Operating System
Directory Service Manager for NetWare
Administrator's Guide
Abstract
Microsoft® Directory Service Manager for NetWare is a Microsoft Windows NT® Server utility that enables you to synchronize user accounts between Windows NT Server domains and servers running Novell® NetWare® version 3.x or 2.x. This paper provides an overview of using Directory Service Manager for NetWare.
© 2000 Microsoft Corporation. All rights reserved.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
Microsoft, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Other product and company names mentioned herein may be the trademarks of their respective owners.
Microsoft Corporation • One Microsoft Way • Redmond, WA 98052-6399 • USA
04/00
Understanding and Installing Directory Service Manager for NetWare
Microsoft® Directory Service Manager for NetWare is a Microsoft Windows NT® Server utility that enables you to synchronize user accounts between Windows NT Server domains and servers running Novell® NetWare® version 3.x or 2.x.
Directory Service Manager for NetWare extends the Windows NT Server directory service features for user and group account management to NetWare servers. You can centrally manage user and group accounts that have access to servers running Windows NT Server and servers running NetWare. Each user has just a single password to access multiple servers running either network operating system. This password stays synchronized for all servers.
Directory Service Manager for NetWare does not require you to install any new software on your NetWare servers or NetWare clients.
This package contains two versions of Directory Service Manager for NetWare: version 4.0, which runs on Windows NT Server 4.0; and version 3.51, which runs on Windows NT Server 3.51.
How Directory Service Manager for NetWare Works
With Directory Service Manager for NetWare, you can add NetWare servers to be managed with Windows NT Server domains. A domain is a group of several servers that share a single set of user and group accounts.
The next section briefly explains how Windows NT Server domains work, and the following sections explain what happens when you manage NetWare servers with domains.
How Windows NT Server Domains Work
Each domain includes one server designated as the primary domain controller. This server maintains the master copy of the domain's Directory. The Directory (also called the security accounts manager database, or SAM) is a superset of the NetWare bindery. The Directory contains the domain's user accounts, group accounts, and security policies (such as password policies).
Figure: How a Windows NT Server domain operates.
The other servers participating in the domain are called backup domain controllers, and keep updated copies of the domain's Directory.
When administrators (the Windows NT Server equivalent of NetWare supervisors) administer domain accounts, they simply refer to the domain by its domain name. Windows NT Server automatically makes the changes at the primary domain controller, and then replicates the changes to the backup domain controllers.
When a user logs on to the domain, the logon request may be processed by either the primary domain controller or any of the backup domain controllers.
For a thorough explanation of Windows NT Server domains, see the Windows NT Server Concepts and Planning Guide.
Installing a Single Windows NT Server Computer
If you have a NetWare network with no servers running Windows NT Server, and you want to install and use Directory Service Manager for NetWare, you need to install Windows NT Server on at least one computer on your network. This server becomes the primary domain controller of your only Windows NT Server domain.
You can then add NetWare servers to be managed with the domain. The computer running Windows NT Server, acting as the primary domain controller, keeps the user accounts synchronized.
If you want your NetWare clients to also access the Windows NT Server computer as if it were a NetWare server, you can install Microsoft File and Print Services for NetWare on the Windows NT Server computer. This product, included in the Services for NetWare package, enables the server to provide file and print services to NetWare clients, with no new software necessary at the NetWare clients.
What Happens When You Add a NetWare Server for Management
This section provides an overview of what happens when you add a NetWare server for management with a domain. (For step-by-step instructions, see “Administering Directory Service Manager for NetWare.”)
1. Choose a NetWare server to add to the domain, and then select which of that server's user and group accounts the domain is to manage. You can move all user and group accounts, or just some of them.
The accounts you choose are copied to the Directory of the primary domain controller.
When a NetWare server is added to a domain for management, NetWare user and group accounts are moved to the domain.
If you move only some users and groups to the domain, you choose whether to delete or retain the remaining users and groups on the NetWare server. If you retain them, you administer these accounts using NetWare administrative tools. Do not use NetWare administrative tools on accounts managed by Directory Service Manager for NetWare; if you do, those accounts on that NetWare server become unsynchronized with the accounts in the domain.
2. Specify how the Windows NT Server domain is to propagate user and group accounts back to the NetWare server. You can propagate all or a subset of the Windows NT Server user and group accounts. To propagate a subset, select which Windows NT Server groups to propagate; every user account that is a member of at least one selected group is propagated as well.
The NetWare user accounts, along with Windows NT Server accounts, are propagated back to the NetWare server.
You can propagate up to 2,000 accounts to the NetWare server (this limit is for compatibility with NetWare). It is recommended that you choose only the groups containing users that actually need access to the NetWare server; groups containing only users who use only servers running Windows NT Server do not need to be copied.
You can also modify the list of groups that the Windows NT Server domain propagates to the NetWare server any time after adding the NetWare server to the domain.
3. The next time the primary domain controller updates its Windows NT Server backup domain controllers, the accounts of all the users and groups you copied to the domain from the NetWare server are replicated to the domain's backup domain controllers.
Administering NetWare Servers as Part of a Domain
Once you add a NetWare server for management with a domain and specify NetWare accounts to be maintained by the domain, you use a Windows NT Server tool, User Manager for Domains, to administer those accounts. Changes you make are copied automatically to the NetWare server.
If you use NetWare tools to modify one of those accounts directly on the NetWare server, the account will become unsynchronized with the domain. To make the account identical to the version on the primary domain controller, use User Manager for Domains to modify the domain account in some way, thus causing it to be propagated to the NetWare server.
Similarly, to add a new user account to access the NetWare server, you add it directly to the domain using User Manager for Domains. You must make the account NetWare-enabled. A NetWare-enabled user account is an account that can be propagated from the Windows NT Server domain to NetWare servers, and can log on from NetWare client computers. To make an account NetWare-enabled, you select a checkbox in the user account properties.
To propagate a Windows NT Server account that existed in the domain before you installed Directory Service Manager for NetWare, you simply modify the account to be NetWare-enabled.
Once an account is propagated to the NetWare server, all subsequent changes to the account are automatically copied to the NetWare server.
A NetWare client user must use the chgpass utility included with Directory Service Manager for NetWare to change his or her password. The chgpass utility implements the new password on all NetWare servers that the account is propagated to, as well as on all domain servers running Windows NT Server. Using a NetWare utility to change a password changes it only on the NetWare servers to which the user is currently attached, and the password becomes unsynchronized with the user's password on other servers.
To add NetWare servers to domains, to specify which Windows NT Server groups to propagate to NetWare servers, and to perform all other tasks to administer the association of NetWare servers and Windows NT Server domains, you use the Synchronization Manager tool. To manage account properties of users and groups, you use User Manager for Domains.
For more information, see “Administering Directory Service Manager for NetWare.”
Note
After adding a NetWare server to a domain, you still use NetWare administrative tools to manage functions on the NetWare server other than user account management. This includes shared volumes, file permissions and trustee rights, accounting, and printing.
A NetWare server can participate in only one Windows NT Server domain. Once a NetWare server has been added for management with a domain, you cannot add it to another without removing it from the first domain.
Adding Multiple NetWare Servers to a Domain
You can add multiple NetWare servers to a single Windows NT Server domain. To ensure good performance, it is recommended that you add no more than 32 NetWare servers per domain.
For performance reasons, if you have more than 32 NetWare servers to add to domains, divide the NetWare servers into smaller groups and add each group to a different domain.
When dividing NetWare servers into groups, consider which servers need to be used by the same people. It is best if all the servers used by a particular group of users are in the same domain, so that the group of servers and the users who need them end up together in a single domain.
When each NetWare server is added, you specify which NetWare users and groups to transfer from that server to the domain. The domain's Directory then contains a sum of all the users and groups that you copied from each NetWare server, plus the users and groups created directly in the Windows NT Server domain.
The list of users and groups being propagated may differ for each NetWare server participating in the domain. If a NetWare user needs access only to specific NetWare servers, you can propagate the user's account to only those servers. This minimizes network traffic and makes Directory Service Manager for NetWare more efficient.
For example, suppose that members of the Accounting group need access to NetWare servers NW1 and NW2, while members of Sales_Reps need access only to NW1. When you specify which groups to propagate to NW1, you select both Accounting and Sales_Reps. When you specify the users to propagate to NW2, you select only Accounting.
How to Handle Identical User Names
If you add multiple NetWare servers to be managed by the same domain, and each of those servers has a user or group account with identical names, the accounts are effectively merged in the domain.
For example, suppose that there is a LauraS account on both the NetWare servers NW1 and NW2. When NW1 is added for management with the domain, a LauraS account is created on the Windows NT Server domain, and that Windows NT Server account is given all rights and permissions on NW1 that the LauraS NetWare account had. Then, when NW2 is added to the domain, Directory Service Manager recognizes that LauraS already has an account in the domain, and gives the account the rights and permissions of the NW2 LauraS account. The domain's LauraS account then has all rights and permissions that were previously assigned to both the NW1 and NW2 LauraS accounts.
Directory Service Manager for NetWare can also merge accounts with different user names on multiple NetWare servers. For example, if LauraS also has an account on another server with a user name of LauraSh, you can merge this account into the domain's LauraS account, which would then have all rights previously held by both LauraS and LauraSh.
For more information on renaming accounts, see “Using a Mapping File to Rename User Accounts.”
User accounts on separate NetWare servers can be merged into a single account in the domain, with all the rights previously held by both accounts.
Note
If there is an account on a NetWare server that has the same name as an account already existing on the Windows NT Server domain, the rights and permissions of the NetWare account are given to the existing Windows NT Server account. If the existing Windows NT Server account is NetWare-enabled, then the account's existing password is used. If the account is not NetWare-enabled, the account is given a new password to enable it to be propagated to NetWare servers.
How NetWare Servers Are Kept Synchronized
When you install Directory Service Manager for NetWare in a domain, an account synchronization database is created on the domain's primary domain controller. This database stores the following information:
The users and groups being propagated to each NetWare server in the domain.
The update status of all user and group accounts on each NetWare server.
The update status of an account states which account modifications made to that account have been copied to the appropriate NetWare server(s). If the account is copied to more than one server, the update status may be different on each server.
The information in the database is similar to the information in Table 6.1.
Table 6.1 Contents of the Account Synchronization Database
Account | Version in domain | Version on NW1 | Version on NW2
Patricia | 5 | 5 | n/a
Joseph | 10 | 9 | 8
Sales_Reps | 2 | 2 | 2
Patricia's account is up to date on NetWare server NW1, and is not being propagated to NW2. Joseph's account needs to be updated on both NW1 and NW2; these servers must have been down when these account changes were made. The Sales_Reps group is up to date on both NetWare servers.
Whenever you modify an account on the Windows NT Server domain, Directory Service Manager for NetWare detects the change, updates the account synchronization database, and attempts to send the change to all NetWare servers to which this account is propagated. This attempt will succeed for all NetWare servers that are currently running.
If a NetWare server is not running, it will be updated later. The account synchronization database keeps track of what account updates are still needed at each NetWare server.
When the account is updated on a NetWare server, only the changed information is sent over the network, to minimize network traffic.
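The following Python model, added here as an illustration and not code from the product, ties together two points made above: how the set of accounts propagated to a NetWare server is derived from the selected Windows NT Server groups (including the 2,000-account limit and the NetWare-enabled requirement), and how the account synchronization database records, per server, which version of each account that server last received so that a server that was down gets only the changes it missed. The server names NW1 and NW2 and the groups Accounting and Sales_Reps are taken from the page's examples; the class, function and field names and the version bookkeeping are assumptions made for illustration.

```python
"""Model of account propagation and the account synchronization database for
a Directory Service Manager for NetWare domain. Added illustration; not
product code. Names of classes, functions and fields are assumptions."""

from dataclasses import dataclass

MAX_ACCOUNTS_PER_SERVER = 2000  # limit stated on the page (NetWare compatibility)


@dataclass
class Account:
    name: str
    is_group: bool = False
    groups: frozenset = frozenset()   # group membership, for user accounts
    netware_enabled: bool = True      # only NetWare-enabled accounts propagate
    version: int = 1                  # bumped on every change made in the domain


def propagation_set(accounts, selected_groups):
    """Names propagated to one NetWare server: the selected groups plus every
    NetWare-enabled user who is a member of at least one selected group."""
    selected = frozenset(selected_groups)
    names = {a.name for a in accounts if a.is_group and a.name in selected}
    names |= {a.name for a in accounts
              if not a.is_group and a.netware_enabled and a.groups & selected}
    if len(names) > MAX_ACCOUNTS_PER_SERVER:
        raise ValueError(f"{len(names)} accounts exceed the {MAX_ACCOUNTS_PER_SERVER} limit")
    return names


class SyncDatabase:
    """Per NetWare server: the propagated names and the account version that
    server last received (None = never sent)."""

    def __init__(self, accounts):
        self.accounts = {a.name: a for a in accounts}
        self.servers = {}

    def add_server(self, server, selected_groups):
        names = propagation_set(self.accounts.values(), selected_groups)
        self.servers[server] = {n: None for n in names}

    def modify(self, name, online_servers):
        """A change made with User Manager for Domains: record the new version
        and try to send it to every server that is currently running."""
        self.accounts[name].version += 1
        return self.push(online_servers)

    def push(self, online_servers):
        """Send only stale entries to the reachable servers; return what was sent."""
        sent = []
        for server in online_servers:
            for name, ver in self.servers.get(server, {}).items():
                current = self.accounts[name].version
                if ver != current:
                    self.servers[server][name] = current
                    sent.append((server, name, current))
        return sent

    def pending(self):
        """Accounts whose version on a server lags behind the domain version."""
        out = {}
        for server, status in self.servers.items():
            stale = sorted(n for n, v in status.items() if v != self.accounts[n].version)
            if stale:
                out[server] = stale
        return out


def demo():
    """The page's scenario: Accounting goes to NW1 and NW2, Sales_Reps to NW1
    only; then Joseph's account is changed while NW2 is down."""
    db = SyncDatabase([
        Account("Accounting", is_group=True),
        Account("Sales_Reps", is_group=True),
        Account("Patricia", groups=frozenset({"Sales_Reps"})),
        Account("Joseph", groups=frozenset({"Accounting", "Sales_Reps"})),
        Account("Mark", groups=frozenset({"Accounting"}), netware_enabled=False),
    ])
    db.add_server("NW1", ["Accounting", "Sales_Reps"])
    db.add_server("NW2", ["Accounting"])
    db.push(["NW1", "NW2"])                      # initial propagation, both servers up
    db.modify("Joseph", online_servers=["NW1"])  # NW2 is down: its update stays queued
    return db


if __name__ == "__main__":
    db = demo()
    print("pending updates:", db.pending())     # {'NW2': ['Joseph']}
    print("sent when NW2 returns:", db.push(["NW2"]))
```

Running the block shows the update for NW2 still outstanding after Joseph's account changed, and a single entry sent once NW2 is reachable again, which is the behaviour the synchronization database exists to guarantee.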
Using Directory Service Manager for NetWare in an Enterprise
If you do not have multiple Windows NT Server domains, you can skip this section.
If you have a trusted domain structure using the master domain model and you have 32 or fewer NetWare servers to add to domains, consider adding all your servers to the master domain. The accounts from the NetWare servers will be in the same domain as your other accounts, thus simplifying account management.
Directory Service Manager for NetWare does not operate across domains. A user can be propagated only to NetWare servers that have been added to the domain that contains the user's account.
For more information on domain structures, see the Windows NT Server Concepts and Planning Guide.
Installing Directory Service Manager for NetWare
The computer on which you are installing Directory Service Manager for NetWare must:
Be running Windows NT Server, version 4.0 or version 3.51. If the computer runs Windows NT Server 3.51, it must also run Windows NT Server Service Pack 2 or later.
Have Gateway Service for NetWare installed. This service is included with Windows NT Server.
While you can install Directory Service Manager for NetWare on any server in a domain, the service can run only on servers functioning as primary domain controllers. You may want to install the utility on one or more backup domain controllers to speed up recovery in the event of a crash of the primary domain controller.
Note
If a primary domain controller crashes and you need to install Directory Service Manager for NetWare on a backup domain controller to replace it, you must first promote the backup domain controller to primary domain controller. If you try to install Directory Service Manager on a backup domain controller when the primary domain controller is unavailable, you will see a message stating that the domain controller is not found.
Installing Version 4.0
To install Directory Service Manager for NetWare on a Windows NT Server 4.0 computer
1. Double-click My Computer, then double-click Control Panel.
2. Double-click Network.
3. Click the Services tab, then click Add.
4. Click Have Disk.
Important
If Directory Service Manager for NetWare appears in the Network Service list, do not select it; instead, click Have Disk.
5. Insert the Services for NetWare compact disc in the CD-ROM drive.
6. Type the appropriate path, and click OK.
The path is drive:\DSMN\NT40\processor, where drive is the drive letter of the CD-ROM drive and processor is the server's processor type. For example, type d:\dsmn\nt40\i386 to install on an x86-based computer with a CD-ROM drive at drive D. The possible values for processor are i386, MIPS, ALPHA, and PPC.
7. Select Directory Service Manager for NetWare, and click OK.
8. In both Password and Confirm Password, type a password for the Directory Service Manager for NetWare user account, and then click OK.
This account is used by the service to perform tasks.
Installing Version 3.51
To install Directory Service Manager for NetWare on a Windows NT Server 3.51 computer
1. On the server where you are installing the software, double-click the Network icon in Control Panel.
2. In the Network Settings dialog box, click Add Software.
3. In the Add Network Software dialog box, select <Other> from the bottom of the list of available software, then click Continue.
4. Insert the Directory Service Manager for NetWare CD-ROM into one of the computer's drives.
5. In the box, type the appropriate path to Directory Service Manager for NetWare version 3.51.
The path is drive:\DSMN\NT351\processor, where drive is the drive letter of the CD-ROM drive and processor is the server's processor type. For example, type d:\dsmn\nt351\i386 to install on an x86-based computer with a CD-ROM drive at drive D. The possible values for processor are i386, MIPS, ALPHA, and PPC.
6. In the Select OEM Option dialog box, select Directory Service Manager for NetWare, then click OK.
7. In both Password and Confirm Password, type a password for the Directory Service Manager for NetWare user account, and then click OK.
This account is used by the service to perform tasks.
8. Click Close, and then restart the computer to complete the installation.
Directory Service Manager for NetWare is now installed. When you restart the computer, the Directory Service Manager for NetWare service will automatically start.
The Directory Service Manager for NetWare service starts automatically whenever the computer starts. To configure how this service starts and stops, use the Services option in Control Panel or the net start mssync and net stop mssync commands.
Note
On computers that have multiple network cards and that run Directory Service Manager for NetWare but not File and Print Services for NetWare, you must use the Network icon in Control Panel to configure a unique Internal Network Number for the NWLink IPX/SPX Compatible Transport running on the primary domain controller. This is necessary for clients updating passwords using Chgpass.exe to locate the primary domain controller running Directory Service Manager for NetWare.
Upgrading From Version 3.51 to Version 4.0
If a server already runs Directory Service Manager for NetWare version 3.51, you can upgrade it to version 4.0.
To upgrade to Directory Service Manager for NetWare 4.0 from version 3.51
1. Double-click My Computer, then double-click Control Panel.
2. Double-click Network.
3. Click the Services tab.
4. Select Directory Service Manager for NetWare, then click Update.
5. Insert the Services for NetWare compact disc in the computer's CD-ROM drive.
6. Type the appropriate path, and click OK.
The path is drive:\DSMN\NT40\processor, where drive is the drive letter of the CD-ROM drive and processor is the server's processor type. For example, type d:\dsmn\nt40\i386 to install on an x86-based computer with a CD-ROM drive at drive D. The possible values for processor are i386, MIPS, ALPHA, and PPC.
7. Click Close, and then restart the computer.
8. After the computer restarts, the first time anyone logs on locally at the computer or the Directory Service Manager for NetWare service starts, a message will appear on the screen about upgrading the Directory Service Manager for NetWare database. Click OK to upgrade the database and complete the installation.
Installing Directory Service Manager for NetWare Administrative Tools
You can install just the administrative tools for Directory Service Manager for NetWare on any computer running Windows NT Workstation or Windows NT Server. Installing the administrative tools on a computer enables you to use that computer to remotely administer Directory Service Manager on any domain or server on your network. (To administer a domain other than the domain containing your computer, that domain must be trusted by the domain containing your computer.)
Version 4.0
To install the Directory Service Manager for NetWare 4.0 administrative tools
1. Double-click My Computer, then double-click Control Panel.
2. Double-click Network.
3. Click the Services tab, then click Add.
4. Click Have Disk.
5. Insert the Services for NetWare compact disc in the computer's CD-ROM drive.
6. Type the appropriate path, and click OK.
The path is drive:\DSMN\NT40\processor, where drive is the drive letter of the CD-ROM drive and processor is the server's processor type. For example, type d:\dsmn\nt40\i386 to install on an x86-based computer with a CD-ROM drive at drive D. The possible values for processor are i386, MIPS, ALPHA, and PPC.
7. Select Directory Service Manager for NetWare Administrative Tools, and click OK.
Version 3.51
To install the Directory Service Manager for NetWare 3.51 administrative tools
1. On the computer on which you are installing the software, double-click the Network icon in Control Panel.
2. In the Network Settings dialog box, click Add Software.
3. In the Add Network Software dialog box, select <Other> from the bottom of the list of available software, then click Continue.
4. Insert the Directory Service Manager for NetWare CD-ROM into one of the computer's drives.
5. In the box, type the drive letter of the CD-ROM followed by either i386, MIPS, ALPHA, or PPC. For example, type E:\MIPS to install on a MIPS computer whose CD-ROM drive is drive E.
6. In the Select OEM Option dialog box, select Directory Service Manager for NetWare Administrative Tools, then click OK.
Installing Directory Service Manager for NetWare From Floppy Disk
To install Directory Service Manager for NetWare (or its administrative tools) on a computer that does not have a CD-ROM drive, use the Directory Service Manager for NetWare CD-ROM to create 3.5-inch installation floppy disks.
To create floppy disks for installation:
1. At a computer with a CD-ROM drive, insert the Directory Service Manager for NetWare CD-ROM. You need two formatted, blank, high-density 3.5-inch floppy disks. Insert one disk in drive A.
2. Change directories to the \DSMN\NT40\DISKS or the \DSMN\NT351\DISKS directory on the CD-ROM.
3. Change directories to the subdirectory for the platform for which you want to create installation disks. For example, change to DISKS\i386 to create installation disks for an x86-based computer.
4. Copy the contents of the DISK1 subdirectory to the disk, and then copy the contents of the DISK2 subdirectory to the other disk.
To install the utility using the floppy disks you have made:
1. Follow the installation instructions in the previous section, but in the Insert Disk dialog box, specify the drive containing Disk 1. You will be prompted to insert Disk 2 at the appropriate time.
Installing the Online Administrator's Guide
Services for NetWare includes an online version of the Administrator's Guide. For instructions on installing this online manual, see the Services for NetWare release notes.
Administering Directory Service Manager for NetWare
Once Directory Service Manager has been installed, you can use it to add NetWare servers for management with a Windows NT Server domain.
This section explains how:
The information in NetWare user accounts is handled when the accounts are propagated to a Windows NT Server domain.
Users' passwords are set when the users are propagated to the Windows NT Server domain.
Supervisor accounts and NetWare groups are propagated to a Windows NT Server domain.
Mapping files are used when propagating users from NetWare to Windows NT Server.
User accounts originally created on Windows NT Server are propagated to a NetWare server.
How User Accounts Are Propagated from NetWare to Windows NT Server
User accounts on NetWare and Windows NT Server contain the same basic information: a username, a password, and restrictions on how the user can use the network.
On NetWare, most default account restrictions are set using the Supervisor Options and then can be changed for individual user accounts. On Windows NT Server, some account restrictions are set for individual user accounts, whereas account policies always apply to all user accounts in the domain.
The following table summarizes NetWare account restrictions and how these restrictions are interpreted when the account is moved to Windows NT Server.
Table 7.1 Transferring Account Restrictions from NetWare to Windows NT Server
NetWare Account Restriction | Windows NT Server Equivalent | How Transferred
Account Expiration Date | Account Expiration Date | By individual user account; NetWare setting preserved.
Account Disabled | Account Disabled | By individual user account; NetWare setting preserved.
Limit Concurrent Connections | Limit Concurrent Connections¹ | By individual user account; NetWare setting preserved.
Require Password | Permit Blank Password | As policy for all accounts; NetWare setting discarded.
Minimum Password Length | Minimum Password Length | As policy for all accounts; NetWare setting discarded.
Force Periodic Password Changes | Password Never Expires | By individual user account; NetWare setting preserved.
Days Between Forced Changes | Maximum Password Age | As policy for all accounts; NetWare setting discarded.
Require Unique Passwords | Password Uniqueness | As policy for all accounts; NetWare setting discarded.
Allow User to Change Password | User Cannot Change Password | By individual user account; NetWare setting preserved.
Grace Logins | Grace Logins¹ | By individual user account; NetWare setting preserved.
Station Restrictions | Logon Workstations | By individual user account; NetWare setting preserved.
Time Restrictions | Logon Hours | By individual user account; NetWare setting preserved.
Intruder Detection/Lockout | Account Lockout | As policy for all accounts; NetWare setting discarded.
User Disk Volume Restrictions | None | Not transferred
¹ Although these settings do not have equivalents in Windows NT Server itself, Directory Service Manager for NetWare enables Windows NT Server to preserve and enforce them.
Account Restrictions
Expiration date
On both NetWare and Windows NT Server networks, you can set an account expiration date. This setting for each NetWare account is preserved when it is transferred to the domain.
Note
User Manager for Domains shows the last day an account is valid; NetWare utilities show the first day the account is expired.
Account Disabled
You can disable individual user accounts on both NetWare and Windows NT Server networks. This setting for each NetWare account is preserved when it is transferred to the domain.
Limit Concurrent Connections
Limits the number of network connections a user may have to the server at any one time. This setting for each NetWare account is preserved when it is transferred to the domain.
Password Restrictions
Require Password
On Windows NT Server, a password is not required when the account policy allows blank passwords. Windows NT Server preserves the domain's current setting for this policy, and discards the settings in individual NetWare accounts.
Minimum Password Length
The NetWare default minimum is 5; the Windows NT Server default minimum is 6. Windows NT Server preserves the domain's current setting for this policy, and discards the settings in individual NetWare accounts.
Force Periodic Password Changes
The NetWare default is to not force changes; the Windows NT Server default is to force changes. This setting for each NetWare account is preserved when it is transferred to the domain.
Days Between Forced Changes/Password Expiration Date
The number of days a password is valid. The NetWare default is 40 days; the Windows NT Server default is 42 days. Windows NT Server preserves the domain's current setting for this policy and discards the settings in individual NetWare accounts.
NetWare also allows supervisors to set a specific password expiration date. This setting is discarded when the account is moved to Windows NT, and the Windows NT maximum password age setting takes effect.
Require Unique Passwords
NetWare requires 8 different passwords before the system allows reuse of a password. The Windows NT Server default is 5 and can be set from 1 to 8. Windows NT Server preserves the domain's current setting for this policy, and discards the settings in individual NetWare accounts. When a user is first propagated from a NetWare server to a Windows NT domain, the user's existing password history is not preserved.
Allow User to Change Password
The default on both NetWare and Windows NT Server is to allow users to change their passwords. This setting for each NetWare account is preserved when it is transferred to the domain.
Grace Logins
Specifies the number of times a user can log in after the user's password has expired. This setting for each NetWare account is preserved when it is transferred to the domain.
Station Restrictions
Station restrictions limit the workstations from which a user can log in. Workstations are specified according to their network and node addresses. The Station Restrictions setting for each NetWare account is preserved when it is transferred to the domain.
Time Restrictions
Time restrictions specify the hours during which a user can log in to the network. This setting for each NetWare account is preserved when it is transferred to the domain.
On NetWare, time restrictions are set in half-hour blocks. On Windows NT Server, time restrictions are set in hour blocks. When a block starting or ending on a half-hour is found, Directory Service Manager for NetWare modifies it to a whole hour. The change always gives the user more access time. For example, if the NetWare restriction allows a user to log on from 7:30 A.M. to 7:30 P.M., the user can log on from 7:00 A.M. to 8:00 P.M. after the account is transferred.
Intruder Detection/Lockout
Automatically locks the account after a specified number of unsuccessful logon attempts. Windows NT Server preserves the domain's current setting for this policy, and discards the settings in individual NetWare accounts.
By default, NetWare servers allow 7 attempts before locking the account; Windows NT Server computers allow 5 attempts.
User Disk Volume Restrictions
Disk restrictions limit the amount of disk space a user can use on a NetWare volume. Windows NT Server does not support this restriction, and it is not transferred.
Note
NetWare allows user names of up to 30 characters; Windows NT allows 20 characters. Windows NT Server will not create an account for a NetWare user name longer than 20 characters. Instead, there will be an entry in the Synchronization Manager log file (systemroot\SYSTEM32\SYNCAGNT\Mssync.log) stating that the user's username is not valid.
How User Passwords Are Set
Because NetWare servers store users' passwords in an encrypted format, Windows NT Server is unable to convert them. When you add a NetWare server to a domain and propagate its users, the NetWare users' passwords are lost.
Therefore, when you add a server for management, you choose one of the following options in Synchronization Manager:
Give each user a blank password
Set each user's password to be the same as their user name
Create some other password to be assigned to all users
Give each user a different, randomly generated password
Using a mapping file, which specifies each user's new password
If necessary, new passwords with too few characters are padded with zeros to comply with the domain's password length restriction.
For more information on mapping files, see “Using Mapping Files to Propagate Users to Windows NT Server,” later in this section.
Note
Advise users to use chgpass to change their passwords immediately after they have been moved to the domain. You can enforce this when adding a NetWare server for management with a domain by specifying the Users May Only Change Their Passwords Via Directory Service Manager for NetWare option in the Set Propagate Account On Server dialog box.
How Supervisors, Operators, and Managers Are Moved from NetWare to Windows NT Server
On a NetWare network, the Supervisor has complete control over the network, and you can grant Supervisor privileges to other users by giving them a security equivalence to the Supervisor account. Similarly, on a Windows NT Server domain, members of the Administrators group (including the default account named Administrator) have complete control over the servers in the domain. To give administrator privilege to other user accounts, add them to the Administrators group in the domain.
On NetWare, you can give limited administrative privileges to other user and group accounts by adding them to one of the managers or operators groups. Similarly, on a Windows NT Server network, you can grant limited administrative privileges to user and group accounts by adding them to certain built-in groups.
For more information on the use of administrative groups in Windows NT Server, see the Windows NT Server Concepts and Planning Guide.
Supervisor
The NetWare Supervisor is equivalent to the Windows NT Server administrator. Just as users on NetWare can be made Supervisor equivalents, you can grant users full administrative privileges on Windows NT by adding them to the Administrators group.
When adding a NetWare server to a domain for management, you choose whether to add the Supervisors on the NetWare server to the Administrators group on the Windows NT Server domain.
When you add NetWare servers for management with a domain, each NetWare server retains its unique Supervisor account with its own password. You cannot centrally manage the accounts named Supervisor. Members of the Windows NT Administrators group, however, are granted Supervisor rights on the NetWare servers participating in the domain.
Workgroup Managers and User Account Managers
The closest Windows NT Server equivalent to the NetWare Workgroup Manager and User Account Manager is the Account Operators group.
Like Workgroup Managers and User Account Managers, Account Operators can create, delete, and manage user and group accounts. Unlike Workgroup Managers, Account Operators can manage any user or group except other administrative groups.
Because user account administration is centralized on a Windows NT Server domain, there is no need to delegate account administration to individual users who have administrative power on a particular server. For this reason, users who are Workgroup or User Account Managers in NetWare are not automatically added to the Windows NT Server Account Operators group. Accounts in these groups lose these abilities on NetWare servers when they are propagated to Windows NT Server domains.
Console Operators
When adding a NetWare server for management, you choose whether to add users who are File Server Console Operators on a NetWare server to a similar group in the Windows NT Server domain, called Console Operators. Users in the Console Operators group have all the rights of File Server Console Operators on NetWare servers. Members of Console Operators do not have any special abilities on computers running Windows NT Server.
Windows NT Server does not have a Console Operators group by default; this group is created when Directory Service Manager for NetWare is installed on the server.
When NetWare users are added to the Console Operators group in the Windows NT Server domain, any groups that are members of File Server Console Operators are not added to Console Operators on Windows NT Server; instead, each member of the group is added as an individual user. The same thing happens when the Console Operators group is propagated to a NetWare server, if a group is a member of Console Operators.
Print Server Operators and Print Queue Operators
In NetWare, the Print Server Operators and Print Queue Operators groups have different abilities than the Print Operators group in Windows NT Server. Members of these NetWare groups lose their abilities on NetWare servers if they are propagated to the domain.
How Other Groups Are Propagated from NetWare to Windows NT Server
When you add a NetWare server to a domain, you choose which Supervisor-created groups to propagate to the domain. Each of these groups is transferred with no additional restrictions.
The Windows NT Server domain contains a group called Everyone. This group represents all users, including those with user accounts in the domain, users from other Windows NT Server domains, and guest users. The Windows NT Server domain retains the Windows NT Server Everyone group, and ignores the Everyone group from the NetWare server.
If you choose to propagate only certain groups from the Windows NT Server domain to a NetWare server, you cannot choose the Windows NT Server Everyone group (or the Windows NT Server Domain Users group). To propagate all user accounts, you should instead choose the All Accounts option in the Set Propagated Accounts dialog box of Synchronization Manager.
Using Mapping Files To Propagate Users to Windows NT Server
A mapping file is an ASCII file listing group names, usernames, and passwords. You may want to use a mapping file for the following reasons:
To preplan and list in one file exactly which users and groups are to be propagated to the domain.
To set different passwords for each user being propagated, without randomly generating the passwords.
To rename some user accounts to match the usernames of accounts for those same users on other servers, if those usernames are different.
If you use a mapping file when you add a NetWare server to a domain, only the user and group accounts listed in the mapping file are propagated to the domain. In the domain, the users are assigned the passwords you list in the mapping file.
You cannot create new users with a mapping file. All users listed in the mapping file must already have accounts on the NetWare server.
You can either create a mapping file before you add a NetWare server to a domain, or you can use Synchronization Manager to create the mapping file while you add the server. Using Synchronization Manager to create the file is easier; the required section headings and the names of all user and group accounts from the NetWare server are automatically put into the file. Also, the file contains new passwords for each user, and you specify how to initially set these passwords; they can be the same as the username, a single password for all users, or randomly generated passwords. Once you use Synchronization Manager to create the mapping file, you can edit the file.
The mapping file format consists of two sections, headed by [users] and [groups] lines. Each user or group being moved has one line. Each line in the user section has the following format:
old_username, [new_username], [password]
The old_username is the current username of the user on the NetWare server. The new_username is optional (see the following section, “Using a Mapping File to Rename User Accounts.”) The password is the new password to assign to the user.
For example, to propagate the user account currently named Patricia, rename it to PatriciaS, and give it a password of ORANGE, you would put the following line in the [users] section of the mapping file:
patricia, patricias, orange
If you instead want to keep the current username of Patricia, you would use:
patricia, , orange
Within the group section, each line lists only the group name.
To not propagate a user or group to the domain, simply remove that name from the mapping file.
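A parser and preflight check for the mapping file format described above, added here as an example and not part of Synchronization Manager. It reads the [users] and [groups] sections, then flags the entries a trial run would surface: usernames over the 20-character Windows NT limit, duplicate target usernames, blank passwords, passwords equal to the username, and passwords the domain would zero-pad (the padding side is an assumption; the sample file is constructed).

```python
# Added example (not Synchronization Manager code): parses the mapping file
# format described above and performs the checks a preflight pass would want
# before the server is added. Constants and sample data are constructed here.

NT_MAX_USERNAME = 20  # Windows NT username limit given in this document


def parse_mapping_file(text):
    """Parse [users] and [groups] sections.

    Returns {"users": [(old_username, effective_username, password), ...],
             "groups": [group_name, ...]}.
    A blank new_username means the account keeps old_username.
    """
    users, groups, section = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.lower() in ("[users]", "[groups]"):
            section = line.lower()[1:-1]
            continue
        if section == "users":
            fields = [f.strip() for f in line.split(",")]
            if not fields[0] or len(fields) > 3:
                raise ValueError(f"line {lineno}: expected old_username, [new_username], [password]")
            fields += [""] * (3 - len(fields))
            old, new, password = fields
            users.append((old, new or old, password))
        elif section == "groups":
            groups.append(line)
        else:
            raise ValueError(f"line {lineno}: entry before any [users]/[groups] heading")
    return {"users": users, "groups": groups}


def pad_password(password, min_length):
    """Zero-padding rule stated above; padding on the right is an assumption."""
    return password + "0" * max(0, min_length - len(password))


def preflight(mapping, min_password_length):
    """Return [(old_username, finding), ...] for entries worth a second look."""
    findings, targets = [], set()
    for old, new, password in mapping["users"]:
        if len(new) > NT_MAX_USERNAME:
            findings.append((old, "username exceeds 20 characters; Windows NT will not create it"))
        if new.lower() in targets:  # Windows NT usernames are case-insensitive
            findings.append((old, "target username already used; accounts would merge"))
        targets.add(new.lower())
        if password == "":
            findings.append((old, "blank password"))
        elif password.lower() in (old.lower(), new.lower()):
            findings.append((old, "password equals username"))
        elif len(password) < min_password_length:
            findings.append((old, f"password would be zero-padded to {pad_password(password, min_password_length)!r}"))
    return findings


# Constructed sample mapping file (not from a real server).
SAMPLE_MAPPING = """\
[users]
patricia, patricias, orange
bob, , bob
alexanderthegreatofmacedonia, , s3cret
carol, , ab

[groups]
accounting
engineering
"""

if __name__ == "__main__":
    for user, finding in preflight(parse_mapping_file(SAMPLE_MAPPING), 6):
        print(f"{user}: {finding}")
```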
Using a Mapping File to Rename User Accounts
When you use a mapping file, the new_username argument in each line in the [users] section is optional. You can use this argument to rename a user account when it is propagated to the Windows NT Server domain or to merge this account with a user account on another server with a different user name.
1. Decide which username you want the final user account to have.
2. Add a NetWare server to the domain. If the username differs from the final user name, use a mapping file and specify the current name as the username, and the final name as the new_username.
3. Add the other NetWare server to the domain, following the same procedure.
Be sure to use the name you want the final account to have the first time you add the account to the domain. When you add subsequent NetWare servers, rename the account when necessary to match the established, correct username.
How Windows NT Server Users Are Propagated Back to NetWare Servers
When one or more NetWare servers have been added to a Windows NT Server domain for management, you can specify which accounts are to be propagated back to each NetWare server. These can be both accounts that originally existed on NetWare servers, and accounts created in Windows NT Server and made NetWare-enabled. This section explains what happens to the account information of accounts created on Windows NT Server when they are propagated to NetWare servers.
The following table lists each account restriction and the corresponding NetWare account restriction, if any, to which it is transferred.
Table 7.2 Transferring Account Restrictions from Windows NT to NetWare

Windows NT Account Restriction | NetWare Account Restriction | How propagated to NetWare

User Properties Dialog Box
Username | Username | Propagated intact.
Full name | Full name | Propagated intact.
Description | None | Not propagated.
Password | Password | Propagated intact.
User Must Change Password at Next Logon | Password Expiration Date | When selected, the NetWare password expiration date is the current date.
User Cannot Change Password | Allow User to Change Password | Propagated intact.
Password Never Expires | Password Expiration Date | Propagated intact.
Account Disabled | Account Disabled | Propagated intact.
Account Locked Out | Intruder Detection/Lockout | Current setting not propagated.
Maintain NetWare Compatible Login | None | Must be selected for account to be propagated to NetWare servers.

Group Memberships
Group memberships | Group memberships | Propagated intact.

Profile
User Profile Path | None | Not propagated.
Logon Script Name | None | Not propagated.
Home Directory | Home Directory | Home Directory setting is ignored; NetWare Home Directory Relative Path is propagated.

Hours
Logon Hours | Logon Hours | Propagated intact.

Logon To
User May Log On to All Workstations | None | Not propagated. Governs logons from Microsoft client computers only.
User May Log On From All NetWare Workstations | Station Restrictions | Propagated intact.

Account
Account Expires | Account Expiration Date | Propagated intact.
Account Type | None | Not propagated.

NetWare Properties
NetWare Account Password Expired | None | No effect when propagating from Windows NT Server to NetWare.
Grace Logins | Grace Logins | Propagated intact.
Concurrent Connections | Limit Concurrent Connections | Propagated intact.

Account Policies
Maximum Password Age | Days Between Forced Changes | Propagated intact.
Minimum Password Age | None | Not propagated.
Minimum Password Length | Minimum Password Length | Propagated intact.
Password Uniqueness | Require Unique Passwords | Propagated intact, but effective only if set to 8 or greater.
Account Lockout | Intruder Detection/Lockout | Propagated intact.
Forcibly Disconnect When Logon Hours Expire | None | Not propagated.
Users Must Log On to Change Password | None | Not propagated.
How Windows NT Server Groups Are Propagated to NetWare Servers
Windows NT Server domains have several built-in groups. Only members of the Administrators group in the domain are given special rights on NetWare servers. These users are given security equivalence to Supervisor on every NetWare server added to the domain.
Memberships of administrator-created groups are propagated correctly from the domain to NetWare servers, as long as those groups have been selected to be propagated, or you have selected to propagate all accounts.
How Users Should Change Their Passwords
The client software determines how a user who has an account managed by a Windows NT Server domain and propagated to NetWare servers changes his or her password.
Client type | User action to change password
Windows NT Workstation 4.0 or 3.51 | CTRL+ALT+DEL
Any other Microsoft client | chgpass command
NetWare client | chgpass or mslogin command
The chgpass and mslogin utilities are provided with Directory Service Manager for NetWare. The chgpass utility simply changes a user's password. The mslogin utility is the functional equivalent of similar NetWare utilities and can correctly change passwords on NetWare servers that have been added to a domain for management. Both of these utilities, when told to change the user's password at a NetWare server, actually change the password on the Windows NT Server domain and on all the NetWare servers to which the user's account is being propagated. If the user is currently attached to any NetWare servers not participating in a domain, chgpass and mslogin also change the user's password at those servers.
To help ensure that your NetWare client users use only chgpass or mslogin, Directory Service Manager for NetWare provides:
The Users May Only Change Their Passwords Via Directory Service Manager For NetWare option, which prevents users from incorrectly changing passwords using NetWare utilities.
Two utilities—msattach and msmap—that display a message informing the users to use chgpass to change the password. You can have users use these utilities, instead of similar NetWare utilities.
The ability to copy the chgpass and mslogin utilities, and the necessary RPC support files, to the preferred servers of all your NetWare clients. You should make sure that every NetWare client has a preferred server that stores these utilities.
When a NetWare server is added for management in a domain, Chgpass.exe, Mslogin.exe, Msattach.exe, and Msmap.exe (along with the necessary library files Rpc16c1.rpc, Rpc16c6.rpc, and Security.rpc) are copied to the NetWare server's PUBLIC directory. Mslogin.exe and the .rpc files are also copied to the server's LOGIN directory.
Although Directory Service Manager for NetWare copies all these utilities automatically to NetWare servers added for management with Windows NT Server domains, you might also want to copy these utilities to the PUBLIC and LOGIN directories of any other NetWare servers you have to which these users might be connected.
Users of Microsoft client computers other than Windows NT Workstation (version 4.0 or version 3.51) must also have the chgpass utility available. To make it available to Microsoft client users, you can either copy Chgpass.exe (plus the *.rpc files) to the client computers or set up a shared directory accessible to these clients and put the utilities there.
If a user mistakenly uses another utility to change his or her password on a NetWare server (and you did not specify the Users May Only Change Their Passwords Via Directory Service Manager For NetWare option for the server), you can quickly correct the situation by having the user run chgpass. The chgpass utility synchronizes the new password to all servers. (However, password histories remain unsynchronized.)
For more information on the new utilities provided with Directory Service Manager for NetWare, see “Command Reference,” later in this section.
Using the Directory Service Manager for NetWare Tools
To administer Directory Service Manager for NetWare, you use Synchronization Manager (included with Directory Service Manager for NetWare) and User Manager for Domains.
You can use Synchronization Manager to:
Add a NetWare server to be managed with a domain.
Execute a “trial run” of adding a NetWare server for management with a domain. The trial run produces a report detailing what will happen if the server is actually added to the domain. The report shows what accounts will be added to the domain and how they will be configured.
Remove a NetWare server from management with a domain.
Specify which accounts to propagate from the domain to each NetWare server.
Synchronize one or all NetWare servers with the domain.
Back up the account synchronization database.
Once you add a NetWare server to be managed with a domain, use User Manager for Domains to:
Add, modify, and delete user accounts
Add, modify, and delete group accounts
Set account policy
Introducing Synchronization Manager
Synchronization Manager is the tool you use to add NetWare servers for management with domains and to manage other aspects of Directory Service Manager for NetWare. The main screen of Synchronization Manager is shown below.
The NetWare Server column lists the names of the NetWare servers that have been added to this domain for management. The Description column shows the version and type of each server. To the left of the server name is an icon showing the current synchronization status of the server, as indicated in the following table.
Icon | Meaning
(synchronized icon; image not reproduced) | The server is currently synchronized with the domain.
(not synchronized icon; image not reproduced) | The server is not currently synchronized. Directory Service Manager for NetWare will soon synchronize it.
To start Synchronization Manager, click Start, point to Programs, point to Administrative Tools, then click Directory Service Manager for NetWare. In version 3.51, double-click the Synchronization Manager icon, which is installed into the computer's Network Administration program group when you install Directory Service Manager for NetWare.
Before You Add a NetWare Server to be Managed in a Domain
To ensure that the addition of a NetWare server to a domain for management goes smoothly, you should take a few steps before adding the server:
Use NetWare utilities to back up the NetWare server's bindery.
Check the user names on the NetWare server and the Windows NT Server domain. If any are identical, the rights and permissions of the NetWare user account will be granted to the existing Windows NT Server account, unless you rename the NetWare user account. For more information on renaming user accounts, see “Using a Mapping File to Rename User Accounts,” earlier in this section.
If multiple NetWare servers are being added to the domain, check whether any users have accounts on multiple NetWare servers with different user names. If so, decide the username you want the user to have on the domain, and transfer the other accounts to that user name. For more information, see “Using a Mapping File to Rename User Accounts,” earlier in this section.
Check the account policies of the domain, to make sure they are acceptable. Once the NetWare server is added, these policies will affect user logins to the NetWare server.
Note
To maintain password history, set the domain's Password Uniqueness to remember passwords, and set the number of passwords to 8 or more. If the limit is less than 8, password history affects only logons to servers running Windows NT Server, not to NetWare servers.
If the File and Print Services for NetWare product was previously installed on the primary domain controller, you must reset the passwords of any user accounts that were NetWare-enabled before Directory Service Manager for NetWare was installed. This is because Directory Service Manager for NetWare cannot read these users' existing passwords.
To enable previously NetWare-enabled users to be propagated to NetWare servers, create a batch file that calls the net user command for each user, and resets the password. For best security, you can use the /rand option to randomly generate new passwords for these users.
Perform a trial run of the addition, and carefully examine the report it produces to make sure that the effects are what you intend.
Adding a NetWare Server to be Managed in a Domain
Adding a NetWare server to be managed in a domain enables you to share user and group accounts between the Windows NT Server computers in the domain and the NetWare server.
When a NetWare server is added, user and group accounts are propagated from the server to the domain. Then, those accounts (along with original Windows NT Server accounts, if you want) are propagated back to the NetWare server. From then on, you maintain the accounts on the domain and account changes are automatically propagated to the NetWare servers in the domain.
You can remove a NetWare server from management with a domain at any time. You can then use NetWare administrative tools to administer the server and its current bindery. Or you can restore the bindery if you want to return the server to how it was before you added it to the domain. You can add the server again to a domain at any time.
Note
For compatibility, Directory Service Manager for NetWare cannot propagate more than 2000 accounts to a NetWare server. If you try to propagate too many accounts to a NetWare server, you will be prompted to propagate fewer groups.
To add a NetWare server to be managed in a domain
1. In Synchronization Manager, click Add Server to Manage on the NetWare Server menu.
2. Select or type the name of the NetWare server, and click OK.
3. Type the username and password to use to connect to the NetWare server, and click OK.
The username must have Supervisor privileges on the NetWare server.
4. Fill out the Propagate NetWare Accounts to Windows NT Domain dialog box to specify how you want NetWare user accounts migrated to the domain.
Some important points:
To use a mapping file, click Use Mapping File. To create the mapping file, type a new file name in File, and click Edit. This creates a mapping file with the name you provide.
To specify users, groups, and passwords in this dialog box, select Ignore Mapping File.
5. Click Trial Run to produce a report showing which user and group accounts will be successfully propagated, as well as users' new passwords. This step is optional, but strongly recommended.
6. Click OK to add the server.
7. Click Yes to continue if you have already backed up the bindery of the NetWare server. Otherwise, click No and back up the bindery before adding the server.
8. In the Set Propagated Accounts on [Server] dialog box, select to propagate all groups (and their members) or only some groups back to the NetWare server.
For help with the settings in the Set Propagated Accounts on dialog box, click Help.
9. Click Yes to delete the NetWare user and group accounts that you are not propagating to the Windows NT Server domain. Click No to keep these accounts and continue managing them on the NetWare server using NetWare administrative tools. Accounts left behind on the NetWare server cannot use chgpass; they must use NetWare utilities to change their passwords.
Note
When a NetWare server is added for management with a domain, a user account named WINNT_SYNC_AGENT appears in that server's bindery. Do not delete this account; it is used by Directory Service Manager for NetWare to access the NetWare server's bindery.
Log Files Created When You Add a Server for Management
Every time you add a NetWare server for management with a domain, or perform a trial run of doing so, a log file named Mssync.log is created in the systemroot\SYSTEM32\SYNCAGNT directory. The log file shows what happened to NetWare accounts during the propagation to the domain.
If you assign randomly generated passwords to users being propagated to a domain, a Mssyncpw.txt file is created in the systemroot\SYSTEM32\SYNCAGNT directory. This file contains only usernames and the new passwords. Each user/password combination is separated by a formfeed, so you can print this file when notifying users of their new passwords.
Note
Store Mssyncpw.txt files only in secure directories.
The next time you add another server or perform a trial run, the new log file is named Mssync.log and the old one is renamed to Mssync.nnn, where nnn is a three-digit number. If random passwords were used, a new Mssyncpw.txt is also created, and the old one is renamed to Mssyncpw.nnn. These old log files are not automatically deleted, so periodically check this directory and then delete old log files.
Performing a Trial Run of Adding a Server to a Domain
Before you add a NetWare server to be managed in a domain, you can perform a trial run. This produces a report you can examine to see what user and group accounts will be successfully migrated, and what users' new passwords will be.
For instructions on performing a trial run, see “Performing a Trial Run of Adding a Server to a Domain” in the Synchronization Manager online Help.
Removing a NetWare Server from Management
Removing a NetWare server from management ends the propagation of account changes and new user accounts from the domain to the server. After you remove a NetWare server from a domain, you can immediately start administering the user and group accounts on that server with NetWare tools. Or, if you backed up the NetWare server's bindery before adding it to the domain for management, you can restore that bindery to the server before continuing.
You can add the server again to a domain at any time.
For instructions on removing a NetWare server from management, see “Removing a NetWare Server from Management” in Synchronization Manager Help.
Setting Propagated Accounts
You can change the list of groups whose members are propagated to NetWare servers that have been added to the domain for management. For instructions, see “Setting Propagated Accounts” in Synchronization Manager Help.
Creating New User Accounts
To create a new user account to access a NetWare server that is managed by a domain, add the account directly to the domain using User Manager for Domains. When you do so, be sure to select the Maintain NetWare Compatible Login checkbox.
Propagating Existing Windows NT User Accounts
To propagate an existing user account, make the account NetWare-enabled. If only some accounts are propagated to NetWare servers, you must also make the user account a member of a propagated group.
When you NetWare-enable an existing account, you are prompted to change the user's password. Directory Service Manager for NetWare cannot propagate a user account unless it knows the account password. Because passwords are stored encrypted, it cannot learn the existing password. When you set a new password for the user, Directory Service Manager for NetWare receives it and begins propagating the account.
For instructions on propagating existing user accounts, see “Propagating Existing User Accounts” in Synchronization Manager Help.
Modifying User Account Information
To modify a user account (including changing its password), use User Manager for Domains. The changes are automatically propagated to all the NetWare servers to which the account is being propagated.
Make changes to user or group accounts only while the Directory Service Manager for NetWare service (also called the mssync service) is running. Otherwise, these changes are not propagated to NetWare servers.
If you do make changes while the service is not running, you must start the service and then make another change to the account. The account is then made current on NetWare servers.
Note
NetWare servers limit a user to being a member of no more than 32 groups. You can use User Manager for Domains to add a user to more than 32 groups, but the user does not receive rights and permissions on NetWare servers from any groups after the 32nd group.
Ensuring that Users' Passwords Are Synchronized
Directory Service Manager for NetWare includes dsmchk.exe, a new utility for testing password synchronization. It checks one or more NetWare servers in the domain, comparing the user's password on each NetWare server to the user's password on the primary domain controller.
To automate the testing of each user's password, you can call dsmchk from each user's login scripts.
To use dsmchk, the primary domain controller must be running Windows NT Server 4.0.
Dsmchk Syntax
The syntax for dsmchk is:
dsmchk -d domain -u username [-n NWserver] [-r retries:interval]
where
-d domain Specifies the domain in which to verify password synchronization.
-u username Specifies the user account.
-n NWserver Specifies the name of a NetWare server with which to verify password synchronization. If you don't specify a server, the default is all NetWare servers in the domain.
-r retries:interval Specifies a number of retries and the interval in seconds between retries.
Error Levels Returned by Dsmchk
Dsmchk reports on the user's password situation with the following error levels:
0 The password is synchronized across the specified NetWare server(s) and the primary domain controller.
1 The password is not synchronized.
2 The NetWare server is unknown or not administered by DSMN.
3 The domain name is unknown.
4 The user account name is unknown or not administered by DSMN.
5 The user account name is not administered between the primary domain controller and the NetWare server.
Using Dsmchk
You can run dsmchk with the dsmchk files based either on the server or on client computers.
To run DSMCHK using files on the server
1. Create directories for each processor type (i386, Alpha, mips, and/or ppc) in the %systemroot%\system32\repl\import\scripts directory. For example, if %systemroot% is c:\winnt and you have clients with x86 and Alpha processors, you would create the following directories:
c:\winnt\system32\repl\import\scripts\i386
c:\winnt\system32\repl\import\scripts\alpha
2. Expand and copy the appropriate Dsmchk.exe and Swclnt.dll files from the FPNW/DSMN compact disc to each directory. Continuing the example from Step 1, and assuming that D: is the CD-ROM drive, you would type
expand d:\dsmn\nt40\i386\dsmchk.ex_ c:\winnt\system32\repl\import\scripts\i386\dsmchk.exe
expand d:\dsmn\nt40\i386\swclnt.dl_ c:\winnt\system32\repl\import\scripts\i386\swclnt.dll
expand d:\dsmn\nt40\alpha\dsmchk.ex_ c:\winnt\system32\repl\import\scripts\alpha\dsmchk.exe
expand d:\dsmn\nt40\alpha\swclnt.dl_ c:\winnt\system32\repl\import\scripts\alpha\swclnt.dll
3. If any of the clients run Windows NT Workstation 3.51, copy Msvcrt.dll from the Windows NT Server 4.0 %systemroot%\system32 directory to each DSMCHK directory. Continuing the examples from previous steps, you would type
copy c:\winnt\system32\msvcrt.dll c:\winnt\system32\repl\import\scripts\i386
copy c:\winnt\system32\msvcrt.dll c:\winnt\system32\repl\import\scripts\alpha
After you have copied these files, a Windows NT 4.0 client can run dsmchk simply by using the pathname of the dsmchk.exe file on the server.
To run DSMCHK using files on the client
1. Copy the DSMCHK files (Dsmchk.exe, Swclnt.dll, and Msvcrt.dll [needed for Windows NT 3.51 clients only]) for the client's processor type to the client's %systemroot%\system32 directory.
For example, at the client's command prompt, you might type
copy \\server\netlogon\i386\*.* c:\winnt\system32
When you copy the files to the client, the client can use dsmchk without referencing a pathname on a server.
Now, with the files installed either on a server or on the client, you can use dsmchk in a login script. For example, you could insert the following commands in a logon script to test that user's password synchronization:
@ECHO OFF
REM Test this user's password synchronization from a logon script.
REM dsmchk is run from the NETLOGON share of the DSMN primary domain
REM controller; -r 4:30 retries four times, 30 seconds apart.
:TEST_USER
\\DSMNsrvr\netlogon\i386\dsmchk -d domain2 -u myname -n NWserver -r 4:30
REM IF ERRORLEVEL n is true for any exit code of n or higher, so the
REM tests must be made from the highest error level down.
IF ERRORLEVEL 5 GOTO USER_NOT_PROPED
IF ERRORLEVEL 4 GOTO USER_NOT_DSMN
IF ERRORLEVEL 3 GOTO DOMAIN_NOT_DSMN
IF ERRORLEVEL 2 GOTO SVR_NOT_IN_DSMN
IF ERRORLEVEL 1 GOTO SVR_NOT_IN_SYNC
IF ERRORLEVEL 0 GOTO ALL_IN_SYNC
:ALL_IN_SYNC
ECHO The servers are synchronized.
GOTO DONE
:SVR_NOT_IN_SYNC
ECHO The servers are not synchronized. Rechecking . . .
REM sleep is not built into Windows NT; this is the Resource Kit sleep.exe.
REM Wait 30 seconds, check once more, and start over while still out of sync.
sleep 30
\\DSMNsrvr\netlogon\i386\dsmchk -d domain2 -u myname -n NWserver -r 1:30
IF ERRORLEVEL 1 GOTO TEST_USER
GOTO DONE
:SVR_NOT_IN_DSMN
ECHO The NetWare server is unknown or not administered by DSMN.
GOTO DONE
:DOMAIN_NOT_DSMN
ECHO The domain name is unknown.
GOTO DONE
:USER_NOT_DSMN
ECHO The user account name is unknown or not administered by DSMN.
GOTO DONE
:USER_NOT_PROPED
ECHO The user account name is not administered between the primary
ECHO domain controller and the NetWare server.
GOTO DONE
:DONE
PAUSE
Setting User Account Policy
Use Account on the Policies menu in User Manager for Domains to set user account policy (such as password length, age restrictions, and uniqueness) for users managed on a Windows NT Server domain and propagated to NetWare servers.
Note
Password uniqueness must be set to 8 or higher to be effective for users logging on to NetWare servers. Setting the password uniqueness to a lower number affects only user logons to Windows NT Server computers in the domain.
Synchronizing One or More Servers
Directory Service Manager for NetWare automatically keeps servers synchronized with the domain. If a NetWare server is down for a time, it is automatically synchronized when it comes back up. However, if you want to immediately synchronize one or more NetWare servers that have been down, instead of waiting for the regular propagation cycle, you can use one of the following four commands:
Synchronize Selected Server, which sends updated account information to the selected NetWare server. Only the account updates not yet received by that NetWare server are sent.
Synchronize All Servers, which sends updated account information to all NetWare servers in the domain. Each server receives only the account updates it needs.
Fully Synchronize Selected Server, which sends complete account information about all propagated accounts to the selected NetWare server. Use this command only when a server is extremely unsynchronized with the domain's Directory.
Fully Synchronize All Servers, which sends complete account information about all propagated accounts to all NetWare servers in the domain. Use this command only when several NetWare servers are extremely unsynchronized with the domain's Directory.
To synchronize one or more servers
1. From the NetWare Server menu, click Synchronize Selected Server, Synchronize All Servers, Fully Synchronize Selected Server, or Fully Synchronize All Servers.
2. In the confirmation message dialog box, click Yes.
Backing Up the Account Synchronization Database
The Windows NT Server domain Directory is always backed up on the domain's backup domain controllers.
However, by default, the account synchronization database (which contains a list of the user and group accounts being propagated to each NetWare server, and what version of each account each server has) is not backed up to other computers. We recommend that you use the Set Database Backup Options command in Synchronization Manager to specify one or more locations on other computers on which to back up the database daily. Then, if the account synchronization database for a domain is damaged, a backup copy will be available; otherwise you will have to reinstall Directory Service Manager for NetWare.
When you configure daily backups, specify a time when there is little network activity, especially activity related to Directory Service Manager for NetWare. Otherwise, even a user's password change would have to wait until the backup is complete.
It is recommended that at least one of the backup paths be the %systemroot%\SYSTEM32\SYNCAGNT\BACKUP directory on a backup domain controller in the domain. This simplifies the steps you'll need to take if the primary domain controller becomes inoperable and you need to promote a backup domain controller.
For instructions on how to specify database backup, see “Specifying Backup of the Account Synchronization Database,” in the online Synchronization Manager Help.
Whenever the database is backed up, it is also automatically backed up to the SYNCAGNT\BACKUP directory on the primary domain controller.
Cleaning Up Jetn.log Files
Directory Service Manager for NetWare periodically creates Jetn.log files, which are used for recovery in the event the service is stopped in an unusual way. In this case, the log files are automatically used when the service is restarted, to re-create the correct state of the account synchronization database.
The log files are processed and deleted whenever a full backup of the account synchronization database occurs. If many Jetn.log files accumulate in the %systemroot%\SYSTEM32\SYNCAGNT directory, schedule daily backups to clear these logs automatically.
You can delete these log files manually, but be aware of what you give up: until the next full backup of the database, the service can no longer use the deleted logs to recover if it is stopped abnormally. Delete them manually only if the service will not be stopped incorrectly before that backup completes.
Making a Tape Backup
To back up the account synchronization database directly to tape, set the tape backup program to back up all the files in the %systemroot%\SYSTEM32\SYNCAGNT\BACKUP\NEW directory. It is recommended that you perform this tape backup nightly.
Other Ways of Protecting Against Failure
It is recommended that you have at least one backup domain controller in each domain. Without backup domain controllers, you cannot administer user accounts if the primary domain controller crashes. Users will still be able to log on to their NetWare servers, but they will be unable to change their passwords.
Back up the bindery of each NetWare server before you add it to the domain. You can then use the backup bindery to restore the server to the state it was in before you added it to the domain. This is useful both for disaster recovery, and in case you want to restore the original state of the bindery if you decide to stop using the NetWare server with Directory Service Manager for NetWare.
Note
Write down the Supervisor account password and store it with the backup bindery. You will need this password to restore the bindery, which may happen years later.
Disaster Recovery
This section contains instructions for recovering from a server failure of the primary domain controller and for recovering from a loss of the account synchronization database when no backup of the database exists.
To recover from primary domain controller server failure
1. Promote a backup domain controller in the domain to primary domain controller. For instructions, see the online Windows NT Server Help.
2. If you haven't already done so, install Directory Service Manager for NetWare on the newly promoted server.
3. Use the net stop mssync command to stop the Directory Service Manager for NetWare service on the new primary domain controller.
4. On the new primary domain controller, create a BACKUP subdirectory of the systemroot\SYSTEM32\SYNCAGNT directory.
5. Copy the following files from an account synchronization backup location to the BACKUP directory:
Mssync.mdb
System.mdb
Jetn.log
*.pat
6. Use the Services icon in Control Panel to start the Directory Service Manager for NetWare service.
7. In Synchronization Manager, click Synchronize All Servers from the NetWare Server menu. The synchronization may take a significant amount of time, depending on the number of NetWare servers being synchronized, and the number of accounts being propagated.
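Steps 3 through 6 of this procedure can be run as one batch file on the new primary domain controller. The following script is an added example, not part of this guide or of the product. It assumes the database was backed up to a backup domain controller named BDC1 under the path shown (both the server name and the administrative-share path are assumptions you must replace with your configured backup path), and that the service that the guide stops with net stop mssync can be started again with net start mssync. Step 7, Synchronize All Servers, is a Synchronization Manager menu command and is left to the administrator.

```batch
@ECHO OFF
REM restore_syncdb.cmd - added example (not from the guide): restore the DSMN
REM account synchronization database on a newly promoted PDC (steps 3-6).
REM Run from an administrative command prompt on the new PDC.

REM Assumed backup location; replace with one of the paths you configured
REM in Set Database Backup Options.
SET BACKUPSRC=\\BDC1\C$\WINNT\SYSTEM32\SYNCAGNT\BACKUP
SET SYNCAGNT=%SystemRoot%\SYSTEM32\SYNCAGNT

REM Step 3: stop the service so the database files are not in use.
NET STOP mssync
IF ERRORLEVEL 1 ECHO Service was not running or could not be stopped; continuing.

REM Step 4: create the BACKUP subdirectory if it does not already exist.
IF NOT EXIST "%SYNCAGNT%\BACKUP\NUL" MKDIR "%SYNCAGNT%\BACKUP"

REM Step 5: copy the two Jet databases, the Jet log files and the .pat
REM files. Stop at the first failure rather than starting the service on a
REM partial copy.
COPY /Y "%BACKUPSRC%\Mssync.mdb" "%SYNCAGNT%\BACKUP\"
IF ERRORLEVEL 1 GOTO COPYFAIL
COPY /Y "%BACKUPSRC%\System.mdb" "%SYNCAGNT%\BACKUP\"
IF ERRORLEVEL 1 GOTO COPYFAIL
COPY /Y "%BACKUPSRC%\Jet*.log" "%SYNCAGNT%\BACKUP\"
IF ERRORLEVEL 1 GOTO COPYFAIL
COPY /Y "%BACKUPSRC%\*.pat" "%SYNCAGNT%\BACKUP\"
IF ERRORLEVEL 1 GOTO COPYFAIL

REM Step 6: start the service (equivalent to Control Panel, Services, Start).
NET START mssync
IF ERRORLEVEL 1 GOTO STARTFAIL

ECHO Database restored and service started.
ECHO Now run Synchronize All Servers from the NetWare Server menu in
ECHO Synchronization Manager (step 7).
GOTO END

:COPYFAIL
ECHO Copy from %BACKUPSRC% failed; the service has NOT been started.
ECHO Check the backup path and the account you are running as, then rerun.
GOTO END

:STARTFAIL
ECHO The Directory Service Manager for NetWare service did not start.
ECHO Check the Application Log with Event Viewer before retrying.
GOTO END

:END
```

The script deliberately refuses to start the service after a failed copy: a half-restored BACKUP directory is the case the Jet log-signature error (-530, in the Troubleshooting section) describes, and it is easier to fix the copy than to repair the database afterwards.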
If you do not have a backup domain controller, you cannot modify or create user accounts until a primary domain controller is again running in the domain.
If you do not have a backup copy of the account synchronization database, you must reconstruct your NetWare account information once you have a new primary domain controller.
To recover from loss of the account synchronization database with no backup database
1. On each NetWare server that was participating in the domain, use NetWare administrative tools to delete the user account named WINNT_SYNC_AGENT.
2. To return the NetWare server bindery to the state it was in before you added the NetWare server to the domain, restore the bindery from a backup.
3. For each NetWare server, use Synchronization Manager to again add the server to the domain, specifying which accounts to propagate from the NetWare server to the domain and which groups to propagate back from the domain to the server. You will have to set a new password for each propagated user.
Maintaining the Account Synchronization Database
It is recommended that you occasionally run the dsmpack utility. This utility defragments the account synchronization database file and removes information about servers that are no longer being used with Directory Service Manager for NetWare.
To defragment and compact the account synchronization database
1. Open a command prompt.
2. Stop the Directory Service Manager for NetWare service by typing net stop mssync.
3. Start the utility by typing dsmpack.
Once the utility is finished, the old version of the account synchronization database is saved as MSSYNC.BKP in the systemroot\SYSTEM32\SYNCAGNT directory.
In addition to occasionally compacting the database, you must be sure the system partition of the primary domain controller has enough disk space. If Directory Service Manager for NetWare runs out of disk space to write log files, new changes made to user accounts cannot be written to the account synchronization database, and the database may become unusable.
To warn you before this happens, Directory Service Manager for NetWare sends an alert if the available disk space on the system partition drops below 20 MB.
To ensure that you receive administrative alerts, use Server Manager to make sure your name is in the Alerts list. For more information, see the online Server Manager Help.
Note
Although 20 MB is the default for the disk space alert level, you can change this amount by setting the DiskFullThreshold value under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSSYNC\Parameters key of the Registry. DiskFullThreshold is a REG_DWORD value, and is specified in kilobytes; for example, entering 30000 as the value for DiskFullThreshold sets the threshold to 30 MB.
Command Reference
Directory Service Manager for NetWare includes new commands and new command options not found in Windows NT Server.
Chgpass Command
Use the chgpass command to change your password on a domain that runs Directory Service Manager for NetWare and has one or more NetWare servers added to it for management. The password you set using chgpass will be used as your password when you log on from either a NetWare-compatible client computer or a Microsoft client computer. The password you set can be up to 14 characters, the Windows NT Server limit. (The chgpass command does not support extended characters.)
Syntax: chgpass [-s] [server] [/username]
where
-s forces the password change to be a Microsoft-style password change and be performed on a Windows NT Server computer. This option is not usually necessary, as chgpass detects the type of client computer you are using and works accordingly.
server is the name of the server on which you want to set or change your password. The current server is the default.
/username is the name of the user whose password you want to set or change. The current user name is the default.
Msattach Command
Use the msattach command to log in to another server (running either NetWare or Windows NT Server with File and Print Services for NetWare) while remaining logged in to the current server. If your password has expired, you see a message requesting you to use the chgpass command to change your password.
You must be logged in to a server before you can use the msattach command to log in to additional servers. Although the msattach command connects you to a server, it does not create a drive mapping to that server. However, once attached, you can make drive mappings to that server without supplying your password.
Syntax: msattach [server[/name]]
where
server is the name of the server to which you want to attach.
name is the user name you want to use on that server.
For example, a NetWare client user named ChrisDr, to log in to a server named JUPITER, would enter the following command at the system prompt:
msattach jupiter /chrisdr
Mslogin Command
Use the mslogin command to gain access to a server and start your login script on the server. When you type an mslogin command, you log in to the specified file server and automatically log out of any servers to which you were attached. If your password has expired, you see a message requesting you to use the chgpass command to change your password.
Syntax: mslogin [server[/name]] [/clearscreen] [/noattach] [/script path]
where
server is the name of the server to which you want to log in.
name is the user name with which you want to log in.
/clearscreen clears the workstation screen when you enter your password.
/noattach starts the login script you specify in the script option without logging out of your current server or attaching to a new server.
/script overrides the system and personal login scripts with the login script you specify as path. The path must be the complete path specification.
Msmap Command
Use the msmap command to view current drive mappings, create or change network drive mappings, create or change search drive mappings, map a drive to a fake root directory, and map the next available drive.
Drive mappings are temporary and are deleted when you log out or turn off your workstation. Drives mapped to fake root directories are also deleted. You can save drive mappings, including fake root mappings, in your login script if you want them to be used each time you log in. When you map a local drive to a network directory path, you are prompted to assign the drive letter to a network drive. If your password has expired, you see a message requesting you to use the chgpass command to change your password.
Syntax:
To view current drive mappings, type:
msmap [drive:]
To create or change network drive mappings, type:
msmap path
msmap drive: = [drive: | path]
msmap [option] drive:
To create or change search drive mappings, type:
msmap [option] drive: = [drive:path]
To map a drive to a fake root directory, type:
msmap [root] drive:= [drive: | path]
where
drive is the drive letter mapped to the directory you want to work with.
path is the directory path you want to work with.
root maps the drive to a fake root directory.
option is one of the following options:
Option    Description
delete    Deletes a default, network, or search drive mapping.
insert    Changes search drive mappings.
next      Maps the next available drive to a specified path.
remove    Deletes a default, network, or search drive mapping.
/Rand and /FPNW Options for the Net User Command
The /fpnw option for the net user command makes the specified user account a NetWare-enabled account. This enables the user to be propagated from the Windows NT Server domain to NetWare servers that have been added to the domain for management.
For example, if LoriR is a user account on a Windows NT Server domain, and you want to begin propagating this account to NetWare servers, you can type
net user lorir /fpnw
Using the /fpnw option is equivalent to selecting the “Maintain NetWare Compatible Login” box in the User Properties dialog box.
When you make a user account NetWare-enabled by using the /fpnw option, you are prompted to supply a new password for the user. This is because Directory Service Manager for NetWare must know the user's password to propagate it to NetWare servers, but it cannot read the current password, which is stored in an encrypted form.
You can also use the /fpnw to cause a user account to stop being NetWare enabled, by specifying /fpnw:no.
The /rand option generates a new password, composed of random characters, and assigns it as the user's password. The /rand option is especially useful when you:
Use the net user username /fpnw command to make a large number of user accounts NetWare-enabled; specify the /rand option to have passwords generated automatically.
Have the File and Print Services for NetWare product already installed on the server, with accounts that are already NetWare-enabled. When Directory Service Manager for NetWare is installed, it cannot propagate these existing users because it cannot read their current encrypted passwords.
To propagate these users to NetWare servers, create a batch file, with each line net user username /rand. Directory Service Manager for NetWare is notified of the new randomly generated passwords, and begins propagating the user accounts.
The default random password is 8 characters, but you can specify any length that conforms to the domain's minimum password length requirements. For example, /rand:6 generates a password of 6 characters.
You can use both the /fpnw and /rand options when either creating new user accounts or modifying existing user accounts.
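The guide suggests a batch file with one net user line per account. The following script is an added example, not from the guide or the product, that generalizes that to a data-driven file: it reads user names from a text file (one per line, lines starting with # ignored) and applies /fpnw and /rand to each. It assumes, as the sentence above states, that the two options may be combined, and that when /rand supplies the password the command does not stop to prompt for one. The file name users.txt and the log file name are this example's own choices.

```batch
@ECHO OFF
REM enable_nw.cmd - added example (not from the guide): NetWare-enable every
REM account listed in a text file and give each a random password in one
REM pass, using the net user /fpnw and /rand options described above.
REM Usage: enable_nw.cmd users.txt
REM users.txt is assumed to look like this (constructed sample):
REM   # one account name per line
REM   lorir
REM   chrisdr

IF "%1"=="" GOTO USAGE
IF NOT EXIST "%1" GOTO USAGE

SET FAILED=0
REM FOR /F reads the file a line at a time; eol=# skips comment lines and
REM tokens=1 takes only the first word of each line.
FOR /F "eol=# tokens=1" %%U IN (%1) DO CALL :ONEUSER %%U
ECHO Done. Accounts that could not be enabled: %FAILED% (see enable_nw.log)
GOTO END

:ONEUSER
REM /fpnw marks the account NetWare-enabled so DSMN propagates it;
REM /rand supplies the new password DSMN needs (assumed to replace the
REM interactive prompt that /fpnw alone produces). The default random
REM password length is 8; add /rand:n for a longer one within policy.
NET USER %1 /fpnw /rand
IF ERRORLEVEL 1 (
    ECHO Failed: %1 >> enable_nw.log
    SET /A FAILED=FAILED+1
)
GOTO :EOF

:USAGE
ECHO Usage: %0 users.txt   (one user name per line)
GOTO END

:END
```

Only failures are written to the log. Do not redirect the script's console output to a file on a share: the per-account output of net user may include the newly generated password, and a file full of fresh passwords is exactly the secret you were trying to keep out of DSMN's reach in the first place. Run it at an administrative prompt and hand the passwords to users through whatever channel your organization already uses for password resets.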
Troubleshooting
This section discusses how to diagnose and solve error conditions, and lists and explains error messages that you might see in the Windows NT Server Application Log.
Unable to Add NetWare Server to a Domain
If you are unable to add a NetWare server to a domain, and see the message "Server name has already been added to a Windows NT domain" when you try to add it, the NetWare server has already been added to a domain. Check other domains to see if they are currently managing the server.
If you determine that no domain is currently managing the server, then the NetWare server may have been previously added to a domain, and was not properly removed from the domain before Directory Service Manager for NetWare was removed from that domain. If this is the case, and you are sure that no domain is currently managing the server, you can free the server (from that previous domain) by using a NetWare administrative tool to remove the user account named WINNT_SYNC_AGENT from the NetWare server's bindery. You can then add the server to a domain.
Troubleshooting Service Failures
If the Directory Service Manager for NetWare service fails to start when the computer starts, but you can start the service manually, the user account used by the service to log on may have the wrong password set. This account is named Sync Agent Account. Use the following procedure to correct the password problem.
To set the password for the Sync Agent Account
1. In Control Panel, double-click Services.
2. From the Service list, select Directory Service Manager for NetWare, and click Startup.
3. Type the correct password for the account in both Password and Confirm Password. Then click OK.
Re-creating the Sync Agent Account
If the Sync Agent Account is ever accidentally deleted from the primary domain controller, you must re-create the account. Perform the following steps.
To re-create the Sync Agent Account
1. In User Manager for Domains, create a new account with the name Sync Agent Account. Make it a member of the Administrators group.
2. In Control Panel, double-click Services.
3. From the Service list, select Directory Service Manager for NetWare, and click Startup.
4. Click This Account, and type Sync Agent Account in This Account. Or use the ellipsis button to select Sync Agent Account.
5. Type the correct password for the account in both Password and Confirm Password. Then click OK.
Application Log Messages
Directory Service Manager for NetWare writes logged errors and warnings to the Windows NT Server Application Log. The following list shows some messages you might see in the Application Log, and what you should do if you see them.
To view the application log, use Event Viewer.
Two sections of errors are listed. The first section contains errors not associated with an error number. The second section, which contains the errors that include error numbers, is listed in numerical order, with the lowest numbers first.
Unnumbered Errors
Account <account name> cannot be propagated to NetWare servers because the account name is invalid on NetWare servers.
One cause for this may be if the account name contains spaces. NetWare does not support spaces in account names. In particular, this may happen for many built-in Windows NT Server groups (such as PRINT OPERATORS). If you require this group to propagate to NetWare servers, you must change its name to a valid name. Otherwise, no administrator action is necessary.
The Sync Agent account will not propagate the account <account name> to the NetWare servers because it does not know the password of the account.
The account <account name> was NetWare-enabled before Directory Service Manager for NetWare was installed on the server. To cause this account to be propagated, reset the account password.
The Sync Agent Service will stop because it can only run on the PDC of the domain.
This error appears on the old primary domain controller when a new primary domain controller begins running in the domain.
Numbered Errors
Error 51
If you see an Error 51 immediately followed by error 10253 (“The Sync Agent Service failed to modify account <account name> on the NetWare server <server name> due to error 10253”), you can ignore these errors. The account will eventually be synchronized correctly.
The Sync Agent Service failed to sync the server <servername> due to error 31.
The server may be down, or this could be caused by timing issues during communications. The server will be synchronized when the next regular round of synchronizations is sent out. No administrator action is necessary, unless you see a long series of these for one server, in which case you should verify that the server is running.
ERROR 58: The Sync Agent Service could not replicate the database to <server name\path> because of error 86.
The password used to access this server to back up the account synchronization database has probably been changed. To correct the problem, in Synchronization Manager, choose Set Database Backup Options from the NetWare Server menu. Then remove and again add this backup path, specifying the current password for the account used to access the backup path.
The Sync Agent Service could not replicate database to <server name> because of error 59.
Directory Service Manager for NetWare could not access the server. This is probably a momentary problem. No administrator action is necessary, unless you see a long series of these for one server, in which case you should verify that the server is running.
The Sync Agent Service could not replicate the database to <server name\path> because of error 67
The specified path no longer exists on the server. In Synchronization Manager, choose Set Database Backup Options from the NetWare Server menu. Then remove this backup path.
-530 JET_errBadLogSignature.
The log files probably do not match the database. To correct the problem, run dsmpack. If this is successful, delete all the Jet*.log, Jet*.chk, and Res*.log files in the system32\syncagnt directory. Then start the Mssync service again.
Jet Error 1004: JET_wrnColumnNull
May indicate that the account synchronization database has become inconsistent, because of a previous lack of disk space on the server. If these errors occur often, restore the account synchronization database using a version that was backed up before the disk space problem occurred.
A JET DATABASE ERROR -1102 HAS OCCURRED. JET_errWriteLock
A timing issue occurred with propagating an account change to NetWare servers. The account will be propagated in the next cycle, and no administrator action is necessary.
The Sync Agent Service failed to sync the NetWare server <servername> due to error 1219 ERROR_SESSION_CREDENTIAL_CONFLICT The credentials supplied conflict with an existing set of credentials.
This sometimes occurs if you are using a NetWare server that is participating in a domain as a backup location for the Account Synchronization database. While the database is being backed up to the server, attempts to synchronize the server will fail. As soon as the backup is complete, synchronization attempts will again succeed. No administrator action is necessary.
1220 Error:
Indicates that a NetWare server did not have any connections available. Directory Service Manager for NetWare logs this error until connections to the NetWare server are available again. No administrator action is necessary.
A JET database error -1032 has occurred. JET_errFileAccessDenied
Check to see if there is enough disk space available on the computers containing the Synchronization Manager database backup paths.
The Sync Agent Service failed to sync the NetWare server <servername> due to error 1317 ERROR_NO_SUCH_USER The specified user does not exist.
Check whether the WINNT_SYNC_AGENT account has been deleted from the NetWare server. This account must not be deleted from a NetWare server that has been added to a domain for management.
1376: ERROR_NO_SUCH_ALIAS
May indicate that the account synchronization database has become inconsistent, because of a previous lack of disk space on the server. If these errors occur often, restore the account synchronization database using a version that was backed up before the disk space problem occurred.
Jet Error: -1507 JET_errColumnNotFound
Indicates that Directory Service Manager for NetWare is trying to propagate to a server which no longer exists in the domain.
Jet Error -1603: JET_errNoCurrentRecord
A process tried to add a user account to a group after the user account was deleted.
Jet Error -1801: JET_errDiskFull
Check to see if there is enough disk space available on the computers containing the Synchronization Manager database backup paths.
Jet Error -1808: JET_errDiskFull
Free up disk space on the server.
Jet Error -1811: JET_errFileNotFound
Check to see if there is enough disk space available on the computers containing the Synchronization Manager database backup paths.
The Sync Agent Service failed to modify account <account name> on the NetWare server <server name> due to error 10253
Ignore this error; the account will eventually be synchronized correctly.
Appendix
Directory Service Manager for NetWare Registry Parameters
The configuration Registry stores values that define the working environment for the Windows NT Server operating system and any services installed on the Windows NT Server computer. Windows NT Server includes the Registry Editor (Regedt32.exe), which you can use to inspect and modify the configuration Registry directly.
Before you modify the Registry, it is strongly recommended that you read the registry sections of the Windows NT Workstation Resource Guide (found in the Microsoft Windows NT Workstation Resource Kit).
Caution
Using the Registry Editor to edit Registry entries is like editing sectors on a hard disk. If you make mistakes, your computer's configuration could be damaged. Edit Registry entries carefully, and only for settings that you cannot adjust using the user interface.
The following parameters are used by Directory Service Manager for NetWare. Initially, the defaults are used for each of these parameters and none of them appear in the Registry. To change the value of a parameter, add it to the subtree HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSSYNC\Parameters, and specify the new value.
Allow4X = REG_DWORD
To allow servers running NetWare 4.x in bindery emulation mode to be added to Windows NT Server domains, add this parameter to the Registry and specify any nonzero value.
ChangeCredentialInterval = REG_DWORD
Specifies in milliseconds how often the WINNT_SYNC_AGENT account password is changed. Default is 604,800,000 (7 days).
DiskFullThreshold = REG_DWORD
Specifies in kilobytes the minimum amount of free disk space the server can have before alerts are sent and events logged. Default is 20,000 (20 MB).
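None of the three parameters exist until you add them, and all are REG_DWORD values, which a .reg file must carry as exactly eight hexadecimal digits. The following batch file is an added example, not from this guide or the product; it writes a REGEDIT4 file for all three parameters and imports it silently. It assumes that regedit.exe (not Regedt32.exe, which cannot import .reg files) is available on the primary domain controller, and that restarting the service is the safe way to make sure new Parameters values are read; the guide does not say when the service reads them. The values chosen (a 30 MB threshold, a one-day credential rotation, and 4.x bindery-emulation servers allowed) are example settings, not recommendations from the guide, and the Allow4X line should be omitted if you have no NetWare 4.x servers.

```batch
@ECHO OFF
REM dsmn_params.cmd - added example (not from the guide): set the DSMN
REM registry parameters listed above by writing a REGEDIT4 file and importing
REM it with regedit.exe /S (silent). Run on the primary domain controller.
REM
REM REG_DWORD values in a .reg file are eight hex digits:
REM   DiskFullThreshold         30000 KB    = dword:00007530 (30 MB; default 20 MB)
REM   ChangeCredentialInterval  86400000 ms = dword:05265C00 (1 day; default 7 days)
REM   Allow4X                   1           = dword:00000001 (any nonzero value)
REM These are example values; the corresponding defaults are in the text above.

SET REGFILE=%TEMP%\dsmn_params.reg

REM The REGEDIT4 header must be followed by a blank line (ECHO. prints one).
>  "%REGFILE%" ECHO REGEDIT4
>> "%REGFILE%" ECHO.
>> "%REGFILE%" ECHO [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSSYNC\Parameters]
>> "%REGFILE%" ECHO "DiskFullThreshold"=dword:00007530
>> "%REGFILE%" ECHO "ChangeCredentialInterval"=dword:05265C00
>> "%REGFILE%" ECHO "Allow4X"=dword:00000001
>> "%REGFILE%" ECHO.

REM Import without the confirmation dialog, then remove the temporary file.
REGEDIT /S "%REGFILE%"
DEL "%REGFILE%"

REM Restart the service so it picks up the new values (assumed to be read at
REM service start; the restart is harmless if they are read dynamically).
NET STOP mssync
NET START mssync
IF ERRORLEVEL 1 ECHO Service did not restart; check the Application Log.
```

Keep the DiskFullThreshold comfortably above the size of a full round of Jet log files: the alert exists so that you act before the database stops accepting writes, and a threshold that fires only when the disk is already full defeats its purpose.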
For More Information
For the latest information on Windows NT Server, check out our Web site at http://www.microsoft.com/ntserver and the Windows 2000/NT Forum at http://computingcentral.msn.com/topics/windowsnt.