Novell eDirectory 8.8 SP7 for Windows

April 27, 2012

1.0 Installation

1.1 Prerequisites

NOTE:Check the currently installed Novell and third-party applications to determine if eDirectory 8.8 SP7 is supported before upgrading your existing eDirectory environment. It is also highly recommended that you back up eDirectory prior to any upgrades.

You can use any one of the platforms listed below.

32-bit eDirectory supported platforms:

  • Windows Server 2003 Enterprise Edition with latest Service Pack

  • 32-bit Windows Server 2008 (Standard/Enterprise/Data Center Edition) and its service packs

64-bit eDirectory supported platforms:

  • 64-bit Windows Server 2008 (Standard/Enterprise/Data Center Edition) and its service packs

  • Windows Server 2008 R2 (Standard/Enterprise/Data Center Edition) and its service packs


  • You must use an account that has administrative rights to install eDirectory 8.8 SP7 on Windows Server 2008 R2.

  • You should apply the latest available patch for eDirectory.

  • Windows XP is not a supported eDirectory 8.8 platform.

eDirectory also requires the following:

  • An assigned IP address

  • Administrative rights to the Windows server and to all portions of the eDirectory tree that contain domain-enabled User objects. For an installation into an existing tree, you need administrative rights to the Tree object so that you can extend the schema and create objects.

For a detailed list of prerequisites for installing eDirectory on a Windows server, see the Novell eDirectory 8.8 SP7 Installation Guide.

Using eDirectory 8.8 SP7 with a Firewall Enabled

When you try to add an eDirectory 8.8 SP7 server from a Windows host to an existing tree running on a different host, it might fail if the firewall is enabled.

To work around this issue, enable SLP services and an NCP port (default 524) in the firewall to allow the secondary server addition.

1.2 Video Cards and Driver Settings

The eDirectory and Novell iManager installs use Java 1.4 or later versions. This means that a minimum color depth of 8 bits (256 colors) is required by your video card and driver setting to run the installations properly.

With some video cards, and with some driver versions, you might notice some visual abnormalities in the installation screens. Examples include a pastel color scheme and a strange mottling effect that might look like the resolution is much lower than the actual setting. Some installation screens do not display at all. This makes it appear that the installation is hung up, or that it has aborted. If you see that the installation screens do not appear correctly, download a newer version of the driver for your video card. Otherwise, the installation might not complete successfully.

With some video cards, when 256 colors are set, the installation screen might seem to disappear after the SNMP portion of the installation, even though install.exe and launch.exe are still running (as shown in the Windows Task Manager). If this happens, use Task Manager to terminate the launch.exe process, set your display to more than 256 colors, then rerun the installation. This performs an upgrade installation over the top of the existing installation, and the upgrade should complete successfully.

1.3 SNMP Installation Notes

Prior to the installation of eDirectory 8.8 SP7 on any Windows server, make sure that the native Master Agent is installed.

If you have the Windows SNMP service installed and running on your system, the eDirectory installation temporarily shuts it down while it installs the Novell SNMP subagent. After the Novell SNMP subagent is installed, the Windows SNMP service is restarted.

1.4 Network Settings for IPX Configuration

If your IPX configuration (in Network Settings in the Windows Control Panel) is configured with an Internal Network Number of 0, the eDirectory 8.8 SP7 installation might fail if the machine has multiple NICs. The Internal Network Number must be set to something other than 0 in order for the eDirectory installation to complete properly, and for eDirectory to run properly after installation.

If you choose to uninstall IPX, IPX should be completely uninstalled as a protocol, not merely disabled on some or all adapters.

If you use IPX, it must be configured correctly. That is, multiple adapters (LAN or WAN) must have a valid internal IPX net number set.

You cannot install, remove, enable, or disable a protocol on any adapter while eDirectory is running.

1.5 Manually Extending the Schema Before Installation

In some cases, schema extensions do not synchronize fast enough to the lower levels of a tree where the first new eDirectory 8.8 SP7 server is being installed, so some features are not completely installed.

This problem can be avoided by manually extending the schema in your tree before you install eDirectory 8.8 SP7, using the eDirectory 8.8 SP7 schema files located in the <Unzip Location>\Novell\NDS folder (for 32-bit) and <Unzip Location>\Novell\NDS\x64 folder (for 64-bit).

