Novell eDirectory 8.6.x for Windows NT/2000
December 3, 2001

 

TABLE OF CONTENTS

1.0    Installation Issues
         1.1     Distributing Proper Versions of DSREPAIR to All Servers in the Tree
         1.2     Upgrading an Existing eDirectory Database
         1.3     Installing DHost Without a Network Connection
         1.4     Uninstall Issues
         1.5     NICI Issues
         1.6     Reinstalling NMAS
         1.7     Installing a NetWare 6 Server into an eDirectory 8.6.x Server Tree
         1.8     Upgrading from eDirectory 8.0
         1.9     Installing Certificate Server
2.0    Known Issues
         2.1     Persistent Search Operations
         2.2     ConsoleOne Issues
         2.3     iMonitor Issues
         2.4     Dynamic Group Issues
         2.5     Novell Certificate Server Issues
         2.6     Updating NMAS Clients
3.0    Documentation Issues
         3.1     Viewing Documentation on the Product CD
         3.2     Additional Readme Files
         3.3     Additional Readme Information
4.0    Legal Notices
         4.1     Disclaimer, Patents, and Copyright
         4.2     Novell Trademarks
         4.3     Third-Party Trademarks

 

1.0    Installation Issues

1.1     Distributing Proper Versions of DSREPAIR to All Servers in the Tree

For information on preparing an existing tree for an eDirectory 8.6.x installation, see Updating the eDirectory Schema for NT/2000 in the Novell eDirectory Administration Guide.

1.2     Upgrading an Existing eDirectory Database

Running this version of Novell eDirectory on an existing NDS or NDS eDirectory database will upgrade the database format. After the upgrade, previous versions of NDS or NDS eDirectory can no longer read the database.

The larger the database, the longer this process may take. For millions of objects, this process could take a number of hours. Using any NDS Trace facility that ships with eDirectory (NDS iMonitor, DSTrace executables, or "set DSTRACE" on NetWare), you can get a feel for the progress of this step. Turn on the "Storage Manager" option (+RECMAN for "set DSTrace") and the "Change Cache" option (+CHANGE for "set DSTrace"). The NDS storage manager will upgrade the database format, then the DIB will be allowed to open. Thereafter, the synchronization process will rebuild the change cache for each replica it holds, and eDirectory will resume normal operation.

1.3    Installing DHost Without a Network Connection

When installing DHost, you will get a -625 error if your IPX interface has not been defined. DHost has a bind for IPX, but no interface defined for IPX, so it looks at any of the other interfaces (for example, TCP or UDP) while it searches for a fixed address.

This occurs when IPX is installed on your server and the NWLink IPX/SPX/NetBIOS Compatible Transport Protocol is selected in the Property dialog box of Control Panel > Network and Dial-up Connections > Local Area Connection (otherwise, only TCP and UDP are activated), and you are installing DHost when your network is not plugged in.

When the installation is run with the network connected, the system searches the wire for the IPX Frame Type and Network Number. However, if the server is not connected to the network, it cannot find this information and reports an error. To solve this, manually set the Frame type and the Network number in the Property dialog box of Local Area Connection Properties > NWLink IPX/SPX/NetBIOS Compatible Transport Protocol so that the system can get the information it needs without a network connection.

1.4    Uninstall Issues

1.4.1  Uninstalling eDirectory 8.6.x

When uninstalling eDirectory 8.6.x, you might receive the following error if the installation of eDirectory 8.6.x was an upgrade from NDS eDirectory or NDS eDirectory 8.5:

Incompatible JClient/DClient Package
JClient Revision 1.0.19
DClient Revision 1.1.1018

This error occurs only when the previous eDirectory installation was performed on a date later than the dates of the eDirectory 8.6.x files located in the \NT\I386\NDSONNT\NI\LIB directory on the Novell eDirectory 8.6.x CD. If the previous installation was performed prior to those dates, this error will not occur.

To solve this issue, copy the .JAR files from the \NT\I386\NDSONNT\NI\LIB directory on the Novell eDirectory 8.6.x CD to the \PROGRAM FILES\COMMON FILES\NOVELL\NI\LIB directory on the Windows server before performing the eDirectory 8.6.x uninstall.

1.4.2  NMAS 2.0 Enterprise Edition Umbrella Install Affects the Uninstall of Certain Novell Products

There is a problem with the NMAS 2.0 Enterprise Edition installation program for servers. If it is installed after certain other Novell products (such as eDirectory and ConsoleOne), you will find that you cannot uninstall those other products. This problem has been fixed in all later releases of the NMAS installation program. If you experience this problem, you can work around it by simply re-installing that Novell product from the eDirectory 8.6.x CD. You can then, if desired, uninstall it. If it is eDirectory that you cannot uninstall, the re-install (upgrade) work-around from the Novell eDirectory 8.6.x CD will maintain all previously stored data in eDirectory.

For those who have purchased NMAS 2.0 Enterprise Edition, we recommend that you run the NMAS server install directly by executing the program INSTALL.EXE located in the NMASSERVER directory on the NMAS 2.0 Enterprise Edition CD.

If you have already installed NMAS 2.0 Enterprise Edition, you will need to upgrade the NMAS version after installing eDirectory 8.6.x. Perform this upgrade by executing the program INSTALL.EXE from the NMAS directory on the eDirectory 8.6.x CD.

1.5     NICI Issues

1.5.1  Uninstalling NICI 2.0.2

You should uninstall NICI 2.0.2 before attempting to install a version of eDirectory earlier than eDirectory 8.5.1. Otherwise, the installation on these older versions of eDirectory will fail when attempting to install their version of NICI.

1.5.2  NICI Doesn't Fully Uninstall

When you uninstall NICI, it may fail to uninstall completely. To fix this problem, restart the server and the uninstall will complete correctly.

If NICI fails to fully uninstall, delete the /WINNT/SYSTEM32/CCSW32.DLL file. If you don't remove this file, you might experience problems when attempting to reinstall eDirectory.

1.5.3  Error -670 During PKI Install

When installing a new server into an eDirectory tree, you may receive a -670 error when PKI components are being installed. This error is a symptom of a problem that has occurred on a different server already installed into the tree, not the server being installed when the error occurs. To work around the problem, you must reboot the server experiencing the problem. To identify that server, do the following:

  1. Using ConsoleOne, open the Security container > KAP object > W0 object.
  2. Examine the W0 object properties to find the attribute labeled NDSPKI:SD Key Server DN.
  3. The server identified by this attribute is experiencing a problem. This SD Key server needs to be rebooted.

The problem may recur if Directory Services on the SD Key server is restarted without a reboot. In this case, attempts to install other servers in the tree will report the -670 error and the SD Key server will need to be rebooted again. This particular -670 error does not occur during normal operations once a server is installed. It only happens during installation.

A future NICI upgrade will fix this problem.

1.6     Reinstalling NMAS

If you have previously installed NMAS Enterprise Edition on NDS eDirectory 8.5 for the Windows NT/2000 platform, you will need to install the NMAS product provided with Novell eDirectory 8.6.x after you have installed eDirectory 8.6.x. If you don't do this, NMAS will not work. This is because NICI has changed between the release of eDirectory 8.5 and eDirectory 8.6.x.

1.7     Installing a NetWare 6 Server into an eDirectory 8.6.x Server Tree

When installing a NetWare 6 server into an eDirectory 8.6.x server tree, you might receive error -1416, NICI Data Invalid. This is because the master server (the TreeCA server, or the Tree Key server as listed in the .Security.KAP.W0 container), does not yet have the Tree Key to service the other servers installed into the tree.

To resolve this error, restart the DHost running on the master server after it is installed and before you install any other server into the tree. You do not have to reboot the server. You only need to stop and then restart DHost.

1.8     Upgrading from eDirectory 8.0

When upgrading from eDirectory 8.0, you will need to upgrade the Certificate Authority (CA) server first, before any other servers are upgraded in this tree. To determine which server is acting as the CA, follow these steps:

  1. In ConsoleOne, right-click the Organizational CA object > click Properties. The organizational CA object is located in the Security container at the root of the tree.
  2. Select the General tab. The distinguished name of the server hosting the CA is listed in the Host Server field.

1.9     Installing Certificate Server

There are some circumstances during the installation of Certificate Server when the creation of a server certificate will continually return error -1211. There are two possible solutions to this error. One option is to run ConsoleOne and delete the server certificate object (that is, the Key Material object), then click Retry. You may need to repeat this operation several times before it works. The second option is to click Cancel to continue with the installation. Once the installation has finished, you can manually create the server certificates and configure the LDAP server to use the appropriate server certificate.

2.0    Known Issues

2.1    Persistent Search Operations

A persistent search operation might not retrieve the updated information if entries in the eDirectory database change frequently.

2.2     ConsoleOne Issues

2.2.1  Displaying ConsoleOne in Multiple Monitor Mode

If you are having display problems when running ConsoleOne in multiple monitor mode on Windows, use the following command line option:

-JDsun.java2d.noddraw=true

2.2.2  ConsoleOne Support for the Hong Kong Supplementary Character Set

This release of ConsoleOne does not support the Hong Kong Supplementary Character Set (HKSCS). We are currently working on a patch to allow HKSCS support in future releases of ConsoleOne.

2.2.3  PKIwrap Error

If you update a server with NDS eDirectory 8.5 and ConsoleOne 1.2d to Novell eDirectory 8.6.x without updating ConsoleOne 1.2d to 1.3.3, you will get a PKIwrap error in ConsoleOne 1.2d every time you click an object in the tree. This happens because Novell eDirectory 8.6.x installs NICI 2.3.0 on the server, and ConsoleOne 1.2d with the PKI snap-in is looking for the version of NICI installed with eDirectory 8.5, which is no longer present.

2.3     iMonitor Issues

2.3.1 Browser Compatibility

The iMonitor included with this release of eDirectory requires Internet Explorer 5.5 or later.

2.3.2  Browsing for Objects in iMonitor Containing Extended Characters

When using iMonitor to browse an eDirectory tree for objects, an object with extended characters in the name might not hyperlink to the object properties correctly. This problem does not happen with any objects that contain double-byte characters.

This issue will be resolved in a future release of iMonitor.

2.3.3  Running Custom Reports

When running custom reports, enter the URL as follows:

/nds/<required page>

2.4     Dynamic Group Issues

2.4.1  Managing Dynamic Group Objects

In this release of eDirectory, you should use LDAP to manage Dynamic Group objects. There are no ConsoleOne snap-ins available with eDirectory 8.6.x to manage dynamic groups. Also, third-party products such as Netscape's admin console cannot be used to manage Novell eDirectory dynamic groups because the schema and the functionality provided differ from Netscape's implementation.

2.4.2  Configuring the memberQueryURL Attribute

The memberQueryURL attribute is defined as a multi-valued attribute to enable future enhancements, but in eDirectory 8.6.x, only the first value of the multi-valued attribute is used for the dynamic member expansion. To avoid confusion, set only one value for the memberQueryURL attribute, and use the "replace:" option instead of "add:" to specify a query URL value for the memberQueryURL attribute.

2.4.3  Configuring the dgIdentity Attribute

A dgIdentity attribute on the Dynamic Group object can be set to the distinguished name of an entry whose credentials and rights should be used to expand the dynamic members of the group. The dgIdentity entry should always be chosen so that it is on the same partition as the Dynamic Group object. If it is not on the same partition, the dynamic members will not be visible. If no dgIdentity attribute is specified, the expansion of dynamic members will bind as public (anonymous). In that case, [Public] should at least have Read/Compare rights on all the attributes that occur in the search filter in the memberQueryURL, and also have Browse rights under the baseDN specified in the memberQueryURL.
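
The checks described in sections 2.4.2 and 2.4.3 can be run over an LDIF export of Dynamic Group objects. The following is an added example, not part of the original readme or any Novell tool. It assumes memberQueryURL holds a standard LDAP URL and that the administrator supplies the list of partition root DNs; all DNs and filters in the sample are constructed.

```python
import re
from urllib.parse import unquote
# Constructed sample export: every DN, filter and partition root is illustrative.
SAMPLE_LDIF = """\
dn: cn=managers,ou=groups,o=example
memberQueryURL: ldap:///ou=staff,o=example??sub?(title=Manager)
memberQueryURL: ldap:///ou=temp,o=example??sub?(title=Lead)
dgIdentity: cn=dgreader,ou=groups,o=example

dn: cn=everyone,ou=groups,o=example
memberQueryURL: ldap:///o=example??sub?(objectClass=inetOrgPerson)

dn: cn=sales,ou=west,o=example
memberQueryURL: ldap:///ou=west,o=example??sub?(ou=Sales)
dgIdentity: cn=dgreader,ou=groups,o=example
"""
PARTITION_ROOTS = ["o=example", "ou=west,o=example"]  # assumed: supplied by the admin
FILTER_ATTR = re.compile(r"\(\s*([A-Za-z][\w;-]*)\s*[~<>]?=")

def parse_ldif(text):  # minimal reader: "attr: value" lines, blank line between entries
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def parse_query_url(url):  # ldap://host/baseDN?attrs?scope?filter -> (baseDN, scope, filter)
    tail = url.split("://", 1)[1].partition("/")[2]
    parts = (tail.split("?", 3) + ["", "", ""])[:4]
    base, _attrs, scope, flt = (unquote(p) for p in parts)
    return base, scope or "base", flt

def partition_of(dn, roots):  # deepest listed partition root containing dn, or None
    hits = [r for r in roots if ("," + dn).lower().endswith("," + r.lower())]
    return max(hits, key=len, default=None)

def audit(entries, roots):
    findings = []
    for e in entries:
        dn, urls = e["dn"][0], e.get("memberqueryurl", [])
        if not urls:
            continue
        if len(urls) > 1:  # 2.4.2: only the first value is expanded
            findings.append((dn, "MULTI_URL", f"{len(urls) - 1} value(s) ignored"))
        base, _scope, flt = parse_query_url(urls[0])
        identity = e.get("dgidentity", [None])[0]
        if identity is None:  # 2.4.3: expansion binds as [Public]
            attrs = ", ".join(sorted(set(FILTER_ATTR.findall(flt))))
            findings.append((dn, "ANON_EXPANSION", f"[Public] needs rights on {attrs} under {base}"))
        elif partition_of(identity, roots) != partition_of(dn, roots):
            findings.append((dn, "CROSS_PARTITION", identity))  # 2.4.3: members not visible
    return findings

if __name__ == "__main__":
    for finding in audit(parse_ldif(SAMPLE_LDIF), PARTITION_ROOTS):
        print(*finding, sep=" | ")
```

An ANON_EXPANSION finding lists exactly the filter attributes and base DN on which [Public] would have to hold rights, which makes it easy to decide whether setting a dgIdentity is the narrower grant.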

2.4.4  Changing treeName or Search baseDN

If a dynamic group object is created in a tree and the treeName or the search baseDN subsequently changes, the dynamic members will not be visible. This can be corrected by reading the memberQueryURL attribute and correcting the treeName or the baseDN. The same thing applies for attribute names or class names that are in the search filter and subsequently removed.

2.4.5  Creating Dynamic Group Objects on a pre-eDirectory 8.6.x server

If Dynamic Group objects are created on a pre-eDirectory 8.6.x server, either by extending the schema to the eDirectory 8.6.x schema or by adding the server to a tree that contains eDirectory 8.6.x servers, the Dynamic Group object will be created but its dynamic members will not be visible on the pre-eDirectory 8.6.x server. If the server is subsequently upgraded to eDirectory 8.6.x, the dynamic members will still not be visible until the Dynamic Group objects are upgraded. This option to upgrade will be available in an upcoming release of DSRepair.

2.5     Novell Certificate Server Issues

2.5.1  Novell Certificate Server Dependencies

The Certificate Server 2.21 ConsoleOne snap-in has the following dependencies:

  • NICI 2.0.2 or later for Windows
  • Novell LDAP SDK
  • Novell Client 4.8 or later for Windows NT/2000, or Novell Client 3.3 or later for Windows 95/98/ME

If any of the above dependencies are not met, Certificate Server functionality will not be available and you will get one or both of the following error messages:

"NICI 2.0.2 or later is not installed on this client. The Certificate Server snap-in will not function until NICI is installed."

"The dynamic link library CCSW32.DLL could not be found in the specified path."

These error messages will occur only once on the first object access.

You will typically not have LDAP SDK in your ConsoleOne distribution if you obtained ConsoleOne directly from the Novell Web site. You should use the version of ConsoleOne provided with eDirectory.

NICI 2.0.2 for Windows is provided with eDirectory and is available from the Novell Free Download Site.

2.5.2  Browser Support

You must use Internet Explorer 5 or later or Netscape Navigator 4 or later to use the certificates generated by Novell Certificate Server for SSL or LDAP connections. Older browsers are not supported.

2.5.3  Verisign Certificates and Creating a Server Certificate (KMO)

With Certificate Server 2.2.1, if you use Verisign as the external Certificate Authority (CA) during the creation of a Server Certificate (KMO), you no longer need to obtain Verisign's trusted root to paste into the Trusted Root field. You can now select the option No Trusted Root Available, click Next, and then paste in the certificate you received from Verisign.

When the certificate is installed, the server determines if the certificate you pasted chains to a Verisign embedded root. If it does, the certificate and the trusted root are added to the Server Certificate object in eDirectory.

2.5.4  Compatibility between Certificate Server 2.03 and 2.21

If you use the Certificate Server 2.21 snap-in to generate the Certificate Authority object or a Server Certificate (KMO) object on a server where Certificate Server 2.03 is running, you must use the custom path in the creation wizard to create the object successfully. On the Key size screen, deselect the Allow Private Key to Be Exported check box.

2.6     Updating NMAS Clients

If you install the NMAS server module that ships with this product, you must make sure you update the NMAS client on each workstation to 2.02 or higher. If you fail to do this, you will receive -1635 errors when you attempt to log in.

The NMAS client 2.02 or higher is available at the Novell Free Download site.

3.0 Documentation Issues

3.1     Viewing Documentation on the Product CD

This product CD contains documentation for the following products:

\DOCUMENTATION\ENGLISH\EDIR86\EDIR86.PDF
\DOCUMENTATION\ENGLISH\EDIR86\QSEDIR86.PDF

\DOCUMENTATION\ENGLISH\NOCLIENU\NOCLIENU.PDF

\DOCUMENTATION\ENGLISH\CERTSERV\CERTSERV_ADMIN.PDF

\DOCUMENTATION\ENGLISH\CONSOL13\C1_ENU.PDF

\DOCUMENTATION\ENGLISH\NMAS\DOC\NMAS_ADMIN.PDF
\DOCUMENTATION\ENGLISH\NMAS\DOC\NMAS_INSTALL.PDF
\DOCUMENTATION\ENGLISH\NMAS\DOC\RADIUS.PDF

For the most current versions of these manuals, see the Novell Documentation Web site.

3.2     Additional Readme Files

For additional information on the contents of this release, see the following sources on the Novell eDirectory CD:

\NW\INSTALL\NLS\4\NWREADME.TXT

\SOLARIS\README.TXT

\LINUX\README.TXT

\NT\I386\SERVERNICI\NI\HELP\EN\README.HTML

\NT\I386\README.TXT

International users of eDirectory 8.6.x should refer to the Novell Documentation Web site for translated versions of this readme file.

3.3     Additional Readme Information

For information on additional eDirectory issues for this release, refer to Solution #10066455 in the Novell Knowledge Base.

4.0     Legal Notices

4.1     Disclaimer, Patents, and Copyright

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

U.S. Patent Nos. 5,608,903; 5,671,414; 5,677,851; 5,758,344; 5,784,560; 5,794,232; 5,818,936; 5,832,275; 5,832,483; 5,832,487; 5,870,739; 5,873,079; 5,878,415; 5,884,304; 5,913,025; 5,919,257; 5,933,826. U.S. and Foreign Patents Pending.

Copyright (C) 2001 Novell, Inc. All rights reserved.

4.2     Novell Trademarks

Novell, NetWare, NDS, and GroupWise are registered trademarks of Novell, Inc. in the United States and other countries.

ConsoleOne, eDirectory, Novell Client, Novell Certificate Server, Novell Modular Authentication Services, and NMAS are trademarks of Novell, Inc.

4.3     Third-Party Trademarks

All third-party trademarks are the property of their respective owners.