3.5 Installing eDirectory on Windows

3.5.1 Installing or Updating eDirectory 9.1 on a Windows Server

You can install eDirectory 9.1 for Windows without the Novell Client. If you install eDirectory 9.1 on a machine already containing the Novell Client, eDirectory will use the existing Client, or update it if it is not the latest version.

  1. At the Windows server, log in as Administrator or as a user with administrative privileges.

  2. If you have Autorun turned off, run eDirectory_910_Windows_x86_64.exe from the windows folder in the eDirectory 9.1 CD or from the downloaded file.

  3. (New installations only) Select an eDirectory installation type under the Basic tab:

    • Create a New eDirectory Tree creates a new tree. Use this option if this is the first server to go into the tree or if this server requires a separate tree. The resources available on the new tree will not be available to users logged in to a different tree.

    • Install eDirectory into an Existing Tree incorporates this server into your eDirectory network. The server can be installed into any level of your tree.

  4. Provide information in the eDirectory Installation screen:

    • If you are installing a new eDirectory server, specify a Tree name, Server object context, and Admin name and password for the new tree.

      IMPORTANT: Though eDirectory allows you to set the NCP server object's FDN up to 256 characters, NetIQ recommends that you keep it much shorter, because eDirectory creates other objects of greater length based on the length of this object.

    • If you are installing into an existing tree, specify the IP address, Tree name, Server object context, and Admin name and password of the existing tree.

    • If you are upgrading an eDirectory server, specify the Admin password.

      NOTE: eDirectory 9.1 allows you to use case-sensitive passwords for all the utilities.

    For information on using dots in container names, see Installing into a Tree with Dotted Name Containers.

  5. Specify or confirm the installation path. The default location is C:\NetIQ\eDirectory.

  6. Specify or confirm the DIB path. The default location is C:\NetIQ\eDirectory\DIBFiles.

  7. In Advanced tab, specify the following information:

    • If you want to use IPv6 addresses, select Enable IPv6.

      NOTE: If you do not enable IPv6 addresses during the installation process and decide to use them later, you must run the setup program again.

    • If you want to enable Enhanced Background Authentication (EBA), select Enable EBA.

      NOTE: If you do not enable EBA during the installation process and decide to enable it later, you must run the setup program again.

      To add a secondary EBA-enabled server to the tree, you must have an EBA CA configured in the tree. If the EBA CA is not present, first add the server without enabling EBA and then upgrade the server to host the EBA CA. Otherwise, the configuration of the secondary server fails.

    • Specify the HTTP Stack ports to use for the eDirectory administrative HTTP server.

      IMPORTANT: Make sure that the HTTP stack ports you set during the eDirectory installation are different from the HTTP stack ports you have used or will use for NetIQ iManager. For more information, see the iManager Administration Guide.

    • Specify which LDAP ports to use.

      For more information, see Communicating with eDirectory through LDAP.

  8. Click Install.

    The installation program checks for the following components before it installs eDirectory. If a component is missing or is an incorrect version, the installation program automatically launches an installation for that component.

    • NICI 3.1

      For more information on the Novell International Cryptographic Infrastructure (NICI), see the NICI Administration Guide.

  9. eDirectory will install and configure all the required components automatically.

  10. When the installer completes the installation, click Finish to exit the wizard.

IMPORTANT: Only the eDirectory administrator should be able to log in to the server where eDirectory is installed.

NOTE: After you install eDirectory, we recommend that you exclude the DIB directory on your eDirectory server from any antivirus or backup software processes. Use the eDirectory Backup Tool to back up your DIB directory.

For more information about backing up eDirectory, see Backing Up and Restoring NetIQ eDirectory, in the NetIQ eDirectory Administration Guide.

3.5.2 Server Health Checks

With eDirectory 9.1, when you upgrade eDirectory, a server health check is conducted by default to ensure that the server is safe for the upgrade.

Based on the results obtained from the health checks, the upgrade will either continue or exit as follows:

  • If all the health checks are successful, the upgrade will continue.

  • If there are minor errors, the upgrade will prompt you to continue or exit.

  • If there are critical errors, the upgrade will exit.

See Section B.0, eDirectory Health Checks for a list of minor and critical error conditions.

3.5.3 Communicating with eDirectory through LDAP

When you install eDirectory, you must select a port that the LDAP server monitors so that it can service LDAP requests. The following table lists options for various installations:

Installation     Option                  Result
eDirectory 9.1   Clear text (port 389)   Selects port 389.
eDirectory 9.1   Encrypted (port 636)    Selects port 636.

Port 389, the Industry-Standard LDAP Clear-Text Port

The connection through port 389 is not encrypted. All data sent on a connection made to this port is clear. Therefore, a security risk exists. For example, LDAP passwords can be viewed on a simple bind request.

An LDAP Simple Bind requires only a DN and a password. The password is in clear text. If you use port 389, the entire packet is in clear text. By default, this option is disabled during the eDirectory installation.

Because port 389 allows clear text, the LDAP server services Read and Write requests to the Directory through this port. This openness is adequate for environments of trust, where spoofing doesn't occur and no one inappropriately captures packets.

If you make a secure connection to port 636 and have a simple bind, the connection is already encrypted. No one can view passwords, data packets, or bind requests.

Port 636, the Industry-Standard Secure Port

The connection through port 636 is encrypted. TLS (formerly SSL) manages the encryption. By default, the eDirectory installation selects this port.

A connection to port 636 automatically instantiates a handshake. If the handshake fails, the connection is denied.

IMPORTANT: This default selection might cause a problem for your LDAP server. If a service already loaded on the host server (before eDirectory was installed) uses port 636, you must specify another port.

The eDirectory installation loads nldap.nlm, places an error message in the dstrace.log file, and runs without the secure port.

Scenario: Port 636 Is Already Used: Your server is running Active Directory. Active Directory is running an LDAP program, which uses port 636. You install eDirectory. The installation program detects that port 636 is already used and doesn't assign a port number for the NetIQ LDAP server. The LDAP server loads and appears to run. However, because the LDAP server does not duplicate or use a port that is already open, the LDAP server does not service requests on any duplicated port.

If you are not certain that port 389 or 636 is assigned to the NetIQ LDAP server, run the ICE utility. If the Vendor Version field does not specify NetIQ, you must reconfigure LDAP Server for eDirectory and select a different port. For more information, see Verifying That the LDAP Server Is Running in the NetIQ eDirectory Administration Guide.

Scenario: Active Directory Is Running: Active Directory is running. Clear-text port 389 is open. You run the ICE command to port 389 and ask for the vendor version. The report displays Microsoft. You then reconfigure the NetIQ LDAP server by selecting another port, so that the eDirectory LDAP server can service LDAP requests.

NetIQ iMonitor can also report that port 389 or 636 is already open. If the LDAP server isn't working, use NetIQ iMonitor to identify details. For more information, see Verifying That the LDAP Server Is Running in the NetIQ eDirectory Administration Guide.
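A pre-install check for the port 389/636 scenarios above, as an added PowerShell example that is not part of the NetIQ guide: it reports which local process owns each LDAP listener and reads the rootDSE vendorName and vendorVersion attributes anonymously, which is the same information the ICE vendor-version query returns. It assumes the script runs on the Windows host itself and that Get-NetTCPConnection is available (Windows Server 2012 or later); the function name is my own.

```powershell
# Added example, not from the NetIQ guide: identify what is listening on the LDAP ports
# before (or after) installing eDirectory, so a foreign LDAP server such as Active Directory
# on 389/636 is noticed instead of silently leaving the NetIQ LDAP server without a port.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-LdapListenerInfo {
    param(
        [string]$Server = 'localhost',
        [int]$Port,
        [switch]$Ssl
    )
    $result = [ordered]@{ Port = $Port; Process = $null; vendorName = $null; vendorVersion = $null; Error = $null }

    # Local process that owns the listener (needs rights to enumerate TCP connections)
    $listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($listener) {
        $result.Process = (Get-Process -Id $listener.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    }

    try {
        $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
        $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
        $conn.SessionOptions.ProtocolVersion = 3
        $conn.Timeout = [TimeSpan]::FromSeconds(5)
        if ($Ssl) {
            # Port 636 starts the TLS handshake immediately. Identification only: the server
            # certificate is accepted here so the vendor can be read even before the tree CA is trusted.
            $conn.SessionOptions.SecureSocketLayer = $true
            $conn.SessionOptions.VerifyServerCertificate = { param($c, $cert) $true }
        }
        # rootDSE search: empty base DN, base scope, vendor attributes defined by RFC 3045
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
            '', '(objectClass=*)', [System.DirectoryServices.Protocols.SearchScope]::Base,
            @('vendorName', 'vendorVersion'))
        $resp  = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)
        $attrs = $resp.Entries[0].Attributes
        foreach ($name in 'vendorName', 'vendorVersion') {
            if ($attrs.Contains($name)) { $result[$name] = $attrs[$name].GetValues([string])[0] }
        }
    } catch {
        # Connection refused, handshake failure or no LDAP response all land here
        $result.Error = $_.Exception.Message
    }
    return [pscustomobject]$result
}

# Check both installer defaults; a vendor other than NetIQ (for example Microsoft) means
# the eDirectory LDAP server must be reconfigured to a different port.
$report = @(
    (Get-LdapListenerInfo -Port 389),
    (Get-LdapListenerInfo -Port 636 -Ssl)
)
$report | Format-Table -AutoSize
```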

3.5.4 Installing NMAS Server Software

NetIQ Modular Authentication Service (NMAS) server components are installed automatically when you run the eDirectory installation program. The NDS login method is configured by default.

For more information on login methods, see Managing Login and Post-Login Methods and Sequences in the NetIQ eDirectory Administration Guide.

3.5.5 Installing into a Tree with Dotted Name Containers

You can install a Windows server into an eDirectory tree that has containers with dots in the names (for example, O=netiq.com or C=u.s.a). Using containers with dotted names requires that those dots be escaped with the backslash character. To escape a dot, simply put a backslash in front of any dot in a container name.

You cannot start a name with a dot. For example, you cannot create a container named “.netiq” because it starts with a dot (‘.’).

IMPORTANT: If your tree has containers with dotted names, you must escape those names when logging into utilities such as iMonitor, iManager, and DHost iConsole. For example, if your tree has “netiq.com” as the name of the O, enter username.netiq\.com in the Username field when logging in to iMonitor.

3.5.6 Unattended Install and Configure to eDirectory 9.1 on Windows

eDirectory 9.1 automates the eDirectory installation and upgrade so that eDirectory is installed or upgraded silently on Windows servers without human intervention.

On Windows, the unattended installation of eDirectory uses predefined text files that facilitate the unattended installation or upgrade. You can perform either of the following setup using the unattended installation of eDirectory:

  • Standalone installation or upgrade of eDirectory, depending on whether this is a complete installation of eDirectory or not. The standalone upgrade process upgrades only the installed files.

  • Configuration of installed eDirectory. If you install eDirectory, a complete configuration of eDirectory is performed. Otherwise, when you upgrade eDirectory, the installer only configures the upgraded files.

For more information on how to specify the setup for unattended installation, refer to the section Adding Features to the Automated Installation.

Prerequisites

  • .NET Management Framework 4.0 or above is required

  • Ensure that Windows 2012 R2 Server is updated with the latest Windows patches

The following sections discuss various features that can be used to configure the unattended installation, including the install location, no display of splash screens, port configurations, additional NMAS methods, stopping and starting SNMP services, etc.

Response Files

Installing or upgrading to eDirectory 9.1 on the Windows operating system can be made silent and more flexible by using a response file for the following:

  • Complete unattended installation with all required user inputs

  • Default configuration of components

  • Bypassing all prompts during the installation

A response file is a text file containing sections and keys, similar to a Windows .ini file. You can create and edit a response file using any ASCII text editor. The eDirectory upgrade reads the installation parameters directly from the response file and replaces the default installation values with the response file values. The installation program accepts the values from the response file and continues to install without prompts.

Response File Sections and Keys

The eDirectory 9.1 installation requires changes to the sections in the response file to add information about the eDirectory instance to be installed, including the tree name, administrator context, administrator credentials (including user name and passwords), installation locations, etc. A full list of the keys and their default values is available in the sample response files which are delivered with the eDirectory installation. There are four response files available at <eDirectoryInstallPath>\NetIQ\eDirectory\Sample_Response_File during the eDirectory installation:

  • newtree.ni: This file is used to configure a new eDirectory tree.

  • existingtree.ni: This file is used to add a server to an existing eDirectory tree.

  • upgrade.ni: This file is used to upgrade the eDirectory server.

  • deconfigure.ni: This file is used to de-configure an eDirectory tree.

NOTE: Use one of the provided response files during the eDirectory installation; the essential parameters are present in these files and set by default. When editing these files, ensure that there are no blank spaces between the key, the equals sign ("=") and the value in each key-value pair.

Adding Features to the Automated Installation

Most details for configuring the eDirectory Installer have default settings for the manual installation. However, during unattended installation, each configuration parameter must be explicitly configured. This section discusses the basic settings to be configured, irrespective of any sequence of installation or additional features.

eDirectory Server Details

Regardless of whether it is an upgrade or a primary/secondary server installation, the details of the server being installed or upgraded must be provided to the Installer. Most of this information is configured in the tag [NWI:NDS].

[NWI:NDS] 
  • mode: By default, the mode key is set to configure. This configures eDirectory.

  • Tree Name: For a primary server installation, this is the name of the tree that needs to be installed. For a secondary server installation, this is the tree to which this server must be added.

  • Server Name: The name of the server that is being installed.

  • Server Container: Any server added to a tree has a server object containing all the configuration details specific to the server. This parameter is the container object in the tree to which the server object will be added. For primary server installations, this container will be created with the server object.

  • Admin Login Name: The name (RDN) of the Administrator object in the tree that has full rights, at least to the context to which this server is added. All operations in the tree will be performed as this user.

  • Admin Context: Any user added to a tree has a user object that contains all the user-specific details. This parameter is the container object in the tree to which the Administrator object will be added. For primary server installations, this container will be created with the server object.

  • Admin password: The password for the Administrator object created in the previous parameters. This password will be configured to the Administrator object during primary server installations. For secondary server installations, this needs to be the password of the Administrator object in the primary server that has rights to the context to which the new server is added.

    We recommend that you set the admin password in an environment variable and reference the environment variable name in the response file. Once the silent configuration is complete, remove the password from the environment variable.

    IMPORTANT: You provide the administrator user credentials in the response file for an unattended installation. Therefore, you should permanently delete the file after the installation to prevent the administrator credentials from being compromised.

  • DataDir: By default the DIB is installed in the Files subfolder inside the NDS location, but administrators can change this parameter and provide a different location. If no value is provided for this parameter, the value will be set to <Install location>/DIBFiles by default.

  • EBA: Enhanced Background Authentication (EBA) provides an improved and more secure background authentication protocol for authenticating to the NCP servers in the tree. eDirectory provides the option of enabling EBA while configuring the eDirectory tree or later. By default, EBA is not configured on eDirectory unless it is changed in the response file. To enable EBA, set Require EBA to Yes.

  • FIPS: NetIQ supports eDirectory running in Federal Information Processing Standard (FIPS) mode. To enable eDirectory in FIPS mode, set Require FIPS for TLS to Yes.

The following is a sample of text in the response file for all the basic parameters described above:

[NWI:NDS]
mode=configure
New Tree=Yes
Tree Name=ENEWTREE
Server Name=ENEWSERVER
Server Container=myorg
Admin Context=myorg
Admin Login Name=Admin
Admin Password=env: PASSWORD_VAR
Require IPV6=NO
Require EBA=NO
Require FIPS for TLS=NO
DataDir=C:\NetIQ\eDirectory\DIBFiles
LDAP TCP Port=389
LDAP SSL Port=636
Require TLS=No
Require SS=YES

Adding NMAS Methods

eDirectory supports installation of multiple NMAS methods, both during install and upgrade. During manual installations, you can select the NMAS methods to install and configure. This can also be achieved in automated installations.

The NMAS-related configuration settings are provided inside the [NWI:NMAS] tag. The tag has two keys to be configured, and both are mandatory:

  • Choices: This key informs the eDirectory installation component on the number of NMAS methods that need to be installed.

  • Methods: This key lists the NMAS method options that need to be installed. Currently, there are 6 supported NMAS methods. The method names and their types are as follows:

    Table 3-1 NMAS Methods

    Method Name          Method Type
    CertMutual           Certificate mutual login method
    Challenge Response   The NetIQ challenge response NMAS method
    DIGEST-MD5           Digest MD5 login method
    SAML                 Security Assertion Markup Language authentication method
    NDS                  NDS login method (default)
    Simple Password      Simple password NMAS login method

NOTE: The method names should exactly match those listed in the above table, as options to the Methods key. The Installer matches the exact string (with case) for choosing the NMAS methods to install.

The NDS NMAS method is mandatory and will be installed automatically if no NMAS methods list is provided. However, if you are creating an explicit list, do not remove this method from the list.

If the NMAS methods are configured using this methodology in the response file, eDirectory shows a status message while installing, without prompting for user input.

The following is sample text in the response file for choosing the NMAS methods:

[NWI:NMAS]
Methods=CertMutual,Challenge Response,DIGEST-MD5,NDS,Simple Password,SAML

HTTP Ports

eDirectory listens on preconfigured HTTP ports for access through the Web. For example, iMonitor accesses eDirectory through Web interfaces, and such clients need to specify the correct ports in order to access the appropriate applications. There are two keys that can be set prior to installation to configure eDirectory on specific ports:

  • Clear Text HTTP Port: The port number for the HTTP operations in clear text.

  • SSL HTTP Port: HTTP port number for operations on the secure socket layer.

The following is sample text in the response file for configuring HTTP port numbers:

[eDir:HTTP]
Clear Text HTTP Port=8028
SSL HTTP Port=8030

LDAP Configuration

eDirectory supports LDAP operations. It listens for LDAP requests in clear text and SSL, on two different ports. These ports can be configured in the response file prior to installation so that when eDirectory is started, it listens on these configured ports.

There are three keys in the [NWI:NDS] tag that configure the LDAP ports:

  • LDAP TCP Port: The port on which eDirectory should listen for LDAP requests in clear text. If no port is mentioned, 389 will be assumed by default.

  • LDAP SSL Port: The port on which eDirectory should listen for LDAP requests in SSL. You can also use a key to configure whether eDirectory should mandate secure connections when bind requests send the password in clear text. If no port is mentioned, 636 will be assumed by default.

  • Require TLS: Whether eDirectory should mandate TLS when receiving LDAP requests in clear text. If no value is provided for this parameter, by default it will be set to Yes.

The following is sample text in the response file for LDAP configuration:

[NWI:NDS]
Require TLS=Yes
LDAP TCP Port=389
LDAP SSL Port=636

Controlling Automated Installation

The response file can also be edited to control the flow of automated installation.

Stopping SNMP services

This feature is specific to an eDirectory installation on Windows. Most Windows servers have SNMP configured and running. When eDirectory installs, the SNMP services need to be brought down and restarted after the installation. With manual installations, the Installer prompts the user on-screen to stop the SNMP services before continuing the installation. This prompt can be avoided during automation by setting the key in the [NWI:SNMP] tag:

  • Stop service: Set the value to Yes to stop the SNMP services without prompting. The status is displayed on-screen.

The following is sample text in the response file for stopping SNMP services:

[NWI:SNMP]
Stop service=yes

SLP Services

eDirectory uses SLP services to identify other servers or trees in the subnet during installation or upgrade. If SLP services were already installed on your server by a previous eDirectory installation, the current version of eDirectory detects them and upgrades SLP to the latest version. If no SLP is installed, eDirectory installs the SLP services during silent installation.

Specifying Default Parameters for Default Server Certificates

eDirectory provides the option to specify the default RSA key size, Elliptic Curve and certificate life for the CA certificates and default server certificates while configuring a new eDirectory tree. You can specify the following default parameters for the CA and default server certificates during silent installation of a new eDirectory tree in the response file:

  • RSA Key Size: To specify the key size for RSA certificates. Allowed values are 2048, 4096 and 8192 bits.

  • EC Curve: To specify the curve limit for EC certificates. Allowed values are P256, P384 and P521.

  • Certificate Life: To specify the certificate life in number of years.

The values specified here will be set on corresponding attributes on the Organizational CA object when the new tree is configured.

These attributes can be set in the [NWI:PKI] tag of the newtree.ni file while installing a new eDirectory server, as shown in the sample below:

[NWI:PKI]
RSA KeySize=4096
EC Curve=P521
Certificate Life=4

For more information, see Creating an Organizational Certificate Authority Object in the NetIQ eDirectory Administration Guide.

Primary/Secondary Server Installation

The eDirectory Installer provides options for the unattended installation of a primary or a secondary server into a network. One key tells the Installer whether it is a primary or a secondary server installation.

  • Primary Server: Use New Tree key in the [NWI:NDS] tag and set it to Yes for a new/primary tree installation in the newtree.ni file or in a similar response file which is required for setting up a new server.

  • Secondary Server: Use New Tree key in the [NWI:NDS] tag and set it to No for a secondary tree installation in the existingtree.ni file or in a similar response file which is required for setting up a secondary server.

For example, the keys for installing a primary server in a new tree would be as follows:

[NWI:NDS]
New Tree=Yes

and for a secondary server installation into an existing tree:

[NWI:NDS]
New Tree=No
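A pre-flight validator for a response file, as an added PowerShell example that is not part of the NetIQ guide: it applies the rules from the response-file sections above (no blank space around "=", the [NWI:NDS] keys, env:VAR passwords, exact-case NMAS method names, and the allowed [NWI:PKI] values) before EConfig.ps1 consumes the file. The sample file content is constructed for the demonstration, and the function name is my own.

```powershell
function Test-EDirResponseFile {
    param([string[]]$Lines)
    $problems = New-Object System.Collections.Generic.List[string]
    $cfg = @{ '' = @{} }   # keys that appear before any [section] header are collected under ''
    $section = ''
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $line = $Lines[$i]; $n = $i + 1
        if ($line -match '^\s*$' -or $line -match '^\s*[;#]') { continue }
        if ($line -match '^\s*\[(?<s>[^\]]+)\]\s*$') { $section = $Matches.s; $cfg[$section] = @{}; continue }
        if ($line -match '^(?<k>[^=]*)=(?<v>.*)$') {
            $k = $Matches.k; $v = $Matches.v
            # Rule from the NOTE on the sample files: no blank space on either side of "="
            if ($k -ne $k.TrimEnd() -or $v -ne $v.TrimStart()) { $problems.Add("line ${n}: whitespace around '=' in '$line'") }
            $cfg[$section][$k.Trim()] = $v.Trim()
        } else { $problems.Add("line ${n}: not a key=value pair") }
    }
    $nds = $cfg['NWI:NDS']
    if (-not $nds) { $problems.Add('[NWI:NDS] section missing') }
    else {
        foreach ($req in 'New Tree', 'Tree Name', 'Server Name', 'Server Container', 'Admin Login Name', 'Admin Context', 'Admin Password') {
            if (-not $nds.ContainsKey($req)) { $problems.Add("[NWI:NDS] missing key '$req'") }
        }
        # Admin password: an env:VAR reference keeps the secret out of the file; a literal value must be deleted after use
        $pw = $nds['Admin Password']
        if ($pw -match '^env:\s*(?<var>\S+)$') {
            if (-not (Test-Path -Path "Env:\$($Matches.var)")) { $problems.Add("environment variable $($Matches.var) is not set") }
        } elseif ($pw) { $problems.Add('Admin Password is a literal value; use env:VAR and delete the file after configuration') }
        if ($nds['Require TLS'] -and $nds['Require TLS'] -notmatch '^yes$') { $problems.Add('Require TLS is not Yes: simple binds on the clear-text LDAP port would expose passwords') }
        if ($nds['LDAP TCP Port'] -and $nds['LDAP TCP Port'] -eq $nds['LDAP SSL Port']) { $problems.Add('LDAP TCP Port and LDAP SSL Port must differ') }
    }
    $nmas = $cfg['NWI:NMAS']
    if ($nmas -and $nmas['Methods']) {
        $known = 'CertMutual', 'Challenge Response', 'DIGEST-MD5', 'SAML', 'NDS', 'Simple Password'
        $list = $nmas['Methods'] -split ','
        foreach ($m in $list) { if ($known -cnotcontains $m) { $problems.Add("unknown NMAS method '$m' (names are matched exactly, with case)") } }
        if ($list -cnotcontains 'NDS') { $problems.Add('NMAS Methods list must keep NDS') }
    }
    $pki = $cfg['NWI:PKI']
    if ($pki) {
        if ($pki['RSA KeySize'] -and ('2048', '4096', '8192') -notcontains $pki['RSA KeySize']) { $problems.Add("RSA KeySize $($pki['RSA KeySize']) is not 2048, 4096 or 8192") }
        if ($pki['EC Curve'] -and ('P256', 'P384', 'P521') -notcontains $pki['EC Curve']) { $problems.Add("EC Curve $($pki['EC Curve']) is not P256, P384 or P521") }
    }
    return $problems
}

# Constructed sample with five deliberate faults: a space before "=", a literal password,
# Require TLS=No, a mis-cased NMAS method name and an RSA key size the guide does not allow
$sample = @'
[NWI:NDS]
mode=configure
New Tree=Yes
Tree Name=ENEWTREE
Server Name=ENEWSERVER
Server Container=myorg
Admin Context=myorg
Admin Login Name=Admin
Admin Password=Secret123
Require TLS =No
LDAP TCP Port=389
LDAP SSL Port=636
[NWI:NMAS]
Methods=NDS,Simple Password,digest-md5
[NWI:PKI]
RSA KeySize=1024
'@ -split '\r?\n'
Test-EDirResponseFile -Lines $sample   # for a real file: Test-EDirResponseFile (Get-Content .\newtree.ni)
```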

Unattended Installation of eDirectory using Response File

Launching the eDirectory Installer on Windows is easy. The eDirectory_910_Windows_x86_64.exe delivered in the eDirectory release is invoked in the command line with a few additional parameters.

Depending on the setup mode you have specified, use either of the following commands:

Install

<Download Location Path>\eDirectory_910_Windows_x86_64.exe /qn

For example, D:\builds\eDirectory_910_Windows_x86_64.exe /qn

NOTE: Run the following command to install eDirectory in a custom location:

eDirectory_910_Windows_x86_64.exe /qn INSTALLDIR="C:\<Install Location>"

Configure

<eDirectory installed location> ./EConfig.ps1 -rfile <Sample_Response_Files location>\newtree.ni

For example, C:\NetIQ\eDirectory> ./EConfig.ps1 -rfile C:\Sample_Response_Files\newtree.ni

NOTE: The log files can be accessed from the following locations:

  • C:\Program Files\NetIQ\eDirectory\installlogs

  • C:\Program Files\NetIQ\eDirectory\logs

3.5.7 Locating Log Files

dsinstall.log

The first part of the dsinstall.log file available at <Windows Drive>\NetIQ\eDirectory lists environment variables that are set. The second part contains status messages documenting the eDirectory installation process.