For more information on extending the schema, refer to the “Extending the Schema on Windows” section in the Novell eDirectory 8.8 SP7 Administration Guide.

1.6 Removing the Novell Client after eDirectory Installation

When eDirectory 8.8 SP7 is installed on a Windows 2000 machine already containing the Novell Client, eDirectory installs an SLP service, but sets the service to manual mode so that it does not run when the server is booted. eDirectory then uses the SLP service from the Novell Client. If the Novell Client is removed, leaving no SLP service for eDirectory to use, you must manually start the SLP service, or change it to start automatically when the server boots.

1.7 Upgrading to eDirectory 8.8 SP7

If you have eDirectory 8.5.x or 8.6.x, you must first upgrade to eDirectory 8.7.x, then upgrade to eDirectory 8.8 SP7.

Upgrading to eDirectory 8.8 SP7 in a System Running Identity Manager

During the upgrade from eDirectory 8.7.x to eDirectory 8.8 SP7, the location of the Identity Manager files is changed, requiring a reinstall of the Identity Manager engine and drivers. Any third-party jar files are not automatically copied to the new location and must be manually placed prior to starting the affected drivers. All drivers should be set to manual prior to upgrading to eDirectory 8.8 SP7.

Disk Space Check While Upgrading to eDirectory SP7

When an eDirectory server is upgraded from previous versions to eDirectory 8.8 SP7, the disk space check for the Directory Information Base (DIB) upgrade is performed. The free disk space necessary in the file system where the DIB resides is equal to that of the DIB size. The messages of the disk space check are updated in the ndscheck.log located in the instance’s specific log folder. The default location is C:\Novell\NDS\ndscheck.log.

NOTE:The disk space check is required only during the DIB upgrade process. For more information, refer to the “Upgrade Requirements of eDirectory 8.8” section in the Novell eDirectory 8.8 SP7 Installation Guide.

DIB Upgrade Issues While Upgrading to eDirectory 8.8 SP7

When eDirectory is upgraded to eDirectory 8.8 SP7, the server is stopped and a DIB upgrade operation is performed before the server is started and the normal upgrade is performed. The time taken for this upgrade depends on the number of objects in the tree.

For more details on the DIB upgrade, refer to “Upgrade Requirements of eDirectory 8.8” in the Novell eDirectory 8.8 SP7 Installation Guide.

eDirectory Upgrade Fails with an Error

The following error is displayed:

Admin user does not have enough rights to modify the tree schema.

To resolve this issue, complete the following steps:

  1. From the Administrator Login page of eDirectory installation, browse to and select the admin user.

  2. Specify the password, then click Next to continue.

Instrumentation Upgrade Issues While Upgrading eDirectory

If you upgrade an eDirectory server on which the eDirectory instrumentation is installed, the eDirectory instrumentation files are not upgraded automatically. Therefore, you must manually upgrade the eDirectory instrumentation files.

NOTE:eDirectory instrumentation is automatically installed with Identity Manager 4.0.

For more information on upgrading the instrumentation, refer to the Novell eDirectory 8.8 SP7 Installation Guide.

1.8 Specifying eDirectory Information During the Installation

When specifying the eDirectory information during the installation, if an invalid Server object container type is specified, the installation does not detect the error until later, and the eDirectory installation fails with a -611 or -634 error.

The valid Server object container types are:

  • Organization (O)

  • Organizational Unit (OU)

  • Domain (DC)

1.9 Core DS Component Installation

On rare occasions, the eDirectory installation fails during its core DS component installation. If so, an error like the following is displayed:

The DS component of eDirectory failed to install correctly. The error received was: ’<error text>’. Please view DSInstall.log for more detailed information. The eDirectory installation will now be terminated.

If you receive this error, you should try to reinstall the product, or remove it and then reinstall it. If the reinstallation fails because of a partial installation already on your system, or for any other reason, visit the Novell Support Web site Web site for possible solutions.

1.10 iManager Plug-In Installation

Download the eDir_88_iMan27_Plugins.npm iManager plug-in from the Novell Downloads Web site.

Install the NPM as directed in the Novell iManager 2.7.5 Installation Guide.

