6.2 Restoring NICI

At some point it might be necessary to recover NICI configuration files so that the information they contain can be used to decrypt data for an application or simply to restore NICI to a previous state. We assume that you backed up the NICI configuration files at the same time you backed up the application.

WARNING: Overwriting existing NICI configuration files can cause critical data to be lost. If an application has used NICI to encrypt data and the NICI configuration files are lost, it might not be possible to recover the encrypted data. Always keep copies of any files you overwrite. Different applications might have conflicting needs and you might need to recover the data for one application, then restore the system again to recover the data for a second application or continue with normal operations.

6.2.1 Restoring NICI on Linux Systems

  1. Reinstall NICI to a known good state.

  2. Determine which user files must be restored.

    It might be necessary to recover files from one user directory and place them in a different user directory if the users on the system have changed. For example, if Bob originally encrypted data, then the data should not accidentally be revealed to Mary.

  3. Recover the common configuration files and the appropriate user-specific files.

    This may invalidate the configuration files for other users not recovered from the same backup. It might be appropriate to just delete all the configuration files before attempting to restore any specific user files. Re-establish the correct access rights so that each user has approved access to the correct configuration files.

  4. On the server where you installed eDirectory, you can restore the NICI keys using the DSBK utility as instructed in Restoring NICI in the NetIQ eDirectory Administration Guide.

The administrator should follow the above steps. But a knowledgeable operator might choose to restore individual files or directories, possibly changing the names of the files or directories and assigning new access rights.

This can be done if the nicifk and xmgrcfg.wks files haven't changed from those on the backup store.

Review the following guidelines for each file/directory before restoring NICI if NICI is already installed on the server:

| Filename | Guidelines |
|---|---|
| xarchive.000 | Can be restored over an existing file. |
| xmgrcfg.nif | Can be restored over an existing file. |
| User-specific directories and files | Make sure that the user ID in the backup is the same as the user on the box. If the user directory already exists, then it must be determined if the user wants to keep the current files or restore them to a previous state. Normally, user configuration files should be restored as a group rather than individually. Be sure to restore the user files under the correct user’s user ID and to restore the rights on the user directory and contents. For example, if BOB had user ID 1000 at the time of the backup but now has user ID 5000, then the files in the backed up directory 1000 should be restored to directory 5000, or BOB’s UID must be changed back to 1000. So, the restore process must not just blindly restore the user directories without input from the operator. In either case, a backup of the existing NICI user directory needs to be done. |
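
The following shell functions are an added example, not part of the NICI documentation: they restore one user's directory from the backup under a different UID only when nicifk and xmgrcfg.wks match the backup, and they move any existing directory aside first. The layout (those two files at the top of the NICI configuration directory, user directories named by UID beneath it), the function names and the argument names are assumptions; all paths are supplied by the operator.

```shell
#!/bin/sh
# Added example, not from the NICI documentation. Assumed layout: nicifk and
# xmgrcfg.wks sit at the top of the NICI configuration directory, with one
# subdirectory per user named by numeric UID. All paths are operator-supplied.

# files_match LIVE BACKUP: succeeds only if both files are byte-identical in
# the live and backup trees (a missing file counts as a mismatch).
files_match() {
    for f in nicifk xmgrcfg.wks; do
        cmp -s "$1/$f" "$2/$f" || return 1
    done
}

# restore_user_dir LIVE BACKUP OLD_UID NEW_UID SAVE_DIR
# Restores BACKUP/OLD_UID as LIVE/NEW_UID as a group. Any existing
# LIVE/NEW_UID is first moved into SAVE_DIR. Returns 2 when a precondition
# fails and nothing has been changed.
restore_user_dir() {
    live=$1 backup=$2 old_uid=$3 new_uid=$4 save=$5
    [ -d "$backup/$old_uid" ] || {
        echo "no backed-up directory for UID $old_uid" >&2; return 2; }
    files_match "$live" "$backup" || {
        echo "nicifk or xmgrcfg.wks differs from the backup;" \
             "restore all files as a group instead" >&2
        return 2; }
    if [ -e "$live/$new_uid" ]; then
        saved="$save/$new_uid.$(date +%Y%m%d%H%M%S)"
        mv "$live/$new_uid" "$saved" || return 1
        echo "existing directory saved as $saved" >&2
    fi
    # -p keeps the modes recorded in the backup; ownership is then set
    # explicitly to the UID the operator chose, never inferred from the name.
    cp -Rp "$backup/$old_uid" "$live/$new_uid" || return 1
    chown -Rh "$new_uid" "$live/$new_uid"
}

# Usage (run as root; paths are placeholders):
#   restore_user_dir /path/to/nici /path/to/backup 1000 5000 /path/to/saved
```
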

6.2.2 Restoring NICI on Windows Servers

  1. Determine if NICI is already installed on the server by searching the registry for the NICI registry keys mentioned in Performing a Backup on Windows Servers, then do one of the following:

    • If NICI is not installed, restore all the registry information first.

    • If NICI is installed, remove NICI and overwrite the registry information from the backup store.

  2. Restore the files and directories within [Your registry key]\ConfigDirectory as selected by the operator.

  3. On the server where you installed eDirectory, you can restore the NICI keys using the DSBK utility as instructed in Restoring NICI in the NetIQ eDirectory Administration Guide.

It is recommended that all the files be restored as a group. But if you are knowledgeable, you can choose to restore individual entries. This can be done only if the nicifk and xmgrcfg.wks files did not change from the files in the backup store. If this is the case, be sure to adjust the access rights based on the new owner of the user configuration directories. The individual directories are named after the owner, but access rights are controlled by the SID. For example, just because a subdirectory is named BOB does not automatically mean that the current user BOB is the correct owner of the information being restored.

6.2.3 Special Cases for Windows

It is possible to configure the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NICI\UserDirectoryRoot (32-bit) or HKEY_LOCAL_MACHINE\SOFTWARE\Novell\nici_x64\UserDirectoryRoot (64-bit) to indicate that the user configuration files are to be placed in the user’s personal configuration directory. In this case, you should be prepared to back up and restore the user information independently as part of normal backup and restore operations. If NICI has been configured in this manner, you should be aware of it and be prepared to do individual backups.

This special case for the Windows user directory is enabled by creating the registry value EnableUserProfileDirectory rather than just pointing the directory path there. When the user profile directory is enabled, the directory might be automatically deleted when Windows is configured to automatically create and delete user accounts. In this case, backup and restore is necessary only for those specific users who are permanent.

The default path is the Application Data\Novell\Nici directory branch of the user’s directory in Documents and Settings.