2.4 Step 4: Verify That Your SDI Domain Key Servers Are Ready for Universal Password

You must verify that the SDI Domain Key servers meet minimum configuration requirements and have consistent keys for distribution and use by other servers within the tree. These steps are crucial. If you don't follow them as outlined, you could cause serious password issues on your system when you turn on Universal Password.

We recommend that NetWare 6.5 or later or eDirectory 8.7.3 or later be installed on your SDI Domain Key servers.

  1. At a NetWare server console, load sdidiag.nlm.

    or

    At a Windows server command prompt, run sdidiag.exe.

    Sdidiag.nlm ships with NetWare 6.5 or later. Sdidiag.exe ships with the Windows version of eDirectory 8.7.3 or later. Both files are available as part of a security patch (sdidiag21.exe) associated with Novell TID 2966746.

  2. Log in as an Administrator by entering the server (full context), the tree name, the username, and the password.

  3. Check to make sure all your servers are using 168-bit keys.

    Follow the instructions in Novell TID 3364214 to ensure that this requirement is met.

  4. Enter the command CHECK -v >> sys:system\sdinotes.txt.

    The output to the screen displays the results of the CHECK command.

  5. If no problems are found, go to Section 2.5, Step 5: Upgrade at Least One Server in the Replica Ring to NetWare 6.5 or Later or eDirectory 8.7.3 or Later.

    or

    If problems are found, follow the instructions written to the sys:system\sdinotes.txt file to resolve any configuration and key issues, then continue with Step 6.

  6. Verify that the SDI Domain Key Servers are running NICI 2.6.x or later.

    At the server console, enter the NetWare command M NICISDI.NLM.

    The version must be 264xx.xx or later.

    If the version is earlier, you must do one of the following:

  7. (Optional) After completing one of the options above, you might want to rerun the SDIDIAG CHECK command. See Step 4.

For more information on SDIDIAG, see Novell TID 3455150.
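The NICISDI.NLM version gate in step 6 is the one check above with a numeric threshold, so here is a small checker for it. This is an added example, not Novell's code: it assumes the module listing contains a version in the 264xx.xx style the procedure quotes, and the sample lines are constructed, not real console output.

```python
import re
from typing import Optional, Tuple

# Minimum NICISDI.NLM module version that the procedure equates with
# NICI 2.6.x: "264xx.xx or later", i.e. anything >= 26400.00.
MIN_NICISDI_VERSION: Tuple[int, int] = (26400, 0)


def parse_nicisdi_version(text: str) -> Optional[Tuple[int, int]]:
    """Return the first ddddd.dd version found in module output, or None.

    The surrounding line format is an assumption; only the ddddd.dd
    version token quoted in the procedure is relied upon.
    """
    match = re.search(r"\b(\d{5})\.(\d{2})\b", text)
    if match is None:
        return None
    return (int(match.group(1)), int(match.group(2)))


def nicisdi_version_ok(text: str) -> bool:
    """True when the reported version meets the 264xx.xx-or-later requirement.

    An unparseable listing counts as a failure so that a missing or
    unexpected version string is never silently accepted.
    """
    version = parse_nicisdi_version(text)
    return version is not None and version >= MIN_NICISDI_VERSION


# Constructed sample lines (not captured from a real server).
SAMPLE_CURRENT = "NICISDI.NLM  Version 26410.02  Novell SDI Key Server"
SAMPLE_OUTDATED = "NICISDI.NLM  Version 26200.01  Novell SDI Key Server"

if __name__ == "__main__":
    for line in (SAMPLE_CURRENT, SAMPLE_OUTDATED):
        status = "OK" if nicisdi_version_ok(line) else "UPGRADE REQUIRED"
        print(f"{parse_nicisdi_version(line)} -> {status}")
```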

Adding or Removing an SDI Domain Key Server

To remove a server as an SDI Domain Key Server

  1. At a NetWare server console, load sdidiag.nlm.

    At a Windows server, open a command prompt box and run sdidiag.exe.

    Sdidiag.nlm ships with NetWare 6.5 or later. Sdidiag.exe ships with the Windows version of eDirectory 8.7.3 or later. Both files are available as part of a security patch (sdidiag21.exe) associated with Novell TID 2966746.

  2. Log in as an administrator with management rights over the Security container and the W0.KAP.Security objects by entering the server (full context), the tree name, the username, and the password.

  3. Enter the command

    For example, if server1 exists in container PRV in the organization Novell within the Novell_Inc tree, you would type .server1.PRV.Novell.Novell_Inc. for the servername.

To add a server as an SDI Domain Key Server

  4. From a NetWare server console, load sdidiag.nlm.

    or

    From a Windows server, open a command prompt box and run sdidiag.exe.

  5. Log in as an Administrator by entering the server (full context), the tree name, the username, and the password.

  6. Enter the command AS -s servername.

    For example, if server1 exists in container PRV in the organization Novell within the Novell_Inc tree, you would type .server1.PRV.Novell.Novell_Inc. for the servername.