1.11 Uninstalling

If, after uninstalling the Novell International Cryptographic Infrastructure (NICI), you want to completely remove NICI from your server, delete the \windows\system32\Novell\NICI subdirectory (for 32-bit NICI) or delete the \windows\SysWOW64\Novell\NICI subdirectory (for 64-bit NICI). You might need to take ownership of some of the files and directories under the NICI subdirectory to delete them.

WARNING:When the NICI subdirectory is removed, any data or information that was previously encrypted with NICI cannot be recovered.

2.0 Known Issues

2.1 Installation and Configuration Issues

eDirectory Dumps the Core on Loading xdasauditds When the Syslog Appender Is Disabled

Install and configure eDirectory, then configure the xdasproperties file. Ensure that the syslog appender is enabled as follows:

Disable Layout definition for appender Syslog S as follows:

# Layout definition for appender Syslog S.
log4j.appender.S.layout.ConversionPattern=%c : %p%m%n

When you attempt to load xdasauditds, eDirectory starts dumping the core and the program is terminated with signal 11.

This issue arises because log4cxx does not check for the existence of layout in the xdasproperties file before setting it up. It assumes that Layout definition for appender Syslog S is automatically enabled if the syslog appender is enabled in the xdasproperties file.

Auto Save Issues in iManager

The auto save feature of the iManager property page causes it to save the default object class when you visit XDAS roles or XDAS accounts page before moving to other pages. To make sure that the settings are appropriate for your requirement, check the xdasconfiguration attribute on the NCP Server object after you are done with settings through iManager.

The Install Fails to Stop the Existing eDirectory Service when Other Novell Products are Installed

Before upgrading to eDirectory 8.8 SP7 on Windows, if other Novell products are installed (such as ZENWorks and NetMail Manager), you must first manually stop the currently running NDS server service before proceeding with the installation of eDirectory 8.8 SP7. Restart the applications after the eDirectory installation.

Launching Utilities Help Files Fails on Windows Server 2003

Because of some security issues, Windows Server 2003 restricts console access from within a service. Because eDirectory evokes as a service on Windows, it has restricted access to the console, which prevents it from opening the help dialog box. This is observed for utilities such as DSRepair, DSMerge, and DSBrowse.

To view the help files for these utilities, open them directly by double-clicking them in the folder they are located in. For example, C:/Novell/NDS/NLS/Nihongo for the Japanese help file.

Login Fails During Installation of the Secondary Server

If the login fails during the secondary server installation, click the Browse button next to the Administrator Login Name dialog box. After this, you might see an error message and a dialog box prompting you to enter an IP address. Enter the IP address of any server in the tree, preferably the Master server of the partition to which the server is being added.

If the server is running on a port number other than 524, enter the port number as well (such as This connects to the server, displays the tree name, and prompts for a login name and password. Follow the dialog boxes to continue with the installation. Ensure that the time between the primary and secondary servers is synchronized.

Replication Issues After an Upgrade

When you upgrade eDirectory 8.7.3.x to eDirectory 8.8 SP7 and enable encrypted replication, replication fails in rare scenarios.

To work around this issue:

  1. In Novell iManager, select Modify Object, then select the NCP Server object.

  2. Under the General tab, select Other.

  3. Add NCPKeyMaterialName from Unvalued Attributes to Valued Attributes with the certificate name. For example, SSL CertificateDNS.

  4. Run Limber on the server where the attribute changed in Step 3. For information about using Limber, see the Novell eDirectory 8.8 SP7 Administration Guide.

Novell SSL Service Startup Error

After eDirectory 8.8 SP7 installation is complete, you might see a -5984 error when you log in to iMonitor or use NDSCons to start the sas.dlm service.

This issue occurs on systems where Client32 is not installed. To resolve this issue, add \novell\nds\sms to the path environmental variable.

eDirectory Installation Fails From a Path Containing Non-ASCII Characters

eDirectory installation fails when the install files are run from a path that contains double-byte or extended ASCII characters.

Missing rt.jar File Causes eDirectory Installation to Fail on Windows 2K3

The installer fails to find the correct path to load the rt.jar file. This issue does not occur if the eDirectory installation folder has a relatively short path. For example, eDirectory installation can fail if the length of the folder path is more than 115 characters.

eDirectory Might Fail to Install or Upgrade Through Remote Desktop Connection

If you use a remote desktop connection to install, the installation fails with an error message. Because a remote desktop connection is slower than the actual/physical access, the install process fails to acquire the local referrals, resulting in a failed installation.

