July 31, 2008
NOTE:Check the currently installed Novell and third party applications to determine if eDirectory™ 8.8 SP3 is supported before upgrading your existing eDirectory environment. You can find out the current status for Novell products in the TID - What products are supported with Novell eDirectory 8.8 SP3?. It is also highly recommended to backup eDirectory prior to any upgrades.
Windows* 2003 Server SP2
For information on preparing an existing tree for an eDirectory 8.8 SP3 installation, see “Updating the eDirectory Schema for Windows” in the Novell eDirectory 8.8 Installation Guide.
The eDirectory and Novell iManager installs use Java* 1.4. This means that a minimum color depth of 8 bits (256 colors) is required by your video card and driver setting to run the installations properly.
With some video cards, and with some driver versions, you might notice some visual abnormalities in the installation screens. Examples include a pastel color scheme and a strange mottling effect that might look like the resolution is much lower than the actual setting. Some installation screens do not display at all. This makes it appear that the installation is hung up, or that it has aborted. If you see that the installation screens do not appear correctly, download a newer version of the driver for your video card. Otherwise, the installation might not complete successfully.
With some video cards, when 256 colors are set, the installation screen might seem to disappear after the SNMP portion of the installation, even though install.exe and launch.exe are still running (as shown in the Windows Task Manager). If this happens, use Task Manager to terminate the launch.exe process, set your display to more than 256 colors, then rerun the installation. This performs an upgrade installation over the top of the existing installation, and the upgrade should complete successfully.
Prior to the installation of eDirectory 8.8 SP3 on Windows 2003 Server, make sure that the native Master Agent is installed.
If you have the Windows SNMP service installed and running on your system, the eDirectory installation temporarily shuts it down while it installs the Novell SNMP subagent. After the Novell SNMP subagent is installed, the Windows SNMP service is restarted.
If your IPX™ configuration (in Network Settings in the Windows Control Panel) is configured with an Internal Network Number of 0, the eDirectory 8.8 SP3 installation might fail if the machine has multiple NICs. The Internal Network Number must be set to something other than 0 in order for the eDirectory installation to complete properly, and for eDirectory to run properly after installation.
If you choose to uninstall IPX, IPX should be completely uninstalled as a protocol, not merely disabled on some or all adapters.
If you use IPX, it must be configured correctly. That is, multiple adapters (LAN or WAN) must have a valid internal IPX net number set.
You cannot install, remove, enable, or disable a protocol on any adapter while eDirectory is running.
In some cases, schema extensions do not synchronize fast enough to the lower levels of a tree where the first new eDirectory 8.8 SP3 server is being installed, so some features are not completely installed.
This problem can be avoided by manually extending the schema in your tree before you install eDirectory 8.8 SP3, using the eDirectory 8.8 SP3 schema files located in the <Unzip Location>\nt\I386\NDSonNT\ndsnt\nds directory.
For more information on extending the schema, refer to the eDirectory 8.8 Administration Guide.
When installing eDirectory on a Windows server that has a Jaz* or Zip* drive, you might receive the following error:
There is no disk in the drive. Please insert a disk into <drive_name>.
To resolve this issue, do one of the following:
Click Continue several times.
Insert a Jaz or Zip cartridge, then click Continue.
Start the install with a Jaz or Zip cartridge in the drive.
When eDirectory 8.8 SP3 is installed on a Windows 2000 already containing the Novell Client™, eDirectory installs an SLP service, but sets the service to manual mode so that it does not run when the server is booted. eDirectory then uses the SLP service from the Novell Client.If the Novell Client is removed, leaving no SLP service for eDirectory to use, you must manually start the SLP service, or change it to start automatically when the server boots.
If you have eDirectory 8.5.x or 8.6.x, you must first upgrade to eDirectory 8.7.x, then upgrade to eDirectory 8.8 SP3.
During the upgrade from eDirectory 8.7.x to eDirectory 8.8.3, the location of the Identity Manager files is changed, requiring a reinstall of the Identity Manager engine and drivers. Any third-party jar files are not automatically copied to the new location and must be manually placed prior to startingthe drivers affected. It is recommended that all drivers be set to manual prior to upgrading to eDirectory 8.8 SP3.
When an eDirectory server is upgraded from previous versions to eDirectory 8.8 SP3, the disk space check for the DIB upgrade is performed. The free disk space necessary in the file system where the DIB resides is equal to that of the DIB size. The messages of the disk space check are updated in the ndscheck.log located in the instance’s specific log directory. For default instance, C:\Novell\NDS\ndscheck.log.
NOTE:The disk space check is required only during the DIB upgrade process. For more information, refer to Upgrade Requirements of eDirectory 8.8.
