware and configurations. I have used this tool to find outdated drivers, unusual SET commands, differences in loaded modules and other anomalies. I have clients that make a ghost image of the server before upgrading. There are several ghosting products that support NetWare. Norton supports ghosting on a volume level, which some clients prefer.
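The TRESTORE.BAT idea, replaying trustee assignments as RIGHTS commands, also gives you a check worth running before and after every upgrade: compare the trustee listing you took beforehand with one taken afterwards, so that rights silently lost or gained by the upgrade show up, and flag anyone holding Supervisor or Access Control (either lets the trustee change other trustees' rights). The Python script below is an added example, not Novell's TBACKUP.EXE or TRESTORE.BAT. It assumes a simple tab-separated listing (path, trustee, rights letters) that you produce yourself from your own tools, and the two listings embedded in it are constructed sample data, not taken from a real server.

```python
"""Audit NetWare file-system trustee assignments across an upgrade.

Added example, not Novell's TBACKUP.EXE or TRESTORE.BAT. It assumes a
simple tab-separated listing (path, trustee, rights letters) that you
produce yourself; the two listings below are constructed sample data,
not captured from a real server.
"""
from typing import Dict, FrozenSet, List, Tuple

# NetWare file-system rights letters: Supervisor, Read, Write, Create,
# Erase, Modify, File Scan, Access Control.
RIGHTS_LETTERS = "SRWCEMFA"
# Rights that let a trustee grant or change other trustees' rights.
SENSITIVE = frozenset("SA")

# Constructed sample listings (assumed format: path<TAB>trustee<TAB>rights).
BEFORE = """\
SYS:SYSTEM\t.admin.acme\tSRWCEMFA
SYS:PUBLIC\t[Public]\tRF
SYS:DATA\\ACCT\t.acct.hq.acme\tRWCEMF
SYS:DATA\\ACCT\t.jdoe.hq.acme\tRF
"""
AFTER = """\
SYS:SYSTEM\t.admin.acme\tSRWCEMFA
SYS:PUBLIC\t[Public]\tRF
SYS:DATA\\ACCT\t.jdoe.hq.acme\tRWCEMFA
"""

Assignment = Tuple[str, str]            # (path, trustee)
Trustees = Dict[Assignment, FrozenSet[str]]


def parse_listing(text: str) -> Trustees:
    """Parse the listing; reject malformed lines and unknown rights letters."""
    table: Trustees = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 tab-separated fields")
        path, trustee, rights = fields
        unknown = set(rights.upper()) - set(RIGHTS_LETTERS)
        if unknown:
            raise ValueError(f"line {lineno}: unknown rights {sorted(unknown)}")
        table[(path.upper(), trustee)] = frozenset(rights.upper())
    return table


def rights_commands(table: Trustees) -> List[str]:
    """Emit one RIGHTS command per assignment, in the form TRESTORE.BAT uses.
    Naming explicit rights sets that trustee's rights on the path."""
    commands = []
    for (path, trustee), rights in sorted(table.items()):
        letters = "".join(c for c in RIGHTS_LETTERS if c in rights)
        commands.append(f"RIGHTS {path} {letters} /NAME={trustee}")
    return commands


def diff_trustees(before: Trustees, after: Trustees) -> Dict[str, list]:
    """Report assignments lost, gained or changed between two listings."""
    return {
        "lost": sorted(k for k in before if k not in after),
        "gained": sorted(k for k in after if k not in before),
        "changed": sorted(k for k in before if k in after and before[k] != after[k]),
    }


def sensitive_grants(table: Trustees) -> List[Assignment]:
    """Assignments carrying Supervisor or Access Control on any path."""
    return sorted(k for k, rights in table.items() if rights & SENSITIVE)


if __name__ == "__main__":
    before, after = parse_listing(BEFORE), parse_listing(AFTER)
    print("\n".join(rights_commands(before)))   # what TRESTORE.BAT would replay
    print(diff_trustees(before, after))
    print(sensitive_grants(after))
```

Run it as-is to see the generated RIGHTS commands, the before/after differences and the sensitive grants, then swap in listings from your own servers. Replaying the whole TRESTORE.BAT is the blunt instrument; the diff tells you which assignments actually need restoring, and the sensitive-grants list is the one to read before you sign off on the upgraded server.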
10. Verify DOS partition size. I cannot emphasize this forgotten point strongly enough. NetWare 5.1 requires 50MB total, with 35MB free space. I once did an upgrade for a client who had 16MB DOS partitions. I had some servers that worked and some that didn't. One of the servers ABENDed 250 times over the weekend. TCPIP.NLM didn't get updated as there was no room in the C:\NWSERVER directory. The server was still up, but, obviously, no one could connect to it. I always recommend 200MB. Use ServerMagic, from PowerQuest (www.powerquest.com), to expand the DOS partition when needed. Remember to back up information before using any third-party utility to manipulate production servers.
11. Prepare your network. Document any SAP or IP filtering before you begin. You can use the freeware SAPSNOOP.EXE to document IPX SAPs; get it from www.netwarefiles.com. I use the documented SAPs in my report to the client; it is good information.
12. Talk to the Unix guys. See if you can obtain their permission to use NetWare's DHCP (fat chance, I know). Really, all you want from NetWare's DHCP is the SLP information it provides to NetWare clients; see the IP chapter for more information.
13. Upgrade the clients. You can wait on this task if you have a client that NetWare 5.x supports. Check Novell's Website for details. I recommend upgrading the clients as soon as you are able (Novell always recommends upgrading the servers first and the clients later). Decide whether you are going to use IPX only, IP only, IP with CMD, or IP and IPX. I recommend the dual stack, IP and IPX, approach. Use the ACU for larger installations; see Chapter 1 for ACU and client information.
14. Upgrade printers to NDPS-compatible printers, or NDS printers at the least. This will also help you remove bindery services from the server, which closes a security hole and removes the need for an NDS replica on the server. If your printers support NDS, I recommend leaving the NDPS upgrade as a low-priority item. You may have to upgrade your JetDirect cards to the latest firmware found on HP's Web page; there have been several issues with older JetDirect firmware and newer NDS versions. When using HP JetDirect Admin, set up printers through the NDS tree and not through servers. Configuring printers off servers makes them bindery printers; you want NDS/NDPS printing.
15. Upgrade applications to ones that support your new NOS. REM out third-party NLMs in the AUTOEXEC.NCF so they cannot interfere with your upgrade.
16. Lab test everything. Upgrade lab servers until you have the process down. If possible, use ghosted images of production servers in your lab, on similar hardware, to simulate how the actual upgrade will go.
17. Prepare your source server. If you are doing scripted upgrades, your source server is the server on which you mount the NetWare 5 CD. Don't place the source server across a slow WAN link if possible; all of the server files will need to be copied over the link. Patch the source server.
18. Perform an NDS health check on your tree. Many of you do not know what I am talking about. Go to the end of the NDS chapter and read about it. This involves much more than a simple DSREPAIR operation. Do not skip this important step. Novell now provides AppNotes on NDS health checks at http://developer.novell.com/research.
19. Start upgrading at the server holding the Master replica of [ROOT]. Then continue by upgrading the servers in the replica ring of [ROOT]. The NDS schema will be updated and synchronize down the entire tree. Schema updates travel across the tree, laterally, and down; schema updates and enhancements do not travel up the tree.
20. Document your NDS replica matrices. You may use NDSMGR32.EXE for smaller implementations. Use DSDesigner or ConsoleOne for medium to large installations; they are discussed in the NDS chapter and in Chapter 9. DSDIAG.NLM is another good tool; this module is freeware provided by Novell that can document replica rings and partitions.
21. On NetWare 3.x servers, run BINDFIX until you have no errors. Then run it one more time, which ensures that the backup file BINDFIX creates will be error-free too.
22. Check volume block size. You want a 64K volume block size for file compression and suballocation on the older (traditional) NetWare file system. If you are migrating from an older version of NetWare that does not have 64K blocks, upgrade the blocks to 64K or plan on backing up the volume, re-creating the volume and restoring the data. All created volumes have compression turned on by default. Turn off compression for the SYS volume (this can only be done when the volume is created) to speed up SYS volume I/O requests. Do not worry about block size if you are upgrading to NSS volumes. The volume block re-sizer can be used. This free tool was developed by Novell Consulting but is not supported Novell software, so back up your information first. The tool can be found at www.novell.com/coolsolutions/freetools; look for RESIZE.EXE. Remember to have enough space on your volume to expand all of the files to 64K. Alternatively, you can back up the data on the volume, delete it, and recreate the volume with a 64K block size. Of course, if you are doing an across-the-wire migration, which is to a new server, you will be migrating the data to a 64K block size on the new server. NSS volumes are an exception, as they default to a 4KB block size for optimization.
23. Purge your volumes. Delete unneeded files, such as .BAK, .BMP, .GIF, .00*, .TMP, and .DMP.
24. Unload any unnecessary third-party NLMs. Anti-virus programs are notorious for causing upgrade problems.
25. Decide whether you are going to implement NDS 7 or 8. Your users will not notice any difference between the versions, but you will. Use NDS 8; read the NDS chapter for more information. Be sure you understand how to prepare your tree for NDS v8.
26. Read all README files.
27. Triple-check everything before you start.
6.2.4
Begin the installation At this point, you should be ready to begin the installation process.
1. Insert the NetWare 5.x/6 CD in your admin workstation and run NWDEPLOY.EXE, which should auto-start, and follow all instructions therein. You will be asked to update the NLS licensing code, if applicable, to prepare the NDS tree for NDS version 8 and other considerations. This only needs to be done once per tree, before the first server is upgraded.
2. Begin the upgrade by upgrading the Master of [ROOT]. Use the CD if it is an in-place upgrade. Use the Novell Migration Wizard if it is an across-the-wire migration. The Migration Wizard is found on the 5.1 CD, but don't use that copy; there is an updated version on Novell's Website (http://www.novell.com/download/#NetWare). You will need to skip to the appropriate upgrade section now for more information; each migration method is covered later in this chapter.
3. Do not use a scripting method for the first server, as the NetWare 5/6 CD is needed to extend the NDS schema.
4. Apply the OS patches, DS patches, support packs, vendor updates, etc. Although it is possible to script this entire process, you are better off patching each server. I have spent many hours re-doing patches that were part of a scripted effort.
5. Force a sync with the other NetWare replica servers in this partition:
:SET DSTRACE = ON
:SET DSTRACE = 1
:SET DSTRACE = *S
:SET DSTRACE = +S
:SET DSTRACE = *H
Do not forget to turn the directory services screen off when you are done:
:SET DSTRACE = OFF
This is done at the server console on the master replica of the partition. Do this on the master replica in the replica ring of each server you upgrade.
6. Finish upgrading the servers in the [ROOT] partition. You will save yourself many headaches by keeping replica rings on the same DS version. Whenever possible, finish upgrading an entire replica ring before you go on to another part of the tree. NDS works best when all NDS versions within a replica ring are the same.
7. Work your way up or down the tree; your call.
6.3
Licensing—NLS Most people who are familiar with the new NetWare licensing model despise it. I am no exception. It is not that it is a bad idea, but the implementation of the idea has been weak. Recently, Novell has provided some relief: licenses are now ported to and controlled by NDS. For more information about what NLS is and how NLS works, refer to www.novell.com/deployment/nls.
6.3.1
NDS objects relating to licensing objects Licensing objects in NDS include:
License Container Objects: usually installed during the installation of the server.
License Certificate Objects: a leaf object, able to contain no other objects, which holds information about each individual application license file installed.
NDS allows you to restrict the use of licenses by associating them with the following NDS objects: User, Group, Organization, Organizational Unit.
If you are lucky enough to have an MLA or ALA license you can simply put a license in the parent object of each partition. If you don't, careful placement of the license objects is necessary. It is also important not to neglect your client patches, as some client patches contain fixes for license connection releasing issues.
Server console commands related to NLS There's only one that I know of:
SETUPNLS: this command is a shortcut. The equivalent is to go to NWCONFIG ➝ License Options ➝ Create License Service Provider.
SET commands To see all of the licensing SET commands, even the hidden ones, type:
:CSET LICENSING SERVICES
Also, see server console commands in Chapter 2.
Adding additional licenses You can use NetWare Administrator to install licenses from your client workstation, or go to the server console and install them there.
6.4
Migration Paths Migration methods include across-the-wire and in-place.
6.4.1
Across-the-wire migration Your data is safest with across-the-wire migrations, as the server you are migrating from is left intact with all of its data and NDS information. You may also manipulate and organize your NDS information before it gets migrated into the tree. You may migrate multiple servers to a single server and migrate data at the volume level. Across-the-wire migrations can use the Novell Migration Wizard or a scripted install. Migration wizard Novell's Migration Wizard is your best friend for across-the-wire migrations. It could hardly be simpler. The wizard supports NetWare 3.12 or 3.2 to 4.11 or 5.1 and NT to NetWare 5 migrations. The Upgrade Wizard allows you to migrate data and bindery or NDS objects from an existing server running NetWare to another server running a later version of NetWare (either NetWare 4.x or 5.x). Installing the Novell Upgrade Wizard Download the latest Upgrade Wizard from www.novell.com/download#NetWare. Note: Don't use the Migration Wizard on the NetWare CD; download the latest copy from Novell's Website.
6.5
NT to NetWare 5.1 migrations NT shops can now easily migrate to NetWare 5.1. One of the most recent additions to the Wizard is a migration option that migrates Microsoft NT 3.51 or NT 4 domains to any NetWare server in your NDS database. During the migration, all NT objects and their associated file and directory permissions are migrated and converted into NDS objects and trustee rights; verify the converted trustee rights against the source permissions once the migration is done, just as you would check a TBACKUP listing after an upgrade. The NetWare Migration Wizard also copies home directories and offers the use of ZENworks to manage and maintain the NT users' desktop environment, reducing the migration impact from NT to NDS. There's no risk of losing data during across-the-wire migrations, since the NetWare Migration Wizard only copies the NT objects and data to the NDS tree, leaving the NT server intact and still running. Having said all of that, let me tell you that I have never encountered a customer moving from NT to NetWare. I'll leave it at that.
6.5.1
Migrating NetWare 3.x data to NetWare 5.1 The Novell Upgrade Wizard copies the NetWare 3.x file system and converts bindery objects to NDS objects on another server running a later version of NetWare. This is a simple utility to use; the wizard does almost all of the work for you. Verify that the NetWare 3 server's SUPERVISOR account is allowed multiple connections; if not, enable it. You literally drag and drop bindery objects from one pane to the other, much like an Explorer window. You can place the server and bindery objects in any container to which you have Admin rights. When the bindery objects are copied to the destination server, they are placed in the NDS tree and automatically converted to NDS objects. Note: How fast is the data migration? It depends, and it varies; common IT answers. The best I have seen is 10GB of data in an hour, over a 100Mb switched connection on all devices involved. The Novell Upgrade Wizard will not migrate data from a NetWare 3.x source server to a NetWare 4.10 destination server. Besides NetWare 5.1, valid destination servers can be running NetWare 4.11, 4.2, and 5.0.
6.5.2
Migrating NetWare 4.x data to NetWare 5.1 The Novell Upgrade Wizard copies files and NDS information from a NetWare 4.x server (source server) to a computer running NetWare 5.0 or 5.1 (destination server). The smallest unit of data migration is a volume. Once the NDS database is migrated, the destination server replaces and assumes the identity (name and internal IPX number) of the NetWare 4.x source server on the network.
Scripted upgrades There are two forms of scripted upgrades:
The response file, RESPONSE.NI
The Accelerated Upgrade script
The first server upgraded, which should be the master of [Root], must be done with the CD as either an across-the-wire migration or an in-place upgrade. Response file Covered later in this chapter. Accelerated upgrade script Covered later in this chapter.
6.5.3
In-place upgrade with DSMAINT DSMAINT.NLM allows an in-place upgrade to NetWare 5 after upgrading the hardware. My success with this procedure is spotty at best. I know a lot of people like the simplicity of being able to upgrade with DSMAINT.NLM. The problem is restoring the backed-up DS; I have used the procedure several times where DS would not upgrade and would not back out to the previous version, at least not without a call to support. I do not recommend using this procedure. If you think you know better, search for the related TIDs, and good luck.
6.5.4
In-place upgrade with the CD You will need to prepare the NDS tree first by placing the NetWare 5.1 or 6 CD in your workstation. The CD will automatically start a Java program, or you can click on NWDEPLOY.EXE at the root of the CD. The window that you see gives you a checklist for preparing your network for the NetWare 5.1 upgrade. This utility is not optional: you will lose certain functionality if you do not use Novell's Deployment Manager to prepare for the upgrade to NetWare 5.1 and NDS 8 (Corporate Edition and/or eDirectory). You will only need to run the utility once for each tree that you are upgrading NetWare 5.1 into. After you have followed all of the directions, you are ready to upgrade the first server. Always start with the Master replica of [Root].
Do not use the CD to upgrade a server with:
DHCP: Export the DHCP database (which is really a flat file), upgrade the server, choosing the DNS/DHCP products, and then import the database.
NFS: Remove NFS services, upgrade, then put the NFS services back on.
NetWare/IP: This can get ugly. Novell publishes several TIDs explaining how to migrate from NWIP to Pure IP.
NetWare AppleTalk File and Print Services: Back up, remove, and reinstall after the upgrade.
Novell Web Server: The Web server has changed a lot since the older versions. Back up your Web pages and document your configuration.
BorderManager
The in-place upgrade is almost exactly the same as an original NetWare install, which is covered in the preceding chapter; read it. You will be prompted to upgrade instead of installing a new server at one of the beginning screens, but the rest is almost exactly the same. The in-place install starts with downing the server. NWCONFIG is used to apply OS patches, not to upgrade the OS. At the DOS prompt, warm boot the server with the NetWare 5.1 CD-ROM in the drive. Make sure that your server can boot from a CD. If it cannot, upgrade the server's BIOS and/or use a boot diskette, but not a Windows 98 bootable diskette. Note: Since the server is going down anyway, now would be a good time to update the BIOS and firmware.
6.5.5
Automated upgrade using the response file The response file has two purposes:
1. Install brand new servers faster: approximately 20 minutes versus an hour.
2. Upgrade 3.12, 3.2 and 4.11 servers faster: upgrade in half the time.
In NetWare 5, install scripts are supported by the NWCONFIG utility and the NetWare 5 installation system. I have used the response file many times and can attest to its time-saving ability. I am not a programmer, so any scripting requires a learning curve for me. The response file is pre-scripted, with only some search and replace needed. There are two places during the NetWare 5 installation process where install scripts may be executed. The first is at the beginning of the install. You will notice that one of your options, shown at the bottom of the C-Worthy screen, is to press F3 for a response file. An install script executed here may be used to finish the entire install or upgrade process (great when you have many servers with about the same configuration and hardware). Equally, you could use ghost-imaging software, though I have never been a big fan of it for servers. Since many of the NetWare products are not installed with the response file, Novell provides a second scripted install opportunity. The second install script can be run at the end of the NetWare 5 installation. It is called right after the user answers OK or NO on the closing screen, which is before the install cleanup process. This script function is for customers who want to manage files and launch NLMs as part of the NetWare 5 installation, e.g., those that install other products or a NetWare OS service pack. The script must be placed on the SYS volume prior to execution. Do this either by having the script run at the end of the preliminary file copy or by placing the script in the appropriate directory of a CD-ROM image on a network drive. The Factory Install splits the installation of NetWare into two phases. Phase 1 performs the disk detection, disk partitioning, SYS volume creation, and file copy portions of the install. This phase is intended to be performed in a factory or in your company's IT configuration center. Phase 2 is focused on local administrator configuration. It includes the choice of server name, protocol bindings, volume creation (other than SYS), time zone configuration, NDS, licensing, and other products. This phase is intended to be performed by the admin at the server's permanent location. After Phase 1 is completed, the machine should be rebooted or powered off. When the machine is powered on and the server is started, the AUTOEXEC.NCF will launch Java for Phase 2 of the installation.
A Factory Install is implemented with the Response File. The Preinstall script key [NWI:Factory] section is the primary key that directs the NetWare 5 installation to perform a factory install. The Precopy script key in the other sections specifies whether the file group should be recopied during the final file copy routine of the NetWare 5 installation. If Precopy=True, the files will be verified but not copied; you will, however, see the installation as if it is copying the files, because each file name will be displayed in the copy status box. A Response File can be generated from a server installation or upgrade and used as input for additional server installations or upgrades. Using the Response File from another server installation works best when both servers have the same hardware configuration. The RESPONSE.NI file is found in the SYS:NI\DATA directory. Use the following syntax, giving the path to the Response File after /RF=:
INSTALL /RF=
For example, if you are installing NetWare 5 from the CD-ROM and the Response File is on a diskette, you would type:
D:\INSTALL /RF=A:\RESPONSE.TXT
To use the Response File generated in a server installation, do the following:
1. Perform the first server installation. Reboot the server by answering "Yes" on the closing screen of the installation.
2. Log in to the new server after it has been rebooted.
3. Copy the RESPONSE.NI file from the SYS:NI\DATA directory to a diskette and/or to the new server.
4. Modify the file by adjusting the parameters as needed and removing unwanted sections.
The NetWare 5 CD-ROM must be inserted in Phase 2 of the Factory Install in order to perform this file verification; this assumes that all other required keys for an automated install are also included in the Response File. The following Response File syntax is used to run install scripts during the NetWare 5 installation. Options for passing a Response File into the NetWare 5 installation:
1. On the command line using the /RF switch
2. From the Install Options screen
If the install is begun by booting directly to the NetWare 5 CD-ROM, the only opportunity to pass in the Response File is:
1. Pressing the F3 key (when indicated on the C-Worthy installation) and entering a path to the response file.
2. Or, when the NetWare 5 CD is booted, the startup utility checks for a RESPONSE.TXT file in the C:\NWUPDATE directory. If such a file exists, the installation program will bypass the DOS partitioning utility and use RESPONSE.TXT as the input Response File.
The best way to use the response file for upgrades is to do an upgrade, then look at the file SYS:NI\DATA\RESPONSE.NI and modify it to your needs for other machines. Test in the lab first with an image from a production server.
6.5.6
Novell's Accelerated Upgrade utility The files necessary for the NetWare 5 Accelerated Upgrade are on the NetWare 5.1 CD, though I would always check Novell's Website first for possible updates. The accelerated utility The NetWare 5 Accelerated Upgrade uses a script file to automate the upgrade. More information on using script files can be found in Technical Information Document #2944480 and others (TID numbers sometimes change when they are updated) at http://support.novell.com. It is a text-based utility that allows you to quickly upgrade a NetWare 4.1x server to NetWare 5 without having to be at the server console or install a CD-ROM drive on the server. It also allows you to upgrade a NetWare 4.1x server that has only 32MB of RAM (instead of the 64MB of RAM normally required for a NetWare 5 installation). Novell's Information Services and Technology department has used the Accelerated Upgrade utility to upgrade several hundred production servers at Novell to NetWare 5. Four key benefits of the Accelerated Upgrade are:
Speed. A NetWare 4.1x server can be upgraded in 10 minutes; your results may vary. Novell's IS&T department experienced an 87% reduction in server upgrade time with the tool.
Remoteness (is this a word?). The Accelerated Upgrade utility can be run on a server from a Remote Console session on a client.
Lower overhead. It does not require as much RAM or DOS partition space as the standard NetWare 5 install/upgrade system. This is valuable for customers who want to upgrade to NetWare 5 but do not yet have the budget to upgrade their server hardware (it has been known to upgrade a server with only 24MB RAM and a 20MB DOS partition).
Customizable. It can be modified to fit the needs of the enterprise customer. I recommend trying ServerMagic to expand server partition space, both DOS and NetWare.
Accelerated Upgrade limitations
There are trade-offs for the ease of scripting. They are:
The first server in the network to be upgraded to NetWare 5 must be upgraded with the standard install/upgrade system from the CD. This is because the standard system extends the NDS schema for the entire network—the files to do this are on the CD and cannot be done any other way.
Additional drivers cannot be loaded, nor can additional protocols (such as TCP/IP) be bound during the upgrade. These operations are available in the standard install/upgrade system, but not in the Accelerated Upgrade. However, after using the Accelerated Upgrade, drivers and protocols can be added to a server by using the NetWare 5 NWCONFIG and INETCFG server utilities.
According to Novell, additional Products and Services (such as Novell Distributed Print Services and other products hooked to a protocol not already loaded on the server to be upgraded) cannot be installed during an Accelerated Upgrade. This is because the installation of these Novell products and services was developed using the Java-based Novell Installation Services SDK (see the Software Developer Kit available from http://developer.novell.com). The Accelerated Upgrade is intended primarily to upgrade the NOS.
The following .ICS files are called, in order, and are responsible for the scripted Accelerated Upgrade:
1. UPGRADE.IPS—IPS files are product files
2. ACCUPG.ICS—ICS files are normal batch files that usually call other batch files
3. SETLAN.ICS
4. HWDETECT.ICS
The Accelerated Upgrade consists of several scripts. The first script (UPGRADE.IPS) performs a number of steps prior to the server reboot. The second script (HWDETECT.ICS) starts the hardware detection, upgrades the NDS database after the server is rebooted, cleans up after the Accelerated Upgrade, and reboots the server one last time. The following files are associated with the Accelerated Upgrade:
ACCUPG1B.TXT
AUTOEXEC.NCF
CUSTOM.ICS
CUSTOM.TXT
HDETECT.NLM
HWDETECT.ICS
ICMD.NLM
LICENSE.TXT
NDSDIBUP.NLM
NEW.TXT
NWI.NLM
NWIHW.NLM
README.TXT
REBOOT.NCF
SETLANG.ICS
UPGRADE.HTM
UPGRADE.IPS
Exposing additional menu options
The simplest customization to the Accelerated Upgrade script is the exposure of additional menu options. Many procedures that are normally run automatically may be turned into menu options. They are:
Remove old files from Startup and SYS:SYSTEM directories
Copy server startup drivers and files
Copy NetWare SYSTEM, PUBLIC, and LOGIN directories and files
Install Script Files
Copy Java files
Copy Novell ConsoleOne
Run NetWare GUI Install
Custom End-User Installation Options
Descriptions of what these options do are found in the UPGRADE.IPS install script on the Help: line associated with the menu option. Warning: If you reveal these options and deselect any of them, NetWare 5 will not be fully installed. Moreover, disabling these options may result in an upgrade failure and may render your server unusable. To display these procedures as options on the Accelerated Upgrade menu, locate the @FileSet and @EndFileSet commands in UPGRADE.IPS. These commands define the groups of files to copy, or instructions to be performed—if the corresponding box is checked. For example, the section associated with “Copy server startup files and drivers” is shown below:
@Fileset
Description: "Copy server startup files and drivers"
Name: DOS_STUFF
Class: MANDATORY
Help: "Server startup files, needed to boot the server, are copied to the server's startup directory. Hardware drivers, such as: storage, I2O, PSM, and SBD, are copied to the server's startup .\\DRIVERS directory."
DiskBytes: 8780000
Bytes: 8780000
SetVar SBOOT, %{true}
SetVar itemSelected, %{true}
@EndFileset
To make any one of these options visible on the menu, you must do two things:
1. First, replace the keyword MANDATORY on the Class: line with OPTIONAL (the option is selected by default) or OPTIONAL_OFF (the option is not selected by default). This will allow the Fileset to appear as an available menu option.
2. Second, search in UPGRADE.IPS for the second copy of the same Fileset group by its Name: and replace the keyword MANDATORY with OPTIONAL or OPTIONAL_OFF. By way of example, the following is the second Fileset for “Copy server startup files and drivers” (identified by the Name: DOS_STUFF).
Finally, you can completely customize the Accelerated Upgrade to meet your enterprise needs. To accomplish this you will need to have an understanding of the NetWare Installation Scripts. For detailed information, see Technical Information Document #2944480 at http://support.novell.com. Accelerated Upgrade includes a sample of a script (CUSTOM.ICS) that can be used to extend the utility. The CUSTOM.TXT in v1.1 explains the commands most widely used in the installation scripts. Commands to call the sample script (CUSTOM.ICS) already exist in UPGRADE.IPS, but are disabled. To enable them, simply uncomment two groups of lines by removing the semi-colon at the beginning of each line. To find the first group, search for Custom End-User Installation; then uncomment every line from @Fileset to @EndFileSet. Next, search for CUSTOM.ICS and uncomment every line from @IncludeFile to @EndIncludeFile.
6.6 Customizing an installation CD with a support pack
NW51SP1 can be integrated into the NW51 International (export version) install by modifying the entry listed below to match your configuration and placing it into the response file. The install will take the string and append it to “LOAD NWCONFIG B=<string>” and execute it. The Service Pack is installed in the same manner as any .IPS file upgrade through NWCONFIG. It can, therefore, be scripted. SPACK.IPS is called through NWCONFIG to install all of the service pack modules. SPACK.IPS calls:
STARTUP.ICS
SPACK.ILS—ILS files are language files
SHUTDOWN.ICS
Don’t spend a lot of time on scripts if you don’t have a large installation. The learning and testing curve of scripts can be too big to justify your time. It is easier to use NWCONFIG to install support packs and vendor patches on smaller networks.
6.6.1
[NWI:Install Script]
Use if the support pack image is on the c: drive in the \nw51sp1 directory.
Support Pack Script=c:\nw51sp1\spack.ips e=c:\loaderr.log s=c:\nw51sp1
Use if the support pack image is on a mounted CDROM.
;Support Pack Script=NW51:\spack.ips e=c:\err.log s=NW51:\
Use if the support pack image is on a remote server named ATLFS1 in the IMAGES:SP1\ directory in the TEST-TREE tree.
;Support Pack Script=ATLFS1/images:/sp1/spack.ips TRANSPORT=IPX u="SITESTER2" a=01010155:000000000001:0451 DS u="CN=CONTAINADMIN2.OU=INSTALL.OU=LABRATS.O=LAB" z=TEST-TREE e=C:\err.log s=ATLFS1/IMAGES:/SP1
You can use STUFFKEY.NLM to aid your scripting. Use an NCF file to load TOOLBOX and use the TOOLBOX commands to back up the old C:\NWSERVER directory. You can also back it up using Novell’s CD Scripting Language.
6.6.2 Important Post Installation Tips
Do not skip this section, do not collect $200 and do not pass GO. Patch your servers, BIOS, LAN drivers, DS, etc. Warning: Compaq LAN drivers are sensitive to what version of the Novell ETHERTSM and MSM modules they work with. Compaq ships the correct versions of these Novell modules with their LAN drivers on the NSSD diskette. If you run a Compaq LAN driver with a mismatched set of ETHERTSM and MSM modules, you run a serious risk of memory leaks and/or performance problems. Since a support pack or NetWare version upgrade often replaces the ETHERTSM and/or MSM modules, without replacing the Compaq LAN driver, it is always a good idea to reinstall the LAN driver, ETHERTSM and MSM modules from the latest NSSD update from Compaq after installing a support pack or upgrading to a new version of NetWare. See Chapter 2 for more information on Novell patches and Chapter 9 for tuning and optimization information.
Verify your LAN card and protocol settings
Many times the auto-negotiation value is changed. I have also found that the upgrade actually downgraded the NIC driver version. Some versions of Intel’s NIC cards require a minimum 2048 physical packet size.
Check all of your protocol bindings
Ping the server (IP and IPX), ping other servers from this server. Look at the CONFIG display.
Check time synchronization
At the server console type:
:SET TIMESYNC DEBUG = 7
Toggle to the debug screen and make sure you are timesyncing properly. Change it back when you are finished.
:SET TIMESYNC DEBUG = 0
Tune the server
Increase the speed/efficiency of your NetWare server. Recommendations are covered in Chapter 9.
Tune the clients
Recommendations are covered in Chapter 1.
Verify printing
Print to queues assigned to this server or NDPS printer agents that are using the server’s broker.
Enable all third-party .NLMs
Go through the AUTOEXEC.NCF file and uncomment third-party files.
Take a new CONFIG /S of the server
As previously discussed, do a:
:LOAD CONFIG /S
and copy the resulting SYS:SYSTEM/CONFIG.TXT file to your workstation or another central place to refer to it later.
Best practices using TOOLBOX.NLM
Novell’s TOOLBOX freeware utility has many uses. Use it to back up your DOS directory before you start. Take note that the newest version of TOOLBOX requires authentication. Create an .NCF file containing the following commands:
LOAD TOOLBOX
MKDIR C:\NW41OLD
CHDIR C:\NWSERVER
COPY *.* C:\NW41OLD /DS
Use TOOLBOX to purge volumes
Purge the SYS volume, at least, before starting.
PURGE SYS: -A
Force a sync
NDS sometimes needs a kick in the butt. After installing a server, go to the NDS master replica of the partition it was just installed in and force a sync.
:SET DSTRACE=ON
:SET DSTRACE=1
:SET DSTRACE=*S
:SET DSTRACE=+S
:SET DSTRACE=*H
I sometimes make a FORCESYNC.NCF file with these commands in it. More information about NDS Tools and troubleshooting can be found in the NDS chapter. Remember to turn off the DSTRACE screen.
:SET DSTRACE=OFF
6.7 Upgrading NDS
Some NDS patches require an entire support pack installation—some require only three or four files. Read the corresponding README file. After copying a new DS.NLM to the server, you can load it without rebooting the server by:
:SET DSTRACE = *.
This DSTRACE command reloads the new DS.NLM in the SYS:SYSTEM directory into RAM immediately. NDS 8 is an exception. If you do not choose it through the installation or upgrade process, it is installed through NWCONFIG, like a new product.
6.8 Response file syntax
The Response File is a Windows INI type file. Data items are identified as keys. Keys have associated values that you would specify for data fields (e.g., key = value). These keys are grouped in sections. For the NetWare 5 installation program, each data input screen has one or more sections associated with it. Section names of the NetWare 5 installation generally correspond to their function. The syntax is:
Section and key names are case sensitive.
Values associated with keys are not case sensitive.
A semicolon (;) placed at the beginning of a line specifies that the line is a comment.
Sections may be placed in any order within the Response File. If, however, there is more than one section with the same section name, the first section encountered in the Response File will be the one used; any others will be ignored.
Section headings
Table 6.1 lists the sections that apply to the NetWare 5 server installation. For the most part, they are listed in the order they appear during the installation.
The Prompt key
A Prompt key is listed with each section that corresponds to a data input screen. This key controls whether the screen will be displayed, giving you the ability to pass in the keys and values of the section via the Response File and bypass the screen. If the value of Prompt is True, the screen will be displayed and the data that is specified in the Response File will be presented as default values. If the value of Prompt is False, the screen will not be displayed. However, if any of the required data is missing in the Response File, the screen will be displayed regardless of the Prompt value.
Table 6.1 Response File Section Headings
Section Heading (with its Purpose indented beneath it)
[NWI:Product Information]
    Identifies the specific product version that this Response File is associated with.
[NWI:Language]
    Specifies the languages to be installed on the server.
[NWI:Install Options]
    Corresponds to the first data input screen.
[NWI:Locale]
    Corresponds to the regional settings screen.
[NWI:Mouse and Video]
    Corresponds to the mouse and video settings screen.
[NWI:Hardware]
    Corresponds to the hardware detection and driver matching function of the installation program. Note: If drivers are found in the Update directories, they will be used instead of the drivers found on the NetWare 5 CD-ROM.
[NWI:Multi-Processor System]
    Identifies the driver associated with the processor system in the server.
[NWI:Storage Adapter n]
    Identifies the driver and its associated parameters for a specific storage adapter. This section may be duplicated for as many adapters as are in the server. The variable n uniquely identifies the sequence of the section (for example, 1, 2, and so on).
[NWI:Storage Device n]
    Specifies storage devices. This section may be duplicated for as many devices as are in the server. The variable n uniquely identifies the sequence of the section (for example, 1, 2, and so on).
[NWI:Network Adapter n]
    Identifies the driver and its associated parameters for a specific network adapter. This section may be duplicated for as many adapters as are in the server. The variable n uniquely identifies the sequence of the section (for example, 1, 2, and so on).
[NWI:HotPlug System]
    Identifies the driver associated with the processor system in the server.
[NWI:NetWare Loadable Module]
    Identifies NLMs that are to be loaded with the hardware drivers.
[NWI:Misc]
    For parameters that do not correspond to a data input screen.
[NWI:NW Volume]
    Specifies the parameters for the SYS volume and its NetWare partition.
[NWI:File Server]
    Specifies the parameters that uniquely identify the server.
[NWI:Protocols]
    Controls whether the protocol screen is displayed.
[NWI:TCPIP]
    Specifies TCP/IP parameters.
[NWI:IPX]
    Specifies IPX parameters.
[NWI:Time Zone]
    Corresponds to the time zone screen.
[NWI:NDS]
    Corresponds to the NDS screen.
[NWI:License]
    Identifies the location of the license file.
[NWI:Time Synchronization]
    Identifies time synchronization configuration.
[NWI:DNS]
    Specifies Domain Name Service parameters.
[NWI:SNMP]
    Specifies Simple Network Management Protocol parameters.
[NWI:Add To Startup]
    Specifies lines to be added to the STARTUP.NCF file.
[NWI:Append To Autoexec.ncf]
    Specifies lines to be added to the AUTOEXEC.NCF file.
In the following example, the NDS section includes Prompt=True. The NDS data input screen will be displayed with the specified information already filled in.
[NWI:NDS]
Prompt = True
Tree Name = MY_TREE
New Tree = True
Server Context = O=First_O
Admin Context = O=First_O
Admin Login Name = Admin
Admin Password = NetWare
Display Summary = True
Schema Extensions = sys:/system/schema/NLS.SCH,sys:/system/schema/AUDITING.SCH,sys:/system/schema/NWADMIN.SCH,sys:/system/schema/NRD.SCH,sys:system/schema/SAS.SCH,sys:/system/schema/NDSPKI.SCH,sys:/system/schema/MASV.SCH,sys:system/schema/SLP.SCH
Schema Extensions Pre DS = sys:/system/schema/NDS500.SCH,sys:/system/schema/NLS.SCH
With this entry in the Response File, the NDS information screen will be displayed with the specified defaults.
If the entry in the Response File showed Prompt=False, the NDS input screen and the Summary screen would not be displayed and the NetWare 5 installation program would bypass them.
[NWI:NDS]
Prompt=False
Tree Name = MY_TREE
New Tree = True
Server Context = O=First_O
Admin Context = O=First_O
Admin Login Name = Admin
Admin Password = NetWare
Display Summary = False
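The syntax rules and the Prompt behaviour described in this section, worked through in a small parser. This is an added example, not part of Novell’s installer; the required-key list for [NWI:NDS], the treatment of an absent Prompt key as True, and the sample file are assumptions modelled on the examples above.

```python
"""Parser for the NetWare 5 Response File rules described in section 6.8.

Added example, not Novell's installer code. Assumptions: section names are
stored without their brackets, an absent Prompt key counts as True (the text
does not say), and NDS_REQUIRED_KEYS is a constructed guess, not Novell's list."""
from typing import Dict, List, Tuple

Sections = Dict[str, Dict[str, str]]

# Constructed assumption: keys the NDS screen cannot proceed without.
NDS_REQUIRED_KEYS = ["Tree Name", "Server Context", "Admin Login Name", "Admin Password"]


def parse_response_file(text: str) -> Sections:
    """Return {section name: {key: value}} following the stated rules:
    ';' at the start of a line is a comment, section and key names are
    case-sensitive (kept verbatim), and when a section name appears twice the
    first occurrence wins and the later copy is ignored entirely."""
    sections: Sections = {}
    current = None              # dict for the active section, or None to discard
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            if name in sections:
                current = None      # duplicate section: its keys are ignored
            else:
                current = sections.setdefault(name, {})
            continue
        if current is None:
            continue                # key outside any usable section
        key, sep, value = line.partition("=")   # split on the first '=' only
        if not sep:
            continue                # not a key = value line
        current[key.strip()] = value.strip()
    return sections


def value_equals(sections: Sections, section: str, key: str, expected: str) -> bool:
    """Values are not case-sensitive, so compare them case-insensitively."""
    return sections.get(section, {}).get(key, "").lower() == expected.lower()


def screen_is_displayed(sections: Sections, section: str,
                        required_keys: List[str]) -> Tuple[bool, List[str]]:
    """Apply the Prompt rule: Prompt=True shows the screen with the file's values
    as defaults; Prompt=False bypasses it, unless a required key is missing,
    in which case the screen is shown regardless of Prompt."""
    data = sections.get(section, {})
    missing = [k for k in required_keys if not data.get(k, "").strip()]
    if missing:
        return True, missing
    bypass = value_equals(sections, section, "Prompt", "False")
    return (not bypass), missing


# Constructed sample modelled on the [NWI:NDS] example in the text. A response
# file like this carries the Admin password in clear text, so protect the file.
SAMPLE = """
; NDS section with Prompt=False: the screen is bypassed
[NWI:NDS]
Prompt = False
Tree Name = MY_TREE
New Tree = True
Server Context = O=First_O
Admin Context = O=First_O
Admin Login Name = Admin
Admin Password = NetWare
Display Summary = False
; second copy of the same section: ignored, the first one wins
[NWI:NDS]
Prompt = True
Tree Name = OTHER_TREE
"""

# Same section with the password left out: the screen is shown anyway.
SAMPLE_MISSING = SAMPLE.replace("Admin Password = NetWare\n", "")

# Key names are case-sensitive, so PROMPT is not the Prompt key.
SAMPLE_WRONG_CASE = SAMPLE.replace("Prompt = False", "PROMPT = False")


if __name__ == "__main__":
    for label, text in (("complete", SAMPLE), ("missing password", SAMPLE_MISSING),
                        ("PROMPT key", SAMPLE_WRONG_CASE)):
        shown, missing = screen_is_displayed(parse_response_file(text),
                                             "NWI:NDS", NDS_REQUIRED_KEYS)
        print(f"{label}: NDS screen displayed={shown} missing={missing}")
```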
7 Other Novell Products
This chapter was needed. I can’t believe how well Microsoft gets its message out compared with Novell. Most of my former clients had no idea of what other offerings Novell had. I wanted to make you aware of some of the highlights. I do not intend to cover every Novell product nor each feature of the ones I do cover. I do want to educate and provide a quick reference for you if you are answering questions for yourself, a client or manager about the functionality of many of Novell’s product offerings. The information is based on the latest releases and/or Novell’s public product roadmap information. Each version and support pack offers additional functionality, security enhancements and bug fixes.
Best Practice:
Keep your products patched and updated.
Novell publishes documentation and TIDs to optimize, configure and troubleshoot their products. Use Novell’s free TID support to tune your products to their full potential.
NetWare is more than a file and print platform. It is an application platform able to run enterprise applications. More information about those applications can be found at the following addresses:
www.novell.com/documentation
www.novell.com/coolsolutions
www.novell.com/products
www.novell.com/products/resourcecenter
http://support.novell.com
www.novellshareware.com
www.netwarefiles.com
www.netpro.com
www.netadmincentral.com
www.bindview.com
7.1 Installing Novell products
Installing Novell Products used to be simple—go to INSTALL.NLM and use the product options menu. An .IPS file was used to load products to the server—no more. Now, there seems to be a disconnect between Novell’s product divisions. Some applications are loaded through NWCONFIG—like NDS version 8, some through the X Window System GUI on the server—e.g., NDPS, and some from the workstation—like ZEN for Desktops.
7.2 Managing Novell’s products
Managing Novell’s products is done through the server console, the NetWare Administrator GUI or the ConsoleOne Java GUI. Novell is in a transition period where all products are in the process of being ported to ConsoleOne. Consider ConsoleOne your new and future management tool.
7.3 Novell products
7.3.1 BorderManager
BorderManager is an application that rides on top of NetWare and delivers the following:
Benefits
Provides highly secure, single sign-on authentication
Control access between your network and the Internet
Simplify management and cut administrative costs
Implement a low-cost WAN
Enjoy simplified installation
Provide faster RADIUS authentication
Perform user-based URL blocking in a thin-client environment
Support VPN over NAT to allow users to work securely via cable modem or DSL
Protect information with Triple-DES security
Provide multiprotocol and multi-OS dial-in and dial-out access
Accelerate access to Web content
Provide RTSP support
Support multiple languages
Firewall
Packet Filtering: Decide what traffic to allow out of and into your network
Stateful Inspection: Allow certain types of traffic only if an internal request is made for that type of traffic
Proxies
Network Address Translation (NAT)—NAT allows for one valid IP address to be shared among all of your clients. All requests are proxied through the IP address and all return information is based upon the one IP address too.
IPX/IP and IP/IP Gateway Services—There may be no safer method to protect your internal clients than to run a separate protocol, like IPX, internally and gateway to IP services.
SOCKS 4 and SOCKS 5 Server
Cache HTTP, FTP, and DNS—The fastest, most cost-efficient cache engine on the planet is Novell’s ICS cache appliance. The predecessor to BorderManager 3.5 is supposed to have a similar cache engine. Still, BorderManager can support 10,000 requests per second—much more than most shops need.
Proxy—Proxy literally means “on behalf of.” A proxy server serves you by making requests on your behalf—thus concealing your identity
Reverse Proxy/Cache—Supports cookie-based authentication for reverse proxy
Application Proxies—Non-caching RTSP Real Audio proxy, Telnet proxy
Server-to-Server VPN (IPSec)—Instead of paying for outrageous point-to-point data lines, create a secured VPN over the public Internet using a BorderManager server at each site
Client-to-Server VPN (IPSec)—VPN over the Internet to your network. You need to use valid IP addresses on your servers to access and control them, no 10.x, or other internal, non-routed IP address for internal servers. Access to your internal servers allows for PORTAL control. See the information about Novell’s PORTAL earlier in this chapter.
RADIUS Authentication Support—Remote Access support
Access Control—Grant and restrict access and access times based on NDS
URL Content Filtering—Done through Cyber Patrol software; 45 day Trial License
New in BorderManager 4.x
Support for third-party security services via APIs (only in version 4.x)
CVP, Filter Framework, IPSec, etc.—Allows developers to construct data filtering services that register with the BorderManager proxy service, such as URL blocking, virus-scanning, mobile code scanning and blocking (ActiveX/Java applets), advertising insertion
Mobile code blocking
Multiple URL filter partners
AntiVirus in the Box
Intrusion Detection
PKI in the Box
SSLizer in the Box
VPN enhancements—Full IPSec and IKE support
X.509 certificate support in VPN client
Interestingly, you may purchase BorderManager as a whole or in individual pieces/services.
Understanding the name resolution process for BorderManager
Name resolution for the server IP stack is provided by NETDB.NLM. The Novell BorderManager proxy does not use the functions provided by NETDB.NLM, which is what NetWare itself uses; instead it does name resolution by itself. The search order is:
1. local cache
2. sys:etc\hosts
3. sys:etc\resolv.cfg
The proxy is notified by BRDMON.NLM when changes are made to the CONFIG files. You will see a message on the proxy cache server screen telling you that “modified hosts entries in sys:/etc/hosts file are now being used.” The same will happen if you make a change to the RESOLV.CFG file. Changes to hosts or RESOLV.CFG are not dynamic. You have to unload and reload NETDB.NLM and TCP/IP.NLM—just restart the server. Both NETDB and PROXY.NLM will search for a “.” in the name to be resolved. If no “.” is found, they will append the domain name specified in RESOLV.CFG to the string and try to resolve the resulting name. BorderManager is marketed as a compilation of products that manage, secure and accelerate user access to information. The BorderManager server is put between two networks to:
Examine and modify entire data objects. For example, a filter could scan incoming files for virus infections and, if necessary, clean them.
Inspect and modify each data block as it comes from an origin server. This kind of filter has sequential access to incoming data. For example, a filter could look for content deemed inappropriate by the site administrator.
Examine user requests to determine whether the request should be blocked, based on user information that is stored in NDS. This capability is known as Object Content Filtering (OCF).
Determine whether an individual user is allowed to retrieve an object, based on the stored information about the content of the object and on information about the user that is stored in NDS.
When a user logs in, NDS notifies the filter framework. The filter framework then calls each registered filter’s processUserSettings function with the NDS settings for that filter and user. The NDS settings are taken from the user object, the user’s container hierarchy, and the user’s security equivalents. When a user logs out, the filter framework calls each registered filter’s clearUserSettings function.
Practical application of BorderManager
BorderManager has been well received by critics and companies. Eighteen industry awards, over six million users, an ICSA-certified firewall and the strongest authentication offering in the market make it an excellent choice for small to large shops. It is not an enterprise offering—it may not show the throughput needed for Fortune 1000 companies, but there are few companies that wouldn’t benefit from at least the caching/proxy and VPN services. I have used the product often and can attest to its stability and ability.
Proxy/Cache
If you are looking to BorderManager to do just caching, don’t. Use Novell’s ICS, which has been optimized as a caching appliance. ICS is one of the strongest product offerings from Novell. The competition cannot match Novell’s price and performance for caching. Drew Major, Novell’s chief scientist, has been devoting much of his time to optimizing the ICS appliance product.
Firewall
BorderManager’s firewall capabilities are great for small to medium size companies. In larger organizations, I see CheckPoint Firewall 1 and Cisco’s PIX used most often.
VPN services
Use the VPN for access to your network through the Internet—your ISP—and for site-to-site communication through the Internet (client/server). VPN services are also appropriate for server-to-server communication across a public network—like the Internet. Instead of an overpriced point-to-point T1 connection between two of your sites—especially overseas sites—use the ISP connection to set up a BorderManager Internet VPN between sites. You will pay only for the ISP cost—which you are probably paying for anyway—and the Border software.
Figure 7.1 Novell’s VPN client
Note: BorderManager is sold in modules. If you do not need the firewall services, for example, pay only for VPN.
Third-party software for BorderManager
http://www.maa.it/tools/border.htm—Provides a Border logging utility
http://www.analog.cx/—A FREE log analyzer tool. Use on a Web server, too. Can analyze 2 million lines per minute on a 266MHz workstation.
http://www.webtrends.com/products/firewall/—Management and security reports for the BM firewall; incoming and outgoing Web reports. Outgoing Web Activity allows you to assess employee productivity, including bandwidth usage, and the Websites visited by IP, username or authenticated user, and filter data by site, search engine keyword, and IP or authenticated user.
http://www.patchlink.com/—Network Border Control allows management through browsers
http://www.telemate.net/—Internet usage management
http://www.tibus.net/pgregg/projects/radiusreport/—RADIUS reports
http://www.netcents.com/—Usage tracking for dialups
https://grc.com/x/ne.dll?bh0bkyd2
7.3.2 Novell Certificate Server (formerly PKIS)
39.7MB extra SYS volume space needed for installation
Free Download
The Certificate Server—renamed from its days as PKIS—provides for:
Authentication, via NDS or other directory service—without the use of the Novell workstation client software
An encrypted session between client and server—without the use of the Novell workstation client software—is appropriate for e-mail, Web server authentication and secure network applications (like LDAP applications)
See a pattern here? Many people do not want, nor do they use the Novell workstation client software to authenticate to servers—especially Web servers. Novell must, therefore, embrace other authentication standards to gain and keep a foothold in the Web services arena. The digital equivalent of a secure, personalized ID card, public key infrastructure provides a foundation for secure transactions. Public Key encryption is the basis for the security functions of Novell’s Certificate Server. Some third-party vendors that Novell’s Certificate Server supports are Baltimore Technologies, Verisign and Entrust. Popular e-mail applications supported by Certificate Server include Outlook98, Outlook2000, GroupWise 5.5, Netscape Messenger, and others. Server application support includes Novell LDAP, BorderManager Proxy Services, Netscape Enterprise Server on NetWare 5.1, and the NetWare Management Portal. Though the popular Netscape and Microsoft browsers do not natively recognize the certificates, they do still work upon accepting the certificate trust warning. Authentication and decryption are accomplished through the use of key pairs (digital codes). Key pairs are generated by Novell’s Certificate Server.
Public Key
Published openly by a key pair owner to a requestor—public keys are generated by a Certificate Authority (CA)
Pair owner validates signatures of the key—certified through a Certificate Authority (in Novell’s case the CA is NDS; however, external CAs can be used)
Encrypts data between requestor and key pair owner for private transmission—data encrypted with a public key can only be decrypted by the matching private key
Public key certificates contain a public key, subject name, an expiration date (optional) and a CA-generated signature
Private Key
Closely guarded key used to:
Create digital signatures—by Novell’s International Cryptographic Infrastructure (NICI)
Decrypt data that was encrypted with the owner’s public key
For example, if I wanted to send you an encrypted e-mail, I would encrypt the e-mail with your public key and only you could decrypt it with your private key.
PKI services allow the administration of key pairs using the NDS database.
Standards
Support for the PKIS-generated certificates according to the X.509 v3 standard. PKIS is compatible with X.509 v1 and v2 certificates. Also supported are:
PKCS #7—S/MIME and multiple certificate-packaging format
PKCS #10—Certificate Signing Request format
PKCS #12—Personal Information Exchange format
PKI has a dependent relationship upon Novell’s International Cryptography Infrastructure (NICI); therefore, keep both updated/patched.
The role of NDS in certificate server
NDS is used to:
Replicate and store public and private keys
Provide central administration through ConsoleOne
Provide users access to manage their own certificates—admin willing
X.509 v3
The X.509 version 3 format provides for the following information to be contained in a certificate:
Name of the organization or user (subject name)
Public key of the organization or user
Public key certificate validity length of time
Public key certificate serial number
Public key certificate issuer CA name
CA generated digital signature
Alternate names
Phone numbers
E-mail addresses
Key usage constraints
Certification practice statements
Other critical or non-critical attributes
Novell Certificate Server 2.0 is available as a no-cost download and can mint an unlimited number of certificates—other solutions charge per certificate. It can also work with other third-party vendors to share minting duties. Novell Certificate Server can support a considerable demand for certificates, PKI queries, and certificate storage and management—use a beefy server. Certificates are minted using cryptography technology and managed automatically—through NDS and with NICI. Novell Certificate Server and NICI use the strongest legally allowable cryptography algorithms—NICI is loaded by an .NFK file and tied to the server-based license. The Certificate Server is a great solution for authentication into a Website. Unfortunately, Netscape and Microsoft browsers do not natively recognize the certificates. All NDS-supported platforms will work with Novell’s Certificate Server (NetWare, NT, Solaris, Linux, etc.).
Configuring PKI support for NDS
Use ConsoleOne to configure support for PKI—from a workstation (oddly, ConsoleOne cannot be used from the server to configure the Certificate Server).
Server Certificate object
Create one for each application that is cryptographically enabled. A server can have many server certificate objects associated with it, but an object cannot be shared among servers. Server Certificate objects must reside in the container where the server object exists—if the server is moved, the certificate objects must be moved. Do not rename a server certificate object—instead, create a new one.
Associated NDS Objects
Certificate Authority Object
Key Material Object
Security Container Object—This is that little lock icon under [Root]. It is created when the Secure Authentication Service (SAS) is installed.
CRLDistributionPoint
MASV:Security Policy
SD Key Access Partition
Trusted Root Container Object—Provides the basis for trust in public key cryptography and is used to authenticate/validate certificates signed by the CA. The Trusted Root container object allows for secure e-mail (S/MIME), certificate-based authentication, and SSL. NDS leaf objects contained by the Trusted Root Container Object are Trusted Root Objects. This container object must be created in the Security object container.
Trusted Root Object—Different from the container object, this leaf object contains only a valid CA’s trusted root certificate. This NDS object can only exist in the Trusted Root container.
Note: Verify that you have the latest NICI components installed through NWCONFIG ➝ Product Options ➝ View/Configure/Remove installed products.
The Certificate Authority
A Certificate Authority mediates the exchange of public keys by verification of identity (which NDS may do); then the CA issues a public key certificate for each of the parties in the conversation (analogous to a Tom Clancy spy novel where two parties talk over a public wireless medium with cell phones that use 128-bit encryption on each end).
1. The CA verifies your identification
2. Creates a public key certificate containing the required information
3. Mathematically hashes the information in the public key certificate to arrive at a value data string, normally 16 to 20 bytes
4. Encrypts the data string using the CA’s private key
5. Sends the public key certificate containing the public key and the CA’s signature to the requestor
6. Requestor receives the public key certificate, which is verified by the same mathematical hash against the value. An unaltered message should have the same hashed value and be opened
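The X.509 v3 field list and the six CA steps above, as an added Go example that is not code from the book or from Novell Certificate Server: a constructed root CA (standing in for the Trusted Root) issues a server certificate carrying a serial number, validity period, alternate names, an e-mail address and key usage constraints; the certificate is parsed back into those fields and verified against the root the way step 6 describes, and a copy with one byte of the signed body changed, or the same certificate presented for a different host name, fails that check. The organization, host and e-mail address are made up for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertSummary holds the X.509 v3 fields listed in the section.
type CertSummary struct {
	Subject, Issuer, Serial string
	NotBefore, NotAfter     time.Time
	DNSNames, Emails        []string
	KeyUsage                x509.KeyUsage
	IsCA                    bool
}

// makeCert generates a key pair and has parent sign tmpl (tmpl signs itself when parentKey is nil).
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	return der, key, err
}

// newCA makes a self-signed root (the Trusted Root in NDS terms); all names here are constructed.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	now := time.Now()
	der, key, err := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{"Example Org"}, CommonName: "Example Root CA"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// issueServerCert is steps 2 to 5: the CA fills in the fields, hashes them and signs with its private key.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host, email string) ([]byte, error) {
	now := time.Now()
	der, _, err := makeCert(&x509.Certificate{
		SerialNumber:   big.NewInt(4242), // serial number
		Subject:        pkix.Name{Organization: []string{"Example Org"}, CommonName: host},
		NotBefore:      now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour), // validity period
		DNSNames:       []string{host},  // alternate names
		EmailAddresses: []string{email}, // e-mail addresses
		KeyUsage:       x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, // key usage constraints
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return der, err
}

// summarize parses DER and returns the fields a relying party reads.
func summarize(der []byte) (CertSummary, error) {
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return CertSummary{}, err
	}
	return CertSummary{Subject: c.Subject.String(), Issuer: c.Issuer.String(),
		Serial: c.SerialNumber.String(), NotBefore: c.NotBefore, NotAfter: c.NotAfter,
		DNSNames: c.DNSNames, Emails: c.EmailAddresses, KeyUsage: c.KeyUsage, IsCA: c.IsCA}, nil
}

// verifyAgainstRoot is step 6: re-hash the signed body, check the CA signature against the
// trusted root, and also check the validity dates and the host name.
func verifyAgainstRoot(der []byte, root *x509.Certificate, host string) error {
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// tamper flips the case of the first letter of the subject CN inside the signed body:
// the DER stays well formed, but its hash no longer matches the CA signature.
func tamper(der []byte, host string) ([]byte, error) {
	i := bytes.Index(der, []byte(host))
	if i < 0 {
		return nil, fmt.Errorf("subject name %q not found in certificate", host)
	}
	out := append([]byte(nil), der...)
	out[i] ^= 0x20
	return out, nil
}
```

verifyAgainstRoot leans on the standard library's chain validation, which re-hashes the signed body and compares the result with the CA signature (step 6) and in addition rejects expired certificates and host-name mismatches; that is why the tampered copy, whose DER is still perfectly well formed, is refused.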
The Certificate Authority NDS object resides in the Security container under [Root]. It contains the public key, private key, certificate, certificate chain, and other configuration information. Normally, it is created upon installation of the first NetWare 5.1 server, as it is used for SSL and the NetWare Portal; if not, install it on a reliable server at a location convenient for the entire enterprise, as all servers may access this server. The Certificate Authority service runs on only one NetWare server. The NDS server may mint an unlimited number of certificates.
Setting up PKI services in NetWare
Public Key Infrastructure, in NetWare, relies on NDS, rightly so. NDS provides PKI a way to manage security objects (certificates), verify that certificates are up to date, revoke them when compromised, and handle other functions. NetWare Administrator (or ConsoleOne) ➝ look in the [Root] context for the Security container, then right-click the Security object ➝ Create ➝ Certificate Authority ➝ OK ➝ follow the prompts. You should create a Key Material NDS object for each application that uses PKI Services, e.g., LDAP.
Creating other Key Material objects
NetWare Administrator (or ConsoleOne) ➝ right-click the container holding the server that will run the application ➝ Key Material object ➝ OK.
NLMs relating to Certificate Server
PKI.NLM
PKIAPI.NLM
7.3.3 NetWare Management Portal
0.5MB FREE; loaded in the installation/upgrade of NetWare 5.1
This is the most exciting part of NetWare 5.1, and it is updated in NetWare 6. Finally, I do not need a mega-intrusive Novell client on my workstation to get server-specific information. I can now use my browser to manage the server. Novell now supports HTTP as an access protocol. The portal is viewed by typing in the IP address of your NetWare 5.1 server and accessing port 8008:
http://x.x.x.x:8008
Example: http://10.2.3.5:8008
Figure 7.2 The NetWare Management Portal.
Hint: click on the black banner at the top of the page.
Novell published an AppNote on server management from the Portal: http://developer.novell.com/research.
NLMs related to the Portal
PORTAL.NLM—Use the /buttons switch to load the NLM from the AUTOEXEC.NCF
HTTPSTK.NLM—Should be auto-loaded by PORTAL.NLM
7.3.4 Storage Management Services
9.47MB
Novell’s proprietary backup solution, SMS, has come a long way. I have used SMS at client sites to back up servers before I start upgrading. Still, other solutions, like Backup Exec, can do a backup in literally half the time. SMS is covered in Chapter 2.
7.3.5 NetWare Enterprise Web server
85.05MB
No longer are you relegated to using the Fast Track “mini-Web server.” This is the same Web server Novell uses to front its Website, which takes some 2.2 million hits per week. Novell is now pushing the Apache Web server on its NetWare platform. You can find out more information on Novell’s Website or Apache’s Website.
7.3.6 Netscape Enterprise Server security features
Restricts access to information stored on the server via NDS authentication.
Encrypts communications between the server and a Web client.
Allows access to documents, directories, and applications based on specific user name/password pairs, groups (collections of users), IP addresses, host names, or domain names.
Supports client authentication to restrict access based on client certificates.
Incorporates SSL 3.0.
Includes centralized management through its integration with Novell Directory Services and LDAP directories.
The best tools do not make the best mechanic. Use the tools that NetWare provides to make your implementation secure. Your security model starts with the server hardware protected from curiosity seekers. Many of my clients have rogue servers under desks. This is not a problem for lab testing purposes when the servers exist in a different tree and on a network separated from the production environment.
7.3.7 NetWare News server
61.66MB Free with the OS
This product is a port of Netscape’s Collabra server.
7.3.8 NetWare MultiMedia server
1.26MB Free with the OS
Supports Real Time Streaming Protocol (RTSP), RFC 2326. Supports:
HTTP
RTSP
.RM files
.WAV files
.MPG files
7.3.9 NetWare Web Manager
30.07MB Free with the OS
Control the Web Server securely with your browser. The default IP port is 2200.
https://10.1.2.3:2200
See Chapter 4 for more information.
7.3.10 NetWare FTP server
.37MB Free with the OS
File Transfer Protocol support. Load NWFTPD.NLM to activate. The FTP server is covered earlier; see Chapter 4 for more information.
NLMs related to the FTP server
FTPIF.NLM
FTPSTAT.NLM
NWFTPD.NLM
7.3.11 NetWare Web Search
1.75MB
This product needs some work. It is accessed at http://serverIP/novellsearch
7.3.12 Novell DNS/DHCP services
Covered in Chapter 4, Novell’s DNS/DHCP services move their data into NDS. Novell also supports Dynamic DNS. Refer to Chapter 4 for more information.
7.3.13 Novell Internet access server
7.78MB
Formerly MultiProtocol Router (MPR), this option installs a more robust INETCFG and provides the software to use your NetWare server as a gateway and/or router. This is often the case with smaller companies, which need a server to be their Internet gateway/router.
7.3.14 NDS Corporate Edition
Corporate Edition NDSv8 is Novell’s new super-charged billion-user-object directory service. BrainShare demos have shown billion-user trees on servers and on a single Solaris server. NDSv8 exists in two forms, Corporate Edition and eDirectory. Corporate Edition distinguishes itself as a file and print plus user account management directory service. It is the evolution of the NDS 7.x versions. Corporate Edition has been enabled to run on several platforms (and is scheduled for more) and is managed by ConsoleOne/NetConsole. Covered in Chapter 3.
7.3.15 NDS eDirectory
NDSv8 is eDirectory and is tailored to Internet usage. It can run on various operating systems such as NT 4.0, NT2000, Linux, Solaris, OS390, etc. NDS eDirectory has no support for file and print integration; it is solely used as the entry/authentication point into your Internet/Intranet. The newest version of eDirectory is code-named TAO. Covered in Chapter 3.
7.3.16 Novell eGuide
Novell’s eGuide application is a platform-independent, Web-based (Java) application that lets you search for information in any LDAP-enabled source. From eGuide you can quickly launch e-mail (MAPI), instant messaging (AOL IM), and video conferencing (Microsoft’s NetMeeting). It’s like an electronic yellow pages. Oblix, a third-party company, makes a full-featured yellow/white pages application. eGuide allows:
Administrators to centrally manage and control—updates are done in real-time
Users to search for directory information anywhere—via the Internet
Users to customize their view of directory information
Users to securely change their information—leaving the Administrator to take care of other tasks
7.3.17 Novell Single Sign-on
The Novell Single Sign-on solution is one of my favorites. I like the idea of having a single password for every application that needs authentication. The SSO solution intercepts the authentication API calls from the third-party application and redirects them to NDS, where your password is kept encrypted, by NICI, in a “secret store.” SSO supports any authentication that is integrated into NDS, like biometrics, X.509 certificates, tokens, smart cards, etc.
The architecture is basically this: USER AUTHENTICATES TO NDS ➝ USER LAUNCHES A PASSWORD-ENABLED APPLICATION ➝ APPLICATION STARTS WITHOUT A CALL FOR A PASSWORD
Out-of-the-box third-party support for:
PeopleSoft 7.0 and 7.5
Entrust 4.0
Lotus Notes 4 and 5
Vantive 6, 7, and 8
Windows NT logon
SQL Integrator
GroupWise Enhancement Pack for 5.5
Host emulators (available from a third party):
Attachmate EXTRA!
Wall Data Rumba
WRQ Reflection
Many applications need some custom coding, which Novell would love to steer you to its consulting arm for, though the red-box solution comes with a toolkit. Fortunately, only one file is needed to implement SSO on a workstation. Novell is touting its future SSO technology to cover all Windows applications.
7.3.18 NDS authentication services (NMAS)
12.5MB plus third-party files needed (most are less than 1MB); FREE download (Starter Pack)
Novell’s Modular Authentication Service is a security system that supports authentication via:
Simple Password—Who doesn’t
NDS Authentication—Our trademark, true RSA 128-bit encryption with public/private key
Smart Card or Token—It can even be a cell phone or pager
X.509 Digital Certificates—Novell’s Certificate Server
Biometrics—Through third-party vendors—voice, fingerprint, retinal, face, etc.—available now
Third-party vendor support for NMAS
Compaq
RSA Security
SAFLINK Corporation
Identix
ActivCard
VASCO Data Security
GEMPLUS
BioID
Keyware Technologies
BAC
CRYPTOCard
Arcot Systems, Inc
Secure Computing
Protocom Development Systems Ltd
Precise Biometrics
IriScan Iris Recognition Products
CHERRY
7.3.19 Novell Small Business Suite 5
Novell has had good success with the Small Business Suite. It is NetWare bundled with other products to serve as a turn-key solution to small-business needs. Specifically, it includes:
GroupWise 5.5—Web access and document management included
Single-site NDS—no partitioning used
Wizards—NICE Internet connection wizard, QuickTasks and Novell Easy Administration Tool (NEAT)
ZEN starter pack 1.1
Netscape Enterprise Web Server
BorderManager FastCache Services 3
NetWare Connect—for dialup connectivity
Oracle 8.04
Tobit Faxware 5.11
McAfee NetShield and McAfee VirusScan
NetObjects Fusion Web design tool
NetWare Management Agent (NMA), which runs on NetWare, providing a reseller with monitoring capabilities
Note: Version numbers are reflective of Small Business Suite 5.
7.3.20 IBM WebSphere Application Server
47.65MB Free with the OS
This is an enterprise foundation application for using NetWare as a Java development platform. The abbreviated version comes with the OS; you’ll have to pay for the full version.
7.3.21 Macintosh Client for NetWare
Look for it on Novell’s Website and in NetWare 6. AFP and Mac support are back.
7.3.22 Novell iChain
Ever wondered how to build a Web presence that lets users log in and presents personalized information based on user-chosen preferences? Sure, you can do that with any database software, but take a look at using NDS, as it is faster, scales better and is optimized for digital identity. Look at the big boys doing the same, like my.cnn.com and my.yahoo.com. You can do the same, and more, with iChain. iChain provides:
HTTP Traffic Management through:
Caching
Authentication proxy
Reverse proxy technology
Common Security and Access Controls through:
Data Confidentiality
eDirectory (NDS version 8.x and above) based Graded Authentication
Single Web sign-on
Community Policies
Object-level access controls
Application Integration through:
Transaction Management with DirCommerce
Application Programming Interfaces (APIs)
iChain consists of three components:
Proxy server, which performs:
Authentication
Access Control
Acceleration
Data Confidentiality
DirCommerce
Web Server:
Supports both NetWare’s Netscape Enterprise Server and Microsoft’s IIS
Runs Java servlets
eDirectory (which is NDS version 8.x):
LDAP v3 support
DirXML to synchronize directory services
7.3.23 Novell Internet Caching System (ICS)
The ICS product is one of Novell’s brightest shining stars. Chief Scientist Drew Major demonstrated the first cache boxes at BrainShare 1999. He seems to be heavily involved in the product development, which is great news. As for references, how about a company that has defined eBusiness in the last decade? $20+ million per day of Internet orders alone provides a fantastic testimony for the trust, capacity (3.8 million visitors quarterly) and stability of Novell’s ICS appliance. Dell is the company and was the first worldwide distributor of ICS.
Dell’s own numbers compare the ICS box to one of their PowerEdge 6300 servers. The ICS box with 1 CPU (compared to 4 CPUs on the PE6300) produced 11,500 gets/sec (versus 1,184 gets/sec for the PE6300) and shows a latency of only 45 ms (compared to 90 ms on the PE6300). The bottom line is, ICS provides:
Six times the performance
Twice the responsiveness
1/10 of the cost
The ICS system is an appliance—much like a router or hub. It runs an OS that controls functions of:
Cache server
Proxy server
Novell’s ICS supports the following functions and enjoys vendor support for those functions:
Multimedia: RealVideo, Apple
Ad injection: DoubleClick, ADFORCE, NetGravity
Intrusion detection: Axent
Filtering: X-Stop for Novell ICS, N2H2, CyberPatrol, Finjan
Virus detection: Network Associates, Symantec Norton Antivirus
Billing/reporting: Webtrends, Telemate.net, Portal
Authentication: ActivCard, RSA, VeriSign, Entrust
The performance results versus competitors leave everyone in the dust when you consider performance and cost. There are no NetWare dependencies; ICS will work in any OS environment/shop. Specifically, the ICS box enhances your Internet experience, or that of your customer, through:
Caching—HTTP, FTP, multimedia, MP3
Proxy—Authentication through LDAP or RADIUS; Telnet proxy
Pinning/Purging Objects—Allows administrators to specify URLs of objects that need to be purged from cache
FTP Forward/Reverse Proxy Cache—Not transparent, but forward and reverse modes alleviate frequent downloads by caching content in the ICS appliance
FTP SOCKS support
Abort Fill Objects—Can configure the appliance to continue download of an object to cache even if the client aborts
Content Filtering—And logging at user and group levels
Byte Range Client—HTTP v1.1 byte range specs to resume object fetches that experience a broken connection
Proxy Authentication—ICS Proxy extension to support authentication
IIS and Multi-home Support—Accelerate, via reverse proxy, multiple sites on the same address and port
Dynamic NAT—For small environments, ICS can be set up as a router using NAT
DHCP Forwarding—DHCP broadcast address forwarding to a DHCP server on another segment
WCCP v2 Support—Web Cache Communication Protocol by Cisco; redirects HTTP requests to cache and balances traffic across multiple caching nodes; a WCCP-enabled router (e.g., layer 4 switch) can balance network traffic across multiple caching nodes
Best Practice: You may use a WCCP-enabled router to transparently transfer all HTTP, FTP, and similar requests to the ICS appliance.
WPAD Support—Web Proxy Auto Discovery Protocol, which enables browsers to find and use caches on the Internet (currently support is built into IE5, but not Netscape)
Report of the Top 10 Site Hits—Other reporting features too: graphical reports, CSV reporting features
Common logging support with extended logging format
Over-the-wire upgrade
Security Administration via serial port
OEM management extensibility via SNMP
IP address-based access control for additional security by administrators
Separate ports for administration and error page reports—Block the admin port through your firewall, but leave the error page report port open to query the error logs from any Internet connection
Two account types—Admin and guest, allowing for configuration changes or simple configuration viewing
Who sells the ICS appliances?
IBM
Compaq
Dell
Toshiba
Quantex
Microbits
Pionex
OCD Network Systems
Hitachi
Fujitsu Siemens Computers
NEC
Legend
Switching partners include:
ArrowPoint Communications
AlteonWebSystems
Foundry Networks
Content delivery partners are:
Akamai
skycache
edgix
My experience is that up to 80% of everyday content can be cached. Medium to large shops can’t afford to do without this appliance, as it will save you from buying expensive Internet connections, like T1 lines, and greatly speed up your Internet experience. Imagine an ISP going from 8 overworked Unix Web servers down to 5 under-worked Web servers just by reverse proxying the content with the ICS boxes; I’ve seen it secondhand.
Network placement of ICS appliances
Use the appliance outside your firewall to accelerate your Website
Place the appliance next to your layer 4 switch to route all HTTP, FTP, and other relevant Internet IP proxy/cache traffic to the appliance before heading outside to the router interface that goes to the Internet cloud.
http://www.dell.com/us/en/biz/products/series_pwrap_servers.htm
http://www.compaq.com/tasksmart/cseries/index.html
Both sites have sizing tools. Compaq has a fantastic free deployment guide filled with strategies and ideas. Dell is usually the more cost-efficient of the two.
7.3.24 Novell Internet Messaging System (NIMS)
NIMS is Novell’s directory-driven e-mail system that is based on open standards (SMTP, POP, IMAP, LDAP, HTTP, SSL) and allows you to use any mail client. Info can be found at www.nimsinfo.com or www.novell.com/products/nims. The directory-driven portion of NIMS provides for:
No separate account creation or synchronization
Single password and other shared object attributes
User and server information is backed up automatically with the directory
Use of groups, aliases and organizational roles already in NDS
Automatic aliasing
Distribution of administration rights and tasks more easily
Cross-platform integration
Mail server clustering
NIMS server features:
Single copy message store
7 anti-Spam measures
SSL on every protocol
Web browser administration
Clustering
Mailbox quotas
System address book
Advertising
Users will see:
Auto reply
Forward (without env)
Auto localization
Proxy
User interface customization
Multiple entry points
7.3.25 Novell FireWALL for NT
The technology from Ukiah, a company Novell acquired, is being used to release a cross-platform firewall solution.
Graphical User Interface—Novell boasts the easiest in the industry— in reality, it is one of the best I have ever seen from Novell (why don’t they make other management utilities this easy?)
Bandwidth Traffic Management—QoS on the network (e.g., to give priority to FTP and HTTP traffic instead of the bandwidth-stealing PointCast program)
Directory Enabled
Third-party integration for URL filtering and virus scanning
7.3.26 ManageWise 2.7
ManageWise is Novell’s server and network management piece. ManageWise supports:
NetWare server management—hardware and software configuration information—ManageWise can report on over 450 server parameters
NT server alerts—SNMP alerts via an agent on the NT server
Hardware information
22 Windows NT server trend objects
NT Server events are mapped to generic SNMP traps
Desktop Management—though better done with ZEN for Desktops
Infrastructure Management—good for LANs, but not made for large scale WAN support
SNMP MIB-II support for alarm notification
To send server informational traps to ManageWise consoles, the severity level in the NWTRAP.CFG file will need to be changed. The steps to do this are included in NWTRAP.CFG. On NetWare 5 servers, the NWTRAP.CFG file is found in the SYS:SYSTEM\NMA directory. On a NetWare 4.1x server, the file will be found in the SYS:ETC directory.
Remote control
Real-time LAN segment monitoring
Packet Capturing
Server/node down alerts—done via IP or IPX intermittent pings
Asset management
Virus Protection on server and workstations
McAfee VirusScan and NetShield
Real-time scans
Server scanning
Boot sector, file, multipartite, stealth, polymorphic, encrypted and macro viruses
Auto-discovery of network—low network impact
Trending information for up to 2 years
Reporting features—TrendComplete and SyncComplete
Automated HTML reports
Graphs
Single query point for information
Pre-configured reports
Pervasive.SQL 2000 engine used in ManageWise 2.7
Note: ManageWise 2.7 works with NetWare 5.1 and Pure IP—ManageWise 2.6 will not work with IP only networks. Some of the most useful alerts are:
Users logged in
CPU utilization
NCP requests per minute
Total packets received per minute per NIC
Cache buffer %
Outdated DS.NLM versions
Outdated CLIB versions
Minimum hardware and software configurations
Weekly changes reports
The NWTRAP.CFG lists 382 SNMP alerts.
The number of Traps by category:
12 Async
6 Audit
4 DS Audit
9 Connection
35 Disk
7 Directory Services
66 File System
1 License Violation
17 Media Manager
8 Memory
7 NCP
13 Network
4 NLM
24 NetWare Operating System
11 Router
9 Security
72 SFT III
30 System
23 TimeSync
16 Transactional Tracking System (TTS)
5 User
24 Threshold
ManageWise has an ugly, unintuitive 16-bit user workstation interface.
NLMs related to ManageWise
NETXPLOR
NXPCON
NWPIP
NXPLANZ
IGROUPER
IPCACHE
ManageWise Web links
http://www.kansmen.com/
http://www.netpro.com/
http://www.atlantissoftware.com/
http://www.cplus.co.uk/
http://developer.novell.com/npp
http://ee-staff.ethz.ch/~oetiker/webtools/mrtg/mrtg.html
http://www.avanti-tech.com/
http://www.novell.com/coolsolutions/freetools.html
http://www.hdopp.de/
www.alantissoftware.com
Several AppNotes on ManageWise can be found at http://developer.novell.com/research
7.3.27 Lanalyzer
Novell’s sniffer program GUI, version 2.2, is old. Still, it has the best NetWare decodes. I use it often. You will find Lanalyzer in the Software Evaluation Library: http://shop.novell.com/shopnovell/index.jsp. If you are using Lanalyzer, don’t forget to download the SLP updates. They can be downloaded from http://support.novell.com/nisc/patlst.htm. The file is called LFW01C.EXE. A limited version of LANalyzer for Windows 2.2 is available for download from http://support.novell.com/products/lzfw22/patches.htm. Sniffer and network tuning information can be found in Chapter 9 and the appendix.
7.3.28 GroupWise
GroupWise is Novell’s e-mail collaboration solution. It is a holdover from the old WordPerfect days. GroupWise has been good for Novell. Many companies, errantly, do not consider GroupWise when evaluating groupware packages. Some of GroupWise’s highlights:
Support for POP3, IMAP4, and LDAP
Simultaneous multiple mail accounts supported
HTML editing and messaging
Built in workflow sequential routing capabilities
Support for NDS groups as distribution lists
Internet directory lookups
Plug-in to support MS Outlook as your e-mail client (6.5MB)
Web access through efficient Java servlets—more efficient than CGI scripts for the server—and custom integration with leading Web servers
Dynamic HTML conversion
Extensive calendaring features
Clustering support
NT services support
Paging capability through GWIA (GroupWise Internet Agent)
Symmetrical multiprocessor support (SMP)
Server Java monitoring agents which support HTTP and SNMP to agents
GroupWise monitor via a browser—uses a Java servlet
Centralized polling
ConsoleOne used to administer GroupWise
Novell boasts an installed base of over 22 million for GroupWise. GroupWise has won several awards and is worth your consideration.
Future of GroupWise
Novell’s publicly released vision of GroupWise:
XML integration to allow third-party product integration
Completely manage GroupWise from a browser
SSL connections between GroupWise post offices
Other GroupWise information
Novell Documentation
Novell TIDs
LogicSource CD for GroupWise
Novell Press books on GroupWise Administration and end-user guide
FaxWare for GroupWise—www.tobit.com
7.3.29 Novell Net Publisher
This product took me by surprise when it came out, as it seemed a departure from the products Novell normally puts out. When you understand the product, you may see the message Novell is trying to get out: NetServices across all platforms. You can publish documents to Novell servers, and other Web servers, without the intrusive Novell software client on your OS. By posting your work in a shared space, like a Web server where everyone can get to it, and setting NDS permissions on the file, where you define the security of who can get to it, you provide a collaboration platform: others check out the document, provide their written input and publish the updated file, which is then again available for collaboration. Net Publisher is written in Java and provides LDAP integration with NDS. Net Publisher consists of a server, a store, and a client and fully supports the WebDAV standard.
Server Components
WebDAV server—NetWare, NT or Unix, as long as there is WebDAV support
Indexer Server—Full-text indexing and searching capabilities
Conversion Server—Converts documents to HTML
NDS access with a zero-byte client highlights the Web Folder support for Office 2000. You will see Novell’s Net Publisher as a right-click menu choice when installed. Access files from anywhere you have Internet access: share, browse, search, edit, lock or unlock files. Go to www.juston.com to see this technology in action. JustOn provides 50MB of free Web storage space. You then manage the space.
Note: Novell acquired JustOn (www.juston.com), which operates in the Web storage space.
What is WebDAV?
WebDAV (Web Distributed Authoring and Versioning) is an extension to the HTTP 1.1 protocol to support collaboration. RFC 2518 describes WebDAV. Novell, interestingly, is part of the standards committee. WebDAV provides for:
Property information such as creation, removal and querying of document information
Overwrite protection which allows exclusive write lock and shared write lock to documents (locks can time out automatically)
Name space management which allows for copy and move operations within a server’s namespace
WebDAV uses XML as part of the protocol and bases its model after XML naming, structure and transmission of properties. WebDAV is not widely accepted for server (Novell’s Enterprise Web Server, IIS5.0, Apache modules) or client (IE5 and MSOffice 2000 Web Folders, DAVExplorer) support. Check out http://www.ics.uci.edu/pub/ietf/webdav/
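The property query and lock semantics described above, as an added Go example that is not code from the book, from Net Publisher or from any Novell server: a small in-process stand-in for a WebDAV server answers PROPFIND with a 207 Multi-Status body and grants exclusive write locks on LOCK, and two clients exercise it: the first obtains a lock token, the second is refused with 423 Locked (the overwrite protection), and a PROPFIND for the lockdiscovery property reports the active lock. The resource path, owner names and token format are constructed for the example, and the server is a deliberately minimal stand-in, not a complete RFC 2518 implementation.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
	"sync"
)

// Multistatus models the 207 Multi-Status reply of RFC 2518. The tags carry local
// names only, so they match whatever prefix the server binds to the DAV: namespace.
type Multistatus struct {
	XMLName   xml.Name   `xml:"multistatus"`
	Responses []Response `xml:"response"`
}

type Response struct {
	Href        string `xml:"href"`
	DisplayName string `xml:"propstat>prop>displayname"`
	LockToken   string `xml:"propstat>prop>lockdiscovery>activelock>locktoken>href"`
}

// davServer is a constructed stand-in for a WebDAV server (not Net Publisher's):
// it answers PROPFIND and grants one exclusive write lock per resource.
type davServer struct {
	mu    sync.Mutex
	locks map[string]string // resource path -> lock token
}

func (s *davServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	s.mu.Lock()
	defer s.mu.Unlock()
	switch r.Method {
	case "PROPFIND":
		w.WriteHeader(http.StatusMultiStatus)
		fmt.Fprintf(w, `<?xml version="1.0" encoding="utf-8"?><D:multistatus xmlns:D="DAV:"><D:response>
<D:href>%s</D:href><D:propstat><D:prop><D:displayname>%s</D:displayname><D:lockdiscovery><D:activelock>
<D:locktoken><D:href>%s</D:href></D:locktoken></D:activelock></D:lockdiscovery></D:prop>
<D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response></D:multistatus>`,
			r.URL.Path, path.Base(r.URL.Path), s.locks[r.URL.Path])
	case "LOCK":
		if _, held := s.locks[r.URL.Path]; held {
			w.WriteHeader(http.StatusLocked) // 423: the overwrite protection in action
			return
		}
		tok := fmt.Sprintf("opaquelocktoken:constructed-%04d", len(s.locks)+1)
		s.locks[r.URL.Path] = tok
		w.Header().Set("Lock-Token", "<"+tok+">")
		w.WriteHeader(http.StatusOK)
	default:
		w.WriteHeader(http.StatusMethodNotAllowed)
	}
}

// propfind is the property query: PROPFIND with a Depth header and an XML body
// naming the properties wanted; the 207 reply is decoded into Multistatus.
func propfind(c *http.Client, url, depth string) (*Multistatus, int, error) {
	body := `<?xml version="1.0"?><D:propfind xmlns:D="DAV:"><D:prop><D:displayname/><D:lockdiscovery/></D:prop></D:propfind>`
	req, err := http.NewRequest("PROPFIND", url, strings.NewReader(body))
	if err != nil {
		return nil, 0, err
	}
	req.Header.Set("Depth", depth)
	resp, err := c.Do(req)
	if err != nil {
		return nil, 0, err
	}
	defer resp.Body.Close()
	var ms Multistatus
	if resp.StatusCode == http.StatusMultiStatus {
		err = xml.NewDecoder(resp.Body).Decode(&ms)
	}
	return &ms, resp.StatusCode, err
}

// lockResource asks for an exclusive write lock with a timeout and returns the token.
func lockResource(c *http.Client, url, owner string) (string, int, error) {
	body := fmt.Sprintf(`<?xml version="1.0"?><D:lockinfo xmlns:D="DAV:"><D:lockscope><D:exclusive/></D:lockscope><D:locktype><D:write/></D:locktype><D:owner>%s</D:owner></D:lockinfo>`, owner)
	req, err := http.NewRequest("LOCK", url, strings.NewReader(body))
	if err != nil {
		return "", 0, err
	}
	req.Header.Set("Timeout", "Second-600")
	resp, err := c.Do(req)
	if err != nil {
		return "", 0, err
	}
	resp.Body.Close()
	return strings.Trim(resp.Header.Get("Lock-Token"), "<>"), resp.StatusCode, nil
}

// Exchange records what two clients saw: alice locks, bob is refused, PROPFIND shows the lock.
type Exchange struct{ Token string; FirstLock, SecondLock, Propfind int; Found *Multistatus }

// demo runs the whole conversation against the in-process server.
func demo() (Exchange, error) {
	srv := httptest.NewServer(&davServer{locks: map[string]string{}})
	defer srv.Close()
	c, url := srv.Client(), srv.URL+"/docs/report.txt"
	var e Exchange
	var err error
	if e.Token, e.FirstLock, err = lockResource(c, url, "alice"); err != nil {
		return e, err
	}
	if _, e.SecondLock, err = lockResource(c, url, "bob"); err != nil {
		return e, err
	}
	e.Found, e.Propfind, err = propfind(c, url, "0")
	return e, err
}
```

The point the exchange makes is that WebDAV is ordinary HTTP: the methods are new verbs, the property and lock requests are XML bodies, and the lock is enforced entirely server-side, so a second writer is told 423 Locked instead of silently overwriting the first writer's work.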
7.3.30 DirXML
DirXML provides for a new type of NDS replica: a virtual replica. Filtered replication is allowed with an XML rules engine with XSL processor and drivers, and other tools and accessories. DirXML is a solution that mimics the old Catalog Services solution, yet is many times more useful. Use DirXML to extend eBusiness applications (no modifications are made to the application) to reference NDS as a single source of collected data, indexed by virtual replicas from the configured XSL rules engine and XSLT style sheet. DirXML uses NDS to manage the flow of directory data via relationships with other directory services. Information is not dependent upon OS, NOS, databases, devices or applications. Simply, specific chosen directory information (properties about an object) is made available to applications to map or match information. For example, I go to a portal Website, log in and am presented my personalized information. In the background, the Website uses my login to query other partners to provide a seamless Web experience for me. Depending on the partnerships/relationships, I could get frequent flyer information from Delta and American Airlines (it is information found only on their sites), Marriott reward points, financial data from investments, overdue books at the library, favorite groceries that are on sale . . . you get the idea. Leveraging information that already exists in databases and other directories allows you to concentrate on eBusiness applications, not on merging over 100 disparate directories (independent reports show the average corporation has over 100 different sources of employee and customer information).
NDS extensions to support application data
Globalize directory support for open standards—LDAP (Lightweight Directory Access Protocol), XML (Extensible Markup Language), XSL (Extensible Stylesheet Language), DSML (a directory DTD)
Support for other directories and integration solutions
DirXML uses XML for:
Data conversion
Data mapping
Event mapping
Note: DirXML must have NDS version 8 (eDirectory).
7.3.31 NetWare Cluster Services for NetWare 5
Information can be found at http://www.novell.com/products/clusters/ncs/. Dell and Novell partnered for a 32-node cluster demo that was awesome. I don’t know when I would need a 32-node cluster, but if I did, and if the application could run on NetWare, I would go out and buy a Dell 32-node cluster.
7.3.32 Novell Replication Services (NRS)
This is one of those good-idea products that never seemed to get all of the bugs worked out. Many clients groaned about this product. Use ZEN for Servers to accomplish data replication on servers.
7.3.33 Novell Storage Services
NSS is Novell’s new file system. It is discussed in Chapter 2 and Chapter 5.
7.3.34 Schemax
This handy NDS schema extension product allows you to add properties to objects in NDS. We used it to add a social security number property to user objects at a university, without a line of code. The GUI allows you to drag and drop information to make NDS schema extensions easily. Novell bought the company and the product is available for free download; maybe it will be incorporated into ConsoleOne.
7.3.35 ConsoleOne/NetConsole
ConsoleOne/NetConsole is the management tool of the future. Novell has discontinued development on the NetWare Administrator. This product can be run from the server console or any workstation that supports a Java runtime environment. ConsoleOne is covered in Chapter 1.
7.3.36 WAN Traffic Manager
4.05MB Free with the OS
I have never recommended using this option. Perhaps it would be appropriate where a dial-up or leased line is in use. IPX SAPs and other broadcast network traffic should be your focus, not restricting NDS database synchronization. As a consultant, every administrator I meet loves to hear that he can administer his network via policies. NDS allows real-time policy management via network login identities, whether they are grouped or individuals. The WAN Traffic Manager (WTM) flies in the face of NDS policy management. The WTM sets restrictions on the synchronization policy engine. You are telling NDS not to synchronize, for example, until after midnight, thereby delaying all changes until a time when network traffic is lessened.
Network directory services create network traffic. NDS database processes generate server-to-server traffic:
Replica synchronization
Immediate Sync—10 seconds after save
Slow Sync—22 minutes after change
Schema synchronization—every 4 hours
Heartbeat—every 30 minutes
Limber—5 minutes after boot, then every 3 hours
Backlink—2 hours after boot, then every 13 hours
Connection management
Server status check—every 6 minutes
These events, left unchecked, can generate more traffic than you are comfortable with during high-usage periods. I am not comfortable trying to stop synchronization traffic without a darn good excuse. NDS is a directory service and should be treated with respect. NDS is like a queen wanting to communicate with her subjects. Don't stop the queen without a good excuse, or she could make you pay for the lack of communication, big time.

The WAN Traffic Manager acts as a WAN "traffic officer." It is a general-purpose WAN traffic policy interpreter for use by NDS that lets you control NDS traffic over WAN links by applying policies to directory services (it minimizes expenses for networks that have pay-by-use connection fees).

The three elements of the WAN Traffic Manager
WTM.NLM resides on each server in the tree. WTM.NLM reads a WAN Traffic Policy and determines whether NDS traffic will be sent.
WAN Traffic Policies are rules that control the generation of NDS traffic and are stored as an NDS attribute value on the Server object, the LAN Area Object, or both. Multiple policies are interpreted as multiple values of this attribute.
The interface for WAN Traffic Manager is a NetWare Administrator snap-in. It allows you to create or modify policies and LAN Area Objects, and to apply policies to LAN Areas or to servers. When the WAN Traffic Manager is installed, the NDS schema will include a LAN Area Object and three new detail pages on the server object: LAN Area Membership, WAN Policies, and Cost. You can apply policies to individual servers, or you can create LAN Area Objects, which are similar to group objects for servers. Policies applied to LAN Area Objects are automatically applied to all servers assigned to them.

The idea of controlling WAN traffic is noble, but in almost every case NDS traffic is far too important to delay synchronization. If you are that concerned about WAN traffic, use one manageable protocol, like IP, and control the excess traffic coming from the clients. See Chapter 9 for network tuning information. The only compelling reason I can find to use it is for replica servers that lie across expensive dial-up WAN links. I have been to clients that have replica servers behind WAN links with 9600-baud throughput, and NDS synchronization didn't eat up much bandwidth; it's the IPX SAPs that do. There may be cases that justify the use of WTM, but they are few.

Note: One of the new features in DS7 is that multiple objects can be sent in one packet. In NetWare 4.1 only changes for a single object could be in a packet. NetWare 5 reduces the total number of packets for synchronization, which is a benefit for WAN links.
Configuring the WAN Traffic Manager
The NetWare Administrator is used to configure the WAN Traffic Manager. If you loaded the product during install, you extended the NDS schema and copied a snap-in (a .DLL file) to the NetWare Administrator directory on the server.
1. Select an NDS NCP Server object that holds a replica of the partition on which you want to start a traffic policy.
2. Right-click, then go to Details. Choose the WAN Policy button.
3. Pre-defined policy groups may be chosen from the drop-down list.
4. Click on the Load Group button.
Note: The Advanced button allows you to alter the default settings of any policy group file.
Server Console Commands for WAN Traffic Manager
:WANMAN=ON
:WANMAN=OFF
:WANMAN POLICY ENABLE=policy_name
:WANMAN POLICY DISABLE=policy_name
:WANMAN LOGFILE MAX SIZE=filesize
:WANMAN REFRESH IMMEDIATE
Associated NDS objects
A LAN Area object is the NDS representation of a group of servers managed by the WTM policy.
Best Practice: Don't use the WTM. Control annoying, needless broadcasts, SAPs and similar traffic at the client, server and router level.
Associated NLMs
WTM.NLM
WTM.MSG
7.3.37 LDAP services (10.23MB, free with the NetWare OS)
The term LDAP has several meanings. LDAP is a protocol carried over TCP/IP. LDAP is an API for developers to hook into directory-enabled applications. LDAP is a format defining data in a directory. LDAP is a format to exchange information, referred to as LDIF. LDAP version 3 is supported by NDS. The complete LDAP v3 specification can be found in RFCs 2251 through 2256. Lightweight Directory Access Protocol (LDAP) is an open standard protocol riding on IP that rivals Novell's proprietary Novell Directory Access Protocol (NDAP). Novell includes LDAP support because it has taken center stage as the de facto standard that allows clients access to directory service information, from any directory service.
The Lightweight Directory Access Protocol is an open-standard protocol carried over TCP/IP to access any directory service that supports the LDAP standard. LDAP services are an extremely important strategic move for Novell. This open standard protocol gives programmers access to directory services like NDS through RFC-standard programming calls. Novell uses a proprietary NDAP (Novell Directory Access Protocol) structure. Developers have never flocked to Novell's API or .NLM architecture, so Novell's support of open standards opens a new door to developer support.

LDAP lets an application make a call to a directory service for information. For example, your e-mail client could query NDS for other e-mail addresses based on LDAP search criteria. Any attribute stored in NDS, such as:
Telephone numbers
Social security numbers
Fax numbers
Age
Homepage URL
Home directory
Password restrictions
E-mail address
Last login time
Login script
may be queried by any application written to ask for such object property information, and objects themselves (users, for example) may be queried as well. What an application actually gets back is governed by the NDS rights of the identity it binds as, so check the ACL on sensitive attributes (the social security number from the Schemax example is a good one) rather than assuming LDAP clients cannot see them.

Best Practice: If you are truly going to use LDAP, do not waste your time with DS version 7.x; upgrade to eDirectory (NDS version 8.x). eDirectory supports indexes and custom indexes to supercharge your LDAP queries.

LDAP provides for:
A data form—Defines what kind of information goes into an LDAP-compatible directory and how you update it
A naming form—Defines how to organize the information in the LDAP directory
A security form—Defines how to access information based on rights
LDAP also defines the LDAP Data Interchange Format (LDIF), which provides a text-based means to describe directory information. Using LDIF you can import and export bulk information between directories, similar to the OIMPORT and OEXPORT NDS tools.

LDAP offers nine basic protocol operations:
Search—A query function
Compare—A query function
Add—An update function
Delete—An update function
Modify—An update function
Rename (Modify DN)—An update function
Bind—A security function equivalent to a login (a simple bind carries the password in clear text unless the connection is protected by SSL)
Unbind—A security function equivalent to logging out
Abandon—Tells the server to cancel an outstanding operation, such as a long-running search; it does not close the connection (Unbind does that)

Configuring LDAP support for NDS
ConsoleOne is the only management utility that configures LDAP services. Currently, the Netscape Directory Server is Novell's biggest competitor in the LDAP directory services space. Netscape has been doing LDAP longer than Novell, which has led the industry to believe that Netscape's LDAP directory service is "pure LDAP" versus Novell's proprietary adoption of LDAP; that is untrue. The RFC for LDAP version 3 grants latitude for defining and extending schema objects and attributes.

Associated NDS objects
LDAP Server Object—The server where LDAP was loaded is the default LDAP server and is placed, by default, into the same NDS container
LDAP Group Object—This is where you set referral options and map NDS attributes to LDAP attributes
LDAP server console commands
NLDAP.NLM—If you installed the product, this command should be written automatically to the AUTOEXEC.NCF file
LDAP trace screen
NDS provides an LDAP directory trace screen for debugging and troubleshooting.
LDAP Help file on the NW51 CD-ROM
\PRODUCTS\NLDAP\SYS\PUBLIC\WIN32\NLS\ENGLISH
Online LDAP information
http://www.critical-angle.com/ldapworld/index.html
http://www.umich.edu/~dirsvcs/ldap/ldap.html
www.iit.edu/~gawojar/ldap
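The LDIF format described above, as an added example that is not part of the original text and not one of Novell's tools: a small Python reader for an LDIF export (RFC 2849 syntax) that copes with folded continuation lines, comments and base64 ("::") values, and then lists the entries carrying a chosen attribute. Run it over an export before you hand it around to see which entries carry something like the social security number attribute. The sample export, the attribute name socialSecurityNumber and the tree names below are constructed for the illustration.

```python
"""Minimal LDIF (RFC 2849) reader for inspecting a directory export.

Added example, not Novell code.  It handles the three things that break
naive line splitting: folded continuation lines (leading space), base64
values ("attr:: ...") and comment lines, then reports which entries carry
a given attribute.
"""
import base64

# Constructed sample export (not real directory data).  The second
# physical line of "description" starts with a space, so it is a fold.
SAMPLE_LDIF = """\
version: 1
# two users exported from a hypothetical NDS tree
dn: cn=jsmith,ou=students,o=univ
objectClass: inetOrgPerson
cn: jsmith
telephoneNumber: 555-0100
socialSecurityNumber:: MTIzLTQ1LTY3ODk=
description: This value is folded across
  two physical lines

dn: cn=agreen,ou=staff,o=univ
objectClass: inetOrgPerson
cn: agreen
mail: agreen@example.edu
"""


def unfold(text):
    """Join continuation lines (a line starting with one space continues
    the previous logical line) and drop '#' comment lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of (dn, {attribute: [values]}) tuples, one per entry.
    Entries are separated by blank lines; 'attr:: value' is base64."""
    entries = []
    current_dn, attrs = None, {}
    for line in unfold(text) + [""]:        # the trailing "" flushes the last entry
        if line == "":
            if current_dn is not None:
                entries.append((current_dn, attrs))
            current_dn, attrs = None, {}
            continue
        if line.startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            current_dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def entries_with_attribute(entries, attr):
    """DNs of entries that carry `attr` (attribute names compare case-insensitively)."""
    wanted = attr.lower()
    return [dn for dn, attrs in entries if any(a.lower() == wanted for a in attrs)]


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for dn in entries_with_attribute(parsed, "socialSecurityNumber"):
        print("carries socialSecurityNumber:", dn)
```

The base64 branch matters for exactly the attributes you care about: a directory exports a value in base64 whenever it is binary or contains characters LDIF cannot carry in clear, so a grep for the attribute name finds the line but a grep for the value does not.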
7.3.38 Secure authentication service
SAS is Novell's modular, core authentication service; it is not a library. SAS provides SSL connections and worldwide exportable cryptographic services for NDS authentication. SAS is a new security service that other security products depend on. SSL is automatically installed when you install SAS, as is NICI; SAS is built entirely on NICI. Any application written to the SAS interface inherits the ability to have PKIS manage its certificates. NDS Access Control Lists (ACLs) manage access to the private key that enables SSL. Because SAS is a network service, it has its own network identity. ACLs are set up on the SSL key object so that only the SAS identity can read the private key. This guarantees that non-authorized entities such as users, other server applications, and even the application built on top of SAS cannot gain access to and expose or subvert the private key.
Associated NDS objects
SAS Service Object
7.3.39 NICI
NICI (Novell International Cryptographic Infrastructure) is the cryptographic library that SAS uses; it applies the encryption and authentication rules permitted in different regions. NICI is installed by default when you install SAS. It is a dynamically bound cryptographic library that delivers controlled cryptographic services to your applications regardless of where they are used. In the past, applications had to provide their own services if they wished to employ cryptography. Because of the way the Novell cryptographic services are designed and provided via a standard SDK, application vendors can take full advantage of the services without having to incorporate cryptography in their applications. They can ship just one version of their product worldwide, instead of having multiple versions to accommodate the many and varied national cryptography policies. Novell will assure compliance with international laws and export requirements. NICI is the encryption capability written into NDS. It provides:
The ability for international applications to receive expedited U.S. export approval
Integrity of key management
An infrastructure supporting key escrow in future releases
A uniform cryptographic services API
Network security services built on NICI
Note: NICI is copied to the server during installation, as the licensing file is on the MLA diskette. NICI foundation keys are named serial_name.NFK. The foundation key installed on a server determines the cryptographic strength NICI will provide there, so check which key a server received before relying on its SSL services.
7.3.40 NTP
The Network Time Protocol is not a product, but an important feature. NTP itself is defined in RFC 1305; the Simple NTP client variant that most hosts implement is RFC 2030. NetWare supports this IP protocol to reference a defined IP address as a time reference provider. This authoritative source can be any host that supports NTP: an Internet site slaved to an atomic clock, or your local Unix box. Pick a source you trust and can reach reliably; NDS orders replica changes by time stamp, so a reference that hands out bad time does damage well beyond wrong clock displays. NTP information can be found in the SYS:ETC\NTP.CFG file.
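What the NTP exchange looks like on the wire, as an added example that is not part of the original text and not Novell's NTP.NLM: the client side of the RFC 2030 packet format in Python. It builds the 48-byte request, decodes a reply, computes clock offset and round-trip delay from the four time stamps, and refuses replies a client must not act on (wrong mode, leap indicator 3 meaning the server itself is unsynchronized, stratum 0, or an originate time stamp that does not echo our request, which is the cheap check against a reply that was not provoked by us). The reply decoded here is constructed with build_reply rather than captured from a server; function names and the "GPS " reference identifier are mine.

```python
"""SNTP (RFC 2030) packet handling, client side.  Added example, not NetWare code.

Packet layout (48 bytes, network order): LI/VN/Mode byte, stratum, poll,
precision, root delay, root dispersion, reference id, then four 64-bit
time stamps (reference, originate, receive, transmit) as seconds and a
32-bit fraction since 1900-01-01.
"""
import struct

NTP_EPOCH_OFFSET = 2208988800            # seconds from 1900-01-01 to 1970-01-01
NTP_PACKET = struct.Struct("!BBBb11I")   # 4 header bytes + 3 words + 4 x (sec, frac)


def to_ntp(unix_seconds):
    """Unix time (float) -> (NTP seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int(round((unix_seconds - whole) * (1 << 32)))
    return whole + NTP_EPOCH_OFFSET, frac


def from_ntp(seconds, fraction):
    """(NTP seconds, fraction) -> Unix time (float)."""
    return seconds - NTP_EPOCH_OFFSET + fraction / (1 << 32)


def build_request(transmit_unix):
    """Client request: LI=0, VN=4, Mode=3; only the transmit time stamp is filled."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    tx_s, tx_f = to_ntp(transmit_unix)
    return NTP_PACKET.pack(li_vn_mode, 0, 0, 0,      # stratum, poll, precision
                           0, 0, 0,                  # root delay, root dispersion, ref id
                           0, 0, 0, 0, 0, 0,         # reference, originate, receive
                           tx_s, tx_f)


def build_reply(request, receive_unix, transmit_unix, stratum=1, li=0):
    """Server reply (Mode=4) to `request`.  Used here only to construct sample
    traffic; a real server fills the stamps from its own clock."""
    req = NTP_PACKET.unpack(request)
    orig_s, orig_f = req[13], req[14]                # client's transmit becomes originate
    rx_s, rx_f = to_ntp(receive_unix)
    tx_s, tx_f = to_ntp(transmit_unix)
    li_vn_mode = (li << 6) | (4 << 3) | 4
    ref_id = int.from_bytes(b"GPS ", "big")          # constructed stratum-1 clock label
    return NTP_PACKET.pack(li_vn_mode, stratum, 6, -20,
                           0, 0, ref_id,
                           rx_s, rx_f, orig_s, orig_f, rx_s, rx_f, tx_s, tx_f)


def decode_reply(reply, request, t4_unix):
    """Decode a reply to `request` that arrived at local time t4.
    Returns (offset, delay) in seconds, or raises ValueError for a reply
    a client must reject."""
    if len(reply) < NTP_PACKET.size:
        raise ValueError("short packet")
    f = NTP_PACKET.unpack_from(reply)
    li, mode, stratum = f[0] >> 6, f[0] & 7, f[1]
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if li == 3:
        raise ValueError("server clock not synchronized (LI=3)")
    if stratum == 0:
        raise ValueError("kiss-o'-death / unsynchronized (stratum 0)")
    req = NTP_PACKET.unpack(request)
    if (f[9], f[10]) != (req[13], req[14]):
        raise ValueError("originate time stamp does not match our request")
    t1 = from_ntp(req[13], req[14])    # client sent
    t2 = from_ntp(f[11], f[12])        # server received
    t3 = from_ntp(f[13], f[14])        # server sent
    t4 = t4_unix                       # client received
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def reply_is_usable(reply, request, t4_unix):
    """True if decode_reply accepts the reply."""
    try:
        decode_reply(reply, request, t4_unix)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    req = build_request(1000000000.0)
    rep = build_reply(req, 1000000010.0, 1000000010.5)
    print("offset %.3f s, delay %.3f s" % decode_reply(rep, req, 1000000001.0))
```

Note what the checks do and do not buy you: matching the originate stamp and rejecting unsynchronized servers stops accidental garbage, but RFC 2030 carries no authentication, so a host that can spoof the reference address can still feed a server whatever time it likes.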
7.3.41 PKI Service (renamed Novell Certificate Server)
See Certificate Server earlier in this chapter.
7.3.42 Catalog services
I don't want to spend much time on an antiquated product. Catalog services provided a way to index certain NDS values. It was used for contextless login and faster queries. Upgrade to NDS 8. It is a free upgrade and provides the ability to cache the entire NDS database in RAM for instant access. By default, other NDS versions cache only 8 MB.
Best Practice: For the fastest NDS queries, upgrade to NDS version 8 and cache the entire NDS database on your main [Root] server. See the NDS chapter for more information.
7.3.43 Contextless login support
If you plan on using catalog services in an NDS version 8 (eDirectory) environment, you must have one DS 7.x server to run the dredger, DSCAT.NLM; the dredger will not run on an NDS 8 server, but the catalog objects will coexist in an NDS version 8 tree. There is talk of a future version of the NetWare client that will take advantage of the NDS version 8 indexes. There is an LDAP client snap-in on Novell's Cool Solutions Website which provides contextless login via LDAP, but it sends the password in clear text, so anyone who can sniff the path between client and server can read it. If, for some reason, you still want to use Catalog services, look up the relevant TIDs on providing contextless login support.
7.3.44 NetWare Enterprise Printing Services
Don't mess with this product; it was created for NetWare 4.11. Use NDPS.
7.3.45 NDPS printing (184.32MB, free with the NetWare 5 OS)
Novell Distributed Print Services is Novell's new standard for network printing. Developed by Novell, HP and Xerox, NDPS provides an enterprise printing architecture that is based on industry standards: the SNMP Printer MIB and ISO 10175. Automatic print driver download, easier printer configuration, better troubleshooting and support features, and IPP support are features of NDPS. With an embedded NDPS configuration, administrators and end users can directly interact with print devices. This is, by far, the best printing architecture I have seen from any vendor. Wow. If your company is not using NDPS, I want to know why (other than no money to update outdated print servers to NDPS-aware print servers). NDPS delivers real-time printer management, bi-directional printing, remote management of printers on desktops, printer notification (even by voice from Lexmark), automatic installation of printers, and LPR/LPD and IPP (Internet Printing Protocol) support. It is fault tolerant, accounting-enabled, and customizable by vendors. NDPS removes the need for IPX SAPs and supports plug and print. NDPS workstation support (you have to load it from the Novell client software) prints directly to the printer, not to a queue on the server first, which saves network traffic, and reports status through an event system. There is no polling traffic and no unnecessary polling CPU cycles. NDPS printers do not require server resources to print; users can print when the server is down.

NDPS installation is chosen during the install/upgrade to NetWare 5 or via the XConsole GUI on the server. You must have an NDPS Broker object and an NDPS Manager object created and loaded before installing your NDPS printer. You can have an unlimited number of both NDPS Brokers and NDPS Managers created, but only one of each can be loaded on any given server at a time. Also, the NDPS printer that you are creating can be associated with any of the presently created NDPS Managers/Brokers, provided they are loaded at the time of creation. For further details, see the Novell documentation (www.novell.com/documentation) on NDPS Broker/Manager creation and management.

Note: 185MB? Yes, this is much bigger than the NetWare OS, as it provides many workstation print drivers for different workstation OSs. NDPS printers can be installed on Windows NT desktops to provide all NDPS services to users. NDPS printers can be installed with the Add Printer wizard, through the Explorer window, with NWPM.EXE, or automatically when the user logs in using NDPS Remote Printer Management. NDPS includes support for SMTP notification of printer events. Because NDPS supports SMTP, any notification of printer and job events can be delivered to e-mail, pagers, cell phones, and so on.
Older bindery and NDS print services are still supported in NetWare 5.1, even through NDPS using the gateway feature. Your best choice for printing services is NDPS. NDPS can service existing queues, allowing you to use NDPS on the server even though your client platform is not currently running NDPS. This allows you to install and run NDPS while you are changing your client workstations over to NDPS. NDPS does require a module installed on the client workstation. This is done during the install of the client. Realize that NDPS will copy about 160MB of print drivers to the SYS:NDPS\RES\PRNDRV directory. Client-assigned printers will automatically download their assigned printer drivers from this directory (based on the client OS). NDPS allows the administrator to create only one printer agent object instead of the three separate objects of queue-based printing: the print server, print queue and printer objects.

NDPS supports "plug and print": as soon as a new printer is plugged into a network, the program automatically creates a public access printer agent, allowing anyone on the network to use the printer. A public access printer has no NDS object and therefore no access control, so if access to the new printer must be controlled, a quick configuration step converting it to a controlled access printer (one with an NDS Printer object) is necessary. NDPS also allows administrators to specify who should receive alerts and notifications. A pop-up window can notify the person submitting a print job when the work is done, and a junior administrator can receive "out of paper" or "toner low" alerts. Notifications can also be sent as e-mail via Novell GroupWise or any e-mail package that uses SMTP.

NDPS works like this:
1. The client locates a printer, most likely through an SLP Directory Agent.
2. NDPS gets the printer's type and Resource Management Service (RMS).
3. NDPS fetches the driver from the RMS and installs the printer on the client's workstation OS.
The administrator can also select printers to be automatically installed on client workstations. Workstation drivers are installed automatically when any end user assigned to that printer logs on to the network.

If you are printing through NDPS to a legacy printer:
1. The client binds to the Print Service Manager.
2. The client submits a job request.
3. The print service manager verifies the job.
4. The print service manager notifies the gateway of the new job.
5. The gateway retrieves the job and its attributes.
6. The job is processed by the gateway and sent to the printer.
7. Upon job completion the gateway updates the job object and informs the Print Service Manager.
8. (Optional) If job notification was requested, the client is notified of the job.

NDPS has four components, three of them required:
Broker—Provides event notification; only one Broker is needed per every three network hops
Manager—Registers the new printer agent with an SRS (service registry service), which is part of the Broker
Printer Agent—Day-to-day management is done with this object only
Gateway—The gateway is an optional piece used to support printers and print servers that are not NDPS enabled. The gateway creates a printer agent NDS object and sets the printer's attributes.

NDS objects related to NDPS
NDPS Broker—Provides event notification; only one Broker is needed per every three network hops
NDPS Manager—Manages the printer agents; it can manage an unlimited number, though I have heard of 600 agents working fine on a single manager
NDPS Printer Agent—Represents a physical printing device, except for the public access printers, which need no corresponding NDS object. Printer Agents are the foundational component of NDPS. They combine the previous functions of printer, print queue, print server, and spooler into one unit. Printer Agents are the NDPS mechanisms that receive and process NDPS printer and job requests, as well as providing a uniform interface to all NDPS users and administrators regardless of the type of printer they represent.

NLMs related to NDPS-based printing
NDPSM.NLM—The NDPS Manager
BROKER.NLM—The NDPS Broker
REGSRVR.NLM—Service Registry
NTFYSRVR.NLM—Event notification
RMANSRVR.NLM—Resource Management
XGATEWAY.NLM—Gateway services for Xerox; gateways are only needed to provide backward support for print queues
HPGATE.NLM—Gateway services for HP; gateways are only needed to provide backward support for print queues
Note: There are many vendor gateways included in NDPS.
SLP and NDPS
NDPS printers use SLP to register their services with a Directory Agent and for client browsing of printing services.
Other NDPS Tips
The client will keep a log file (5K) in the C:\WINDOWS directory for remote printer management functions.
NDPS 2.0 requires NetWare 5.
NetWare Administrator ➝ Tools ➝ NDPS Remote Printer Management option. You may manage printers in containers to which you have Supervisor rights on the container object.
There are NDPS white papers and TIDs to reference.
Best Practice:
Put the Broker on a NetWare server that has a replica of the context the Broker is in.
NDPS support must be installed on the client; make this one of your considerations when you deploy the NetWare client software. 800K of RAM is used for NDPS.
Check your printer vendors for updates to their NDPS gateways. HP and Xerox have updates that supersede support packs at times. Check printer firmware versions for NDPS support. If a third-party gateway doesn't work, chances are you can use Novell's gateway (port handler) and use LPR to print to the printer, if the printer supports LPR.
As you create the NDPS Manager, do not spool to SYS; you may fill up the volume with print jobs and crash NDS, whose database lives on SYS. Consider creating a separate PRINT, QUEUE or SPOOL volume, or if you do not want to lose the segment, simply spool to your APP volume. In most cases that space will be static, and you can always put space restrictions on the Printer Agents or even put a directory quota on the NDPS directory.

NAT
NAT is not actually a product, but a feature of the base OS. NetWare 5.1 provides NAT functionality. Novell's BorderManager product expands on NAT. Network Address Translation is a technique which maps IP addresses from one group to another and is invisible to end users. Network Address Port Translation, or NAPT, is a method by which both network IP addresses and their TCP/UDP ports are translated into a single "real" network address and its TCP/UDP ports. Jointly, this provides a mechanism to connect your private addresses to the outside through a single "real" IP address. NetWare, Cisco and other vendors sell and support NAT solutions. Refer to the BorderManager sections for more information.
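The NAPT mechanism the paragraph describes, as an added illustration that is not NetWare's or BorderManager's code: a Python model of the translation table that rewrites an outbound packet's private source address and port to the one public address and a freshly allocated port, rewrites inbound replies back to the inside host, and drops inbound packets for which no outbound flow ever created a mapping. The packet tuples and addresses are constructed; the class and field names are mine.

```python
"""Toy NAPT translation table.  Added example, not NetWare code."""
from collections import namedtuple

# A packet reduced to the fields NAPT looks at.  Constructed for the example.
Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port")


class Napt:
    """One public address in front of a private network.

    Outbound: (proto, private ip, private port) is given a public port, reused
    for the life of the flow so that replies can be matched back.
    Inbound: only packets whose (proto, public port) was allocated by an
    outbound packet are forwarded; anything else is dropped, because no inside
    host is reachable until it has talked out first.  That is the whole of the
    "hiding" NAT gives you; it is not a packet filter.
    """

    def __init__(self, public_ip, first_port=20000, last_port=29999):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.outbound_map = {}   # (proto, priv_ip, priv_port) -> public port
        self.inbound_map = {}    # (proto, public port) -> (priv_ip, priv_port)

    def _public_port_for(self, proto, priv_ip, priv_port):
        key = (proto, priv_ip, priv_port)
        if key not in self.outbound_map:
            if self.next_port > self.last_port:
                raise RuntimeError("translation table exhausted")
            port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = port
            self.inbound_map[(proto, port)] = (priv_ip, priv_port)
        return self.outbound_map[key]

    def translate_outbound(self, pkt):
        """Private -> public: rewrite the source address and port."""
        port = self._public_port_for(pkt.proto, pkt.src_ip, pkt.src_port)
        return pkt._replace(src_ip=self.public_ip, src_port=port)

    def translate_inbound(self, pkt):
        """Public -> private: rewrite the destination, or None (drop) if unmapped."""
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self.inbound_map.get((pkt.proto, pkt.dst_port))
        if inside is None:
            return None
        return pkt._replace(dst_ip=inside[0], dst_port=inside[1])


if __name__ == "__main__":
    nat = Napt("203.0.113.5")
    out = nat.translate_outbound(Packet("tcp", "10.0.0.7", 40001, "198.51.100.9", 80))
    print("outbound becomes", out)
    print("reply becomes", nat.translate_inbound(
        Packet("tcp", "198.51.100.9", 80, "203.0.113.5", out.src_port)))
    print("unsolicited inbound:", nat.translate_inbound(
        Packet("tcp", "198.51.100.9", 80, "203.0.113.5", 22222)))
```

A real implementation also ages mappings out (TCP on FIN/RST or idle time, UDP on idle time) and has to fix up the IP and TCP/UDP checksums after rewriting; the model leaves both out to keep the table logic visible.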
7.3.46 NIAS (formerly Multi-Protocol Router)
Formerly the Multi-Protocol Router, Novell Internet Access Server acts as a gateway between your local network and the Internet, or another network. In NetWare 4.11, two different DHCP server NLMs are needed in order to service local clients and remote dial-up clients. Using NIAS (Novell Internet Access Services), it is possible to configure the NetWare server to hand IP addresses to dial-up clients. NIAS 4.1 ships with NetWare 5. DHCP 3.x provides both capabilities (local and dial-up) in a single DHCPSRVR.NLM. Use the following steps to configure the NetWare server to issue IP addresses to dial-up clients:
1. Install NIAS 4.1.
2. Load NIASCFG.
3. Select Setup.
4. Select Remote Access Services.
5. Select PPPRNS = YES.
6. From the list of available protocols, select IP.
7. In the "Parameters for loading services" box, select "Specify Client Address Range = YES".
8. Specify the Client Start range.
9. Specify the Client Stop range.
10. Save the changes and reload NIAS.
Make sure you are running DHCPSRVR and NIAS on the same server in order to service the dial-up clients.
7.3.47 SSLizer
A new product from Novell that provides:
Security and performance over SSL—Offloads the SSL workload from Web servers and accelerates through a proxy
Mutual authentication—Digital certificates, token cards, username/password support
Plug-and-forget installation—No client software needed, no browser plug-ins, no configuration of your Web server
Policy management—User or server based
Content filtering
OS independence—Able to run with any Web server OS
Crypto card—Support for hardware crypto acceleration
Telnet/FTP support—Required for the management and administration of SSLizer
Note: The management channel is Telnet and FTP, both of which carry credentials in clear text, so keep that interface on a management network rather than on the side facing your users. Otherwise the box protecting your Web traffic with SSL is itself administered over a link that offers none.
7.3.48 Digital Me
Digital Me is a personal preference tool for end users to interact with business sites. Preferences are customized to your input. Digital Me is available as an identity server and as a hosted service. Digital Me uses a meCard, which is a customized personal information profile you put together for specific online purposes, like an electronic business card. You control what goes on the card and what parts are shared. The dynamic features of Digital Me include automated fill-in of online forms and dynamic changes to your profile replicated across to everyone you chose to give your meCard to.
www.digitalme.com
7.3.49 Netscape Enterprise Web server
Netscape, I believe, got tired of having to rewrite their Web server software every time Microsoft came out with a service pack and killed their performance. NetWare is an awesome platform for this Web server. Novell's own Website, as you might expect, uses NetWare 5.1 and Netscape Enterprise Server on the Intel platform, which is unusual, as many large Websites rely on RISC chips. NetWare runs Java servlets most efficiently; CGI and Perl are supported, but are not ideal in heavily used environments without multiple CPUs, as the CPU cycles they generate are not as efficient as Java servlets.
http://www.novell.com/documentation/lg/nes4nw/docui/index.html
Netscape-related modules
NWHDIR.NLM—Netscape server user home directories
WEBDAV.NLM—Novell's WebDAV protocol support, a Netscape Server plug-in to support functions like MS Office Web Folders
NSSGC.NLM—Novell's Java servlet gateway
7.3.50 NDS for NT
NDS for NT is a product to simplify NT domain management. The NetWare Administrator GUI manages domains similarly to NDS groups. The NT 4.0 file SAMSRV.DLL is replaced so that SAM calls are redirected to NDS for authentication into the directory tree. Highlights of the product:
Administration for NT accounts may be done in NT or NDS.
NDS and NT domain passwords are synchronized.
NDS for NT supports up to 65,000 users in a single domain.
Eliminates many NT security hacks by keeping information securely in NDS.
Enforces intruder detection lockout across all domains.
No need for NT domain trusts.
PDC-to-BDC replication traffic is eliminated.
Allows NDS replicas on NT servers, especially useful for remote sites with only NT servers.
No client pieces needed; the software goes only on the NT servers that are PDCs and BDCs.
NDS for NT 2.01 provides Pure IP support.
NDS for NT requires NT 3.51 SP5 or NT 4.0 SP3 at minimum.
This, like many Novell products, enjoys very positive press coverage.
7.3.51 BranchManager for NT
BranchManager for NT is sold as one product but is a compilation of the following products:
NDS for NT
ZEN for Desktops
BorderManager Authentication Services
ManageWise Agent for NT
7.3.52 ZENworks for Desktops
ZENworks for Desktops used to be referred to as just ZEN or ZENworks. Novell has expanded the ZENworks for Desktops 3.x offering to:
General enhancements to the 2.0 release and bug fixes
  No NetWare OS dependencies, though eDirectory is still required
  ConsoleOne is used for administrative functions
  Windows 2000 management features
  Mobile user support
Application policies
  Install, repair and create-CD utility for applications
  Microsoft Installer support
  Application uninstall without interfering with shared .DLL files
  New association types: quick launch and force cache
  Tiered Electronic Distribution agent for the Novell Application Launcher
Disk imaging
  Directory-enabled disk imaging
  Create and restore drive images from ConsoleOne on managed workstations
  Application overlay
  Make images available offline
  Create offline CD images
User policies
  Consolidated policy packages between Windows 2000, NT and Win9x packages
  Windows 2000 Group Policy integration
  Windows Terminal Server user settings policy
Workstation policies
  Consolidated policy packages between Windows 2000, NT and Win9x packages
  Windows 2000 Group Policy integration
  Auto Workstation Import (AWI) and removal
Inventory enhancements
  Database rollup capability for enterprises; the database shortcomings of past releases were less than enterprise capable (Sybase is the default database in ZEN for Desktops 3)
  Reporting enhancements to allow third-party reporting tools, and a Data Export Wizard
  Oracle 8 ready
  Software metering
Remote management
  Remote control
  Commandeer with screen blanking and keyboard and mouse locking
  Wake-on-LAN
  Performance enhancements, including speed improvements
Documentation on ZENworks for Desktops
The Logic Source for ZENworks is a good source for ZENworks for Desktops information, as is O'Reilly's ZENworks book, Desktop Management with Novell ZENworks. Novell Press also has a new ZENworks for Desktops 3 Admin Guide. Don't forget Novell's online documentation site and support TIDs, and the following sites:
http://www.performingpcs.com.au
http://www.novell.com/coolsolutions/zenworks
http://www.zenman.de/
http://www.zenworksmaster.com/
http://www.nwadmin.de/
http://www.digitalco.com/staff/brian/nal
http://www.jsiinc.com/
http://www.zenmaster.com/
http://netadmincentral.com
ZENworks in your workstation registry
ZENworks for Desktops configuration parameters, like those of almost any other application, are written to the workstation registry database.

NDS database size increase by using ZENworks
Table 7.1 shows the average size of the ZENworks NDS objects. Depending on the number of objects and the data stored in the objects, NDS will consume the following additional SYS volume space:
100 users, 100 workstations, 4 different policy configurations, 50 Application objects with software distribution: about 10–15 MB
1000 users, 1000 workstations, 4 different policy configurations, 100 Application objects with software distribution: about 40–50 MB
5000 users, 5000 workstations, 4 different policy configurations, 100 Application objects with software distribution: about 130–140 MB

Table 7.1 ZENworks NDS Object Average Size
Object Class | Typical # in one location | Object Size
Workstation without inventory data | # computers | ~3 KByte
Workstation with inventory data | # computers | ~10 KByte
Workstation group | ~# of different workstation configurations | ~2–20 KByte
Policy package | ~3–20 | ~2–5 KByte
Policy | ~15–50 | ~1–10 KByte
Application | ~20–100 | minimum 3 KByte; MS Office 97 full distribution ~1 MByte
Application folder | 1 | ~2–10 KByte
NDS access and replication traffic increase by using ZENworks
Table 7.2 shows process traffic using ZENworks.
The standard processes Workstation Login and User Login produce only about 2KB of additional replication traffic per workstation or user.
The Workstation Inventory process produces about 5KB of replication traffic.
Best practices
Always have a working AOT or AXT in reserve.
Use "clean" imaged machines to take ZEN snapshots.
Since ZEN takes the user's home directory from NDS and not from the domain store area, make sure that the Home Directory on the user object's Environment tab is correct (this is really the only one that matters to ZEN).
When designing ZENworks in your tree, try not to allow your application objects to be referenced outside of your current partition.
When assigning Application objects to groups of users, use OUs rather than groups whenever possible. Groups may cause unnecessary delays, as tree walking is sometimes necessary to resolve group members in different partitions.
There is an article called "The Basics" on the Cool Solutions Website to get you started.
NDS version 8 (eDirectory) handles stream files better than NDS version 7.x; therefore ZEN Application objects take up less directory space. Depending on which options are used, you create up to 28 stream files per Application object in NDS version 7.x.
Applications that configure themselves after a reboot require you to complete the ZEN snapshot before the workstation reboots.
Table 7.2 ZENworks Process Traffic
Columns: Process | Client-NDS Traffic to Local Replica (K sent/K received, packets) | Synchronization Type (Immediate/Slow) | NDS Replication Traffic Between Two Servers
Processes measured:
- Workstation Boot with Workstation authentication (no user login; Novell Client Policy defined; Remote Control Policy defined; Workstation Printer Policy defined with 1 printer): 27 K Send/32 K Receive, 268 packets
- User-Login with User Policy Package, without Login-Script, with Workstation object
- Workstation Registration: 26 K Send/34 K Receive
- Workstation Import (with Schema Check)
- Workstation Inventory (1. Run)
- Workstation Inventory (2. Run)
- Start of NAL 2.5 Window (local copy of NAL.EXE; 8 associated applications; no group assignments)
- Refresh of NAL 2.5 Window (8 associated applications; no group assignments)
- 1. Start of local NAL application Notepad, without software distribution
- 2. Start of local NAL application Notepad, without software distribution: 5 K Send/3 K Receive, 64 packets; no NDS changes, no replication traffic
- 3. Start of local NAL application Notepad, without software distribution, start load balanced application: 6 K Send/4 K Receive, 72 packets; no NDS changes, no replication traffic
Synchronization types recorded: Slow (five rows) and Immediate (one row). Remaining measurements in the table (their row assignment is not recoverable from the page layout): 109 K Send/27 K Receive; 11 K Send/1 K Receive; 5 K Send/1 K Receive; 24 K Send/44 K Receive; 9 K Send/1 K Receive (14–20 packets); 5 K Send/1 K Receive (16–22 packets); < 2 K Send/< 1 K Receive (2–8 packets); < 1 K Send/< 1 K Receive (2–8 packets, two rows); < 2 K Send/< 2 K Receive; 4 K Send/1 K Receive (6–12 packets); 18 K Send/26 K Receive (434 packets); 7 K Send/5 K Receive (318 packets); 100 packets; 312, 462, 36, 14 and 12 packets; several rows with no NDS changes and no replication traffic.
7.3.53
When using the ZENworks client, the client searches each container, starting with the user object’s container, all the way up to [Root] for a policy package. This creates problems in a WAN environment. Limit the search by creating a container policy package with a search policy. The search policy has several options: Object Container, Partition, Selected Container, [Root]. Set the search policy to Selected Container to prevent the ZENworks client from searching below a specific container.
Print out TIDs on every ZEN task and subject you need.
ZENworks for Servers
I love ZEN for Servers. It is most appropriate for Novell’s largest server-based installations. Still, medium-size companies with accomplished administrators can save valuable time and energy using policy-based management products. ZEN for Servers allows policy management, through NDS, of servers.
Realize that the functionality of ManageWise was ported to ZENfS v2.0. Now ZfS v2.0 allows you to manage the network alerts, and everything is managed from one common console, ConsoleOne. Also, all the functionality of ManageWise is now 32-bit. The product was 100% redone. The database is now a lightweight Sybase rather than the horrible Btrieve one. You no longer need a dedicated workstation to manage the application and report generation. It’s all managed via ConsoleOne from any workstation on your network.
Specifically, you can:
Automate server software installation through software distribution and automated server configuration—tiered electronic distribution (TED) is used
Perform automated Service Pack installations.
Set policies on server configuration
Perform server management tasks on a schedule or in response to an event
Do a one-time server software setup and apply it to multiple servers
Eliminate manual installation processes
Automated distribution and updating of server content
Distribute software across WAN links through proxy agents configured through NDS
Configuration and behavioral management based on policies stored in NDS, including NetWare SET parameters, server down schedules and timing, script automation, and SNMP Trap destinations. An example of a behavioral policy is the Down Server policy that defines an automated process to bring a server down and the criteria that must be met before the server can be taken down.
Policy engine to locate and schedule all policies that apply to given servers.
Configuration enforcement on single or multiple servers.
Policy-based configuration of machines for distribution, subscription, and proxy agents within NDS.
ZENworks management database for tracking and reporting all ZENworks for Servers processes.
ZENworks for Servers policy management
ZENworks for Servers includes 13 customizable types of policies:
Server Down: Schedules down time and who should receive a message if someone enters the DOWN command at the server console. Configure the conditions that should override a server down command.
SET Parameters: Enforce server SET parameter configuration compliance.
Server Scripts: PERL, NetBasic or .NCF files.
Scheduled Load/Unload: Automates module, or Java program, loading and unloading, much like STUFFKEY and CRON.
Text Change: Edit any text or configuration file on your servers.
ZENworks for Servers Policies: Policies based on servers that are in NDS.
SMTP Configuration: Automate server SMTP alert configurations.
Documentation can be found at Novell’s documentation Website, www.novell.com/documentation. ZENworks for Servers works on NetWare 4.11 servers and above. Best Practice: Use no more than 40 servers per distributor.
7.3.54
ZENworks for Networks (routers and switches)
The first, 1.0, release of ZENworks for Networks was less than remarkable. Since then, word is, it is impressive: QoS (Quality of Service) offerings on an NDS level. Set policies based on NDS information, like bandwidth for users, groups, etc. Novell is leveraging directory services to a new level. I don’t know how well this product is being received (selling), as many router boys do not want any part of an OS or directory service touching their routers outside their router’s OS. That is okay if you sell it to upper management, which has always been a weakness of Novell.
7.4
Novell’s support lifecycle product forecast
The following site is a great resource for finding which product(s) are coming to the end of their existence: http://support.novell.com/lifecycle/forecast.htm
7.5 Other Novell products
SQL Integrator
Pervasive SQL 2000
Reporting snapin to ConsoleOne
NetWare Host Integration Solution
NetWare for SAA 4
HostPrint 2
HostPublisher
Novell High Availability Server
Novell StandbyServer
Novell StandbyServer Many-to-One
Novell SnapShot Server
8 NetWare Security
Chapter 8 is the culmination of a lot of work. I wanted to write a chapter about NetWare security, but could find little information. The fragmented information I did find is in this chapter. Not only did I put in Novell information, but I also visited all of the hacking communities I could find that offered NetWare information. A hacker wants Admin equivalence. Some hackers want it to see sensitive information, some want to spread it, some want the thrill of the chase and others have destructive intentions. A hacker also wants to hide his tracks. NetWare’s basic model is NDS and file system security. File system rights can be managed on directories and files. NDS security includes object and object property rights.
NDS Object Rights
NDS Object Property Rights
File and Directory Rights
File and Directory Attributes
Other security support, such as LDAP, SAS, PKI, VPN and firewalls are available too. NetWare 5 provides security updates not found in NetWare 4. My first recommendation is to upgrade to NetWare 5.x from your existing 3 or 4 platforms.
8.1
NetWare “out of the box”
NetWare, like other operating systems out of the box, is neither secure (at least not secure to the point of your company’s peace of mind) nor performance “tuned” (performance tuning is covered in the next chapter). To that end, it is essential to know which security doors to close to the computer hacker, the curiosity seeker and the accidental deleter, without causing your users unnecessary hardships (like daily password changes). Having the best tools does not make you the best mechanic. You must use the tools that NetWare provides to make your implementation secure. Your security model starts with the server hardware physically protected from curiosity seekers. Many of my clients have rogue servers under desks. This is not a problem for lab testing purposes when the servers exist in a different tree and on a network separated from the production environment. Security is for the internal end-users as well as outside hackers. As a consultant, I am surprised at how many shops do not take security seriously. I find file system security is often overlooked. Realize there are file rights and directory rights. Both flow down. In other words, if you have the maximum rights (SUPERVISOR) to your user directory, you will have SUPERVISOR rights, by default, to any sub-directory created beneath that directory.
File system rights Right-click on any file and you will see a tab to set NetWare trustee rights on each file. Trustee rights are stored at the volume level. You may restrict or allow file access based on user object, group object or container object rights. Each of these rights is listed in the Appendices. NetWare also provides the DOS RIGHTS and FILER utilities to set file rights.
File attributes File attributes are set by right-clicking a file ➝ Properties ➝ NetWare Info or through other file management utilities. NetWare also provides the RIGHTS command and FILER utility to set file rights.
Directory rights Right-click on any directory and you will see a tab to set NetWare trustee rights on any directory. You may restrict or allow directory access based on user object, group object or container object rights. Each of these rights is listed in the Appendices.
Directory attributes Directory attributes are set by right-clicking ➝ Properties ➝ NetWare Rights.
NetWare has a great security track record. NetWare is the only distributed network operating system to receive the US government’s C2 certification. Look for NetWare hacks on hacking sites and you will see mostly old 3.x hacks and utilities. You can see as much as a factor of 30 times fewer NetWare hacks as opposed to other operating systems. NetWare has an excellent security model and can be considered a great foundation for network security. There are, however, ways to defeat a good security policy.
8.1.1
Updated Security in NetWare 5.x versus 4.x
http://www.novell.com/corp/security/
Novell wouldn’t forward me the updated security features in NetWare 6. I’ll post them on my Website when I find them (www.netadmincentral.com). NetWare 5 includes security features not found in earlier versions, for example:
Increased granular controls within NDS to better control who can perform specific administrative functions within the NDS environment.
Inherited Rights check box within NetWare Administrator to allow (default) or disallow (by unchecking the box) NDS object and/or property rights to flow down the OU. The inheritable check box is checked by default if All Properties is selected for the property rights.
A helpdesk-enabled password management feature that provides a specific attribute within an OU allowing an Admin-assigned user object the ability to change user passwords without granting full permissions to user object attributes. Password administration can be done in mixed NW 4.x and 5 environments, but your primary connection must be to a NW5 server with a replica on it, or the change password button may be grayed out. On the client, right-click the small red N in the systray ➝ NetWare Connections ➝ verify your primary connection is to a NetWare 5 server (the primary connection has an asterisk by it).
Security Equal to Me tab within the NetWare Administrator lists all objects that are equivalent to a given object so that the system administrator knows who is granted effective rights to any object within the NDS environment. Security equal to permissions are not transitive. In other words, you cannot assume Admin security equivalence by making yourself security equal to another user who has Admin equivalence. You will only gain equivalence to the explicit rights that the user possesses.
Replacement of the lock monitor console, in MONITOR.NLM with a screen saver NLM (SCRSAVER.NLM), which you can make require NDS authentication to obtain access to the server console. Additionally, access at the server console can be limited based on the system administrator’s access rights. This is utilized to help separate duties between various types of system administrators such as backup operators and NDS administrators. See Chapter 2 for instruction on how to use the SCRSAVER.NLM.
PKI, integration of SSL v3 and LDAP into NDS, enhanced cryptographic services, Novell Modular Authentication Service (NMAS) that includes support for SMART cards, tokens, biometric authentication and other Secure Authentication Services.
Netscape Enterprise Server security features
The new Netscape Enterprise Server replaces the old FastTrack “mini-Web server.” It includes the following security features:
Restricts access to information stored on the server via NDS authentication.
Encrypts communications between the server and a Web client.
Allows access to documents, directories, and applications based on specific user name/password pairs, groups (collections of users), IP addresses, host names, or domain names.
Supports client authentication to restrict access based on client certificates. Incorporates SSL 3.0.
Includes centralized management because of the integration to Novell Directory Services and LDAP directories.
Note: Novell has now seemingly endorsed Apache Web server on NetWare and even provides a link for it on its Website.
Physical security
Secure your servers physically. No operating system is safe when a hacker has access to consoles. The NetWare server is no exception. It is relatively easy to load NLMs from a diskette, go into debug mode, turn the machine off or remove NDS from the server if a user has access to the console. What about the secure screen saver in NetWare 5, you ask? Well, it does require NDS authentication, but according to some hacking sites, there are still possible holes. If someone has physical access to the server, all bets are off. The best policy is to severely limit physical access to servers. The one challenge is to realize that it is tempting to use RCONSOLE, which subverts security too. It is “crackable,” as you’ll read later.
Virus protection
I have compiled the following recommendations for virus software configuration:
Enable the virus-detection option in CMOS.
Enable the virus expiration warnings to alert you when signatures are outdated.
Set the server’s virus scanning software to scan both incoming and outgoing files.
Include all file types when scanning.
Use a software package that allows files to be quarantined. This will prevent users from gaining access to the infected files and perpetuating the virus.
If possible, do not give the user the option to “Cancel” the virus repair.
Use ZENworks to mass-distribute virus signature updates. ZENworks will allow you to “push” these updates to your workstations without user intervention.
Update your write-protected emergency boot disk whenever new signature files are received.
Configure your e-mail servers to filter and eliminate unsolicited junk e-mail that could contain a virus as well as malicious code (e.g., VBS scripts as attachments).
Configure the virus software to immediately send virus notification(s) to the network administrator as well as the user.
Scan all incoming and outgoing e-mail and attachments.
Discourage non-work-related downloading of attachments.
Encourage users to install an anti-virus software package on their home computers. Computer Associates (http://www.cai.com), one of the top anti-virus software developers, offers their product, InoculateIT, free to home users (http://antivirus.cai.com).
It should be obvious to keep your virus signatures up to date on servers as well as workstations. Current vendors that support NetWare include, but may not be limited to:
NetShield from Network Associates http://www.mcafeeb2b.com
Server Protect from Trend Micro Inc. www.antivirus.com
Norton Antivirus Corporate Edition www.symantec.com/nav
Command AntiVirus from Command Software Systems www.commandcom.com/products/netware.html
InoculateIT for NetWare from Computer Associates International Inc. www.cai.com/products/inoculateit.htm
File system
Like NDS security, the NetWare file system has a granular model. It is possible to nail down certain directories or files from accidental deletion or from prying eyes. The simplest way to test your current security on the file system is to log in as a user with default rights and browse the network. What can you see? Can you see the SYS:SYSTEM directory or the SYS:ETC directory? Can you see the directories where you can load NWADMIN and NDS Manager? Can you browse the entire tree? Users have no business in most NetWare utility-specific directories. FILER, the NetWare Administrator GUI, the Novell workstation client (right-click a file or directory) and ConsoleOne are NetWare’s file management utilities. You can also use the RIGHTS command.
File system access
NetWare provides for five tiers of file system access:
1. Not logged in: you can browse the tree and get to SYS:LOGIN.
2. Logged in (trustee rights). Logging in requires:
a. The client sends a request for a login key, and the server sends an 8-byte number back.
b. The client then sends a request for the user’s ID. The NetWare server sends the ID to the client.
c. Finally, the client and the server run the same algorithm on the user’s password. If the results match, you gain access (login succeeded). Remember that the password is never sent across the wire.
3. Operator access.
4. Supervisor, or Admin.
5. OS access, needed by programs and some NLMs.
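The three-step exchange in item 2, as an added example that is not from the book: a constructed challenge-response login in which HMAC-SHA256 stands in for NetWare’s own password algorithm (which the book does not reproduce). It shows that the server issues a random 8-byte login key, both sides derive a proof from the password and that key, the clear-text password never appears on the wire, and a captured proof cannot be replayed because the key is single-use. The Server class, the account and the password are all constructed for the example.

```python
import hashlib
import hmac
import os

LOGIN_KEY_BYTES = 8   # the book: the server sends an 8-byte login key back


def password_verifier(user_id: bytes, password: str) -> bytes:
    """Value derived from the password that both sides can compute locally.
    Stand-in for NetWare's stored password form (constructed, not Novell's)."""
    return hashlib.sha256(user_id + password.encode("utf-8")).digest()


class Server:
    """Constructed login server: stores verifiers, hands out one-time keys."""

    def __init__(self):
        self.accounts = {}   # name -> (user_id, verifier); no clear password kept
        self.pending = {}    # connection id -> outstanding login key
        self.wire = []       # every message exchanged, captured for inspection

    def create_user(self, name: str, password: str) -> None:
        user_id = os.urandom(4)
        self.accounts[name] = (user_id, password_verifier(user_id, password))

    def send(self, direction: str, payload: bytes) -> bytes:
        self.wire.append((direction, payload))
        return payload

    # step a: client asks for a login key; server answers with 8 random bytes
    def get_login_key(self, conn: int) -> bytes:
        self.send("client->server", b"GET_LOGIN_KEY")
        key = os.urandom(LOGIN_KEY_BYTES)
        self.pending[conn] = key
        return self.send("server->client", key)

    # step b: client asks for the user's object ID; server returns it
    def get_user_id(self, name: str) -> bytes:
        self.send("client->server", b"GET_ID " + name.encode("utf-8"))
        user_id = self.accounts.get(name, (b"", b""))[0]
        return self.send("server->client", user_id)

    # step c: client sends its proof; server recomputes it from the verifier
    def login(self, conn: int, name: str, proof: bytes) -> bool:
        self.send("client->server", b"LOGIN " + name.encode("utf-8") + b" " + proof)
        key = self.pending.pop(conn, None)        # the key is used exactly once
        account = self.accounts.get(name)
        if key is None or account is None:
            return False
        expected = hmac.new(account[1], key, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)  # constant-time compare


def client_login(server: Server, conn: int, name: str, password: str) -> bool:
    """What the client does: the password stays local, only the proof is sent."""
    key = server.get_login_key(conn)
    user_id = server.get_user_id(name)
    proof = hmac.new(password_verifier(user_id, password), key, hashlib.sha256).digest()
    return server.login(conn, name, proof)


def password_on_wire(server: Server, password: str) -> bool:
    """True if the clear-text password appears in any captured message."""
    needle = password.encode("utf-8")
    return any(needle in payload for _, payload in server.wire)


if __name__ == "__main__":
    srv = Server()
    srv.create_user("jdoe", "Corr3ct-Pa55")          # constructed account
    print("good password:", client_login(srv, 1, "jdoe", "Corr3ct-Pa55"))
    print("bad password: ", client_login(srv, 1, "jdoe", "wrong"))
    print("password seen on wire:", password_on_wire(srv, "Corr3ct-Pa55"))
```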
Remember that trustee rights are stored at the volume level. File system rights can be remembered by the acronym WORMFACES; discard the O. File system and directory security include the following eight rights:
Supervisor: The sum of all other access rights.
Read: Allows a user to view the contents of the directory or execute a file.
Write: Allows a user to view and modify the contents of a file.
Create: Allows a user to create new files or salvage files that have been deleted.
Erase: Allows a user to delete or overwrite a file.
Modify: Allows a user to rename a file or change its attributes.
File Scan: Allows a user to view the contents of a directory without being able to view the contents of any of the files within it.
Access Control: Allows a user to change trustee assignments and grant access rights to other users. This right allows for trustee assignment changes and IRFs. Giving Access Control is similar to giving Supervisor rights.
Note: Users rarely need Access Control. Some admins grant it to users for their home directories, but I wouldn’t. Exceptions might include junior admins or department heads needing to create a network shared directory.
Typically a secure site would only allow users Read and File Scan in directories where needed. Don’t give users rights on the root directory of any volume. Allowing more admins to give rights may reduce your workload, but it is at the expense of corporate security—more hands in the cookie jar. By default, an end-user has the following rights:
The user will be granted (RWCEMFA—all possible rights) to their own home directory, created during the NDS user object creation.
A user in the same NDS container (context) as the SYS volume object receives Read and File Scan rights to SYS, which are needed to login. [Public] receives Read and File Scan rights to SYS:LOGIN. The NDS container (O or OU) a volume object is in, receives Read and File Scan to SYS:PUBLIC; therefore, by inheritance, every object in the container receives the same rights.
File access security policy should be based on minimums. Table 8.1 lists the minimum rights required to perform the defined tasks. Warning: Remember, when an Admin installs or upgrades a server, he/she is given, by reason of the upgrade, SUPERVISOR rights to the server object, which, in turn, grants SUPERVISOR rights to files on that specific server. According to Novell, this is the only time that NDS and file system rights overlap.
Best practices Some best practices for file system rights:
Keep user home directories on a volume other than SYS.
Restrict volume space based on users. This is done on a per volume basis—based either by the user or by directory. The amount of volume space is calculated by the owner property attribute placed on files as the user creates the files on a volume for the first time. You can change the ownership of files to re-distribute space on the volume. I have seen end-users’ crashing NDS when their home directories were on SYS and they either backed up their entire hard drive or a very large database to their home directory. NWAdmin ➝ Volume_Object ➝ User Space Limits
Table 8.1 Minimum Required Rights
Defined Task | Minimum Rights Required
Open and read a file | Read
See a filename | File Scan
Search a directory for files | File Scan
Open and write to an existing file | Write, Create, Erase, Modify
Execute an EXE file | Read, File Scan
Create and write to a file (but not view it) | Create
Copy files from a directory | Read, File Scan
Copy a file to a directory | Write, Create, File Scan
Make a new directory | Create
Delete a file | Erase
Salvage deleted files | Read and File Scan on the file(s) and Create on the directory
Change directory or file attributes | Modify
Rename a file or directory | Modify
Change the Inherited Rights Filter | Access Control
Change trustee assignments | Access Control
Modify a directory’s disk space assignment between users | Access Control
You may place size limitations on directories. This limitation applies to files and subdirectories under the directory. NWAdmin ➝ choose directory ➝ Objects ➝ Details ➝ Facts
Inherited rights mask You can tune your security to the lowest common denominator by restricting access based on inherited rights filters (IRF). The rule, by default, is that both file and directory rights flow down the file system—that’s called inheritance. There are never fewer rights to a nested (inherited) file or to a directory than to their respective parents.
Two exceptions to this rule are:
1. An inherited rights mask will filter out any and all rights you choose to deny, though the Supervisor file right can never be blocked by an IRF.
2. An explicit right granted to a file or directory will overwrite the existing default inheritance. You know, of course, that an explicit right is one granted at a specific file level (e.g., to SYS:PUBLIC versus just to SYS: and inherited by SYS:PUBLIC and every other SYS: directory).
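The inheritance rules above and the minimum rights of Table 8.1, worked as an added example that is not the book’s code: an effective-rights calculator over a constructed SYS: and DATA: layout with trustee assignments and IRFs. The supervisor_blockable flag is an assumption of the example; it models the NDS object-right difference described in section 8.1.2, where an IRF can block Supervisor, so that the lockout an over-tight NDS IRF can cause is visible.

```python
# Effective NetWare file-system rights under inheritance and IRF rules.
# Rights use the book's letters: S R W C E M F A (WORMFACES without the O).
ALL_RIGHTS = "SRWCEMFA"

# A few rows of Table 8.1 expressed as rights letters.
MINIMUM_RIGHTS = {
    "open and read a file": "R",
    "see a filename": "F",
    "execute an EXE file": "RF",
    "copy file to a directory": "WCF",
    "delete a file": "E",
    "salvage deleted files": "RFC",
    "change trustee assignments": "A",
}


def ancestors(path):
    """Yield the volume root, each directory on the way down, then path itself."""
    parts = path.rstrip("/").split("/")
    for i in range(1, len(parts) + 1):
        yield "/".join(parts[:i])


def trustee_rights(trustee, path, assignments, irfs, supervisor_blockable=False):
    """Rights one trustee holds at path.

    assignments: {path: {trustee: "letters"}}  explicit trustee assignments
    irfs:        {path: "letters"}             rights an IRF lets through
    Exception 1: inherited rights pass through the IRF; the file-system S
    right cannot be blocked (supervisor_blockable=True gives NDS behaviour).
    Exception 2: an explicit assignment replaces whatever would be inherited.
    """
    rights = set()
    for node in ancestors(path):
        explicit = assignments.get(node, {}).get(trustee)
        if explicit is not None:
            rights = set(explicit)        # explicit grant is not IRF-filtered
            continue
        if node in irfs:
            allowed = set(irfs[node])
            if "S" in rights and not supervisor_blockable:
                allowed.add("S")          # file-system Supervisor passes any IRF
            rights &= allowed
    return set(ALL_RIGHTS) if "S" in rights else rights


def effective_rights(trustees, path, assignments, irfs, supervisor_blockable=False):
    """Union over the user object, its groups, its containers and [Public]."""
    result = set()
    for trustee in trustees:
        result |= trustee_rights(trustee, path, assignments, irfs, supervisor_blockable)
    return "".join(r for r in ALL_RIGHTS if r in result)


def can_perform(task, rights):
    """Check a Table 8.1 task against a rights string such as 'RF'."""
    return set(MINIMUM_RIGHTS[task]) <= set(rights)


# Constructed layout: volumes, trustees and IRFs are examples, not a real tree.
ASSIGNMENTS = {
    "SYS:": {"Admin": "S"},
    "SYS:/LOGIN": {"[Public]": "RF"},
    "SYS:/PUBLIC": {"OU=Sales": "RF"},
    "DATA:": {"Admin": "S"},
    "DATA:/SHARED": {"OU=Sales": "RWCEMF"},
    "DATA:/SHARED/PAYROLL": {"PAYCLERK": "RWCEMF"},   # explicit grant
    "DATA:/HOME/JDOE": {"JDOE": "RWCEMFA"},           # default home rights
}
IRFS = {
    "DATA:/SHARED/PAYROLL": "RF",   # only Read and File Scan flow down
    "DATA:/SHARED/ARCHIVE": "",     # nothing flows down (but S in the file system)
}
# Each user's trustees: the user object, its container, and [Public].
JDOE = ["JDOE", "OU=Sales", "[Public]"]
PAYCLERK = ["PAYCLERK", "OU=Sales", "[Public]"]
ADMIN = ["Admin", "[Public]"]

if __name__ == "__main__":
    for who, trustees in (("JDOE", JDOE), ("PAYCLERK", PAYCLERK), ("Admin", ADMIN)):
        r = effective_rights(trustees, "DATA:/SHARED/PAYROLL", ASSIGNMENTS, IRFS)
        print(f"{who:9} DATA:/SHARED/PAYROLL -> {r or '(none)'} "
              f"delete a file: {can_perform('delete a file', r)}")
    nds = effective_rights(ADMIN, "DATA:/SHARED/ARCHIVE", ASSIGNMENTS, IRFS, True)
    print("Admin at ARCHIVE if S were blockable (NDS rule):", nds or "(locked out)")
```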
File and directory attribute security
Individual directories and files can benefit from NetWare’s additional attribute security model. File and directory attributes apply to all users. (See Tables 8.2 and 8.3.) These attributes override any other granted or inherited rights. For example, an .exe file can be flagged with the Execute Only (X) attribute, which would prohibit someone from copying it, backing it up or renaming it to a .txt file. Note: Some EXE files do not react well to the Execute Only attribute. Test it in a lab first. Placing the Execute Only attribute on an EXE file will render the file an EXE file forever, unless you obtain the XAWAY hack. Different versions of NetWare allow for different attributes. Not all attributes listed here may apply to your version of NetWare. Use the directory and file attributes to add additional security benefits. Realize that network applications do not provide file and directory level security; you must implement it.

Table 8.2 Directory Attributes
Abbreviation | Directory Attribute | Application
Di | Delete Inhibit | Prevents users from deleting this directory
Dc | Don’t Compress | File compression will not compress the directory
Dm | Don’t Migrate | Used for the data migration option on the volume properties; will not migrate the directory to a “jukebox” or other storage device
H | Hidden | Hides this directory; the _NETWARE directory on SYS is an example
Ic | Immediate Compress | Compresses every file in this directory immediately after each file is closed, versus waiting the default time of 14 days after the directory was last accessed
N | Normal | Default assignment; allows Read and Write to a file, but not Shareable
P | Purge | Flags a directory to purge as soon as it is deleted, rendering it unrecoverable
Ri | Rename Inhibit | Prevents users from renaming the directory
Sy | System | System directory like SYS:_NETWARE

Table 8.3 File System Attributes
Abbreviation | File Attribute | Application
A | Archive Needed | Automatically assigned to files that have been changed since the last backup
Cc | Can’t Compress | Disables compression on the file; the OS uses this flag on files that do not meet the SET compression criteria (see Chapter 2 for more information on file compression)
Co | Compressed | File is compressed
Ci | Copy Inhibit | Prevents Apple Macintosh users from copying the file
Di | Delete Inhibit | Prevents deletion; overrides the Erase trustee right
Dc | Don’t Compress | Used to override NetWare’s default days-untouched-before-compression setting; see the Chapter 2 SET commands
Dm | Don’t Migrate | Don’t allow files to leave the hard disk to go to another storage device
Ds | Don’t Suballocate | I can’t think of a valid reason to ever use this
H | Hidden | Hides the file
I | Index | Set automatically; large file access is accelerated by indexing files larger than 64 FAT entries
Ic | Immediate Compress | As soon as the file is closed, it is compressed
M | Migrated | File moved to offline storage
N | Normal | Default value for all new files; allows Read and Write but not Shareable
P | Purge Immediately | Upon deletion, the file will be unrecoverable
Ro | Read Only | This is a combination of Di and Ri
Rw | Read Write | All files are created with this attribute; allows you to write to a file
Ri | Rename Inhibit | File cannot be modified or renamed
Sh | Shareable | Allows more than one user access at the same time; many times used with Ro
Sy | System | Normally used with OS system files; hides the file from DIR; the file still shows up with NDIR or FILER
T | Transactional | Allows a file to be tracked and protected by TTS; useful for databases
X | Execute Only | Prevents a file from being backed up, copied or modified; once this value is set, it is irrevocable (except by the XAway hack); use for .exe and .com files, but make backups first
8.1.2
NDS
NDS has to be the most important piece of NetWare security. Without a valid login you cannot access files on the server. A login to the network invokes the first step in user object security. A login attempt first verifies that the input name is a valid user name in the context. If so, NDS checks for account restrictions. If the user object has passed the first two requirements, the input password is hashed against an RSA public encrypted key. The key is an algorithm applied against your password, and a mathematical value is calculated. The encrypted mathematical value, and only the derived value, is sent over the wire. Your password never leaves the workstation. The mathematical value arrives at your preferred login server and is checked against the stored password encrypted in NDS. NDS must do the same mathematical public key algorithm calculation against your NDS-stored password to authenticate and permit network access. Realize that you can attach to the server without authenticating to it. Therefore, information can be revealed to a hacker without him/her ever logging in. Shareware and Novell tools like nlist, cx, bindery, bindin, finger, userdump and userinfo can be used to collect information.
NDS object rights are:
Supervisor (S): This is the sum of all other rights. Unlike the Supervisor right in the file system, the Supervisor NDS object right can be blocked through an IRF. Granting this right implies granting the same Supervisor right to all NDS properties.
Browse (B): The Browse right allows trustees of the object(s) to search the tree in NWAdmin and through the NLIST and CX commands.
Create (C): This right, available only on container objects, allows an object trustee to create objects in and below the container.
Delete (D): Permits the removal of objects from the NDS tree.
Rename (R): Grants the object trustee the ability to change the object’s name.
Inheritable (I): Only in NetWare 5. Assigned object rights are inherited by default in NDS. Unchecking this feature on a container object will restrict inheritance, requiring the administrator to explicitly grant objects trustee rights to the container.
NDS property rights include:
Supervisor (S): Still the sum of all other rights.
Read (R): The ability to see/read the attributes, or properties, of an object.
Compare (C): The Compare right works in tandem with the Read right and is used to query any property, returning only a true or false response.
Write (W): Automatically includes the Add/Remove Self right; you can modify, add, change, and delete property values. This right granted to the object trustee (ACL) property of any object effectively gives Supervisor access.
Add/Remove Self (A): An object trustee can add or remove itself as a value of the object property.
Inheritable (I): Only for NetWare 5. Used only at the container level, this right enables inheritance of property rights from a container.
Warning: Rights granted through selected properties overwrite property rights granted through the All Properties radio button. Explicitly selected property rights are never inherited.
Default NDS rights are:
Rights granted to the [Public] object are passed to everything connected to the network (connected, not authenticated).
[Public] receives the [R] right to the messaging server attribute of the file server
Admin (or Admin equivalent) receives the [S] and [I] right to [Root]—though this happens only once, at install, with the first created Admin object
Users inherit the rights of their containers which are [R] property right to the login script and [R] to the print job (non NDPS) configuration
Users are granted the [R] right to the [Root] properties of Network address and group membership, [R] to the default server property of [Public], [R] and [W] to the user’s own login script property and print job configuration property and finally [R] to all of the user’s property rights
The [S] right to the server object is given to any user who installs the specific server into the NDS Tree
A server receives the [S] object right to itself, permitting the server to modify parameters of its own object.
My recommendations for NDS security:
Disable users who haven’t logged in for the last x number (you determine) of months. Allow for remote users who sometimes are not connected to your network for an extended period of time. Delete them if they don’t call about being disabled on the network.
Use a very long 18-character password for Admin and secure it in a safe place—not a “sticky note.”
Use a null character somewhere in the Admin password. (e.g., ALT+0255). This way, if a hacker could ever see the Admin password, for whatever reason, he would see a blank where the null character exists.
Limit the number of people who know the Admin password to 4 or fewer. Severely limit the number of people who have security equal to Admin.
Keep the Admin object in a container that contains no other users.
Rename the Admin account—immediately. Use an underline in the name.
Do not let anyone use the Admin account. Grant the Admin security equivalence to separate user objects. This enables auditing based on individual user objects—not an Admin object that may have had many people using it.
Administrators should have two accounts. One would provide security equivalence needed to perform various Admin duties, the other would provide a generic end-user equivalent account for most of their work. This may be an inconvenience, but will help alleviate potential accidents.
Implement a policy to manage user passwords. Refer to suggestion later in this chapter for password management suggestions.
Enable Intruder detection on every OU; it is turned off by default. Right-click an OU ➝ Details ➝ Intrusion Detection ➝ select Detect Intruders. Enable it on the O too, but be careful: the Admin object exists under the O by default, and it is possible to lock the Admin out if someone attempts to guess the Admin password.
Enforce the connection limit for users. Two is sufficient for everyone other than Admin—one for access, one for messaging broadcasts. If you are using ZENworks, you may need another granted connection per user. Give Admin several to unlimited, but monitor the Admin connections too.
Use the expiration date property for contractors. Allow access based on their contracted time limit. Some organizations use this for everyone. They put a one-year expiration date after the user object is created. This is a great idea for lazy administrators, but would not work well in a large environment.
I don’t see many shops that use the time restriction options in NDS, but it adds an additional layer of security. Be careful, you don’t want to get calls at 11:30 p.m. for access by the payroll department making a late check run.
Network Address Restrictions are another option that I rarely see used. This is especially helpful for older applications that log into the server from a dedicated workstation for some reason. Many times the automated login name and password give more rights than a normal user. For that reason, configure the login name to use only that specific MAC or IP address (other address restriction options are available).
Use the MAP ROOT command to map to a “fake” root. This will hide directories from the end-user’s view.
Use Inherited Rights Filters (IRFs) to prohibit global access to files or directories. Be careful when using them, as they are hard to keep track of. Without a third-party utility to show IRFs, you are condemned to remember all of the IRFs you and previous Admins used throughout the TREE. IRFs are appropriate for the following directories:
SYS:PUBLIC\DNSDHCP
SYS:PUBLIC\JRE
SYS:PUBLIC\MGMT
SYS:PUBLIC\NLS
SYS:PUBLIC\SWLC
SYS:PUBLIC\WIN32
SYS:PUBLIC\WIN95
SYS:PUBLIC\WINNT
For groups, OUs, or individual users, grant explicit rights to a file or NDS object by trustee assignments. This will replace any previous inherited rights.
Use OUs, when possible, to form natural groups in your network. A user object is security equivalent to the OU that they are in. That means that any rights you assign an OU flow down to every user under the OU. Use containers to assign rights to network resources.
Uncheck the Inheritable attribute on each OU whose support you want separated from other Administrators.
Prohibit/restrict guest and anonymous account access
8.1.3 Help desk functions
It is great to have the help desk assist you by resetting passwords. There are many shareware/freeware help desk solutions that help you keep your network secure yet allow help desk personnel to change only the password or password-related properties. Some are:
http://fl.visualclicksoftware.com/
Schemax
CHgpass 4 (http://www.netwarefiles.com)
Holger Dopp’s NDS UserBrowser available at www.hdopp.de
http://www.netmagicinc.com/
Tables 8.4 through 8.6 are useful when providing granular helpdesk/Jr. Admin rights for specific NDS functions.
Table 8.4 Password Restrictions
NWADMN32 Tab = Specific Action Desired | Rights Granted
Allow user to change password = Allow User to Change Password | R, W, I
Require a password = Require Unique Password | R, W, I
Minimum password length = Minimum Password Length | R, W, I
Force Periodic password changes = Days Between Forced Changes | R, W, I
Days between forced changes = Days Between Forced Changes | R, W, I
Date password expires = Date Password Expires | R, W, I
Require unique passwords = Require Unique Passwords | R, W, I
Limit grace logins = Grace Logins Allowed | R, W, I
Grace logins allowed = Grace Logins Allowed | R, W, I
Remaining grace logins = Remaining Grace Logins | R, W, I
Change Password – Password Management | R, W, I
Table 8.5 Login Restrictions
NWADMN32 Tab = Specific Action Desired | Rights Granted
Account disabled = Account Disabled | R, W, I
Account has expiration date = Account Has Expiration Date | R, W, I
Expiration date and time = Account Has Expiration Date | R, W, I
Limit concurrent connections = Maximum Connections | R, W, I
Maximum connections = Maximum Connections | R, W, I
Last login = Login Time | R, I
Auditing features
The following programs can audit NDS:
ManageWise
Novell’s Auditcon
Blue Lance LT Auditor
Bindview
Table 8.6 Intruder Lockout
NWADMN32 Tab Specific Action Desired | Rights Granted
Account locked | Supervisor object rights
Incorrect login count | Supervisor object rights
Account reset time | R, I
Last intruder address | R, I
8.1.4 Password management
Your goal in password management is to eliminate a hacker’s ability to gain access to the network. A hacker uses several methods to obtain network access:
Physical access to the server to load a rogue .NLM which creates an admin equivalent user object.
A password decipher on workstations (like SNADBOY) to decode the Microsoft workstation password, which is usually synched to the NDS password. See workstation security later in this chapter.
A brute force attack on a user object’s password. This method is where a hacker runs a utility to try every possible combination of passwords until the program “guesses” your password. This is thwarted by limiting incorrect logon attempts, which is disabled by default. This is also the best reason to rename your admin account.
A dictionary attack on a user object’s password. A dictionary hack uses a pre-defined set of “common” passwords to try to guess your password. Again, set the incorrect login attempts value to thwart this effort.
A utility, like CHKNULL, to identify which users are not using passwords. If you use a USER_TEMPLATE object and define a minimum password length, you can avoid this problem.
Guest or Anonymous account access. Prohibit or limit guest and anonymous access.
Brute force attacks guess every possible combination of letters and numbers until the password is obtained. In contrast, dictionary attacks use a predetermined word list to guess the most popular passwords. Both hacks can be dissuaded by Novell’s Intruder detection, which is not turned on by default. One such utility, many times used for hacking, is CHKNULL (see Figure 8.1). This simple DOS command line utility checks user objects for passwords without logging attempts against intruder detection. It can be found at www.nmrc.org. Use this freeware for your own auditing needs.
Figure 8.1 Output from the chknull utility used with no parameters. The display shows the user MFOUST has no password.
Usage: chknull [-p] [-n] [-v] [wordlist]
-p = check username as password
-n = don’t check null password
-v = verbose output
CHKNULL also can check specified words on the command line as passwords. Oddly, this same basic function can be found by using Novell’s NLIST command.
C:\>NLIST USERS
Object Class: User
Current context: LAB
User name= The name of the user
Dis = Login disabled
Log exp = The login expiration date, 0 if no expiration date
Pwd = Yes if passwords are required
Pwd exp = The password expiration date, 0 if no expiration date
Uni = Yes if unique passwords are required
Min = The minimum password length, 0 if no minimum
User Name        Dis  Log Exp   Pwd  Pwd Exp   Uni  Min
----------------------------------------------------------------
admin            No   00/00/00  No   00/00/00  No   0
mfoust           No   00/00/00  No   00/00/00  No   0
A total of 2 User objects was found in this context.
A total of 2 User objects was found.
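As an added audit example (not code from the book), the following Python script parses a report in the NLIST USERS layout shown above and flags user objects whose password properties leave them open to the null-password and dictionary attacks just described; the first two rows of the sample are the book’s own, the other two are constructed here.

```python
"""Audit NLIST USERS output for weak password-policy settings.

Added example (not from the book): parses the plain-text report that
NetWare's NLIST USERS command prints (the column layout shown in the
chapter) and flags user objects whose password properties leave them
open to the null-password and dictionary attacks the chapter describes.
"""
from dataclasses import dataclass

# Constructed sample in the NLIST USERS layout quoted in the chapter.
# The first two rows are the book's own example; "svc_backup" and
# "jsmith" are made up here to show a partially and a fully hardened object.
SAMPLE_NLIST_OUTPUT = """\
Object Class: User
Current context: LAB
User name= The name of the user
Dis = Login disabled
Log exp = The login expiration date, 0 if no expiration date
Pwd = Yes if passwords are required
Pwd exp = The password expiration date, 0 if no expiration date
Uni = Yes if unique passwords are required
Min = The minimum password length, 0 if no minimum
User Name        Dis  Log Exp   Pwd  Pwd Exp   Uni  Min
----------------------------------------------------------------
admin            No   00/00/00  No   00/00/00  No   0
mfoust           No   00/00/00  No   00/00/00  No   0
svc_backup       No   00/00/00  Yes  00/00/00  No   5
jsmith           No   00/00/00  Yes  12/31/01  Yes  8
A total of 4 User objects was found in this context.
A total of 4 User objects was found.
"""

NO_DATE = "00/00/00"  # NLIST prints this when no expiration date is set


@dataclass
class UserRow:
    name: str
    disabled: bool
    login_expires: str
    password_required: bool
    password_expires: str
    unique_required: bool
    min_length: int


def parse_nlist_users(text: str) -> list[UserRow]:
    """Return one UserRow per data line of an NLIST USERS report.

    Only lines after the dashed separator and before the "A total of"
    summary are user rows; each has seven whitespace-separated fields.
    """
    rows = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("----"):
            in_table = True
            continue
        if not in_table or line.startswith("A total of"):
            continue
        fields = line.split()
        if len(fields) != 7:
            continue  # blank or unexpected line: skip rather than guess
        name, dis, log_exp, pwd, pwd_exp, uni, min_len = fields
        rows.append(UserRow(
            name=name,
            disabled=dis == "Yes",
            login_expires=log_exp,
            password_required=pwd == "Yes",
            password_expires=pwd_exp,
            unique_required=uni == "Yes",
            min_length=int(min_len),
        ))
    return rows


def audit_user(row: UserRow, min_length: int = 8) -> list[str]:
    """List the password-policy weaknesses of one enabled user object."""
    findings = []
    if row.disabled:
        return findings  # a disabled account cannot be logged in to
    if not row.password_required:
        findings.append("no password required")
    if row.min_length < min_length:
        findings.append(f"minimum length {row.min_length} < {min_length}")
    if not row.unique_required:
        findings.append("unique passwords not required")
    if row.password_expires == NO_DATE:
        findings.append("password never expires")
    return findings


def audit_nlist_output(text: str, min_length: int = 8) -> dict[str, list[str]]:
    """Map each user name that has at least one weakness to its findings."""
    report = {}
    for row in parse_nlist_users(text):
        findings = audit_user(row, min_length)
        if findings:
            report[row.name] = findings
    return report


if __name__ == "__main__":
    for user, problems in audit_nlist_output(SAMPLE_NLIST_OUTPUT).items():
        print(f"{user}: {'; '.join(problems)}")
```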
The defense against such password hacks is Novell’s Intruder detection. Intruder detection locks out users that supply incorrect passwords based on a pre-determined number of attempts. Turn on intruder detection in the NDS property tab of each OU. Right-click an OU ➝ Details ➝ Intrusion Detection ➝ select Detect Intruders. In the same window, select Lock account after detection.
Figure 8.2 Intruder Detection tab properties of an OU.
As a user exceeds the Intruder detection limit, NetWare logs the event. The server beeps and a time-stamped message is displayed on the server console with the account name that is now locked out and the node’s MAC address. A locked account can be reset by anyone with Supervisor object rights to the user. Warning: If Intruder Detection is off, a “brute force” password cracker can be used against your accounts; therefore, turn it on. The strength of any password is proportional to its length. The number of possible combinations increases mathematically by the square of the password length. (See Table 8.7.) Does 100,000 per second sound too fast? Not on your life. Expensive hardware can do much more than that. (See Table 8.8.)
Table 8.7 Number of Characters in a Password versus Possible Combinations
Number of characters in the password | Possible combinations (Letters A–Z only) | Possible combinations (Letters A–Z, with numbers 0 to 9)
1 | 26 | 36
2 | 676 | 1296
3 | 17576 | 46656
4 | 456976 | 1679616
5 | 11881376 | 60466176
6 | 308915776 | 2176782336
7 | 8031810176 | 78364164096
8 | 208827064576 | 2821109907456
9 | 5429503678976 | 101559956668416
10 | 141167095653376 | 3656158440062980
Used with permission from the article “Implementing Strong Passwords in an NDS Environment,” by Marcus Williamson, published by Novell Research.
Table 8.8 Estimated Time to Break Passwords at 100,000 per Second
Pass Length | Non-case | Alphanumeric | Upper/Lower | All Printable
4 | < 1 min | < 1 min | 1 minute | 13 minutes
5 | < 1 min | 10 minutes | 1 hour | 22 hours
6 | 50 min | 6 hours | 2.2 days | 3 months
7 | 22 hours | 9 days | 4 months | 23 years
8 | 24 days | 10.5 months | 17 years | 2,287 years
9 | 21 months | 32.6 years | 881 years | 219,000 years
10 | 45 years | 1,159 years | 45,838 years | 21 M years
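The arithmetic behind Tables 8.7 and 8.8, as an added Python example rather than the book’s own code: it recomputes keyspace and exhaustive-search time at 100,000 guesses per second (a 96-character set is what reproduces the “All printable” column) and then models what intruder detection does to the guessing rate; the 7-attempts-per-15-minute lockout policy is an assumed value, not one from the book.

```python
"""Keyspace and brute-force time estimates behind Tables 8.7 and 8.8.

Added example, not the book's own code. Character-set sizes are the ones
that reproduce the book's figures (the "All printable" column matches a
96-character set). The lockout model at the end is an assumption added
here: NetWare's intruder detection allows a fixed number of bad attempts
per reset interval, so it caps the online guessing rate against one account.
"""

# Character-set sizes for the four columns of Table 8.8.
CHARSETS = {
    "non-case": 26,       # A-Z only
    "alphanumeric": 36,   # A-Z plus 0-9
    "upper/lower": 52,    # a-z plus A-Z
    "all printable": 96,  # the size that reproduces the book's column
}

GUESSES_PER_SECOND = 100_000  # the rate Table 8.8 assumes

SECONDS_PER_MINUTE = 60
SECONDS_PER_HOUR = 3600
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int,
                       guesses_per_second: float) -> float:
    """Worst-case time to try every password at the given guess rate."""
    return keyspace(charset_size, length) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Round a duration to its largest convenient unit, as Table 8.8 does."""
    if seconds < SECONDS_PER_MINUTE:
        return "< 1 min"
    for unit, size in (("year", SECONDS_PER_YEAR), ("day", SECONDS_PER_DAY),
                       ("hour", SECONDS_PER_HOUR), ("minute", SECONDS_PER_MINUTE)):
        if seconds >= size:
            value = seconds / size
            text = f"{value:,.0f}" if value >= 10 else f"{value:.1f}"
            return f"{text} {unit}{'' if text == '1.0' else 's'}"
    return "< 1 min"  # not reached; every value >= 60 s matched a unit above


def lockout_limited_rate(attempts_allowed: int, reset_seconds: float) -> float:
    """Guesses per second an attacker gets against one account when intruder
    detection locks it after `attempts_allowed` failures and the incorrect
    login count resets every `reset_seconds` (assumed policy values)."""
    return attempts_allowed / reset_seconds


def build_table(lengths=range(4, 11), guesses_per_second=GUESSES_PER_SECOND):
    """Recompute Table 8.8 as {length: {charset name: duration string}}."""
    return {
        n: {name: human_duration(seconds_to_exhaust(size, n, guesses_per_second))
            for name, size in CHARSETS.items()}
        for n in lengths
    }


if __name__ == "__main__":
    for n, row in build_table().items():
        print(n, row)
    # Constructed policy: 7 attempts per 15-minute reset window. The same
    # 8-character alphanumeric password that Table 8.8 rates at about
    # 10.5 months offline now takes millions of years to exhaust online.
    online = lockout_limited_rate(7, 15 * SECONDS_PER_MINUTE)
    print(human_duration(seconds_to_exhaust(36, 8, online)))
```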
Best practices for passwords
Enforce the following:
Require users to have unique passwords—NetWare 5 remembers the last 8 passwords
Limit the grace logins to three—which locks the account after the prescribed incorrect login attempts. The default value is seven.
Rename the admin account and provide a second, “just-in-case” admin account. Provide each admin with a separate admin-equivalent login ID—it is easier to audit separate accounts.
Bindview (www.bindview.com) enables auditing and enforcement of user password policies on an enterprise level. Bindview will provide reports of password attributes, such as length, number of days until change, etc., and the ability to change attributes system-wide. Other auditing programs include Kane Security Analysis (www.intrusion.com) and BlueLance LT Auditor. There are also various shareware and freeware utilities that can aid auditing needs too.
Biometric
Biometric authentication uses some unique personal identifier such as a fingerprint or retinal scan to provide authentication. NetWare supports biometric authentication through Novell’s Modular Authentication System (NMAS), which is a free download.
Informer Systems
Informer Systems, which incorporates Mission Data, has developed a fingerprint-based authentication solution for NDS, known as SentriNet. SentriNet allows the user to log in to the network using just a fingerprint, instead of requiring a password. This solution won the Novell Developers Contest at BrainShare in 1998. Further information about SentriNet and Informer Systems can be found at http://www.informer.co.uk/product/product.htm.
NetWare Certificate Server—PKI
The digital equivalent of a secure, personalized ID card, public key infrastructure provides a foundation for secure transactions. Novell Certificate Server 2.x is available as a no-cost download and can mint an unlimited number of certificates. The Certificate Server can support massive demands for certificates, PKI queries, and certificate storage and management—therefore, put it on a semi-beefy server. Certificates are minted using cryptography technology, and with NICI and NDS, it’s managed automatically. Novell Certificate Server and NICI use the strongest legally allowable cryptography algorithms. The Certificate server is a great solution for authentication into a Website. Unfortunately, Netscape and Microsoft browsers do not natively recognize the certificates—you will see the security alert in Figure 8.3. Just answer yes and you still have the strongest encryption available. NetWare supports other certificates, too, such as Verisign, Entrust, and Baltimore Technologies.
Figure 8.3 Browser Security Alert
Compatibility with other products
Novell Certificate Server 2.0 is already in use with the following Novell products:
Novell LDAP
BorderManager
Netscape Enterprise Server and Administration server for NetWare
Netscape News server for NetWare
NetWare Management Portal
In addition, Novell certificates can be seamlessly used with popular e-mail clients including Novell’s GroupWise 5.5 (enhancement pack), Microsoft Outlook98, Outlook2000, and Netscape Messenger 4.6 and 4.7—which enables users to send and receive information securely.
Novell Certificate Server can also mint Secure Socket Layer (SSL) certificates for Web servers from Microsoft and Netscape, as well as any Web server capable of generating and processing a standard PKCS #10 certificate-signing request. Developers can code to NDS functionality to enhance or customize their security solutions and build on certificates issued by Novell Certificate Server without re-writing their own technology. Get the development kit from Novell at http://developer.novell.com.
Security tokens
Security tokens are devices which are assigned to a user and provide security by using the concept of “something owned” (the token) in addition to “something known” (the password) to ensure that the user really is who they say they are. Tokens are available in a number of formats. The most common format, implemented by both ActivCard and RSA Security (formerly known as Security Dynamics), is a device that displays an apparently random number to the user. This number is used in conjunction with a username, and often also with a password, to provide an additional piece of information for authentication of the user. An interesting new idea (and software) from Connectotel, www.connectotel.com, is using a mobile phone or pager as your security token. After you log in, a PIN is sent to your phone or pager display, which you then enter to complete the login process.
ActivCard
Novell provides its own “red box” version of the ActivCard One token device. ActivCard One tokens may be used in conjunction with the following services:
BorderManager VPN Client—In this scenario the user is prompted for a username, password and ActivCard number when logging in to the network via a VPN connection.
BorderManager Proxy—If BorderManager Proxy services have been enabled for use with ActivCard, the user must enter the ActivCard number before being granted access to the Proxy. This will allow access to the forward Proxy, for Web surfing outbound from an organization, or to the reverse Proxy, for entry to an organization’s intranet, for example.
BorderManager Authentication Services—BorderManager Authentication Services (BMAS) provides Novell’s implementation of the RADIUS protocol for an NDS environment. Using BMAS, any RADIUS-compliant dial-in device, or other RADIUS-compliant hardware or software, can authenticate users with an NDS account and an ActivCard device.
ActivCard devices are available in packs of 5 or 50 and are shipped with a diskette including the serial numbers of the devices contained in the pack. These device images are imported into NDS, which results in the devices being created as NDS objects.
Single sign on
Independent surveys indicate password resetting is a top helpdesk call driver—printing problems are another. Eliminate the need for users to choose simplistic passwords for their many different password-protected programs by using a single sign-on solution with the strength of NDS password restrictions. Novell’s single sign-on solution allows a single enterprise login to NDS to open applications that would normally require a password. Password-enabled applications’ authentications are redirected, via APIs, and stored encrypted in NDS. Novell’s Website provides more information about this product (http://www.novell.com/products/sso/).
8.1.5 Server side security
To enable the Novell-provided security model, a secure site would:
Upgrade your NetWare 3.x servers to NetWare 5. There are many 3.x hacks that can only be solved by moving from bindery to NDS authentication.
Upgrade your print servers and workstation client software to enable NDS logins.
Remove bindery context as soon as possible. Many hacks are based on bindery access to the server.
In NetWare 5, use Novell’s new SCRSAVER.NLM. See Chapter 2.
Don’t use RCONSOLE. If you have to use RCONSOLE, encrypt the password and use packet signature option 3, or use a third-party RCONSOLE product. To encrypt the password, answer yes to letting the server write the encrypted password to the LDREMOTE.NCF file:
: REMOTE ENCRYPT
Enter a password to encrypt >NOVELL
To use this password use the command:
Load REMOTE -E 2475030255179199A911D6
Would you like this command written to SYS:SYSTEM\LDREMOTE.NCF? (y/n)
Cache your Website’s content—reverse proxy—into an ICS or BorderManager box (http://www.novell.com/bordermanager/). Let hackers hack the cache. Place a pinhole in the firewall so that only the cache server can get content. Compaq has some great architectural samples at ftp://ftp.compaq.com/pub/products/servers/tasksmart/tasksmartdeploy.pdf.
Log Web and DNS activity with BorderManager or your firewall software.
Turn off/disable any unnecessary services running on your network (i.e., FTPd, anonymous passwords, and so on). See SYS:ETC\RESTRICT.FTP.
Use authentication, preferably NDS, to restrict Internet access by User object, Internet sites, time of day, etc. BorderManager can perform this function.
Patch all servers with the latest software patches/field updates. Many known holes are fixed with the next support patch (http://support.novell.com).
For extreme secure environments, implement biometric, or SMART card authentication (www.novell.com/security).
Consider a proxy server or using NAT (Network Address Translation).
For the most important users on your network, especially the Admin, consider using the packet signature 3 option. Turn it on at the server by:
SET NCP PACKET SIGNATURE OPTION = 3 (default is 1)
Enable the workstation by right-clicking the red N on the systray ➝ Novell client properties ➝ Advanced settings ➝ signature level ➝ 3. The packet signature option encrypts all communication between servers and clients. It is roughly equivalent to a virtual private network. There are 4 options. Check Chapter 2’s server SET commands for an explanation of the options and their meaning. Warning: There is a CPU workload associated with the packet signature option. The encryption and decryption algorithm taxes the CPU. I have seen this option enabled on every NetWare client at a site with a little over 150 users connected to the main file server, which was running at about 50% consistently because of the encryption/decryption load of the packet signature option.
SECURE.NCF
The SECURE.NCF file was made with C2 security in mind. It is a batch file that makes your server conform to C2 and the European Class F-C standards—and more. The batch file has seven server SET commands and three optional commands to further secure your environment. Read the SECURE.NCF file; it explains everything.
:EDIT SECURE.NCF
Enhanced Security Server Administration manual
Search on Novell’s Website for the manual, which is in .PDF form (Adobe Acrobat). The manual for NetWare 4.11 is 389 pages.
Evaluating security with BindView
BindView, a third-party vendor, along with PriceWaterhouseCoopers, puts out a paper about how to use the BindView product to check the security of your NetWare (and NT/W2K) environment. I love BindView, but it has been an expensive purchase in the past—it is still worth checking out. They provide a great demo at trade shows too. BindView does provide a free download of bv-Count for NDS, which will count the total number of NDS objects by base class (www.bindview.com).
LDAP
Upgrade applications that use LDAP version 1. Use LDAP version 3. It is supported by later versions of NDS 7 and all of NDS version 8. LDAP version 1 uses clear text passwords. LDAP version 3 can use SSL and SASL. BindView also provides software that defends against BIND vulnerabilities.
ABENDS
ABENDs can be caused by hackers. Analyze your ABENDs—you can submit the ABEND.LOG to Novell’s ABEND Website ASAP. ABEND troubleshooting is covered in Chapter 2, and Novell provides a beta site for ABEND analysis (http://www.abend.provo.novell.com).
Alexander SPK (Server Protection Kit)
The Alexander SPK provides automated server crash protection. You can receive alerts via SNMP—which, in turn, means that you can be alerted via pager, cell phone, e-mail, server console alert, pop-up message, SNMP console message, or any other SNMP-available means. Novell has endorsed this company’s software to the point of selling it themselves on their shopnovell Website (http://www.alexander.com/).
Telnet
As an added feature, Novell supports telnet remote access to the server through INETCFG. Telnet uses clear text passwords that any sniffer product can read—for that reason do not enable this feature.
Third-party products
Third-party products require your scrutiny. Ask the vendors about their security models and their product holes. Oblix, for example, a directory yellow/white pages product for NDS, requires a middleware server that sends clear text passwords over the wire.
8.1.6 Workstation security
Workstation security is essential when you consider that 78% of security exposure comes from internal threats. Realize that getting access to network resources is as easy as walking up to a workstation and browsing. Third-party hacking utilities can decipher passwords stored on workstations. Revelation from Snadboy (www.snadboy.com) is an example. These utilities undermine workstation security by allowing the hacker to read Microsoft encrypted .pwl files—which are usually synched to NDS passwords. The following security measures are recommended:
Use NT/WIN2000 workstation if possible—the WIN9x family do not provide proper desktop security. Lock your workstation when you walk away.
Patch your workstation OS
Windows 9x passwords are stored in the C:\WINDOWS directory as *.pwl files. As new passwords are created, the old .pwl files are not erased. If I wanted to look at a couple of your old .pwl files, could I guess your current one?
If you use WIN9x, use a password enabled screensaver. This is not foolproof as the workstation can be rebooted past the screensaver. There are a couple of NDS enabled password screensavers available that can help alleviate the end user from having to remember multiple passwords.
http://www.ethosoft.com
http://www.netwarefiles.com/scrsaver.htm
If you are using someone else’s machine, don’t just logout—reboot or turn the machine OFF.
Be wary of users’ POST-IT notes with passwords
Read about the WINDOWS_PASSTHRU account in the WIN95 Resource Kit Chapter 9 page 292 and Chapter 11 page 401.
Disable/limit Active X controls
Use workstation policies/system policies
Know what you have—do hardware inventory via ZEN or ManageWise
The network is only as secure as its weakest system—scary.
Some workstation hacks and links
www.webdon.com
www.soft4you.com
BackOrafice (www.cultdeadcow.com)
www.ntbugtraq.com
www.bindview.com/security
GetAdmin—promotes any NT user to Admin
LSAHack—exploits NT passwords stored in RAM
www.atstake.com
DHCP
DHCP can be a security hole. It may be possible for someone to plug in to one of your RJ-45 jacks and obtain an IP address. The intruder probably now has, at least, Internet access. Without manually associating IP addresses to MAC addresses, almost any user can plug in for an IP address.
Note: An IP address also grants a user access to any one of a number of IP hacking tools.
Authentication for Internet access enables you to grant access and log Internet activity of users. Most Internet authentication is accomplished through either a separate password or via permission on an IP address. BorderManager provides access via policies placed upon NDS objects: users, groups, and container objects such as OUs. Other firewall solutions may require password access to the Internet, but again, the user is faced with remembering another password, and your helpdesk is tasked with another password reset call. Refer to the BorderManager section for more information.
Restrict Internet access
Use a software package, like BorderManager, to restrict access based upon another authentication process. BorderManager can restrict access based on user credentials, time of day, etc., and can use your same NDS login credentials as authentication—which will keep users from having to remember another password.
Load the DHCP Server with the -d3 option:
:DHCPSRVR -D3
This will load the server with the debug screen on and the log file enabled. Audit the log file for possible problems. To find out which users have which IP addresses:
:NLIST USERS /A /B
8.1.7 NetWare holes that need to be recognized
By default anyone can browse the entire tree. You do not need to be logged in to see the entire tree with the CX utility:
CX /R /A /T
In NetWare 4.x the SYS:LOGIN directory contains both the CX and NLIST utilities. NetWare 5.x moved NLIST into the SYS:PUBLIC directory to be used only by authenticated users. The hidden PUBLIC object, by default, has browse rights to the entire NDS TREE. Go to the TREE name and check the NDS Trustees of this object. You will find PUBLIC there.
You may remove PUBLIC, but be careful. Users, by default, have BROWSE rights to their own container. Many times this is enough, but there are many organizations that have many resources (i.e., printers, etc.) outside of the user’s container. Test any options in a lab first. You don’t need a slew of helpdesk calls from users not being able to login first thing Monday morning because of an inadvertent error.
Note: Be careful when removing rights from the [PUBLIC] object. Logged in users need certain NDS rights such as browsing their user object’s context and print queues. Also, contextless login is useless, as users could not search the NDS Tree. You can give [ROOT] the rights PUBLIC has, which will preserve the rights for authenticated users through inheritance. You may also make each O and OU a trustee of itself with Browse rights. Test this in your lab.
Users are not required, by default, to have a password. Make and use a USER_TEMPLATE object for each OU. Use it to require specific password properties, incorrect login attempt maximums (otherwise a dictionary hack can be used), intruder restrictions, and time restrictions. Be careful with time restrictions as you do not want calls in the middle of the night for users finishing up a project.
At account creation, Administrators do not need to specify a password. Make and use a USER_TEMPLATE object to require specific password properties.
By default, the RCONSOLE utility does not use an encrypted password. Don’t use RCONSOLE. Use the REMOTE ENCRYPT command and use packet signature option 3 from the client. www.nmrc.org publishes a working hack against the hashed password. To obtain the password, a hacker would either have to have a sniffer trace of unencrypted client/server communication at a time when someone is doing an RCONSOLE or access to the SYS:SYSTEM directory. Try Protocom’s SecureRemote for NetWare (http://www.serversystems.com/scremote/Welcome.html) or NetWare 5.x’s new IP RCONSOLE utility, RCONJ.
Intruder detection is turned off, by default. Turn it on. Right-click an OU ➝ Details ➝ Intrusion Detection ➝ select Detect Intruders.
8.1.8 Hacking and backdoors
Remember, a hacker usually wants Admin security equivalence. Therefore, it is your job to make it as difficult as possible. Keep informed of hacks. Go to the hacking Websites to collect information and countermeasures. Be cognizant of common login names using common passwords. Examples of possible logins are:
PRINTER
LASER
HPLASER
BACKUP
MAIL
POST
FAXUSER
You get the idea. Backup programs often use Admin equivalence—which is a security hole. Use network address restrictions, in the object’s properties, for the backup node, if possible. Also, check to see if your USER_TEMPLATE object has a password. If not, it is possible for someone to clone a user object with the template.
Note: Backdoors are not always evil. Giving yourself a backdoor—as an Administrator—maintains a safety net. Consider the tradeoff—tight security versus practicality.
To gain Admin privileges the hacker needs access to the server—either by authenticating or by physical access to the server console. Once a hacker has security equivalence to Admin, he/she wants to hide his/her tracks. A common backdoor is to create an OU with a single user object in the OU. The hacker would then give the user object explicit trustee rights to the User object and the new OU, and then take away the browse rights to the OU from the rest of the TREE by removing the Public object’s browsing rights. You can use Bindview or a freeware utility, HOBJLOC.NLM (see Figure 8.4), to find these hidden OUs and users. The HOBJLOC.NLM is found on Novell’s Website or www.netwarefiles.com. Load HOBJLOC.NLM like any other .NLM and use an Admin password to start the utility.
Figure 8.4 Freeware hidden object.
The “invisible” user will also show up in the service connections in monitor. This is useless for most installations as there may be hundreds of connections. One time a friend and I found a hidden user object at a client with admin privileges named GOD. The Pandora hack is probably the most infamous of NetWare hacks. Pandora is a set of hack utilities designed to grant security equivalence to Admin. http://www.nmrc.org/pandora/index.html is the home page of the Pandora attack. Defense against Pandora includes:
A password policy for users that requires long—at least 8 characters—and hard-to-guess passwords (have users use a combination of letters and numbers).
Pandora will not work with passwords over 16 characters, so keep your Admin passwords longer than 16 characters.
Some of the utilities require access to the SYS:SYSTEM directory to hack against NDS backup files, restrict all access to this directory from everyone except Administrators.
Access to the same Ethernet segment as Admin is required. Keep the Admin on a small segmented, switched subnet.
Ensure that the Admin and equivalents are using packet signature option 3 from their workstations.
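The hidden-OU backdoor described above is what HOBJLOC.NLM and Bindview hunt for. As an added illustration of that check (this is not the NLM's code, nor Novell's, and it is not part of the original chapter), the script below walks a constructed snapshot of a tree and reports containers that [Public] can no longer browse, plus any Admin-equivalent user sitting under one. The tree, the object names (O=ACME, OU=X9, CN=SVC) and the ACL model are all assumptions made for the example; real NDS inheritance and inherited rights filters are not simulated.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

BROWSE = "Browse"
PUBLIC = "[Public]"   # the trustee the chapter describes being stripped of Browse


@dataclass
class DirObject:
    dn: str                                              # e.g. "OU=SALES.O=ACME"
    kind: str                                            # "O", "OU" or "User"
    parent: Optional[str] = None                         # dn of the containing object
    acl: Dict[str, Set[str]] = field(default_factory=dict)   # trustee dn -> object rights
    security_equals: Set[str] = field(default_factory=set)  # objects this one is equivalent to


def is_hidden(obj: DirObject) -> bool:
    """A container is hidden when [Public] holds no Browse right on it.
    Model assumption: rights are recorded on each object directly."""
    return obj.kind in ("O", "OU") and BROWSE not in obj.acl.get(PUBLIC, set())


def hidden_containers(tree: Dict[str, DirObject]) -> List[str]:
    return sorted(o.dn for o in tree.values() if is_hidden(o))


def ancestors(obj: DirObject, tree: Dict[str, DirObject]):
    """Yield the containers above obj, nearest first."""
    while obj.parent is not None:
        obj = tree[obj.parent]
        yield obj


def hidden_privileged_users(tree: Dict[str, DirObject],
                            admin_dn: str = "CN=Admin.O=ACME") -> List[Tuple[str, str]]:
    """(user dn, hidden container dn) for every Admin-equivalent user that
    lives under a container [Public] cannot browse."""
    findings = []
    for o in tree.values():
        if o.kind != "User" or admin_dn not in o.security_equals:
            continue
        for a in ancestors(o, tree):
            if is_hidden(a):
                findings.append((o.dn, a.dn))
                break
    return sorted(findings)


def build_sample_tree() -> Dict[str, DirObject]:
    """Constructed snapshot: a normal O/OU/User layout plus one backdoor OU."""
    objs = [
        DirObject("O=ACME", "O", None, {PUBLIC: {BROWSE}}),
        DirObject("CN=Admin.O=ACME", "User", "O=ACME"),
        DirObject("OU=SALES.O=ACME", "OU", "O=ACME", {PUBLIC: {BROWSE}}),
        DirObject("CN=JDOE.OU=SALES.O=ACME", "User", "OU=SALES.O=ACME"),
        # The pattern the chapter describes: an OU whose only trustee is the
        # single user inside it, with no Browse right left for [Public].
        DirObject("OU=X9.O=ACME", "OU", "O=ACME",
                  {"CN=SVC.OU=X9.O=ACME": {BROWSE, "Supervisor"}}),
        DirObject("CN=SVC.OU=X9.O=ACME", "User", "OU=X9.O=ACME",
                  {"CN=SVC.OU=X9.O=ACME": {"Supervisor"}},
                  {"CN=Admin.O=ACME"}),
    ]
    return {o.dn: o for o in objs}


if __name__ == "__main__":
    tree = build_sample_tree()
    print("hidden containers:", hidden_containers(tree))
    print("Admin equivalents under hidden containers:", hidden_privileged_users(tree))
```

Run against a real export, the same two questions apply: which containers lack a Browse right for [Public], and who inside them is security equivalent to Admin. The second list is the one to review first.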
8.1.9 Browsing
Browsing the network via Network Neighborhood is a security hole. Users do not need this ability. The login script is designed to allow the Administrator to customize a user's environment. Browsing allows users access to resources outside the Administrator's reach. File and directory permissions are still active, but all of your mistakes are within reach of end users.
Map to resources using IP addresses or DNS names within login scripts
Use DNS instead of SLP—DNS doesn’t support browsing, SLP does
NetWare supports this function. With DNS implemented for all of your NetWare servers, SLP browsing support is unnecessary.
8.1.10 Subnetting
IP subnetting can be used to isolate networks, which limits network problems to a subnet. In many cases network sniffers and monitors are also prevented from seeing IP broadcasts across subnets.
8.1.11 A final word about security
Administrative time devoted to auditing and searching audit logs for possible problems should be a priority. Audit, audit, audit, though realize the potential trade-offs (time, CPU, and log file overhead). Audit accounts under suspicion. I like to give each admin user his/her own login ID with admin rights instead of using the Admin account. It is easier to audit individual accounts. Novell's current auditing utility (Auditcon) is clumsy and difficult to follow. There are shareware and third-party utilities that are far more efficient and much easier to use. If you cannot afford the license for Bindview, download a trial copy and test it on your network. You may find that it is worth the money. Audit server log files for important system information. Each of these files may be viewed from the server console or from a text editor.
SYS$LOG.ERR This file is found in the \SYSTEM directory and contains file server errors and general status information.
CONSOLE.LOG Found in the \ETC directory, this file maintains a copy of all console screen activity. It is started by the CONSOLE.NLM, which is automatically loaded in NW5 by the AUTOEXEC.NCF. You may change the file size limit, which is set to 100KB by default.
VOL$LOG.ERR The volume log is automatically created and stored at the root of each volume. There is little to see here except the mounting and dismounting of volumes and VREPAIR operations.
ABEND.LOG Found in the SYS:SYSTEM directory, this file keeps a record of server ABENDs. Sometimes hackers just want to ABEND your server. The Alexander LAN kit, a third-party product, can be used to send the Admin ABEND messages and SNMP alerts. These log files are detailed in Chapter 2.
If you use NDS on platforms other than NetWare (i.e., eDirectory on NT, Solaris, or Linux), you do not have the ability to audit via AUDITCON. You will have to buy a third-party NDS auditing utility—until Novell includes auditing in the NDS versions ported to other platforms. Budget this in your NDS purchase for Solaris, Linux, NT, or WIN2K. The auditing ability is an essential part of security. The auditing ability should be added back into the product soon—according to Novell.
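The log files above are only useful if someone actually reads them. As an added example of the "audit, audit, audit" advice (not code from the chapter or from Novell), the script below scans a console transcript for the entries worth a second look: ABENDs, SET changes, modules loaded from outside SYS:SYSTEM (the directory the chapter says to lock down), and the console logger being unloaded, which leaves a gap in the trail. The sample lines are constructed for the example and only imitate console activity; the module path and ABEND text are made up, and CONSOLE is used as the logger's module name because that is what the chapter calls it.

```python
import re
from collections import defaultdict

# Constructed sample of console activity (not a real CONSOLE.LOG).
SAMPLE_CONSOLE_LOG = """\
LOAD MONITOR
SET MAXIMUM PHYSICAL RECEIVE PACKET SIZE = 1518
UNLOAD CONSOLE
LOAD VOL1:TEMP\\HELPER.NLM
LOAD CONSOLE
ABEND: Page Fault Processor Exception
SET ENABLE DISK READ AFTER WRITE VERIFY = OFF
"""

# Ordered rules: the first pattern that matches decides the category.
RULES = [
    ("abend", re.compile(r"\bABEND\b", re.I)),
    ("logging_stopped", re.compile(r"^UNLOAD\s+CONSOLE\b", re.I)),
    ("set_change", re.compile(r"^SET\s+(.+?)\s*=\s*(.+)$", re.I)),
    ("module_load", re.compile(r"^LOAD\s+(\S+)", re.I)),
]
RULES_BY_NAME = dict(RULES)


def classify_line(line):
    """Return the category of a console line, or None if it is routine."""
    for category, pattern in RULES:
        if pattern.search(line):
            return category
    return None


def audit_console_log(text):
    """Group the lines worth a second look by category."""
    report = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        category = classify_line(line)
        if category:
            report[category].append(line)
    return dict(report)


def loads_outside_system(report, trusted_prefix="SYS:SYSTEM"):
    """Module loads that give an explicit path outside SYS:SYSTEM."""
    flagged = []
    for line in report.get("module_load", []):
        module = RULES_BY_NAME["module_load"].search(line).group(1)
        if ":" in module and not module.upper().startswith(trusted_prefix):
            flagged.append(module)
    return flagged


if __name__ == "__main__":
    findings = audit_console_log(SAMPLE_CONSOLE_LOG)
    for category, lines in findings.items():
        print(category, lines)
    print("loads outside SYS:SYSTEM:", loads_outside_system(findings))
```

The rule order matters: an ABEND message is reported as an ABEND even if it happens to mention a module, and a SET line is never mistaken for a load. Extend RULES with whatever your own console normally shows so that the report stays short enough to read daily.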
8.2 Websites relating to NetWare security
www.sans.org
http://www.novellshareware.com/security.shtml
www.nmrc.org
www.cert.org
www.auscert.org.au
http://www.scmagazine.com/
www.htcia.org
www.netanalysis.org
www.nai.com/nai_labs/asp_set/cybercop.asp
www.novell.com/corp/security
www.washington.edu/people/dad
http://www.serversystems.com/frames/links.htm
http://securityportal.com/
http://www.bluelance.com/products/default.html
www.radium.ncsc.mil/tpep
www.netadmincentral.com
9 ADMIN Tips, Tricks, and Third-Party Utilities
This was, by far, my favorite and most difficult chapter to write. I compiled this information from my experiences and from information I gained by interviewing support people and coders. I cannot emphasize enough how valuable this information is. Some of it may seem like common sense, but don't stop reading—I promise you will find many gems of useful information in this chapter. I wanted to give you specific information about what a Novell consultant learned, from my own experience and from client experiences. Again, the price of the book is only a fraction of what the information in this chapter alone is worth.
9.1 From one consultant to another
One of my pet peeves as a Novell Consultant was all of these "expert" consulting houses coming into my clients and making the same recommendations to every client. Many of the recommendations made to these businesses are "canned" recommendations from companies trying to bill at $200+ an hour for as long as possible. I say canned recommendations because I saw the same recommendations from client to client. It read something like this:
Fire all of your IT people—then contract all services out (to save money)
Move to Windows NT/Windows 2000. Knowing NT/W2K is more complex, it would make sense for a consulting company to want to keep as many consultants on site for as long as possible for a complex migration
Buy bigger hardware to consolidate your servers—duh! This is also the pitch from Sun! I don’t really have a problem with it, but you have to think in terms of client access to information. Unless you rely solely on dumb clients (in which case you wouldn’t be reading this) you are going to have network traffic and response time concerns about consolidating too much information on central servers.
Buy bigger routers and switches to help with network traffic management. Again, I have no problem with this. If you have unlimited finances to do all of this, I recommend asking for a raise, too. Go with switched gigabit to several NICs in the server. I would add to go to 100MB switched to the desktops, too!
Put in a better firewall. Always a good idea—or at the least update your current firewall software. Imagine all of the great extra money the consulting company can make from extended projects!
I would also add the following to my cookie-cutter recommendations (see Server Tuning later in this chapter).
Add a proxy server or appliance to speed users' access to Internet sites.
Keep virus signatures up to date with a login script or a desktop client deployment technology—like ZENworks.
Test all changes in a lab, and then proceed to a pilot implementation—usually in the IT department, since they are most able to handle possible software problems.
Enforce a strong password policy for your end users and especially your administrator equivalents.
Provide better NetWare based security, etc. You can get more from my chapter on security, from the rest of this book, and from my Website www.netadmincentral.com.
See how Novell did it internally: www.tinypineapple.com/luddite/beigepapers details Novell's internal rollout of its own technology. It is written by a secret author who works at Novell.
Keep reading for server tuning recommendations and network tuning recommendations that follow.
9.2 NetWare versus NT
This could be the title of a whole other book. It is important to draw distinctions for those of you used to the Microsoft terminology. When I left Novell (to go to Microsoft), I had the hardest time (even though I was already an MCSE in NT 4) understanding W2K and Active Directory. In the back of the server OS chapter, I cover the Microsoft tools for NetWare administration/migration and some recommendations. Turn there before reading on.
Understanding the W2K OS took some time for me. I was, of course, biased to NetWare—it was all I knew. When I first saw an NT 4 server, I thought someone was playing a joke on me. It looked just like my Windows for Workgroups OS. I was, however, impressed by how easy it was to find everything (by clicking around the GUI). Compare that to finding some obscure SET parameter or console command in NetWare and you can see how administrators seem to flock to NT. I'm not saying it is good or right, I'm just saying it happened.
I remember debating a Microsoft guy one time. At Novell we were always so proud that we were faster and more efficient than NT. We loved to quote that we only had about 12 million lines of code in NetWare compared to about 31 million in Windows 2000—more than some mainframes! I'm told that prior to NetWare 4.1, the entire NetWare code was in assembly language—now NetWare has about 90 percent of its code in C+. Anyway, back to the story. The Microsoft guy floored me when he said that they were willing to trade some CPU cycles of performance in return for easier usability—I had never heard anyone say that before. It was an honest answer. Still, the "Who's faster" dilemma was found in many technical journals—including Windows NT Magazine (now Windows 2000 Magazine), which named (surprise) NT as the faster OS in their tests—contrary to many other similar tests that name NetWare as the fastest. At Novell, we used to say that the tests showing NT as faster were the best tests Microsoft's money can buy.
Even NT-biased administrators could admit that NetWare was faster. I can tell you that there was no customer I visited, as a member of Novell Consulting, who told me that NT was faster or just as fast on the same hardware. Anyway, those debates are gone—rightfully so. Hardware and RAM are cheap enough to make up the performance difference. Now the debate is about who can best service your e-business needs. After ignoring the Internet and IP services for a long time, Novell is coming in very late in the argument (Microsoft also ignored the Internet for a while, but was faster to react). Both Novell and Microsoft provide interoperability utilities.
9.2.1 Microsoft Services for NetWare
Microsoft provides Microsoft Services for NetWare. It is a suite of 3 tools, currently selling for $150 per enterprise/company.
Directory Synchronization Services (MSDSS) synchronizes Active Directory information with NDS or the NetWare 3.x Bindery. Passwords can be synched, but only from A.D. to NetWare—never the other way as NetWare will not allow access to passwords.
File and Print Services for NetWare (FPSNW) mimics a NetWare server. A Windows 2000 (or NT 4) server can serve as another NetWare file and print server. This would serve small installations moving from NT to NetWare, or vice-versa, but has little use beyond that.
File Migration Utility provides a migration tool to go from NetWare to NT/W2K and keep ACLs.
Really, these are all migration utilities (surprise, surprise) to get you off of NetWare. Be sure you know how to migrate your NDS and file information, as well as your ACLs. Nowadays, migrating directory service data/information (to or from NDS) can be as easy as exporting it to an LDIF file and importing it into another LDAPv3 compatible directory service—such as Active Directory, iPlanet, etc. The problem then is to make sure that you do not have to support many directory services. That's where DirXML or Microsoft's Metadirectory Services come in. They both provide the ability to synchronize information from one directory service (referred to as a publishing directory service) to another (a subscribing directory service). Your biggest challenge will be to choose the publisher—eDirectory with DirXML, or Active Directory with Metadirectory Services.
9.2.2 Microsoft's client for NDS
Microsoft provides a client for IPX services, but nothing for a NetWare 5.x or 6 Pure IP client. Microsoft's IPX NDS client only uses about 25 percent of the capabilities of Novell's client. The problem with the NetWare client is removing it. There is no one utility that completely removes the NetWare client and all registry settings.
9.3 Administrator common tasks and tools
Clients are always asking me what other clients are using or doing. While most companies consider this information confidential—which is funny, because there is very little useful secret information—many administrators can benefit from solutions to common obstacles. The following is a listing of information you always wanted to know and shortcuts.
9.3.1 Volume maintenance and repair
Volume management is essential on the SYS volume, where running out of space means crashing NDS—NDS is in a hidden directory, SYS:_NETWARE. I have listed, later in this chapter, several methods of automatically purging volumes of deleted files, but I also want to relate other methods of manipulating volumes.
Change volume sizes You can shrink or add size to any volume, or even the DOS partition, with PowerQuest's Server Magic product (www.powerquest.com).
Recover volume information Recover information from volumes that aren't even mountable with OnTrack's Data Recovery for NetWare (www.ontrack.com/odrn). This utility has an impressive list of features and is Novell Yes approved.
9.3.2 CRON.NLM
Just about any server task can be automated with CRON. CRON.NLM is an unsupported administrator tool used to schedule command line tasks. This is a great utility to automate mundane tasks. Some best practices are to use CRON jobs to:
Backup NDS—save .DIB sets daily
Run the CONFIG.NLM
PURGE volumes—use a CRON job to purge your SYS volumes monthly.
9.3.3 STUFFKEY.NLM
Stuffkey is Novell's macro maker. STUFFKEY.NLM allows you to send keystrokes to any program on any screen. This gives you the ability to automate processes that require user input.
:STUFFKEY [CommandFile [options]] [/?]
:load stuffkey ? | /?
CommandFile = Full pathname of command file
Options = preface option(s) with "–" or "/" (e.g., –sv)
d=n—Delay n milliseconds between characters
s—do not view target screens during execution
r—Return to original screen when completed
v—Verbose mode (shows progress on console)
?—Display help message
Warning: I see many shops using STUFFKEY.NLM to run DSREPAIRs—don't. DSREPAIR can error out or ask for additional keystrokes—which can keep the database locked. Use CRON.NLM and the provided switches to run DSREPAIRs.
9.3.4 DSDIAG.NLM
DSDIAG is available for free download from Novell or comes with NetWare 5.1. This is a multipurpose utility used to run reports on NDS. For example, you could run a schema comparison report with DSDIAG.NLM using the –DA switch, and then run the List Schema report. You will then be able to identify schema inconsistencies. This utility can be used to:
Check the NDS version installed on servers in the tree.
Check the status on background processes running on each server.
List partition tables of each server.
List the replica rings for each partition root found.
Check and report the synchronization status of each partition root found.
Compare replica rings.
Note: This utility is also used to run reports to import into the third party software DSDESIGNER.
9.3.5 Backing up the NDS database
Back up your NDS database nightly—this, of course, can and should be done by your backup software. You would be wise to make a .DIB set of the database too. A .DIB set is a proprietary copy of the database dumped to the SYS:SYSTEM directory. The .DIB set can only be restored by Novell's technical support; therefore, don't substitute it as a backup in place of the nightly NDS backup with your regular backup software.
Note: Best Practice: Make a CRON job to do a DSREPAIR –RC nightly.
9.3.6 CPQFM.NLM
Use Compaq's CPQFM.NLM to browse the server via a C-worthy menu. (See Figure 9.1.)
Figure 9.1 My favorite utility, CPQFM.NLM, allows an administrator at the server console a full file and directory view (of even hidden directories such as SYS:_NETWARE).
This freeware utility allows you to:
View attributes
Change drives
Copy files and directories
Delete
Edit
Filter your view of files
Search
Login to remote servers
View name space information
View volume info
Find it at www.nw5occ.com.
Note: Other similar utilities are JCMD.NLM, NWCC.NLM, FILER.NLM, and TOOLBOX.NLM—all freeware utilities available at www.netwarefiles.com.
9.3.7 TOOLBOX.NLM
Novell's TOOLBOX.NLM allows the same functionality as CPQFM.NLM and more. Downloads are free at http://support.novell.com/products/nw5/patches.htm. Best Practice: Purge the SYS volume with TOOLBOX by:
PURGE SYS: -A
You can use a number of utilities to automatically purge your volumes. Cleanvol.zip and Ap101d.zip are a few. You can back up important directories, like C:\NWSERVER, with TOOLBOX as well as perform many other tasks. Take some time in a lab to learn this freeware program. Toolbox provides the following parameters:
auth—Manage authentication/connection information
beep—Ring the bell (no help available)
cat—Display file(s) on the screen
chdir (cd)—Set/View current directory or default path
copy (cp)—Copy utility
del (rm)—Delete utility
delay—Delay command
dir (ls)—Directory utility
echo—Echo a string to the console (no help available)
flag—Flag and attribute utility
map—Alias mapping
mkdir (md)—Make Directory utility
move (mv)—Move utility (alias for COPY /MS)
purge—Purge deleted files
rmdir (rd)—Remove Directory utility
shutdown—Shutdown and restart the server
startfile—Edit the Startup file (see help in newly created file)
Startfile only commands:
CDV4—Allow the CD alias in NetWare 4.x. (See CD help)
NONS—Disable long name space support
NSV4—Enable long name space on v4.x (4.11 with Support Pack 6)
tapplet—Start a Java applet
texp—Export (copy) Toolbox.NLM and all associated files
tjava—Start a Java application
tload—Load a NetWare module
tmodules—List loaded NetWare modules
trun—Execute an NCF file
tunload—Unload a NetWare module
toolbox—Toolbox main help
TOOLS—Toolbox Command List
9.3.8 Boot disk
Compaq makes a NetWare 5 boot diskette. I keep it with a collection of other utilities, mentioned here, on various diskettes. CPQBOOT.EXE creates a NetWare 5.1 boot diskette. The NetWare 5.x CD-ROM also provides instructions on how to make an IP boot disk to aid you in installing a server over the wire. Look for IPCONN_1.TXT or a Novell TID.
9.4 Server tuning
Server tuning is one of my favorite subjects. I find too many administrators intimidated by the vast array of NetWare SET parameters. I continually get excited every time a vendor, such as Compaq, publishes a white paper on NetWare server tuning on their platform. I read it hoping for some secret SET parameter information that I have never seen before, such as:
:SET SERVER TO FASTEST ALL_AROUND SPEED =ON.
What I get is an advertisement of why I should buy the latest Compaq hardware. Some of the following recommendations are found throughout the book as best practices, too. First, you have to identify where your bottlenecks are. Most admins don't know where they are, or are wrong. Obviously, buy a fast server platform to put NetWare on. Pay more attention to the I/O and RAM requirements than to the CPU speed, as NetWare is a cache engine, not CPU intensive. Novell lists the following systems, in order, as most important to the NetWare server's speed.
1. Memory/RAM
2. Processor
3. Disk and disk subsystem—use SCSI over IDE
4. Network cards, LAN speed, bus
That is Novell’s published order. My most trusted Novell expert tells me it is wrong. There are always exceptions to this order, but consider that this information comes from a great source—that’s all I can say.
1. LAN Speed Best case would be multiple 100 MB cards, but you can't run Ethernet cards above 20 to 30 percent of theoretical max due to collision back-off algorithms. (If you could get four (4) 100BaseT, you would have 400Mb × 25% wire saturation = 100Mbits or 25 MB/s.)
2. Disk Speed Going from 7,500 to 10,000rpm can give a 30 to 50 percent performance gain. Imagine the 15,000rpm SCSIs.
3. I/O Bus Speed ALL topics up to now are I/O issues. Everything in NW is I/O bound. When was the last time you needed 4 processors? Use SCSI devices when possible. This won't spare the expense (as an IDE configuration may be as much as half the cost—and Adaptec does support IDE RAID configurations [RAID levels 0, 1, 5 and 0+1] in its AAA-UDMA card). SCSI supports multitasking, command queuing, and busmastering.
4. Processor Speed
5. RAM Of course you need RAM—always. Fifty percent or more of RAM is disk cache. If you planned properly and the disk is fast enough for the intended use, disk cache isn't so critical. Of course, I will always take RAM. You need to balance all of these subsystems. When you purchase a server, well rounded is best. If you had a car that was fast, but couldn't turn, what use is it? Having 8 GB of RAM and 8 CPUs with 1 Ethernet card is useless.
Money is much better spent on improvements in that order. Assuming you have tons of LAN bandwidth and disk (SAN or big-time RAID) you will saturate the PCI bus, hence all serious servers have multiple PCI busses. Then, of course, which bus you plug the cards into makes a big difference—you want to spread it around. Also make sure you don't share interrupts on your hot cards (LAN, disk, and so on), and always use BUSMASTER cards to offload work.
I’ve been to many clients who use multiprocessor servers with 256MB RAM. This is wrong. Intel may argue with me, but for faster speed, add more RAM, increase your I/O, add NICs and increase the SET commands pertinent to your environment. According to Compaq, at maximum bandwidth:
Drive arrays could require up to 35 MB/s.
FDDI requires up to 15 MB/s.
Full duplex 100baseTX requires up to 20 MB/s.
An ATM card requires up to 20 MB/s.
For example, FDDI is 100 Mbits/sec: 15 MB × 8 = 120 Mbs. Add to that that there is overhead in token passing; you can't get above around 95 percent ring utilization. FULL DUPLEX Ethernet is 200Mbs, which divided by 8 = 25 Mbs. Then take the fact that at about 30 percent utilization, collision back-off timeouts cause enough pause/delay that you are effectively stopped dead. Try to sniff an overloaded production Ethernet. It would never get above 35 percent; the math proves it. So take 25Mbs × 35% and you have 8Mbs at the ultra max possible. So 8 as opposed to 20 is only 250 percent wrong.
Compaq, who brags to have 81 percent of all NetWare servers running on their hardware (as well as 55 percent of GroupWise servers), makes the following recommendations:
Use PCI cards versus EISA cards—especially for NICs. While the maximum bandwidth of an EISA bus is 33 MB/s, a single PCI bus provides a maximum bandwidth of 133 MB/s. This is old news nowadays.
Use PCI cards that include bus mastering and burst mode support, and balance high bandwidth PCI cards across the two PCI buses. Using this method can improve throughput by 20 percent and CPU efficiency by 50 percent. ALSO PCI is 66 MHz × 16 bits, which = 133 MBs. Of course, read the fine print. PCI cannot SUSTAIN 133 MBs; it can only BURST 133, for a maximum of 64KB.
Use DIMMs over SIMMs for RAM—Better upgrade paths, less power consumed, and DIMMs provide larger memory capabilities.
Buy hardware components like RAM from your vendor—I don't always follow this advice. I feel like the vendors are price gouging me sometimes. I can easily find better hard drive prices buying directly from IBM and better RAM prices from Crucial (www.crucial.com) or Kingston (www.kingston.com). These are reputable companies making first class hardware components that even your vendor may use. The problem is that many administrators with tight budgets try to save even more money by buying discounted parts from Smith's Little House of RAM. I can relate from personal experience that RAM inconsistencies have caused many ABENDs and much labor time. The small price savings in hardware are not worth my time in labor. What you really need is memory properly rated for the application, with the proper reliability rating. Since Compaq doesn't manufacture RAM, you need to buy A-quality RAM. Beware: whatever fails A-level specs gets dumped to consumers at the lowest street prices. You can get A-level rated RAM; it simply costs more, and most Internet sites compete on price.
Use vendor recommended configurations—Compaq, for instance, provides exacting bus, interrupt, and slot recommendations for optimizing I/O output.
Use the most updated drivers available for your hardware—Seems obvious, right? You can't believe how many times I have walked into client sites and seen drivers from 1997. Usually a driver is updated for either bugs or performance reasons. I like to wait for two or three weeks after I see a new driver released, though. Let someone else be the guinea pig. Still, always test in a lab setting, then pilot the change to a few servers before deploying system-wide.
Use Compaq's Novell Support Software Diskettes (NSSD) to support Compaq's hardware on the NetWare platform—Download the latest version from the Internet—you don't need to put them on diskettes.
Use the SMART START CD—This is a very important point. Compaq has worked with Novell to tune NetWare and relies on certain information from its RAID configuration to match its NetWare block size and other features.
Note: One of Novell’s heaviest-hitting technical people told me that he could sometimes see double the performance when using the Compaq/NetWare–specific drivers and configuration tools!
Several parameters that almost any shop can use
1. Buy more RAM. If you can only do one thing, add RAM. There are so many variables that go into how much you should buy. I can make it simple. Using 128MB as a minimum for a small office, add enough for NDS 8 to cache the entire NDS replicas that are on the server—add 4K per NDS object. One of many ways to see if you need more RAM is to go to the server console and type:
:LOAD MONITOR ➝ Disk Cache Utilization ➝ Notice the percentage of Long Term Cache Hits shown in the lower window of the screen.
If the percentage of Long Term Cache Hits falls below 95 percent, add more RAM.
2. Use a hardware RAID 5 design with a name brand server (e.g., Compaq, Dell, etc.)
3. Use SCSI hard drives for better I/O. Use hard drives with the fastest rpm. You can gain 30 to 50 percent performance by going from a 7200 rpm to a 10,000 rpm hard drive (according to Compaq's I/O tuning guide).
4. Realize that your bottleneck, in medium to large sites, may be network traffic. Use more than one network card and use specialized network cards in your server. For example, Alacritech (www.alacritech.com) makes a network adapter that offloads CPU processing to its LAN card chipset. They brag of an average performance gain of 238 percent over Intel's PRO/1000 Gigabit Ethernet adapter—with non-Gigabit tests running at more than a 400 percent improvement. Intel makes some good server NICs. Intel and Cisco share a proprietary solution for server/network load balancing/sharing.
5. Cache the entire NDS database on each server that holds an NDS replica—only available in NDS 8. This was a problem in 1995–1998. Running DSREPAIR would seem to take 4 days to run when low on RAM—20 minutes when okay.
6. Change your NDS design to a more efficient design. There are just too many variables to discuss here. See the NDS chapter for more recommendations.
7. You may notice that the packet size is set, by default, to token ring. Since most companies, outside of healthcare and some banks, seem to run on Ethernet, you can immediately change this value to 1518—some Intel NIC cards need 2048.
SET MAXIMUM PHYSICAL RECEIVE PACKET SIZE=4224 (default)
SET MAXIMUM PHYSICAL RECEIVE PACKET SIZE=1518 (or your MTU)
8. Verify your NetWare server is not allowed to auto-negotiate line speed. Force the server and the switch to the same speed. Many performance problems are solved this way. Even if you do not have problems, it doesn't hurt—and will save auto-negotiation traffic. For some reason, I have never had to troubleshoot problems relating to half-duplex forced at both ends. Full duplex—which has vendor proprietary negotiation code—has caused me much grief; therefore, I recommend half-duplex forced. If you need more bandwidth, put in a second NIC and load balance—though this is assuming the NIC card is the bottleneck.
INETCFG ➝ BOARDS ➝ YOUR_NIC ➝ MEDIA AND LINE SPEED
9. Use certified NetWare drivers (http://developer.novell.com/infosys)
10. According to Novell's performance testing, a 64KB block size for all volumes is recommended. The larger 64KB allocation unit allows NetWare to utilize the disk channel more efficiently—reading and writing more data at the same time, which results in faster access to mass storage devices and improved response times for end users. If you are using a RAID5 configuration, set the stripe depth of the RAID5 array equal to the block size (64K) of the volumes.
11. Disable compression on the SYS: volume. This can only be done upon creating the volume for the first time, or re-creating it. This will give you a little faster response time for the management utilities on the SYS volume.
12. Remove the SWAP file from SYS. Remove the burden from the SYS volume.
:SWAP ADD VOL1
:SWAP DELETE SYS
You can further tune the SWAP file by striping across several volumes—just don't use SYS as one of the volumes. Although this parameter is valid, realize that NetWare uses virtual memory for little besides the Java environment—which isn't used much on the server.
13. Create a separate volume for print queues and set the volume to immediately purge all deleted files. I like to create a print queue volume called QUEUES and make it about 500MB for heavy printing servers. Other clients make one and call it SPOOL or PRINT.
14. Up the MINIMUM PACKET RECEIVE BUFFERS in SERVMAN (4.x) or MONITOR (5.x). Check your available free buffer space first. I like to use 3000 as my minimum, 10,000 as my maximum. The best formula I've found is MAX # of simultaneous users × 2 + 20.
15. Set the maximum service processes to 1000 or 3 per connection—not per user, per connection. Also set the new service process wait time to 0.3.
MONITOR ➝ SERVER PARAMETERS ➝ MISCELLANEOUS
16. Upgrade the OS. Newer software from Novell is more efficient and effective in handling client requests as well as server side processing.
17. Patch your current version of NetWare. Patches are not only bug fixes, but feature rich additions to your company's NetWare investment. Many enhancements are realized through the service pack updates.
18. Never upgrade LOW PRIORITY THREADS
Notice I didn't recommend upgrading to a multiprocessor system. If you have unlimited money, you can. I have only found one customer so far who would have benefited from a multiprocessor system (they would have had to use NetWare 6 too, but only NetWare 5.1 was out at the time). They had 3 central servers, each with all 130+ partitions of the NDS tree, and the servers were consistently at or near 100 percent utilization. By the way, that is not a good NDS design and there are other NDS factors that can cause high utilization—synch changes, an NDS bug, etc.—that a multiprocessor system may not help. Lastly, NDS synchronization is multi-threaded for outbound synchronization and single-threaded for local write operations (in-bound replication). Finally, Novell publishes several TIDs related to server tuning. Check out TIDs 2943356, 2943472 and 2945062.
SET parameters for high volume server needs
For shops that have 1000 or more users using a server, test all or some of the following SET parameters on a beefy server:
:SET Maximum Packet Receive Buffers = 10000
:SET Minimum Packet Receive Buffers = 3000
:SET Maximum Physical Receive Packet Size = 2048 (Ethernet)
:SET Maximum Pending TCP Connection Requests = 4096
:SET Minimum File Cache Buffers = 500
:SET Maximum Concurrent Disk Cache Writes = 2000
:SET Dirty Disk Cache Delay Time = 0.5 SEC
:SET Maximum Concurrent Directory Cache Writes = 500
:SET Directory Cache Allocation Wait Time = 1 SEC
:SET Directory Cache Buffer NonReferenced Delay = 30 SEC
:SET Maximum Directory Cache Buffers = 200000
:SET Minimum Directory Cache Buffers = 1000
:SET Maximum Number Of Internal Directory Handles = 1000
:SET Maximum Number Of Directory Handles = 100
:SET Maximum Record Locks Per Connection = 10000
:SET Maximum Record Locks = 100000
:SET Enable Disk Read After Write Verify = OFF
:SET Upgrade Low Priority Threads = OFF
:SET Maximum Service Processes = 1000
:SET New Service Process Wait Time = 0.3 SEC
:SET Volume Low Warning Reset Threshold = 2048
:SET Volume Low Warning Threshold = 2048
:SET Days Untouched Before Compression = 30
:SET Minimum Service Processes = 100
NDS will take this last number (Minimum Service Processes) and divide it by 2 and limit its authentication buffers to this limit. Thus this number needs to be >=2 × the MAXIMUM number of simultaneous expected concurrent logins. Note: You may look up the meanings of each of these values in Chapter 2
Other tuning information

www.compaq.com/resellers
www.compaq.com/training
www.compaq.com/partners/novell
www.compaq.com/support/techpubs/Tech_Docs.html
www.netadmincentral.com

Client tuning recommendations are in the client chapter. NDS tuning recommendations are in the NDS chapter.
9.5 Customer hardware best practices

Many clients ask what I think the best configuration is. A hardware vendor is going to tell you the latest and greatest hardware, fiber cable maybe, and other add-ons, but my experience is that most of that is overkill. Think about where your bottleneck is now (which is probably network traffic, your NIC card, disk I/O, and RAM) and try to correct the weakest link(s) in the chain. The best idea I have seen from client experiences is:

Fast Processor—Think in terms of making the server last 3 years—it seems to be a pattern I see at client sites. Use today’s fastest processors and buses. You can, of course, save money by buying a second or third generation processor for a particular server model. I’ll say again that a multi-processor system for NetWare is overkill 97 percent of the time.

256MB-1GIG of RAM—Many variables to consider—get enough to cache whatever NDS replicas you have on the server plus extra (plan on 4K per NDS object in the replicas on the server). I cover the specific commands used to cache all of NDSv8+ later.

200MB DOS Partition—No need to have more or less—remember ABEND core dumps can now (NetWare 5.x and above) be dumped cacheless, which can make the core dumps as little as 26MB for 4 GIGs of RAM.

2GIG SYS Volume + NDS Objects—More is okay, but since you are not going to use SYS for user home directories, print queues, or applications, the SYS volume won’t grow with data, other than NDS—add space for larger NDS installations (4K per object) or servers running as DS Masters.
Best Practice: You can see how big your server’s NDS database is by making a database dump. At the server console:
:DSREPAIR -RC

You will need to find the dumped .DIB file and find out how big it is. NDS version 8 (eDirectory) writes the file to SYS:SYSTEM\DSR_DIB\00000000.$DU; NDS v7.x writes it to SYS:SYSTEM\DSREPAIR.DIB. Check the size of the file. The size of the file should determine how much space in the SYS volume and RAM (only for NDS 8) you should dedicate for NDS.

Hardware Mirror the SYS Volume and DOS partition—Hardware mirroring is more efficient than NetWare’s NWCONFIG software mirroring. Mirroring the SYS volume and DOS partition helps protect against a hard drive failure bringing down the server and NDS.

RAID 5 the rest of the Volumes plus use a hot on-board spare hard drive—This is especially important for remote sites that can’t afford to be down. A hard drive failure with RAID 5 will still preserve all information, but the spare hard drive will allow you the time to order a new hard drive and visit the remote site at your convenience.

Fast NICs—PCI 100MB at least—you should be using more than one on busy networks. See the above tuning recommendations for more (SCSI use, SET parameters, A-grade RAM, etc.).
9.6 Tuning the Network/NetWare traffic management

Sure servers SAP, but clients are responsible for most network traffic. How do you control client traffic? Consider how clients find services. They broadcast, or unicast to a name space provider, to find resources. Whether it is a WINS resolution or a Get Nearest Server (GNS) SAP, clients need an efficient method to resolve names on a network. A simple concept to solve client request traffic is to give the client information before the client requests it. If you hardcode or statically configure the clients to look at specific IP addresses or DNS names, you unicast, versus broadcast, to your source. This is easily done through the client configuration properties. To make global changes—without visiting every desktop, use:
DHCP to send multiple configuration values for DNS, WINS, SLP—almost everything
ZENworks for desktops to send down configuration pieces
Login Script to hack the workstation registry by adding configuration parameters
Configuring the client in these ways enables a direct, broadcast free, unicast to resources. For example, when a client needs a DA, the client can unicast directly to the source node to get information—versus a multicast to all nodes of the multicast group.
9.6.1 Tools that monitor network performance
Lanalyzer
Sniffer software—I love Sniffer Pro and Fluke
Monitor
DISPLAY SERVERS server console command
DISPLAY NETWORKS server console command
TRACK ON console command
PING
TPING
IPXPING
TRACERT
DSTRACE
Baseline Utilization
ManageWise
9.6.2 IPX & IP traffic management

IPX has gotten a bad rap. Almost everywhere I go, router boy asks when I am going to get IPX off of his network. Everyone wants the benefits of a single manageable protocol, but few realize the immense administrational overhead of IP—compared to IPX. When have you ever had to set a default gateway for IPX? How about WINS or DNS server configuration? Never.
It’s because of the plug-and-play nature of IPX that it is so simple. Still, IPX’s SAPs can become burdensome on large networks (they can be filtered at the router or on a NetWare server’s outbound interface). According to a popular hacking site, NETBIOS traffic, used primarily for maintaining browse lists, can eat up as much as 30 percent of your bandwidth. I have never seen this, but NETBIOS traffic is cumbersome. Your ability to decrease NETBIOS traffic can make a major positive impact on your network. Microsoft’s implementation of TCP/IP encapsulates NETBIOS in IP packets—to make NETBIOS routable. This will help maintain browse lists, but can increase traffic exponentially. NetBIOS establishes sessions (logical connections) and allows for communication between PCs—workstation to workstation. The only reason you would need NETBIOS on your network is for file and print sharing on workstations. IPX SAP or SLP IP can build browse lists if your end-users need to see server and printer resources in Network Neighborhood.

Packet level changes in NetWare 5
The IPX watchdog process is replaced by the NCP TCP keep alive interval
There is no need for LIP as TCP has its own windowing capabilities built in (UDP does not)
Viewing network traffic

View your network traffic using:
A sniffer program—like Sniffer Pro or Lanalyzer
MONITOR ➝ LAN/WAN drivers ➝ TAB on your choice of adapters
Understanding LAN driver statistics in MONITOR

Refer to Chapter 2, MONITOR section, to reference the table. Some advice:
Total cache buffers should be close to 60 percent of total memory or you need to add RAM or tune the server’s packet receive buffer settings
MONITOR ➝ Cache Utilization should be 90 percent ideally; if not, add RAM
MONITOR ➝ Processor Utilization ➝ search for NIC interrupt and become familiar with percentage for base lining
Sniffer programs

Sniffer programs are an invaluable resource to troubleshoot and optimize network issues. I use both Sniffer Pro and Lanalyzer. Often, I am asked what I look for. I look for the following problems:
Collisions
CRC Errors
MAC layer errors
Short Frames
Long Frames
Alignment Errors
Jabber
NCP failure packets
NCP request type 9999
Any NCP value other than 0 in the completion code field
Client request failures
Greater than 40 percent utilization on an Ethernet segment
Greater than 80 percent utilization on a Token Ring segment
Token Ring beaconing errors
Broadcast traffic
ICMP traffic
Top traffic devices/nodes
Protocol Distribution
More than 100 broadcasts per second
Excessive SNMP traffic—which may be caused by too many SNMP consoles
Common addresses to look for and filter on

When using the analyzer, look for and filter on the following addresses to help troubleshoot problems.
MAC layer
0xFF-FF-FF-FF-FF-FF—MAC layer broadcast
0xC0-00-FF-FF-FF-FF—Token ring MAC layer broadcast
0x00-00-00-00:FF-FF-FF-FF-FF-FF—IPX broadcast

Network layer
255.255.255.255—TCP/IP all networks broadcast

Network layer multicasts
224.0.0.1—All Systems on this Subnet
224.0.0.2—All Routers on this Subnet
224.0.0.5—OSPF (Open Shortest Path First) All Routers—RFC2328
224.0.0.6—OSPF Designated Routers—RFC2328
224.0.0.9—RIP2 (Routing Information Protocol version 2) Routers—RFC1723
224.0.0.10—IGRP (Interior Gateway Routing Protocol) Routers
224.0.0.12—DHCP Server (Dynamic Host Configuration Protocol)—Relay Agent
224.0.0.13—All PIM Routers
224.0.0.22—IGMP—Internet Group Management Protocol
224.0.1.39—Cisco Announce
224.0.1.40—Cisco Discovery
224.0.1.22—SLP General Multicast
224.0.1.35—SLP Directory Agent Multicast

Concern yourself, mostly, with the last two multicast addresses. SLP functions can be filtered on and studied. A careful analysis of the correct patterns of SLP traffic will help you identify and isolate network communication problems.
Note: A listing of all registered multicast addresses can be found at http://www.isi.edu/in-notes/iana/assignments/multicast-addresses.
Table 9.1 Common IP Ports

TCP      UDP      Function
524      524      NCP
2034     —        RCONJ
2035     —        RCONJ Proxy
2200     —        Web Manager
8008     —        Portal (httpstk.nlm)
8009     —        Portal SSL (httpstk.nlm)
3396     —        NDPS
40193    —        SMS (smdr.nlm)
427      427      SLP
21       —        FTP
53       53       DNS
80       —        HTTP
443      —        HTTPS
389      —        LDAP
636      —        LDAP SSL
—        161      SNMP
—        162      SNMP Trap
—        123      NTP
6543     —        Tivoli (tivnw4.nlm)
dynamic  —        NetPro (DXAgent.nlm)
—        dynamic  NAV v7
Common MAC/NIC addresses

If you are taking sniffer traces, it is helpful to know the Ethernet NIC vendor for MAC address resolution. You may know that MAC addresses are composed of an assigned 6-digit heading, based upon the vendor’s brand, and the last six digits identify the specific node. Your sniffer program may have a small vendor database to match common MAC addresses to vendors.
I use a spreadsheet to put in common vendor Ethernet addresses to be able to resolve server console error messages. Some server console error messages provide the MAC or NIC address attached to an informational or error message(s). A quick reference of these Ethernet vendor codes allows me to see if the offending node is a hub, printer, server or workstation. I make a spreadsheet from www.cavebear.com/cavebear/ethernet/vendor.html and keep it on my laptop. When I am at a client site, I can do a quick search on the specific vendor portion of the MAC address and inform my client of the offending node.

Ethernet vendor codes

I have been at clients that use the following to troubleshoot these problems. If on my client, I type:
C:\>NLIST USERS /A /B >MACADDRESS.TXT
I then create a text file that shows MAC address and last login time, or a simple
C:\>NLIST USER /A
gives me the MAC address along with the IPX segment. Match the NIC address against the user or node (printer, server, etc.) and you have the offending interface. For instance, if you see a MAC address starting with 00AA00 you know you have an Intel card; a 080009 is an HP. Note: The NLIST command queries against the server that you have your primary connection to. Ethernet vendor codes can be found in RFC 1700.
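The broadcast and multicast addresses listed above, the port table (Table 9.1) and the vendor prefixes are the things you filter on when reading a trace. The following Python script is an added example, not code from the book or from Novell: it decodes raw Ethernet II/IPv4 frames and reports exactly those facts, whether the destination is a MAC-layer broadcast, the all-networks IP broadcast or one of the listed multicast groups, which service Table 9.1 assigns to the destination port, and the NIC vendor of the source OUI. Only the two prefixes the chapter quotes (Intel 00AA00 and HP 080009) are filled in, the sample frames are constructed in the script rather than captured, and the names summarize_frame, build_ipv4_frame and tally_destinations are my own.

```python
"""Classify Ethernet II / IPv4 frames against the chapter's filter lists.

Added example, not from the book: flags MAC-layer and IP broadcasts and the listed
multicast groups, names the service behind a TCP/UDP destination port from
Table 9.1, and resolves the source OUI to a vendor. All frames are constructed.
"""
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

MAC_BROADCAST = bytes.fromhex("ffffffffffff")         # 0xFF-FF-FF-FF-FF-FF
TOKEN_RING_BROADCAST = bytes.fromhex("c000ffffffff")  # 0xC0-00-FF-FF-FF-FF
IP_BROADCAST = "255.255.255.255"
MULTICAST_GROUPS: Dict[str, str] = {
    "224.0.0.1": "All Systems on this Subnet", "224.0.0.2": "All Routers on this Subnet",
    "224.0.0.5": "OSPF All Routers", "224.0.0.6": "OSPF Designated Routers",
    "224.0.0.9": "RIP2 Routers", "224.0.0.10": "IGRP Routers",
    "224.0.0.12": "DHCP Server / Relay Agent", "224.0.0.13": "All PIM Routers",
    "224.0.0.22": "IGMP", "224.0.1.39": "Cisco Announce", "224.0.1.40": "Cisco Discovery",
    "224.0.1.22": "SLP General Multicast", "224.0.1.35": "SLP Directory Agent Multicast",
}
# Table 9.1: TCP column and UDP column.
TCP_PORTS: Dict[int, str] = {
    524: "NCP", 2034: "RCONJ", 2035: "RCONJ Proxy", 2200: "Web Manager",
    8008: "Portal (httpstk.nlm)", 8009: "Portal SSL (httpstk.nlm)", 3396: "NDPS",
    40193: "SMS (smdr.nlm)", 427: "SLP", 21: "FTP", 53: "DNS", 80: "HTTP",
    443: "HTTPS", 389: "LDAP", 636: "LDAP SSL", 6543: "Tivoli (tivnw4.nlm)",
}
UDP_PORTS: Dict[int, str] = {524: "NCP", 427: "SLP", 53: "DNS", 161: "SNMP", 162: "SNMP Trap", 123: "NTP"}
# Only the two vendor prefixes the chapter quotes; extend from your own OUI spreadsheet.
OUI_VENDORS: Dict[str, str] = {"00aa00": "Intel", "080009": "HP"}


@dataclass
class FrameSummary:
    src_mac: str
    vendor: str
    dst_kind: str                  # unicast | mac-broadcast | ip-broadcast | multicast
    group: Optional[str] = None    # multicast group name, if any
    service: Optional[str] = None  # Table 9.1 name for the destination port, if any


def _fmt_mac(raw: bytes) -> str:
    return "-".join(f"{b:02X}" for b in raw)


def summarize_frame(frame: bytes) -> FrameSummary:
    """Decode just enough of the frame to answer 'who sent this, and to whom?'."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    summary = FrameSummary(_fmt_mac(src), OUI_VENDORS.get(src[:3].hex(), "unknown"), "unicast")
    if dst in (MAC_BROADCAST, TOKEN_RING_BROADCAST):
        summary.dst_kind = "mac-broadcast"
    if ethertype != 0x0800 or len(frame) < 34:   # not IPv4 (e.g. IPX 0x8137), or truncated
        return summary
    ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length in bytes
    proto = frame[23]                             # 6 = TCP, 17 = UDP
    dst_ip = ".".join(str(b) for b in frame[30:34])
    if dst_ip == IP_BROADCAST:
        summary.dst_kind = "ip-broadcast"
    elif dst_ip in MULTICAST_GROUPS:
        summary.dst_kind, summary.group = "multicast", MULTICAST_GROUPS[dst_ip]
    l4 = 14 + ihl
    if proto in (6, 17) and len(frame) >= l4 + 4:
        dport = struct.unpack("!H", frame[l4 + 2:l4 + 4])[0]
        summary.service = (TCP_PORTS if proto == 6 else UDP_PORTS).get(dport)
    return summary


def tally_destinations(frames: Iterable[bytes]) -> Counter:
    """Broadcast/multicast/unicast mix of a capture, the first thing to eyeball on a busy segment."""
    return Counter(summarize_frame(f).dst_kind for f in frames)


def build_ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport) -> bytes:
    """Constructed test frame: Ethernet II + IPv4 + minimal TCP(20)/UDP(8) header, checksums zero."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * (16 if proto == 6 else 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes(int(o) for o in dst_ip.split(".")))
    return bytes.fromhex(dst_mac.replace("-", "")) + bytes.fromhex(src_mac.replace("-", "")) + b"\x08\x00" + ip + l4


# Constructed sample capture: an SLP DA multicast from an Intel NIC, an NCP request
# from an HP NIC, and an all-networks broadcast (DHCP discover style).
SAMPLE_FRAMES = {
    "slp_da": build_ipv4_frame("00-AA-00-11-22-33", "01-00-5E-00-01-23", "10.1.1.5", "224.0.1.35", 17, 427, 427),
    "ncp":    build_ipv4_frame("08-00-09-44-55-66", "00-C0-4F-00-00-01", "10.1.1.6", "10.1.1.1", 6, 1025, 524),
    "bcast":  build_ipv4_frame("00-11-22-33-44-55", "FF-FF-FF-FF-FF-FF", "0.0.0.0", "255.255.255.255", 17, 68, 67),
}

if __name__ == "__main__":
    for label, frame in SAMPLE_FRAMES.items():
        print(label, summarize_frame(frame))
    print(tally_destinations(SAMPLE_FRAMES.values()))
```

Feed it the bytes of frames exported from Lanalyzer or Sniffer Pro and the tally tells you at a glance how much of a capture is broadcast or multicast, while the per-frame summary gives the vendor portion of the MAC for the NLIST cross-check described above.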
9.6.3 SAPs

SAP identification is essential to troubleshooting and promoting a healthy network. Many unneeded SAPs can be filtered at the server or router level. I list common SAPs that you may encounter. How many SAPs do you have on your network? For a quick view, go to your server console and type:
:DISPLAY SERVERS
At the end of the display, you will see a line that tells you how many known services (SAPs) there are.
Document your entire network’s SAPs. You can use a SAP table to identify IPX dependencies on your network—which will aid in your transition to a Pure IP network.

SAP packets are made up of server name, network address, node address, socket number, and intermediate networks fields. Up to 7 sets of this information can be found in one packet (I usually seem to see up to 5 services in traces). Each SAP packet service request requires a minimum of 64 bytes of bandwidth—seven can fit into a single packet, which would be 494 bytes. SAPs broadcast once per minute. The formula for figuring out SAPs is:
# of SAPs ÷ 7 × 494 bytes ÷ 60 seconds = number of bytes per minute
An example of 1100 SAPs:
1100 ÷ 7 × 494 ÷ 60 = 1293 bytes per minute
This is a bit deceptive as the bytes are not spread out over a minute, but are all sent at about the same instant each minute.

SAP information broadcasts

Types of SAP packet broadcast:
Initial Broadcast—Each server advertises its services via IPX SAP broadcast when booted and every 60 seconds
Discovery—All servers and routers accept SAP information broadcasts and store the information in routing tables or, in NetWare’s case, its BINDERY and/or NDS too
Availability—Clients or servers query the server for information; the server responds with information from NDS or its BINDERY
Name Resolution—The server may provide name-to-IPX mappings, thus providing name resolution. NDS may also provide name resolution

SAP Types

Document the SAPs on your network. Use Novell’s SAP Snoop freeware utility on their cool solutions Website. You can also view SAPs in IPXCON ➝ Services. The format for SAP types is:
SAP Type in Hex—Function or purpose of SAP
4—File server—equivalent to bindery.novell in TCP/IP SLP. Also, recently Novell has introduced the nwserver.novell SLP URL as a possible replacement for the currently used bindery.novell, which is confusing to customers. The server is not a NetWare 3.x bindery server—the name just keeps carrying over.
7—Print Servers
20—NetBIOS
2e—ARCserve 5.0
47—Print Servers
64—ARCserve
66—ARCserve 3.0
102—ManageWise Virus Protect/LANDesk Virus Protect
112—Print Server (HP)
173—Compaq
174—Compaq SNMP Agent
175—Compaq
1bf—Intel LanDesk Manager
233—NMS Agent or NetWare Management Agent 1.6 for ManageWise 1.0. This SAP is used by the ManageWise NXPIPX.NLM module to identify manageable servers.
237—ManageWise NetExplorer Server
239—HMI-Compliant Hubs. This SAP is used by the ManageWise NXPIPX.NLM to identify compliant hubs in the segment maps.
23a—NetWare LANalyzer Agent (NLA). This agent is used in the ManageWise suite and by the NXPLANZ.NLM to discover all servers that have the NLA module loaded.
26a—ManageWise Console used by FINDNMS.NLM. Do not filter this SAP if you are running the ManageWise console anywhere in your enterprise.
26b—Time Synchronization Server—equivalent to timesync.novell in SLP
27b—NetWare Management Agent 2.1 for ManageWise 2.0. Used by NXPIPX.NLM on the NetExplorer server to identify manageable servers.
278—Directory Server—a server that contains an NDS replica on it. This is equivalent to an ndap.novell server in SLP.
27b—NetWare Management Agent
30c—HP JetDirect Print server
394—NetWare SAA Gateway
3c4—ARCserve 4.0 (Cheyenne)
44c—ARCserve 5.01
580—McAfee’s NetShield anti-virus
640—Microsoft Gateway Services for NetWare—Microsoft RPC SAP
64e—Microsoft Internet Information Server
67b—Microsoft Win95/98 File and Print Sharing for NetWare
67c—Microsoft Win95/98 File and Print Sharing for NetWare
7D7—FAXServe Cheyenne
Note: For a complete listing of SAPs see http://www.isi.edu/in-notes/iana/assignments/novell-sap-numbers or Novell’s listing by TIDs at http://support.novell.com.
9.6.4 RIP traffic

Never ever let router boy filter RIPs. RIPs are essential for IPX communications. For every SAP in the server’s cache, there must be a corresponding RIP. If there isn’t, NetWare will age the SAPs out of each server’s cache—leaving the server stranded (no routes to get to it). Although RIP traffic broadcasts every minute, it is not nearly the bandwidth hog that SAPs are. To find out how many RIPs are on your network (roughly), go to your server console and type:
:DISPLAY NETWORKS
RIP traffic can be seen on the server console screen by:
:TRACK ON
Turn it off by:
:TRACK OFF
You will see the number of known networks—which equals the number of IPX RIPs. Remember, IP can use a RIP protocol too—either RIP I or RIP II. Note: RIP II supports additional functionality that your network may need—use it instead of RIP I. Talk to router boy about what he thinks—he’ll be glad you asked.

RIP packets can be calculated like SAPs. RIP packets can fit up to 50 advertisements per packet. The standard packet is about 446 bytes.
# of total RIPs ÷ 50 × 446 ÷ 60 = amount of bytes taking up bandwidth
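The SAP packet layout from 9.6.3 and the SAP and RIP arithmetic above can be checked with code. The following Python script is an added example, not code from the book or from Novell: it builds and parses IPX SAP response packets using the standard 30-byte IPX header and the 64-byte SAP entry (service type, 48-byte server name, network, node, socket, hops), names the entries from the 9.6.3 type list, tallies a capture into a SAP table, and applies the chapter's two formulas. Two things the arithmetic shows: the chapter's 494-byte SAP packet is exactly a 14-byte Ethernet header plus the 30-byte IPX header, a 2-byte operation field and seven 64-byte entries, and the 446-byte RIP packet is the same headers plus fifty 8-byte entries (network, hops, ticks); and because the division by 60 spreads the once-per-minute burst over a minute, that quotient is an average rate per second, while the figure before dividing is the size of each minute's burst. The packet bytes are constructed, and the names build_sap_response, parse_sap, tally_sap_types, sap_traffic, rip_traffic and link_utilization_percent are my own.

```python
"""Build and parse IPX SAP packets and size SAP/RIP broadcast traffic.

Added example (not the book's or Novell's code). IPX header and SAP/RIP entry
layouts follow the standard IPX wire format; sample packets are constructed.
"""
import struct
from collections import Counter
from typing import Dict, List, Tuple

IPX_HEADER_LEN = 30      # checksum, length, transport control, type, dst net/node/socket, src net/node/socket
SAP_ENTRY_LEN = 64       # service type(2) + name(48) + network(4) + node(6) + socket(2) + hops(2)
RIP_ENTRY_LEN = 8        # network(4) + hops(2) + ticks(2)
ETHERNET_HEADER_LEN = 14
SAP_SOCKET, RIP_SOCKET = 0x0452, 0x0453
SAP_PER_PACKET, RIP_PER_PACKET = 7, 50
# Chapter figures: full SAP packet 494 bytes, full RIP packet 446 bytes, both broadcast once per minute.
SAP_PACKET_BYTES = ETHERNET_HEADER_LEN + IPX_HEADER_LEN + 2 + SAP_PER_PACKET * SAP_ENTRY_LEN   # 494
RIP_PACKET_BYTES = ETHERNET_HEADER_LEN + IPX_HEADER_LEN + 2 + RIP_PER_PACKET * RIP_ENTRY_LEN   # 446
BROADCAST_INTERVAL_SEC = 60

# SAP type numbers quoted in section 9.6.3 (type -> purpose)
SAP_TYPES: Dict[int, str] = {
    0x004: "File server", 0x007: "Print server", 0x020: "NetBIOS",
    0x26B: "Time Synchronization Server", 0x278: "Directory Server (NDS replica)",
    0x30C: "HP JetDirect print server", 0x580: "McAfee NetShield",
    0x640: "Microsoft RPC (GSNW)",
}
IPX_HDR = "!HHBB4s6sH4s6sH"   # 30 bytes
SAP_ENTRY = "!H48s4s6sHH"     # 64 bytes


def build_sap_response(services: List[Tuple[int, str]], src_net: bytes = b"\x00\x00\x00\x01",
                       src_node: bytes = b"\x00\x00\x1b\x01\x02\x03") -> bytes:
    """Constructed general service response (operation 2) advertising up to seven services."""
    if len(services) > SAP_PER_PACKET:
        raise ValueError("a SAP packet carries at most seven entries")
    body = struct.pack("!H", 2)
    for stype, name in services:
        body += struct.pack(SAP_ENTRY, stype, name.encode("ascii"), src_net, src_node, 0x0451, 1)
    header = struct.pack(IPX_HDR, 0xFFFF, IPX_HEADER_LEN + len(body), 0, 4,
                         src_net, b"\xff" * 6, SAP_SOCKET, src_net, src_node, SAP_SOCKET)
    return header + body


def parse_sap(pkt: bytes) -> Tuple[int, List[dict]]:
    """Return (operation, entries) for an IPX packet addressed to the SAP socket."""
    (_, length, _, _, _, dst_node, dst_sock, _, _, _) = struct.unpack(IPX_HDR, pkt[:IPX_HEADER_LEN])
    if dst_sock != SAP_SOCKET:
        raise ValueError(f"destination socket 0x{dst_sock:04x} is not SAP")
    body = pkt[IPX_HEADER_LEN:length]
    operation = struct.unpack("!H", body[:2])[0]
    entries = []
    for off in range(2, len(body) - SAP_ENTRY_LEN + 1, SAP_ENTRY_LEN):
        stype, name, net, node, sock, hops = struct.unpack(SAP_ENTRY, body[off:off + SAP_ENTRY_LEN])
        entries.append({
            "type": stype,
            "purpose": SAP_TYPES.get(stype, f"unknown (0x{stype:x})"),
            "name": name.split(b"\x00", 1)[0].decode("ascii", "replace"),
            "network": net.hex(), "node": node.hex(), "socket": sock, "hops": hops,
            "broadcast": dst_node == b"\xff" * 6,
        })
    return operation, entries


def tally_sap_types(packets: List[bytes]) -> Counter:
    """Count advertised services by purpose across captured packets, i.e. a SAP table."""
    counts: Counter = Counter()
    for pkt in packets:
        _, entries = parse_sap(pkt)
        counts.update(e["purpose"] for e in entries)
    return counts


def sap_traffic(sap_count: int) -> Tuple[float, float]:
    """Chapter formula: SAPs / 7 x 494 bytes; returns (bytes per minute burst, average bytes per second)."""
    per_minute = sap_count / SAP_PER_PACKET * SAP_PACKET_BYTES
    return per_minute, per_minute / BROADCAST_INTERVAL_SEC


def rip_traffic(rip_count: int) -> Tuple[float, float]:
    """Chapter formula: RIPs / 50 x 446 bytes; same units as sap_traffic."""
    per_minute = rip_count / RIP_PER_PACKET * RIP_PACKET_BYTES
    return per_minute, per_minute / BROADCAST_INTERVAL_SEC


def link_utilization_percent(sap_count: int, link_bps: int) -> float:
    """Average share of a link taken by SAP broadcasts alone (SAP frame bytes only, no WAN framing)."""
    _, bytes_per_sec = sap_traffic(sap_count)
    return bytes_per_sec * 8 / link_bps * 100


if __name__ == "__main__":
    # Constructed trace: one server advertising its file, directory and timesync services.
    pkt = build_sap_response([(0x004, "FS1"), (0x278, "FS1"), (0x26B, "FS1")])
    op, entries = parse_sap(pkt)
    for e in entries:
        print(f"type 0x{e['type']:03x} {e['purpose']:<32} {e['name']} net {e['network']} node {e['node']}")
    print("1100 SAPs:", sap_traffic(1100))
    print("2000 SAPs on 56K:", round(link_utilization_percent(2000, 56000), 1), "%")
```

Running it on packets exported from a trace gives the same type counts the SAPMON/SAP Snoop log would, and link_utilization_percent lets you size a WAN link before the SAPs hit it; it counts only the SAP frame bytes, so add the link's own framing overhead on top.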
9.6.5 Online resources for packet traffic analysis

www.iana.org—Internet Assigned Numbers Authority is responsible for the field values in packets
www.ieee.org—Institute of Electrical and Electronics Engineers provides 802.x information
www.ietf.org—Internet Engineering Task Force provides Requests For Comment (RFCs)
www.packet-level.com—If you don’t know who Laura Chappell is, you haven’t been sniffing enough. Enjoy her insight and Website.
www.sniffer.com—Home of Sniffer Pro.
www.nai.com—Novell’s TID 2937503.

Address Resolution Protocol parameter

Address Resolution Protocol (ARP) maps IP addresses to NIC or MAC addresses (done by a switch, router, or server). Chapter 4 details the function of ARP on the network. Chapter 1 provides client utilities to troubleshoot ARP. The most common command is ARP -A. The Address Resolution Protocol (ARP) is specified in [RFC826]. ARP has brother and sister protocols. The Reverse Address Resolution Protocol (RARP) specified in [RFC903] uses reverse codes. The Inverse Address Resolution Protocol (IARP) is specified in [RFC1293].
9.6.6 Recommendations to tune your network

Network tuning is essential to proper administration. A 56K remote connection serving a network with 2000 SAPs will be about 38 percent saturated with SAP broadcasts alone. I offer the following recommendations, based upon my experience:

1. Use a single frame type, when possible, on clients and servers. Each frame type will SAP its services in an IPX world. This is bad.
3 (frame types on each server) × 5 (average number of SAPs per server) × number of servers = too many SAPs
Some of my clients standardize on Ethernet II—for both IP and IPX protocols. Hopefully, you will at least try to pare down to 2 frame types on your server. According to Laura Chappell, Ethernet II, which is the default for IP, is the cleanest frame type to use.

2. Specify your workstation’s frame type. The auto frame type option is a farce. What happens is your client broadcasts out each possible frame type, upon every reboot, and binds the first one it finds. This will put out about 20 broadcasts per client per boot up.
# of clients × 20 broadcasts per boot = way too many
See Chapter 1 for more client information.

3. Subnet your segment. Subnetting will confine broadcast traffic, reduce congestion and provide better security. If I were an administrator who wanted to play network games with other IS people, I would want to subnet my segment to keep the traffic local and sniffers from finding out about my game. Get the idea?

4. Upgrade your server’s connection to a 100MB switched port.

5. Force the server and switch to half-duplex. There is no standard for a full-duplex negotiation algorithm, which causes much wailing and gnashing of teeth by administrators. I have never been privy to a forced full-duplex switched connection working as designed—though that is not to say it never works. There are many TIDs about forcing half instead of full duplex for these very reasons.

6. For bandwidth intensive server connections, use load balancing on multiple NICs. You may know that with today’s fast software and network connections, the NIC is many times your bottleneck—actually it is the bandwidth coming into the interface which causes the NIC to offload the processing to the CPU. NSI Software makes a product that several consultants and clients have raved about—Balance Suite (www.nsisoftware.com/pages/brmennet.htm and www.nsisw.com). The product also provides disaster recovery operations—it can immediately reroute traffic off of a failed NIC to one of the other active server NICs. Intel and Cisco have teamed up for a proprietary solution. You can also look for 3Com and other major NIC vendors to have load balancing solutions.

7. Control client side WINS broadcasts. A Microsoft client goes through NetBIOS name cache, WINS, broadcast, LMHOSTS, HOSTS, and Domain Name System (DNS) to resolve a name. The H-Node name resolution is the preferred way to perform a lookup. You can control your client’s node type name resolution through DHCP (WINS/NetBT node type and specify the WINS server).

8. Control client 640 SAPs. Microsoft, somehow, created a client RPC SAPing problem—curious, huh? WIN9x and WINNT 4.0 workstations may SAP Type 640.
Note: To see this problem on your NetWare server, go to IPXCON ➝ SERVICES ➝ Display selected entries ➝ Type ➝ 640 ➝ ESC ➝ Proceed with selection made. How many type 640 SAPs do you see? Many times there are more type 640 SAPs than any other type. Block these at the router level. The fix for WINNT is applying SP5 or later. No such luck with WIN9x clients. You have to hack the registry. Use ZENworks for desktops to throw down a reg hack. Think of having this problem at a client with 30,000 workstations, each SAPing once per minute over the enterprise—I’ve seen it.

9. Use an ICS cache box to speed up your Internet access. Dell, Compaq, Toshiba and others sell the cache boxes. I have measured up to an 80 percent cache hit rate for clients using this technology. Bringing Web content into 10/100MB LAN speed range can vastly improve access.
http://www.dell.com/us/en/biz/products/series_pwrap_servers.htm
http://www.compaq.com/tasksmart/cseries/index.html
Both sites have sizing tools. Compaq has a fantastic free deployment guide filled with strategies and ideas. Dell is usually the more cost efficient of the two.

10. Do not enable file and print sharing on workstations. This can increase network traffic dramatically.

11. Identify all SAPs on the wire. Use Novell’s SAPMON tool. It can be found in the coolsolutions part of the Novell Website (http://www.novell.com/coolsolutions/freetools.html). Look for sapsnoop.zip. I use this tool often—though it is a bit slow. You can save the info to a .LOG file and then import it into an Excel sheet. Notice the common SAP types and identify them with the SAP types in this Appendix. Controlling/blocking 640 type SAPs should be your first priority. Pretty the sheet up and present it to your client or supervisor and to router boy. Neither one will do anything about it, but it will enable you to cover yourself when network problems occur.

12. Filter unneeded IPX SAPs at the router level—or at the NetWare server if router boy is unwilling. Use access or deny lists over your enterprise’s routers to filter unneeded SAPs from segments. The following chart (Table 9.2) shows some SAPs that can be blocked and how to still maintain service with the SAP blocked. Test blocking these SAP types in a lab first, then block them. Never filter SAPs 4, 26B or 278. If you want to get rid of the timesync SAP, use configured sources or the timesync freeware NLM that uses the type 4 SAP.

Table 9.2 Common SAP Types

SAP Type   Purpose           Can be turned off by . . .
26B        Timesync          Use configured time sources for ALL servers
03E1       Telnet RCONSOLE   Disable Telnet access to the server; use the new RCONJ with encrypted password option
107B       SPX RCONSOLE      Either use the IP RCONJ or use the NDS-aware freeware RCONSOLE—which uses SAP type 4
4B         BTRIEVE           Upgrade BTRIEVE-dependent applications
640        MS Client         Just disable it at the router; this is a junk SAP

13. Block unneeded frame types at the router level. Many times print servers are configured to support every frame type; therefore, they let SAP propagate over every frame type.

14. Look for the errors in your network via a sniffer program or SNMP enabled application like HP Openview, ManageWise, Tivoli, etc. When found, trace and fix the problem nodes. Many times it is much cheaper to update the driver and/or replace an offending NIC rather than to spend a couple hours troubleshooting it.

15. Go to http://www.packet-level.com/ and look over all of the information Laura Chappell has about network tuning and protection (e.g., disallow UDP port 19 through your firewall, unless you have a great need for client/server character generation, as this is a popular port for Denial of Service (DoS) attacks, etc.). You’ll love this site.

16. Use a “sniffer” protocol analyzer on important segments often to baseline your network. It is important to educate yourself to know what you are looking at. Capturing network traffic is one of the best ways to troubleshoot network problems. You must understand what you are looking at, obviously, to know what changes to recommend. I like Laura Chappell’s Website for protocol analysis http://www.packet-level.com/. Popular sniffer programs are Lanalyzer by Novell, Sniffer, and Sniffer Pro by Network Associates.
9.7 Lost facts

I have always loved inside information, shortcuts, and little known facts. Working for a vendor has a certain appeal to someone like that. You would think that I am privy to all kinds of secrets and unknown switches and commands. It would, therefore, surprise you to know that I don’t know many proprietary tricks. And while I obviously can’t give confidential information away, I have been able to compile some of my favorite hints, tricks, and hidden time savers.
DOS fans can browse the server’s files from the server console by using NetBasic. Type:
:netbasic
:shell
You are now free to use basic DOS commands.
9.7.1 Mount the DOS partition as a volume

NetWare 5 allows for the DOS partition to mount as a volume. Note: If you do this, unload it when you are done, as an ABEND while mounted could cause the DOS FAT sectors to become corrupted.
:DOSFAT.NSS
or
:NSS DOSFAT ➝ accept the on-screen warning

View the DOS partition you just mounted:
:Volume
:LOAD not necessary

The LOAD command in NetWare 5.x+ is unnecessary. And, if an .NLM is already loaded, you don’t get the dumb message that it is already loaded; you are taken directly to the .NLM. You do have to use the LOAD command for drivers.

SHOWLOGO.NLM

SHOWLOGO.NLM is the annoying NetWare bitmap that displays upon each boot. Load the server with the no logo switch to avoid the advertisement.
C:\>SERVER.EXE -nl
TOOLBOX

Keep a copy of the TOOLBOX.NLM (or other tools/NLMs that your client won’t let you copy on his server) with you on a diskette for easiest access to server shortcut utilities.
Licensing

Keep a copy of your company’s MLA or CLA, if applicable. You can reload licenses any time you see a problem—which was often for me.

What has changed since the install?

See what SET parameters have changed since the server was installed:
:display modified environment

Change SET parameters to their defaults

Get a chance to see every one of the changed SET parameters—one at a time, like the DOS F8 command—and to reset them to their original settings by:
:reset environment

See all of the hidden SET commands

View the hidden SET parameters either through MONITOR or the CSET command:
:MONITOR !H
Use the CSET command:
:CSET
You have to be exact with the CSET command; choose from:
Communications
Memory
File caching
Directory caching
File system
Locks
Transaction tracking
Disk
Time
NCP
Miscellaneous
Error handling
Directory services
Multiprocessor
Service location protocol
Licensing services
For example:
:CSET file system

You are walked through each possible choice and asked if you want to change it. Note: The CSET command allows one to view all of the hidden SET parameters—just like:
:MONITOR !H

Get to the Console Prompt Fast

ALT+ESC then ESC

Find out if an .NLM or other module is loaded on the server

Wonder if an .NLM is loaded? A great troubleshooting trick:
:m whatever.nlm
Wildcards are supported. I can see if the SLPDA.NLM is loaded by:
:m slp*
Or list all .NLMs that start with N:
:m n*
You get the idea, run with it.

Warm boot the server

In NetWare 4 you could:
:REMOVE DOS ➝ DOWN ➝ EXIT
and the server would warm boot. NetWare 5 needs only the new console command of:
:RESET SERVER
Add an icon to the Windows Startup group through the login script

Look for the ADDICON freeware utility on one of the shareware sites.
IF MEMBER OF “SPECIAL GROUP” THEN
#ADDICON.EXE=NAL.EXE
END

Shortcuts to console commands

I see many administrators using .NCF files to automate long commands. Try the ALIAS command instead. I get tired of typing VOLUME all of the time, so try:
:ALIAS alias command
:ALIAS v volume
I can now type just a V for volume information. Use this shortcut to save keystrokes. In NetWare 4.x the command worked only until the server rebooted; in NetWare 5.x the commands are saved and work continually.

ABEND information at your fingertips

Sort of. Use Novell’s new Website to submit your ABEND.LOG files for server specific ABEND information (http://abend.provo.novell.com).

Login script messages

Use the freeware utility Sayit to announce messages to your end-user community (see Figure 9.2). It is one of the easiest setups I have ever seen. Read the readme.txt. Found at www.novell.com/coolsolutions/freetools.html.

I wonder how Novell did it internally

www.tinypineapple.com/luddite/beigepapers details Novell’s internal rollout of its own technology. It is written by a secret author, who works at Novell.

[Figure 9.2 Sample end-user announcement.]
Backup/migrate your most important users’ information
Starting at NetWare 5.1, Novell uses WebDAV to support Microsoft Office’s offline files. Use a login script to back up your most important users’ registries. If your clients’ OSes are WIN98 or later, you can make the OS run the Registry Checker (SCANREGW.EXE) and save the files in cabinet form (a .CAB compressed file) plus the SYSTEM.INI and WIN.INI. There are also VBScript and other freeware scripts that you can use to back up your system’s most important information. Once it is backed up, use a login script at each boot to redirect the backup to the user’s server home directory. I like to keep all of my files in the MY DOCUMENTS folder and back up the folder whenever I get to my home lab. You can do the same for your power users. When you back up, consider backing up the user’s MY DOCUMENTS folder (assuming that it is the location your users are putting their files), Netscape and/or IE favorite bookmarks, e-mail address book, e-mail mailbox info, templates and registry. This strategy then allows you to use standardized workstation images and still lets users keep personal and personalized information if the workstation is nuked. Microsoft provides a free tool called the User State Migration Tool to migrate your customized settings from one computer to another. There are also several third-party tools, such as Altiris’s PC Transplant Pro, Miramar Systems’ Desktop DNA, and Tranxition’s Personality Tranxport Professional (PT Pro). http://www.microsoft.com/windows2000/library/resources/reskit/tools/default.asp

CDROM
No more having to remember the archaic CD-ROM command line utilities; just type either:
:CDROM
or
:CD9660.NSS
Better yet, put one of them in your AUTOEXEC.NCF file and you will be able to mount and dismount CD-ROM volumes by simply inserting and/or ejecting the media. That’s it.
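The login-script backup idea above, written out as an added example (this batch file is not from the book, Novell or Microsoft). It assumes the container login script calls it with #F:\PUBLIC\USRBKUP.BAT after mapping H: to the user’s home directory; the drive letters, the script’s location and the H:\BACKUP layout are all assumptions. Only the Registry Checker (SCANREGW.EXE) and the Windows 98 XCOPY switches it uses are real.

```batch
@ECHO OFF
REM USRBKUP.BAT - added example; not from the book, Novell or Microsoft.
REM Assumed to be called from the container login script with
REM     #F:\PUBLIC\USRBKUP.BAT
REM after the script has mapped H: to the user's home directory (drive letters
REM and the script's location are assumptions). Copies the Registry Checker
REM cabinets, WIN.INI, SYSTEM.INI and My Documents to H:\BACKUP so that a
REM re-imaged workstation can be restored from the server copy.

IF NOT EXIST H:\NUL GOTO NOHOME
IF NOT EXIST C:\WINDOWS\SCANREGW.EXE GOTO NOSCANREG

REM Ask the Windows 98 Registry Checker for a fresh backup; it writes
REM RBnnn.CAB files into C:\WINDOWS\SYSBCKUP.
START /W C:\WINDOWS\SCANREGW.EXE /BACKUP

REM /D copies only files newer than the server copy, /Y suppresses prompts,
REM /S brings over subdirectories, /I creates the target directory if needed.
XCOPY C:\WINDOWS\SYSBCKUP\*.CAB H:\BACKUP\REGISTRY\ /D /Y /I
XCOPY C:\WINDOWS\WIN.INI H:\BACKUP\REGISTRY\ /D /Y
XCOPY C:\WINDOWS\SYSTEM.INI H:\BACKUP\REGISTRY\ /D /Y
XCOPY "C:\My Documents\*.*" H:\BACKUP\DOCS\ /S /D /Y /I
GOTO END

:NOHOME
ECHO H: is not mapped to a home directory; nothing backed up.
GOTO END

:NOSCANREG
ECHO Registry Checker not found; this client is not WIN98 or later.

:END
```

Because the copies use /D, repeated logins only move files that changed since the last backup, so the login delay stays small once the first copy has been made.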
Diskhog
Use the DISKHOG (or similar freeware) utility found on the www.novellshareware.com shareware site. Use DISKHOG to find how much space each user is taking up on a per-volume basis. It should be noted that other third-party companies can do the same thing better, but their tools are not free.
C:\>DISKHOG [username] [/descending] [/File=] [/Screen]
Compare two directories to see what is different
Microsoft puts out an unsupported utility, FILEIMG.EXE, found on its support site (support.Microsoft.com) under the download FI_TOOL.EXE. This utility can give you detailed information about directory files, but more importantly, it can compare two images to determine which files in a directory have changed.

Compare two files to see what is different
Again, Microsoft provides the free graphical WINDIFF utility to compare two directories or files. The differences in the files are highlighted. You can find it on Microsoft’s Website or sometimes on the OS CD; for example, on the WIN98 CD it is in \tools\reskit\file.

Useful NDIR commands
Chapter 1 lists client utilities used to manage files. A few favorite commands are:
C:\>NDIR *.* /ACCESS BEF 12-06-00 /SUB > OLDSTUFF.TXT
Shows files not accessed since December 06, 2000 and writes the list to a file called OLDSTUFF.TXT.
C:\>NDIR *.* /SIZE GR 700000
Lists files larger than the indicated size.
C:\>NDIR *.* /OWNER EQ JJOHNSON
Looks for files owned by a specific user.
Appendix
Additional quick-reference information that I wanted and needed as a consultant from Novell is found here.
A.1 Troubleshooting high utilization on a NetWare server
High utilization is a common complaint. Novell publishes a great document outlining many troubleshooting ideas that apply to more than high utilization. Download the document from Novell’s TIDs and/or downloads, print it, and keep a copy in this book.
Server tuning can be found in Chapter 9.
Network tuning can also be found in Chapter 9.
Client tuning can be found in Chapter 1.

A.2 Ethernet packet structure
For traces and reference, see Figure A.1. Each packet piece is described below, with the part it plays in communication.
Preamble—A 64-bit (8-octet) field that begins the Ethernet frame, though it is not counted in the frame length and is not part of the frame. The first 7 octets have the bit pattern 10101010 and the last octet ends with 10101011.
Destination Address—A 48-bit (6-octet) field that indicates the nodal address of the receiver (Where am I going to? What is my goal?)
Figure A.1 Ethernet packet structure. (Preamble: 8 octets | Destination Address: 6 octets | Source Address: 6 octets | Type: 2 octets | Data: minimum 46 octets, maximum 1500 octets | FCS (CRC): 4 octets)
Source Address—48-bit (6-octet) address field of the sending node (Where did I come from?)
Type—16-bit (2-octet) field called the EtherType, which describes the data the frame carries. For example, IPv4, X.25 and ARP are all kinds of EtherType, or data identification, used to let the upper OSI layers know what kind of data to expect. This part of the packet describes the why of the packet (e.g., Where do I belong? With other ARP messages?)
Data—The payload. This is the very soul of the packet; the reason for its existence is to house the data portion. The minimum data portion of the packet is 46 octets (information that takes less than 46 octets is padded with zeros). The maximum is 1500 octets (which is the most efficient, as it carries more information in fewer packets). Answers the questions, “What is my purpose here on earth?” “What message do I bring?”
FCS (CRC)—Frame check sequence, a cyclic redundancy check that verifies frame integrity.
A.2.1 TTL
The 8-bit time-to-live field inside the IP packet keeps the packet from bouncing around the network forever. The TTL numbers the days of an IP packet, which prevents packet overpopulation. It is the grim reaper of the packet world. The maximum TTL value is 255, which translates to 4.25 minutes. Each router will decrement the TTL value by a minimum of one. The packet is discarded when its TTL value reaches 0. The initial value of the TTL field depends on the IP stack you are using:
Windows NT 4.0—128
Windows 9x, NT 3.5 (Q120642)—32
Unix—30
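The frame layout of A.2 and the TTL rule of A.2.1, as an added worked example (this is not code from the book or from Novell). It assembles an Ethernet II frame around a constructed IPv4 header, pads the payload to the 46-octet minimum, computes and verifies the FCS, and counts how many routers a packet with a given TTL survives. The MAC addresses and the 192.0.2.x / 198.51.100.x IP addresses are documentation values, not real hosts.

```python
"""Added example (not from the book): build a minimal Ethernet II frame carrying an
IPv4 header, parse it back, verify the FCS, and model the per-router TTL decrement
described above. All addresses are documentation values and the frame is assembled
by this script itself; nothing is read from a network."""
import struct
import zlib

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}  # a few well-known EtherTypes
MIN_PAYLOAD = 46     # octets; shorter payloads are padded with zeros
MAX_PAYLOAD = 1500   # octets; the largest (and most efficient) frame


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Assemble dst | src | type | payload (padded) | FCS.
    The preamble is not part of the frame length, so it is not modelled here."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 1500 octets")
    payload = payload.ljust(MIN_PAYLOAD, b"\x00")           # pad to the 46-octet minimum
    body = (bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
            + struct.pack("!H", ethertype) + payload)
    # The Ethernet FCS is CRC-32 with the same polynomial and conventions as
    # zlib.crc32, transmitted least-significant byte first.
    fcs = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    return body + fcs


def parse_frame(frame):
    """Return the header fields and payload after checking length and FCS."""
    if len(frame) < 14 + MIN_PAYLOAD + 4:
        raise ValueError("runt frame")
    body, fcs = frame[:-4], frame[-4:]
    if struct.unpack("<I", fcs)[0] != zlib.crc32(body) & 0xFFFFFFFF:
        raise ValueError("FCS mismatch: frame damaged in transit")
    (ethertype,) = struct.unpack("!H", body[12:14])
    return {
        "dst": body[:6].hex(":"),
        "src": body[6:12].hex(":"),
        "ethertype": ethertype,
        "ethertype_name": ETHERTYPES.get(ethertype, "unknown"),
        "payload": body[14:],
    }


def _fold(csum):
    """Fold carries for the one's-complement IP header checksum."""
    while csum >> 16:
        csum = (csum >> 16) + (csum & 0xFFFF)
    return csum


def ipv4_header(src_ip, dst_ip, ttl, proto=1):
    """20-octet IPv4 header with no options (proto 1 = ICMP) and a valid checksum."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0, src, dst)
    csum = ~_fold(sum(struct.unpack("!10H", hdr))) & 0xFFFF
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def ipv4_checksum_ok(hdr):
    """A correct header sums (with carries folded) to 0xFFFF."""
    return _fold(sum(struct.unpack("!10H", hdr[:20]))) == 0xFFFF


def ipv4_ttl(payload):
    """The TTL is the ninth octet (offset 8) of the IPv4 header."""
    return payload[8]


def hops_before_discard(ttl):
    """Each router decrements the TTL by one and discards the packet when it reaches
    0, so a packet sent with TTL n is forwarded by at most n-1 routers."""
    forwarded = 0
    while ttl > 1:
        ttl -= 1
        forwarded += 1
    return forwarded


if __name__ == "__main__":
    frame = build_frame("02000000000a", "02000000000b", 0x0800,
                        ipv4_header("192.0.2.1", "198.51.100.7", ttl=128))
    info = parse_frame(frame)
    print(info["src"], "->", info["dst"], info["ethertype_name"],
          "TTL", ipv4_ttl(info["payload"]),
          "survives", hops_before_discard(ipv4_ttl(info["payload"])), "router hops")
```

Flipping a single bit anywhere in the frame makes parse_frame reject it on the FCS check, which is exactly the integrity guarantee the CRC provides; note that it is not an authenticity check, since anyone who rewrites the frame can recompute the CRC.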
A.3 Rights and permissions
NetWare’s security model consists of:
File and Directory Rights
File and Directory Attributes
NDS Object Rights
NDS Object Property Rights

File system and directory security include the following rights:
Directory Rights—Access rights on directories and subdirectories are:
Supervisor: The sum of all other access rights.
Read: Allows a user to view the contents of a directory or execute a file.
Write: Allows a user to view and modify the contents of a file.
Create: Allows a user to create new files or salvage files that have been deleted.
Erase: Allows a user to delete or overwrite a file.
Modify: Allows a user to rename a file or change its attributes.
File Scan: Allows a user to view the contents of a directory without being able to view the contents of any of the files within it.
Access Control: Allows a user to change trustee assignments and grant access rights to other users, including changing the Inherited Rights Filter (IRF). Granting Access Control is close to granting Supervisor, because the trustee can grant itself any other right.
File access security policy should be based on minimums: grant only the rights a task requires. Table A.1 lists the minimum rights required to perform the defined tasks.
A.4 Directory attributes
Accessed by right-clicking a directory or file and choosing Properties. Directory attributes are listed in Table A.2; file attributes are listed in Table A.3. Different versions of NetWare allow for different attributes, so not all attributes listed here apply to your version of NetWare.
Table A.1 Minimum Rights Needed
Defined Task: Minimum Rights Required
Open and read a file: Read
See a filename: File Scan
Search a directory for files: File Scan
Open and write to an existing file: Write, Create, Erase, Modify
Execute an EXE file: Read, File Scan
Create and write to a file (but not view it): Create
Copy files from a directory: Read, File Scan
Copy a file to a directory: Write, Create, File Scan
Make a new directory: Create
Delete a file: Erase
Salvage deleted files: Read and File Scan on the file(s) and Create on the directory
Change directory or file attributes: Modify
Rename a file or directory: Modify
Change the Inherited Rights Filter: Access Control
Change trustee assignments: Access Control
Modify a directory’s disk space assignment between users: Access Control
Table A.2 Directory Attributes
Abbreviation (Directory Attribute): Application
Di (Delete Inhibit): prevents users from deleting this directory
Dc (Don’t Compress): file compression will not compress this directory
Dm (Don’t Migrate): used for the data migration option on the volume properties; will not migrate the directory to a “jukebox” or other storage device
H (Hidden): hides this directory; the _NETWARE directory on SYS is an example
Ic (Immediate Compress): compresses every file in this directory immediately after each file is closed, versus waiting the default time of 14 days after the directory was last accessed
N (Normal): the default assignment; allows Read and Write to a file, but not Shareable
P (Purge): flags a directory to purge as soon as it is deleted, rendering it unrecoverable
Ri (Rename Inhibit): prevents users from renaming the directory
Sy (System): system directory, like SYS:_NETWARE
Table A.3 File System Attributes
Abbreviation (File Attribute): Application
A (Archive Needed): automatically assigned to files that have been changed since the last backup
Cc (Can’t Compress): disables compression on the file
Co (Compressed)
Ci (Copy Inhibit): prevents Apple Macintosh users from copying the file
Di (Delete Inhibit): prevents deletion; overrides the Erase trustee right
Dc (Don’t Compress): used to override NetWare’s default “days untouched before compression” setting; see the Chapter 2 SET commands
Dm (Don’t Migrate): don’t allow files to leave the hard disk to go to another storage device
Ds (Don’t Suballocate): I can’t think of a valid reason to ever use this
H (Hidden)
I (Index): set automatically; large file access is accelerated by indexing files larger than 64 FAT entries
Ic (Immediate Compress): as soon as the file is closed, it is compressed
M (Migrated)
N (Normal): default value for all new files, which allows Read and Write but not Shareable
P (Purge Immediately): upon deletion, the file will be unrecoverable
Ro (Read Only): this is a combination of Di and Ri
Rw (Read Write): all files are created with this attribute; allows you to write to a file
Ri (Rename Inhibit): file cannot be modified or renamed
Sh (Shareable): allows more than one user access at the same time; many times used with Ro
Sy (System): normally used with OS system files; hides the file from DIR; the file still shows up with NDIR or FILER
T (Transactional): allows a file to be tracked and protected by TTS; useful for databases
X (Execute Only): prevents a file from being backed up, copied or modified; once this value is set, it is irrevocable (except by the XAway hack); use for .exe and .com files, but make backups first
NDS object rights are:
Supervisor (S)—This is the sum of all other rights. Unlike the Supervisor right in the file system, the Supervisor NDS object right can be blocked through an IRF. Granting this right implies granting the same Supervisor right to all NDS properties.
Browse (B)—The Browse right allows trustees of the object(s) to search the tree in NWAdmin and through the NLIST and CX commands.
Create (C)—This right, available only on container objects, allows an object trustee to create objects in and below the container.
Delete (D)—Permits the removal of objects from the NDS tree.
Rename (R)—Grants the object trustee the ability to change the object’s name.
Inheritable (I)—Only in NetWare 5. Assigned object rights are inherited by default in NDS. Unchecking this feature on a container object restricts inheritance, so the administrator must explicitly grant object trustee rights to the container.
NDS property rights include:
Supervisor (S)—Still the sum of all other rights.
Read (R)—The ability to see/read the attributes, or properties, of an object.
Compare (C)—The Compare right works in tandem with the Read right and is used to query any property, returning only a true or false response.
Write (W)—Automatically includes the Add/Remove Self right; you can modify, add, change, and delete property values. Warning: This right granted on the Object Trustees (ACL) property of any object effectively gives Supervisor access.
Add/Remove Self (A)—An object trustee can add or remove itself as a value of the object property.
Inheritable (I)—Only for NetWare 5. Used only at the container level, this right enables inheritance of property rights from a container.
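The rights rules of A.3 (file system, Table A.1) and the NDS object rights above, as one added worked example (not code from the book or from Novell). It computes effective rights by walking a path from the root, applying each IRF to inherited rights and letting an explicit trustee assignment replace them, and it shows the one difference the text stresses: an IRF cannot block the file-system Supervisor right but can block the NDS Supervisor object right. The volume, directory, container and user names (DATA:, HOME, JJOHNSON, OU=HR and so on) are constructed for illustration.

```python
"""Added example (not from the book): a small model of NetWare effective rights,
for both the file system (A.3) and NDS object rights (above), plus a check of a
task against the minimum rights in Table A.1.

Rules modelled, all from the appendix text: rights granted to a trustee flow down
the tree until a new assignment for that trustee replaces them; an Inherited
Rights Filter (IRF) limits what flows into a directory or object; the file-system
Supervisor right cannot be blocked by an IRF, while the NDS Supervisor object
right can. The volume, directory, container and user names are constructed."""

FS_ALL = frozenset("SRWCEMFA")   # Supervisor Read Write Create Erase Modify File scan Access control
NDS_ALL = frozenset("SBCDRI")    # Supervisor Browse Create Delete Rename Inheritable

MIN_RIGHTS = {                    # a few rows of Table A.1
    "open and read a file": frozenset("R"),
    "execute an EXE file": frozenset("RF"),
    "copy file to a directory": frozenset("WCF"),
    "delete a file": frozenset("E"),
    "change trustee assignments": frozenset("A"),
}


def effective_rights(path, trustee, assignments, irfs, all_rights, irf_blocks_supervisor):
    """path: names from the root down, e.g. ["DATA:", "HOME", "JJOHNSON"].
    assignments: {(node, trustee): rights} with node a tuple prefix of path.
    irfs: {node: rights allowed to be inherited into that node}."""
    effective = set()
    for depth in range(1, len(path) + 1):
        node = tuple(path[:depth])
        if node in irfs:
            allowed = set(irfs[node])
            if "S" in effective and not irf_blocks_supervisor:
                allowed = set(all_rights)          # file-system Supervisor passes any IRF
            effective &= allowed                   # an IRF filters only inherited rights
        explicit = assignments.get((node, trustee))
        if explicit is not None:
            effective = set(explicit)              # a new assignment replaces inheritance
        if "S" in effective:
            effective = set(all_rights)            # Supervisor is the sum of all rights
    return frozenset(effective)


def missing_rights(task, effective):
    """Rights still needed for a Table A.1 task; an empty set means it is permitted."""
    return MIN_RIGHTS[task] - effective


def self_grantable(effective):
    """Why Access Control is 'similar to Supervisor': with A, a trustee can grant
    itself every file-system right except Supervisor."""
    return frozenset(FS_ALL - {"S"}) if "A" in effective else frozenset(effective)


def fs_scenario():
    """Constructed layout DATA:\\HOME\\<user> with an IRF on HOME admitting R and F."""
    assignments = {
        (("DATA:",), "JJOHNSON"): "RWCEMF",                        # granted at the volume root
        (("DATA:", "HOME", "JJOHNSON"), "JJOHNSON"): "RWCEMFA",    # explicit in the home directory
        (("DATA:",), "ADMIN"): "S",
    }
    irfs = {("DATA:", "HOME"): "RF"}
    args = (assignments, irfs, FS_ALL, False)
    return {
        "user_own_home": effective_rights(["DATA:", "HOME", "JJOHNSON"], "JJOHNSON", *args),
        "user_other_home": effective_rights(["DATA:", "HOME", "ASMITH"], "JJOHNSON", *args),
        "admin_other_home": effective_rights(["DATA:", "HOME", "ASMITH"], "ADMIN", *args),
    }


def nds_scenario():
    """Constructed tree [Root] > OU=HR with an IRF on OU=HR admitting only Browse."""
    assignments = {
        (("[Root]",), "ADMIN"): "S",
        (("[Root]", "OU=HR"), "HRADMIN"): "SBCDR",
    }
    irfs = {("[Root]", "OU=HR"): "B"}
    args = (assignments, irfs, NDS_ALL, True)
    return {
        "admin_in_hr": effective_rights(["[Root]", "OU=HR"], "ADMIN", *args),
        "hradmin_in_hr": effective_rights(["[Root]", "OU=HR"], "HRADMIN", *args),
    }


if __name__ == "__main__":
    for name, rights in {**fs_scenario(), **nds_scenario()}.items():
        print(f"{name:18} {''.join(sorted(rights)) or '(none)'}")
    print("JJOHNSON copying into ASMITH's home still needs:",
          "".join(sorted(missing_rights("copy file to a directory",
                                        fs_scenario()["user_other_home"]))))
```

In the NDS scenario the IRF on OU=HR strips ADMIN down to Browse, which is why the usual advice before placing such a filter is to grant an explicit Supervisor assignment inside the container first (HRADMIN here), or the container becomes unmanageable.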
A.5 List of common TCP protocols and ports
For your reference (see Table A.4):
Well-known ports—0–1023
Registered ports—1024–49151
Dynamic or private ports—49152–65535
RFC 1700 lists more ports.
Table A.4 Popular Ports and Protocols
Protocol (Port): Notes
FTP (20): FTP data transfer
FTP (21): FTP control port
Telnet (23): Telnet
SMTP (25): Simple Mail Transport Protocol
Domain (53): Domain Name Server
BOOTPS (67): Bootstrap Protocol Server
BOOTPC (68): Bootstrap Protocol Client
TFTP (69): Trivial File Transfer Protocol
Gopher (70): Gopher
Finger (79): Something I have been sorely tempted to give IT management
WWW (80): HTTP
POP3 (110): Post Office Protocol
NetBIOS (137): NetBIOS
SNMP (161): Simple Network Management Protocol
SNMP (162): Simple Network Management Protocol traps
IRC (194): Internet Relay Chat Protocol
LDAP (389): Lightweight Directory Access Protocol
NWIP (396): NetWare IP—tunneled IPX
SLP (427): Service Location Protocol
HTTPS (443): Secure HTTP
NCP (524): NCP over IP
Netnews (532): Readnews
CMD (2302): Compatibility Mode Driver
AIM (5190): America Online Instant Messenger
A.5.1 SSL port assignments
Protocol: Standard Port ➝ SSL Port
HTTP: 80 ➝ 443
IMAP4: 143 ➝ 993
LDAP: 389 ➝ 636
NNTP: 119 ➝ 563
POP3: 110 ➝ 995
A.6 IP protocols and ports in NetWare 5.x
NetWare 5’s IP ports can be seen in real time in TCPCON. NetWare 5 uses these IP ports (as well as others, depending on the products and applications you are using on the server) (see Table A.5). You may also use the Advanced Settings of the Novell Client software to change the SLP multicasts to SLP broadcasts, though I wouldn’t recommend it.

Table A.5 NetWare 5’s IP Ports
Protocol (Port): Notes
TCP (524): NCP requests; source port will be a high port (1024–65535)
UDP (524): NCP for time synchronization; source port will be a high port
UDP (123): NTP for time synchronization; source port will be the same
UDP (427): SLP requests; source port will be the same
TCP (427): SLP requests; source port will be the same
TCP (443): SSL secured
TCP (2302): CMD; source port will be the same
UDP (2645): CMD; source port will be the same
TCP (2200): NetWare Web Manager (HTTP)
TCP (8008): NetWare Portal
TCP (8009): NetWare Portal secure connection via SSL
In Pure IP mode without the use of SLP multicasts, TCP port 524 will be used between NetWare servers. Client requests will be made from a high port. If you use SLP, then TCP and UDP port 427 will be required. The UA (User Agent) will contact either the SA (Service Agent) or the DA (Directory Agent) with a UDP packet. The Compatibility Mode Driver (CMD) is required when an IP device must communicate with an IPX device. All requests
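One practical use of Tables A.4 and A.5 and the SSL pairs in A.5.1 is to compare them against what a server is actually listening on. The following added example (not code from the book or from Novell) does that for a hand-constructed socket list, of the kind an administrator might transcribe from TCPCON: documented NetWare 5 ports pass, cleartext services that have an SSL counterpart are flagged, CMD ports are flagged on a server that is supposed to be Pure IP, and anything else is reported with its RFC 1700 range. The sample listing and the 6000/TCP entry are constructed; nothing here queries a server.

```python
"""Added example (not from the book): check a list of listening sockets against the
NetWare 5 ports in Table A.5, the well-known/registered/dynamic ranges in A.5, and
the SSL port pairs in A.5.1. The socket list is constructed by hand, as an
administrator might transcribe it from TCPCON; nothing here talks to a server."""

NETWARE5_PORTS = {                       # (protocol, port) -> service, Table A.5
    ("TCP", 524): "NCP requests",
    ("UDP", 524): "NCP time synchronization",
    ("UDP", 123): "NTP time synchronization",
    ("UDP", 427): "SLP requests",
    ("TCP", 427): "SLP requests",
    ("TCP", 443): "SSL secured",
    ("TCP", 2302): "CMD",
    ("UDP", 2645): "CMD",
    ("TCP", 2200): "NetWare Web Manager (HTTP)",
    ("TCP", 8008): "NetWare Portal",
    ("TCP", 8009): "NetWare Portal (SSL)",
}
SSL_PORT_FOR = {80: 443, 143: 993, 389: 636, 119: 563, 110: 995}   # A.5.1
COMMON_NAMES = {21: "FTP", 23: "Telnet", 25: "SMTP", 80: "HTTP", 110: "POP3",
                119: "NNTP", 143: "IMAP4", 161: "SNMP", 389: "LDAP"}  # Table A.4 / A.5.1


def port_class(port):
    """Ranges from A.5 (RFC 1700)."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def audit_listeners(listeners, ipx_clients_expected=False):
    """Return one finding per socket that needs a look: unexpected ports, cleartext
    services that have an SSL port, and CMD ports on a server meant to be Pure IP."""
    findings = []
    for proto, port in listeners:
        proto = proto.upper()
        service = NETWARE5_PORTS.get((proto, port))
        if service == "CMD" and not ipx_clients_expected:
            findings.append((proto, port, "review", "CMD loaded but no IPX devices expected"))
        elif service:
            continue                                   # documented NetWare 5 port
        elif port in SSL_PORT_FOR:
            findings.append((proto, port, "cleartext",
                             f"{COMMON_NAMES[port]} has an SSL port ({SSL_PORT_FOR[port]})"))
        else:
            name = COMMON_NAMES.get(port, port_class(port))
            findings.append((proto, port, "unexpected", f"not in Table A.5 ({name})"))
    return findings


# Constructed listing; not output from any real server.
SAMPLE_LISTENERS = [
    ("TCP", 524), ("UDP", 524), ("UDP", 123), ("TCP", 427), ("UDP", 427),
    ("TCP", 443), ("TCP", 8009),
    ("TCP", 389),      # LDAP without its SSL twin on 636
    ("TCP", 2302),     # CMD on a server that is meant to be Pure IP
    ("TCP", 6000),     # something not on the list
]

if __name__ == "__main__":
    for proto, port, kind, why in audit_listeners(SAMPLE_LISTENERS):
        print(f"{proto} {port:<5} {kind:<10} {why}")
```

Passing ipx_clients_expected=True suppresses the CMD finding for servers that still bridge to IPX devices, so the same check can run across a mixed estate with one flag per server.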
A.7 OSI layers and TCP/IP
The always useful OSI layers:
Application—e-mail, Telnet or other application
Presentation—Encodes or encrypts and compresses data, like streaming video
Session—Creates the logical connection to upper layer services
Transport—Error correction and flow control; the last layer to format data
Network—Routing layer; instructs data where to go
Data link—MAC or NIC address framing; switches work at this level
Physical—The wire that allows packets to be sent
A.7.1 OSI layers mapped to the IP stack
This is how the IP stack, imperfectly, maps to the OSI layers:
Application—HTTP, FTP, NFS, NTP, DHCP, LDAP, SMTP, Telnet, SNMP, DNS
Transport—TCP, UDP
Internet—IP, OSPF, RIP, EIGRP, IGRP, BGP, ICMP, EGP
In between these two layers are ARP and RARP.
Link—Ethernet, Token Ring, FDDI, WAN, etc.
A.8 Hardware interrupt usage
I’m not a hardware guru, so I need a reference (see Table A.6). Consider disabling IRQs that you do not need on your server machines; parallel ports and one serial port may be good choices. IRQs are serviced in a specific order. Note: NetWare supports shared interrupt configurations, but it is not recommended.
Table A.6 Hardware IRQs
IRQ: Standard Interrupt Usage
0: System Timer
1: Keyboard
2: Video (Cascade to 9)
3: Serial COM 2
4: Serial COM 1
5: Parallel Port 2
6: Diskette Controller
7: Parallel Port 1
8: CMOS Clock
9: Cascaded to IRQ 2
10: Open
11: Open
12: Mouse PS2
13: HD Controller
14: Reserved for NetWare
A.9 Priority of interrupts
I don’t often see Table A.7, but I think it’s important for tuning.

Table A.7 IRQ Interrupt Priorities
Priority of interrupts, in order of service: 0, 1, 2/9, 10, 11, 12, 13, 14, 15, 3, 4, 5, 6, 7
A.10 Other Novell resources Where to go when you need answers:
http://support.novell.com
www.novell.com/documentation
www.novell.com/download
www.novell.com/whitepapers
www.oreilly.com
A.11 Some Novell product/shareware/info Websites
This section is very important. I know it is buried deep in the Appendices, but that shows how important every word and section is in the O’Reilly In a Nutshell Series.
www.netadmincentral.com—A Website made by a couple of Novell consultants to provide a portal to NetWare 5 information. Good opinion pages here, too.
http://www.novell.com/coolsolutions/—Starting with Novell’s own site for great admin info.
http://www.novell.com/coolsolutions/freetools.html—Tools are cool. This is a site that has some of the best tools. I use some of these very tools on engagements.
http://www.novell.com/coolsolutions/masterindex.html—Don’t miss this site. WOW!
http://www.tinypineapple.com/luddite/beigepapers/—Want to know how Novell does it internally? Here it is….really!
www.novellshareware.com—I spend a lot of time on this site. There are many useful tools and utilities here.
http://www.nwconnection.com/index.html—NetWare Connection is a free monthly magazine discussing NetWare products and topics. Highly recommended.
http://www.nwconnection.com/resources/index.html—This will look very similar to the other site. Novell’s NetWare Connection magazine is also found here. The magazine provides a great overview of Novell’s newest products. There is good technical information too. The best technical information is still found in AppNotes and on the documentation Website.
www.bindview.com—I love everything about BindView except the price. Still, download a free copy and test it out. Medium to larger sites may find this utility to be one you can’t live without.
www.intrusion.com—Kane Security Analyst’s home is here.
www.netwarefiles.com—A very useful Novell freeware/shareware site
http://www.avanti-tech.com/
http://dsdesigner.hypermart.net/—DSDesigner is a favorite among NDS designers. DSDesigner allows you to import your tree, document it, simulate other designs and provides advice. Definitely worth the price.
http://www.ahs.hist.no/distr/PerlWare/—Shareware and tools. Perl utilities. Perl is a great language to automate administrator tasks. Perl is supported on NetWare 4.x and 5.x.
www.atlantissoftware.com—Notification software for OS management; hooks into ManageWise and other SNMP-aware applications.
http://www.hdopp.de/—Holger Dopp is a Novell consultant. He has some custom code as well as great Web links on his site.
http://www.zenworksmaster.com/—Lots of ZEN for Desktops information. He offers free tools for BorderManager, ManageWise, ZEN for Desktops and NDS.
www.novellfans.com—Shareware/freeware site. This site doesn’t seem to be updated often, but it provides many resources to choose from.
http://hsjones.members.atlantic.net/—A consultant friend’s Website. Has some great Novell wallpaper.
http://www.tung.nu/—Written and maintained by a Novell Systems Engineer from England
http://www.microsoft.com/office/visio/—Microsoft bought Visio. I use Visio for network and NDS designs.
http://developer.novell.com
http://developer.novell.com/ndk/downloadaz.htm
http://www.hitecsoft.com—NetWare provides NetBasic support; HiTecSoft sells a full NetBasic package.
www.simware.com
www.dreamlan.com
http://www.midnighttech.com
http://www.jrbsoftware.com/
http://www.connectotel.com/marcus/
http://www.serversystems.com/index.html
www.ontrack.com—Utilities for your workstation. I love the PowerDesk utility.
www.timpanogas.com—You may want to take a long look at this Website. One of Novell’s chief scientists (supposedly) has broken off into an open source NOS project that will mimic the NetWare platform. The company also sells NetWare file systems for the NT and Linux platforms.
http://www.cdp.com/snaplive.htm—SnapBack is a ghosting utility. I have clients that use this, but I prefer Norton for its ability to image on a volume level.
A.12 Educational resources for Novell
Other resources for Novell education and certification:
http://education.novell.com
www.brainbuzz.com
www.cramsession.com
www.certify.com
www.syngress.com
www.bfq.com
www.careerpath.com
Index
# (pound) login script command, 321 server console command, 211, 256 ; (semicolon), 211, 265 –A, 211 ABEND.LOG, 192, 194–96, 660, 699 ABENDed NLM, 194–95 ABEND Message, 194 creation, 194 defined, 194 File Server Name, 194 Modules List, 196 Running Process, 195 Stack Limit and Pointer, 195 Stack Trace, 195 ABENDs, 192–97 caused by hackers, 653 coredumps and, 193 culprits, 192–93 defined, 192 personal experience, 197 tools, 196–97 ABORT REMIRROR, 211 Accelerated Upgrade, 553–57 additional menu options, 555–57 benefits, 553–54 defined, 553 files, 555 .ICS files, 554 limitations, 554 script file, 553 scripts, 555 See also Upgrading (NetWare server) Access control lists (ACLs), 397
ActivCard, 649–50 ADDICON, 699 ADD NAME SPACE, 212 Address Resolution Protocol (ARP), 18–19, 499, 691 Advanced Menu Settings tab, 123–39 Cancel Desktop Login, 123–24 Change Password, 124 Display Bindery Services Page, 124 Display Container Page, 124 Display Directory Map Object Page, 124 Display Directory Services Page, 124–25 Display NetWare Information Page, 125 Display NetWare Rights Page, 125 Display Server Page, 125–26 Display Tree Page, 126 Display Volume Information Page, 126–27 Enable Authenticate to Server, 127 Enable Authenticate to Tree, 127 Enable Browser To Dialog, 127–28 Enable Capture Dialog, 128 Enable Change Context Dialog, 128 Enable Disconnect Dialog, 128 Enable End Capture Dialog, 128–29 Enable Group Membership Dialog, 129 Enable Inherited Rights Dialog, 129 Enable Login Administration, 129 Enable Login Dialog, 129–30 Enable Login to Server, 130 Enable Logout of Server, 130 Enable Logout of Tree, 130 Enable Map Dialog, 130 Enable Modify Container Script, 131 Enable NDS Login To Tree, 131 Enable NDS Mailing Information, 131 Enable NDS Personal Information, 131
Advanced Menu Settings tab (cont’d) Enable NDS Work Information, 132 Enable NetWare Connections Dialog, 132 Enable NetWare Copy Dialog, 132 Enable NetWare Utilities Dialog, 132 Enable Novell Client Help, 133 Enable Novell Client Properties, 133 Enable Object Properties Dialog, 133 Enable Password Administration, 133 Enable Purge Dialog, 134 Enable Salvage Dialog, 134 Enable Send Message Dialog, 134 Enable Send Message To Server Dialog, 134 Enable Send Message To User Dialog, 135 Enable Set Current Tree, 135 Enable Set Default Context, 135 Enable Show Parent Context, 135 Enable Systray Config Dialog, 136 Enable Trustee Rights Dialog, 136 Enable Who Am I Dialog, 136 Filter User List, 136 Force Bindery Connections, 137 Force Login Dialog, 137 Show Bindery Servers, 137 Show Current Connections, 137 Show Edit Login Script Item, 138 Show NDS Descriptions, 138 Show NDS Objects, 138 Show Novell System Tray Icon, 138 Show Scheduler System Tray Icon, 139 Show User Administration Menu, 139 See also NetWare client properties Advanced Settings tab, 93 Alexander SPK, 653 ALIAS, 212 AppNotes, 50 ATTACH login script command, 322 AUDITCON, 53 Auditing, 642 AUTOEXEC.NCF, 158 Auto-loaded NLMs, 173, 272 Automated Client Upgrade utility (ACU), 5–8, 507 ACU.EXE, 6 defined, 5 implementing, 5–6 methodology, 6–7 Auxiliary classes, 359 LDAP and, 383–84 in mixed environments, 383
Backdoors, 657–58 Backlinks, 361, 441 Backups directory, 670 important user information, 700 NDS database, 409, 669 NDS rights for, 187 SMS terms, 189–90 strategies for, 187 types of, 187 upgrading and, 540–41 BIND, 213, 473–74 BINDERY, 213 Bindery emulation, 355–56 BINDERY.NOVELL service, 23 BindView, 652, 657 Biometric authentication, 647 Boot disk, 672 Boot partition, 509, 510 BOOTPFWD.NLM, 213–14, 430 Boot up NDS processes, 158 network traffic, 158–59 warm, 698 BorderManager, 566–71 benefits, 566–68 features, 567–68 firewall, 570 in modules, 571 name resolution process, 569–70 new in version 4.x, 368 practical application of, 570 proxy/cache, 570 server, 569 third-party software for, 571 VPN services, 570–71 BranchManager for NT, 615 BREAK login script command, 322 BROADCAST, 214 Browsing, 463 defined, 463 as security hole, 659 BSTART.NCF, 214 BTRIEVE, 185 BULKLOAD.NLM, 385 CAPTURE, 54 Catalog services, 607 CDINST.NLM, 214, 517
CDROM command, 214–15, 700 Certificate Authority (CA), 485, 575–76 Certificate Server, 475, 480–86, 572–76, 647–49 associated NDS objects, 484–85, 575 Certificate Authority (CA), 485, 575–76 certificate format, 483–84 functions, 481, 572 key pairs, 572 minting SSL certificates, 649 NDS role of, 483, 573 NLMs relating to, 576 Objects definition, 526 Private Key, 173, 482–83 Public Key, 172–73, 482 support, 648 SYS volume space requirement, 572 CFGBACK.EXE, 38 CHKNULL, 643–44 Cisco switches, 459–60 CLEAR STATION, 215 CLIB, 490 CLS login script command, 322 server console command, 215 Command shareware, 178, 276, 277 Communication parameters (server SET commands), 276–87 Communications management, 153–54 Packet, 153 Packet Receive Buffers, 153–54 See also SERVER.NLM Compaq Novell Support Software Diskettes (NSSD), 675 recommendations, 674 Compaq support, 202–6 Insight Manager, 204–5 links, 203 management solutions, 204–6 Power Array Status Screen, 206 Power Resource PAQ, 202 remote insight board, 206 Smart Start CD, 206 software, 203–4 Compatibility mode drivers (CMD), 453–55 client-side, 454 defined, 455 as migration tool, 454 modules, 454 server-side, 454–55
Compression enabling, 300 parameters (server SET commands), 299–302 status screen, 295 unopened files, 300–302 COMSPEC login script command, 323 CONFIG command, 215 CONFIG.NLM, 216, 531, 541 defined, 216 Reader GUI, 541 Configuration Database Engine (CDBE), 173, 273 Configuration files (related to TCP/IP), 470–72 RESOLV.CFG, 470 SLP.CFG, 470 SYS:ETC\GATEWAYS, 471 SYS:ETC\HOSTS, 470 SYS:ETC\NETWORKS, 471 SYS:ETC\PROTOCOL, 472 SYS:ETC\SERVICES, 471 CONMAN.EXE, 37 Connection group, 93–96 Auto Reconnect Level, 93–95 Auto Reconnect Timeout, 95 NetWare Protocol, 95–96 Replica Timeout, 96 See also NetWare client properties CONSOLE.LOG, 660 ConsoleOne/NetConsole, 32, 198–99, 371, 373, 599 adding menu to, 199 background, changing, 199 for configuring support for PKI, 484 defined, 198, 599 functionality, 198, 373 location, 169 renovations, 373 server access from, 199 snapins, 199 Contextless login support, 607 Contextless Login tab, 84–85 CONTEXT login script command, 323–24 Coredumps, 193 CPQFM.NLM, 669–70 defined, 669 functions, 670 CPUCHECK, 216 CRON.NLM, 408, 667 Custom Device Interface (CDI), 165 Custom Device Modules (CDMs), 163, 164–65
Customer hardware best practices, 680–81 CX, 53–54 DBNETS.NLM, 216–17 Debugger commands, 191–92 Defragmentation utilities, 38 Dell support, 206–7 RAID card, 207 server management, 207 sizing tools, 207 storage area network (SAN), 206 DHCP best practices, 432–33 communications by client, 24–25 defined, 120 fault tolerant, 433–34 management, 421–32 modules related to, 428–30 NDS objects relating to, 430–32 numerical options, 425–26 option levels, 425 options, 25 properties, 90 RFCs related to, 427–28 as security hole, 654–55 server, 421 support, 422 troubleshooting tools, 427 DHCPCLNT.NLM, 217, 498 DHCPSRVR.NLM, 217, 428–29 .DIB files, 370, 371 Digital Me, 613–14 Direct File System (DFS), 45, 341 Directory attributes, 626, 634 caching parameters (server SET commands), 296–97 comparison, 701 rights, 616 services parameters (server SET commands), 315–17 Directory Agent (DA), 436 DirXML, 597–98, 666 DISABLE LOGIN, 217 DISABLE TTS, 217 Diskeeper, 38, 41 DISKHOG utility, 701 Disk parameters (server SET commands), 303–4 DISMOUNT, 217–18 DISPLAY ENVIRONMENT, 218 DISPLAY INTERRUPTS, 218
DISPLAY login script command, 324 DISPLAY MODIFIED ENVIRONMENT, 218 DISPLAY NETWORKS, 218 DISPLAY PROCESSORS, 218 DISPLAY SERVERS, 218 DMA transfers, enabling, 48–49 DNIPINST.NLM, 429–30 DNS best practices, 432–33 BIND compliant, 420 host name resolution order, 461–62 instead of SLP, 461 modules related to, 428–30 as name space provider, 415 NDS objects relating to, 430–32 in NetWare 4.11, 421 in NetWare 5, 421 resource records, 419 RFC support, 420–21 DNSCONVRT.NLM, 219, 430 DNSDHCP.EXE, 428 DNS/DHCP Management Console, 415–21 Attributes tab, 417 DHCP portion of, 423 elements, 416 Forward List tab, 417 illustrated, 416 No-Forward List tab, 417 Options tab, 418–19, 424–26 SOA (Start of Authority) Information tab, 418 toolbar, 416–17, 422–23 ZONES tab, 417 DOS BREAK login script command, 324–25 DOS VERIFY login script command, 325 DOWN, 219 DreamLAN, 407 DRIVE login script command, 325 Drivers changing, 47 Ethernet, 235 FDDI, 236 initialization, 515 LAN, 170, 472–75 NDIS, 7 ODI, 7 Token Ring, 237, 241–42 DS Analyzer, 410–11 DSBROWSE.NLM, 372, 412
DS Designer utility, 345, 346, 373 defined, 406 for schema comparison, 406 DSDIAG.NLM, 368, 374–75, 407–8, 668–69 defined, 407, 668 functions, 668–69 information gathered by, 408 report types, 374–75 using to report unknown objects, 368 DS Expert, 409–10 .DSK drivers, 170 DSMAINT.NLM, 549 DSMERGE.NLM, 372, 375–76 DSREPAIR.LOG file, 363–65 DSREPAIR.NLM, 219–21, 372, 376–82 advanced options, 378, 379 Advanced Options menu, 380–82 defined, 376 menu screen, 378–80 repairing NDS with, 382 switches, 376–78 Time Synchronization screen, 386 DSTRACE command, 221, 387 DSTRACE.NLM, 221 ECHO OFF, 221 ECHO ON, 222 EDirectory, 340, 581 EGuide, 581 ENABLE LOGIN, 222 ENABLE TTS, 222 End-user rights, 632 Environment, NETX Compatibility group, 96–102 Broadcast Mode, 96 Cache NetWare Password, 97 DOS Name, 97 End of Job, 97–98 Environment Pad, 98 Force First Network Drive, 98 Hold Files, 98–99 Long Machine Type, 99 Maximum Cur Dir Length, 99 NW Language, 99 Polled Broadcast Message Buffers, 99–100 Remove Drive From Environment, 100 Search DIRs First, 100 Search Mode, 100–101 Set Station Time, 101 Short Machine Type, 101
Shrink Path to Dot, 101–2 Use Video BIOS, 102 See also NetWare client properties Error handling parameters (server SET commands), 314–15 ERU.EXE, 38 Ethernet, 9 driver statistics, 235 Ethernet II, 10 EXIT login script command, 326 server console command, 222 External references, 359–60 defined, 359 errors, finding, 360 life span, 359 See also NDS; NDS objects Fast synchronization, 352 FDDI driver statistics, 236 FDISPLAY login script command, 326–27 File(s) attributes, 626 caching parameters (server SET commands), 296 comparing, 701 log, 38, 529, 659–60 TCP/IP configuration, 470–72 File and Print Services for NetWare (FPSNW), 208, 666 File Migration Utility, 208, 666 FILER, 54, 630 FILE SERVER NAME, 222 File system access, 430–32 attributes, 635–36 best practices, 632–33 granular model, 630 management, 154 parameters (server SET commands), 297–300 rights, 626, 631, 632–33 security, 630–32 File System grouping, 102–3 Lock Delay, 102–3 Read Only Compatibility, 103 Use Extended File Handles, 103 See also NetWare client properties FIRE PHASERS login script command, 327 FireWall for NT, 591 FLAG, 54–57 directory attributes, 55
FLAG (cont’d) examples, 57 file attributes, 56 general options, 55 status flags, 56 uses, 54–55 using, 55 Flat cleaner, 366 Frame Type Information, 139–44 Frame types choices, 9–10 Ethernet, 9 information property, 139–44 IPX, 4 Token Ring, 9 workstation specification, 692 FTP clients, 480 FTP server, 477–80, 580 configuration, 480 control of, 477 files, 479–80 intruder logs, 480 NLMs, 479 starting, 481 FULL DUPLEX Ethernet, 674 Get Nearest Server (GNS), 435, 681 GOTO login script command, 327–28 Graphical Interface group, 116–18 Cancel Desktop Login, 116 Send Message, 116 Show Edit Login Script Item, 116–17 Show Novell System Tray Icon, 117 Show Scheduler System Tray Icon, 117–18 Show User Administration Menu, 118 See also NetWare client properties GroupWise, 594–96 defined, 594 future of, 595 highlights, 595 information, 596 Half-duplex switch connection, 692 Hardware vendor support, 202–7 Compaq, 202–6 Dell, 206–7 HDETECT.NLM, 514 HELP, 222 HIGHUTL1.EXE, 190
HOBJLOC.NLM, 657 Host Adapter Control Block (HACB), 165 Host Adapter Interface (HAI), 164 Host Adapter Modules (HAMs), 163–64 HOSTS file, 14, 17 HP printing support, 183–84 HTTPSTK.NLM, 222, 477, 578 HWDETECT.NLM, 514 Hypertext Transmission Protocol (HTTP), 491 IBM WebSphere Application server, 584 IChain, 584–85 IF...THEN login script command, 328–30 IGMP Snooping, 460 INCLUDE login script command, 330 INETCFG.NLM, 466–70, 472, 492 best practices, 469–70 Bindings, 468–69 Boards, 466–67 configuration files, 469 configuration information, 499–500 defined, 466 Manage Configuration, 469 Network Interfaces, 467 Protocols, 467–68 Reinitialize System, 469 View Configuration, 469 INETCFG server console command, 222–26 Inherited rights filters (IRF), 633–34 Insight Manager, 204–5 defined, 204 illustrated, 205 MIBs, 205 version control piece, 205 See also Compaq support Installation (client), 3–5 options, 3–4 via wizard, 3 Installation (NetWare server), 505–31 boot partition, 509, 510 Certificate Server Objects definition, 526 customized CD, 508 driver initialization, 515 final notes, 529 Hardware detect screen, 514 hardware recommendations, 505–7 help information, 508 keyboard navigation, 517, 518 licensing agreement, 509
licensing screen, 523 log file, 529 minimum hardware requirements, 505–8 mouse type, 512 NetWare client considerations, 507–8 NSS volumes, 528–29 partition screen, 515–17 product installation options, 523–25 protocol choices, 520–21 regional settings, 512 with RESPONSE.NI file, 527–28 Server Settings menu, 511–12 step-by-step instructions, 508–27 third-party tools, 530–31 Time Zone information, 522 tree choice, 522–23 video mode, 512, 513 volume information, 518–19 Installation NDPS, 608 Novell products, 566 support packs, 557–60 upgrade, 544–45 INSTALL.CFG file, 7 INSTALL.NLM, 226 Internet access server, 580 Internet Caching System (ICS), 585–89 cache box, 693–94 Dell distribution of, 585–86 distributors, 588–89 enhancement through, 587–88 network placement of appliances, 589 OS control functions, 586 support, 586–87 See also Novell products IntraNetware client, 21 Intruder detection, 644–45 Inverse Address Resolution Protocol (IARP), 691 IP addresses, obtaining, 500 configuration, 16–17 LAN segment conversion to, 452–53 management through browser, 475–80 management utilities, 415–32 manual assignment, 421 migrating from IPX to, 452–57 name resolution via, 463–64 packet types, 414–15 Pure, 413, 441
traffic management, 682–87 troubleshooting tools and tips, 427 tuning server for, 500–501 use in NetWare, 413 IP services, 480–90 Certificate Server, 480–86 LDAP support, 487–88 MIB-II support, 488 NICI, 486–87 SNMP support, 488–90 IPTRACE.NLM, 226–27, 499 IP utilities/tools, 491–501 ARP, 499 DHCPCLNT.NLM, 498 INETCFG configuration information, 499–500 INETCFG.NLM, 492 IPTRACE.NLM, 499 NIASCFG, 492 NLSLookup utility, 497–98 PIM.NLM, 498 PING.NLM, 495–97 PPPTRACE.NLM, 492, 498 sniffer programs, 501 TCPCON.NLM, 492–95 TCP/IP SET commands, 499 TPING, 497 IPX, 23, 435 bad rap, 682–83 communicating, 453 connections, 44 converting LAN segment from, 452–53 dual IP stack, 453 frame type, 4 migrating to IP, 452–57 packets, 51 parameters in properties panel, 140 property page, 139 retry count, 140 SAP types, 439 traffic management, 682–87 IPX INTERNAL NET, 227 IPX/SPX property page, 142 Janitor process, 365–66 Java command, 227, 228 Kernel process management, 150–53 Priorities, 151–52 Process Queues, 152–53
Kernel process management (cont’d) States, 151 Threads/processes, 150–51 See also SERVER.NLM Lanalyzer, 594 LAN drivers, 170, 472–75 Compaq, 558 LOAD statement used for, 472–73 statistics in MONITOR, 683–84 LANGUAGE, 227 LAN/WAN driver statistics, 232–34 LASTLOGINTIME login script command, 330–31 LDAP associated NDS objects, 604 auxiliary classes and, 383–84 configuring for NDS, 604 Data Interchange Format (LDIF), 384, 488 defined, 382–83, 487, 602–3 Help file, 605 meanings, 602 online information, 605 protocol operations, 384, 488, 604 provisions, 603–4 server console commands, 605 services, 602–5 support, 382–84, 487–88 trace screen, 605 Lexmark printing support, 184 Licensing, 546–47 agreement, 509 screen, 523 services parameters (server SET commands), 320 Lightweight Directory Access Protocol. See LDAP Limber process, 366–67 LIST DEVICES, 228 LIST STORAGE ADAPTERS, 228 LIST STORAGE DEVICE BINDINGS, 228 LMHOST file, 15 LOAD, 229, 472–73, 696 Load balancing, 161, 692–93 LOADER.EXE, 150 Lock parameters (server SET commands), 302 Log files audit server, 659–60 installation (NetWare server), 529 troubleshooting, 38 LOGIN, 57–58 examples, 58
options, 58 syntax, 57 using, 57 Logins common names, 657 contextless support, 607 effect on NDS, 350 NDS, 57 process, 40 replicas and, 349–50 resources, 50 slow, troubleshooting, 40–50 symbols, 329 Login script messages, 699 Login script variables, 321–37 # (execute external program), 321 ATTACH, 322 BREAK, 322 CLS, 322 COMSPEC, 323 CONTEXT, 323–24 DISPLAY, 324 DOS BREAK, 324–25 DOS VERIFY, 325 DRIVE, 325 EXIT, 326 FDISPLAY, 326–27 FIRE PHASERS, 327 GOTO, 327–28 IF...THEN, 328–30 INCLUDE, 330 LASTLOGINTIME, 330–31 MAP, 331–33 NDS, 398–99 NOSWAP, 333 PAUSE, 333 PCCOMPATIBLE, 333 PROFILE, 333–34 REMARK, 334 SCRIPT_SERVER, 334 SET, 334–35 SET_TIME, 335 SHIFT, 335–36 SWAP, 336 TREE, 336–37 WRITE, 337 LOGOUT, 58–59 Lost facts, 695–701
Macintosh Client for NetWare, 584 MAGAZINE commands, 230 Management Information Base II (MIB II) standard, 488 ManageWise, 591–94 alerts, 592 defined, 591 links, 594 NLMs related to, 593–94 number of Traps by category, 592 support, 591–92 See also Novell products MAP, 59–61 defined, 59 options, 60 syntax, 60 using, 60–61 MAP login script command, 331–33 Master replica, 348 M command, 229–30 MEDIA commands, 230 MEMORY, 230 Memory management, 153 parameters (server SET commands), 287–95 protection, 161 virtual, 161 See also RAM MEMORY MAP, 230 Microsoft Active Directory, 208 client for NDS, 666–67 Directory Synchronization Services (MSDSS), 208, 666 File and Print Services for NetWare (FPSNW), 208, 666 File Migration Utility, 208, 666 NetWare 5 assessment, 209 Server Messaging Block (SMB), 307 Services for NetWare 5.0, 208, 666 Migration across-the-wire, 547 NetWare 3.x data to NetWare 5.1, 548 NetWare 4.x data to NetWare 5.1, 548–49 NT to NetWare 5.1, 547–57 paths, 547 Migration Agents (MAs), 456–57 for backbone support, 457 defined, 456 requirements, 456
MIRROR STATUS, 230 Miscellaneous parameters (server SET commands), 310–14 MODULES, 231 MONITOR.NLM, 231–45, 388 general information, 244 options, 231–43 placement, 231 understanding LAN driver statistics in, 683–84 MOUNT, 245 Multicast delivery method, 23 use to authenticate, 24 Multiprocessor parameters (server SET commands), 317–18 Multi-Protocol Router. See NIAS Multithreading, 160–61 MUP.SYS, 44 MY DOCUMENTS folder, 700 NAME command, 246 NAMED.NLM, 246 Name resolution, 461–75 in BorderManager, 569–70 browsing, 463 DNS host, order, 461–62 as misunderstood function, 461 modules, 464–66 NetBIOS, order, 15–16 network, 12 via IP, 463–64 WINS host, order, 462 Name Resolution Timeout, 49 Name space modules, 170–71 NBTSTAT, 19 NCCSCAN.TXT, 39–40 NCCUTIL4.EXE, 39 NCIMAN.EXE, 5–6 NCMCON.NLM, 246–47 NCOPY, 66–67 examples, 67 options, 66–67 syntax, 67 NCP ADDRESSES, 247 NCP DUMP, 247, 248 NCP protocols, 1, 2, 51 defined, 172, 307 parameters (server SET commands), 307–10 viewing, 172
728
NCP STATS, 247–48 NCP TRACE, 248 NDIR, 67–71, 701 attribute options, 68–69 defined, 67 display options, 68 examples, 68, 70–71 format options, 68 restriction options, 69–70 sort options, 68 status flags, 69 syntax, 67 using, 67 NDIS drivers, 7 NDPS, 181–83 best practice, 611–12 client module requirement, 609 components, 610 defined, 181, 607 functioning of, 609 functions, 608 installation, 608 NDS objects related to, 182, 610 NLMs related to, 181–82, 610–11 “plug and print” support, 181 printers, 608 printing, 181–83, 607–12 SLP and, 182, 611 support, 608, 609 tips, 183, 611–12 See also Printing NDPSM, 248 NDS, 339–412 Administration Guide, 340 auditing, 642 authentication services, 582–83 auxiliary classes, 359, 383–84 background processes, 367 backlinks, 361, 441 boot up processes, 158 cache size configuration, 403–4 caching on servers, 43–44 Certificate Server role, 483, 573 Corporate Edition, 580–81 database backup, 409, 669 database functioning, 339 default rights, 397–98, 638 dependence on SLP, 387–90 dependence on time sync, 390–95
design guidelines, 399–401 design ideas, 400 design optimization, 42 directory manipulation, 371–82 DSBROWSE.NLM, 412 eDirectory, 581 error codes, 387 error culprits, 401 flat cleaner, 366 health check, 43, 343, 387, 543 information resources, 339 janitor process, 365–66 LDAP support, 382–85, 604 limber process, 366–67 links, 412 logins, 57 login script variables, 398–99 logins effect on, 350 management, 339–412 Microsoft client for, 666–67 obituaries, 361–65 optimization, 401–5 partitions, 41, 43, 344–45 PKI support configuration, 484, 574 properties, 90 property rights, 396–97, 637–38 RAM cache use, 402 repairing, 386–87 repairing, with DSREPAIR.NLM, 382 replicas, 41, 345–50 rights for backups, 187 schema, 356–59 scope configuration in, 443 security, 636–41 security model, 395–98 security recommendations, 638–41 sniffers, 50 startup, 368 TAO, 340, 353 terminology, 344–69 troubleshooting, 390 tuning, 401–5 unknown objects, 367–68 upgrading, 560–61 user authentication in, 41 versions, 340–41 versions, choosing, 341–43 Visio, 412 NDS for NT, 614–15
NDS Manager, 161, 372, 373 Schema Manager tool, 357–58 uses, 372 NDS objects, 385–86 external references, 359–60 names, 395 properties, 385–86 related to LDAP, 604 related to NDPS, 182, 610 related to queue based printing, 179–81 related to SAS, 605 related to WTM, 602 relating to DNS/DHCP, 430–32 relating to licensing objects, 546–47 rights, 396, 637 SLP, 444–45 unknown, 367–68 ZENworks average size, 617–18 See also NDS NDS rights, 396–98 default, 397–98 object, 396 property, 396–97 NDS tools, 405–12 CRON.NLM, 408 DreamLAN, 407 DS Designer, 406 DSDIAG.NLM, 368, 374–75, 407–8 NetPro, 373, 409–11 RCONSOLE, 405 REMADR.EXE, 405 Report Generator, 406 SAP Snoop, 406 SCANTREE, 406 Schemax, 407 Script, 406 Sync scrsav pwd AOT, 406 TIMESYNC, 407 TREEINT.NLM, 372, 376, 407 NDS trees, 24 defined, 344 designing, 353 during installation, 522–23 mixed version, 343 modeling, 345 names of, 43 partitions, 344–45 See also NDS
NDSv8, 340, 341 defined, 340 design guidelines, 400–401 DIB files, 371 Direct File System (DFS), 341 files in SYS:_NETWARE, 370–71 operating systems, 341 replicas, 347 scalability, 342 upgrading to, 342–43 See also NDS NetBIOS, 143, 463 name resolution order, 15–16 names, 15 routable, 683 settings, tweaking, 45–46 traffic, 683 troubleshooting, 15 NETDB.NLM, 248, 464–65 NetPro, 373, 409–11 Net Publisher, 596–97 Netscape Enterprise Web server, 32, 614 administration, 32 security features, 628 NETSTAT, 20 NetWare 5.1 features, 534–35 install scripts, 551 migrating NetWare 3.x data to, 548 migrating NetWare 4.x data to, 548–49 NT migration to, 547–57 other NetWare versions vs., 534–35 packet level changes, 683 pre-install checklist, 536 NetWare 6, 145–48 highlights, 535–36 installation, 508–27 multithreaded components, 147–48 scalability, 146–48 TCP/IP improvements, 414 upgrade pre-install checklist, 536–37 NetWare as application platform, 565 cluster services, 598 hardware vendor support, 202–7 IP use in, 413 Microsoft tools for administration/migration, 208–9 NT vs., 665–67
NetWare (cont’d) “out of the box,” 625–27 PKI service setup in, 485–86, 576 routing functions, 474 security, 625–61 security holes, 655–56 SNMP configuration in, 489–90 support pack 1, 201–2 NetWare Administrator, 11, 29–32, 371–72, 373 defined, 29–30 Help, 31 Internet Connections, 31 last version of, 31 manual queue based printing setup in, 181 Object, 30 Options, 30 scalability limitations, 31 Show Welcome Screen on Startup, 31 snapins, 32 Tools, 30 View, 30 Window, 31 NetWare Bus Interface (NBI), 165 NetWare client, 1–51 CD, 3, 4–5 frame type choices, 9–10 function of, 1 future of, 51 installation, 3–5 latest version, 3 NetWare server installation and, 507–8 network name resolution, 12 performance/optimization recommendations, 41–50 properties, setting on multiple clients, 8–9 property choices, 8–10 reinstalling, 42 requirements, 2–3 troubleshooting utilities, 39–40 tuning, 8–10 using latest, 41 Windows 3.x/Windows 9x platform intrusiveness, 2 for Windows NT/2000, 10 wizard, 3–4 workstation time, 8 NetWare client DOS command line utilities, 53–54, 53–74 AUDITCON, 53 CAPTURE, 54 CX, 53–54
FILER, 54 FLAG, 54–57 LOGIN, 57–58 LOGOUT, 58–59 MAP, 59–61 NCOPY, 66–67 NDIR, 67–71 NLIST, 61–66 NPRINT, 71 NPRINTER, 71 PURGE, 71–72 RIGHTS, 72–74 SETPASS, 74 NetWare client properties, 75–144 Advanced Menu Settings tab, 123–39 Advanced Settings tab, 93 Connection group, 93–96 Contextless Login tab, 84–85 Environment, NETX Compatibility group, 96–102 File System grouping, 102–3 Frame Type Information, 139–44 Graphical Interface group, 116–18 output settings, 85–93 Packet Management group, 103–6 Performance, Cache groups, 106–11 Printing group, 111–12 SLP General group, 118–21 SLP Times group, 121–23 Trouble Shooting group, 112–15 WAN group, 115–16 Windows 9x registry, 75 NetWare client utilities, 25–37 ConsoleOne/NetConsole, 32 controlling the Web server, 32 NetWare Administrator, 29–32 RCONSOLE, 33–35 RConsoleJ, 35–37 right-click, 25–29 NetWare Core Protocol. See NCP protocol NetWare Enterprise Printing Services, 607 NetWare Enterprise Web server, 578 NetWare FTP server, 477–80, 580 NetWare Loadable Modules (NLMs), 159 auto-loaded, 173, 272 BOOTPFWD.NLM, 213–14, 430 BULKLOAD.NLM, 385 CDINST.NLM, 214, 517 CONFIG.NLM, 216, 531, 541 CPQFM.NLM, 669–70
CRON.NLM, 408, 667 DBNETS.NLM, 216–17 defined, 169 DHCPCLNT.NLM, 217, 498 DHCPSRVR.NLM, 217, 428–29 DISK DRIVERS, 170 DNIPINST.NLM, 429–30 DNSCONVRT.NLM, 219, 430 DSBROWSE.NLM, 412 DSDIAG.NLM, 368, 374–75, 407–8, 668–69 DSMAINT.NLM, 549 DSMERGE.NLM, 372, 375–76 DSREPAIR.NLM, 219–21, 372, 376–82 DSTRACE.NLM, 221 enabling, 559 errors, 70 groups of threads, 169 HDETECT.NLM, 514 HOBJLOC.NLM, 657 HTTPSTK.NLM, 222, 477, 578 HWDETECT.NLM, 514 INETCFG.NLM, 466–70, 492 INSTALL.NLM, 226 IPTRACE.NLM, 226–27, 499 LAN DRIVERS, 170 loaded, finding, 698 loading, 154–55 loading format, 169 MONITOR.NLM, 231–45, 388 NAMED.NLM, 246 NAME SPACE MODULES, 170–71 NCMCON.NLM, 246–47 NETDB.NLM, 248, 464–65 NLM UTILITIES, 171 NSLOOKUP.NLM, 249 NSS.NLM, 249–53 NTP.NLM, 391 PIM.NLM, 498 PING.NLM, 254–55, 495–97 PORTAL.NLM, 255–56, 477, 578 PPPTRACE.NLM, 492, 498 PROXY.NLM, 465–66 purpose and architecture, 169–71 RCONAG6.NLM, 258–59 RDATE.NLM, 390 related to ManageWise, 593–94 related to NDPS, 181–82, 610–11 related to queue based printing, 179 related to WTM, 602
RSPX.NLM, 260–61 SCMD.NLM, 455–56 SHOWLOGO.NLM, 696 SLPDA.NLM, 265–66 stage description example, 155–57 STUFFKEY.NLM, 267, 668 SYSCALLS.NLM, 268 TCPCON.NLM, 492–95 TCPIP.NLM, 269, 474–75 TIMESYNC.NLM, 390–91 TOOLBOX.NLM, 531, 560, 670–71, 696 TREEINT.NLM, 372, 376, 407 types of, 170–71 UNICON.NLM, 270 WTM.NLM, 271, 600 XGATEWAY.NLM, 271 NetWare Management Portal, 576–78 defined, 577 illustrated, 577 NLMs related to, 578 NetWare MultiMedia server, 579 NetWare News server, 579 NetWare peripheral architecture (NWPA), 163–66 CDM Message, 165 Custom Device Interface (CDI), 165 Custom Device Modules (CDMs), 163, 164–65 functioning of, 165–66 Host Adapter Control Block (HACB), 165 Host Adapter Interface (HAI), 164 Host Adapter Modules (HAMs), 163–64 Media Manager, 164 NetWare Bus Interface (NBI), 165 Novell Event Bus (NEB), 165 Super Host Adapter Control Block (SuperHACB), 165 NetWare server ABENDs, 192–97 AUTOEXEC.NCF, 158 boot up NDS processes, 158 boot up network traffic, 158–59 CD, 5 clients handled by, 146 commands and NLMs, 172–73 common files and directories, 166–69 elements, 159 environment, 148–59 hangs and locks, 190–92 I2O support, 162 inner workings, 159–71
NetWare server (cont’d) installing, 505–31 Java support, 163 keystrokes available on, 200 LOADER.EXE, 150 loading stages, 154–55 patching/updating, 200–202 PCI Hot Plug support, 162 PC/Serial Mouse support, 163 predefined directories, 167–68 public symbol errors, 197 SERVER.EXE, 149 SERVER.NLM, 150–55 stage description example, 155–57 STARTUP.NCF, 157–58 troubleshooting, 190–97 tuning, 275, 672–80 upgrading, 533–64 warm boot, 698 Winsock 2.0 support, 163 NetWare server kernel, 159–62 load balancing, 161 memory protection, 161 multiprocessor support, 159–60 multithreading, 160–61 preemption, 162 scheduling, 162 virtual memory, 161 NetWare Web Manager, 476–77, 579 NetWare Web Search, 580 Network Address Translation (NAT), 612 Network Application Launcher (NAL), 13 Network Information System (NIS), 465 NETWORKS file, 17 Network Time Protocol (NTP), 391–92, 606 Network traffic capturing, 695 packet analysis, 691 RIP, 690–91 tuning recommendation, 692–95 viewing, 683 See also Traffic management NIAS, 612–13 configuring, 612–13 defined, 612 NIASCFG, 248–49, 492 NLIST, 61–66, 361, 687 any information, 62 defined, 61
format, 61 group information, 64 object information, 65–66 options, 62 printer information, 64–65 print queue information, 65 redirecting information to files, 66 server information, 63–64 user information, 62–63 uses, 66 volume information, 65 NLS, 546–47 resource, 546 server console commands related to, 546–47 NLSLookup utility, 497–98 NMAS, 582–83, 647 Norton Ghost, 530 NOSWAP login script command, 333 Novell Client for Windows NT/2000, 10 Novell Directory Services (NDS), 1, 2 Novell Event Bus (NEB), 165 Novell International Cryptography Infrastructure (NICI), 482, 483, 486–87, 606 defined, 486, 606 encryption capability, 486 NLMs related to, 487 Novell Internet Access server. See NIAS Novell Internet Messaging System (NIMS), 590 Novell Modular Authentication System (NMAS), 582–83, 647 NOVELLNIOS, 22 NOVELLNP, 22 Novell products, 565–623 additional, 623 BorderManager, 566–71 BranchManager for NT, 615 catalog services, 607 Certificate Server, 572–76 ConsoleOne/NetConsole, 599 contextless login support, 607 Digital Me, 613–14 DirXML, 597–98 DNS/DHCP services, 580 eGuide, 581 FireWall for NT, 591 GroupWise, 594–96 IBM WebSphere Application server, 584 iChain, 584–85 installing, 566
Internet access server, 580 Internet Caching System (ICS), 585–89 Lanalyzer, 594 LDAP services, 602–5 Macintosh Client for NetWare, 584 ManageWise, 591–94 managing, 566 NDPS printing, 607–12 NDS authentication services, 582–83 NDS Corporate Edition, 580–81 NDS eDirectory, 581 NDS for NT, 614–15 Net Publisher, 596–97 Netscape Enterprise Server security features, 578–79 Netscape Enterprise Web server, 614 NetWare cluster services, 598 NetWare Enterprise Printing Services, 607 NetWare Enterprise Web server, 578 NetWare FTP server, 477–80, 580 NetWare Management Portal, 576–78 NetWare MultiMedia server, 579 NetWare News server, 579 NetWare Web Manager, 579 NetWare Web Search, 580 Novell International Cryptography Infrastructure (NICI), 482, 483, 486–87, 606 Novell Internet Access server (NIAS), 612–13 Novell Internet Messaging System (NIMS), 590 Novell Replication Services (NRS), 598 Novell Storage Services (NSS), 599 NTP, 606 Schemax, 599 secure authentication service (SAS), 605 Single Sign On (SSO), 581–82 Small Business Suite, 583–84 SSLizer, 613 Storage Management Services, 578 support lifecycle forecast, 622 WAN Traffic Manager, 599–602 ZENworks for Desktops, 615–20 ZENworks for Networks, 622 ZENworks for Servers, 620–22 Novell Replication Services (NRS), 598 Novell Storage Services (NSS), 249–53, 599 Novell Support Software Diskettes (NSSD), 675 Novell Upgrade Wizard, 548 NPRINT, 71 NPRINTER, 71 NSLOOKUP.NLM, 249
NSS.NLM, 249–53, 599 additional commands, 251–52 components, 253 DOS FAT commands, 250–51 informational commands, 250 load commands, 250 modules, 249 old vs. new, 252–53 server console commands, 249 server console help, 249 supported enhancements, 528–29 volumes, 528–29 NSWEB.NCF, 254 NTP.CFG, 391–92 NTP.NLM, 391 NVXADMDN.NCF, 253 NVXNEWDN, 253 NWBACK32.EXE, 187–89 NWCONFIG utility, 253–54, 374, 557 NWHOST file, 14–15 NWREDIR, 22 Obituaries, 361–65 clearing time, 362 defined, 361 errors, finding, 365 information, generating, 362 primary, 363–64 problems, 361–63 secondary, 364 tracking, 364 See also NDS ODI drivers, 7 OFF, 254 OnSite Admin Pro, 177, 276 Output settings, 85–93 Banner Settings, 87 BINDERY, 90 DHCP, 90 Directory Agent List, 92–93 DNS, 90 Enable Banner, 87 Enable Tabs, 86–87 Form Feed, 85–86 Name Resolution Order, 89–90 NDS, 90 Number of copies, 85 NWHOST, 90 Other Settings, 87–88
Output settings (cont’d) Protocol Order, 88–89 SAP, 90 Scope List, 90–92 SLP, 90 See also NetWare client properties Packet bursting, enabling/disabling, 49–50 Packet Management group, 103–6 Checksum, 104 Large Internet Packets, 104 Link Support Layer Max Buffer Size, 104–5 Packet Burst Read Window Size, 105 Packet Burst Write Window Size, 105–6 See also NetWare client properties Pandora hack, 658 Partitions, 344–45 creating, 345 DOS, mounting as volume, 696–701 replicas, 345–50 root entry information, 345 synchronization, 348, 350–54 viewing, 344 See also NDS Partition screen, 515–17 Block Suballocation, 516 Data Migration, 517 File Compression, 516 Hot Fix Size, 515 NetWare Partition Size, 515 Status, 516 Unpartitioned Disk Space, 515 Volume Block Size, 516 Volume Name, 516 Volume SYS Size, 515 See also Installation (NetWare server) Passwords attacks, 643–44 best practices, 647 common, 657 decipher on workstations, 643 estimated time to break, 646 length, 645 management, 642–50 number of characters vs. possible combinations, 646 restrictions, 641 single sign on and, 650 strength, 645 See also Security
Patching server tuning with, 678 as upgrading, 534–36 PAUSE login script command, 333 server console command, 254 PCCOMPATIBLE login script command, 333 Performance, Cache groups, 106–11 Cache Writes, 106–7 Close Behind Ticks, 107 Delay Writes, 107–8 File Cache Level, 108–9 File Write Through, 109 Max Cache Size, 109–10 Name Cache Level, 110–11 True Commit, 111 See also NetWare client properties Pervasive SQL, 185–86 Physical security, 628–29 PIM.NLM, 498 PING.NLM, 254–55, 495–97 command line syntax, 495–96 defined, 495 error messages, 496–97 ICMP Echo Request/Reply, 495 return information display, 496 troubleshooting, 497 PKI, 482 configuring support for NDS, 484, 574 NLMs, 486 services, 573 service setup in NetWare, 485–86, 576 PKIS. See Certificate Server PORTAL.NLM, 255–56, 477, 578 PPPTRACE.NLM, 256, 492, 498 Preemption, 162 Printer assignment, 181 Printing, 178–85 HP support, 183 Lexmark support, 184 NDPS, 181–83, 607–12 queue based, 179–81 services for Unix, 183 third-party support, 183–85 verifying, 559 Xerox support, 184–85 Printing group, 111–12 Network Printers, 111–12 Print Header, 112
Print Tail, 112 See also NetWare client properties Print server, 179 PROFILE login script command, 333–34 PROTECT, 256–57 PROTECTION, 257–58 PROTOCOL, 258 PROXY.NLM, 465–66 Public symbol errors, 197 Pure IP, 413, 441 PURGE, 71–72 Queue based printing, 179–81 manual setup in NetWare Administrator, 181 NDS objects related to, 179–81 NLMs related to, 179 quick setup, 181 RAID 5 design, 676, 677 RAM A-level rated, 675 buying more, 676 DIMMs for, 674 speed and, 673 See also Memory RCONAG6.NLM, 258–59 RCONPRXY.NLM, 36–37 RCONSOLE, 33–35 107B SAP control, 34 to asynchronous connection, 34–35 defined, 33 downloading, 33 key functions, 33–34 NDS aware, 405 to NW5 server in pure IP, 35–36 security and, 656 RConsoleJ, 35–37 RDATE.NLM, 390 README.TXT, 534 Read only replicas, 349 Read/write replicas, 348 REGCLEAN, 38 REGEDIT.EXE, 76 REGISTER MEMORY, 259 Registry Windows 9x, 75 workstation, ZENworks in, 617 Registry entries SLP, 439
tweaking, 46–47 Windows TCP/IP, 12 Release notes, NetWare client, 4–5 REM, 259 REMADR.EXE, 405 REMARK login script command, 334 REMIRROR PARTITION, 259 REMOTE, 259 REMOVE DOS, 259 Replicas, 345–50 abused, 347–48 defined, 345 design and placement principles, 346–48 filtered, 354 logins and, 349–50 master, 348 NDSv8, 347 read only, 349 read/write, 348 ring, 348 Sparse/Fractional, 354 states, 349–50 subordinate, 349 use recommendations, 346–47 See also NDS; Partitions RESET ENVIRONMENT, 260 RESET ROUTER, 260, 463 RESET SERVER, 260 RESOLV.CFG, 470 Response File automated upgrade with, 350–53 Factory Install, 551–52 generation, 552 install scripts, 551, 552 passing, 552–53 Prompt key, 561–64 purposes, 550–51 section headings, 561, 562–63 server-installation generated, 552 syntax, 561–64 timesaving ability, 551 RESPONSE.NI file, 527–28 RESTART SERVER, 260 Reverse Address Resolution Protocol (RARP), 691 Right-click objects, 25–29 RIGHTS, 72–74 defined, 72 examples, 73
RIGHTS (cont’d) file system rights, 73 options, 72–73 using, 74 rights default NDS, 638 directory, 626 end-user, 632 file system, 626, 631, 632–33 inherited, mask, 633–34 minimum required, 633 NDS object, 396, 637 NDS property, 637–38 trustee, 631 See also Security RIPs displaying number of, 690 importance of, 690 packets, 691 RIP II, 691 traffic, 690–91 RMIC, 260 Routing functions, 474 RSPX.NLM, 260–61 SAPs, 687–90 client 640, controlling, 693 displaying, 687 filtering, 694 identification, 687, 694 information broadcasts, 688 listing resource, 690 packets, 688 types, 688–90, 695 SAP Snoop, 406 Sayit, 699 SCAN ALL, 261 SCAN FOR NEW DEVICES, 261 SCANTREE, 406 Scheduling, 162 Schema, 356–59 checking, 358 defined, 356 extending, 356–57 files, 357 problems, 358–59 See also NDS Schema Manager tool, 357–58 Schemax, 357, 407, 599
SCMD.NLM, 455–56 backbone support option, 457 functionality, 455 IPX compatibility, 455 switches, 455 Scopes, 442–44 configuration in NDS, 443 configuration on client, 444 configuration on server, 443–44 filtering, 443 minimizing, 443 purposes, 437 using, 442 warning, 437 See also SLP Script, 406 Scripted upgrades, 349 SCRIPT_SERVER login script command, 334 SCRSAVER, 261 SEARCH, 262 Secure Authentication Service (SAS), 484, 605 defined, 605 related NDS objects, 605 SECURE CONSOLE, 264 SECURE.NCF, 262–64, 652 Security, 625–61 attacks, 642–43 backdoors and, 657–58 browsing and, 659 DHCP, 654–55 evaluating, with BindView, 652 features, 627–28 file and directory attribute, 634–36 file system, 630–32 help desk and, 641–42 NDS, 636–41 Netscape Enterprise server, 628 NetWare holes, 655–56 password management, 642–50 physical, 628–29 RCONSOLE and, 656 server side, 650–53 tokens, 649 track record, 626–27 updated in NetWare 5.x, 627–36 virus protection, 629–30 Websites, 660–61 workstation, 653–55 See also Rights
SEND, 265 SERIALVER, 265 Server console commands, 172–73, 211–71 # (pound), 211, 256 ; (semicolon), 211, 265 –A, 211 ABORT REMIRROR, 211 ADD NAME SPACE, 212 ALIAS, 212 BIND, 213 BINDERY, 213 BROADCAST, 214 CDROM, 214–15 CLEAR STATION, 215 CLS, 215 CONFIG, 215 CPUCHECK, 216 DISABLE LOGIN, 217 DISABLE TTS, 217 DISMOUNT, 217–18 DISPLAY ENVIRONMENT, 218 DISPLAY INTERRUPTS, 218 DISPLAY MODIFIED ENVIRONMENT, 218 DISPLAY NETWORKS, 218 DISPLAY PROCESSORS, 218 DISPLAY SERVERS, 218 DOWN, 219 DSTRACE, 221 ECHO OFF, 221 ECHO ON, 222 ENABLE LOGIN, 222 ENABLE TTS, 222 EXIT, 222 FILE SERVER NAME, 222 HELP, 222 INETCFG, 222–26 IPX INTERNAL NET, 227 JAVA, 227, 228 LANGUAGE, 227 LDAP, 605 LIST DEVICES, 228 LIST STORAGE ADAPTERS, 228 LIST STORAGE DEVICE BINDINGS, 228 LOAD, 229 M, 229–30 MAGAZINE, 230 MEDIA, 230 MEMORY, 230 MEMORY MAP, 230
MIRROR STATUS, 230 MODULES, 231 MONITOR, 231–45 MOUNT, 245 NAME, 246 NCP ADDRESSES, 247 NCP DUMP, 247, 248 NCP STATS, 247–48 NCP TRACE, 248 NDPSM, 248 NIASCFG, 248–49 NVXNEWDN, 253 NWCONFIG, 253–54 OFF, 254 PAUSE, 254 PPPTRACE, 256 PROTECT, 256–57 PROTECTION, 257–58 PROTOCOL, 258 REGISTER MEMORY, 259 REM, 259 REMIRROR PARTITION, 259 REMOTE, 259 REMOVE DOS, 259 RESET ENVIRONMENT, 260 RESET ROUTER, 260, 463 RESET SERVER, 260 RESTART SERVER, 260 RMIC, 260 SCAN ALL, 261 SCAN FOR NEW DEVICES, 261 SCRSAVER, 261 SEARCH, 262 SECURE CONSOLE, 264 SEND, 265 SERIALVER, 265 SET, 265 SET TIME, 265 SET TIME ZONE, 265 SETUPNLS, 265 shortcuts to, 699 SPEED, 266 SPOOL, 266 SPXCONFG, 266–67 SQLCMON, 267 START PROCESSORS, 267 STARTX, 267 STOP PROCESSORS, 267 SWAP, 268
Server console commands (cont’d) TIME, 269 TPING, 269 TRACKOFF, 269 TRACKON, 269 UNBIND, 270 UNLOAD, 270 VERSION, 271 VESA_RSP, 271 VMDISMOUNT, 271 VMMOUNT, 271 VMVOLUMES, 271 VOLUME, 271 for WAN Traffic Manager, 602 SERVER.EXE, 149 contents, 149 defined, 149 NLMs contained in, 154–55 Server Imaging, 530 Server Magic, 530 Server Messaging Block (SMB), 307 SERVER.NLM, 150–55 communication management, 153–54 defined, 150 file system management, 154 kernel process management, 150–53 memory management, 153 server loading stages, 154–55 Server side security, 650–53 Server tuning, 275, 672–80 disk speed and, 673 IO BUS speed and, 673 LAN speed and, 673 parameters, 676–79 processor speed and, 673 RAM and, 673 resources, 680 system importance relative to, 672 TIDs, 679 See also NetWare server Service Agent (SA), 436, 439 Service Location Protocol. See SLP SET commands, 173–78, 265, 273–320 communication parameters, 276–87 compression parameters, 300–302 console commands related to parameters, 177, 275–76 defined, 173, 273 directory caching parameters, 296–97
directory services parameters, 315–17 disk parameters, 303–4 error handling parameters, 314–15 file caching parameters, 296 file system parameters, 297–300 hidden, viewing, 697–98 licensing services parameters, 320 locks parameters, 302 memory parameters, 287–95 miscellaneous parameters, 310–14 multiprocessor parameters, 317–18 NCP parameters, 307–10 nonpersistent parameters, saving, 175, 274 nonpersistent parameters, setting, 273 organized by function, 176–78, 275–76 parameters, 173 parameters, changing to defaults, 697 parameters, registration of, 174 parameters, saving, 273, 274 parameters, viewing, 273 parameters for high volume server needs, 679 persistent parameters, listing, 273 persistent parameters, saving, 175, 274 relating to SLP, 451 relating to TIMESYNC, 393–94 at server console, 175–76 service location protocol, 318–20 shortcuts to parameter changes and comparisons, 177, 275 TCP/IP, 499 time parameters, 304–7 transaction tracking (TTS), 303 tuning and optimization, 287 for “tuning” NetWare servers, 275 viewing parameters, 174 SET login script command, 334–35 SETPARM engine, 273 SETPASS, 74 SETSAVE, 178, 276 SET TIME, 265 SET TIME ZONE, 265 SET_TIME login script command, 335 SETUPNLS, 265 SHIFT login script command, 335–36 SHOWLOGO.NLM, 696 Simple Network Management Protocol (SNMP) configuration in NetWare, 489–90 defined, 488 packet transmission, 488–89
support, 488–90 traps, logging, 490 Single Sign On (SSO), 581–82, 650 Slow synchronization, 352 SLP, 90, 434–61 30 servers or less implementations, 446 31–100 server implementations, 446–49 100+ server implementations, 450–51 best practices, 458–61 defined, 387–88 Directory Agent (DA), 436 DNS instead of, 461 dump command, 440 functions, 435 IGMP multicast dependence, 389 implementing, 445–51 infrastructure, 389, 435, 441, 447 IPX SAP types in, 439 NDPS and, 182, 611 NDS dependence on, 387–90 NDS objects, 444–45 as open standard protocol, 434 parameters (server SET commands), 318–20 as pull technology, 440, 441 registered services, 438 registry entries, 439 RFC, 436 route of least configuration, 458 router support addresses, 460–61 scopes, 437, 442–44 server SET commands relating to, 451 Service Agent (SA), 436, 439 service entries, 440 as service location protocol, 434 URL structure, 437, 438–45 User Agent (UA), 436 when you don’t have to use, 457–58 when you must use, 458 SLP.CFG, 470 SLPDA.NLM, 265–66 SLP General group, 118–21 SLP Maximum Transmission Unit, 118–19 SLP Multicast Radius, 119 Use Broadcast for SLP Multicast, 120 Use DHCP for SLP, 120–21 See also NetWare client properties SLP Times group, 121–23 Give Up on Requests to SAs, 121 SLP Cache Replies, 121–22
SLP Default Registration Lifetime, 122 Wait Before Giving Up On DA, 122 Wait Before Registering on Passive DA, 122–23 See also NetWare client properties Small Business Suite, 583–84 SMART START CD, 675 SMS, 186–90, 578 backup terms, 189–90 backup types, 187 client utility, 187–89 defined, 186 loading, 186 modules used by, 190 SnapBack Live, 531 Sniffer programs, 501, 684–87 addresses to look for, 684–85 common IP ports, 686 common MAC/NIC addresses, 686–87 defined, 684 looking for errors with, 694 problems, 684 SPEED, 266 SPOOL, 266 SPXCONFG, 266–67 SQLCMON, 267 SQLC.NCF, 267 SSLizer, 613 START PROCESSORS, 267 Startup Folder, removing programs from, 50 STARTUP.NCF, 157–58 STARTX, 267 Statistics Ethernet driver, 235 FDDI driver, 236 LAN/WAN driver, 232–34 for NE2000, NE2, NE2_32, CNE2_32 Ethernet drivers, 237–40 for Token Ring drivers, 237, 241–42 STOP PROCESSORS, 267 Storage Attached Network (SAN), 146 STUFFKEY.NLM, 267, 668 Subnet addressing, 501–4 Subnetting, 659, 692 Subordinate replicas, 349 Super Host Adapter Control Block (SuperHACB), 165 Support packs customizing installation CD with, 557–60 installation, 557 latest, checking for, 540
Support packs (cont’d)
  README.TXT, 534
  support pack 1, 201–2
  support pack 5, 447
SWAP
  login script command, 336
  server console command, 268
SWAP file, 677
Synchronization, 348, 350–54
  as background process, 351
  design considerations, 353–54
  fast, 352
  password change effect on, 352–53
  schedule, 350–51
  slow, 352
  TAO filtered replica, 354
  traffic, 351–52
  workstation time, 8
  See also NDS; Partitions
Sync scrsav pwd AOT, 406
SYS$LOG.ERR, 659
SYS:_NETWARE hidden directory, 369–71
  NDSv8 files, 370–71
  NDS versions 6.x/7.x, 369–70
SYSCALLS.NLM, 268
System Works, 38
SYSTRAY client, 26–29
  Browse to, 29
  Configure System Tray Icon, 29
  Disconnect Network Drive, 27
  menu choices, 26
  NetWare Connections, 26–27
  NetWare Login, 26
  NetWare Utilities, 27
  Novell Capture Printer Port, 27
  Novell Client help, 29
  Novell Client Properties, 29
  Novell End Capture, 27
  User Administration, 28–29
TAO, 340, 353
  Directory Agent (DA), 436
  filtered replica synchronization, 354
  ICE, 385
  support, 353
TCPCON.NLM, 492–95
  defined, 492
  illustrated, 493
  IP routing table, 494–95
  options, 493
  protocol information, 494
  SNMP access configuration, 493–94
TCP/IP APIs, 490–91
  4.3 BSD Sockets, 491
  CLIB, 490
  Transport Layer Interface (TLI), 491
  WinSock 2.0, 490
TCPIP.NLM, 269, 474–75
  loading, 269
  parameters, 269, 475
TCP/IP stack, 12–16
  HOST files, 14–15
  NetBIOS name resolution order, 15–16
  WINSOCK.DLL version 2, 13–14
Telnet, 653
TIME, 269
Time parameters (server SET commands), 304–7
Timesync
  checking, 559
  debug screen, 395
  NTP and, 391–92
  server types, 392–93
  troubleshooting, 394–95
TIMESYNC.NLM, 390–91
Token Ring, 9
  driver statistics, 237, 241–42
  network packet support, 9
TOOLBOX.NLM, 531, 560, 670–71, 696
  best practices using, 560, 670
  defined, 670
  diskette copy of, 696
  parameters, 670–71
  for purging volumes, 560
TPING, 269, 497
TRACERT, 20–21
  attributes, 20
  defined, 20
  ICMP packets, 21
  syntax, 20
TRACKOFF, 269
TRACKON, 269
Traffic management, 681–95
  IPX and IP, 682–87
  monitoring tools, 682
  tuning, 681–95
  See also Network traffic
Transaction Tracking System (TTS), 368–69
  defined, 368
  disabling, 217
  enabling, 222
  flag, 369
  parameters (server SET commands), 303
Transport Layer Interface (TLI), 491
TREEINT.NLM, 372, 376, 407
TREE login script command, 336–37
Troubleshooting
  ABENDs, 192–97
  debugger commands, 191–92
  IP, tools and tips, 427
  IP Ping, 497
  log files, 38
  NDS, 390
  NetBIOS, 15
  NetWare server, 190–97
  Novell-specific client utilities, 39–40
  slow logins and client best practices, 40–50
  timesync, 394–95
Trouble Shooting group, 112–15
  Alert Beep, 112–13
  Handle Net Errors, 113
  Log File, 113
  Log File Size, 113–14
  Message Timeout, 114
  Net Status Busy Timeout, 114
  Net Status Timeout, 114–15
  See also NetWare client properties
Trustee rights, 631
UNBIND, 270
UNICON.NLM, 270
Unix, NetWare print services for, 183
UNLOAD, 270
Update Sequence Numbers (USN), 344
Upgrading (NetWare server), 533–64
  with Accelerated Upgrade utility, 553–57
  application upgrade, 542
  automated, using Response File, 550–53
  backing up system and, 540–41
  beginning, 544–45
  clients upgrade, 542
  DOS partition size and, 541–42
  in-place, with CD, 549–50
  in-place, with DSMAINT, 549
  lab testing, 543
  latest support packs/patch list and, 540
  licensing, 546–47
  migration paths, 547
  minimal hardware requirements and, 539
  NDS, 560–61
  NDS health-check, 543
  network preparation, 542
  NT to NetWare 5.1 migrations, 547–57
  on-line resources, 537–44
  patching as, 534–36
  planning, 537–39
  post installation tips, 558–60
  pre-install checklist, 536–44
  printers upgrade, 542
  priorities, 533
  server configuration documentation and, 539
  volume block size and, 543–44
User Agent (UA), 436
User State Migration tool, 700
VERSION, 271
VESA_RSP, 271
Virtual memory, 161
Virus protection, 629–30
Visio, 412
VLAN configuration, checking, 42
VMDISMOUNT, 271
VMMOUNT, 271
VMVOLUMES, 271
VOL$LOG.ERR, 660
VOLUME, 271
Volumes
  block size, 516, 543–44
  CD-ROM, mounting/dismounting, 700
  DOS partition, 696–701
  information, 65, 518–19
  information recovery, 667
  maintenance and repair, 667
  name, 516
  NSS, 528–29
  print queue, 678
  purging, 560
  sizes, changing, 667
WAN group, 115–16
  Large Internet Packet Start Size, 115
  Minimum Time to Net, 115
  NCP Max Timeout, 116
  See also NetWare client properties
WAN Traffic Manager (WTM), 599–602
  associated NDS objects, 602
  associated NLMs, 602
WAN Traffic Manager (WTM) (cont’d)
  configuring, 601
  defined, 599–600
  elements, 600–601
  server console commands for, 602
  as WAN “traffic officer,” 600
Warm boot, 698
Watchdogging, 140–43
WebDAV (Web Distributed Authoring and Versioning), 597
WINDIFF, 38
Windows 9x client, 11–12
  boot anatomy, 22–25
  Windows NT vs., 11–12
Windows 9x client properties, 75–83
  Advanced Button, 83
  Bindery, 81
  Clear Connections, 83
  client version, 77–78
  Credentials, 80
  Default Login Location Profile, 80
  Default Policy Support, 81–82
  first network drive, 77
  List of Location Profiles, 80
  Location List, 82–83
  name context, 77
  NDS, 80–81
  NT Credentials, 80
  Policy Path and Filename, 82
  preferred server, 75–76
  preferred tree, 76–77
  Script, 81
  Service Pack, 79
  Variables Button, 83
Windows NT/2000
  NetWare client for, 10
  Resource Kit, 11
  System Policy Editor, 10
Windows NT client, 10–12
  IP configuration, 17
  to NetWare 5.1 migrations, 547–57
  NetWare vs., 665–67
WINIPCFG utility, 16–17
WINS
  client side broadcasts, controlling, 693
  host name resolution order, 462
  verifying setup, 42
WinSock 2.0, 490
WINSOCK.DLL, 13–14
Workstations
  defragging, 41
  frame type specification, 692
  hacks and links, 654
  password decipher on, 643
  security, 653–55
  time synchronization, 8
WRITE login script command, 337
WTM.NLM, 271, 600
X.509 v3, 483–84, 573–74
Xerox printing support, 184–85
XGATEWAY.NLM, 271
XLMs, 171
ZENworks for Desktops, 1, 21, 500, 615–20
  application policies, 615
  best practices, 618–20
  disk imaging, 615–16
  documentation on, 616–17
  general enhancements, 615
  inventory enhancements, 616
  NDS access and replication traffic increase using, 618
  NDS database size increase by using, 617–18
  policies, 43
  process traffics, 619–20
  remote management, 616
  user policies, 616
  workstation policies, 616
  in workstation registry, 617
ZENworks for Networks, 622
ZENworks for Servers, 620–22
  defined, 620
  documentation, 622
  management, 620
  policy management, 621–22