You can avoid this by installing eDirectory on an actual/physical connection of the server or by using a VNC connection.

2.2 ldif2dib Limitations

Simple Password LDIF

On Windows, while uploading LDIF with a simple password, ldif2dib might fail if the NICI keys in the system and Administrator folders are not in sync.

To work around this issue, use the following procedure to access the keys in the nici/system folder:

  1. Go to the C:\Windows\system32\novell\nici\ folder (for 32-bit NICI).


    Go to the C:\Windows\SysWOW64\novell\nici\ folder (for 64-bit NICI).

  2. Back up the files in the Administrator folder.

  3. Go to the Security tab in the Properties window of the system folder.

  4. Select Advanced Options and go to the Owner tab.

  5. Select Administrator.

  6. Go back to the Security tab and add Administrator to the list.

  7. Repeat Step 3 through Step 6 to get read access to all the files inside the system folder.

  8. Overwrite the files in the Administrator folder with the ones in the system folder.

  9. After the upload is done, copy the backed-up files to the Administrator folder.

  10. Change the Administrator’s access to the system folder and also the files within the folder.


The LDIF file should mention all the object classes that an entry belongs to. You should also include the classes that an entry belongs to because of inheritance of classes. For example, an entry of type inetOrgPerson has following syntax in the LDIF file:

  • objectclass: inetorgperson

  • objectclass: organizationalPerson

  • objectclass: person

  • objectclass: top

ACL Templates

Objects bulkloaded using the ldif2dib utility are not added with ACLs that are specified in the ACL templates for the object class of the object.

Signal Handler

You can temporarily suspend the offline bulkload operation by pressing the s or S key. You can use the Escape key (Esc) to stop the bulkload operation.

2.3 Encrypted Replication Issues

Configuring Encrypted Replication Through iManager

You cannot configure encrypted replication through iManager if any server in the replica ring is down.

Merging Trees With Encrypted Replication Enabled Fails

When encrypted replication is enabled, merging trees fails. Disable secure replication on each tree before doing a merge.

2.4 Clone DIB Issues

Clone DIB Can Fail Immediately After an Offline Bulkload

If you try taking the clone of a server immediately after an offline bulkload, it might result in a failure, if the bulkload has been done with the disable indices option.

However, this is not an issue if the dibclone is initiated a few hours after the bulkload completion.

Issue in Cloning with Enabled Encrypted Replication Feature

While cloning with the Encrypted Replication feature enabled on the source server, modify the ER policy to temporarily exclude the cloned server. This can be changed after the configuration of the cloned server is complete.

2.5 Restarting NLDAP on Windows

On Windows, after NLDAP is stopped, you need to restart the server to load NLDAP.

2.6 iManager Dependency on Novell Client with NMAS Support

iManager requires Novell Modular Authentication Service (NMAS) support to be installed on the Windows system on which iManager is installed. It does not require the Novell Client. If you are going to use the Novell Client, iManager requires a version with NMAS support.

2.7 iMonitor Issues

Browsing for Objects Containing Double-Byte Characters in iMonitor

When you use iMonitor to browse an eDirectory tree for objects, an object with double-byte characters in the name might not correctly hyperlink to the object properties.

Agent Health Check on a Single-Server Tree

The Agent Health check feature in iMonitor shows a Warning icon in the Results column when run on a single-server tree because of the Perishable Data status. This does not mean that the tree is not healthy or that the Agent Health check is not working as designed. Perishable Data indicates the amount of data that has not yet been synchronized to at least one replica. A single-server tree, by its nature, means that the data is always at risk for catastrophic failure because there is no other place that the data is replicated. If you lose the hard disk, you lose the data.

If you don't want to view health check warnings about Perishable Data or Readable Replica Counts on your single-server tree, you can turn off these health checks by editing the ndsimonhealth.ini file to change the following entries:

perishable_data-active: OFF


ring_readable-Min_Marginal: 1 or ring_readable-active: OFF

This turns off the warnings for Readable Replica Count and Perishable Data.

iMonitor Report Does Not Save the Records for Each Hour

The custom reports feature in iMonitor is designed to place the URL specified by the user into the saved report (the saved HTML file) when the custom report is created. That means that when you open a saved custom report that has been run, you see the live (current) data instead of the data captured by the URL at the time the custom report is run. This issue will be resolved in a future release of iMonitor.