When eDirectory is upgraded to eDirectory 8.8 SP3, the server is stopped and a DIB upgrade operation is performed before the server is started and the normal upgrade is performed. The time taken for this upgrade depends on the number of objects in the tree.
For more details on the DIB upgrade, please refer to the “Upgrade Requirements of eDirectory 8.8 SP3” section of the eDirectory 8.8 Installation Guide.
When specifying the eDirectory information during the installation, if an invalid Server object container type is specified, the installation does not detect the error until later, and the eDirectory installation fails with a -611 or -634 error.
The valid Server object container types are:
Organizational Unit (OU)
On rare occasions, the eDirectory installation fails during its core DS component installation. If so, an error like the following is displayed:
The DS component of eDirectory failed to install correctly. The error received was: ’<some error>’. Please view DSInstall.log for more detailed information. The eDirectory installation will now be terminated.
If you receive this error, you should try to reinstall the product, or remove it and then reinstall it. If the reinstallation fails because of a partial installation already being on your system, or for any other reason, please visit the Novell Support Web site Web site for possible solutions.
After uninstalling NICI, if you want to completely remove NICI from your server, delete the \windows\system32\Novell\NICI subdirectory. You might need to take ownership of some of the files and directories under the NICI subdirectory to delete them.
WARNING:When the NICI subdirectory has been removed, any data or information that was previously encrypted with NICI cannot be recovered.
eDirectory 8.8 SP3 does not function properly with Nsure™ Audit 1.0.x. For full functionality with eDirectory 8.8 SP3, upgrade to Novell Audit 2.0.
Before upgrading to eDirectory 8.8 SP3 on Windows, if other Novell products are installed (such as ZENWorks®, Nsure Audit, and NetMail® Manager), you must first manually stop the currently running NDS® server service before proceeding with the installation of eDirectory 8.8 SP3. Restart the applications after the eDirectory installation.
Because of some security issues, Windows 2003 Server restricts console access from within a service. Because eDirectory evokes as a service on Windows, it has restricted access to the console, which prevents it from opening the help dialogue box. This is observed for operations such as dsrepair, dsmerge, and dsbrowse.
Work around: To view the help files for these utilities, open them directly by double-clicking them in the directory they are located in. For example, C:/Novell/NDS/NLS/Nihongo for the Japanese help file.
The W32 SMDR service cannot start, because the following files are missing from the installed 8.8 system:
These files are not installed with the eDirectory 8.8 SP3 installation. They are only installed if the Novell Client is installed.
To work around this problem, install the client.
If the login fails during the secondary server installation, click the Browse button next to the Administrator Login Name dialog box. After this, you might see an error message, and a dialog box prompting you to enter an IP address. Enter the IP address of any server in the tree, preferably the Master server of the partition to which the server is being added. If the server is running on a port number other than 524, enter the port number as well (such as 126.96.36.199:1524). This connects to the server, displays the tree name, and prompts for a login name and password. Follow the dialog boxes to continue with the installation. Ensure that the time between primary and secondary servers is synchronized.
When you upgrade eDirectory 8.7.3.x to eDirectory 8.8 SP3 and enable encrypted replication, replication fails in rare scenarios.
To work around this issue:
In Novell iManager select modify object, then select the NCP Server object.
Under the General tab, select Other.
Add NCPKeyMaterialName from Unvalued Attributes to Valued Attributes with the certificate name, for example, SSL CertificateDNS.
Run Limber on the server where the attribute changed (Step 3).
After eDirectory 8.8 SP3 installation is complete, when you login to iMonitor or use NDSCONS to start the sas.dlm service, you might see a -5984 error.
This issue occurs on systems where Client32™ is not installed. To resolve this issue, add \novell\nds\sms to the path environmental variable.
In LDAP transaction support, supportedGroupingTypes OID and transactionGroupingType OIDs are the same ( 2.16.840.1.1137188.8.131.52.7).
If a client performs an unauthenticated search operation when anonymous binds are disabled, the LDAP server responds with the bind result of inappropiate authentication instead of the search result, operationsError.
When you try to add eDirectory 8.8 SP3 server from Windows host (SLES10 also) to the existing tree running on a different host, it might fail if the firewall is enabled.
To work around this issue, enable SLP services and NCP port (default 524) in the firewall to allow the secondary server addition.
eDirectory installation fails when the install files are run from a path that contains double-byte or extended ASCII characters.
The installation fails with an error message. Because remote desktop connection is delayed than the actual/physical access, the install process fails to acquire the local referrals resulting in a failed installation.
You can avoid this by installing eDirectory on actual/physical connection of the server or using the VNC connection.
