3.2 Prerequisites

IMPORTANT:Check the currently installed NetIQ and Third Party applications to determine if eDirectory 9.1 is supported before upgrading your existing eDirectory environment. You can find out the current status for NetIQ products in the TID 7003446 It is also highly recommended to back up eDirectory prior to any upgrades.

  • Because NTFS provides a safer transaction process than a FAT file system provides, you can install eDirectory only on an NTFS partition. Therefore, if you have only FAT file systems, do one of the following:

    • Create a new partition and format it as NTFS.

      Use Disk Administrator. Refer to the Windows Server documentation for more information.

    • Convert an existing FAT file system to NTFS, using the CONVERT command.

      Refer to the Windows Server documentation for more information.

    If your server only has a FAT file system and you forget or overlook this process, the installation program prompts you to provide an NTFS partition.

  • (Conditional) NICI 3.1 and eDirectory 9.1 support key sizes up to 8192 bits for RSA encryption. If you want to use a 8K key size, every server must be upgraded to eDirectory 9.1. In addition, every workstation using the management utilities, for example, iManager, must have NICI 3.1 installed on it.

    When you upgrade your Certificate Authority (CA) server to eDirectory 9.1, the key size will not change but will still be 2K. The only way to create a 8K key size is recreate the CA on an eDirectory 9.1 server. In addition, you would have to change the default from 2K to 8K for the key size, during the CA creation.

    NOTE:The Windows Silent installer requires NICI 3.1 installed on the system.

  • If you are upgrading to eDirectory 9.1, make sure you have the latest eDirectory patches installed on all non-eDirectory 9.1 servers in the tree. You can get eDirectory patches from the NetIQ Support Web site.

  • .NET Management Framework 4.0 or above is required.

  • Make sure you have the latest Windows 2012 R2 Service Packs installed. The latest updated Windows Service Pack needs to be installed after the installation of the Windows SNMP service.

  • If you are upgrading from a previous version of eDirectory, it must be eDirectory 8.8.8.x or later. For more information on determining the eDirectory version, see Determining the version of eDirectory.

  • (Conditional) If you are installing a secondary server into an existing tree as a non-administrator eDirectory user, ensure that you have the following rights:

    • Supervisor rights to the container the server is being installed into.

    • Supervisor rights to the partition where you want to add the server.

      NOTE:This is required for adding the replica when the replica count is less than 3.

    • All Attributes rights: read, compare, and write rights over the W0.KAP.Security object.

    • Entry rights: browse rights over Security container object.

    • All Attributes rights: read and compare rights over Security container object.

    • (Conditional) If the W1.KAP.Security object exists, all attributes rights: read, compare, and write rights over this object. For more information about the W1.KAP.Security object, see Creating an AES 256-Bit Tree Key in the NICI Administration Guide.

  • (Conditional) If you are installing a secondary server into an existing tree as a non-administrator user, ensure that at least one of the servers in the tree has the same or higher eDirectory version as that of the secondary being added as container admin. In case the secondary being added is of later version, then the schema needs to be extended by the admin of the tree before adding the secondary using container admin.

  • While configuring eDirectory, you must enable SLP services and an NCP port (the default is 524) in the firewall to allow the secondary server addition. The NCP port must be configured to allow both inbound and outbound traffic.

    Additionally, you can enable the following service ports, based on your requirements:

    • LDAP clear text - 389

    • LDAP secured - 636

    • HTTP clear text - 8028

    • HTTP secured - 8030

    If you have enabled user-defined ports, you must specify these ports while configuring eDirectory.

  • If you are installing eDirectory on a virtual machine having a DHCP address or on a physical or virtual machine in which SLP is not broadcast, ensure that the Directory Agent is configured in your network.

  • If you do not have the latest Platform Agent (PA) installed while upgrading to eDirectory 9.1, please run the Novell_Audit_PlatformAgent_Win64.exe file from the <C:\NetIQ\eDirectory\auditds/ location to install.

  • The NetIQ eDirectory Management Toolbox (eMBox) lets you access all of the eDirectory back-end utilities remotely, as well as on the server. The command line client is a Java application. To run it, you must install the latest version of Oracle Java (1.8 or above). You must also ensure to upgrade any older version of Java by installing the patch upgrades available. Once you have the latest version of Java installed, export any of the following environment variables:



    • JRE_HOME

      NOTE:If you are using any prior version of eDirectory 9.0 SP4, To run the command line client, you must have access to the Java Runtime Environment, Oracle Java 1.8, which is installed with eDirectory.

Determining the version of eDirectory

To determine the version of eDirectory, follow one of the steps mentioned below:

  • Run iMonitor.

    On the Agent Summary page, click Known Servers. Then under Servers Known to Database, click Known Servers. The Agent Revision column displays the internal build number for each server. For example, an Agent Revision number for eDirectory 9.1 might be 40101.x.

    For information on running iMonitor, see Accessing iMonitor in the NetIQ eDirectory Administration Guide.

  • Run NDSCons.exe.

    In the Windows Control Panel, double-click NetIQ eDirectory Services. In the Services column, select ds.dlm, then click Configure. The Agent tabs displays both the marketing string (for example, NetIQ eDirectory 9.1) and the internal build number (for example, 40101.x).

  • View the properties of an ds.dlm file.

    Right-click the .dlm file in Windows Explorer, then click the Version tab in the Properties dialog box. This will display the version number of the utility. The default location for ds.dlm files is C:\NetIQ\eDirectory.

Configuring Static IP Address

Static IP address must be configured on the server for the eDirectory to perform efficiently. Configuring eDirectory on the servers with DHCP address can lead to unpredictable results.