Enabling Trace Buttons in Internet Explorer 6.0.3790.0

Many buttons in iMonitor, including the Trace On/Off, Select All, Clear All, and Update buttons, depend on JavaScript being enabled. Internet Explorer 6.0.3790.0 has JavaScript disabled by default.

To enable JavaScript in Internet Explorer 6.0.3790.0:

  1. Click Tools > Internet Options, then click the Security tab.

  2. Select the Internet icon, then click Custom Level.

  3. Scroll down to the Scripting section and set Active Scripting to Enable.

  4. Click OK twice.

2.8 DHost Issues

Running DHost with Windows Server 2003 Terminal Services

When running eDirectory utilities such as dsbrowse.dlm and dsrepair.dlm on a Windows Terminal Server, the utility opens on the main desktop, not in the Terminal Services window. This is because Windows Server 2003, for security reasons, does not allow a service to display a window on the Terminal screen.

DHost Crashes When the Admin Logs Off

DHost crashes if the administrator logs off when a repair window is still open. When you run a repair utility, all the repair windows must be closed before logging out of the Windows session.

DHost Crashes Randomly While Shutting Down eDirectory

During upgrade or installation of other Novell products such as Identity Manager, DHost crashes randomly with the following error while shutting down eDirectory:

Memory could not be written.

However, there is no data loss.

2.9 SecretStore over LDAP

The Novell SecretStore functionality does not work over LDAP. To resolve this, you need to refresh LDAP through iManager.

2.10 SNMP Issues

Compiling edir.mib

The eDirectory MIB file (<eDirectoryInstallRootDir>\snmp\edir.mib) on Windows compiles with some errors and warnings on HP OpenView. You can ignore these errors.

Modifying the SNMP Configuration File

If LDAP is not configured to run in clear text mode, the name of the trusted root certificate file must be given in the SNMP configuration file (for example, SSLKEY C:\Novell\nds\trust.der) before bringing up the eDirectory SNMP subagent.

ndssnmp.cfg is found in C:\novell\nds\snmp on Windows.

Using SNMP After a New Tree Installation

When you install eDirectory 8.8 SP7 for the first time (creating a new tree), if the Windows SNMP Service is installed on the server, and the SNMP Service has one or more dependent services, eDirectory cannot shut down the SNMP Service. If this happens, SNMP is not ready to use after the eDirectory installation.

Follow these steps to restart the SNMP service:

  1. Click Start > Settings > Control Panel > Administrative Tools > Services.

  2. Right-click SNMP Service in the Name list, then click Stop.

  3. Click Yes to All.

  4. Right-click SNMP Service in the Name list, then click Start.

SNMP Object Creation Error on Windows Server

While installing eDirectory on any supported Windows platform server, if you get an SNMP group object creation error, you need to manually create the SNMP group object. For information on the steps to manually create an SNMP object, refer to the “eDirectory and SNMP” section of the Novell eDirectory 8.8 SP7 Administration Guide.

Uninstalling SNMP with eDirectory Uninstallation

If the Windows SNMP Service is installed on a server, and the SNMP Service has one or more dependent services, the eDirectory uninstall does not delete all the SNMP files in the C:\novell\nds folder. However, the other uninstallation processes complete successfully, including the deletion of the SNMP registry entries, and the deconfiguration process that the Novell SNMP agent does with DS and the SNMP Service.

To complete the uninstallation:

  1. Click Start > Settings > Control Panel > Administrative Tools > Services.

  2. Right-click SNMP Service in the Name list, then click Stop.

  3. Click Yes to All.

  4. Right-click SNMP Service in the Name list, then click Start.

  5. Manually delete the remaining SNMP files in the C:\novell\nds folder.

2.11 Issue while Working with eDirectory GUI on Windows Server 2008

When you invoke any of the eDirectory utilities through the eDirectory GUI (C:\novell\NDS\NDSCons.exe) on Windows Server 2008, an interactive dialog box appears.