On Windows, while uploading LDIF with a simple password, ldif2dib might fail if the NICI keys in the System and Administrator folder are not in sync.
To work around this issue, use the following procedure to access the keys in the nici/system folder:
Go to the C:\Windows\system32\novell\nici\ folder.
Back up the files in the Administrator folder.
Go to the Security tab in the Properties window of the system folder.
Select Advanced Options and go to the Owner tab.
Go back to the Security tab and add Administrator to the list.
Repeat Step 3 through Step 6 to get read access to all the files present inside the system folder.
Overwrite the files in the Administrator folder with the ones in the system folder.
After the upload is done, copy the backed-up files to the Administrator folder.
Change the Administrator’s access to the system folder and also the files within the folder.
The LDIF file should mention all the object classes that an entry belongs to. You should also include the classes that an entry belongs to because of inheritance of classes. For example, an entry of type inetOrgPerson has following syntax in the LDIF file:
Objects bulkloaded by using the ldif2dib utility are not added with ACLs that are specified in the ACL templates for the object class of the object.
You can temporarily suspend the offline bulkload operation by pressing the s or S key. You can use Escape key (Esc) to stop the bulkload operation.
You cannot configure encrypted replication through iManager if any server in the replica ring is down.
If an attribute of an object is encrypted, you cannot view or modify the object by using iManager 2.5.
To work around this issue, you can view or modify the encrypted attribute over a secure channel, using any of the following methods:
LDAP: The LDAP request must be send over a secure channel, which means that the trusted root certificate of the server must be used.
ICE: LDIF scripts can be used to modify the object. If you do this, ICE must use a secure channel.
Use iManager 2.5 FP2, iManager 2.6, or later.
NOTE:We recommend using iManager 2.6 or later for viewing or modifying encrypted attributes.
Alternatively, you can turn off the secure channel required option for viewing or modifying the encrypted attributes by disabling the requireSecure attribute in the Encrypted Attributes policy. This makes the object and the encrypted attributes accessible by any client over clear text channel. After this, iManager can access the object.
When encrypted replication is enabled, merging trees fails. Disable secure replication on each tree before doing a merge.
If you try taking the clone of a server immediately after an offline bulkload, it might result in a failure, if the bulkload has been done with the disable indices option.
However, this is not an issue if the dibclone is initiated a few hours after the bulkload completion.
While cloning with the Encrypted Replication feature enabled on the source server, modify the ER policy to temporarily exclude the cloned server. This can be changed after the configuration of the cloned server is complete.
On Windows, after NLDAP is stopped, you need to restart the server to load NLDAP.
iManager requires NMAS™ support to be installed on the Windows system on which iManager is installed. It does not require the Novell Client. If you are going to use the Novell Client, iManager requires a version with NMAS support.
Quick Create only creates an LDAP group object with dummy attributes that you can later modify. It creates the LDAP Group object with version one instead of nine. Therefore, all the LDAP operations fail as it is not possible to associate any LDAP server due to version incompatibility.
To work around this issue, after creating the LDAP group using Quick Create, change the LDAP Group object version number to nine.
When using iMonitor to browse an eDirectory tree for objects, an object with double-byte characters in the name might not correctly hyperlink to the object properties.
The Agent Health check feature in iMonitor shows a Warning icon in the Results column when run on a single server tree because of the Perishable Data status. This does not mean that the tree is not healthy or that the Agent Health check is not working as designed. Perishable Data indicates the amount of data that has not yet been synchronized to at least one replica. A single server tree, by its nature, means that the data is always at risk for catastrophic failure because there is no other place that the data is replicated. If you lose the hard disk, you lose the data.
If you don't want to view health check warnings about Perishable Data or Readable Replica Counts on your single server tree, you can turn off these health checks by editing the ndsimonhealth.ini file to change the following entries:
ring_readable-Min_Marginal: 1 or ring_readable-active: OFF
This turns off the warnings for Readable Replica Count and Perishable Data.
The custom reports feature in iMonitor is designed to place the URL specified by the user into the saved report (the saved HTML file) when the custom report is created. That means that when you open a saved custom report that has been run, you see the live (current) data instead of the data captured by the URL at the time the custom report is run. This issue will be resolved in a future release of iMonitor.
Click Tools > Internet Options, then click the Security tab.
Select the Internet icon, then click Custom Level.
Scroll down to the Scripting section and set Active Scripting to Enable.
Click OK twice.
When running eDirectory utilities such as dsbrowse.dlm and dsrepair.dlm on a Windows Terminal Server, the utility opens on the main desktop, not in the Terminal Services window. This is because Win32, for security reasons, does not allow a service to display a window on the Terminal screen.
DHost crashes if the administrator logs off when a repair window is still open. When running repair utility, all the repair windows must be closed before logging out of the Windows session.
During upgrade or installation of other Novell products such as IDM and so on, while shutting down eDirectory, dhost crashes randomly with the following error:
Memory could not be written.
However, there is no data loss.
The Novell SecretStore® functionality does not work over LDAP. To resolve this, you need to refresh LDAP through iManager.
The eDirectory MIB file (<eDirectoryInstallRootDir>\snmp\edir.mib) on Windows compiles with some errors and warnings on HP-OpenView. You can ignore these errors.
If LDAP is not configured to run in clear text mode, the name of the trusted root certificate file must be given in the SNMP configuration file (for example, SSLKEY C:\Novell\nds\trust.der) before bringing up eDirectory SNMP subagent.
ndssnmp.cfg is found in C:\novell\nds\snmp on Windows.
When installing eDirectory 8.8 SP3 for the first time (creating a new tree), if the Windows SNMP Service is installed on the server, and the SNMP Service has one or more dependent services, eDirectory cannot shut down the SNMP Service. If this happens, SNMP is not ready to use after the eDirectory installation.
To use SNMP, follow these steps to restart the SNMP service:
Click Start > Settings > Control Panel > Administrative Tools > Services.
Right-click SNMP Service in the Name list, then click Stop.
Click Yes to All.
Right-click SNMP Service in the Name list, then click Start.
While installing eDirectory on Windows 2003 Server, if you get an SNMP group object creation error, you need to manually create the SNMP group object. For more information on the steps to manually create an SNMP object, refer to the “SNMP Support of eDirectory” section of the eDirectory 8.8 Administration Guide.
If the Windows SNMP Service is installed on a server, and the SNMP Service has one or more dependent services, the eDirectory uninstall does not delete all the SNMP files in the C:\novell\nds directory. However, the other uninstallation processes complete successfully, including the deletion of the SNMP registry entries, and the deconfiguration process that the Novell SNMP agent does with DS and the SNMP Service.
To complete the uninstallation:
Click Start > Settings > Control Panel > Administrative Tools > Services.
Right-click SNMP Service in the Name list, then click Stop.
Click Yes to All.
Right-click SNMP Service in the Name list, then click Start.
Manually delete the remaining SNMP files in the C:\novell\nds directory.
If you use the eDirectory Service Manager in Novell iManager to stop eDirectory, restarting it through Service Manager is not possible. Use the Novell eDirectory Services utility (C:\novell\NDS\NDSCons.exe) on the eDirectory server to restart eDirectory.
You can use Novell iManager to increase the maximum size of the eDirectory log files.
In iManager, click eDirectory Maintenance Utilities > Log File.
Specify which server will perform the log file operation, authenticate to the server, click > Log File Options, then set the maximum file size to a large value (such as several megabytes).
The size of the log files can become a problem and might cause eDirectory to stop responding on Windows*. To solve this problem, increase the heap size allocated to the JVM* for iManager by using an environment variable of the following form:
This increases the JVM heap size from the default of 64 MB to 512 MB.
The attributes related to Netscape* have been removed from the default schema installed with LDAP in eDirectory 8.8 SP3. If you want to use those attributes, they are present in a tree that was installed prior to eDirectory 8.8, or you can add them to any new trees by using the Novell Import Conversion Export utility to run the netscape-mappings.ldif file in the schema directory.
Deletion of a moved object can fail in a tree with two or more servers.
The concurrent connection limit behavior of non-NetWare platforms is changed to match that of Netware. To resort to the old behavior (strict port based checking), set following parameter in nds.conf file.
Novell eDirectory 8.8 SP3 has the following documentation:
Novell eDirectory 8.8 What's New Guide
Novell eDirectory 8.8 Installation Guide
Novell eDirectory 8.8 Administration Guide
Novell eDirectory 8.8 Troubleshooting Guide
These documents are available at the Novell eDirectory 8.8 online documentation Web site.
The latest version of this readme is available at the Novell eDirectory 8.8 online documentation Web site.
For NMAS information, refer to the NMAS online documentation.
For Certificate Server information, refer to the Certificate Server online documentation.
For NICI information, refer to the NICI online documentation.
In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
A trademark symbol (® , TM, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark.
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2008 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.novell.com/company/legal/patents/ and one or more additional patents or pending patent applications in the U.S. and in other countries.
For a list of Novell trademarks, see the Novell Trademark and Service Mark list at http://www.novell.com/company/legal/trademarks/tmlist.html.
All third-party products are the property of their respective owners.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. Please refer to \documentation\english\license\license.txt for additional information and license terms.