To launch and continue using the invoked utility, click the Show me the message option in the interactive dialog box.

NOTE:When configuring the Directory Agent for Novell eDirectory module (ds.dlm), ensure that you exit the ds.dlm dialog box to continue using the Novell eDirectory services.

2.12 eDirectory Service Manager Issues

If you use the eDirectory Service Manager in Novell iManager to stop eDirectory, restarting it through Service Manager is not possible. Use the Novell eDirectory Services utility (C:\novell\NDS\NDSCons.exe) on the eDirectory server to restart eDirectory.

2.13 Netscape Schema Attributes

Attributes related to Netscape have been removed from the default schema installed with LDAP in eDirectory 8.8 SP7. If you want to use those attributes, they are present in a tree that was installed prior to eDirectory 8.8, or you can add them to any new trees by using the Novell Import Conversion Export utility to run the netscape-mappings.ldif file in the schema folder.

2.14 Deletion of a Moved Object

Deletion of a moved object might fail (error -637) in a tree with two or more servers.

2.15 Issue with Moving a Dynamic Group

Moving a Dynamic Group object with dynamicgroup in the Object Class attribute to another container breaks the dynamic group functionality. After the move, queries and searches on dynamic members do not work.

2.16 Issue with Repairing Network Addresses through eMBox

When you repair the network addresses through eMBox, it throws the following errors because eMBox is not updated with the recent fixes for repair:

ERROR: Could not find a net address for this server - Error : 11004

ERROR: Could not connect. Error : 11004

2.17 Location of the Configuration File

Although eDirectory can be installed in a custom location, the location of the file is currently set as c:\. Therefore, you should move this configuration file from the c:\novell\nds folder to the c:\ drive.

2.18 JClient/DClient Compatibility Issue with Identity Manager 3.5

When you install the eDirectory 8.8 SP6 or later, the installer automatically includes a more recent version of the JClient/DClient package than used by earlier versions of Identity Manager. If you have eDirectory and Identity Manager 3.5 or earlier installed in the same environment, compatibility issues with JClient/DClient stop Identity Manager from starting up successfully.

2.19 Localization Issues

eMBox Does Not Handle Double-Byte Characters

The Novell eDirectory Management Toolbox (eMBox) does not handle double-byte characters for setting a roll-forward directory through the eMBox client and iManager. This can still be done by using DSBK.

dsclusterconfig.exe Utility Does Not Accept All French Terminal Options

In a French localized Windows environment, if you try to run the utility for configuring eDirectory on a cluster (dsclusterconfig.exe), the localized O option does not work. You must provide the corresponding English Y option for the utility to run.

dsclusterconfig.exe Utility Does Not Support Japanese Locale

If you use the dsclusterconfig.exe utility in a Japanese localized Windows environment, the utility displays corrupted Japanese characters in the Windows terminal. You must change the localization settings for the utility to use English in order to properly configure eDirectory.

3.0 Documentation

3.1 Viewing eDirectory Documentation

Novell eDirectory 8.8 SP7 has the following documentation:

  • Novell eDirectory 8.8 SP7 What's New Guide

  • Novell eDirectory 8.8 SP7 Installation Guide

  • Novell eDirectory 8.8 SP7 Administration Guide

  • Novell eDirectory 8.8 SP7 Troubleshooting Guide

  • Novell XDASv2 Administration Guide for eDirectory, Identity Manager, and NMAS v1

These documents are available at the Novell eDirectory 8.8 online documentation Web site.

3.2 Readme Information

The latest version of this Readme is available at the Novell eDirectory 8.8 online documentation Web site.

3.3 Additional Documentation

History of Issues Resolved in eDirectory 8.8.x

For a full list of all issues resolved in Novell eDirectory 8.8, including all patches and service packs, refer to TID 3426981, “History of Issues Resolved in eDirectory 8.8.x.”.


For iManager information, refer to the iManager online documentation.

Novell Modular Authentication Services (NMAS)

For NMAS information, refer to the NMAS online documentation.

Password Management

For Password Management information, refer to the Password Management online documentation.

Certificate Server

For Certificate Server information, refer to the Certificate Server online documentation.

Novell International Cryptographic Infrastructure (NICI)

For NICI information, refer to the NICI online documentation.