
Novell NetWare 5.0 Integration Guide

David Watts, Roy Solterbeck, Pierluca Zampardi

International Technical Support Organization

www.redbooks.ibm.com

SG24-5847-00
International Technical Support Organization

Novell NetWare 5.0 Integration Guide

November 1999
Take Note!
Before using this information and the product it supports, be sure to read the general information in Appendix B,
“Special Notices” on page 245.

First Edition (November 1999)

This edition applies to the following products:


• Novell NetWare 5.0
• Novell Directory Services 8
• BorderManager 3
• NetWare Cluster Services
• NDS for NT 2.0
• ZENworks 1.1 and 2.0

Comments may be addressed to:


IBM Corporation, International Technical Support Organization
Dept. HZ8 Building 678
P.O. Box 12195
Research Triangle Park, NC 27709-2195

When you send information to IBM, you grant IBM a non-exclusive right to use or distribute the information in any way
it believes appropriate without incurring any obligation to you.

© Copyright International Business Machines Corporation 1999. All rights reserved.


Note to U.S. Government Users - Documentation related to restricted rights - Use, duplication or disclosure is subject to restrictions
set forth in GSA ADP Schedule Contract with IBM Corp.
Contents

Preface
The team that wrote this redbook
Comments Welcome

Chapter 1. What’s new in NetWare 5
1.1 New Features
1.2 Comparison between versions

Chapter 2. Products
2.1 BorderManager
2.1.1 Firewall services
2.1.2 Virtual private networks services
2.1.3 Authentication services
2.1.4 Proxy caching services
2.2 ManageWise
2.2.1 ManageWise agents
2.3 Novell Directory Services (NDS) Version 8
2.3.1 How to refer to objects in the NDS tree
2.3.2 Changes in NDS 8
2.3.3 New features
2.4 ZENworks
2.4.1 Features
2.5 NDS for NT
2.6 NetWare Cluster Services
2.6.1 Features
2.7 Novell Storage Services
2.7.1 NSS storage groups, volumes and free space
2.8 Novell StandbyServer for NetWare
2.8.1 Characteristics of StandbyServer
2.8.2 Architecture
2.8.3 Utility server feature
2.8.4 The dedicated link
2.8.5 Using NSS with StandbyServer

Chapter 3. Installing NetWare
3.1 Preparing for installation
3.1.1 Minimum hardware installing requirements
3.1.2 Information needed during the installation
3.2 Method 1: installing NetWare directly
3.3 Method 2: installing with ServerGuide
3.4 Continuing the NetWare 5 installation
3.4.1 Installing the operating system patches
3.4.2 Installing NDS 8 and ConsoleOne
3.5 Creating NSS volumes
3.6 Installing ZENworks
3.7 Installing BorderManager
3.7.1 Installing
3.7.2 Installing patches
3.7.3 Installing the snapin for administration
3.8 Installing ManageWise
3.9 NDS objects and security
3.9.1 File and directory rights
3.9.2 Objects
3.9.3 File and directory security
3.9.4 NDS security

Chapter 4. Netfinity Manager
4.1 Introduction
4.1.1 IBM Netfinity Manager
4.1.2 Client Services for Netfinity Manager
4.2 Installing Netfinity Manager
4.2.1 Server-based installation
4.2.2 Client-based installation
4.2.3 Windows clients
4.3 Using Netfinity Manager
4.4 Functions
4.5 Setting Alerts
4.6 Using Capacity Manager

Chapter 5. Integrating Windows NT with NetWare 5
5.1 Features
5.2 Installing NDS for NT
5.2.1 Items that you need prior to beginning the installation
5.2.2 Installing

Chapter 6. Optimizing and tuning
6.1 Server
6.1.1 Memory
6.1.2 Disk
6.1.3 Application
6.1.4 WAN Traffic Manager
6.2 NDS
6.2.1 NDS design
6.2.2 Partition and replication
6.2.3 Time synchronization
6.2.4 ZENworks design considerations
6.2.5 NDS health checking
6.3 BorderManager tuning

Chapter 7. Clustering
7.1 IBM clustering technology
7.2 NetWare Cluster Services
7.2.1 Preinstallation checklist
7.2.2 Installing the Fibre QL2100 controller driver
7.2.3 Installing NCS
7.2.4 Configuring NCS
7.2.5 Other configuration features
7.3 Novell StandbyServer for NetWare
7.3.1 Mirroring basics: calculating mirroring times
7.3.2 Preinstallation checklist
7.3.3 Installing StandbyServer
7.3.4 Starting StandbyServer
7.3.5 Configure mirroring
7.3.6 StandbyServer in a WAN environment

Chapter 8. Scenarios
8.1 Small configuration
8.1.1 Installing the configuration
8.1.2 Configuring the environment
8.2 Medium configuration
8.2.1 Installing the configuration
8.2.2 Configuring packet filters for DNS and PING
8.2.3 Configuring NAT
8.2.4 DNS/DHCP setup
8.2.5 Configuring for SMTP traffic
8.2.6 Configuring VPN setup
8.2.7 Configuring the VPN client
8.2.8 Cyber Patrol
8.2.9 ZENworks
8.2.10 Remote access
8.2.11 Using Catalog services for contextless login
8.2.12 Using LDAP server and client

Appendix A. Installation worksheets
A.1 Memory calculations
A.2 Installing NetWare 5 worksheet
A.3 Installing BorderManager worksheet
A.4 Replica planning worksheet
A.5 Installing NDS for NT
A.6 Parameter settings worksheet
A.7 NDS health check table

Appendix B. Special Notices

Appendix C. Related publications
C.1 International Technical Support Organization publications
C.2 Redbooks on CD-ROMs
C.3 Other publications
C.4 Referenced Web sites

How to get IBM Redbooks
IBM Redbooks fax order form

List of abbreviations

Index

IBM Redbooks evaluation

Preface
This redbook describes how to install Novell NetWare 5.0 and its key
components. It will help you install and configure these products and integrate
them with Netfinity servers from IBM.

NetWare 5.0 is Novell’s latest version of one of the most widely used network
operating systems. It combines the maturity and reliability of the traditional
NetWare network with the global reach and open standards of the Internet.

As well as explaining how to install NetWare and BorderManager, the redbook
describes how to integrate NetWare with Windows NT using the NDS for NT
product and how to implement clustering using StandbyServer and the new
NetWare Cluster Services. In-depth information about tuning and optimization is
also provided. Finally, various customer scenarios are provided to show you how
to implement Novell’s products in real situations.

This book is useful to anyone who wants to implement NetWare 5.0 on Netfinity
servers.

The team that wrote this redbook


This redbook was produced by a team of specialists from around the world
working at the International Technical Support Organization, Raleigh Center.

David Watts is an Advisory Specialist for Netfinity Servers at the ITSO Center in
Raleigh. He manages residencies and produces redbooks on IBM Netfinity
Servers. He has authored over a dozen publications, his most recent being the
third edition of Implementing Netfinity Disk Subsystems and the second edition of
Netfinity Server Management. He has a Bachelor of Engineering degree from the
University of Queensland (Australia) and has worked for IBM for over 10 years.
He is an IBM Professional Server Specialist.

Roy Solterbeck is a LAN/WAN specialist in Australia. He holds an Advanced
Certificate in Microcomputer Technology. His areas of expertise include Novell
NetWare and Windows NT. His primary role is to consult and install network
infrastructures. He holds Certified Novell Engineer (CNE) and Microsoft Certified
System Engineer (MCSE) certifications.

Pierluca Zampardi is an Advisory IT Specialist in the architecture department of
the NWS Strategic Outsourcing of Milano (Italy). He is certified as a Novell
Instructor and Administrator (CNA/CNI) on NetWare 3.1x and IntranetWare 4.1x.
Before joining IBM, he worked for 12 years as a consultant to the Novell and IBM
education centers. His areas of expertise include large systems implementation
and integration projects on LAN/WAN systems within Microsoft, Novell, Vinca,
TCP/IP and S/390 environments.

Figure 1. The team (l-r) Roy, David, Pierluca

This book uses material from Novell IntranetWare and BorderManager for IBM
Netfinity and IBM PC Servers, SG24-2145. Thanks go to the authors:
Kiran Sukhtankar, Senior Technical Executive, India
George Mobbs, LAN Consultant, Australia
Rufus Credle, Advisory Software Engineer, ITSO Raleigh
Tim Gray, Senior Software Specialist, USA

Thanks to the following people from the International Technical Support
Organization, Raleigh Center for their invaluable contributions to this project:
Jakob Carstensen
Rufus Credle
Mike Haley
Steve Russell
Bill Sadek
Margaret Ticknor

Thanks to the following people from IBM:


Darla Carithers, Netfinity Development, Raleigh
Sylvester Cash, Netfinity Performance Lab, Raleigh
Dick Cicone, Novell Alliance Project Manager, Raleigh
Greg Clarke, Advanced Technical Support, Dallas
Scott Florence, Novell Alliance Manager, Salt Lake City
Monte Knutson, Novell Technical Alliance Manager, Raleigh

Thanks to the following people from Novell:


Steve Banister
Michael Bryant
Brent Clark
Brent Farr
Chuck Flood
Brian Howell
Robert Wipfel
Kelly Frame
Carl Seaver
Sam Swim

Finally, thanks to Pierluca’s wife, Silvia Colucci for her assistance with Italian to
English translations.

Comments Welcome
Your comments are important to us!

We want our redbooks to be as helpful as possible. Please send us your
comments about this or other redbooks in one of the following ways:
• Fax the evaluation form found in “IBM Redbooks evaluation” on page 259 to
the fax number shown on the form.
• Use the online evaluation form found at http://www.redbooks.ibm.com/
• Send your comments in an Internet note to redbook@us.ibm.com

Chapter 1. What’s new in NetWare 5
NetWare 5.0 has introduced many new features that make it one of the most
relevant software products in the networking field. In this chapter, we describe
these new features. We also compare the features of NetWare 5.0, IntranetWare
4.2 and NetWare 3.2 in Table 1 on page 12.

The features we discuss in this chapter are:


• Novell Directory Services (NDS)
• Changes in NetWare 5 loader
• Modifications that enable NetWare Core Protocol (NCP) to work with multiple
protocols
• New memory management architecture, including support for virtual memory
• Use of the NetWare configuration file to keep track of the server
configuration and SET parameters
• DNS and DHCP
• WAN Traffic Manager
• Catalog services and support for Lightweight Directory Access Protocol
(LDAP) Version 3
• ZENworks
• ConsoleOne
• Backup Utility
• NDS for NT
• IP or IPX support as core protocol
• Service Location Protocol (SLP)
• Migration Gateway
• Netscape FastTrack Server
• Multiprocessor Kernel
• Novell Storage Services (NSS)
• Novell Distributed Print Services (NDPS)
• Full support for NetWare Peripheral Architecture (NWPA)
• Hot Plug PCI Support for I2O
• Support for WinSock 2
• New console commands
1.1 New Features


• NDS
NDS (Novell Directory Services) is the world's leading global directory service
currently available. NDS allows multi-platform directory services to access
resources of any kind, whether they reside locally or across the WAN,
intranet or Internet. NDS gives users a single point of administration and a
single login to access multiple resources wherever they are located.
New features have been added to the NDS of NetWare 5:
– Replica synchronization is a new mechanism that sends only the
information that has changed. This results in less traffic on the network.
– Replica synchronization introduces another mechanism, the transitive
vector, which consists mainly of a group of modification time stamps that
represent the moved values from every replica to a specified ring of
replicas. Only one transitive vector exists for each replica. Using the
transitive vector, the synchronization process can achieve convergence
among the replicas of one partition without needing to talk with every other
replica. Whenever a modification occurs in NetWare 5, replica
synchronization reads the transitive vector to determine which server needs
to receive the update.
– Another NetWare 5 feature that enhances the performance of the
synchronization process is a cache for modifications to the NDS
objects.
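The following added example (not code from the redbook or from Novell) is a simplified model of how a transitive vector lets a change reach every replica in a ring without the originating server contacting each one. Integer time stamps, the `Replica` class, the server names and the attribute value are all assumptions made for illustration.

```python
class Replica:
    """One replica of a partition in a simplified, hypothetical sync model."""

    def __init__(self, name, ring):
        self.name = name
        self.data = {}  # attribute -> (timestamp, origin replica, value)
        # Transitive vector: tv[r][o] is the latest time stamp of a change made
        # at replica o that replica r is known to hold. tv[self.name] is this
        # replica's own state; the other rows are what it has heard of the ring.
        self.tv = {r: {o: 0 for o in ring} for r in ring}

    def own(self):
        return self.tv[self.name]

    def modify(self, attr, value, ts):
        """Record a local change and advance this replica's own time stamp."""
        self.data[attr] = (ts, self.name, value)
        self.own()[self.name] = ts

    def targets(self):
        """Replicas that, according to the transitive vector, lack changes."""
        mine = self.own()
        return sorted(
            r for r, vec in self.tv.items()
            if r != self.name and any(vec[o] < mine[o] for o in mine)
        )

    def sync_to(self, other):
        """Send only the values `other` lacks; return how many were sent."""
        theirs = other.own()
        delta = {a: rec for a, rec in self.data.items()
                 if rec[0] > theirs[rec[1]]}
        for attr, rec in delta.items():
            if attr not in other.data or other.data[attr][0] < rec[0]:
                other.data[attr] = rec
        # The receiver has now seen everything the sender has seen.
        for origin, ts in self.own().items():
            theirs[origin] = max(theirs[origin], ts)
        # Both sides exchange what they know about the rest of the ring.
        for r in self.tv:
            for o in self.tv[r]:
                newest = max(self.tv[r][o], other.tv[r][o])
                self.tv[r][o] = other.tv[r][o] = newest
        return len(delta)


def demo():
    ring = ["S1", "S2", "S3", "S4"]  # constructed four-server replica ring
    s1, s2, s3, s4 = (Replica(n, ring) for n in ring)
    s1.modify("Telephone Number", "555-0100", ts=10)  # constructed change
    before = s1.targets()
    # The change travels along the ring; S1 itself only contacts S2.
    sent = [s1.sync_to(s2), s2.sync_to(s3), s3.sync_to(s4)]
    stale_view = s1.targets()      # S1 has not yet heard about S3 and S4
    sent.append(s1.sync_to(s3))    # no data moves, only vector knowledge
    converged = all(r.data == s1.data for r in (s2, s3, s4))
    return before, sent, stale_view, s1.targets(), converged


if __name__ == "__main__":
    print(demo())
```

In this model S1 never contacts S4: it learns from S3's copy of the vector that S4 already holds the change.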
• Changes to the NetWare 5 loader
One of the new NetWare 5 features is inside the loader. It is no longer
necessary to type the command LOAD before loading a NetWare module or
utility. For example, to load the monitor tool, instead of typing LOAD MONITOR, you
now only need to type MONITOR at the console.
• Modifications that enable NCP to work with multiple protocols
The new operating system is independent of the NetWare Core Protocol
(NCP). This means that internally the NCP can fulfil requests from IPX,
TCP or UDP, or any combination of them. To verify which protocols are loaded
and in what order, new commands have been introduced:
– NCP STATUS
– NCP ADDRESSES
– NCP TRACE
– NCP DUMP
For example, to verify which protocols are working and in what order,
you can use the NCP ADDRESSES command as shown in Figure 2:

SRV_NW5_1:ncp addresses

Known NCP NetWork Service Addresses (Network Order):


[IPX] 6214501:000001:451
[TCP] 192.168.00.01:0524
[UDP] 192.168.00.01:0524

SRV_NW5_1:

Figure 2. NCP ADDRESSES command

It is possible to change the loading order of the protocols. To do this:
1. Type MONITOR on the console.
2. In the window that appears, select Server Parameters.
3. Select NCP.
4. Select NCP Protocol Preferences.
Figure 3 appears, where you can modify the protocol loading order regardless
of the order in which the protocols appear in the bootstrap file AUTOEXEC.NCF.
This modification is saved in the configuration file and takes effect every
time you boot the server.


NetWare 5 Console Monitor 5.22 NetWare Loadable Module
Server name: 'NW5_BM3' in Directory tree 'IBM'
Server version: NetWare 5.00c - April 23, 1999
+----------------------------------------------------------------------------+
| NCP Parameters |
|----------------------------------------------------------------------------|
| NCP TCP receive window 23360 |
| Enable UDP Checksums on NCP packets 1 |
| NCP Packet Signature Option 1 |
| Enable IPX Checksums 1 |
+------------------------------------------------------------------------------+
| NCP Protocol Preferences |
|------------------------------------------------------------------------------|
|TCP IPX UDP |
| |
| |
+------------------------------------------------------------------------------+
| The NCP engine supports the following transports: IPX, |
| TCP, UDP. Example: SET NCP PROTOCOL PREFERENCES = TCP IPX |
| Setting: TCP IPX UDP |
| Maximum length: 126 |
+------------------------------------------------------------+
| |Time |
+-----------------------------+
Enter=Edit field Esc=Previous list Alt+F10=Exit F1=Help

Figure 3. Changing the order that the protocols load

The NCP STATUS command shows the number of NCP requests processed
by the OS engine since boot. For example, the numbers shown on the
left side of ProcessNCPPacket requests and ProcessNCPPacketWithLength
requests represent NCP requests (not in use at this moment) that have been
processed through the IPX and IP protocols as well as through the CLIB. The
NCPPacketReceiveHandler enables developers to define the length of the
packet receive buffers. Finally, NCPPacketReceiveHandler shows only the
NCP requests that have been processed through the IPX protocol.
The NCP TRACE command allows you to see the NCP requests in one file. The
NCP DUMP command enables you to see all the NCP requests.
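The following added example (not part of the redbook) parses console output in the format of Figure 2 and compares the transports NCP is bound to against an NCP PROTOCOL PREFERENCES setting such as the one in Figure 3. The sample text is constructed from Figure 2's format, and the `approved` transport set is a hypothetical site policy.

```python
import re

# Constructed sample in the format of Figure 2 (not captured from a server).
SAMPLE = """\
SRV_NW5_1:ncp addresses

Known NCP NetWork Service Addresses (Network Order):

[IPX] 6214501:000001:451
[TCP] 192.168.00.01:0524
[UDP] 192.168.00.01:0524

SRV_NW5_1:
"""

ENTRY = re.compile(r"^\[(IPX|TCP|UDP)\]\s+(\S+)$")


def parse_ncp_addresses(text):
    """Return [(transport, address, port_or_socket)] in the order listed."""
    entries = []
    for raw in text.splitlines():
        match = ENTRY.match(raw.strip())
        if not match:
            continue  # console prompt, banner or blank line
        transport, addr = match.groups()
        if transport == "IPX":
            # IPX addresses are network:node:socket, all hexadecimal.
            net, node, sock = addr.split(":")
            address = f"{int(net, 16):08X}:{int(node, 16):012X}"
            entries.append((transport, address, int(sock, 16)))
        else:
            host, port = addr.rsplit(":", 1)
            # The console zero-pads octets ("192.168.00.01"). Read them as
            # decimal by hand, because strict IPv4 parsers reject leading zeros.
            octets = [int(o, 10) for o in host.split(".")]
            if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
                raise ValueError(f"bad IPv4 address: {host!r}")
            address = ".".join(str(o) for o in octets)
            entries.append((transport, address, int(port, 10)))
    return entries


def audit(entries, preference, approved):
    """Compare bound transports with the preference string and a policy set.

    preference: value of SET NCP PROTOCOL PREFERENCES, e.g. "TCP IPX UDP".
    approved:   hypothetical set of transports the site allows NCP to use.
    """
    findings = []
    listed = [transport for transport, _, _ in entries]
    preferred = preference.upper().split()
    for transport in listed:
        if transport not in approved:
            findings.append(f"{transport} is bound but not approved")
    for transport in preferred:
        if transport not in listed:
            findings.append(f"{transport} is preferred but not bound")
    # Compare relative order only for transports present in both lists.
    listed_common = [t for t in listed if t in preferred]
    preferred_common = [t for t in preferred if t in listed]
    if listed_common != preferred_common:
        findings.append(
            "order mismatch: listed " + " ".join(listed_common)
            + ", preferred " + " ".join(preferred_common)
        )
    return findings


if __name__ == "__main__":
    parsed = parse_ncp_addresses(SAMPLE)
    for finding in audit(parsed, "TCP IPX UDP", approved={"TCP", "UDP"}):
        print(finding)
```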
• New memory management architecture, including support for virtual
memory
NetWare 5 includes support that enables you to use much more than the
physical memory in the file server through the use of virtual memory, in which
programs and NLM applications can be swapped in and out of memory and
saved on the hard disk.
By default, the virtual memory allocates a file of 2 MB saved in the root of the
volume SYS. From that point the swap file can either grow or shrink
according to the number of NLMs and server applications that are
working at that moment and according to the amount of memory the server
needs to maintain for the users and the applications.
Furthermore, you can select a different volume on which to create the swap
file. You can have multiple swap files. NetWare 5 will use them to obtain the
best performance.

It is possible to use the SWAP command either to move the swap file to a
different volume or to add another one. Type HELP SWAP to display all SWAP
options as shown in Figure 4.

SWAP [ADD|DELETE volume_name]


Adds or removes the swap file from a volume and sets MIN, MAX and MIN Free.
If no parameters are given then swap file information is displayed

ALL VALUES ARE IN MILLIONS OF BYTES


MIN or MINIMUM = Minimum swap file size. (default = 2)
MAX or MAXIMUM = Maximum swap file size. (default = Free volume space)
MIN FREE or MINIMUM FREE = Minimum free space to be preserved on a
volume outside the swap file; this controls the maximum size of the
swap file on this volume. (default = 5)

Example: swap
Example: swap add vol2
Example: swap add vol3 min = 5 max = 100 min free = 10
Example: swap delete vol3
Example: swap parameter vol2 min = 2 max = 1000 min free = 100

NW5_BM3:

Figure 4. HELP SWAP console command

There are three basic items inside the virtual memory model:
– Primary storage
– Secondary storage
– Swap file
The primary storage is the physical memory that the server has. Secondary
storage represents the applications that may exist inside the swap file at a
given moment.
For more details about how the virtual memory is configured through the SET
parameters, enter the following command on the console:
MONITOR !H
In the window that appears, select Server then Memory. Here you will find an
online help screen with detailed information about the individual options.
NetWare 5 also has a list of options for addressing memory
spaces. If you enter PROTECTION, you will see a list of addresses correctly used
by the server, as well as the NLMs that have been loaded in those spaces.
It is also possible to use the console command PROTECT to load the modules in
an .NCF file into a protected address space using the command:
PROTECT [filename].NCF
• Use of the NetWare configuration file to maintain the server configuration
and SET parameters
NetWare 5 has a new method to keep track of the information saved in .NCF
files. The NetWare configuration file stores names and values in a
hierarchical database tree structure consisting of branches, nodes and leaves.
This information is saved in the SERVCFG.000 file, which is stored in the directory
C:\NWSERVER as well as in the directory SYS:SYSTEM. Modifications
made with the MONITOR tool are saved in this file.
• DNS, DDNS and DHCP
DNS and DHCP now have the benefits of NDS. This means that DNS and
DHCP will be replicated along with the NDS and allow administrators to
control these applications through NWADMN32. DNS and DHCP also support
Dynamic DNS (DDNS). DDNS allows dynamic updating of host names based
on their changing IP addresses. This reduces the manual overhead of DNS
and DHCP administration.
• WAN traffic manager
This management utility improves supervision of data that is being sent across
the WAN.
• Catalog services and support for LDAP Version 3
This service enables the administrator to produce a catalog of all or some
items in the NDS. Users can search this catalog, which is not based on the
context of the user or of the object being searched for. LDAP service is a
server-based interface between NDS and applications that comply with LDAP.
• ZENworks
ZENworks (short for Zero Effort Networks for users) is a desktop management
suite that provides application and user functionality, leveraging NDS to
determine which users are supplied with which applications. NetWare 5 ships with
a cut-down version of ZENworks called the starter pack, which is an
integration of the Novell application launcher and Novell workstation manager,
including software distribution and workstation management.
• ConsoleOne
NetWare 5 has a server-based Java GUI (graphical user interface) that you
can use when you install the operating system. The NetWare GUI allows you
to run Java programs and applets on NetWare.
You can access it from the Start Menu of the Java-based ConsoleOne. It is a
graphical tool that you can use either on the server or on a Windows client.
From the server, ConsoleOne enables you to perform system functions such as
creating, deleting and renaming files, moving and copying files, and viewing
DOS volumes.
If you wish to prevent ConsoleOne from loading automatically when the file
server boots, do the following:
1. Load the NWCONFIG tool
2. Select the NCF files options
3. Edit AUTOEXEC.NCF file
4. Comment out the command line C1START.NCF
ConsoleOne works on Windows 95/98 or Windows NT. The requirements are:
– The NetWare 5 client installed
– A minimum of 200 MHz processor
– 64 MB of RAM
– 64 MB of swap file
– A minimum of 150 files allocated in the CONFIG.SYS file
– Monitor resolution of at least 800x600

• Backup utility
NetWare 5’s new backup facility is based on the old backup (SBACKUP) but
functionality has been added to let administrators schedule multiple and
repetitive backups.
• NDS for NT
NDS for NT Version 2.0 allows you to control Windows NT servers in the same
way that you can manage and control NDS on NetWare. NDS for NT
eliminates the need to maintain or establish trust relationships between
domains.
NDS for NT includes NWADMIN which integrates with NT management
applications such as user manager, server manager and file sharing wizard.
Users only need to log in once to NDS; they will then have the rights
allocated to them in a domain or in the NetWare environment. NDS for NT
does not change the domain structure and is therefore compatible with
existing applications that communicate with the domain.
NDS for NT installs a special version of the Novell client.
Note: NDS for NT is an additional product and not part of NetWare 5.
• IP supported as a core protocol
One of the main criticisms of NetWare since the widespread use of the
Internet is the lack of support for the IP protocol.
In the past NetWare was able to communicate over IP by loading specific
NLMs that would encapsulate the IPX packets and send them using TCP/IP.
NetWare 5 includes native IP and IPX as the two protocol suites; these are
chosen during installation. NetWare 5 has compatibility mode drivers which
will enable old IPX clients to communicate with the new IP-based server. This
provides administrators with a minimum of disruption during the transition to a
pure IP environment.
In addition, there are a number of other components that facilitate IPX to IP
migration in NetWare 5. They include:
– Migration Agent
– Protocol Independent NetWare Client and Server
– Protocol Independent Novell Directory Services
– Service Location Protocol
– Domain Name Service
– Dynamic Host Control Protocol
• Service Location Protocol (SLP)
SLP is an industry-standard Internet protocol that gives the users a
plug-and-play environment for services in a pure IP environment.
Whether the user agent is on the server or on a workstation, it can register as
a client after it communicates with the directory agent to see what services are
available. Once the service is registered with the directory agent or service
agent, you can register or deregister the service.
Once the application has been registered with the SLP user agent, it can look
up a service or get a list of services and read the attributes of a service, using
either blocking calls or synchronous calls. In the IP environment, this
information is pulled out of the directory agent and put into NDS so that users
and administrators can determine what services are available in a local area,
provided the proper security rights are granted.
• Migration gateway
As the name suggests, this is a gateway that eases the move from an
IPX-based environment to a pure IP one. This gateway or agent allows all
routes and services from a pure IP segment of the network to communicate
with the IPX network. It also enables users to connect two IPX networks
across an IP-based WAN.
• Netscape FastTrack Server
NetWare 5 includes Netscape FastTrack Server for creating, publishing and
serving Web documents.
FastTrack Server supports major Web scripting languages so you can leverage
your scripting expertise in creating customized server-side applications. These
are:
– Perl 5
– NetBasic 6.0
– NetBasic 7.0 (a VB Script-compatible language)
– JavaScript
Java programmers can write servlets using the LCGI servlet Gateway running
alongside the Netscape FastTrack Server for NetWare. In addition, pre-built
NetBasic 7.0 components, Java Beans, and ActiveX controls make it possible
to assemble network applications.
Using the development environment of choice, Web scripters and RAD
developers can embed network services into Web pages and construct
server-side applications that leverage the security of NetWare.
• Lightweight Directory Access Protocol (LDAP)
The Lightweight Directory Access Protocol (LDAP) is a developing Internet
communications protocol that allows client applications to access directory
information. It is based on the X.500 Directory Access Protocol (DAP) but is
less complex than a traditional client and can be used with any other directory
service that follows the X.500 standard.
The most popular current use of LDAP is for allowing clients to access
directory services that store and publish telephone numbers and e-mail
addresses.
For more information about LDAP, refer to the following:
– The University of Michigan http://www.umich.edu/~dirsvcs/ldap/ldap.html
– Critical Angle Inc. http://www.critical-angle.com/ldapworld/index.html
LDAP services for NDS is a server-based interface between NDS and
applications that comply with LDAP.
Some typical features allow clients to do one or more of the following:
– Look up information about a specific person, such as an e-mail address or
phone number
– Look up information for all people with a given last name, or a last name
that begins with a certain letter
– Look up information about any NDS object or entry
– Retrieve a name, e-mail address, business phone number, and home
phone number
– Retrieve company name and city name
– Retrieve any information in the NDS database
• Multiprocessor kernel
NetWare 5 contains a multiprocessor kernel (MPK) that fully supports SMP
hardware. This enables NetWare 5 to load only one driver, unlike IntranetWare
4.11 which instead needs more than one driver for the complete management
of the MPK.
A greater number of the core processes of NetWare 5 are multi-threaded and
therefore use the MPK system. For example, the following processes use
this technology:
– Java
– NetWare Debugger
– ODI/LSL
– Media Manager
– Virtual Memory
– Abend Recovery
NetWare 5 has introduced the DISPLAY INTERRUPTS console command to
display information concerning processors and interrupts in the server:
• Novell Storage Services (NSS)
In previous versions of NetWare, the NetWare File System (NWFS) took care
of all administration of files and volumes. In NetWare 5 the new NSS service is
available in conjunction with enhancements to the NWFS.
NSS is based on a 64-bit indexed storage system and increases dramatically
the size of volumes and files, number of directories and files and the speed at
which the volumes will be mounted and repaired.
NSS has the ability to store a large object or large number of objects without
degrading system performance. No matter how large a volume, directory, or
file is, NSS still performs well. Features of NSS are:
– The ability to store larger files (up to 8 terabytes). NSS can recognize and
use much more data on large devices than other file systems.
– The ability to store large numbers of files on an NSS volume (up to 8
trillion). This feature cuts down on directory level management time.
– The ability to have up to 1,000,000 files open simultaneously.
– Rapid access to data regardless of file size. Any size file can be opened in
the same amount of time.
– The ability to mount many more NSS volumes on a server — up to 255
depending on the NetWare Loadable Module and any physical limitations.
– NSS volumes that mount and verify themselves rapidly. Any size volume
can be recovered and mounted in under a minute if cleanly dismounted.
– Full CD-ROM support for ISO9660 and Macintosh HFS formats that include
automatic mounting using CDROM.NLM. The new CDROM.NLM along with
NSS makes it much faster and easier to mount your CD-ROM.
– DOS FAT partitions that can be made available dynamically as NSS
volumes.
– The ability to mount NSS volumes with only 1 MB of available RAM.
– Faster error recovery. NSS volume errors are noted quickly.
– The ability to define new name spaces (in addition to DOS, Macintosh,
LONG, and UNIX/NFS).
– The ability to define new media formats through the Loadable Storage
Subsystem (LSS) interface. Future formats could include UDF (universal
disk format) for use with DVD and many others.
– The ability to manage and enable a variety of storage devices from one
location by using NSS volumes. For this release, only hard drives and
CD-ROM devices are supported.
Some of the limitations of NSS are listed below. These, however, are being
developed at the moment by Novell.
– File compression.
– Block suballocation. The block size is fixed at 4 KB. When the variable
block size is supported, block sub-allocation will be added.
– Data migration. Hierarchical Storage Management (HSM) and Real Time
Data Migration (RTDM). A new version of HSM will be supported in the
future.
– SYS volume. For this release, the SYS volume must be a traditional
NetWare file system volume.
– Transaction Tracking System (TTS). Because TTS is not supported, NSS
cannot support a SYS volume at this time. A SYS volume and TTS will be
included in the near future.
– Network File System (NFS). You cannot put Network File System (NFS) on
an NSS volume. NFS will run on a server with NSS, however.
– Disk mirroring or duplexing. A separate controller installed with each disk
for disk mirroring. Disk mirroring will be supported in the near future.
– FTP. You cannot put the File Transfer Protocol (FTP) on an NSS volume, as FTP
may crash the server. FTP will run on a server with NSS, however.
Creating an NSS volume is a multi-step process. NSS scans for all devices
that have free space, and lists each device’s space as a storage object. From
this list of storage objects the administrator can then choose which ones they
would like to make available to NSS. NSS then reserves this and the space
becomes a managed object. From these objects the administrator can create
storage groups and NSS volumes.
• Novell Distributed Print Services (NDPS)
NDPS provides bi-directional communication between users, printers and
administrators. Some of the features of NDPS are:
– Automatic driver download of new devices. Print drivers are stored in NDS.
– Tight integration with NDS and NWADMIN.
– Fully compatible with your existing queue-based printing resources.
– Reduce/remove SAP traffic - Direct printer communication by using SLP to
register the service.
– One NDS object per printer, containing all information.
– No user license required.

There are several components to NDPS:
Printer agent
The printer agent replaces the queue based printing components. Each printer
agent represents one printer. These can be directly connected to a NetWare
server, client workstation or directly to the network. The printer agent is not an
NDS object but a logical entity that is embedded in the printer software or
software loaded on the machine that has the printer attached.
NDPS manager
The NDPS object NDPS manager is used to create, configure and manage the
printer agents. Only one NDPS manager object can reside on a server and it
stores information that is used by the NWNDPS.NLM. When NDPS managers
create a printer there is a choice of two types of printers that can be set up:
– Public access printer - these printers, as the name suggests, are available
to all users on the network. They are not represented in the NDS and
therefore cannot leverage some of the advantages of the NDPS services,
such as event notification.
– Controlled access printer - these printers are NDS objects and can take full
advantage of all aspects of the NDPS services.
Printer gateways
As the term suggests, the idea of the gateway is to allow NDPS type printers
the ability to communicate with non-NDPS-aware printers, such as the old
print queue based printers that do not have the NDPS printer agent software
embedded in them. When a printer agent is created, it is necessary to specify
which gateway the printer agent is to use.
NDPS broker
The NDPS broker is created when the NDPS service is installed on the
NetWare 5 server. This broker in future iterations of NetWare may not only
register printer services but any service that NetWare wishes. Additional
objects are created automatically when the NDPS service is installed. This is
done so that the closest NDPS broker is only three hops away.
• Full support on NWPA - NetWare Peripheral Architecture
As already implemented in the previous versions of NetWare/IntranetWare, the
NWPA architecture has been developed to supply wide and reliable support to
the drivers of different vendors on host adapters and storage devices.
NWPA is divided into:
– Host Adapter Module (HAM) that aligns itself to adapter hardware
– Custom Device Module (CDM) that associates a host adapter bus with
storage devices
This new architecture allows a driver, still active in the server memory, to be
dynamically swapped out and replaced with another version without rebooting
the server.
• PCI Hot Plug and I2O
The NWPA supports hot-pluggable adapters. This feature generates an
alert when an error occurs on those adapters. To perform this function, the
server must have loaded the Monitor Hot Plug and the Hot Plug Controller
Driver modules.

NetWare 5 supports the intelligent I2O architecture specification, which is an
architecture you can use to develop device drivers. It works independently of
the operating system, processor platforms and the system I/O bus.
Implementations of I2O include the RAID controllers for network data
storage and retrieval, ATM controllers and network adapters.
With NetWare 5, Novell releases a set of NLMs that can be used depending on
the hardware the system is using. These NLMs include the following:
– I2OPCI.NLM
– IOPX.NLM
– BKSTROSM.HAM
– SCSIOSM.HAM
– ETHEROSM.LAN
– FDDIOSM.LAN
– TOKENOSM.NLM
– NBI.NLM
– MSM.NLM
– ETHERTSM.NLM
– TOKENTSM.NLM
– FDDITSM.NLM
NetWare 5 automatically detects if the hardware exists, for example an
I2O-aware motherboard or add-on network boards. With this feature, the
NetWare servers should be able to achieve the maximum speed of output
possible.
• Support on WinSock 2
A great help to developers is the full support for WinSock 2 as an industry
standard. It allows NetWare 5 to support all the operational ways that can be
applied to the operating system. WinSock 2 by Novell is the preferred
interface for applications that need to use a number of different protocols
at the same time in order to provide independent transport.
• New console commands
NetWare 5 has new console commands that you can use to display how the
SET parameters and the configuration of the system are configured.
They are the following:
– DISPLAY ENVIRONMENT
– DISPLAY MODIFIED ENVIRONMENT
– RESET ENVIRONMENT
– SAVE ENVIRONMENT
– SAVE MODIFIED ENVIRONMENT
Although ALIAS is not a new command, it has new functions. It can help you to
remember the console commands more frequently used. Typing ALIAS
displays the aliases currently defined. Enter the command HELP ALIAS for more
information.
• Other new features
When NetWare 5 was released there were over 200 applications already
tested and certified to work with the new operating system. A current list of
supported applications can be found at:
http://developer.novell.com/netware5

For more information on other new features of NetWare 5, see the Novell Web
site, http://www.novell.com. These include:
– Secure Authentication Services (SAS)
– Public Key Infrastructure Services (PKI)
– Java Install
– Novell Upgrade Wizard

1.2 Comparison between versions


Table 1 compares the features that are included with NetWare 5.0, IntranetWare
4.2 and NetWare 3.2.
Table 1. Comparison between NetWare versions

| Options | NetWare 5.0 | IntranetWare 4.2 | NetWare 3.2 |
|---|---|---|---|
| Novell Directory Services | Included | Included | No |
| ZENworks | Included | Included | No |
| NDS for NT | Included | Included | No |
| NDS Version 8 | Included | No | No |
| ConsoleOne | Included | No | No |
| IP Protocol | Included | NetWare/IP | NetWare/IP |
| Netscape FastTrack Server | Included | Included | No |
| Netscape Enterprise Server | Available (1) | Available (1) | No |
| DHCP support | Included | Included | No |
| DNS support | Included | Included | No |
| CGI scripting for Internet apps | Included | Included | No |
| IPX/IP gateway | No | Available (1) | No |
| FTP services | Included | Included | No |
| Netscape Communicator | Included | Included | Included |
| Network Address Translator | Available (1) | No | No |
| BorderManager | Available (2) | Available (2) | No |
| SMP symmetrical multi processor | Up to 32 | Up to 8 | No |
| Memory protection | Included | No | No |
| Virtual memory | Included | No | No |
| Application prioritization | Included | No | No |
| Supported connections | Thousands | Thousands | Up to 250 |
| NSS Novell Storage Services | Included | No | No |
| Max volume size | 8 TB | 32 GB | 32 GB |
| NDPS | Included | Available (2) | No |
| I2O support | Included | Available (1) | No |
| PCI hot plug support | Included | Included | No |
| Backup support | Included | Included | Included |
| RSA security key | Included | Included | No |
| Auditing | Included | Included | No |
| Security authentication services | Included | No | No |
| Public Key Infrastructure | Included | No | No |
| JVM and JAVA Tools | Included | Available (2) | No |
| Perl 5.1 | Included | Included | No |
| NetWare Connect for remote access | Included | Included | Available (2) |
| Minimum CPU required | Pentium | i386 | i386 |
| Minimum memory required | 64 MB | 16 MB | 6 MB |

Notes:
1. Available by downloading a patch
2. Available by adding a free downloadable product

Chapter 2. Products
This chapter introduces some of the key products from Novell:
• BorderManager
• ManageWise
• NDS Version 8
• ZENworks
• NDS for NT
• NetWare Cluster Services
• Novell StandbyServer for NetWare

2.1 BorderManager
With the advent of Internet-based applications such as e-mail, browsing and Web
serving, it has become imperative that companies connect and deal with the
Internet on a daily basis. This has led to security and performance concerns.
BorderManager is a suite of applications developed by Novell over the past
years to combat the issues of security and performance while connecting to the
public Internet. Connecting to the Internet normally requires multiple
products:
1. A firewall to ensure that security is not breached.
2. A proxy server to keep down the costs of the Internet access.
3. A gateway to convert the clients running old protocols or one that converts
internal IP addresses into valid public addresses.
4. Remote access software for clients.

Some applications or hardware products cover several of these functions and
their management, but none can handle all of them. This means that you will
have to learn multiple interfaces.

This is where BorderManager comes in: as a total package, it can generally be
managed from the one interface. BorderManager is an extension of the new
NetWare 5 operating system but can still be installed on NetWare 4.11. It
allows a company to connect to the Internet and generally covers all the areas
that the company needs in order to do so.

This new version of BorderManager is broken up into four distinct products. You
can purchase these separate products or you can purchase all of them in the
Enterprise Edition. The Enterprise Edition consists of all the separate products
that are listed below:
1. Firewall services
– Full access control
– Application proxy services
– Caching services
– Site-to-site virtual private networks (VPN)
– Gateways
– Network Address Translation (NAT)
– Packet filtering
2. Virtual private networks services
– VPN access control
– Site-to-site VPN
– Client VPN
– NAT
– Packet filtering
3. Authentication services
– RADIUS accounting
– RADIUS authorization
– RADIUS authentication
4. FastCache services
– Proxy caching services
– Gateways
– NAT

Apart from being a total solution for your network borders, BorderManager is fully
NDS compliant. This enables the administrator to control the access to the
Internet or configure VPNs from NWAdmin. With the ever-increasing need for
reducing cost of ownership and increasing productivity, NDS is a tool that can
help in all these aspects, as well as being a powerful tool to control the security of
your network.

2.1.1 Firewall services


BorderManager secures and manages the border where the corporate intranet
connects to the Internet. By filtering all network traffic at the gateway,
whether inbound or outbound, BorderManager enables access to Internet
services from the intranet, access to the intranet from a remote location, and
access to geographically dispersed sites. This means that BorderManager allows
organizations to combine remote sites into a network called a virtual private
network (VPN). These VPNs then combine the intranet and the Internet. VPNs
also allow organizations to send data to the Internet that is geographically
closer to the users, resulting in less network traffic and faster access.

Firewall services include:


• Application proxy services.
• Site-to-site VPN. This will be discussed in 2.1.2, “Virtual private networks
services” on page 20.
• Gateways.
• Network Address Translation (NAT).
• Packet filtering.

One of the main aims of BorderManager is to improve the security of connecting
the corporate network to the Internet. To understand what BorderManager offers
in this area, it is important to look at the Open Systems Interconnection (OSI)
layers. The OSI model is an architecture that establishes a framework for the
development of standards for the interconnection of computer systems. Network
connection functions are organized into seven layers of communication functions.
These standards have been set by the International Organization for
Standardization (ISO). This body is made up of various representatives from
countries with the aim to standardize intellectual, scientific and economic activity.
Table 2. BorderManager services in the OSI model

| OSI layer | Services |
|---|---|
| Application | VPN; Proxy Cache |
| Presentation | VPN |
| Session | VPN |
| Transport | VPN; IP/IP gateway; IPX/IP gateway; Packet filtering |
| Network | VPN; NAT; Packet filtering |
| Data link | VPN; PPP (Point-to-Point Protocol); Packet filtering |
| Physical | [not applicable] |

The further up the OSI model the technology operates, the finer the detail it
controls and the more secure the firewall technology becomes. With this greater
security, the firewall must look at more of the packets that are passing
through. For this reason, firewall applications further up the OSI model will
not be as fast as a packet filter set at the data link layer.

2.1.1.1 Application proxy


In the OSI model, the application proxy service is at the highest level of the
model. The higher up the OSI model the service operates, the greater the
security, but also the greater the time it takes to pass through the proxy.

The application proxy has the ability to enhance the security of the lower layer
firewall services and control down to the command level in the application. For
example, FTP commands can be selectively allowed or stopped: the company may
have an FTP server from which they allow users to download documentation files,
but they do not want anyone placing anything on the server. The administrator
would configure the application proxy to allow FTP get commands but disallow
FTP put commands. One of the main difficulties with application proxy servers
is that there is a proxy server for each application, making it an overhead in
administration and configuration. The decision to use an application proxy or
to move down the layers of the OSI model depends on the security that the
company needs and the amount of time the administrator can spend.
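The get-but-not-put policy described above, as an added Python sketch of the decision an application proxy makes on the FTP control channel. It is not BorderManager code: the function names, the allow list, the line-length limit and the reply texts are assumptions; the verbs themselves are the RFC 959 commands behind the client's get (RETR) and put (STOR).

```python
# Verbs a download-only session needs (RFC 959). Anything else is refused,
# so a verb nobody thought about is denied by default.
ALLOWED = {"USER", "PASS", "SYST", "TYPE", "PWD", "CWD", "CDUP",
           "PASV", "PORT", "LIST", "NLST", "RETR", "NOOP", "QUIT"}
# Verbs that place or change content on the server, named so the reply and
# the proxy log can state the reason for the refusal.
WRITE_VERBS = {"STOR", "STOU", "APPE", "DELE", "RNFR", "RNTO", "MKD", "RMD"}
MAX_LINE = 512  # assumed limit for one control-channel line


def parse_command(line: bytes):
    """Split one control-channel line into (verb, argument); None if malformed."""
    if len(line) > MAX_LINE or not line.endswith(b"\r\n"):
        return None
    try:
        text = line[:-2].decode("ascii")
    except UnicodeDecodeError:
        return None
    # A single command must not carry a second line or a NUL byte inside it.
    if "\r" in text or "\n" in text or "\x00" in text:
        return None
    verb, _, arg = text.partition(" ")
    if not verb.isalpha():
        return None
    return verb.upper(), arg  # FTP verbs are case-insensitive


def decide(line: bytes):
    """Return ("forward", line) or ("reject", reply_sent_to_the_client)."""
    parsed = parse_command(line)
    if parsed is None:
        return ("reject", b"500 Syntax error, command unrecognized.\r\n")
    verb, _ = parsed
    if verb in ALLOWED:
        return ("forward", line)
    if verb in WRITE_VERBS:
        return ("reject", b"550 Uploads and changes are not permitted.\r\n")
    return ("reject", b"502 Command not implemented.\r\n")


def actions(lines):
    """Apply the policy to a whole control-channel transcript."""
    return [decide(line)[0] for line in lines]


# Constructed sample session (not captured traffic).
SESSION = [
    b"USER anonymous\r\n",
    b"PASS guest@example.com\r\n",
    b"CWD /pub/docs\r\n",
    b"PASV\r\n",
    b"retr manual.pdf\r\n",     # the client's "get", lower case on purpose
    b"PASV\r\n",
    b"STOR upload.bin\r\n",     # the client's "put"
    b"SITE CHMOD 644 x\r\n",    # not on the allow list
    b"RETR a\r\nSTOR b\r\n",    # malformed: a line break inside one command
]

if __name__ == "__main__":
    for line, action in zip(SESSION, actions(SESSION)):
        print(f"{action:8} {line!r}")
```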

BorderManager Enterprise Edition III includes HTTP, FTP, Gopher, mail, Real
Audio/video and DNS application proxies. It also includes some generic UDP and
TCP proxies that give companies the ability to configure other proxies, such as
LDAP.

2.1.1.2 Gateways
Looking at the OSI model, the gateways work at the middle layers and are
therefore faster than the upper layer firewall services. The two gateways are as
follows:
• SOCKS gateway: One of the major enhancements of the SOCKS server is the
support for WinSock Version 2. This means that an implementation of this
SOCKS server will not mean a revisit to workstations so that they can
communicate to this new server. The SOCKS server can also protect the
company’s internal network or client, allowing the corporation to leave the
existing firewall in place and allow the BorderManager to act as a SOCKS
client and pass information through the existing firewall by authenticating to it
on behalf of the users.
• IPX/IP and IP/IP gateway: These gateways allow the users to connect to the
Internet even if they are not running the IP protocol. The user gateway
receives TCP/IP commands and then converts them to the appropriate IP
range and command set and passes them on to the appropriate router.

Again these are configured using NDS to ensure that only users who are
authenticated are allowed to access these services.

2.1.1.3 Address translation


BorderManager allows all users to share a common IP address. The advantage of
this is that it hides the intranet addresses from any Internet-based intruders and
thus enhances security. The address translation feature of BorderManager helps
in resolving limited network addresses when necessary and also creates proper
external addressing. One of the major limitations of the IP Version 4 addressing
scheme is the limited number of addresses. IP Version 6 will alleviate many of
these problems. With the proper use of NAT it is unnecessary to worry about too
many public addresses. The only ones you need are the ones that will be sent
information from the public interface, such as SMTP mail servers, and even these
you can cover with static NAT.

Address translation in BorderManager has two modes: static and dynamic. The
dynamic mode is used in situations when a corporation has configured the clients
with a private addressing scheme and now wishes these clients to connect to the
Internet. The choice is either to reconfigure all the clients with valid IP addresses
or to set up the dynamic address translation to specify any IP address from a
certain range to be mapped to either one or multiple valid IP addresses.

[Figure 5 labels: Netfinity 7000 M10 running NetWare 5; Netfinity 5000 running NetWare 5 and BorderManager with NAT in dynamic-only mode; Firewall; ISP/Internet; addresses 192.168.0.0, 192.168.0.1, 192.168.0.2, 192.168.0.3 and 223.10.10.22]
Figure 5. Dynamic network address translation

Static NAT works in much the same way as dynamic NAT in that it changes IP
addresses from one to another. However, it does it for only one IP address to
another IP address, a one-to-one mapping where dynamic is a one-to-many.
Static NAT would be used if, for example, the company has a mail server that has
a valid IP address on the Internet and internally it has a corporate IP address
scheme.

[Figure 6 labels: Netfinity 7000 M10 running NetWare 5, 192.168.0.1 and 223.10.10.23; Netfinity 5000 running NetWare 5 and BorderManager with NAT in dynamic and static mode; Firewall; ISP/Internet; addresses 192.168.0.0, 192.168.0.1, 192.168.0.2, 192.168.0.3 and 223.10.10.22]
Figure 6. Static and dynamic network address translation
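Static and dynamic translation side by side, as an added Python sketch that is not BorderManager code. The addresses come from the labels of Figures 5 and 6; the /24 mask, the pairing of 192.168.0.1 with 223.10.10.23 as the static entry, the use of port translation to share one public address, and all names are assumptions.

```python
import ipaddress


class Nat:
    """Toy translation table with one shared (dynamic) public address and
    optional one-to-one (static) entries."""

    def __init__(self, private_net, public_ip, static_map=None, first_port=50000):
        self.private_net = ipaddress.ip_network(private_net)
        self.public_ip = public_ip
        self.static_out = dict(static_map or {})       # private -> public
        self.static_in = {pub: priv for priv, pub in self.static_out.items()}
        self.dyn_out = {}   # (private_ip, private_port) -> public_port
        self.dyn_in = {}    # public_port -> (private_ip, private_port)
        self.next_port = first_port

    def outbound(self, src_ip, src_port):
        """Translate the source of a packet leaving the intranet."""
        if ipaddress.ip_address(src_ip) not in self.private_net:
            raise ValueError("source is not on the private network")
        if src_ip in self.static_out:
            # Static mode: the host always appears under its own public address.
            return self.static_out[src_ip], src_port
        key = (src_ip, src_port)
        if key not in self.dyn_out:
            # Dynamic mode: the first packet of a flow creates the mapping.
            self.dyn_out[key] = self.next_port
            self.dyn_in[self.next_port] = key
            self.next_port += 1
        return self.public_ip, self.dyn_out[key]

    def inbound(self, dst_ip, dst_port):
        """Translate the destination of a packet arriving from the Internet.

        Returns None when nothing maps to it: the packet has no internal
        destination, which is how the shared address hides the intranet."""
        if dst_ip in self.static_in:
            return self.static_in[dst_ip], dst_port
        if dst_ip == self.public_ip:
            return self.dyn_in.get(dst_port)
        return None


def build_example():
    # Mail server 192.168.0.1 is published one-to-one; everyone else shares
    # 223.10.10.22 (pairing assumed from the figure labels).
    return Nat("192.168.0.0/24", "223.10.10.22",
               static_map={"192.168.0.1": "223.10.10.23"})


if __name__ == "__main__":
    nat = build_example()
    print(nat.outbound("192.168.0.2", 1025))   # shared address, new port
    print(nat.outbound("192.168.0.3", 1025))   # same address, different port
    print(nat.inbound("223.10.10.22", 50001))  # reply finds its way back
    print(nat.inbound("223.10.10.22", 25))     # unsolicited: no mapping
    print(nat.inbound("223.10.10.23", 25))     # static entry reaches the server
```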

2.1.1.4 Packet filtering


Packet filters are at the lower levels of the OSI model and are fast, since they only
look at a small portion of the packet. The packet filters are used in conjunction
with the upper layer firewall services, and it is these upper layer services that
control the finer details of the packet. The packet filters filter the information
being passed by IP hosts, IPX addresses or ports. So if you did not want any
telnet capabilities, the filter could stop any telnet commands from entering or
exiting the network. These were the filters that were available in the older
version of BorderManager services; with the new version come two new
filters designed to increase the level of security and ease of administration.
• Stateful filters. One of the problems with the older filters was that when a filter
was set to allow a port such as HTTP out, the corresponding port for return
information had to be set. With stateful filters, the return port is configured
automatically. The stateful filter opens the port when it is required and then
closes it after the conversation has finished. This is slower than the static
filters but the ease of use and removal of user error are reason enough for
their use. The added security is a definite plus for the connection to the
Internet.
• ACK (Acknowledgement) bit filters. The ACK filter enables a higher level of
security for the packet filter. When a TCP session is begun it goes through a
handshaking process, as shown in Figure 7.

[Figure 7 labels: 1. SYNa bit set; 2. SYNb bit set and ACKa; 3. ACKb; Netfinity 5000 running NetWare 5 and BorderManager with NAT in dynamic and static mode; Firewall; ISP/Internet]
Figure 7. Handshaking TCP session

The sequence is:


1. The handshaking starts with the host requesting the beginning of a TCP
session with the SYN (synchronize) bit set.
2. The reply then returns with the SYN bit and ACK bit also set.
3. The initiating node sends back an ACK bit, thereby confirming the
conversation.

The initiating node can only start the conversation with the SYN bit set and no
ACK bit. The ACK filter enabled for port 21 (FTP) will allow the conversation to
be begun only from the internal network. Any conversation begun from the public
side of the network will not have an ACK bit set and will therefore not be allowed.
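The ACK-bit rule and the stateful rule described above, as an added Python sketch that is not BorderManager code. The segment fields, class names and the external addresses are assumptions, and the traffic is constructed; the sketch also goes one step beyond the text by showing a segment that has the ACK bit set but belongs to no session, which the stateless ACK check passes and the stateful filter drops.

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "192.168.0."   # private range used in the page's figures


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset             # subset of {"SYN", "ACK", "FIN", "RST"}


def seg(src, sport, dst, dport, *flags):
    return Segment(src, sport, dst, dport, frozenset(flags))


def is_internal(addr):
    return addr.startswith(INTERNAL_PREFIX)


def ack_filter(s, port=21):
    """Stateless ACK-bit filter for one service port."""
    if port not in (s.sport, s.dport):
        return False             # not covered by this rule: default deny
    if is_internal(s.src):
        return True              # the internal side may begin a conversation
    return "ACK" in s.flags      # the public side may only answer one


class StatefulFilter:
    """Opens the return path per session and closes it when the session ends."""

    def __init__(self, port=21):
        self.port = port
        self.sessions = {}       # (client, cport, server, sport) -> FINs seen

    def check(self, s):
        outbound = is_internal(s.src)
        key = ((s.src, s.sport, s.dst, s.dport) if outbound
               else (s.dst, s.dport, s.src, s.sport))
        if key[3] != self.port:
            return False         # server side of the flow is not the allowed port
        if outbound and s.flags == {"SYN"}:
            self.sessions[key] = 0   # session begun from the inside
            return True
        if key not in self.sessions:
            return False         # no session: the return path stays closed
        if "RST" in s.flags:
            del self.sessions[key]
        elif "FIN" in s.flags:
            self.sessions[key] += 1
        elif self.sessions[key] == 2:
            del self.sessions[key]   # final ACK of an orderly close
        return True


def verdicts(check, segments):
    return [check(s) for s in segments]


# Constructed traffic: internal client, external FTP server, unrelated host.
CLIENT, SERVER, OUTSIDER = "192.168.0.2", "203.0.113.5", "203.0.113.9"
HANDSHAKE = [seg(CLIENT, 1025, SERVER, 21, "SYN"),
             seg(SERVER, 21, CLIENT, 1025, "SYN", "ACK"),
             seg(CLIENT, 1025, SERVER, 21, "ACK")]
INBOUND_SYN = seg(OUTSIDER, 4000, "192.168.0.3", 21, "SYN")
STRAY_ACK = seg(OUTSIDER, 21, "192.168.0.3", 1030, "ACK")
CLOSE = [seg(CLIENT, 1025, SERVER, 21, "FIN", "ACK"),
         seg(SERVER, 21, CLIENT, 1025, "FIN", "ACK"),
         seg(CLIENT, 1025, SERVER, 21, "ACK")]
LATE = seg(SERVER, 21, CLIENT, 1025, "ACK")   # arrives after the close

if __name__ == "__main__":
    sf = StatefulFilter()
    print("ACK filter, handshake:", verdicts(ack_filter, HANDSHAKE))
    print("stateful,   handshake:", verdicts(sf.check, HANDSHAKE))
    print("inbound SYN:", ack_filter(INBOUND_SYN), sf.check(INBOUND_SYN))
    print("stray ACK:  ", ack_filter(STRAY_ACK), sf.check(STRAY_ACK))
    print("stateful,   close:    ", verdicts(sf.check, CLOSE))
    print("late ACK:   ", ack_filter(LATE), sf.check(LATE))
```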

2.1.2 Virtual private networks services


Virtual private networks (VPNs) are a very cost-effective method of connecting
users and sites to each other. The main idea behind VPNs is that when speed is
not a major consideration but costs are, then a company could connect two sites
over the infrastructure set up by the Internet service provider (ISP).

[Figure 8 labels: Site-to-site communications; Firewall; Firewall]
Figure 8. VPN communications

Connecting users via VPNs is also becoming very popular. It allows the user to
connect to the ISP using a local phone number and then connect to the
company’s site. Again, the cost of setting up the infrastructure is borne by the
ISP and the company does not have to worry about administration and ensuring
that the infrastructure is stable and running.

BorderManager’s VPN service allows site-to-site communication, client/server
and extranet. The extranet allows trusted business partners to connect to the
company’s network in a trusted and secure manner. Another feature of the VPN
service is that it allows the company to segment its network into a normal
segment and a secure segment, which may be the payroll department, for example.
The secure segment would allow only certain users to connect via VPN. They are
connected with encryption so that even users within the company will not have
access to this segment.

Another feature of VPNs is that the encryption is done only on the information
that is being sent to the secure network so that the internal non-secure networks
continue to work at normal speeds. The encryption and compression are defined
in Requests for Comments (RFCs) 1825-1828 and support RC2, RC5, DES and
3DES.

Since all the BorderManager services are fully integrated with NDS, the
administration of the VPN is done via the normal administration tools so that
individual users, groups or containers are able to be allowed or denied access to
the VPN.

2.1.3 Authentication services


The area of remote access to the corporate network is one of the largest holes in
security enforcement of the network. Once tight remote access security is
enabled, the users must remember a new user name and password combination.
The BorderManager Authentication Services (BMAS) uses the standard Remote
Authentication Dial-In User Service (RADIUS) protocol and is NDS enabled. ISPs
often provide a service with RADIUS and a company can then use the ISP’s
infrastructure to save on administration and long-distance connection costs and
still maintain control of the users and their access locally. Users then use the
same login that they have at the office and are familiar with, and they can get
access to all their home drives and so on as if they were in the office. Because
BMAS is RADIUS compliant, the company can use third-party hardware and
software that supports RADIUS instead of developing its own dial-in access
structure, and still use the existing NDS database to authenticate its users. BMAS
can also be installed on Windows NT 4.0. Figure 9 shows the outsourcing of the
RADIUS infrastructure while keeping the user management internal to the
company.

[Figure 9 labels: 1. User connects to ISP; 2. Authenticates to NDS; ISP running RADIUS Proxy services; Internet; Netfinity 5000 running NetWare 5 and BorderManager with RADIUS server]
Figure 9. RADIUS administration local; infrastructure housed by ISP

2.1.4 Proxy caching services


This section describes three applications of Novell’s Internet object cache that
provide significant benefits to intranet and Internet users:
• Proxy caching
• Proxy cache hierarchies
• Web server acceleration

To obtain an in-depth description of BorderManager proxy cache services, you
should review the following documents: Three Ways to Deliver Cache
Performance to Your Intranet and Internet Users and A Quick Guide to Web
Acceleration, by Ron Lee, Novell Senior Research Engineer. These can be found
at:
http://www.novell.com/bordermanager/appnotes.html

2.1.4.1 Proxy caching


Proxy caching is an integral part of the proxy services you implement at your
organization's Internet border (connecting point between your network and the
Internet). Novell combines caching with its proxy service to provide a
high-performance foundation upon which you can build your security policy,
user-level access controls, and content filtering. Without adequate bandwidth and
the fast response times provided by Novell Internet object cache, the security,
controls, and filtering you try to deploy will only compound your users’ frustration
with the long response times of the Internet.

2.1.4.2 Proxy cache hierarchies


In many organizations, the advantages of a proxy cache can be multiplied by
placing additional caches throughout the organization. Multiple proxy caches can
be configured in a hierarchy to move shared content closer to those who use it.
With a cache hierarchy in place, first-time accesses and cache misses may be
fetched from other caches within your organization, rather than returning all the
way to the original Web server in your intranet or on the Internet. Using a
hierarchy, you have the added advantage of caching popular intranet content on
the remote end of WAN links, thus improving performance for remote users and
reducing the amount of traffic going across those links.

2.1.4.3 Web server acceleration (reverse proxy)
Web servers can be a bottleneck in your intranet or Internet infrastructures.
Typical Web servers quickly run out of connection capacity and tend to produce
slow response times. In sites where performance is important, the only options
usually considered are to upgrade to a more expensive Web server system or to
split the content set across multiple Web servers. Neither of these options makes
sense when caching offers such an elegant, cost-effective means to overcome
the problem.

Configured as a Web server accelerator, Novell Internet object cache eliminates
the Web server bottleneck by placing a dedicated cache in front of the Web
server and handling requests for all of the Web server's cacheable content directly
from its own cache. Caching is the obvious solution because typically, Web sites
are constructed with approximately 95-100 percent cacheable content. Once this
material is fetched from the Web server and cached in the Web server
accelerator, the accelerator can handle all of the requests for that content. This
leaves a small percentage of dynamic requests to be passed through the
accelerator for the originating Web server to process. Web server acceleration is
a flexible network service that can be designed to complement the architecture of
any intranet or Internet Web site. The following examples show how this powerful
service can be combined to meet several different needs. The seven examples
are:
• A single server configuration in which a Web server and Web server
accelerator are combined into a single NetWare 5 server.
• A dedicated Web server accelerator.
• A Web server accelerator for multiple mirrored Web servers.
• A Web server with multiple Web server accelerators.
• Novell mission-critical configuration: an infrastructure that combines multiple
mirrored Web servers and multiple Web server accelerators for optimal
redundancy.
• A Web server accelerator configured for optimal scalability.
• A Web server accelerator configured to accelerate a remote Web site.

2.2 ManageWise
Novell's ManageWise is a network management application that has the ability to
manage NetWare and Windows NT servers, as well as user workstations. The
base product also includes traffic analysis, virus protection and inventory
management capabilities. In some instances the main administrator might not
want the full functionality of ManageWise available to certain users. For example,
it is possible to reduce the functionality available to the network operator on the
night shift, or restrict a junior operator's ability to access the routers and
reconfigure the backbone.

ManageWise is based on a distributed system, which means that although the
network can be managed from a central location (the ManageWise console),
certain system components (management agents) need to be deployed
throughout the network. ManageWise includes the following major components:

• ManageWise Console
The ManageWise Console is a Windows application that provides an
integrated interface for managing the NetWare networks. The ManageWise
Console provides a graphical user interface, a database of all network
information, an alarm management system, and NetExplorer Manager.
• NetExplorer
NetExplorer is a network discovery system that is installed on a ManageWise
server and communicates with routers, NetWare servers, and the NetWare
LANalyzer Agent to discover the network segments, routers, servers, HMI
(hub management interface) hubs, and workstations. (A ManageWise server
running NetExplorer is referred to as a NetExplorer server.) NetExplorer
organizes the information it discovers and sends it to the ManageWise
Console. This forms most of the data in the ManageWise database. After an
initial installation of ManageWise, it has no information about the network.
NetExplorer is then used to gather the information that it needs to monitor and
manage the network.

2.2.1 ManageWise agents


ManageWise agents are deployed at strategic locations in the network
and perform five main functions:
• They record and maintain statistics that reflect the state of the system and
make them available to the ManageWise Console for historical analysis.
• They capture packets and make them available to the ManageWise Console
for later analysis.
• They log information for historical analysis using the ManageWise Console.
• They watch for problem conditions and report them to the ManageWise
Console.
• They carry out commands issued by the ManageWise Console.

Agents are typically assigned very specific tasks, such as keeping watch over a
specific NetWare server (NetWare Management Agent) or overseeing a network
segment (NetWare LANalyzer Agent). Agents that are available separately
include:
• NetWare Management Agent
The NetWare Management Agent provides real-time server performance data
and information about server alerts to the ManageWise Console. It should be
deployed on each server that is to be managed from the ManageWise
Console.
• NetWare LANalyzer Agent
The NetWare LANalyzer Agent enables a NetWare server to monitor all traffic
on Ethernet, token-ring or FDDI network segments to which the server is
attached. A single NetWare server running NetWare LANalyzer Agent can
monitor several network segments simultaneously.
• NetWare Hub Services Agent
NetWare Hub Services Agent enables both local and remote management of
server-based hubs that comply with the HMI specification. This agent also
enables the monitoring of hub performance, and monitoring of each node
attached to a hub, and enables or disables network access to nodes
connected to the hub.

2.3 Novell Directory Services (NDS) Version 8
For those people who have had nothing to do with Novell’s NDS and are
wondering what are the advantages of using NDS, say, against bindery or the
Microsoft domain system, an analogy is to imagine listing all the files and
directories on your hard drive as one long list. It makes it difficult to find and
manage the files under your control. Then list those same files and directories in
their respective areas and all of a sudden you can quickly find the files you want
and also understand their relevance to the root of the volume. NDS is based on
that kind of directory structure as applied to resources on the network.

Breaking down the objects on the network like this enables you to cut up the
directory structure and store it in different areas of your network. This was
extremely useful for sites spanning slow WAN links. Replicating the portion of the
tree that is across the WAN allowed the users to get to their resources locally
rather than across the WAN. For example, refer to Figure 10:

[Figure 10 diagram: NDS tree. Company ROOT, then O=Company, with top-level containers OU=LA, OU=London and OU=Australia; lower-level containers include OU=Marketing, OU=Sales, OU=Melbourne, OU=Support and OU=Finance.]

Figure 10. Example of NDS tree

The section of the tree that is circled has been copied: one copy is on the master
server based at the head office in London. Another copy of that portion of the tree
is based in the Australian office server. This allows users in Australia to be
authenticated to the local copy of the replica rather than connecting across the
WAN to the copy in London and still have access to all resources in the whole tree
to which they have security access.

One of the major advantages Novell has had over its competitors in the Intel
server area is the NDS. Novell’s endeavors seem to be leading to everything
being bigger, faster and better. To this end, Novell has released NDS 8, the latest
version of NDS that has added features and benefits. Most of these additions are
aimed at the larger businesses or ISPs that have thousands of objects in the tree.

But why should smaller to medium sites go to Version 8? As Novell endeavors to
increase performance and consolidate into one management console,
ConsoleOne, it is the start of a base for Novell to build on. These
small-to-medium sites that are currently running an older version will have no real
business need to upgrade to NDS 8. However, as they convert to NetWare 5 or
begin to use NDS for NT then a move to NDS 8 should definitely be considered as
a basis for the future growth and to take advantage of enhancements that Novell
will release over the coming years.

2.3.1 How to refer to objects in the NDS tree


The ability to use the directory system means that you must be able to point to or
refer to an object relative to where you are or relative to the [ROOT] of the tree.
This is the same as in the file and directory analogy. When you
type the path to the DOS file you specify the path either relative to your position in
the directory tree or relative to the root of the drive. As you go down the tree each
object has a type associated with it.

In Figure 10, the OU and O objects are container objects (directories); any objects
placed in these containers that have no objects below them in the tree are called
leaf objects. Each leaf object is referred to by its common name. For example, if a
user object is named Jenni, then that is the object’s common name. Container
objects do not have common names, however.

The methods of referring to object names available in NetWare are:


• Distinguished names. These names can be relative to the position you are in
the tree or relative to the [ROOT] of the tree. A distinguished name uses the
type of object and then the name. For example, the user Jenni that is based in
the Melbourne container is:
CN=Jenni.OU=Melbourne.OU=Australia.O=company
The objects in the name are separated by periods, similar to the backslash (\)
used in DOS paths. If a leading period is used it directs NDS to ignore the
current context of the object and resolve the name at the [ROOT] object. A
trailing period cannot be used.
• Typeless names. The typeless names use the same rules as the distinguished
names, but do not require the object type prior to the object name. For
example:
.Jenni.Melbourne.Australia.company
The term relative means that you are referring to the object from the position
that you are currently in within the tree.
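
The naming rules above can be turned into a small canonicaliser, which matters wherever access is granted by user, group or container name and two spellings of the same object must compare equal. This is an added example, not code from this guide or from Novell. The function names, the default typing of typeless names (leftmost CN, rightmost O, OU in between) and case-insensitive comparison are assumptions; Country objects and periods inside names are not handled.

```python
"""Canonicalise NDS object names using the naming rules of section 2.3.1.

Illustrative only; not Novell code. Assumptions are marked ASSUMPTION.
"""

KNOWN_TYPES = ("CN", "OU", "O")  # the object types that appear in Figure 10


class NDSNameError(ValueError):
    """A name that breaks one of the naming rules."""


def _components(dotted):
    """Split on periods and parse each part into (type or None, value)."""
    parsed = []
    for part in dotted.split("."):
        part = part.strip()
        if not part:
            raise NDSNameError(f"empty component in {dotted!r}")
        if "=" in part:
            typ, value = (s.strip() for s in part.split("=", 1))
            typ = typ.upper()
            if typ not in KNOWN_TYPES or not value:
                raise NDSNameError(f"bad component {part!r}")
            parsed.append((typ, value))
        else:
            parsed.append((None, part))  # typeless component
    return parsed


def resolve(name, context=""):
    """Return the full name from [ROOT] as a list of (type, value) pairs.

    context is the caller's current container; "" means [ROOT].
    """
    name = name.strip()
    if name.endswith("."):
        raise NDSNameError("a trailing period cannot be used")
    if name.startswith("."):
        # Leading period: ignore the current context, resolve at [ROOT].
        parsed = _components(name[1:])
    else:
        # Relative name: the current context is appended on the right.
        parsed = _components(name)
        ctx = context.strip().lstrip(".")
        if ctx:
            parsed += _components(ctx)

    # ASSUMPTION: default typing for typeless parts is leftmost = CN,
    # rightmost = O, everything in between = OU.
    # ASSUMPTION: names compare case-insensitively, so values are lowercased.
    last = len(parsed) - 1
    typed = []
    for i, (typ, value) in enumerate(parsed):
        if typ is None:
            typ = "O" if i == last else "CN" if i == 0 else "OU"
        typed.append((typ, value.lower()))

    types = [t for t, _ in typed]
    if types[-1] != "O" or "O" in types[:-1]:
        raise NDSNameError("name must end in exactly one O= component")
    if "CN" in types[1:]:
        raise NDSNameError("CN= is only valid as the leftmost (leaf) component")
    return typed


def canonicalize(name, context=""):
    """Typed, lowercased, [ROOT]-relative form suitable for comparison."""
    return ".".join(f"{t}={v}" for t, v in resolve(name, context))


def is_valid(name, context=""):
    """True if the name resolves under the rules above."""
    try:
        resolve(name, context)
        return True
    except NDSNameError:
        return False


def in_container(name, container, context=""):
    """True if the object lies somewhere below the given container.

    Containers must be given with types (OU=..., O=...). The comparison is
    per component: a plain string suffix test would wrongly match
    OU=xAustralia against a rule written for OU=Australia.
    """
    obj = resolve(name, context)
    box = resolve(container)
    return len(obj) > len(box) and obj[-len(box):] == box
```

A name that already ends in O=company but is written without a leading period is rejected when the current context is not [ROOT], because the appended context would give it two O= components.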

2.3.2 Changes in NDS 8


We have already discussed the added features and benefits of NDS in NetWare
5. These features are incorporated into this newer version of NDS. However, the
structure of NDS 8 has changed from that of NDS in NetWare 5 and we must be
aware of these structural changes.

NDS storage methods in the old version differ from those in NDS 8. The older
versions stored all the NDS data in four separate files and multiple streams files
in the SYS: volume. The four files were database files and each one contained
specific information about the NDS and the streams files were standard files that
were named using hexadecimal characters:
• PARTITIO.NDS — lists all the database partitions on the server.
• ENTRY.NDS — information for each object contained in the server’s replica.
• VALUE.NDS — each object has multiple values and these were stored here.
• BLOCK.NDS — an overflow database for the VALUE.NDS
• Streams files — contains information regarding login scripts and print job
configurations.

Because NDS was a database, some method was needed to ensure that, if the
server failed while transactions were being written, the database could roll
back or complete the transactions. The Transaction
Tracking System (TTS) was the way in which NetWare 5 controlled this process.

The NDS 8 structure is now founded on a more scalable model. It consists of
three basic files. The difference from the old system is that all the NDS
information is now kept in one file, except for the information kept in streams files.
The stream files still are named and contain the same information as they did in
the previous versions. Transaction tracking is now done via log files so that it has
the ability to roll forward by using these files and redoing the transactions not
written to disk. The files used for NDS 8 are:
• NDS.DB — This is the major control file for the database and also contains the
roll back log.
• NDS.LOG — Is the log used to roll forward in the event that a transaction was
not written to disk.
• NDS.01 — All records and indexes are kept in this one file. When the file grows
above 2 GB, an NDS.02 file is created.

2.3.3 New features


NDS 8 has some new features and utilities that can be used for managing the
NDS in ways that have not been previously available. The functionality of the
management utility ConsoleOne is primitive at the moment but Novell intends to
ensure that all functions will become available and be “snapped in” for different
products and will not be reliant on different desktop operating systems. The new
features and benefits are:
• Increase NDS capacity and performance. With the log files and new
database structure the ability to read, write or search the NDS objects faster is
vastly improved over large-scale databases. The new structure also allows for
a much larger NDS tree containing billions of objects and a container
containing millions.
• ConsoleOne. This new management utility is based on the old ConsoleOne
shipped with NetWare 5. The new version is built on a much faster framework
of code so performance is somewhat faster than the old version. The new
features of ConsoleOne are:
– Customize searches and views.
– Configure the LDAP services for groups of users.
– Manage all the NDS objects in the tree and change properties for multiple
NDS objects at one time.
– Using the schema manager you can extend the NDS schema.
– User templates for creating new users.
– The inheritance of attributes down the tree to the level of properties.
– Control the areas of access, security and space for the NetWare files
system.
These new updates are only the beginning and as Novell releases more
patches, functionality of the ConsoleOne will improve. ConsoleOne has the
advantage over NWAdmin of not relying on the memory of the workstation as
the databases increase in size. Also, the allocation of rights has been
simplified into a more tabular system that most computer users are used to.
Since ConsoleOne is Java based, it can be ported to be accessible from a
Web browser.
The types of tasks that are performed by ConsoleOne and not NWAdmin are:
– Create LDAP containers in NDS.
– Browsing very large NDS trees.
– Searching allows up to 2000 objects, whereas NWAdmin shows only what
it can in the available memory.
– Able to create any object that the schema has in it, compared to NWAdmin,
which can only do the ones it has a snap-in for.
– Can handle dots in names.
– Change multiple objects in a single operation.
• Increased performance for LDAP. LDAP (Lightweight Directory Access
Protocol) in NDS 8 is compliant with LDAP Version 3 and therefore anything
written to that standard will be compatible with NDS 8 LDAP. The LDAP is
managed by ConsoleOne and has tighter integration with the NDS than past
versions. Another enhancement is the capability to search across other
servers if the object is not found on the local copy by using referrals.
• New DSrepair. DSrepair is a utility that has been available since the beginning
of the NDS era. DSrepair has enabled the administrator to fix synchronization
and database errors, but the users were not able to access the NDS during
this time. The new DSrepair allows the repair utility to be run while the NDS
database is open so that users are not affected. Some of the other features
included are:
– The database will be checked without the administrator having to start the
process manually.
– Can perform an index check.
– Free space can be reclaimed from the records that have been discarded.
• BulkLoad. BulkLoad is a utility for adding, deleting or modifying NDS objects
in batch mode. It is based on the LDAP data interchange format (LDIF) and
many of the e-mail packages can export in this format.
• Upgrade of current NDS. The ability to update the NDS simply and easily is
imperative. The installation procedure for NDS 8 does only one reboot. The
speed of the install depends on the amount of trustee rights on the volumes
and the number of NDS objects that must be updated. There are certain
prerequisites, which will be discussed in the installation instructions in
Chapter 3, “Installing NetWare” on page 41.
• Replication and partitioning. In the older versions of NDS, there were
certain rules that needed to be followed, such as the number of replicas on a
server and the number of replicas per ring. With NDS 8, the only limitations
are the amount of bandwidth and disk space. The old rules should be followed.
Refer to 6.2.2, “Partition and replication” on page 122.

2.4 ZENworks
Total cost of ownership (TCO) is one of those grey areas that administrators are
asked to account for. Most companies really have little or no idea of the cost of
ownership in the IT infrastructure. As the IT departments are asked to cut down
the number of administrators and increase the functionality and services offered
by the IT department, this total cost of ownership is becoming more relevant and
important every day. TCO has been rated as high as 80% of the IT budget by
companies that research and analyze IT company information. With a number as
high as this, companies are demanding that the TCO be decreased; to do this
means to decrease the amount of administration time needed to do adds, moves,
and changes to the user environment.

ZENworks, developed by Novell, is a tool designed to decrease the TCO. The aim
of ZENworks is to allow the administrator to add printers, lock down desktops,
allow users to move and keep their environment, and distribute applications.
There are many applications that do this; some are designed for very large
scenarios and others aimed at the smaller Intel-based-server customers. All of
these have similar or greater features; the power of ZENworks is that it leverages
and is totally integrated with NDS, making it fault tolerant, able to be replicated,
and present one administrative interface.

ZENworks is based on previous applications that Novell has enhanced and
combined, allowing the administrators to work with one product suite rather than
several separate products. ZENworks is based in part on the Novell Application
Launcher (NAL). This product enabled the distribution of applications either on
the network or locally installed. Another product incorporated was the Novell
Workstation Manager, which enabled the administrator to control the look and feel
of the user’s desktop.

NDS is the key in making ZENworks a powerful and easily used tool. The NDS
has some new objects added to it for the use of ZENworks. These NDS objects
enable the administrator to control the features listed in 2.4.1, “Features” on page
29. A workstation object allows the importation of information from the machines
that are connected to the network. Policy packages are based on Microsoft’s
policies where they enable the control of the user’s desktop. The difference in
using NDS is that it is replicated and stored in the NDS rather than relying on files
and ensuring these files are stored and replicated if changes are made.

2.4.1 Features
ZENworks can run on NetWare 4.11 and NetWare 5 and can be leveraged the
same in both operating systems. NetWare 5 comes bundled with the ZENworks
Starter Pack. This is a subset of the full product that can be purchased from
Novell. In this section, we will discuss all features available to ZENworks and then
list those that are in the Starter Pack first and then the features available with the
full product.

2.4.1.1 Features available in the Starter Pack
The ZENworks Starter Pack shipped with NetWare 5 allows an administrator who
already has a remote management product implemented to enhance their
management capabilities by now having a tool that will control users’ desktops,
dispense applications, and import workstation information to the NDS.
• Policies. Currently, if a company uses Windows NT clients for security,
stability and multitasking reasons, then the control of such an operating
system is based on policies that disable a user’s access to specific tasks such
as the RUN command in the Start menu or, more importantly, prevent the user
from changing settings in the Control Panel. To administer these, the user must
either be created as a user on the workstation, implement NT servers and the
domain structure, or use NDS with ZENworks. There are many different
policies; these policies are based on the operating system and the type of
policy whether it be workstation, users, printers or dynamic local users.
• Printers. This feature is also a policy but it enables the administrator to
associate a printer to a user; when this user logs on the printer configuration
and drivers are installed. There is no need to visit the workstation.
• Client configuration. Changing a NetWare client’s configuration to implement
a certain feature such as packet burst would mean a visit to each workstation
to enable this. Often the reason that this is being done is a problem with the
workstation that needs to be rectified immediately. With client configuration it
is possible to change these settings on all workstations in all areas of the NDS
tree on the next login.
• Location profiles. In a situation where printers are configured for the user
who is a sales manager and travels between the head office and his home
office on a weekly basis, the printer configured above would be of no use while
at the head office. The location profile allows the user to select the profile or
location where they are logging on, and a different printer will be configured
that is local to that site.
• Mandatory user profiles. Many sites wish that the look and feel of all
workstations were the same no matter which workstation that user logs in to in
the organization. Mandatory profiles allow the administrator to enforce the
same desktop every time that person or any person associated with the profile
logs in. If for some reason the files required for that mandatory profile are not
on the workstation that the user logs in to, ZENworks will automatically
download the required files.
• Dynamic local user. One of the advantages of Windows NT is the increased
security available as a desktop operating system. The disadvantage is that
you must have a user configured locally or a domain system to log in to. NDS
removes this need — as the user logs in to NDS, a user is created locally in
the Windows NT security database. That user can then be left or removed
when the user logs off the machine.
• Scheduled updates. Updating the desktop operating systems with the latest
patches or updates is a significant part of the TCO. The ability to install these
updates or patches at a predetermined trigger, such as activation of a screen
saver, or at a predetermined time is an excellent feature of ZENworks.
• Login restrictions. Login restriction is a feature that has been around for a
long time. The administrator configures that only specific users are allowed to
log on to specific machines based on MAC addresses. This is fairly limiting but
with ZENworks, the ability to allow users from a certain state to log on to only
workstations in that state is the only implementation of the ZENworks
restriction policies.
• Application distribution. TCO is increased dramatically by the installation of
applications on the desktops even if the files are installed on the server. With
the advent of registry settings ZENworks is able to take a snapshot of the
registry settings and have the application installed, and then take a snapshot
again. This snapshot captures all the new files and registry settings needed to
install the application.
When a user is associated with this new application by the NDS manager, the
user can then click the icon and the first time all the files are downloaded and
the registry settings are changed. The second time the user logs on, the
application object checks to ensure that all the settings and files are still there;
if not it repairs them and the user continues to work. This decreases the time
and effort needed to install the application and then support it on an ongoing
basis.
If a user’s applications are normally housed on the server, then when he logs in to
the NDS he would normally be trying to download the application from
this home office server. With ZENworks, the user is automatically mapped to
the server in his current location. The servers would have to be configured in
the same manner, but this should be the case in most situations anyway.

2.4.1.2 Full feature pack


The features that are listed below are available with the purchase of the full
version of ZENworks. The added features are based on help desk management
tools. If the company already has an investment and will get no benefit from the
added features, then there is no added expense. However, the integration of the
help desk management tools into NDS is a very strong argument for a change or
implementation of the full version of ZENworks.
• Help desk icon. ZENworks help desk utilities ensure that the users know
whom to contact in the event of difficulties and then enable those users to
pass information on to the relevant people. This is achieved by associating the
appropriate help desk person’s NDS identity to the help desk policy. The end
user then has the help desk icon placed on their desktop via ZENworks; when
they double-click it, all the information they require is there. They can then e-mail
the error messages or phone in the information.
• Remote control. The administrator must set up a replication of the existing
NDS structure so that they can find the workstation they wish to take over.
ZENworks remote control agent is based on the NDS so that if the NDS is well
set up, it is not difficult to track down the workstation object.
Another issue with remote control applications is the need for the workstations
to advertise their presence or, once configured, for the management workstation
to poll the workstations. The NDS workstation object has the MAC address of
the workstation and therefore does not need to advertise or poll.
• Software license metering. With the Novell License Services (NLS) it is
possible to control the use of licenses of the users logging in to the NDS and
launching an application that has an application object. As the user launches
an application, whether it be already installed on the workstation or newly
installed, the NLS takes note and adds the information into NDS. It is then
possible to restrict users when the number of licenses is reached or to have a
certain number allowed to use the application until new licenses are
purchased. Reports are also included, which can be viewed by the NLS
manager.

Check 2000 is an add-on that checks Y2K readiness of the BIOS, workstation
operating systems, and applications. These results are stored in a predetermined
location and can be collated for viewing.

2.4.1.3 New features in ZENworks 2.0


ZENworks 1.1 is the version that we worked on while writing this book. We have
added the new features that are available in ZENworks 2.0, which will be available
by the time this book is published.

ZENworks is based on earlier Novell applications that have been collected into a
suite of applications covering application control, workstation look and feel and
remote management:
• Application control
– Associating the application object to the workstation allows the
administrator to control the use of the application based on the user that is
logged in to the machine at that time.
– Pre-install. This feature allows the installation of applications to a machine
that is on but has no one logged in to it (if you used IBM’s Wake-on-LAN
technology, the machine would not even need to be on). Then when a user
logs on, the installation finishes with the user-specific information.
– Pre- and post-distribution scripts. These scripts are run as part of a
distribution of a specific application and will not run if the distribution has
already been run.
– System requirements. Filters the installation of the application depending
on whether the machine has specific DLLs, registry settings and so on. It
allows the icon to be displayed even if the application was not available
because it did not meet system requirements.
– Prompted macros allow users to enter specific information during the
installation.
– Run applications as a Windows NT system user. Allows the installation of
applications based on a system user even if the person logged on has
rights as a normal user only.
– Force run/wait processing. The administrator is able to queue the installs
so that it will wait for another installation to finish prior to starting the next.
• Workstation Management
– Extensible desktop policies. The older desktop policies were unable to use
the ADM policy files of applications such as Office 97 and Internet Explorer 4;
these new policies can be associated to user, group or container.
– Hardware inventory. The inventory is now stored in a database that is
ODBC compliant. A selection of items is still stored in the NDS.
– Software inventory. Again the information is stored in an ODBC database
and in-house applications can be added.
– Reporting. Creates pre-designed reports.
• Remote Management. In most of the instances below specific rights and
settings must be enabled in the NDS, and policy packages must be set.
– Remote execute. The administrator is able to start an application on a
specific workstation.
– Remote view. Allows the administrator to look at what the user is doing but
without mouse and keyboard control.
– File transfer. Uses IP to transfer files to a designated workstation.
– Workstation diagnostic. Views the real-time status of a workstation’s
configuration.
– Rights wizard. Grants rights to a user or multiple users and provides a view
that shows the rights to a specific object.
– Audit log for Windows NT. Records information on who has accessed a
machine remotely and for how long.
– Help request information. Gives the user the ability to view and e-mail
useful information to the help desk.
– Configurable trouble ticket. The old ticket sent preconfigured information;
this is now able to be added to or changed depending on the help desk's
requirements.

2.5 NDS for NT


NDS for NT V2.0 is the latest release of a product that Novell has developed to
enable administrators to control a Windows NT domain structure using NWAdmin.
This means that the administrator is able to control the whole network from one
central point. NDS for NT enables the administrator to either work with the
existing domain structure or control all new NT servers with NDS.

NDS for NT is covered in detail in Chapter 5, “Integrating Windows NT with
NetWare 5” on page 89.

2.6 NetWare Cluster Services


NetWare Cluster Services (NCS) was announced September 15, 1999 with initial
support for clusters of up to eight nodes. Plans indicate future support for up to
12 nodes in the cluster. NCS, code name Orion II, is a multinode cluster solution
providing high availability within a critical business networking environment. NCS
replaces an earlier product Novell High Availability Server (NHAS), code named
Orion I. NHAS supported only two servers in a cluster, whereas NCS supports up
to 32 using Fibre Channel hardware, and up to two using SCSI hardware.

NCS is aimed at customers that need to reduce risks and costs deriving from
unexpected hardware and software failure. NCS supports Netfinity Fibre Channel
disk subsystems and work is in progress to fully support ServeRAID SCSI as
well.

Once the cluster has been configured, it is possible to create volumes and
resources that are always available to the network clients. Many NetWare 5
functions and services can be clustered, such as Web services, e-mail server,
databases and IP addresses. Other services that are part of Novell Directory
Services (NDS) are automatically fault-tolerant.

Administration of NCS clusters is handled through the ConsoleOne interface on
the server or on a Windows workstation.

2.6.1 Features
NetWare Cluster Services has the following features:
• Support for the shared disk or local disk configuration.
• Up to eight active nodes in one cluster. Any NetWare server in the cluster can
run resources (applications, services, IP addressing and volumes) in the event
of a single or multinode failure.
• Administration from a single point through the graphical Java-based
ConsoleOne configuration and monitoring utility.

2.7 Novell Storage Services


NetWare 5 has introduced Novell Storage Services (NSS) volumes that can
support files up to 8 terabytes, with no limit as to the number of volumes that can
be mounted.

When you configure the NSS, a minimum of three partitions exists: one for the
NSS, one for the NWFS (NetWare File System) and one for DOS. According to
the number of hard disks being installed on the server, you can find one or more
NSS storage groups and NSS volumes in the NSS configuration. For this
particular NetWare 5 release, you are able to create a storage group for each
NSS volume.

When you create an NSS storage group, you can also have an NSS partition type 69
(a logical partition). When ownership of storage free space is requested, exactly
that space becomes a storage group and an NSS partition.

The physical partitions can only contain segments for four different operating
systems. In this way each area available as free space could be taken by the
NSS. For example, if three areas were located on the hard disk, one for DOS, one
for NetWare and another for a different operating system, only one more area
could be left for NSS. If the partition number exceeds four, an error message
appears.
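The four-partition limit described above can be checked directly against a disk's partition table. The following is an added example, not code from the redbook or from Novell: it parses a constructed MBR sector, lists the unallocated areas, and reports how many of them NSS could still claim as a new partition. The type IDs (0x06 for DOS, 0x65 for NetWare, 0x07 for another operating system, and reading the page's "type 69" as 0x69) and the disk layout are assumptions; free space inside an existing NetWare volume is not modelled.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446   # the partition table follows 446 bytes of boot code
ENTRY_SIZE = 16
MAX_PRIMARY = 4      # the four-partition limit the text describes

# Assumed type IDs: the page only says "type 69" for NSS (read here as 0x69).
TYPE_NAMES = {0x06: "DOS", 0x65: "NetWare", 0x69: "NSS", 0x07: "other OS"}


def build_mbr(entries):
    """Pack (type, start_sector, sector_count) tuples into a constructed MBR."""
    if len(entries) > MAX_PRIMARY:
        raise ValueError("an MBR holds at most four primary partitions")
    sector = bytearray(SECTOR_SIZE)
    for slot, (ptype, start, count) in enumerate(entries):
        # status, CHS start (zeroed), type, CHS end (zeroed), LBA start, length
        struct.pack_into("<B3sB3sII", sector, TABLE_OFFSET + slot * ENTRY_SIZE,
                         0x80 if slot == 0 else 0x00, b"", ptype, b"", start, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


def parse_mbr(sector):
    """Return the used primary partition entries of a 512-byte MBR sector."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    used = []
    for slot in range(MAX_PRIMARY):
        offset = TABLE_OFFSET + slot * ENTRY_SIZE
        ptype = sector[offset + 4]
        start, count = struct.unpack_from("<II", sector, offset + 8)
        if ptype == 0 or count == 0:
            continue  # empty table slot
        used.append({"slot": slot, "type": ptype,
                     "name": TYPE_NAMES.get(ptype, "unknown"),
                     "start": start, "sectors": count})
    return used


def free_extents(parts, disk_sectors, first_usable=63):
    """Unallocated (start, length) sector ranges between and after partitions."""
    gaps, cursor = [], first_usable
    for part in sorted(parts, key=lambda p: p["start"]):
        if part["start"] > cursor:
            gaps.append((cursor, part["start"] - cursor))
        cursor = max(cursor, part["start"] + part["sectors"])
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - cursor))
    return gaps


def nss_plan(sector, disk_sectors):
    """Summarise what is left on the disk for NSS to take ownership of."""
    parts = parse_mbr(sector)
    free_slots = MAX_PRIMARY - len(parts)
    gaps = free_extents(parts, disk_sectors)
    return {
        "partitions": [p["name"] for p in parts],
        "free_slots": free_slots,
        "unallocated": gaps,
        # A new NSS partition needs both a table slot and an unallocated area.
        "nss_partitions_possible": min(free_slots, len(gaps)),
    }


# Constructed sample: a 4 GiB disk with DOS, NetWare and one other OS.
DISK_SECTORS = 8_388_608
THREE_IN_USE = build_mbr([(0x06, 63, 204_800),
                          (0x65, 204_863, 2_097_152),
                          (0x07, 4_194_304, 2_097_152)])
# Same disk after NSS has taken the first unallocated area as a fourth partition.
FULL_TABLE = build_mbr([(0x06, 63, 204_800),
                        (0x65, 204_863, 2_097_152),
                        (0x07, 4_194_304, 2_097_152),
                        (0x69, 2_302_015, 1_892_289)])

if __name__ == "__main__":
    for label, mbr in (("three in use", THREE_IN_USE), ("table full", FULL_TABLE)):
        print(label, nss_plan(mbr, DISK_SECTORS))
```

With three partitions in use, two unallocated areas exist but only one can become an NSS partition; once the table is full, the remaining area cannot be claimed as a fifth partition.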

Since the NSS gets free space from different devices, the NSS partition does not
depend on a particular device. This means that the NSS cannot just have the
ownership on the fourth physical hard disk partition but can also use free space in
another area and another partition that are grouped together within a storage
pool.

The NSS cannot take possession of a partition given to another operating
system, although it can use free space in an existing NetWare volume that
does not yet have a NetWare partition. Once the NSS has taken possession of
the free space in a NetWare volume, the NetWare File System automatically
acknowledges the reduced NetWare volume object.

Some media, such as CD-ROMs, do not contain partitions and consequently they
are not converted by NSS. They will be included within a storage deposits list,
storage objects or storage groups that can be used as read-only data and are
included in a storage pool if you need to load and read them.

Since the NSS acknowledges non-partition, the different partitions are not listed
when some storage groups and NSS volumes are configured, as the NSS cannot
use them in the NSS volumes. The NSS acknowledges free space blocks rather
than separate partitions.

2.7.1 NSS storage groups, volumes and free space


You can compare NSS storage groups to segments of NetWare volumes or other
types of free space in the server. The free space is a logical space that resides in
a particular hard drive. The storage groups and the NSS volumes are not
combined in the whole free space on the server by the devices that the NSS
acknowledges, such as the hard disks. Any block of free storage space that
is available on the hard drives can be converted into NSS storage. You can
use free space in a NetWare partition only if a NetWare volume exists, but
not in an empty NetWare partition. Since the free space is contained in a group of
different devices, the NSS volumes are logical volumes.

When you need a storage deposit, the storage groups can be created with their
NSS grouped volumes.

When the provider finds free space in a system, it also acknowledges a CD-ROM
and creates a storage group for that CD-ROM. This also applies to other devices
with which the NSS can do nothing.

The main difference between the NetWare volumes and the NSS volumes is that
the NSS volumes can contain bigger files and enable a greater number of larger
volumes. Furthermore in the NSS there are different ways to assign free space to
the NSS volumes. The storage groups and the NSS volumes are strictly grouped
when they are created. The storage group is a higher level grouping system that
contains a single identification number. For this release you can only create a
single storage group for each NSS volume.

2.7.1.1 The provider


As you begin the configuration of the NSS environment, if you choose a provider,
it scans all devices by searching the whole available free space to be taken by the
NSS. It also includes any device that has been hot swapped in and out of the
server. One provider looks for free space on devices suitable for IBM partitions
and another provider searches for free space on NetWare volumes, so that it is
not necessary to know what provider is needed. Depending on what you are
going to do, the NSS acknowledges the NetWare free space or it works on an IBM
partition. You could, however, use both providers.

2.7.1.2 The storage object


The storage objects, including the free space, are stored by the provider within an
object group. The objects can be used by the NSS for data (for example, a
CD-ROM) and the free space that can be used is shown in a list of managed
objects after the consumer takes possession.

2.7.1.3 NSS Consumer Services
If you choose to have a consumer assign the ownership of the available free space,
it will gather the whole free space that it has been given and initialize the NSS.
The NSS Consumer Services is the default consumer. This means that the free
space now belongs to the NSS partition. The chosen free space becomes a
storage deposit. You are able to choose the Loadable Storage Subsystem (LSS)
where you are locating the storage. If you wish to create more storage groups and
NSS volumes, we recommend that you let the NSS take possession of the whole
free space that is available.

2.7.1.4 The Storage Group


The NSS creates a storage group. The consumer that has been chosen searches
for a free space block in the managed objects list. From the block you can decide
how much space you are supposed to use for a storage group and NSS volume.
You can choose the whole amount shown or a part of it. If you choose a part of
the whole amount, you are able to create different storage groups and NSS
volumes that can be added to the total.

2.7.1.5 NSS volume


The NSS creates an NSS volume. You need to choose a consumer and the name
for the NSS volume. The NSS then creates the NSS volume.

2.8 Novell StandbyServer for NetWare


Vinca StandbyServer for NetWare is a hardware-independent high-availability
solution that connects a secondary server directly to the main file server. Data is
mirrored between the two servers to create a fully redundant system protecting
users against both hardware and software failures. Mirrored data flows over an
industry-standard, dedicated data link or over existing network wiring. When the
main server fails, StandbyServer for NetWare switches operations automatically
to the secondary machine. Users are back online in a matter of moments with a
complete copy of their data.

Note: There is no difference between StandbyServer from Novell and
StandbyServer from Vinca.

The following products are available:


• StandbyServer for NetWare
• StandbyServer Many-to-One for NetWare
• StandbyServer Entry-Level

In this redbook, we will be working only with the new version StandbyServer for
NetWare.

StandbyServer Many-to-One uses the same configuration as StandbyServer
except there is more than one primary server and there is one extra hard disk in
the standby machine for each primary server.

This software works like StandbyServer except that when any primary server
fails, the standby server takes over its role. At the time of publishing,
Many-to-One was not supported by NetWare 5.

StandbyServer Entry-Level is similar to StandbyServer but with the following
restrictions:
• The primary server’s license cannot connect more than 25 users
• More than one hop between the primary and the standby is not allowed
• The utility server feature is not available.

This product is also currently not supported by NetWare 5.

2.8.1 Characteristics of StandbyServer


StandbyServer has the following characteristics and advantages:
• Total fault tolerance of the server. Since data is mirrored on another server, full
device redundancy is obtained.
• Automatic failover on the StandbyServer. When the primary server is
damaged, the one in standby position becomes the new primary server
without human intervention.
• The servers do not need to be identical. They could be similar, but not
necessarily. The StandbyServer must contain enough disks so as to have
enough space to mirror the volumes of the primary server and sufficient
memory to mount the mirrored volumes, in case of failure.
• The StandbyServer can also work as the active server. When using the utility
server configuration, the standby server can also work as active server and
can at the same time mirror the primary server.
• Since data has been stored in mirror on the two servers at the same time,
NetWare will read both disks, permitting you to read both at the same time and
increase performance.
• All NDS structures are mirrored. The NDS structures such as replicas, time
synchronization, and so on are automatically mirrored on the standby machine.
• The StandbyServer software includes high-availability transaction-based and
server-mirroring solutions that can connect one or more secondary standby
servers to a critical primary server. If a primary server is damaged on a
hardware or software level, the standby server will automatically replace it, by
making data and network services available to the users in short time.
• Data is mirrored between the servers using both a high-speed connection and
the network that also connects the clients. This gives the opportunity to set up
a high redundancy system that protects the users from unexpected failures on
the server.

2.8.2 Architecture
The following terms are used here:
• Primary role: the role of the primary server and the standby server when it is
working as primary server.
• Primary server: the name given to the server that is providing the services to
the network when all is working correctly.
• Standby server: the server that at a certain point works in standby. When all is
working well, this is the machine on which data is mirrored.

• Standby role: the role the standby machine has when it is working as the
primary server. The standby machine is always ready to automatically take the
primary role when the primary server fails.

StandbyServer is created using NLM modules. It is compatible with the Novell
certified server architecture provided with Intel x86 processors. The use of
StandbyServer along with the utility server feature enables the standby server to
operate not only in standby but also as the utility server. See 2.8.3, “Utility server
feature” on page 38.

The software architecture consists of three items:


• The primary server
• A standby machine
• A communication path that can be either the network client or a dedicated link

StandbyServer uses the Novell mirroring feature through which all read and write
operations of data are at the same time carried out on the primary and standby
machine. The connection between the primary server and the standby machine is
monitored so as to assure access to the primary server. As soon as the primary
server is no longer reachable, the standby machine automatically takes the
primary role.

The failover operation takes place almost instantaneously. Since the volumes and
their data are mirrored, the bindery objects and the NDS are mirrored as well.
This means that the Novell and Microsoft clients can regain the connection, and
even automatically reconnect to the active servers.

NetWare 5 does not support mirroring with the newly introduced Novell Storage
Services (NSS) feature on the volumes. See 2.8.5, “Using NSS with
StandbyServer” on page 39 for details about NSS.

When the standby machine takes on the primary role depends on the selected
configuration. If the AutoSwitch option as shown in Figure 119 on page 159 has
been enabled, the use of the standby machine will be automatically started up.
Otherwise, it can be started manually: an alert is sent out to warn the
administrator of the failure that just occurred. The administrator will then take action
to bring the standby machine online or recover the primary machine.

2.8.3 Utility server feature


In a basic configuration, the standby server does not perform any productive work
— it just mirrors the primary server’s data and waits for the primary server to fail.
However, you can configure the standby server to act as a utility server.

With this feature, the standby server is used for both a fault-tolerant mirror of the
primary server and as an independent server running its own processes. This
configuration requires that an extra disk be available in the standby server to be
used as the local SYS: volume. This local SYS: volume is not mirrored and can be
used to run local utilities.

When the primary server fails and the standby server assumes the role of the
primary server, the local SYS: volume on the standby is renamed to
SYS_UTILITY: by the SYSSWAP.NLM program so that the mirrored SYS: volume
from the primary can be renamed to SYS: by StandbyServer.

When the standby server has assumed the role of the primary server, all activities
related to the utility server function are halted.

2.8.4 The dedicated link


The dedicated link is a direct connection used for data mirroring. It is important to
dedicate this kind of link for the following reasons:
• The link is dedicated to the mirroring of data between the servers, which
ensures the servers are always identical.
• In case of failure, the failover process begins sooner.
• The traffic between the servers does not impact a user’s access to the server.

In order to set up the dedicated link, it is necessary to load the following NLM
modules on each machine:
• VINCAIP.NLM
• VINCAIPX.NLM
• VNCIPX2.NLM

The dedicated link can be set only using specific Ethernet adapters that can
operate at 100 Mb connected together using a crossover cable. Figure 11 shows
the pinouts for a crossover cable.

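Left RJ-45 connector       Right RJ-45 connector
Pin 1  Orange              Pin 1  White/Green
Pin 2  White/Orange        Pin 2  Green
Pin 3  White/Green         Pin 3  Orange
Pin 6  Green               Pin 6  White/Orange
(Pins 4, 5, 7 and 8 are shown without a wire colour on either connector.)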

Figure 11. Category 5 Ethernet crossover cable pinouts

2.8.5 Using NSS with StandbyServer


NetWare 5 has introduced the feature of the Novell Storage Services (NSS)
volumes that can support files up to 8 terabytes with no limit as to the number of
volumes that can be mounted. However, NSS does not currently support
mirroring, which means that it cannot be used with StandbyServer for NetWare 5.
Hence, only the use of the standard NetWare file system is currently supported.

Chapter 3. Installing NetWare
This chapter discusses the three basic methods of installing NetWare 5 on IBM
Netfinity hardware:
1. Installing NetWare directly and manually creating the DOS boot partition
2. Installing NetWare using ServerGuide
3. Installing NetWare directly and letting the installation routine create the DOS
boot partition automatically.

The third installation method will not be discussed as the installation steps are the
same as all the others except that the installer boots the supplied NetWare 5
CD-ROM.

After the three methods have been explained, and the merits of each outlined, we
will continue with the installation of NetWare 5. This installation will install all the
add-ons that are available with NetWare 5, even those that may not be the most
appropriate for your installation. These methods of installation are applicable no
matter what hardware is used as long as the base requirements are met.

Prior to doing any of these installations you must ensure that your server is at the
latest BIOS level. This includes the system itself and your RAID card, if you have
one. You can get these files at
http://www.pc.ibm.com/support

The RAID configuration must also be complete prior to installation, unless you are
using SoftwareGuide. SoftwareGuide lets you configure the RAID subsystem
during installation. This can be accomplished by using the RAID configuration
diskette or CD-ROM that is supplied with the server or RAID controller.

3.1 Preparing for installation


Before you begin, you will need to understand the minimum hardware
requirements, and to gather information about your installation. If you aren’t using
ServerGuide or the NetWare CD, you will also have to prepare a DOS partition.
The CD installations will create the DOS partitions for you during the installation
or prompt you and place you in the correct applications to do this.

3.1.1 Minimum hardware installing requirements


The minimum memory and disk space for installing NetWare are as follows:
• 64 MB of memory
• 400 MB of disk space available on the SYS: volume
• 35 MB of disk space available on the DOS boot partition
• CPU must be of the Pentium class

Note: These requirements are the bare minimum and should only be used on a
test server, not a production server. To correctly size your server memory, refer to
the memory worksheet in A.1, “Memory calculations” on page 235.

3.1.2 Information needed during the installation
During the installation you will be asked for certain pieces of information. This
section lists these pieces so that you can have them prepared prior to starting the
installation. If you are comfortable with the NetWare 5 installation, you can use
this as an easy setup guide.

In A.2, “Installing NetWare 5 worksheet” on page 236 there is a worksheet that
you can print or photocopy that, when filled in, will contain the information
required for the installation. We recommend you save this worksheet with the rest
of your server documentation for later use.

You will need the following information during the installation:


• Boot partition — if you want to keep the existing or create a new one
• Directory that you wish to install to (NetWare provides a default)
• Country code, code page, keyboard (you normally accept the defaults)
• Video/mouse (you normally accept the defaults)
• Drivers:
– platform support (that is, SMP or not)
– Hot-plug support
– Disk subsystem controllers
– Storage devices
– Network cards
– Other NLMs you may wish to load
• How you want the volumes set up
• Server name: Ensure that you have implemented a naming convention prior to
installation.
• Network protocols and addresses
• Time zone
• NDS information:
– New or existing NDS tree
– Admin user and password
– Context of server and admin
• License location

See A.2, “Installing NetWare 5 worksheet” on page 236 for a complete list of
information required.

3.2 Method 1: installing NetWare directly


First, you need to create the DOS boot partition manually. The items that you will
need are:
• Hardware configured ready for normal installation (such as the RAID arrays
and logical drives in the ServeRAID configuration)
• A DOS boot disk or installation diskettes — either PC DOS 7.0 or MS DOS
6.22. One of the later versions is preferred but you can use earlier versions if
necessary. Also ensure that you have the FDISK and FORMAT programs
available.

We recommend installing the full version of DOS so that you have all the utilities
at your disposal. There will be many times when you will need access to the DOS
utilities (such as the text editor to edit AUTOEXEC.BAT to comment out the server
command so that you can boot the server with the /na (no AUTOEXEC.NCF)
switch).

To create the DOS partition, do the following:


1. Boot the DOS installation disk and press F3 twice to exit to a command
prompt.
2. Type FDISK and configure a partition that is appropriate for your NetWare 5
system. The size of the partition is related to the amount of memory your
system has. The formula for this is:
DOS partition = 50MB + Server Memory
The reason behind this is that if you have a server abend (either the CPU or
NetWare has a critical error and the operating system has entered the
NetWare fault handler) then it will be possible to save the memory dump to the
local drive.
3. Reboot the machine after creation, making sure that you have marked the
partition active in FDISK.
4. Boot from the installation disk or from a DOS diskette.
a. Using the installation diskette will allow you to format and install DOS all in
one step. If you install DOS, ensure that you edit the CONFIG.SYS and
AUTOEXEC.BAT files to have these statements, and no others:
CONFIG.SYS:
    FILES=30
    BUFFERS=30
AUTOEXEC.BAT:
    @ECHO OFF
    C:
    CD \NWSERVER
    SERVER
Ensure that no memory management statements are included in these
files, because they will prevent NetWare from loading.
b. From a DOS boot disk, format the drive using FORMAT /S and copy all the
DOS executables that you want.
5. The installation procedure now continues at 3.4, “Continuing the NetWare 5
installation” on page 45.
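The DOS partition sizing and boot-file requirements from the steps above can be checked before the first boot. The following is an added example, not code from the redbook: it applies the page's sizing formula and audits CONFIG.SYS and AUTOEXEC.BAT text against the statements listed in step 4a. The page names no specific memory managers, so the patterns matched here (HIMEM, EMM386, QEMM, 386MAX, DOS=HIGH/UMB, DEVICEHIGH, LOADHIGH) are assumptions, and the sample file contents are constructed.

```python
import re

# Statements the page requires, "and no others".
REQUIRED = {
    "CONFIG.SYS": ["FILES=30", "BUFFERS=30"],
    "AUTOEXEC.BAT": ["@ECHO OFF", "C:", "CD \\NWSERVER", "SERVER"],
}

# Assumption: common DOS-era memory-management statements, not named on the page.
MEMORY_MANAGER = re.compile(
    r"HIMEM|EMM386|QEMM|386MAX|\bDOS=(HIGH|UMB)|\b(DEVICEHIGH|LOADHIGH|LH)\b")


def dos_partition_mb(server_memory_mb):
    """Page formula: 50 MB plus server memory, so an abend memory dump fits."""
    if server_memory_mb < 64:
        raise ValueError("the page lists 64 MB as the minimum memory")
    return 50 + server_memory_mb


def normalise(line):
    """Upper-case, trim, collapse whitespace and remove spaces around '='."""
    line = re.sub(r"\s+", " ", line.strip().upper())
    return re.sub(r" ?= ?", "=", line)


def audit_boot_file(name, text):
    """Return (line_number, kind, text) findings; an empty list means compliant."""
    required = REQUIRED[name.upper()]
    findings, seen = [], []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = normalise(raw)
        if not line:
            continue
        if line in required:
            seen.append(line)
        elif MEMORY_MANAGER.search(line) and not line.startswith("REM"):
            # These statements prevent NetWare from loading.
            findings.append((number, "memory-manager", raw.strip()))
        else:
            # Anything else, including REM comments, breaks "and no others".
            findings.append((number, "unexpected", raw.strip()))
    missing = [s for s in required if s not in seen]
    findings += [(0, "missing", s) for s in missing]
    if not missing and seen != required:
        findings.append((0, "order-or-duplicate", " / ".join(seen)))
    return findings


# Constructed samples: a default DOS install and a commented-out SERVER line.
BAD_CONFIG = r"""DEVICE=C:\DOS\HIMEM.SYS
DEVICE=C:\DOS\EMM386.EXE NOEMS
DOS=HIGH,UMB
files = 30
BUFFERS=30
"""
BAD_AUTOEXEC = r"""@ECHO OFF
C:
CD \NWSERVER
REM SERVER
"""
GOOD_AUTOEXEC = "@echo off\nC:\ncd \\nwserver\nserver\n"

if __name__ == "__main__":
    print("DOS partition for 256 MB of memory:", dos_partition_mb(256), "MB")
    for name, text in (("CONFIG.SYS", BAD_CONFIG), ("AUTOEXEC.BAT", BAD_AUTOEXEC)):
        for finding in audit_boot_file(name, text):
            print(name, finding)
```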

The advantages of using this method over ServerGuide are:


• It does not have limitations such as no more than 2 GB of memory and a
minimum of 500 MB primary partition.
• DOS and NetWare are installed into the directories that you
specify.

3.3 Method 2: installing with ServerGuide


The ServerGuide software supplied by IBM allows you to install the major
operating systems including NetWare 5. ServerGuide is a series of CD-ROMs that
is shipped with each Netfinity server. For information on ServerGuide, go to:
http://www.pc.ibm.com/us/server/sguide/

With the purchase of a Netfinity server, you can receive an update to selected
ServerGuide CDs. Updates are shipped to you at no additional cost. For details,
go to:
http://www.pc.ibm.com/coupon/

The ServerGuide installation is straightforward and the information given is
usually enough to set up the NetWare 5 server. The NetWare portion of the
installation is actually done from the NetWare 5 CD-ROM that you must supply.
This is discussed in 3.4, “Continuing the NetWare 5 installation” on page 45.

The advantages of installing NetWare using ServerGuide are:


• The hardware configuration of RAID is included on a bootable CD.
• Selection of drivers to be installed is automated and simplified.
• ServerGuide bases its decisions on the model of file server you are installing.

The disadvantages of such an installation are:


• A small number of files are installed in the root of the C: drive.
• The label for the volume that is created uses a lowercase alphanumeric
character. When you try to remove this using FDISK, you cannot enter lower
case. You must go to a command prompt and use the label command to
rename the volume.

We recommend you use ServerGuide

We recommend you install with ServerGuide because it allows the installer to
not worry about the selection of special drivers during the installation.

To install NetWare using ServerGuide, do the following:


1. Place the SoftwareGuide CD-ROM (or primary CD-ROM if your version of
ServerGuide does not have SoftwareGuide) in the server and reboot the
server.
2. The server reboots and loads drivers and virtual memory.
3. Select the Operating System installation icon.
4. Select the Novell icon.
5. You then have two choices.
a. Select NetWare 4.11 or 5.
b. Choose whether you want to do a custom installation. In almost all cases
you will choose to do a custom install.
6. The ServerGuide software will then prompt you to remove all CDs and disks
from the server and to click OK.

At this point the server reboots and a DOS prompt asks you to insert the
NetWare 5 CD. The CD can be inserted as soon as the server starts to reboot.
The next part of the installation is continued in 3.4, “Continuing the NetWare 5
installation” on page 45.

3.4 Continuing the NetWare 5 installation
This section describes the portion of the installation that is the same for all three
installation methods.

This is the most important part of the installation, as it is the basis of your network
structure. If this is the first server it will be the basis for your whole network. If it is
an additional server in your existing network, then you must ensure that it is
placed correctly in the Novell Directory Services (NDS) tree.

To continue the installation, do the following. You will need the information you
gathered using the worksheet in A.2, “Installing NetWare 5 worksheet” on page
236.
1. Select the language that you wish to use during installation.
2. Read the license agreement by selecting Read License Agreement. Select
Accept License Agreement to continue the installation.
3. Modifications to the boot partition are the next set of questions. If you already
have created the size that you wish and formatted, select Continue; you
should now go to step 8. If you are using the bootable CDs, select Modify and
create the partitions that you require.
Note: Remember any repartitioning will destroy the existing data.
4. If you modify the boot partition, then the NetWare installation will give you the
default of 50 MB. This is generally too small, so select Modify and enter the
amount of disk space required for your installation. Select Continue.
5. You will then be prompted to ensure that you are making the right choice.
Select Continue.
6. The machine will then reboot after you press any key.
7. When the machine reboots it will then format the partition created in the
previous steps.
8. Select Continue unless you want to change the directory that NetWare is
installing to.
9. Select Modify or Continue, depending on your installation, for the country,
code page and keyboard.
10. Select Modify or Continue for mouse and video unless you have specific
hardware that requires a change to the default information.
11. The installation then copies the files required to the boot partition. Three areas
of information are required in the next screen:
a. Platform support module — If you have multiple processors or plan to
install multiple processors you should ensure that you have the correct
modules installed.
b. PCI Hot Plug support module — If the hardware supports this feature it will
be automatically detected.
c. Storage adapters — These are .HAM drivers used to connect to the hard
drive controllers. If you are installing NetWare on a server with a
ServeRAID adapter, the drivers for the AHA2940 on-board controller should be
deleted by selecting Modify unless of course you have hard drives
connected to that controller. Otherwise, select Continue.
Note: DSK files are not supported by NetWare 5.
12. Again three areas of information are displayed on the screen:
a. Storage devices — Generally IDE or SCSI.
b. Network boards — Ensure that you have the right one listed according to
the information that you have. If you need to modify or load one that you
have downloaded, select Modify.
c. NetWare Loadable Modules (NLM) — Here you can specify specific NLMs
that you wish to have loaded. Select Modify and press the Insert key to
install any new fonts. If none are found or configured you will get an error.
Press Enter and a new screen will come up where you can insert and
specify a directory to install from. If you’re leaving everything standard,
then select Continue.
13. Volume information is the next screen. NetWare by default takes up all the free
space that is available to it. This is not what you want for the SYS: volume.
Select Modify and create the SYS: volume with enough size for all the
NetWare 5 files that will be installed, as follows:
– NetWare 5 only: 250 MB
– NetWare 5 and all other networking products: 375 MB
– NetWare 5 and all other networking products + documentation: 550 MB
If the hardware that you are installing on has Hardware Redirection, that takes
away the need for Hot Fix. Set the Hot Fix amount to 0.
14. Press F10 to save the settings and return to the Continue menu choice. Press
Enter to continue.
15. The server then begins copying to the new SYS: volume you just created. The
next screen that comes up is the new NetWare 5 Java-based installation
screens as shown in Figure 12.
Note: The Java-based installation screens are a little slow to react to button
presses. If you prefer to use the keyboard, Table 3 shows the key commands
to enable you to do the install without the use of a mouse.
Table 3. Keystrokes for Java install console

Keystroke                              Action
Tab                                    Move focus to next element
Shift+Tab                              Move focus to previous element
Enter                                  Select
Up arrow                               Move cursor up
Down arrow                             Move cursor down
Right arrow                            Move cursor right
Left arrow                             Move cursor left
Hold down Shift key with arrow keys    Accelerate cursor movement
Keypad 5                               Select or click an object
Keypad 0                               Lock a selected object (for dragging)
Keypad . (period)                      Unlock a selected object (to drop)
Keypad + (plus)                        Double-click an object
Alt+F7                                 Move to next window
Alt+F8                                 Move to previous window

[Figure: Server Properties screen with a Server Name field (SERVER1 in the example) and Next, Cancel and Help buttons.]

Figure 12. Naming the NetWare 5 server

16.Enter the name of the NetWare 5 server. Click Next. Figure 13 appears.

Configure File System

Review the following volume information. The following volumes
have been created. To create a new volume, select Free Space and
click Create.

Volumes

Name Size (MB)

Big DOS; OS/2; Win95 Partition Volume 1027

SYS 599

Free Space on [V372-A1-D00] Seagate ST32550r 417

Create Delete Modify

< Back Next > Cancel Help

Figure 13. Installation and configuration of the NetWare 5 file system

17.The file system information is then displayed and can be configured
depending on which area of disk space you click on.
– Create option if you click on a free space.
– Delete an existing volume.
– Modify option if an existing volume is highlighted.
Click Next when complete. Figure 14 appears.



Protocols

Specify the network protocol for each network board.


Network Boards Protocols

+ SERVERS IP
NE2000_1
IP Address

123.45.67.89

Subnet Mask

255.255.255.0

Router (Gateway)

IPX

< Back Next > Cancel Help

Figure 14. Network card protocol configuration

18.If your system has multiple network cards in it, you will have to configure each
one individually. Select the card that you wish to work on and then check
which protocols you wish to use.
When you have finished configuring all the boards that you require, click the
Next button. Figure 15 appears.

Time Zone

Enter the time zone information.

Time Zone

(GMT-11:00) Midway Island, Samoa


(GMT-10:00) US Hawaiian-Aleutica Time
(GMT-09:00) US Alaskan Time
(GMT-08:00) US & Canada Pacific Time
(GMT-08:00) Tijuana Pacific Time
(GMT-07:00) US & Canada Mountain

Daylight Saving Time

Allow system to adjust for Daylight Saving Time.

< Back Next > Cancel Help

Figure 15. Selection of the time zone

19.Select the appropriate time zone for where you are installing the NetWare 5
server. You select this by scrolling down the list. When you select the time
zone, the check box for daylight savings may or may not be checked
depending on where you live. Ensure that you standardize this setting
throughout your organization.
20.Once this is done, click Next to continue. You are then asked if you want to
install into an existing NDS tree or to create a new tree.
The configuration of the NDS tree is very important and will affect the future
simplicity and performance of the whole network. Ensure that you have the
right information. Select the type of NDS install this installation will be.



a. Selecting the existing tree option displays Figure 16. You will need the
following information:
• Tree name.
• Context for server object.
• Admin login for the tree that you are logging in to. The entry must be
entered in the full NDS format and context.
• Password for the user that you entered in the above step.
NDS

Enter NDS information. Installing into an existing tree
requires supervisor rights in the destination container.

NDS Information
Tree Name
ACME

Context for Server Object


OU-SALES.O-ACME_INC

Administrator Login
Name (full NDS context)

Password

< Back Next > Cancel Help

Figure 16. Configuring the NDS for an existing tree

b. Selecting the option to create a new tree produces Figure 17, which requires
the following information:
• Tree name.
• Context for the server object.
• The new admin name.
• The admin context. The default will be the context for the server that you
just entered, so ensure the context is the one that you want.
• Password for the admin user.
NDS

Enter NDS information to create a new tree.

NDS Information
Tree Name
ACME_INC

Context for Server Object


OU-SALES.O-ACME

Administrator Information
Admin Name ADMIN

Admin Context OU-SALES.O-ACME

Password ******

Retype Password ******

< Back Next > Cancel Help

Figure 17. Configuring NDS for a new tree



Note: Before you click Next to continue, make sure the information is correct.
Once it is authorized either by the server or the existing NDS tree, you can’t go
back.
21.A summary of all the information for the NDS you have just entered will come
next. This is purely a summary and nothing can be changed. Click Next.
Figure 18 appears.

Licenses

Insert the license diskette or enter the path to the license file
(*.nlf).

License Location:

A:\

Install without licenses

Description

< Back Next > Cancel Help

Figure 18. Installing the licenses for a NetWare 5 install

22.The location of the license file is required and you can either browse using the
mouse or type in the information. There is also a check box that enables the
installation without licenses if you want to install them at a later date.

Additional Products and Services

Please select the components to install:

LDAP Services 8.71 MB


NDS Catalog Services 4.33 MB
WAN Traffic Manager Services 1.13 MB
Secure Authentication Services (including SSL) 1.70 MB
Novell PKI Services 1.07 MB
NICI Cryptographic Modules

Description
Select All

Deselect All

< Back Next > Cancel Help

Figure 19. Additional products

23.The other networking products that can be installed during the process are
now listed. You can select all, none, or just a few. The selection will depend on
what is required on your network.
If you select some products to be installed, you may see the following
windows:



– LDAP Services windows request information about whether you want to
use catalog services.
– DNS/DHCP services require the context for the following objects. The best
context for these is as high up in the tree as possible for ease of
resource allocation.
• The Locator object
• Group object
• RootSrvr Zone
24.The summary screen that follows (Figure 20) looks straightforward. However,
if you select the Customize button then each area that you have installed
previously can be reconfigured with more options.
This would be the equivalent of selecting a custom install of a Microsoft
installation, as compared to a standard install. In most cases you will want
to have a look to understand what has been configured on your new NetWare 5
system. For further information refer to the NetWare 5 user manuals.

Summary

Products to be installed:

NetWare Operating System 261.62MB

Customize

< Back Finish Cancel Help

Figure 20. Summary of installed components

Pressing Customize shows a window similar to Figure 21.

Product Customization
Select a component to customize

Description
+ NetWare 5 NetWare 5
+ NetWare Operating System
File System
Protocols
NDS
Novell Distributed Print Services (NDPS)
Additional Products and Services Disk Space Required (MB): 261.62

Properties

Close Help

Figure 21. Customizing the NetWare 5 install.



25.Click Finish and the server will begin copying files. Once it is completed you
have the opportunity to read the README file or select Yes or No for a reboot.
Select Yes and ensure that your machine starts up with no errors.

3.4.1 Installing the operating system patches


One thing that everyone must do no matter what operating system you are
running is to install patches as they are released by the developers. NetWare is
no exception.

The patch can be downloaded from http://www.support.novell.com by selecting
Minimum patch list.

Notes:
• Know the location of the patch files.
• You no longer need to type LOAD before an NLM name.
• Ensure that no one is logged in with DLLs open because this may cause the
server to abend.
• Depending on what services are loaded (for example LDAP) you may be
required to log in during the patch installation. So don’t walk away expecting it
to finish on its own.

To install the patches, do the following:


1. Type NWCONFIG at the server console.
2. Select the Product option.
3. Select Install a product not listed and press Enter.
4. Press F3 to specify a path to where the patch files are located.
5. Type the path to the patch, ensuring you have included the volume in the
information and press Enter.
6. You should see Figure 22:



NetWare Configuration

+-- Other Installation Items/Products --+


| |Install Unix Print Services |
| |Install Other Novell Products |
+------------------------------------------------------------------------------+
| Indicate which file groups you want installed: |
|------------------------------------------------------------------------------|
| [X] Backup files replaced by NetWare 5 Support Pack v2.0. |
| [X] Install NetWare 5 Support Pack v2.0. (49 MB) |
| [ ] Tivoli Ready TMA (2 MB) |
| |
| |
+------------------------------------------------------------------------------+
+------------------------------------------------------------------------------+
| "Backup files replaced by NetWare 5 Support Pack v2.0." Help |
| |
| The Backup Files option will backup files before overwriting. These files |
| are copied to the path SYS:\SYSTEM\BACKSP2 |
| |
+------------------------(To scroll, <F7>-up <F8>-down)------------------------+
Accept marked groups and continue <F10>
Mark/unmark a file group <Enter> Previous screen <Esc>
Help <F1> Abort nwconfig <Alt><F10>

Figure 22. Installing patches

The window gives you three choices. These can be selected using the arrow
keys and the space bar:
a. Back up the files — make sure there is enough room on your SYS: volume
b. Install support pack
c. Install Tivoli Ready TMA
Select the ones that you require and press F10 to save and continue.
7. There are two warnings — press Enter at both of these.
8. During the installation, certain NLM windows such as NWCONFIG will become
unavailable. The copying of the files is a fast process.
Then it will take a few minutes to decompress all the files in the patch. When
the installation is finished, press Enter and Esc to exit NWCONFIG.
9. Reboot the server.
Note: When rebooting the machine after installation ensure that you do not
choose Restart Server as this will not upgrade SERVER.EXE.

3.4.2 Installing NDS 8 and ConsoleOne


Once the basic installation is complete, the next step is to upgrade to NDS
Version 8. There are two scenarios for installing NetWare 5:
• A totally new installation with no other NetWare servers in the network
• There are existing NetWare servers in the network, and NDS and licensing
have been upgraded to accommodate the new NetWare 5 server’s NDS



To upgrade to NDS 8 the prerequisites are the same; and therefore, if all the
prerequisites have been met, it is advisable to upgrade to the latest version now
and avoid any future work or down time due to another upgrade.

Note: One thing listed in the README that could be a show stopper for the
upgrade is that some of the backup utilities use explicit IDs to reference the NDS.
NDS 8 has new explicit IDs. Therefore, the backup utility may not be able to back
up this new version of NDS. So ensure you check with the backup vendor prior to
proceeding with the upgrade.

The minimum requirements for NDS 8 are:


• NetWare 5 server.
• NetWare Service Pack 1 or higher. We suggest using the Service Pack 2 (or
higher).
• Administrative rights to the root of the tree, since the server’s schema must be
updated.

Note: General install


• Ensure that all users are logged out, because the server will reboot during
the installation.
• Comment out all applications that rely on the command buffer such as
database products, ZENworks, BorderManager and ManageWise. This can
be accomplished by editing the AUTOEXEC.NCF file and placing a # or ; or
REM prior to the statement.
• Ensure DSrepair is closed.
• If you require ephemeral (short-lived) TCP/IP ports for SSL connections
then NICI 1.2.0 is required, which can be downloaded from
http://www.novell.com/catalog/catindex.html.
• For the testing phase of the install, you will need 1 to 2 KB per object and
this space must be on the SYS: volume.
• For IP-only networks, IPX must be loaded, since Btrieve needs IPX. It
can be loaded manually, and then on the reboot it will not load.

The installation steps are:


1. Place the files required for NDS 8 on the NetWare server volume and take
note of the path to these files. The size of the NDS 8 files is around 50 MB.
2. If you are installing on a server that does not hold a copy of the Root directory,
then ensure the steps below are followed; otherwise go to step 3:
a. Download DSrepair for the version of the operating system that you are
running from http://support.novell.com/search/ff_index.htm and then
search for DSrepair.
b. Expand and copy the correct version of DSrepair into the SYS:\system
directory of a server having a copy (Master or Read/Write).
c. Run DSrepair. Select Advanced options > Global Schema Operations >
Post NetWare 5 schema update and press Enter.
d. You will then be prompted for the admin password. Ensure that you use
either a relative distinguished name or a relative typeless name.



3. Start NWCONFIG.
4. Select the following options, pressing Enter each time: Product options
> Install a product not listed. Then press F3 to specify the path that you have
noted in the worksheet.
5. The files begin to copy immediately. You are not asked to confirm that you
want to install, or to select NDS 8 for installation. This is different
from most applications installed this way, so ensure that you are ready to
install NDS 8.
6. The server will then reboot and put you back to ConsoleOne. Press Alt + Esc
to take you to the System Console and there will be a prompt stating that you
must have all volumes mounted for the trustee assignments to be upgraded.
Either use the VOLUMES command to see that all volumes are mounted, or type
the command:
MOUNT ALL
7. Once this is complete, the install will update the NDS and for this it needs the
admin user and password. Enter these using a relative typeless or
distinguished name.
8. The server now needs to reboot and this can be done now or later. Select
Restart now. If you select No then ensure that you do not use the RESTART
SERVER command, since this method does not update SERVER.EXE.
9. Edit the AUTOEXEC.NCF so that all the applications that you commented out
are now commented back in. Reboot to ensure that the server comes up the
way it should.
If you need to upgrade the security services, then refer to Page 19 of the NDS
8 Overview and Installation manual. You will be prompted if you require this by
an error on the NetWare 5 server console, as shown in Figure 23:

NetWare 5 LDAP v3 for NDS


Version 3.10 December 16, 1998
Copyright 1997, 1998 Novell, Inc. All rights reserved.
NLDAP: LDAP has not been configured with a valid SSL certificate.
SSL connections will fail until configured.
See Novell PKI Services and LDAP Services for NDS
help for more information.

Figure 23. System console error for security when upgrading NDS 8

10.Setting the cache size for the NDS increases the performance of NDS and
should be changed. The setting will be based on the applications that are
installed on the server and the amount of cache required by the server for the
normal file and print functionality.
Therefore there will have to be some adjustment as to the cache size during
the first few weeks of the server’s run time to ensure optimum performance.
The basic rules for the cache are:
– If the machine is running other services the server should have enough
memory so that the cache can be set to 40% of the server memory.
– If the machine is running NDS only then set it as high as the cache will
allow, up to 80%.



There are two cache commands: one uses the hexadecimal format and the
other standard megabytes. If you wish the hexadecimal format, see page 20 of
the NDS 8 Installation and Overview document. The megabytes command is:
set dstrace=!mb[megabytes]
So for 16 MB, the command is:
set dstrace=!mb16
Post-installation tasks
• Set up ConsoleOne
• If you have not installed the WAN traffic manager previously you will need to
run the NetWare 5 install and install the WAN manager without updating the
NLM.
• Force backlinker updates by using the command set dstrace=*B.
• Ensure that you update all versions of the DSrepair utility on all servers.
• The first time that DSrepair is run there will be some errors. Refer to the
README.TXT file that comes with the installation files.
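
The general install note and step 9 above have you comment applications out of AUTOEXEC.NCF before the NDS 8 install and comment them back in afterwards. The following Python script is an added example, not part of this guide or of any Novell tool: run against a copy of the file on an administrative workstation, it tags the lines it disables so that the restore step cannot re-enable a line that was already commented out. The REM NDS8-HOLD marker, the sample file and the module names in it are constructed for illustration.

```python
import re

# Hypothetical marker; it lets restore() undo only what hold() disabled.
MARKER = "REM NDS8-HOLD "

# The guide lists three ways to comment an NCF line: "#", ";" or "REM".
# \b keeps a command such as "REMOTE" from being mistaken for a REM comment.
COMMENT_RE = re.compile(r"^\s*(#|;|REM\b)", re.IGNORECASE)


def _eol(text):
    """Keep the DOS line endings that NCF files normally use."""
    return "\r\n" if "\r\n" in text else "\n"


def hold(ncf_text, keywords):
    """Comment out active lines that mention any keyword (case-insensitive).

    Returns (new_text, held_lines). Lines that are already comments are left
    untouched, so running hold() twice changes nothing and restore() cannot
    switch on something an administrator disabled on purpose.
    """
    wanted = [k.upper() for k in keywords]
    out, held = [], []
    for line in ncf_text.splitlines():
        active = bool(line.strip()) and not COMMENT_RE.match(line)
        if active and any(k in line.upper() for k in wanted):
            held.append(line)
            out.append(MARKER + line)
        else:
            out.append(line)
    eol = _eol(ncf_text)
    return eol.join(out) + eol, held


def restore(ncf_text):
    """Strip MARKER from the lines hold() disabled; leave other comments alone."""
    out, restored = [], []
    for line in ncf_text.splitlines():
        if line.startswith(MARKER):
            line = line[len(MARKER):]
            restored.append(line)
        out.append(line)
    eol = _eol(ncf_text)
    return eol.join(out) + eol, restored


# Constructed sample file; the module and path names are placeholders.
SAMPLE_NCF = "\r\n".join([
    "FILE SERVER NAME SERVER1",
    "MOUNT ALL",
    "LOAD EXAMPLEDB.NLM",
    "; LOAD OLDAGENT.NLM",          # already disabled by an administrator
    "SYS:\\EXAMPLE\\STARTAPP.NCF",
]) + "\r\n"

# Constructed keywords naming the applications to hold back during the upgrade.
APP_KEYWORDS = ["EXAMPLEDB", "STARTAPP", "OLDAGENT"]

if __name__ == "__main__":
    held_text, held = hold(SAMPLE_NCF, APP_KEYWORDS)
    print(held_text)
    restored_text, _ = restore(held_text)
    print("held lines:", held)
    print("round trip intact:", restored_text == SAMPLE_NCF)
```

Keywords are matched as substrings of the whole line, so choose ones specific enough not to catch core server commands.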

Installation of ConsoleOne is based on Version 1.2. The older version is left intact
on the server, which can be a little confusing, because there are multiple
directories housing different versions of ConsoleOne. At present, it is not possible
to run ConsoleOne on the NetWare file server, but this is under development.
The workstation requirements are:
• 64 MB RAM
• 200 MHz
• NetWare 5 client software

The installation is similar to most Windows installations and should therefore be
familiar to all users. The path to the files required is:
SYS:\PUBLIC\MGMT\CONSOLEONE\1.2\INSTALL.

Map a drive to this directory and run the setup program in that directory. The
workstation will need to be rebooted after the installation.

3.5 Creating NSS volumes


In this section we discuss how to configure and create Novell Storage Services
(NSS) volumes. You will need at least 10 MB of space on a disk not already
partitioned. For information about NSS, see 2.7, “Novell Storage Services” on
page 34.

Follow these steps:


1. Load NWCONFIG at the server console and select NSS disk options. Figure
24 appears.



+---------------------------------------------+
| Available NSS Options |
|---------------------------------------------|
| |Storage (configure NSS storage)|
| |NSS Volume Options (configure NSS volumes)|
| |Return to the previous menu |
+---------------------------------------------+
Figure 24. NSS options window

2. Select Storage. Figure 25 appears.


+----------------------------------------+
| Available NSS Storage Options |
|----------------------------------------|
| Update provider information (optional) |
| Assign ownership |
| Release ownership |
| View free space |
| Return to the previous menu |
+----------------------------------------+
Figure 25. NSS storage options

If you have not changed anything while NWCONFIG is loaded then you will not
need to update provider information. Select Assign ownership.
3. Select the areas of free space that you want ownership of.
4. Press Esc and then select the NSS volume options. You will be prompted to
log in as the administrator at this point. Make sure that you type in the correct
context. For example, .admin.au. Figure 26 appears.
+--------------------------------+
| Available NSS Volume Options |
|--------------------------------|
| Create |
| Modify |
| Delete |
| View volumes |
| Return to the previous menu |
+--------------------------------+
Figure 26. NSS volume options

5. Select Create. Figure 27 appears.


+---- Select Create Option ----+
| Storage Group |
| NSS Volume |
| Return to the previous menu |
+------------------------------+
Figure 27. NSS volume creating options

6. Select Storage Group and select the free space that you previously wanted to
manage. This can be split into several groups or one big group.
7. Press Esc and select NSS Volumes. You should see the pieces of free space
that you have selected previously. Select the free space that you want to make
a volume and press Enter.



8. Name the volume, press Esc and you now have a working NSS volume.

If you have problems seeing the free space in the first place, select Update
Provider Information and enter of the two available providers. The NSS
providers will then go out and integrate the disk systems again.

3.6 Installing ZENworks


The ZENworks starter pack that is included with NetWare 5 is a product that can
help with total cost of ownership of user desktops. As it is part of the NetWare 5
bundle, we have included it as an installation that should be carried out as if it were
a part of the operating system. The benefits and features of the starter pack are
discussed in 2.4, “ZENworks” on page 29.

The ZENworks starter pack is included as a separate CD that, when inserted into
a workstation, will start automatically and allow you to choose ZENworks as
an installation.

There are certain choices that must be made and these tie in to choices made
earlier when we said that a solid NDS design will give you a solid and easily
managed network. ZENworks needs the same forethought and consideration
when installing and telling it what context to put items in.
1. Select English.
2. Select ZENworks.
3. Select Install ZENworks.
4. A warning message appears asking you to ensure that no clients are
logged in, because the installation adds to the NDS schema. Click Next.
5. On the license agreement screen, click Yes.
6. Selecting the custom installation allows you to add or remove the components
that you want, as shown in Figure 28:

Figure 28. ZENworks custom choices



7. We selected custom, because it lets you copy the client code to the network.
Click Next.
8. Figure 29 shows the components that can be installed.

Figure 29. ZENworks installation components

9. As can be seen from Figure 29 there are certain things that may be left
uninstalled. We suggest leaving the defaults as all these components are part
of the ZENworks package. Select Next.
10.The server that you are connected to will appear in the list of servers that you
wish to install ZENworks on to. If you are authenticated to multiple servers
then all servers will show on the list. Select the servers that you wish to install
ZENworks on and select Next.
11.Select the language that you wish installed. Depending on the CD that you
have, you may have one or many choices. Select Next.
12.A summary window is displayed. Select Next.

Figure 30. ZENworks install workstation rights

13.Figure 30 appears where you specify the rights for the workstation object.
There are specific rights that workstations need to write information to the NDS.
Make sure that you check the box that says include subcontainers; press
Next.
14.You will be prompted that the process was successful. You can then leave the
check boxes at their defaults and let the install program launch the readme
and/or the setup log; click Finish.
15.Once this is done, you need to configure the installation; refer to 3.6, “Installing
ZENworks” on page 58. Also, there is a very in-depth book downloadable from
the ZENworks cool solutions home page at
http://www.novell.com/coolsolutions/zenworks/downloadables.html

3.7 Installing BorderManager


BorderManager as discussed in 2.1, “BorderManager” on page 15 is a
compilation of products. In this section, we will be installing Enterprise Edition V3.
This incorporates all the products in one, enabling the customer to configure and
implement all the services offered by BorderManager. For more information go to
2.1, “BorderManager” on page 15.

The installation is based on the Java ConsoleOne and must therefore be installed
from the Novell server console. This installation is based on NetWare 5 with the
latest service pack installed but not NDS 8. (For information on installing NetWare
5 and the service pack refer to Chapter 3, “Installing NetWare” on page 41.) The
reason for this was that all the literature that was available to us was based on
NetWare 5. The install was tested with NDS 8 and the install and configuration
worked the same.

Note

It is a good idea to ensure that you have all the TCP/IP communication set up,
tested and working prior to installing BorderManager, since when the filters are
set up you may find it difficult to know what is failing: the filters that you set up
or the IP configurations.

Also ensure that you have run INETCFG once prior to installing BorderManager.

The information that you will require prior to starting the install is:
• Version of BorderManager that is being installed, such as the proxy firewall
services, or the full Enterprise edition.
• CD-ROM support loaded on the Novell server, with the BorderManager CD
inserted and mounted as a volume.
• Decision on which of the network interfaces will be public or private. Also
decide whether you want them secured and whether you want the proxy services
loaded for the private interfaces.
• TCP/IP configuration information.
• A security policy from the company so that you know what to allow in and out.

3.7.1 Installing
1. Make sure that the BorderManager CD is in the CD carrier and that you have
loaded the CD-ROM NLM by typing CDROM at the server console. With NetWare
5 the CD will mount automatically and will not index as in the past versions
due to the NSS services as discussed in Chapter 1, “What’s new in NetWare
5” on page 1.
2. Using ConsoleOne at the server console select Install.
3. Click New Product. This is where you can install other items that were not
installed during the NetWare 5 installation.
4. Browse to the CD that is mounted or type the path and click OK.
5. The install will start copying files. These files are only used for the install, not the
actual BorderManager installation. Follow the prompts until you reach the
window with the license agreement.
6. Read and accept the license agreements by clicking Accept the license
agreement.
7. You can select to use the trial licenses if you are testing or waiting for licenses
to arrive. In the path window the A: drive is already listed and if you click Next
you will be prompted that there are two license files and that you will be placed in
a browse window to select the one that you require.
The licenses for the NetWare 5 operating system that comes with
BorderManager enterprise edition are placed in the same directory. The
browse window will show two files; select the one that starts with BM. The one
that we had during our installation was BMEEFULL.NLF. Highlight the one that
you want and click OK and then Next.
8. The next window is a summary of the services that you are installing and when
the licenses will run out if some of the services are installed with trial version
licenses. Click on Next.
9. If the server has had Novell Internet Access Server (NIAS) in the past this
installation will overwrite this installation but keep all configurations. Click
Next.
10.The next piece of information that is required is the network card setup.
Whether the card has a private and public interface will depend on the
configuration of the machine on which you are working. If in doubt what is
public and what is private, look in Chapter 8, “Scenarios” on page 173.
11.If you select the interface to be public, an additional check box is enabled,
letting you secure all public networks. This should be checked, since it is far
more secure to enable this and then allow the communications throughout.
If you select the interface to be private, an additional check box is enabled
letting you set a proxy for this interface. If this proxy setting is also checked it
sets up access control so that no one has access by default. This may mean
that if you have one card you may lose communication with it.
If you get really stuck enter FILTCFG at the server console, which displays
Figure 31.



Filter Configuration 4.00 NetWare Loadable Module

+------------------------------------------+
| Filter Configuration Available Options |
|------------------------------------------|
| Configure TCP/IP Filters |
| Configure IPX Filters |
| Configure AppleTalk Filters |
| Configure Source Route Bridge Filters |
| Save Filters To A Text File |
| Configure Interface Options |
+------------------------------------------+

Choose from the list of supported protocols.


ENTER=Select ESC=Previous Menu F1=Help

Figure 31. FILTCFG command

a. Select Configure TCP/IP Filters and press Enter. Figure 32 appears.

+-------------------------------------------------------------+
| TCP/IP |
|-------------------------------------------------------------|
| |Global IP Logging Disabled |
| |Outgoing RIP Filters Enabled |
| |Incoming RIP Filters Enabled |
| |Outgoing EGP Filters Enabled |
| |Incoming EGP Filters Enabled |
| |OSPF External Route Filters Enabled |
| |Packet Forwarding Filters Enabled |
+-------------------------------------------------------------+

Figure 32. Configuring TCP/IP filters

b. Select Packet Forwarding Filters and press Enter. Figure 33 appears.

+-------------------------------------------------+
| Packet Forwarding Filters |
|-------------------------------------------------|
| Status: Enabled |
| |
| Action: Deny Packets in Filter List |
| (Permit Packets Not in Filter List) |
| |
| Filters: (List of Denied Packets) |
| Exceptions: (List of Packets Always Permitted) |
+-------------------------------------------------+
Figure 33. Packet forwarding filters



c. Move the cursor to Status and press Enter to change to Disabled. Press
Esc to exit FILTCFG. This will disable the filters and allow you access until
you sort out what you need and what you don’t. Make sure that you
disconnect from the public network until you have sorted out your security.
Return to the ConsoleOne screen to continue the installation.
12.If you have configured TCP/IP as suggested at the start of this section then
this information will be entered for you in the next screen, which is the DNS
information. If the DNS domain is not listed, enter it and click Next.
13.Once again, if the information for the IP address of the DNS servers is not
listed then enter the information and click Next.
14.A summary screen is shown. Click Next and the installation will begin.
15.As the installation continues, there may be some conflicts with files that are
being installed and files installed by the service pack. The files that are in the
service pack are more recent and should be left. So select Do not overwrite
and then click OK.
16.There will be other conflicts and if you are confident that all will be OK then you
can select Do not warn for any conflicts and click OK.
17.You will then be prompted to reboot; click OK.

3.7.2 Installing patches


Only the 40-bit version of the patches is normally available. To obtain the 128-bit
version, go to
http://ez.ic3.com/pages/novell_ez/templates/nicius.htm?novell_ez+870-000317-001

If you install the 40-bit patch on a 128-bit system, the VPN security will be
downgraded.

Note: you should know the location of the patch files before you start.
1. Start NWCONFIG from the console.
2. Select the Product option.
3. Select Install a product not listed and press Enter.
4. Press F3 to specify a path to where the patch files are located.
5. Type in the path to the patch, ensuring you have included the volume in the
information, and press Enter.
6. You should then see the Welcome screen. Press Enter.
7. You will then see Figure 34, warning you about installing older versions of files
due to patches already installed.



+----------------------------------------------------------------------+
| File Copy Status (Main Copy) |
| |
| |
| |
| |
+----------------------------------------------------------------------+
| Warning: A file that is being installed would downgrade existing |
| file SYS:SYSTEM\NLS\4\PROXY.MSG to an older version. Currently |
| installed software that uses this file may not work correctly if you |
| allow it to be overwritten. It probably should not be overwritten. |
| |
| However, in the confirm box that follows, you may continue and |
| overwrite this file anyway, if you wish. (nwconfig-5-451) |
| |
| Press <Enter> to continue. |
+----------------------------------------------------------------------+
Figure 34. Installation warning

8. Press Enter and the file copy process begins. If there are existing files of the
same name you will see Figure 35.

+---------------------------------------+
| Select an action: |
|---------------------------------------|
| |Continue and overwrite file PROXY.MSG|
| |Do not overwrite the file |
| |Always overwrite newer files |
| |Never overwrite newer files |
| |Abort copying |
+---------------------------------------+

Figure 35. Overwriting existing files

9. Select Never overwrite newer files and then press Enter.

10. When the files have been copied, one final message appears.

+------------------------------------------------------------------------+
| |
| Novell BorderManager 3.0 patch installation is complete. |
| This patch includes new NLMs, VPN client and snapin files. |
| Please restart the server, then run BorderManager snapin setup again. |
| If you use VPN client, please reinstall VPN client. |
| |
| Press <Enter> to continue. |
| |
+------------------------------------------------------------------------+

Figure 36. Patch installation completed

11. If you have already installed the snapin, ensure that you reinstall it. Any
VPN clients already installed will also need to be reinstalled with the latest
version of the client.
12.Reboot the server.



3.7.3 Installing the snapin for administration
As part of the BorderManager installation, a snapin is required for NWAdmin. This
snapin is required to get the features that BorderManager has added to the NDS
schema.
1. Ensure that you are logged in to the server and have sufficient rights to map
the following drive:
SYS:\PUBLIC\BRDRMGR\SNAPINS
Once this drive is mapped run the SETUP executable in this directory.
2. A welcome screen is displayed. Click Next.
3. The installation will find where the NWAdmin utility is. If it does not, then type
the path or browse to the NWAdmin utility. Normally it is in
SYS:\PUBLIC\WIN32. Click Next.
4. The installation then copies the files and then asks if you want to view the
README.
5. The installation asks if you would like to run NWAdmin.
6. The other application that must be installed is the DNS/DHCP service
manager. Go to the SYS:\PUBLIC\DNSDHCP directory and run SETUP.
This will install the manager for those services and allow you to launch it
either from NWAdmin or from the icon on the desktop.

Next, the more difficult part of the installation of BorderManager is the
configuration of the services that you require. This will depend on the security
and services you want to run. For some examples, refer to Chapter 8, “Scenarios”
on page 173.

3.8 Installing ManageWise


We are not covering ManageWise in depth in this book. We do, however, need it
to gather some of the information on the traffic that flows between the servers. So
we cover the installation of ManageWise, discuss it as a product and use it in a
scenario.

To install ManageWise on the administrator’s workstation:


1. Put the CD-ROM into the machine making sure that you have mapped to the
SYS: drive that you want to make the ManageWise server.
2. Select Install ManageWise. The first window will ask if you want to install or
add licenses. Select Install ManageWise.
3. Figure 37 appears prompting you to select the server that you want to install
to.



Figure 37. ManageWise target server

4. Ensure that you select the drive that you mapped to the SYS: drive; in our
case it was the H: drive. If you do not have one mapped, click Network and do
so.
5. We selected the custom install. Figure 38 appears.

Figure 38. ManageWise custom install options



6. Since we wanted to make this a NetExplorer server (one that maps the
network to the ManageWise console) and we also wanted to install the
ManageWise console, we selected all options then pressed Continue.
7. Follow the prompts and after the files have been copied you are shown a
summary of what has been installed, as seen in Figure 39.

Figure 39. Installation status

8. If you click Post-Install Setup, you will be shown the tasks that you need to do
to complete the different components available in ManageWise.
9. From there you are prompted to update the configuration files. These files are
changed by the ManageWise installation to enable you to run the required
options on the NetWare server.
10. Finally, we copied the ManageWise files to the other server that we wanted to
manage and edited the AUTOEXEC.NCF file to add the same command that
was added by the ManageWise installation. This command starts MW_AUTO.NCF.
This NCF loads USER.NLM and LDISCAN.NLM. LDISCAN refers
to a file to determine what the server name is and where it should put some
information. You must edit MW_AUTO.NCF and ensure that the server name is
correct after the load statement for LDISCAN. For more information, see the
ManageWise CD, which has all the documentation in PDF format.

3.9 NDS objects and security


The main emphasis of the newer versions of NetWare is NDS and the
benefits that can be derived from an object-based hierarchical directory tree. NDS
allows us to allocate file system rights, access rights, and resources based on
the objects in NDS.

In this chapter we will describe the types of objects and how they can be used to
allocate file system security. All other security systems use the objects in much the
same manner and can therefore be worked out based on our discussion of file
system security. To get to the file system security we must first log in
and gain access to the network. This is a form of access security and will also
allow users access to printers or to the Internet via a BorderManager firewall.

3.9.1 File and directory rights


This section describes file and directory rights. This will help you understand how
the rights given to a file or directory either allow or prevent certain actions from
being performed.

The basic rights for file and directory objects are:


• Supervisor: Allows users who have been given this right to do whatever
they wish. They can allocate access to other users and this right cannot be
blocked. If a user is given supervisor rights to the server object, they will gain
total control over all files and directories.
• Read: Objects given the read right are able to open and read the file and run
the executable as long as the application does not need to write to the
directory or file.
• Write: This right allows the objects to open and change the contents of the file.
• Erase: As the name suggests, the object given this can delete the files and
directories.
• Modify: The name or the attributes of the file and directory can be changed.
• File Scan: Makes it possible to see the files and directories but that is all.
• Access control: The objects that have this right are able to change the access
of other objects to these files and directories.

3.9.2 Objects
File and directory rights must be based on the object’s rights to the files and
directories. The different types of objects will depend on the type of rights that are
given to the files. Objects that contain many user and group objects, such as a
container, should not be given supervisor rights to everything as the rights flow
down, so all other objects inside the container will also have supervisor rights.

The basic types of objects are:

• User: This is a leaf object, which means that it does not have any other objects
below it in the NDS tree, and that it represents a person who logs on to the
network and will want access to certain files and directories. The user object
also contains certain properties that are relevant to users, such as phone
number, e-mail address and password restrictions.
• Group object: The group object is also a leaf object and contains properties
relevant to a group and the list of users that are part of the group. When an
administrator gives the group certain rights to files or directories, then all the
users in the group get those rights.
• Container: These objects include [ROOT], Organization and Organization unit.
These objects contain other objects below them in the NDS tree. The [ROOT]
object contains all other objects, such as the Organization, and the
Organization contains the Organization unit. These containers can and should
be used as groups. As discussed in 3.9.4, “NDS security” on page 69, the
Organization is divided into areas based on geography and there will be
certain access or file rights that will be used by all those in that geographical
area.

3.9.3 File and directory security


Now that we know the types of rights and the types of objects, we will show how
the security for file systems works. The main aim is that you get an understanding
of the rights and how they flow down the tree.

If a user is given specific rights at one level of the file tree then the rights flow
down to the subdirectories and files. The only way this flow can be blocked is via
an inherited rights filter (IRF).

[Diagram: a User object with [RWF] rights on a Volume that contains Directory 1
and Directory 2 (which has an IRF of [RF]), their subdirectories, and files.]

Figure 40. File system security

Following Figure 40 above, the user has been given read, write and file scan
rights [RWF] at the volume level. Therefore the rights flow down and the user has
the same rights at Directory 1 and 2. However, at Directory 2 there is an IRF set
that stops the [W] from passing through. Therefore they only get the [RF] rights
and this flows down to all subdirectories and files.

3.9.4 NDS security


In the same way that you allow access to the network or files, you can allow
access to the NDS. NDS security is separate from the file system and login
security. NDS security allows the administrator to allow access to certain NDS
objects while stopping access to others. For example, if an administrator wanted
to hide an object, such as an administrator equivalent created in case the real
administrator was deleted, he could hide this from all users and only he would
know that it was there.

As in file system security, a user or object must be given a trustee assignment or
given rights so that it has the correct rights to that object. The rights then
flow down to the NDS objects below it. In the case of a leaf object the NDS rights
will only be relevant to itself. The main differences between file system and NDS
security are:
• There are two sets of rights: object and property.
• Rights do not flow from the NDS object to the file system except for the one
instance already mentioned.
• The supervisor right can be blocked in NDS security.
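
The flow of rights described for Figure 40, and the difference noted in the list
above (the supervisor right can be blocked by an IRF in NDS but not in the file
system), can be reproduced with a small model. The following Python code is an
added example, not part of the original redbook or of any Novell tool; the
function names, the sample paths and the NDS container names are constructed
for illustration.

```python
"""Model of how NetWare rights flow down a tree and how an IRF filters them.

Added illustration: the helper names, paths and container names are constructed.
"""

# File system rights: Supervisor, Read, Write, Erase, Modify, File scan,
# Access control.
FS_RIGHTS = "SRWEMFA"
# NDS object rights: Supervisor, Browse, Create, Delete, Rename
# (here "R" is Rename, not Read).
NDS_OBJECT_RIGHTS = "SBCDR"


def _fmt(rights, alphabet):
    """Return the rights as a string in the canonical order of `alphabet`."""
    return "".join(r for r in alphabet if r in rights)


def flow_rights(nodes, granted_at, granted, irfs, alphabet, supervisor_blockable):
    """Compute the rights one trustee ends up with on every node.

    nodes      -- paths such as "VOL/DIR2/SUB1" ("/" separates the levels)
    granted_at -- path where the trustee assignment was made
    granted    -- rights granted there, for example "RWF"
    irfs       -- {path: rights that the IRF on that path lets through}
    alphabet   -- FS_RIGHTS or NDS_OBJECT_RIGHTS
    supervisor_blockable -- False for the file system, True for NDS
    """
    unknown = set(granted) - set(alphabet)
    if unknown:
        raise ValueError(f"unknown rights: {sorted(unknown)}")

    result = {}
    for node in nodes:
        if node != granted_at and not node.startswith(granted_at + "/"):
            result[node] = ""  # outside the subtree: nothing flows here
            continue

        rights = set(granted)
        # Walk from the level below the assignment down to this node and
        # apply every IRF met on the way. The IRF only filters what is
        # inherited, so the node holding the assignment is not filtered.
        below = node[len(granted_at):].strip("/")
        current = granted_at
        for part in (below.split("/") if below else []):
            current = f"{current}/{part}"
            if current in irfs:
                allowed = set(irfs[current])
                if "S" in rights and not supervisor_blockable:
                    allowed.add("S")  # file system: Supervisor passes any IRF
                rights &= allowed

        if "S" in rights:
            rights = set(alphabet)  # Supervisor means total access
        result[node] = _fmt(rights, alphabet)
    return result


def figure_40():
    """The Figure 40 case: [RWF] at the volume, IRF [RF] on Directory 2."""
    nodes = ["VOL", "VOL/DIR1", "VOL/DIR2", "VOL/DIR2/SUB1",
             "VOL/DIR2/SUB1/FILE.TXT"]  # constructed paths
    return flow_rights(nodes, "VOL", "RWF", {"VOL/DIR2": "RF"},
                       FS_RIGHTS, supervisor_blockable=False)


def supervisor_vs_irf():
    """Same kind of IRF against a Supervisor grant, file system versus NDS."""
    fs = flow_rights(["VOL", "VOL/DIR2"], "VOL", "S", {"VOL/DIR2": "RF"},
                     FS_RIGHTS, supervisor_blockable=False)
    nds = flow_rights(["O=ORG", "O=ORG/OU=SYD"], "O=ORG", "SBCDR",
                      {"O=ORG/OU=SYD": "B"},
                      NDS_OBJECT_RIGHTS, supervisor_blockable=True)
    return fs["VOL/DIR2"], nds["O=ORG/OU=SYD"]


if __name__ == "__main__":
    for path, rights in figure_40().items():
        print(f"{path:26} [{rights}]")
    print("Supervisor below an IRF (file system, NDS):", supervisor_vs_irf())
```

When reviewing a tree, the practical consequence is that an IRF limits a
supervisor-level trustee in NDS, while in the file system the same filter has no
effect on a trustee holding the supervisor right.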

3.9.4.1 Object rights


Object rights allow a user to view, delete, or rename an object. The object rights
treat the object as a whole unit and the object rights refer to the object as that
unit. The types of rights are:
• Supervisor: Allows total access to the object and can be blocked via the IRF.
• Browse: Objects granted trustee rights are allowed to see the object.
• Create: It is possible to create an object below the object for which the
trustee assignment has been given.
• Delete: As the name suggests.
• Rename: Allows the renaming of the object.

3.9.4.2 Property rights


These rights allow the control of specific properties within the object. If a trustee
assignment has been made and you want it to flow down, check the All properties
box. In the case of a user you could allow access to the e-mail address, but not
the private phone number. The types of rights are:
• Supervisor: Allows total access to the property and can be blocked via the IRF.
• Compare: Gives the ability to compare and get a true/false answer, but does
not give the ability to see what the value is.
• Read: Gives the ability to read the value and implies the Compare right.
• Write: Grants the right to change and delete the property and implies the Read
right.
• Add self: Is only relevant to properties that contain NDS objects and allows
users to remove themselves from or add themselves to the object.



Chapter 4. Netfinity Manager
Netfinity Manager is IBM's comprehensive hardware systems management
environment for IBM Netfinity and PC Server systems. It provides an easy-to-use
graphical set of local and remote services designed to make the server and client
systems simple and affordable to manage. It is shipped with all IBM Netfinity and
PC Server systems as part of ServerGuide. The whole aim of Netfinity Manager
is to give you, the network administrator, a suite of tools designed to assist in the
management and monitoring of your server platform both remotely and locally
from the server console.

4.1 Introduction
Netfinity Manager operates in a peer-to-peer mode that minimizes the need for
expensive system management hardware. All that is required is the presence of a
physical network or a serial link. Netfinity Manager has its own interprocess
communication (IPC) system that is used for communication between Netfinity
Manager modules and services, locally and when operating remotely over a
network. It has a very flexible modular design that allows for a variety of
system-specific installations and plug-in options to be used.

There are two “flavors” of Netfinity Manager:


1. IBM Netfinity Manager
2. Client Services for Netfinity Manager (Client Services)

In a NetWare environment, you install Client Services on the NetWare servers
and the manager software on the administrator’s Windows system. Only the
Client Services software is available for NetWare.

Netfinity Manager is included with every IBM Netfinity system. One license of the
manager code and 10 licenses of the Client Services are included.

Note: NetWare 5 requires Netfinity Manager 5.20.3 or later. You can download
the latest version of Netfinity Manager from:
http://www.pc.ibm.com/us/netfinity/smtools2.html

or use the following path:

Go to http://www.pc.ibm.com/support
Select Server from the Select a server pull-down
Click Downloadable files
Click Netfinity Manager

IBM Netfinity Manager and Client Services for Netfinity Manager (Client Services)
are both split into two components:
1. Base program, comprised of a group of base services
2. User interface, comprised of a group of matching GUI components

During the installation of Netfinity Manager, all of the base services are installed.
At the same time some optional plug-in modules are also installable. These are:
• Advanced System Management Support
• Capacity Manager
• Remote Workstation Control
• Update Connector Manager
• World Wide Web Enhancement

Each icon in the user interface has a corresponding base service. Each of these
base/GUI combinations is explained in 4.4, “Functions” on page 82.

During the installation of Client Services, only the base services necessary to
control the installed hardware are installed. Depending on the type of client you
request, the matching GUI components are also installed.

Note: All services will be installed if you are installing the Netfinity Manager
regardless of whether the system has a DMI Service Layer, ECC Memory, a
System Partition, a RAID adapter, or a PFA-enabled disk drive. This enables a
network administrator to remotely access these services on other systems within
the network.

We now discuss the two flavors of Netfinity Manager: Netfinity Manager and
Client Services. In 4.4, “Functions” on page 82, we go into detail about each of
the functions.

4.1.1 IBM Netfinity Manager


Netfinity Manager is the managing portion of the system. In the PC environment,
this component would normally be installed on the administrator's workstation
and/or the servers themselves.

Netfinity Manager is used for managing remote systems as well as the server or
workstation it is installed on. As a result, a Netfinity Manager installation includes
the code for all Netfinity functions and communications drivers to enable
management of all other machines with Netfinity installed. As well as having all
the base services locally, it can include the following extra functions if they are
chosen at install time:
• Advanced System Management Support
• Capacity Manager
• Remote Workstation Control
• Update Connector Manager
• World Wide Web Enhancement

For further details on all the Netfinity Manager functions, see 4.4, “Functions” on
page 82.

4.1.2 Client Services for Netfinity Manager


Client Services for Netfinity Manager is the managed portion of the system. It can
be configured in three client modes of operation:
• Stand-alone client — non-networked system that can only manage itself
• Passive client — networked system but cannot manage itself
• Active client — networked system that can manage itself and be managed

When installed on NetWare, Client Services is installed as a passive client and
cannot manage itself. Instead, Netfinity Manager on another machine in the
network must be used to manage the server.



4.1.2.1 Supported platforms
Netfinity Manager runs on the following operating systems:
• OS/2 Warp V3.0, or later
• OS/2 Warp Server (including the SMP version)
• Windows 95 and 98
• Windows NT 3.51 and 4.0

Client Services for Netfinity Manager runs on the following operating systems:
• NetWare 3.12, 4.1, 4.11 and 5.0 (NetWare 5 requires V5.20.3 or later)
• Windows 95 and 98
• Windows NT 3.51 and 4.0
• OS/2 Warp V3.0, and later
• OS/2 Warp Server (including the SMP version)
• Windows 3.x
• SCO UnixWare 7

Netfinity Manager is designed to work with the following network protocols:


• TCP/IP
• IPX
• NetBIOS
• Serial
• SNA (LU 6.2) (except on NetWare and Windows 3.x)

Note: For information on the revisions of network stacks supported, see Chapter
2 of Netfinity Manager Quick Beginnings, 10L9272.

4.2 Installing Netfinity Manager


This section describes how to install on your NetWare server. Only Client
Services for Netfinity Manager is available for NetWare. You can install the Client
Services for NetWare in two ways:
• Server based
• Client based

Security Not Enabled

When you install Netfinity Manager on your NetWare servers, by default, no
security is enabled. To enable security you must access Netfinity Manager on
the server from a Windows workstation on your network, then use Remote
Systems Manager to connect to the server and create a new user ID and
password in the incoming password list. You should then remove access from
the <PUBLIC> user ID.

Warning: Make sure you create a new user ID first before you delete
<PUBLIC> access. Otherwise, you will lose all access to the server from
Netfinity Manager.

See Chapter 2 in Netfinity Server Management, SG24-5208 for more
information about security.



4.2.1 Server-based installation
If you wish to install Client Services for NetWare from your server console, follow
these steps:
1. Insert your ServerGuide CoPilot Applications CD-ROM in your server
CD-ROM drive.
2. Mount the CD-ROM as a volume by typing CDROM at the console.
3. At the console, type:
LOAD <vol:>NETFIN\EN\NETWARE\SERVICES\NETFINST.NLM
where <vol> is the volume of the CD-ROM. Follow the prompts to install the
product.
4. Figure 41 appears where you can select the network driver you want to enable
and make other setting changes:

Netfinity Network Driver Configuration

1: System Name : SYD01


2: Network Drivers : Novell IPX - Enabled
Novell IP - Enabled
3: Keywords
<Not Used>
<Not Used>
<Not Used>
<Not Used>
<Not Used>
<Not Used>
<Not Used>
<Not Used>
4: Network Time-Out : 15
5: Options
6: Save
7: Reset
8: Exit

Select an entry (1-8) ->

Figure 41. Netfinity Manager configuration

These settings are:


– System Name: The name that Netfinity Manager will report to remote
systems. It can be up to 32 characters including spaces.
– Network Drivers: The list of protocols that Netfinity Manager detects. By
default, it enables both IPX and TCP/IP during NetWare installs.
– Keywords: Enter up to 8 keywords that you can use to group specific
systems together. Keywords are case sensitive.
– Network timeout: The number of seconds that Netfinity Manager will wait
when attempting to communicate with a remote system that is not
responding. The default is 15 seconds.
5. Two lines are added to the AUTOEXEC.NCF file. Confirm the change:
SEARCH ADD SYS:NETFIN
LOAD NETFBASE
6. You can either restart the server or simply issue the following two commands:
SEARCH ADD SYS:NETFIN
NETFBASE

Note: If you need to re-configure Client Services from your server console, issue
the command NFCONFIG.

4.2.2 Client-based installation


To install Client Services for NetWare from a Windows NT or Windows 95 client,
follow these steps:
1. Map a network drive of the server you want Client Services installed to.
2. Insert the ServerGuide CoPilot Applications CD-ROM that contains Netfinity
Manager V5.20.3 or later. The CoPilot installation program starts
automatically.
3. Select your language.
4. Select Client Services for Netfinity for NetWare (Installation from a
Windows NT client).
5. Click the Install button.
6. When prompted, change your installation drive to your mapped network drive
and change the directory name to NETFIN.
7. The installation proceeds, copying files to the server.
8. Follow the prompts to add two lines to the bottom of your AUTOEXEC.NCF
file:
SEARCH ADD SYS:NETFIN
LOAD NETFBASE
9. Once the installation is completed, type NFCONFIG at the server console to
configure Netfinity Manager. You will see Figure 42:



Netfinity Network Driver Configuration

1: System Name : SYD01


2: Network Drivers : Novell IPX - Enabled
Novell IP - Enabled
3: Keywords
<Not Used>
<Not Used>
<Not Used>
<Not Used>
<Not Used>
<Not Used>
<Not Used>
<Not Used>
4: Network Time-Out : 15
5: Options
6: Save
7: Reset
8: Exit

Select an entry (1-8) ->

Figure 42. NFCONFIG — configure Netfinity Manager

10. Make adjustments to the settings. These are:

– System Name: The name that Netfinity Manager will report to remote
systems. It can be up to 32 characters including spaces.
– Network Drivers: The list of protocols that Netfinity Manager detects. By
default, it enables both IPX and TCP/IP during NetWare installs.
– Keywords: Enter up to 8 keywords that you can use to group specific
systems together. Keywords are case sensitive.
– Network timeout: The number of seconds that Netfinity Manager will wait
when attempting to communicate with a remote system that is not
responding. The default is 15 seconds.
11. You can either restart the server or manually issue the two commands in
step 8.

Note: If you need to re-configure Client Services from your server console, issue
the command NFCONFIG.

4.2.3 Windows clients


Netfinity Manager is supplied on the ServerGuide CoPilot ApplicationGuide
CD-ROM. Code is included for Windows NT and Windows 95/98 clients.

Insert the CD-ROM and the first window lets you choose a language for displayed
messages. The next screen is the main installation window (Figure 43). Select the
option according to your operating system and click the Install button in the lower
left corner.



Figure 43. CoPilot ApplicationGuide main installation screen in Microsoft Windows NT 4.0

You will be prompted to select what features you want to install.

Figure 44. Netfinity Manager installation



These options are:
• Advanced System Management support — providing support for the
Advanced System Management adapters and processors in servers such as
the Netfinity 5000 and Netfinity 7000 M10.
• Capacity Manager — provides the manager user interface to gather and
process performance data from other systems running Netfinity Manager V5.1
or later.
• Remote Workstation Control — providing the ability for this workstation to take
over the mouse and keyboard functions of another Netfinity Manager system.
• Update Connector Manager — provides a facility to gather information about
various updates available for your client systems and to apply them remotely.
• World Wide Web Enhancement — provides the ability to access this Netfinity
Manager system from a Web browser.

For more information about these and other functions of Netfinity Manager, see
Chapter 2 in Netfinity Server Management, SG24-5208.

After installation, Figure 45 appears, letting you configure the software.

Figure 45. Network Driver Configuration

This window has the following fields:


• System Name
This is the name that Netfinity Manager will report to a remote system. It can
be anything you like up to 32 characters including spaces.
• Network Drivers
This is a list of the protocols that Netfinity Manager detects on your system.
The serial interface is always in the list.
The supported drivers under OS/2 Warp and Windows NT are:
– TCP/IP
– NetBIOS
– IPX
– SNA/APPC
– Serial
• Driver Enabled
By default, all network protocols are disabled. In order for Netfinity Manager
on this system to be accessible via a specific protocol, that protocol driver
must first be enabled.
• Protocol Addressing
If the selected protocol requires addressing information from you, a field will
appear requesting the information, as follows:
– NetBIOS: Network address
– TCP/IP: (none)
– Serial: Unique machine dial-up name
– SNA: Mode name
– IPX: (none)
When enabling the IPX or TCP/IP Network Driver, the network address cannot
be altered and it will not appear on the screen. No field will appear beneath
the Driver Enabled check box if the IPX or TCP/IP Network Driver is selected.
When enabling the NetBIOS network driver, a network address will be
assigned and displayed automatically in the Network Address field. To change
this default name, enter a new address. However, this address must be unique
to the network that the system is on. If this NetBIOS address is identical to the
NetBIOS address of another system on the network, it will prevent Netfinity
Manager from starting properly.
When enabling the Serial Netfinity driver, identify the system with a unique
machine dialup name. This name can be up to 32 characters long, and must
be unique to the system. If this name is not unique, it can prevent remote
Netfinity Managers from using the Serial Connection Control service to access
the system.
• More than one network adapter
If your system contains more than one network adapter, Netfinity Manager will
work with only the first two or four drivers in the binding order:
– NetBIOS: Netfinity Manager works with only the first two network drivers in
the binding order of the NetBEUI protocol. All other network drivers in the
binding order are ignored.
– TCP/IP: Netfinity Manager works with only the first four network drivers in
the binding order.



Figure 46. Multiple Network Adapters

Figure 46 shows a configuration for three network adapters under Microsoft
Windows NT 4.0 at installation time.
The system has two network adapters (one Ethernet, one token-ring) and a
modem installed. The token-ring adapter was installed after the modem and
Ethernet adapter. Therefore the default binding order was:
1. Ethernet
2. Modem
3. Token-ring
Since Netfinity Manager supports only the first two networks in the binding
order for NetBIOS, token-ring was ignored. To correct this we opened Control
Panel > Network > Bindings and adjusted the order of the listed protocols so
that the first two were the ones we wanted to access via NetBIOS.
• System Keywords
Enter your chosen keywords, remembering that they are case sensitive. This
section is optional, but is useful for categorizing the servers and for later
management in the Remote Systems Manager.
• Network Time-Out
The Network Timeout field shows the number of seconds that Netfinity
Manager will wait when attempting to communicate with a remote system that
is not responding. If Netfinity does not establish contact with the remote
system within this time, it cancels the communication attempt and displays an
error. The Network Timeout default setting is 15 seconds. This default setting
may not need to be altered, but is useful for systems that are under heavy load
or are connecting over unreliable or stressed links. Increasing it can help to
correct application timeout problems.

Save your settings by clicking Save and then exit by clicking Exit. Netfinity
Manager is now installed.



For Windows and OS/2, you must reboot once the installation is complete.

4.2.3.1 Security
Once installation is complete, one user ID will be defined in the Security
Manager, with all accesses granted. Since this user ID is the <PUBLIC> user ID,
it means that everyone has access to your system.

The first step after installation and reboot should be to open the Security
Manager, and remove all accesses from the <PUBLIC> user.

Security Not Set By Default!

If you do not change the security settings, any Netfinity Manager system will be
able to access every function on your system. This can lead to disastrous
results.

Don't forget to uncheck the box that authorizes Security Manager access. If this
box remains checked, <PUBLIC> users (that is, those users not having a user ID
and password) will still have the ability to change their security access to all other
functions.

See Chapter 2 in Netfinity Server Management, SG24-5208 for more information
about security.

4.3 Using Netfinity Manager


To use Netfinity Manager you will need to install the manager software on a
Windows workstation connected to your network and the client software on your
NetWare servers. See 4.2, “Installing Netfinity Manager” on page 73 for details.

From the Windows workstation, click the Netfinity Service Manager icon from
the Netfinity program group. The main Netfinity Manager window appears:

Figure 47. Netfinity Manager main window

To access Netfinity Manager installed on the NetWare servers, do the following:


1. Open Remote System Manager
2. Open the All group
3. Click System > Discover Systems. After a few moments, this will find all
systems on your network via all enabled protocols. (For TCP/IP only the local
subnet is searched by default although this can be widened through the use of
a TCPADDR.DSC file as described in Chapter 2 in Netfinity Server
Management, SG24-5208.)
4. Double-click on one of the NetWare server icons. You should see a window
similar to Figure 48.

Figure 48. Netfinity Manager on a NetWare server (Netfinity 3000)

4.4 Functions
The Netfinity Manager main window consists of a set of icons that constitute the
user interface component of Netfinity Manager and provide an interface to the
base services that perform all the interactions with the hardware and
communications drivers.

Figure 49. A Typical Netfinity Manager Window

The functions that are available in a standard installation are briefly discussed
below. Complete instructions on how to use each of these services can be found
in the online help provided with the product or the Netfinity Manager Command
Reference, 10L9270, which is available either as a PDF on the CD-ROM or in
hardcopy if Netfinity Manager is purchased separately.



• Advanced System Management
The Advanced System Management service (recently renamed from Service
Processor Manager) enables communication between Netfinity Manager and
the Advanced System Management processors and adapters. It can be used
to configure and monitor many of your system's features. With the Advanced
System Management service, you can configure events such as POST, loader,
and O/S timeouts, critical temperature, voltage, and tamper alerts and
redundant power supply failures. This service also enables you to dial out and
directly access and control a remote system's Advanced System Management
processor or adapter.
In addition, the Advanced System Management service enables you to
remotely monitor, record, and replay all textual data generated by a remote
system during POST. While monitoring a remote system during POST, you can
enter key commands on your keyboard that will then be relayed to the remote
system. A fuller description of this function can be found in Chapter 4 of the
redbook Netfinity Server Management, SG24-5208.
• Alert Manager
The Alert Manager is an extensible facility that allows receiving and
processing of application-generated alerts. A predefined set of alert profiles is
available to monitor the subsystems of the servers (for example RAID alerts,
PFA alerts, ECC memory monitors).
A variety of actions can be taken in response to alerts, including logging
alerts, notifying the user, forwarding the alert to another system, executing a
program, playing a WAV file, generating a simple network management
protocol (SNMP) alert message, dialing out to a digital pager service (with a
modem), or taking an application-defined action. Actions are user-definable,
using a highly flexible action management interface. For further details see
4.5, “Setting Alerts” on page 87.
• Capacity Management
All Netfinity Manager 5.1 (or later) systems can automatically monitor and
store data on the performance of your system. Up to a month of data is stored
on each system. You can use the Capacity Management feature to collect this
data from multiple systems on your network, compile the data into reports, and
view the data in simple-to-read line graphs. You can use Capacity
Management to:
– Generate reports on data captured within the last month
– Schedule reports to be generated automatically at a later time
– View previously generated reports
See 4.6, “Using Capacity Manager” on page 88 for details on Capacity
Manager.
• Cluster Management
This icon is available when you have the MSCS (Microsoft Cluster Server)
Cluster Administrator installed on your system.
• Critical File Monitor
Critical File Monitor enables you to be warned whenever critical system files
on your system are deleted or altered. There is a set of standard files that can
be monitored, and user-specified files can be added to the list. For example, it
will monitor CONFIG.SYS for changes in its size, date, and time stamp.



• DMI Browser
DMI Browser enables you to examine information about the DMI-compliant
hardware and software products installed in or attached to your system. The
Desktop Management Interface (DMI) is an industry standard that simplifies
management of hardware and software products attached to, or installed in, a
computer system.
• Dynamic Connection Control
The Dynamic Connection Manager function enables remote Netfinity Manager
managers to access your system via a phone line and modem or a null modem
cable, or via the RS-485 connection of the Advanced System Management
device in your server. Your system must have a properly installed and
configured modem that supports at least 9600 bps for the function to work.
Dynamic Connection Manager is discussed in detail in Chapter 4 of the
redbook Netfinity Server Management, SG24-5208.
• ECC Memory Setup
The ECC Memory Setup allows for monitoring of ECC memory single-bit
errors, and can automatically scrub, or correct, the ECC memory when errors
are detected. Also, you can keep a running count of single-bit errors, and can
set a single-bit error threshold that will cause a non-maskable interrupt (NMI)
if the ECC single-bit error threshold is exceeded.
This service supports only specific implementations of ECC.
• Event Scheduler
You can use Event Scheduler to automate many Netfinity Manager services.
With Event Scheduler, you can automatically gather and export System
Information Tool, System Profile, and Software Inventory data, distribute or
delete files, restart systems, execute commands, and access and manage
system partitions on all of the Netfinity Manager systems on your network.
Scheduled events can be performed one time only, or can be performed
according to a user-defined schedule. See Chapter 2 of the redbook Netfinity
Server Management, SG24-5208 for further details.
• File Transfer
You can use the File Transfer service to easily send to, receive from, or delete
files or directories on remote Netfinity Manager systems in your network.
• Power-On Error Detect
The Power-On Error Detect service is available only on Micro Channel
machines. It will install a shrieker system on the system partition, which will
broadcast any POST alert. This alert will be received by all Netfinity
Managers.
• Predictive Failure Analysis
The Predictive Failure Analysis (PFA) service enables you to continually
monitor and manage PFA-enabled and SMART-enabled hard disk drives. A
PFA-enabled hard disk drive features hardware designed to help detect drive
problems and predict drive failures before they occur, thus enabling you to
avoid data loss and system downtime. In addition to the PFA hard disk drives,
Netfinity Manager supports hard disk drives that conform to the SMART
standard.



SMART stands for self-monitoring analysis and reporting technology and is
the successor to the PFA technology that was pioneered by IBM. The PFA
technology subsequently became the ANSI-standard SMART SCSI protocol
and led to the setting up of the SMART Working Group (SWG). The SMART
standard has now been extended to IDE/ATA drives.
All disks in the current server range are either PFA or SMART enabled.
• Process Manager
You can use Process Manager to view detailed information about all
processes that are currently active on any system. You can also stop or start
processes and generate Netfinity Manager alerts if a process starts, stops, or
fails to start within a specified amount of time after system startup. See 4.5,
“Setting Alerts” on page 87 for full description and examples.
• RAID Manager
The RAID Manager service enables you to monitor, manage, and configure an
assortment of RAID adapters and arrays without requiring you to take the
RAID system offline to perform maintenance. Use the RAID Manager to gather
data about your system's RAID array and RAID adapter, rebuild failed drives,
add (or remove) physical drives, perform data integrity tests, and many other
RAID system tasks. This service is available for both stand-alone and network
use by any system that has a supported RAID adapter.
All IBM SCSI RAID adapters are supported by Netfinity Manager.
• Remote Session
You can use Remote Session to establish a text-based command-line session
with any remote Netfinity Manager system. For NetWare servers, this is the
equivalent of an RCONSOLE session.
• Remote System Manager
Remote System Manager lets you access other Netfinity Manager systems in
your network using any of the supported protocols. You can define groups of
systems based on protocol and/or operating system and/or predetermined
keywords and can request that Netfinity Manager automatically detect all
eligible systems and populate the group.
For TCP/IP, automatic discovery of remote systems is, by default, limited to the
local subnet. However, you can specify remote subnets through the use of the
TCPADDR.DSC file. Place this file in the Netfinity Manager directory with the
following information in it:
tcpipaddress subnetmask
where tcpipaddress is the numeric TCP/IP address of any system in the
remote subnet, and subnetmask is the TCP/IP subnet mask for the remote
subnet. For more information, see Chapter 2 of the redbook Netfinity Server
Management, SG24-5208.
• Remote Workstation Control
This feature in Netfinity Manager 5.0 or higher enables you to monitor or
control the screen display of a remote Netfinity Manager system. Once you
initiate a Remote Workstation Control (RWC) session with another Netfinity
Manager system, you can passively monitor events that are occurring on the
display of the remote system or actively control the remote system's desktop.



• Screen View
The Screen View service takes a “snapshot” of any remote Netfinity Manager
system's graphic display and displays it on your screen. This method, although
not interactive, is faster than using Remote Workstation Control if you only
want to see the screen of the remote machine. It also has less impact and
creates less network overhead.
• Security Manager
The Security Manager can prevent unauthorized access to some or all of your
Netfinity Manager services. It uses incoming user ID and password
combinations, and allows only authorized remote users to access the
specified Netfinity Manager functions.
The Security Manager applies only to network use. It does not prevent
unauthorized users from accessing Netfinity Manager functions while they are
working locally. You should implement other local security measures to prevent
this. For further details please see Chapter 2 of the redbook Netfinity Server
Management, SG24-5208.
• Serial Connection Control
When you select Advanced System Management Support during Netfinity
Manager installation, Serial Connection Control is replaced by Dynamic
Connection Manager, which provides network and RS-485 connectivity as well
as the serial connectivity provided by Serial Connection Control.
• Service Configuration Manager
This function enables you to save the configuration of a selected system to a
service configuration file (SCF). Once created, SCF files can be used by Event
Scheduler to restore the configuration back to the same system, or it can be
used (in conjunction with the Event Scheduler) to propagate that configuration
on any other similar systems you choose.
An example can be the System Monitor function. If you define thresholds and
alerts on one system, you can save these in a file using the Service
Configuration Manager. Later, you can distribute this file to other systems,
which then will use these settings for their own system monitor.
• Software Inventory
Software Inventory enables you to make an inventory of software products
installed on the system. You can also manage software product dictionaries to
define products that are not in the default dictionary. You can define these
products based on the SYSLEVEL, or on one or more required files. These
files can be matched by file date and size.
Note: There is currently no way to update the supplied database of software
products that Software Inventory detects.
• System Information Tool
The System Information Tool enables you to quickly and conveniently access
detailed information on the hardware and software configurations of your
system.
• System Monitor
The System Monitor provides a convenient method of charting and monitoring
the activity of a number of components in a system, including processor
usage, disk space used, and network usage. These convenient monitors are
detachable and sizable, enabling you to keep only the monitors you need
available at all times. You can use System Monitor's Threshold Manager to set
threshold levels for any of the monitored components. When exceeded, these
thresholds will generate user-configured alerts.
In Netfinity Manager, extra monitors are included to monitor operating
system-specific features. There are also extra monitors to monitor some
specific hardware values, such as system board temperature and fan speed.
The open architecture of Netfinity Manager also allows other manufacturers to
include their own specific monitors. Examples of these are UPS systems from
American Power Conversion, Inc (APC), where voltage and temperature
monitors are available. See Chapter 2 of the redbook Netfinity Server
Management, SG24-5208-01 for more information on the UPS extensions.
• System Partition Access
System Partition Access is available only on Micro Channel systems that have
a system partition. It allows you to back up and restore system partitions and
to manage files located on the system partition (diagnostic files and adapter
definition files).
• System Profile
The System Profile function enables you to record information that is not
directly related to the hardware or software. Examples are user name,
location, telephone and so forth. Also a lot of system-specific fields are
available, for example, serial number and purchase date. The appearance is
that of a notebook, which makes it easy to use.
• Web Manager Configuration
Most Netfinity Manager functions can be accessed through the Internet or an
intranet via a Netfinity Manager with the Web Manager functions enabled.
Once enabled, you can use any Web browser to perform a subset of the
Netfinity Manager functions.
You can use the Web Manager Configuration service to limit access to specific
TCP/IP addresses or ranges of addresses. When enabled, all authorized
systems running a Web browser can access a subset of the Netfinity Manager
functions. This enables you to do remote system management over the
Internet, without having to install Netfinity Manager.
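An added example, not part of the redbook: a short Python check for the TCPADDR.DSC file described under Remote System Manager (and in step 3 of the access procedure above), which resolves each entry to the subnet that discovery will cover and flags malformed or unexpectedly broad entries. It assumes one "tcpipaddress subnetmask" pair per line; the sample entries, the function names and the 1024-address review threshold are constructed for illustration.

```python
"""Review TCPADDR.DSC discovery entries before deploying the file."""
import ipaddress

# Constructed sample file body (not taken from the redbook).
# Assumption: one "tcpipaddress subnetmask" pair per line.
SAMPLE_DSC = """\
192.168.20.15 255.255.255.0
10.1.4.200 255.255.252.0
172.16.0.9 255.0.0.0
192.168.30.7 255.255.0.255
192.168.40.300 255.255.255.0
192.168.50.1
"""

# Review threshold chosen for this example: subnets with more addresses
# than this are flagged so that someone confirms the scope is intended.
MAX_ADDRESSES = 1024


def mask_to_prefix(mask_text):
    """Convert a dotted subnet mask to a prefix length.

    Rejects masks whose one-bits are not contiguous (255.255.0.255),
    which usually indicate a typing error in the file.
    """
    mask = int(ipaddress.IPv4Address(mask_text))
    host_bits = ~mask & 0xFFFFFFFF
    if host_bits & (host_bits + 1):
        raise ValueError(f"non-contiguous subnet mask {mask_text!r}")
    return 32 - host_bits.bit_length()


def parse_entry(line):
    """Return (address, network) for one 'tcpipaddress subnetmask' line."""
    fields = line.split()
    if len(fields) != 2:
        raise ValueError("expected 'tcpipaddress subnetmask'")
    address = ipaddress.IPv4Address(fields[0])
    prefix = mask_to_prefix(fields[1])
    # strict=False: the entry names any host in the subnet, not its base.
    network = ipaddress.IPv4Network((int(address), prefix), strict=False)
    return address, network


def review(text, max_addresses=MAX_ADDRESSES):
    """Return (line_no, status, detail) for every non-blank line.

    status is 'ok', 'broad' (subnet larger than max_addresses) or
    'invalid' (the line cannot be read as address plus mask).
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            _, network = parse_entry(line)
        except ValueError as exc:
            findings.append((line_no, "invalid", str(exc)))
            continue
        size = network.num_addresses
        status = "broad" if size > max_addresses else "ok"
        findings.append((line_no, status, f"{network} ({size} addresses)"))
    return findings


if __name__ == "__main__":
    for line_no, status, detail in review(SAMPLE_DSC):
        print(f"line {line_no}: {status:8} {detail}")
```
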

4.5 Setting Alerts


The Alert Manager is an extendable facility that allows receiving and processing
of application-generated alerts. These alerts can be the result of informational,
warning or error messages and can originate from a variety of hardware and
software sources both within and outside of Netfinity Manager.

A full list of alerts generated by the base Netfinity Manager functions can be
found in Appendix J “Netfinity Alerts” of the Netfinity Manager User’s Guide,
10L9271. A full list of alerts generated by the Advanced System Management PCI
Adapter and Advanced System Management Processor can be found in Appendix
A of the redbook Netfinity Server Management, SG24-5208.

A variety of actions can be taken in response to alerts, including logging alerts,
notifying the user, forwarding the alert to another system, executing a program,
playing a WAV file, generating an SNMP alert message, dialing out to a digital
pager service, or taking an application-defined action. A complete list of actions is
listed in Chapter 2 of the redbook Netfinity Server Management, SG24-5208.

The base service that is at the heart of the alerting function is Alert Manager – all
alerts that are generated by Netfinity base services are sent to it. Alert Manager
matches an incoming alert against one of its default and user-definable filters
(called profiles) and then, if it matches, carries out the appropriate action.

Alerts can be the result of informational, warning, or error messages and can
originate from a variety of sources. In fact, there is a constant stream of these
messages being generated. You would normally only want to be made aware of a
subset of these. You do this by defining an alert action.

For more information, see the redbook Netfinity Server Management,
SG24-5208.

4.6 Using Capacity Manager


Netfinity Capacity Manager is an efficient system management tool integrated
into the Netfinity Manager software to help you to measure the potential
bottlenecks of various subsystems. You can use this tool to forecast performance
degradation of a server and its subsystems. You may plan for an appropriate
action to overcome the bottleneck well in advance, so as to prevent overall
performance degradation.

The key concept to understand about Capacity Manager is that the data is always
being gathered. Unlike Performance Monitor, you do not have to start the logging
of data. With Capacity Manager, you simply specify what data you want retrieved
from the servers and workstations in your network and it is gathered up and
displayed graphically for you. Up to one month’s worth of data is automatically
saved by every system running Netfinity Manager 5.1 or later.

Resource utilizations over time are collected from network systems and merged
into a single report that can be viewed graphically or exported into a spreadsheet
for further analysis. These reports show at a glance potential capacity
bottlenecks within the selected systems. Your analysis and ability to predict
bottlenecks is critical when planning for future upgrades. Capacity Manager gives
you the ability to plan the allocation of hardware upgrades for the systems that
really need them before a capacity bottleneck occurs.

Capacity Manager is available as part of Netfinity Manager V5.1 onward. New to
Netfinity Manager V5.2 is a performance analysis feature of Capacity Manager.

For more information see Chapter 6 of the redbook Netfinity Server Management,
SG24-5208.



Chapter 5. Integrating Windows NT with NetWare 5
One of the key requirements of NetWare customers is to integrate their Windows
NT servers into their NetWare network. NDS’s ability to control much of the
network from a central admin utility, and to distribute its administration as
it sees fit, is one of Novell’s major strengths. Customers need the ability to extend
the functionality and control of NDS into the Windows NT space.

NDS for NT V2.0 is the latest release of a product that Novell has developed to
enable administrators to control a Windows NT domain structure using NWAdmin.
This means that the administrator is able to control the whole network from one
central point. NDS for NT enables the administrator to either work with the
existing domain structure or control all new Windows NT servers with NDS.

5.1 Features
• Ability to add users to multiple domains. If a customer has a multidomain
Windows NT configuration, and a user on one domain needs to access
another domain, then there must be a trust relationship enabled. If this is a
two-way trust, then the administrators from both domains now have full access
to the other domain. Alternatively, you can create a master domain model,
where all users in a domain are controlled centrally and local administrators
have control of the resources in that domain only.
NDS for NT allows the administrator to put the same user in multiple domains
without the necessity for a trust relationship, or taking note of all the user's
rights and then recreating them in the domain they wish access to.
• Includes NWAdmin. The same interface that Novell administrators are used
to is available on the Windows NT server and must be installed separately.
The NWAdmin utility has the ability for the administrator to view access
privileges for the user across separate domains. With Windows NT’s User
Manager, the administrator must go to each separate domain. If the company
is currently running an NT domain structure or the company takes over a site
that has the NT domain structure, it is necessary for the NT administrators to
learn the NWAdmin tool as they can still administer the domain with the
current NT tools, and the information will be transferred between the NDS and
NT domain structure.
• Local replica for Windows NT. It is now possible with V2 to have a site that
only contains Windows NT servers without having to communicate across the
WAN back to a NetWare replica. The NDS can be partitioned as discussed in
6.2.2, “Partition and replication” on page 122.
The ability to place a partition on a Windows NT primary domain controller
(PDC) or the backup domain controller (BDC) enables the administrator to
control a site across the WAN that runs Windows NT only and still achieve
good performance and control using NDS for NT. Novell suggests that the
Windows NT replica should only be a read/write replica and that another
replica should be kept on a NetWare server so that some of the NetWare-only
utilities can be used to keep the replica at its optimum, such as DSRepair. The
replica can only be installed on to a PDC or BDC that has been installed with
the NTFS file system.



NDS for NT also alleviates the need to have a BDC, as the domain structure is
kept in the NDS and replicated and partitioned according to the administrator’s
control. When importing an NT domain into NDS, it must be planned, since the
addition of the new object must be controlled to ensure that the NDS database
rules are not broken.
• Domain conversion. The conversion from a Windows NT domain into NDS is
controlled by the domain object wizard, which asks:
– What context the domain should be placed in
– If you want NT domain and NDS passwords synchronized at all times
– If you want to create new users in NDS or use existing users or leave as is
The wizard then moves and/or merges the Windows NT users, groups and
workstations into the NDS. A report is generated that shows the users
associated with NDS users, groups and workstations that have been created.
The workstations that have been created would allow the use of ZENworks
that is included with NDS for NT, which again will help decrease the TCO.
Some of the tools that are installed with NDS for NT include:
– Domain object wizard, which allows the control of replicas in NT and the
uninstallation of NDS for NT.
– NDS manager is another method for controlling NDS partitions and
replications.
• Mailbox manager for Microsoft Exchange. One of the extensions of NDS is
the ability to manage an Exchange server’s mailbox information from the
NWAdmin utility. Once the utility is installed on the workstation (this can be
done on multiple workstations), the Exchange information database can then
be imported into the NDS. The mailbox manager is very similar to the
Exchange administration manager and users can then be added. The
automatic update of NDS is not available when using the Exchange manager.
For this to occur the upload utility must be run. The install of NDS for NT does
not change the domain structure and therefore existing clients and
applications continue to log in and act as they did prior to the installation.

5.2 Installing NDS for NT


Ensure that you have the latest stable service pack for Windows NT and that all
communications via the network are set up and working. The server must use the
NTFS file system for security. The installation will not proceed past a certain point
unless this is done. Insert the NDS for NT installation CD and the welcome
screen will appear.

The installation first installs the files and configures the server to work as a Novell
client. On a number of occasions, we have found that the addition of another
component on a live application server caused instability, failure, or slowing down
of the application services on the server. So, you should run a pilot installation
first prior to a production installation. Our recommendation is to install the NDS
for NT on dedicated PDC and BDC servers that are not running any applications.
When installing on these servers ensure that the PDC has a backup domain
controller and that you also have tested these installations.

These recommendations are based on past experience, and the release of the
latest NDS for NT with the latest client may have alleviated some of these
problems. Installing NDS for NT on the servers that we used while writing this
book went smoothly and without any problems. Ensure that the code that you
have on the CD is the latest NDS for NT. Do not download any client, because it
must be the client supplied with NDS for NT.

5.2.1 Items that you need prior to beginning the installation


Before you begin, you need:
• An administrator-equivalent user and password for the Windows NT domain.
• An administrator-equivalent user and password for the NetWare NDS tree.
• An NDS design for the placement of the domain object, users and workstations
that will be imported into the NDS.
• To decide whether to force password synchronization.
• To identify the users and workstations that will be migrated.
• To decide whether existing NDS users will be used or new ones created.

5.2.2 Installing
The following are steps in the installation of NDS for NT:
1. Ensure that you are logged in to the server as administrator equivalent.
2. Select NDS for NT.
3. Agree to the license agreement after reading it. If you do not agree, you will
be exited from the installation.
4. The installation begins copying the files for the client portion of the installation.
5. The machine reboots and you are prompted to log in to the Novell NDS and
the server. Ensure that you are logging in as an administrator for the NT server
domain and admin equivalent for the Novell network since you need to update
the NDS and the NT server.
6. The server will then autorun a domain wizard.



Figure 50. Welcome screen of the Domain Wizard

7. The welcome wizard that is started is the same as the one that is installed with
the management utilities. It gives you some added features that you will not
use during this first installation. Click Next.
8. You are then asked to select the tree that you will be installing into. This is why
you must install using the admin equivalent for NetWare.

Figure 51. Selecting the tree for the NDS install



9. You have logged in to the tree that you will be installing into, so select the
correct tree from the drop-down list. When you click Next, the choices of
context for the domain object and the users are displayed.

Figure 52. Selecting context of the NT domain object and the context for users

10. Figure 52 has two sections. The actual context of the NDS domain object in
the tree must be carefully planned since, as with all NDS tree items, the design
will be the basis for an easy and secure network. The other is the default
context for the users that will be created.
11. Once these two contexts have been selected, you must select whether you want
NDS for NT to force synchronization of passwords. We think this is a good idea,
because users often find it difficult to manage more than one password. Selecting
this option will ensure that the passwords stay the same no matter which of the
password utilities they use. Select Next.
12. You will then be asked whether you want to search for users in the NDS tree
that you would like to match to the NT domain users.



Figure 53. Selecting the searching method for the NDS tree

13. If you choose to skip the search, you will only be given the option to create
new users rather than associating the users with existing NDS users. Depending
on your choice, you will be taken either to the selection of the part of the NDS
tree that you wish to search or to the final results. We will go through the
search method.
14. The next window asks for the default action for the users when you get to the
importing screen.



Figure 54. Default method for users during the importation of NT users in to NDS

15. The default method for the handling of users allows the administrator to cover
the majority of the users that are being imported. So planning and getting the
right information before the installation is imperative. Select Next.

Figure 55. NDS context for searching for users

16. Selecting the context of the tree that you wish to search allows the
administrator to search the whole tree or only the section of the tree that is
relevant to the users of that domain’s geographical area.



17. After clicking Next, you will see a window that asks you what you want to
search. Press the Search button and then click Next.
18. You will see a summary of the users and workstations available to import.

Figure 56. Summary of users and workstation to be imported in to NDS

19. This summary of users and workstations allows you to select each user and
workstation independently and ensure that they are being handled in the
appropriate way. Proper planning for the NDS is imperative, since
the incorporation of all these users and workstations must be in the correct
context, one that will still allow easy management of all the NDS objects.
Select Next when all the objects will be handled according to your
configuration plans.
20. The next screen is a summary of what you have already done. Click Move and
the process will begin. When the process is complete, click Next.
21. You are then given an option to view the log files now or at a later date. They
are kept in the %SYSTEMROOT%\system32\ directory and the file is called
MOVE.LOG. If not all the user or workstation objects have been moved, you
will be asked to start the search again or to go on with the installation.



Figure 57. View log file and create replica window

22. The other option that is given in this window is to install a replica on the
local NT server. If there is no NetWare server in the location and the only
Novell server is across a WAN link, then a replica should be placed on the
local server to speed up access to the NDS resources. We will not place a
replica at this time but will install one separately later in this chapter.
23. When this is complete, you will be asked to reboot the machine. Reboot and
you are now ready to install the administration applications. To install
these, use the same CD. Select Admin Utilities.
24. At the welcome screen, click Next.
25. Agree to the license agreements by selecting Yes.
26. Read the screen showing all the latest information available and select Next.
27. You are then given the option to install the applications locally on the
Windows NT server or to place them on a Novell server. We found that doing the
install to the Novell server did not place all the utilities there and did not
create the shortcuts required. To alleviate this, we installed them to both the
NT server and the NetWare server in two separate installations.
28. The last few screens are the normal InstallShield screens asking for the
directory that you would like to install into and the program folder you wish
to use.
29. Once this is done you will be given three applications that you can use:
– Domain object wizard
– NetWare administrator
– NDS manager

We will now look at the installation of a replica of the NDS database on the
Windows NT server. This will be done using the Domain Object Wizard, which is
one of the utilities that have been installed. You must be logged in to the local
server as a Windows NT domain administrator.
1. Run the wizard by clicking Start > Programs > Novell > Domain Object
Wizard.
2. A welcome screen tells you that you are going to install a replica of the NDS
tree onto the local Windows NT server. Select Next.
3. The next screen prompts you for NDS information.

Figure 58. NDS information for installing replica on local NT server.

4. The screen has three areas to complete: the actual user, the NDS context, and
the password for this information. Fill in the information and select Next.
5. The next screen gives you a default server name for the server that it is about
to create.

98 Novell NetWare 5.0 Integration Guide


Figure 59. Server name of the server created in NDS for the placement of the NDS replica

6. The server name defaults to that of the domain object created in the NDS
during the installation, with -NT on the end. The other information is the NDS
context of this new server that will be created. This context cannot be
changed because it is based on the context of the domain object that was
created during the installation of NDS for NT.
7. Figure 60 from the partition manager shows that there are two NT servers now
in the NDS. It looks like you have two servers for the one NT server.
Remember that one of the server objects acts similarly to a group, and the
second one is created for the replica only.

Figure 60. NDS information

8. Once you have chosen the server name and clicked Next, you will then be
prompted where to put the NDS files. These can only be put on NTFS
because security is a priority for Novell. Select the directory that you want to
place the files in and click Enter.
9. The installation copies a replica of the NDS to the local server. This takes
some time even if the NDS is small. Once this is complete you must reboot the
server.
10. Because the NDS is loosely consistent, it takes some time for the changes to
replicate and for the time synchronization to take place, so wait a few minutes
before trying to do anything.

The removal of the replica and the removal of NDS for NT are also done by the
same domain wizard. When the wizard is run and finds a replica on the local
server, you are prompted to remove the local copy. Once this is completed, you
get the choice of removing the NDS or just finishing and closing the wizard. Once
you have made the decision to remove NDS for NT, you will have another
decision to make. See Figure 61.

Figure 61. Removal of NDS for NT screen

These choices let you decide whether the information that you have put into the
NDS is migrated to the domain. You also have the choice to update all the
passwords that have been changed from NDS to the domain so that users do not
need old passwords. The final option is to leave the domain as it is and remove
NDS for NT. When we did this it removed NDS but we had to manually delete the
domain object.

Once the installation is complete, you will be able to administer the NT domain
through the NDS, which means adding users to domains, allowing users access to
multiple domains, viewing access rights in one place, and administering NT file
shares and controlling permissions to these.

Figure 62. Domain information in NDS

NDSCON.EXE gives some valuable information and also shows what modules
are loaded. It is installed in the directory that you specified during the NDS for NT
installation process. NDSCON.EXE is in the I386\NDSSRV directory. When you
run this application you get the following screen.

Figure 63. Module loader for NT

This is a utility that allows you to see what modules for NDS are running on the
server. Figure 63 indicates that the server has both NDS and bindery mode
running. If you click the Load Module button, you get Figure 64.

Figure 64. NDS for NT loadable modules

This window shows what other modules can be loaded on this screen. By
highlighting the DSTRACE module and clicking Load, the module will load and
show you information about what the NDS is doing.

Figure 65. NDS for NT DSTRACE screen

Figure 65 shows information on what the NDS on the server is doing and is a
good place to begin if you need to troubleshoot. There are many options as to
what you can see on this screen. By selecting Edit > Options you are given the
options that can be viewed on this screen, as shown in Figure 66:

Figure 66. DSTRACE options

The options allow you to see any or all of the information.

Another module that can be loaded from this NDSCON is the monitor.

Figure 67. NDS for NT monitor

The monitor window shows you the connection information in regards to the NDS.
It shows the IP port information and the IP address of the server that it is
communicating with.

The next area to discuss is the additional NDS objects that will be created as part
of the installation and the guidelines for placing these objects in the NDS tree.
The same rules that apply for normal NDS partitioning and replication and NDS
design still apply and these have been discussed in 6.2.1, “NDS design” on page
119. The guidelines for the objects created depend on how your network is
designed. If for example you are going to have only an NT server and the rest of
the network is across WAN links, then you will place the replica on the local
server and ensure that all users for that site are placed in that replica. The main
guidelines to follow are:
• Limit the number of members of the NT domain to 3000.
• If your network has multiple domains, then you must ensure that all domains
are in separate partitions of the NDS.
• If the number of objects in the domain is greater than 1000, create a partition
for the domain.
• Have NDS for NT installed on all PDCs and BDCs.
• The NT domain PDCs and BDCs must be in the same SAP (Service
Advertising Protocol) broadcast NDS domain as the users that are being
supported by the NDS partition.

Chapter 6. Optimizing and tuning
The server itself, the network that it connects to, and the other machines that it
talks to all need to be tuned. Tuning a server and its environment is a high priority,
but lower than that of reliability and security, so these should not be impacted by
the tuning process. This chapter will cover the server optimization, NDS
optimization and time synchronization.

NetWare, like other operating systems on the market, is self tuning and allocates
resources over time to the needed areas. As the server is up and running for a
period of time, the server becomes more tuned to its environment. If the server is
brought down and then restarted, the tuning process begins all over again.

6.1 Server
The central point of the network is the server and we will therefore start with its
tuning. One thing must be stressed: there are no straight do-this type answers
when it comes to tuning — each server has different applications loaded and
different demands placed on it by the network to which it is connected.

When working on servers, we often see that technicians have tried to optimize
systems by entering many SET commands without really ensuring that this has the
effect they wanted. The only way that you can ensure that the optimizing is
working is to have some form of baseline to start with.

To this end we suggest that you install IBM Netfinity Manager. See 4.2, “Installing
Netfinity Manager” on page 73 for details. Alternatively, use ManageWise or the
STAT.NLM utility from Novell.

The STAT.NLM utility allows you to gather information about the memory, LAN
and disk communications plus a few others. The most important thing is that it
gathers information over a period of time, which can then be converted into a format
readable by database applications to give you trends and a benchmark.

Once the information has been gathered, it gives you an understanding of busy
and slow times and this will then be a baseline to verify that any changes you
make actually result in better performance. Part of the benchmarking should also
be based on copying, opening and saving files to the server. The other
information that should be covered and gathered is via MONITOR.NLM, as shown
in Figure 68.

NetWare 5 Console Monitor 5.22 NetWare Loadable Module
Server name: 'SYD01' in Directory tree 'IBM'
Server version: NetWare 5.00c - April 23, 1999
+---------------------------------------------+
| General Information |
+---------------------------------------------+
| Utilization: 1% |
| Server up time: 0:03:56:39 |
| Online processors: 1 |
| Original cache buffers: 32,198 |
| Total cache buffers: 20,784 |
| Dirty cache buffers: 0 |
| Long term cache hits: 100% |
| Current disk requests: 0 |
| Packet receive buffers: 500 |
| Directory cache buffers: 153 |
| Maximum service processes: 500 |
| Current service processes: 11 |
| Current connections: 1 |
| Open files: 24 |
+---------------------------------------------+
| |File open/lock activity|
| |Disk cache utilization |
+-------------------------+

Figure 68. MONITOR.NLM

The monitor screen has numerous selections allowing you to set parameters to
view disk, LAN driver, and memory information. This information should be
gathered after the server has been up for a couple of weeks. Over time, the
server will allocate resources; to gather the information immediately after the
server has come online is useless unless you wish to compare changes from day
one.

The areas that should be looked at and documented are the directory cache
buffers and the current service processes.

These first two values will change over time. The rule of thumb is to set the
minimum at 80% of the figure reached after a few weeks of operation.

The reason for 80% is that during the time that the server has been up there have
been peak times and resources have been allocated that are no longer needed.
By setting it to 80%, enough resources will be allocated to these areas and the
clients will not notice a slowdown until the server has allocated the required
resources. Obviously if this has not gone above the minimum then you may even
wish to go lower and have resources for other areas, though this will most likely
not be the case.

To find the minimum, type SET at the server console and a number-based menu
system will be displayed that will enable you to select the area that you are
interested in. The other method is to use Monitor and select the server
parameters.

Once you have benchmarked your server, you may wish to know when the cache
buffers go below a certain limit. It is possible to set this under the server
parameters in Monitor. Select file caching and for Minimum File Cache Report
Threshold, enter the figure that you would like to be notified at.

The other areas that we will look at are:
• Memory
• Disk
• Network
• Applications

6.1.1 Memory
The most common server memory rule is that the addition of more memory will
improve performance. Although sometimes the addition of memory will not help
because memory is not the bottleneck, memory is one of the major contributors to
the speed and performance of a file server.

6.1.1.1 Virtual memory


Most administrators are familiar with the process of virtual memory and swap files
because these have been used in servers for many years. The swap file in Novell
is the same — it increases the server’s available memory space by making a file
on a disk an overflow space. Swapping information in and out of memory does
use resources, and as the server’s memory is depleted and server performance is
decreased, then swapping begins and again slows the server’s performance. The
following facts about the swap file allow you to choose the best method for
deployment of the swap file:
• The SYS swap file is created by default.
• The SYS swap file can be deleted.
• Swap files can be created on each volume.
• A swap file can be created for a volume even while the volume is not mounted.
• Information moved from memory will be placed in any available swap file.
• When the volume is dismounted the swap file is deleted.
• Only SYS is automatically created — all others must be added to
AUTOEXEC.NCF.

To get information on the swap command, type HELP SWAP at the server console. It
is possible to create, delete, and set specific parameters on each swap file.
Remember that to keep them across server boots, the parameters must be entered in
the AUTOEXEC.NCF startup file. A general rule for swap files is that multiple
volumes are better than just one and creating them on a non-system volume is
also good so that you can keep the SYS volume as static as possible.

6.1.1.2 LRU sitting time


One of the old rules is that if the total cache buffers went below 40% of the
original cache buffers, it was time to add memory. Even though this can be used
as a rule of thumb it is often very inaccurate: for a small network, it can get
lower and for a large network it may need a higher percentage to provide
appropriate performance. A more accurate method of calculating whether a server
requires more memory is the LRU sitting time.

The LRU sitting time is based on the most recently used (MRU) and least recently
used (LRU) algorithms. It works so that as the MRU cache buffers are used again
and again they are put at the top of the list. As they are used less and less, the
LRU cache buffers are finally removed from the list altogether as more often
used items are placed above them. If there is not enough memory then the LRU
sitting time drops and drops. Novell recommends that the LRU sitting time should
not go below 12 minutes. This number should be viewed at the busy times of the
day, not at quiet times, as it is dynamic and at quiet times the LRU sitting time can
be hours. To view the information run MONITOR and select Disk cache utilization.

NetWare 5 Console Monitor 5.22 NetWare Loadable Module


Server name: 'NW5_BM3' in Directory tree 'IBM'
Server version: NetWare 5.00c - April 23, 1999
+-----------------------------------------------+
| Cache Utilization Statistics |
+-----------------------------------------------+
| Short term cache hits: 100% |
| Short term cache dirty hits: 100% |
| Long term cache hits: 99% |
| Long term cache dirty hits: 94% |
| LRU sitting time: 5:01:39.6 | Parameters
| Allocate block count: 20,534 | to monitor
| Allocated from AVAIL: 16,620 |
| Allocated from LRU: 3,914 |
| Allocate wait: 0 |
| Allocate still waiting: 0 |
| Too many dirty blocks: 0 |
| Cache ReCheckBlock count: 0 |
+-----------------------------------------------+
| |LAN/WAN drivers |
| |Loaded modules |
| |File open/lock activity|
| |Disk cache utilization |
+-------------------------+
Esc=Previous list Alt+F10=Exit F1=Help

Figure 69. Disk cache utilization

As can be seen in Figure 69, our server is a test server and therefore has a very
high LRU sitting time. However, we have witnessed some servers having LRU
sitting times of seconds rather than minutes.

The other value to look at on this screen is the percentage of long term cache hits.
This is the percentage of disk blocks that were in cache when requested. As this
value decreases, the server must go to disk to get the information, which is much
slower. If this figure drops below 90%, extra memory may be needed.
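
The rules of thumb given so far (minimums at 80% of the observed figure, the 12-minute LRU sitting time, the 90% long term cache hit rate, and the older 40% cache buffer rule) can be checked mechanically against captured MONITOR screens. The following Python script is an added example, not code from this guide or from Novell; the function names, the right-to-left reading of the LRU sitting time fields, and the second (busy server) sample are assumptions or constructed values.

```python
import re

# Matches "| Label: value |" rows of a MONITOR.NLM screen; borders and menu rows do not match.
ROW = re.compile(r"^[|\s+-]*([A-Za-z][^:|]*?):\s+([^|]+?)\s*(?:\||$)")


def parse_screen(text):
    """Return {label: raw value string} for each 'Label: value' row."""
    fields = {}
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            fields[match.group(1).strip()] = match.group(2)
    return fields


def to_int(value):
    """Convert '32,198' or '99%' to an integer."""
    return int(value.replace(",", "").rstrip("%"))


def to_seconds(value):
    """Assumption: colon-separated fields read right to left as s, min, h, days."""
    units = (1, 60, 3600, 86400)
    return sum(float(p) * u for p, u in zip(reversed(value.split(":")), units))


def review(general_text, cache_text):
    """Apply the page's rules of thumb; return (findings, suggested minimums)."""
    general, cache = parse_screen(general_text), parse_screen(cache_text)
    findings = []

    lru = to_seconds(cache["LRU sitting time"])
    if lru < 12 * 60:  # recommended floor, to be measured at busy times
        findings.append("LRU sitting time %.0f s is below 12 minutes" % lru)

    hits = to_int(cache["Long term cache hits"])
    if hits < 90:
        findings.append("long term cache hits %d%% are below 90%%" % hits)

    total = to_int(general["Total cache buffers"])
    original = to_int(general["Original cache buffers"])
    if total * 100 < original * 40:  # the older, less accurate 40% rule
        findings.append("total cache buffers are below 40% of original")

    # Minimums at 80% of the level reached after a few weeks of operation.
    minimums = {
        label: to_int(general[label]) * 80 // 100
        for label in ("Directory cache buffers", "Current service processes")
    }
    return findings, minimums


# Values copied from Figures 68 and 69 on this page (two different test servers).
PAGE_GENERAL = """\
| Original cache buffers: 32,198 |
| Total cache buffers: 20,784 |
| Directory cache buffers: 153 |
| Current service processes: 11 |
"""
PAGE_CACHE = """\
+-----------------------------------------------+
| Long term cache hits: 99% |
| LRU sitting time: 5:01:39.6 | Parameters
+-----------------------------------------------+
"""

# Constructed sample of a server under memory pressure (not from the page).
BUSY_GENERAL = """\
| Original cache buffers: 32,198 |
| Total cache buffers: 11,500 |
| Directory cache buffers: 640 |
| Current service processes: 45 |
"""
BUSY_CACHE = """\
| Long term cache hits: 86% |
| LRU sitting time: 7:42.3 |
"""

if __name__ == "__main__":
    samples = (("page figures", PAGE_GENERAL, PAGE_CACHE),
               ("constructed busy server", BUSY_GENERAL, BUSY_CACHE))
    for name, general_text, cache_text in samples:
        findings, minimums = review(general_text, cache_text)
        print(name, findings or "no findings", minimums)
```

Feed it screens captured at busy times, because a sample taken at a quiet time will pass the LRU check regardless of how much memory the server has.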

6.1.1.3 Service processes


We have already said that this value should be monitored. The service processes
take execution threads as they arrive. As more service processes are needed,
more are allocated. Novell recommends that you set the maximum at 2-3 per
connection, and the maximum at 1000. If these are not required they are not
allocated. This does not work peak times, when the service processes are
allocated, and for some networks these are not used for 99% of the time.

To speed up the allocation of these processes during the time when you are
benchmarking and waiting for the server to reach an optimum performance level,
you can set the new service process wait time to 0.3 seconds (the default is 2.2
seconds).

6.1.1.4 Cache buffers


Cache buffers are the buffers that are left for file caching after all memory has
been allocated to required resources. As more and more services are loaded
and/or services require more resources, then the number of available cache
buffers is decreased. If you believe that a process needs more resources, it is
important not to allocate too many. This can lead to a degradation in
performance. When changing these parameters ensure that you do one at a time
and document what you have done. Then perform the tests and compare the
results against your baseline to see whether performance has improved or not.

6.1.1.5 Directory cache buffers


The tracking of all the files is done by tables such as the hash, FAT, turbo FAT,
and suballocation. These tables keep track of where all the files are and try to
ensure that they are quickly accessed. As these tables grow they remove
resources from the cache buffers, but it is much faster to use the tables than to go
through the files to find the ones that are needed.

The minimum setting should be set at 2-3 buffers per connection. While setting
the benchmarks, you can set the time for the allocation of these resources to 0.5
seconds rather than the default of 2.2 seconds.

Name spaces increase the need for handling the allocation of the file locations.
As each name space is added, increment the multiplication by one. So if you have
one name space, multiply by one; two, multiply by three; and so on.

6.1.1.6 Garbage collection


Garbage collection works in the same manner as the disk defragmenter does for
the disk system. It allows fragmented memory to be gathered and restored for
the use of the server's memory. You can force it to retrieve memory for you by
going to Monitor and selecting Virtual memory > Address space and pressing
F4. You should check whether it is necessary to change the default of 15 minutes
for garbage collection and whether it has any adverse effects on the system.

6.1.2 Disk
This area of tuning will cover the areas of the file and disk subsystems. As the
server writes to or reads from the hard drives, the process and the size of the disk
blocks that it can receive will affect the performance of the server. For example,
the IBM ServeRAID controller has two modes for writing to the disk: write through
(WT) or write back (WB). The WB mode allows the RAID controller to report that it has
written data to disk while it is still holding that data in its cache. The server operating system then
does not have to wait for the RAID controller to write to the physical disk. To
prevent data loss, the RAID controller should be installed with a battery backup in
case of power failure.

The performance of the RAID subsystem increases as the number of drives
increases. A rule of thumb for this is that as the number of disks is doubled, the
server throughput will increase by 50%.

For more information on this and other IBM disk subsystems see Implementing
Netfinity Disk Subsystems: ServeRAID SCSI, Fibre Channel and SSA,
SG24-2098.

One method to improve performance is to categorize your users. That is, they may
make many more writes than reads or vice versa. To improve the performance for
either of these, you can use the following settings as a guideline. All of these
settings can be set in the relevant areas in the monitor server parameters screen.

For a write-intensive network:
• Dirty disk cache delay time = 7 (default 3.3)
• Maximum concurrent directory cache writes = 25 (default 10)
• Dirty directory cache delay time = 2 (default .5)
• Maximum concurrent disk cache writes = Leave as default unless you are
approaching the figure; then increase it.

For a read-intensive network:
• Maximum concurrent directory cache buffers = 5 (default 10)
• Maximum concurrent disk cache writes = 40 (default 200)
• Directory cache buffer non-referenced delay = 60 (default 5.5)

6.1.2.1 Dirty cache buffers and current disk requests


Dirty cache buffers are the cache buffers waiting to be written to disk. If this number
increases, the server will have to allocate more resources. The current disk
requests are pending calls to read from the disk and for the same reason, as
these increase, they will consume resources. In Monitor, the values of dirty cache
buffers and current disk requests should return to zero periodically. If they do not
and you have enough cache buffers to allocate some resources to this area then
set these settings:
• Set maximum concurrent disk cache writes = 500 (default is 50)
• Set dirty cache delay time = 0.5 (default 3.3)
• Set maximum concurrent directory cache writes = 100 (default 10)

These settings will allow some more allocation of resources and should be
monitored when these changes are made. If the values after a time still do not go
down to zero, then the disk subsystem that you have is not capable of handling
the workload.

A method of improving performance is using RAID with multiple disks so that the
writes can be to multiple disks rather than one. Also remember that your SCSI
bus will only operate at the speed of the slowest SCSI device; if you have some
drives that are SCSI F/W and the others are straight SCSI, then they will all
operate at the slower SCSI speed. Separate the disks or purchase more and
create multiple volumes so that users are spread across the drives.

6.1.2.2 Suballocation
Suballocation has enabled the retrieval of space from the older systems running
NetWare 3.x. Because the older versions were unable to suballocate, when a file was
written to disk and did not fit in one disk block, the rest was written to another
block and no other files were able to use that block. With suballocation, the files
can be written in 512-byte units, enabling numerous files or parts of files to be
written to one sector. With suballocation, it is possible to always set the block size
to the larger 65 KB block size and allow suballocation to handle the smaller files and
file ends. With today’s information and applications the files are ever increasing in size.

It is important to have around 15% of the blocks available to be used for
suballocation. These blocks are not related to the free space on the server, since
deleted files that are not purged are also taking up these blocks. So it is important
to either purge the server on a regular basis using the command:
purge /all

or purge always with the command:
set immediate purge of deleted files = on

To be notified of the decrease in the number of available blocks, set a warning
threshold in Monitor by clicking Server Parameters > File System.

6.1.2.3 RAID systems


When using RAID systems, Novell recommends you set the block size to the
same as the stripe size. Setting this to larger sizes enables NetWare to write
more to the disks at one time.

NetWare defaults to a 64 KB volume block size for NetWare volumes greater than
2 GB. A lot of Novell documentation recommends not deviating from the defaults
but the 64 KB block size will only be optimized for large files such as imaging,
multimedia, and other workloads involving streaming data. If most of the files
transferred are small, a smaller block size would be more appropriate. Also,
knowing the request size(s) the application uses is important in determining the
volume block size and stripe unit size. We set the stripe unit size to match the
request size. You can also set the stripe unit size to be the next size higher than
the request size.

The Netfinity Performance Lab in Research Triangle Park, North Carolina runs
the Ziff-Davis NetBench and Bluecurve Dynameasure applications to benchmark
the NetWare operating system. For these environments, optimal performance is
obtained by setting the NetWare volume block size and the ServeRAID stripe unit
size to 16 KB. Performance is better when these two parameters are the same
size.

With controllers like the ServeRAID adapter, the Hot Fix blocks are often made
redundant because the hardware does it faster and more efficiently. When setting
up the volume, set the value to zero so that there are no hot fixes set. This
enables you to look at Monitor and see if the hot fix is increasing and if the drives
are starting to fail. Again the new drives have warning systems, using PFA and
SMART, that will tell you if a drive is beginning to fail.

6.1.2.4 File compression


NetWare file compression is extremely robust and often users are not aware that
the file is compressed due to the speed at which the compression is occurring.
However, setting for immediate compression can lead to high CPU utilization.
Another potential problem would occur if you were to schedule compression to
run at the same time as when backup programs are running (for example,
midnight). You can change the compression schedule with the command:
set compression daily check starting hour = x

where x is a value from 0 to 23; 0 is equal to midnight.

If you are having trouble with compression or are unsure what the server is doing
with compression, use the command:
set compress screen = on

The other command that is useful here is the minimum file delete wait time,
because if the value is too high the server will not delete files fast enough and as
the server fills up you may get the error compressed files are not being
committed. This can be alleviated using the command:
set decompress percent disk space free to allow commit = x

Where x is one less than the current value. You can see the current value by
entering the same command with no value.

6.1.2.5 Network
The other bottleneck is often the connection to the network. An older method for
improving this is to add a card to the server and split the network and split the
load that way. This is fine in small networks, but in larger networks, the use of
switches is by far the method most used today and will improve performance.

6.1.2.6 Packet receive buffers


The packet receive buffers allow the smooth control of information coming in to
the server. As the load increases, the server must allocate more of these buffers.
If the buffers cannot handle the workload, the No ECB Count value, found by
clicking Monitor > LAN/WAN drivers, will increase. Select the driver that you
want information about and then press Tab to see more information.

The No ECB Count value is actually displayed as the Receive discarded, no
available buffers parameter shown in Figure 70. The ECB term comes from an old
version of NetWare and Novell still uses it today. The No ECB count basically
means that the server is passing information too quickly to the card and the card
may be a bottleneck. If this figure rises very quickly as soon as the server is
initialized the card may be faulty and should be monitored or replaced.

NetWare 5 Console Monitor 5.22 NetWare Loadable Module


Server name: 'NW5_BM3' in Directory tree 'IBM'
Server version: NetWare 5.00c - April 23, 1999
+------------------------------------------------------------------+
| IBMTRPO_1_TSP [IBMTRPO mem=F3EFE700 int=9 frame=TOKEN-RING_SNAP] |
+------------------------------------------------------------------+
| |
| Generic counters |
| Total packets transmitted: 2,757 |
| Total packets received: 4,491,096 |
| Receive discarded, no available buffers: 0 |
| Transmit failed, packet too big: 0 |
| Transmit failed, packet too small: Not supported |
+--| Receive failed, adapter overflow condition: 0 |-+
| | Receive failed, packet too big: 0 ||
|--| Receive failed, packet too small: Not supported |-|
| || Transmit failed, miscellaneous error: 0 |]|
| || Receive failed, miscellaneous error: 6 ||
| || Transmit failed, retried: 0 ||
| || Receive failed, checksum error: 0 ||
| || Receive failed, packet length mismatch: Not supported | |
| || Bytes transmitted modulo 4GB: 239,198 | |
| || Bytes transmitted rollover (times 4GB): 0 ||
+--+------------------------------------------------------------------+-+
Tab=Next window Alt+F10=Exit F1=Help

Figure 70. No ECB Count

Another problem that often occurs in a NetWare server is when the buffer size is
equal to the size set in the maximum packet receive packet size. In NetWare the
default size is 4224 bytes, but the actual largest size for Ethernet is 1514 bytes.
Therefore, each buffer is wasting around half of its space with no information. To
correct this problem use the command (or set it in Monitor):
set maximum packet receive packet size = 1514

To work out how many packet receive buffers you may require, use the rule of one
packet receive buffer per connecting user and 10 per LAN card listed in Monitor.

The other value of note that can be found in Monitor is the number of packets
queued for transmission. If this is too high, it may mean that the network adapter
may not be fast enough for the server.

6.1.2.7 Large Internet Packet (LIP)


In older versions of NetWare, it was not possible to cross routers and still have
the physical packet size stay at the maximum. As soon as the
packet crossed a router the size was set to 512 bytes, since the server and client
had no way of knowing what each was communicating when passing through a
router. The newer versions avoid this, since the server accepts whatever the
client sets as its maximum packet size.

One problem with this is that the LIP packet can cause high utilization on the
server if the client cannot negotiate the size correctly. You can disable or
troubleshoot with the command:
set allow LIP = on

6.1.2.8 NCP packet signature


Maintaining security and high performance can be a balancing act. The ability to
increase the security of the conversation between the client and the server by
attaching a unique signature to each packet obviously puts a load on the server
and client. However, if security is a major concern this can be set at the server
with:
set NCP packet signature option = x

where x can equal 0, 1, 2, or 3 as follows:
• 0 = Do not do packet signature
• 1 = Do packet signature only if the client requires them
• 2 = Do packet signatures if the client is capable of packet signature
• 3 = Must do packet signature

In older clients, this is set in the NET.CFG using the command:
set enable IPX checksums = x

In the newer clients, it is set on the Advanced Settings tab.

6.1.3 Application
Support for processes for handling applications and also for monitoring NetWare
5 has been improved. In some instances, however, this has made troubleshooting
and tuning more difficult.

6.1.3.1 Prioritizing
The new kernel in NetWare 5 allows certain applications to have a higher priority
than the processor which increases performance for those specified applications.
This is done from Monitor by selecting the kernel, choosing the application and
pressing F3. A box appears, as shown in Figure 71, allowing you to set a new
share value. The default share value for applications is set to 100.

NetWare 5 Console Monitor 5.22 NetWare Loadable Module


Server name: 'NW5_BM3' in Directory tree 'IBM'
Server version: NetWare 5.00c - April 23, 1999
+----------------------------------------------------------------+
| Application 'NetWare Application' |
+----------------------------------------------------------------+
| Share value: 100 |
| Execution time, in microseconds: 637,472 |
| Number of threads: 197 |
| |
| |
| |
+----------------------------------------------------------------+
+-------------------------+
| Applications |
+-------------------------|
| NetWare Application |
+--------------------------------------+
| New share value: |
+--------------------------------------+
|| |
|| |
|| |
+-------------------------+
Enter=Accept changes Esc=Discard changes Alt+F10=Exit F1=Help

Figure 71. Setting an application’s priority

The important thing to remember here is that the share value is relative to the
base system. That is, if we set an application to have a value of 200 and the other
application stays at the default, the new application will have twice as many
processing resources.

It is possible to create applications from the applications that Novell has already
installed. For example, if you want DHCPSRVR to become an application with a
high share value, use the command:
load -A=newdhcpsrvr dhcpsrvr.nlm

6.1.3.2 Symmetric Multiprocessing (SMP)


NetWare in the past has always been based on a uniprocessor model and in the
latest releases this SMP support has been added and improved. As an
application sends requests, the kernel receives these requests as threads waiting
to be serviced. These threads can be executed on a single processor or if an
application has been configured to use another processor or the processor is too
busy, this thread can be sent to another processor increasing the performance of
the server. For more information on setting parameters and configuring
applications, see the individual application’s documentation.

For NetWare there are certain components that have been programmed to be
SMP-aware. Some of these are Open Data-link Interface (ODI), memory and the
direct file system.

You can set the threshold that the server will use to swap to the other processor if
the first is busy. This value is set in Monitor under the SMP selection. This area of
NetWare is very sensitive, so be aware that small changes here can have large
and dramatic influences.

6.1.4 WAN Traffic Manager


Another way of saving on costs in NetWare 5 is the LAN area object that can be
created in the NDS. The LAN area object uses an NLM called the WAN Traffic
Manager (WTM) that is loaded on the server console. With this utility you can
disable WAN traffic according to time or a certain cost. In this section we
will show you how to set up WTM and import the policies. The rest will depend on
what kind of restrictions you want to apply. You must be aware that any
restrictions that you apply may have implications in the replication and
synchronization of the NDS and should be done very carefully.
1. Select the container object in which you would like the LAN area object to be
created. Right click and select Create and then select the LAN area object.
2. Double-click the object and select the Server that belongs to the LAN area.
Add the server that you want controlled by the WAN manager.
3. Click WAN policies. Figure 72 appears.

Figure 72. WTM policy page

4. From the drop-down list at the top select the type of policy that you want to
import. See the application help for information about the policies. Also, see
TID 2942079 and the NetWare 5 documentation.
5. Once you have selected the policy, press the Load Group button to display
the information. All should be OK with no errors.
6. Click Advanced. Figure 73 appears.



Figure 73. WAN policy delete window

7. This is where you can then remove the items that you do not want. In this
window, we had loaded two policies: the NDSTtype and one of the time
policies. In this window, we could delete everything except for the 7 am - 6 pm
entry so that it is the only time WAN traffic would flow. If you click Edit you can
change the times.

Commands that are available after the WTM.NLM is loaded are:


WANMAN=OFF/ON
WANMAN POLICY DISABLE= policy name
WANMAN LOGFILE - ON/OFF
WANMAN LOGFILE MAXSIZE=filesize
WANMAN REFRESH IMMEDIATE

6.1.4.1 How much traffic is there?


How much traffic the NDS and server communication produces depends on how
big your NDS is, how dynamic, what protocols you have loaded, and so on. To get
an accurate answer, you have to do your own studies to find out how much traffic
the server produces.

What we have done here is to give you a very rough guide to what to use. We set
up our two servers and removed as many unnecessary functions as possible. We
wanted two Novell servers with only NetWare and BorderManager installed. We
then disabled and removed the BorderManager services and installed the
ManageWise components that were required to monitor BorderManager. See
3.8, “Installing ManageWise” on page 65 for ManageWise installation information.
1. We started the ManageWise console and ensured that the servers were
manageable. To do this we selected View > All NetWare File Servers as
shown in Figure 74:



Figure 74. ManageWise servers

2. As can be seen in the third column “Manageable”, the servers are
manageable. When we first started the NLMs on the server, however, it took a
few minutes before they became manageable.
3. Click the (graph) button.

Figure 75. ManageWise trends window

4. Among the trends that can be selected, we were interested in the amount of
traffic in KB coming in and out. We used both servers to see if they generate
the same or different amount of data.
5. Choosing the items shown in Figure 75 gave us information from both servers
(Figure 76 and Figure 77):



Figure 76. KB transmitted and received from one server

Figure 77. KB transmitted and received from the other server

6. This shows the information that we had gathered so far and they both seem to
be pretty close. Rather than relying on viewing the information on the screen,
we exported the information using the export function.
7. We then analyzed the data using a spreadsheet package.
8. The graph displayed activity at 15-minute intervals from 11pm to 8am. The
export of the data gave us a figure for transmitted and received. We added
these two together as shown in Figure 78.



[Line chart: KBytes total (axis from 0 to 700 KBytes) against time in 15 minute blocks, with one series for Total Syd01 and one for Total NW5_BM3.]

Figure 78. WAN traffic from the two servers

9. This graph shows the total amount of KB sent and received for each card.
These servers have both IP and IPX bound; to determine the amount of each,
a protocol analyzer would be needed. The other way is to put two cards in the
machine and bind one protocol to each card and determine the traffic
requirements this way.
10. The average of both servers came to about 527 KB per minute.
11. To determine bandwidth out per second, divide the 527 by 60 = 8.78 KBps,
indicating the link traffic for straight NDS traffic and heartbeat information is
minimal.
12. The final step is to work out what other traffic will be going across the
connection.

6.2 NDS
The NetWare network is based on the NDS and the importance of a good design
cannot be overstated. With forethought and planning, it is possible to have a
flexible, solid and easily administered NDS tree that will service your network for
many years.

The first part of the NDS creation phase is designing the NDS tree. This process
is the basis for your network, so enough time must be spent on the design phase.
Obviously the amount of time spent on designing will depend on the size of your
network. A company that has one site and one server will not have to spend a lot
of time on design, but you will still need to make sure that the design is flexible
and that the naming conventions are easily understood. The same principle will
also be relevant for a large network, which will require a lot more time on the
NDS design, partition/replication and time synchronization strategies.

6.2.1 NDS design


The first part of the design process is to gather all the information that you can on
the structure of the network, sites and resources at the sites. The structure is the
WAN diagrams, speeds of links and types of links. The site’s information will have
such things as routers, communications media and the speeds of these. The
resources will be users, printers, servers and any other items that will connect to
the network. The basis for the NDS design is to make sure that all users have
easy and responsive access to these resources.

Naming conventions don’t really come under the heading of tuning and
optimization but, as a user or administrator, if you have ever tried to type paths
and connect to server names that made no sense, you could understand why
these are important. Naming conventions are based on the individual network,
the location of the server, what the server does, and so on. For example, a server
located in the Melbourne head office in Australia that runs BorderManager only
and is the second one of its type in that office is named AUHOBM02. Unless you
know what the acronyms mean (such as HO for head office), it will not make a lot
of sense. If you know what they all mean and they are easy to pick up, you will
quickly know where the server is located and what it does.

There are some basic rules when creating an NDS tree. With the introduction of
NDS 8 the rules have changed somewhat. As mentioned previously, we recommend
that NDS 8 be implemented with any new NDS tree, and that existing NDS trees
be implemented with the guidelines set down by Novell. For more
information please go to:
http://www.novell.com/products/nds/

The rules on the size of replicas and number of objects per replica and
organization units no longer apply or have been increased. Where this is the case
we will note it for the current version of NDS. The other rules were made to
decrease the amount of WAN traffic and to ensure that the required resources are
located as close to the users as possible.
1. Design the tree in a triangular fashion (wide section at the bottom of the tree).
2. Design the top of the tree based on the WAN infrastructure.
3. Design the bottom of the tree based on your network’s resource organization.

The NDS tree consists of containers and objects as discussed in 2.3.1, “How to
refer to objects in the NDS tree” on page 26. These container objects and the
placement of leaf objects is the design of the tree.



Here is a sample design of a worldwide organization, including replication,
partitioning and time synchronization strategies.
Table 4. Sample organization

Region                Site           Link Speed/K   Site name

NA (North America)    Rochester      Central        RCR
                      Portland       256            PLD
                      Denver         256            DNV
                      El Segundo     T1             ELS
                      San Diego      256            SDG
                      Fort Worth     256            FRW
                      Tallahassee    256            TLH
                      Newark         256            NWK
                      Myrtle Beach   T1             MRB
                      Webster        T1             WBS
SA (South America)    Rio            256            RIO
ME (Middle East)      Tel Aviv       19.2           TAV
                      Cairo          9.6            CRO
EU (Europe)           Heyford        64             HFD
                      Marseilles     64             MRS
                      Bonn           64             BON
                      Moscow         9.6            MOS
PR (Pacific Region)   Bangkok        56             BAN
                      Melbourne      56             MEL
                      Manila         56             MAN
                      Seoul          56             SEO
                      Osaka          256            OSA

This information is enough to design a tree that resembles the WAN topology and
includes the following departments:
• Accounting (AC)
• Sales (SA)
• Information systems (IS)
• International sales (IL)
• Domain Marketing (DM)



[Tree diagram: [Root] at the top, then O=AU, then the regional OUs (NA, SA, EU, PR), then an intermediate level (BR, PLD, ELS, FR, RS, IL, TLH, JP, KO, TH, AU, PH), then the site containers (PLD, ELS, SDG, FRW, DNV, TLH, NWK, MRB, RCR, WBS, RIO, HFD, BON, MRS, MOS, TAV, CRO, OSA, SEO, BAN, MEL, MAN), each with an IS container. One site is expanded to show the department OUs HR, IS, SP, AC, PR, IL and DM. The shaded area is repeated in each location.]

Figure 79. NDS tree design

As can be seen by the construction of the tree in Figure 79, we have broken up
the tree into geographical regions and therefore do not have more than 10
organization units (OU) per level. We recommend that you keep the number of
OUs per level to between 10 and 15. When creating such a tree, keep in mind the
replication of the partitions and stick to the rules for NDS partitioning and
replications.

The country container is used primarily for connecting to public directory services
that are X.500 compliant; in most cases a country container only adds another
level that is not necessary and can be done by an organizational unit. When
naming the tree ensure that you do not use the same name for the organization
(O) object, because when troubleshooting it makes it more difficult to differentiate
where the problem lies.

6.2.2 Partition and replication


Now that the tree has been designed, it is possible to create the partition and
replication strategy for where to place the physical copies of sections of the tree,
as discussed in 6.2, “NDS” on page 119. Once that copy is placed as close to the
users as possible we then also have to think of fault tolerance. If the server that
holds the copy of NDS fails and the users still need to log on, they will want to log
on across the fastest link possible and in most cases at the same location if
possible.



This becomes difficult if the site has only one server. When this server fails and
the users still need access to the network it is better to have another copy of the
NDS across the fastest WAN link than to have no logon possibilities at all.

To create or merge partitions, use the NDS manager
(SYS:\PUBLIC\NDSMGR.EXE), a Windows-based application. If you need more
information beyond the online help, refer to the NetWare 5 documentation.

Rules for replication and partitioning are:


• Partition the top of the tree based on WAN infrastructure.
• Do not create a partition that spans a WAN link.
• Partition according to the placement of the local servers.
• Partition the top of the tree based on the number of objects (NDS 8’s
maximum number of objects is 100,000).
• Maintain three replicas for fault tolerance.
• Replicate locally whenever possible.
• Replicate to provide bindery services.
• Place a master replica where the IS support is, not at remote sites.
• Create partitions to minimize the amount of subordinate references.

Place the master copy where the support team is, because any NDS design
changes need to be made on a server that holds the master replica. Support can
also respond much faster to a server going down there, and hence the master
will be up much faster.

A subordinate reference is placed when a server has a copy of the parent
partition but not the child. If you had a tree that had 30 OUs and a root
partition, and you placed the root partition on a server, that server would have
to hold 30 subordinate references to keep track of all the replicas. The
subordinate reference is a pointer that is involved in the replication and must be
communicated with during the replication process.
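
The subordinate reference rule above, together with the one-master and three-replica rules from the list before it, as an added example that is not part of the guide: a Python check that derives which servers must hold subordinate references and flags partitions that break the replica rules. The partition tree, server names and placement are constructed sample data, not the guide's Table 5.

```python
# Added example: check an NDS replica plan against the rules in this section.
# All partition and server data below is constructed sample data.

# child partition -> parent partition
PARENT = {"NA": "[Root]", "EU": "[Root]", "PLD": "NA"}

# server -> {partition: replica type}; M = master, RW = read/write, RO = read-only
PLACEMENT = {
    "RCRIS-S01": {"[Root]": "M", "NA": "M", "PLD": "M", "EU": "RW"},
    "RCRIS-S02": {"[Root]": "RW", "NA": "RW", "EU": "M"},
    "PLDIS-S01": {"NA": "RW", "PLD": "RW"},
    "HFDIS-S01": {"[Root]": "RW", "EU": "RW"},
}


def real_replicas(replicas):
    """Partitions a server really holds; a SUB entry is only a pointer."""
    return {part for part, kind in replicas.items() if kind != "SUB"}


def subordinate_refs(parent, placement):
    """Return {server: [child partitions needing a subordinate reference]}.

    A server needs one for every child partition whose parent it holds
    while it does not hold the child itself.
    """
    refs = {}
    for server, replicas in placement.items():
        held = real_replicas(replicas)
        refs[server] = sorted(child for child, par in parent.items()
                              if par in held and child not in held)
    return refs


def check_plan(parent, placement, min_replicas=3):
    """Flag partitions without exactly one master or with too few replicas."""
    findings = []
    for part in sorted(set(parent) | set(parent.values())):
        kinds = [r[part] for r in placement.values()
                 if part in real_replicas(r)]
        if kinds.count("M") != 1:
            findings.append(f"{part}: {kinds.count('M')} master replicas, expected 1")
        if len(kinds) < min_replicas:
            findings.append(f"{part}: {len(kinds)} replicas, rule asks for {min_replicas}")
    return findings


if __name__ == "__main__":
    for server, refs in subordinate_refs(PARENT, PLACEMENT).items():
        print(f"{server}: {len(refs)} subordinate reference(s) {refs}")
    for finding in check_plan(PARENT, PLACEMENT):
        print("FINDING", finding)
```
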



[Tree diagram: the same tree as in Figure 79 ([Root], O=AU, the regional OUs NA, SA, EU and PR, and the site containers beneath them), shown with its partitions.]

Figure 80. Partitions of the NDS tree

Some of this may seem a bit unusual, especially partitioning root and global in
partitions of their own when they will have few objects and no one accessing the
resources. This decreases the amount of subordinate references. By using the
Replica worksheet in Appendix A.4, “Replica planning worksheet” on page 241
and removing this level of partitioning, you will see the number of references
actually increases. This can be done manually as we have done it here. However,
there are some applications that will do this for you. One of these you can find at:
http://www.netwarefiles.com

We suggest that you replicate manually at first and then use these applications to check
your calculations. Our worksheet ended up as follows (Table 5):



Table 5. Replication example
Server Partitions
[ROOT] Global NA PLD ELS SDG FRW DNV TLH NWk MRB WBS SA EU HFD MRS MOS TAV CRO PR SEO BAN MEL MAN
RCRIS-S01 M M M M M M M M M M MRB M SUB SUB SUB
RCRIS-S02 RW RS RW SUB SUB SUB SUB SUB SUB SUB SUB SUB M M M M M M M M M M M M
ELSIS-S01 RW RW RW SUB SUB RW SUB SUB RW SUB RW
PLDIS-S01 RW
SDGIS-S01 RW
FRWIS-S01 RW
DNVIS-S01 RW
TLHIS-S01 RW
NWKIS-S01 RW
MRBIS-S01 RW RW RW RW
WBSIS-S01 RW RW RW RW RW
RIOIS-S01 RW RW SUB RW SUB SUB
HFDIS-S01 RW RW SUB SUB RW RW RW SUB SUB SUB SUB
BONIS-S01 RW RW RW
MRSIS-S01 RW RW
MDSIS-S01 RW
TAVIS-S01 RW
CRDIS-S01 RW
OSAIS-S01 RW RW SUB SUB SUB RW RW RW RW RW
SEOIS-S01 RW RW SUB SUB SUB
BANIS-S01 RW
MELIS-S01 RW
MANIS-S01 RW

The worksheet shows where all the replicas will sit and what type of replica they
will be. All the masters are placed on the servers at Rochester, where all the IS
support team is based. The servers they have been placed on are all running a
high availability and fault-tolerant configuration such as Vinca StandbyServer,
SFT III or NetWare Cluster Services (NCS).

The best way to design a tree is to follow our guidelines and create your own so
that you know where all the links and servers are. While there is no right or wrong
answer to the NDS design question, some answers are more right than others.

6.2.3 Time synchronization


Time synchronization is checked prior to doing anything on the partitions.
Synchronization across different time zones is by means of Universal Time
Coordinated (UTC) on all the servers. There will be another time that is relative to
your location, which is offset from the UTC.

The default time synchronization strategy that is installed by NetWare works on
up to 30 servers. If you are having to sync across WAN links, a few WAN links are
fine, but ensure that they are reliable and that the speed of the WAN links is
enough for the time synchronization traffic and any other traffic that you may
need.

There are four types of time servers:


• Single: This is the first server that is installed on the network. It may be the
only server that is installed.
• Secondary: Every server after the first server is installed as a secondary time
server. This server polls the time provider server and adjusts its time to meet
that of the time provider.
• Primary: Part of a time provider group, the primary servers contact all other
time providers and then compare the calculated network time and adjust their
time to 50% of the difference.
• Reference: These servers work in the same way as primary servers in that
they poll all other servers and calculate the network time. However, they do not
adjust their time. The reference server is placed in a time provider group to
enable the manual setting of time. This can be done via a modem or an
external time source. The reference is equal to 16 primary servers in the
priority calculations of the network time.

The time provider group is set up when you have multiple WAN connections or
over 30 servers, since the default configuration will prove to be inefficient and
create too much WAN traffic. The time provider group consists of a reference
server and up to seven primary servers.
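
The behaviour of primary and reference servers described above, as an added example that is not part of the guide: a simplified Python model built only from the two stated rules (primaries adjust by 50% of the difference, a reference counts as 16 primaries). It compares a group with a reference server against the same clocks voting as primaries only. The clock offsets, the 2-second threshold and all names are constructed for the example.

```python
# Added example: simplified model of a time provider group, built only from
# the two rules stated in the text. Offsets are seconds relative to true time.

REFERENCE_WEIGHT = 16  # text: a reference equals 16 primaries in the calculation
PRIMARY_WEIGHT = 1
PRIMARY_STEP = 0.5     # text: primaries adjust by 50% of the difference


def network_time(offsets, kinds):
    """Weighted average of the providers' clock offsets."""
    total = weight = 0.0
    for name, offset in offsets.items():
        w = REFERENCE_WEIGHT if kinds[name] == "reference" else PRIMARY_WEIGHT
        total += w * offset
        weight += w
    return total / weight


def poll_once(offsets, kinds):
    """One polling round: primaries move halfway, the reference stays put."""
    net = network_time(offsets, kinds)
    return {name: (offset + PRIMARY_STEP * (net - offset)
                   if kinds[name] == "primary" else offset)
            for name, offset in offsets.items()}


def settle(offsets, kinds, rounds):
    """Clock offsets after the given number of polling rounds."""
    for _ in range(rounds):
        offsets = poll_once(offsets, kinds)
    return offsets


def polls_until_synced(offsets, kinds, radius=2.0, limit=100):
    """Rounds until every provider is within `radius` seconds of network time.

    `radius` is a threshold chosen for this example.
    """
    for polls in range(limit + 1):
        net = network_time(offsets, kinds)
        if all(abs(offset - net) <= radius for offset in offsets.values()):
            return polls
        offsets = poll_once(offsets, kinds)
    return None


# Constructed sample: one server on the correct time, two drifting servers.
OFFSETS = {"ref": 0.0, "p1": 46.0, "p2": -10.0}
WITH_REFERENCE = {"ref": "reference", "p1": "primary", "p2": "primary"}
ALL_PRIMARY = {"ref": "primary", "p1": "primary", "p2": "primary"}

if __name__ == "__main__":
    print("network time with reference:", network_time(OFFSETS, WITH_REFERENCE))
    print("network time, primaries only:", network_time(OFFSETS, ALL_PRIMARY))
    print("rounds to sync with reference:", polls_until_synced(OFFSETS, WITH_REFERENCE))
    print("settled with reference:", settle(OFFSETS, WITH_REFERENCE, 20))
    print("settled, primaries only:", settle(OFFSETS, ALL_PRIMARY, 20))
```

With a reference server the group settles on the reference clock; with primaries only it settles on the average of the drifting clocks, which is why the reference is the place to feed in an external time source.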

[Diagram: a reference server and primary servers.]

Figure 81. Time provider group

In our example, there were over 30 servers in the Rochester area, which had to
span WAN links, so we created multiple time provider groups. In our configuration,
the sites with the fastest links in each geographical region became reference
servers, which communicated with an external atomic clock so that they were
synchronized. The servers with the next fastest links became primary servers and
all others became secondary. The configuration of these groups can be based on
SAP or on configured lists; we chose configured lists and ensured there was
redundancy in these lists. With configured lists, traffic is reduced but
administrative overhead is increased.

Configuring the time source type and the basic setting is done in Monitor under
Server Parameters. To enable the configured lists, go to the same area and set
Time sync configured sources to On and then select Timesync > Add time
sources and enter the IP address of the servers. For more information see the
NetWare 5 documentation or TID 2930686. This TID is based on NetWare 4.11
but the parameters are the same. The main difference is it is all done with
SERVMAN not Monitor.

6.2.4 ZENworks design considerations


The NDS guidelines that we have discussed are still relevant when adding the
ZENworks objects to NDS. Be aware that the number of objects per container
may reach the advised limits, making it more difficult to find the objects that you
wish to manage.

A few new objects are added when ZENworks is installed. Because the NDS schema
is being extended and all these objects are being added, you must plan for the
size of the NDS database to grow over the next few years. Novell recommends
that the SYS volume be created as a 4 GB volume. To ensure that the NDS
volume is in a healthy state before adding new objects, run the NDS health
checks as described in 6.2.5, “NDS health checking” on page 128.

The new objects that are created are as follows:


• Application objects. There are two types of application objects. One is the
application folder, which is only used by the administrators so it should be
placed in the partition most convenient to them. The application object itself is
contacted by users whenever they run the application. Like any other NDS
object that a user connects to, it is important to place it as high in the tree as
possible and make sure that users do not have to go across a WAN link to
access them. If necessary, create application objects and application servers
in each geographical area so that little or no communication and downloading
is done across the WAN.
A site that contains multiple application servers can also have multiple
application objects, each pointing to a specific server and each used for load
balancing and fault tolerance.
When ZENworks first starts, it looks for applications that are associated with
the user that is logged in. You can configure it so that, rather than searching to
the top of the tree, it only searches in its own container. The settings are
changed in the details by selecting the Launcher configuration page >
General > Set application inheritance level. The levels that should be set
are:
– 0 or 1 for a user whose objects are in the same container.
– 2 for the user that has an application association to an application object in
the container the next level up.
– -1 in small scenarios, since this searches to the top of the tree.
• Workstations. Again there are two types of workstation objects:
– The Group object. These hold workstations rather than users.
– The Workstation object. These double the number of objects that your
network contains so be careful not to exceed the number of objects per
container.
Refer to 6.2.2, “Partition and replication” on page 122 for these figures. The
workstation should be placed in the same container as the user objects,
because the design of the NDS tree will have put the users as close to the
replica of the NDS as it can and the workstation objects also need to have fast
access to the NDS partition. Put the workstations in their own containers if the
administrators are the only ones accessing them or the number of objects for
the container is over the limits.
• Policy packages. There are a total of seven container, user and workstation
packages:
– The container package can only be associated to containers and should be
placed as high as possible without going out of the site container (the
container that shows the boundary for the geographical area).
– The user policy objects should be placed in the same container as the users
that are associated with them.
– The workstation policy object should be placed in the same container as the
workstations that are associated with it.



6.2.5 NDS health checking
The methods used to check the health of the NDS database and time
synchronization can also be used to troubleshoot the synchronization
process. All of this is done at the server console. First, ensure that time
synchronization is OK, since NDS partitioning and replication rely on time
synchronization to do their work.
1. At the server console type TIME. The third line will state that time is or is not
synchronized. If it is not, then type DSREPAIR.
2. Select Time synchronization and press Enter. The server will then create a
report of what it found. If this takes some time it may be that the server is
trying to communicate with one of the time provider servers and cannot. This
may mean that you have a communications problem between servers.

/****************************************************************************/
Netware 5.00 Directory Services Repair 5.14 , DS 7.30
Log file for server ".NW5_BM3.MELB.IBMAU" in tree "IBM"
Time synchronization and server status information
Start: Wednesday, July 7, 1999 9:11:07 am Local Time

                            DS.NLM    Replica   Time        Time is  Time
Server name                 Version   Depth     Source      in sync  +/-
---------------------------+---------+---------+-----------+--------+-------
.SYD01.SYDNEY.IBMAU         7.30      0         Secondary   Yes      +1
.NW5_BM3.MELB.IBMAU         7.30      0         Single      Yes      0

3. This log gives you information about the version of the DS.NLM that you have
loaded on all your servers. Ensure that they are all on the latest version
possible for each server’s NOS version.
4. Check in the left-hand column to ensure that only servers that are up and
running are listed. If a server has been removed from the network and has not
been removed from the NDS then follow the procedures listed in TID 2908056.
If a server has crashed and you want to retain all links and for the time being
enable the remaining servers to synchronize properly and then enable the
server to be placed back in NDS, follow TID 2920601.
5. The second column reports the replica depth. If the server is holding a copy of
the [ROOT] then it will be listed as having a depth of 0. If a server shows a
replica depth of -1 then that means that it does not hold a replica. So if you
have a server that holds a replica and it shows up as -1 it often means that it is
in a transitional state or that it is having problems getting the replica. A server
that holds a replica of an organization unit and not at the organization or root
would have a depth of 2.
6. The time source shows the type of time server. In this column you must ensure
there is a time provider; otherwise, no server will be able to get its time.
Refer back to 6.2.3, “Time synchronization” on page 125 for information about
the type of providers.
7. Check that the time is synchronized on all the servers. If not, you will have to
ensure that the communication channels are open and if all this checks out
you may need to tune some of the parameters. Refer to TID 2908867.



8. Server-to-server synchronization checks must be done at a server that holds a
replica, since the servers that do not hold a replica are not involved with the
NDS synchronization process. Type the following commands at the server
console:
set dstrace=on (enable the trace screen)
set dstrace=*H (force a synchronization)
Switch to the dstrace screen using Alt+Esc or Ctrl+Esc and watch the process.
The final result that you are looking for is a prompt saying All processed = YES in
green. If you see that some partitions have the Yes and others have a red No, this
will help you resolve where the problems are.
9. If the displayed messages scroll past too quickly to find what the problem is,
place the output into a file with the following commands:
set ttf=on (trace goes to SYS:\system\dstrace.dbg)
set dstrace=*R (resets the file to 0 bytes)
set ttf=off (turn off the trace)
Searching for -6 in this file will show any errors that occurred during the
synchronization process. Make sure that you turn off the trace, since this may
cause high utilization on the server.
10.Some of the other options available in the dsrepair screen are:
– Report synchronization status (shows the status of the replica
synchronization)
– Under the advanced parameters:
• Check external references. Shows the state of all servers in the back
link list.
• Replica and partition operations. Ensure that this is set to on.
• View remote server ID list and then select Verify all remote servers
IDs. This may show why the server is having trouble communicating.
• In replica and partition operations select View replica ring . This should
be done at the servers that hold the master and read/write copy to
ensure that they match.
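
The checks in steps 3 to 7 above, as an added example that is not part of the guide: a Python parser for the time synchronization table of a DSREPAIR log that flags mixed DS.NLM versions, a missing time provider, servers that are out of sync and servers with a replica depth of -1. The column layout is taken from the sample log shown earlier; the third server row and its values are constructed.

```python
# Added example: parse the time synchronization table of a DSREPAIR log.
import re

# The header and the first two rows follow the log shown in this section; the
# third row and its values are constructed to show what a problem looks like.
SAMPLE_LOG = """\
Time synchronization and server status information
                            DS.NLM    Replica   Time        Time is  Time
Server name                 Version   Depth     Source      in sync  +/-
---------------------------+---------+---------+-----------+--------+-------
.SYD01.SYDNEY.IBMAU         7.30      0         Secondary   Yes      +1
.NW5_BM3.MELB.IBMAU         7.30      0         Single      Yes      0
.PER01.PERTH.IBMAU          7.09      -1        Secondary   No       +95
"""

# Time server types that provide time to others (see 6.2.3).
PROVIDERS = {"Single", "Reference", "Primary"}

ROW = re.compile(
    r"^(\.\S+)\s+(\d+(?:\.\d+)+)\s+(-?\d+)\s+(\w+)\s+(Yes|No)\s+([+-]?\d+)$")


def parse_log(text):
    """Return (rows, unparsed) for the lines below the dashed ruler."""
    rows, unparsed, in_table = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("---"):
            in_table = True
        elif in_table and line:
            m = ROW.match(line)
            if m:
                name, version, depth, source, sync, offset = m.groups()
                rows.append({"server": name, "version": version,
                             "depth": int(depth), "source": source,
                             "in_sync": sync == "Yes", "offset": int(offset)})
            else:
                # Keep anything unexpected for a manual look.
                unparsed.append(line)
    return rows, unparsed


def review(rows):
    """Turn the parsed rows into findings for steps 3, 5, 6 and 7."""
    findings = []
    versions = sorted({r["version"] for r in rows})
    if len(versions) > 1:
        findings.append("mixed DS.NLM versions: " + ", ".join(versions))
    if not any(r["source"] in PROVIDERS for r in rows):
        findings.append("no time provider listed")
    for r in rows:
        if not r["in_sync"]:
            findings.append(f"{r['server']}: time not in sync ({r['offset']:+d})")
        if r["depth"] == -1:
            # Only a problem if this server is supposed to hold a replica.
            findings.append(f"{r['server']}: replica depth -1")
    return findings


if __name__ == "__main__":
    parsed, leftover = parse_log(SAMPLE_LOG)
    for finding in review(parsed):
        print("FINDING", finding)
    for line in leftover:
        print("UNPARSED", line)
```
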

Table 6 has been reproduced from the June 1996 Appnote “Managing Novell
Directory Service Traffic Across a WAN: Part 1”. It shows the actual traffic
generators for the NDS, how often they occur, and how to view and force them.
Table 6. Traffic generators

Process        Function                 Frequency                  Viewing               Forcing

Immediate      Synchronize critical     10 seconds after event     set dstrace = on      Create an object or
sync           changes                                             set dstrace=+sync     change attribute
                                                                   set dstrace=+in

Slow sync      Synchronize noncritical  22 minutes after event     set dstrace = on      Log in or out
               changes                                             set dstrace=+sync
                                                                   set dstrace=+in

Heartbeat      Ensure replica           30 minutes configurable    set dstrace = on      set dstrace = *h
               consistency                                         set dstrace=+sync
                                                                   set dstrace=+in

Schema sync    Ensures schema           240 minutes configurable   set dstrace=+schema   set dstrace=*ss
               consistency              or when schema changes

Limber         Checks server object     180 minutes or when name   set dstrace=+limber   set dstrace=*l
               for changes              of server is changed

Backlink       External reference       780 minutes configurable   set dstrace=+blink    set dstrace=*b
               consistency

Connection     Creates server-to-       N/A                        set dstrace=+vclient  n/a
management     server connections

Server status  Checks server with no    360 seconds                n/a                   n/a
               replica

6.3 BorderManager tuning


The configuration parameters of a BorderManager server that is working as a
proxy server will have to be totally different. The type of work that the proxy
server is doing is based on a lot of fast small reads that if possible should be read
from memory. The more memory a cache server has, the more it can put in its
cache and service the client’s request faster.

The same benchmarking and tuning principles that have been discussed in the
normal NetWare 5 tuning can be applied here. Set your level after the server has
been up and running awhile. The main difference is that you will set a few more
parameters to begin with to ensure that the BorderManager server works fast
straight away.

The following configuration settings are designed for a server running only
BorderManager, because the setting that we will be using will make our file and
print server run at less than its optimum.
1. Disk:
– Create volumes that are used only for cache. These volumes should be set
up with a block size of 8 KB. Then monitor and determine the average size
of your files by using the calculations in A.1, “Memory calculations” on
page 235 and adjust accordingly. Then you will want to make sure that your
RAID controller is also set up with the same stripe size.
– Use only 8.3 DOS file names.
– Disable compression and suballocation. These are CPU intensive and if
suballocation is set and you need to purge the file, the server must then go
to the whole block and work out which part of it must be purged.
– Ensure that the files are purged immediately.
– For NSS volumes, set the amount of cache buffers that NSS will allocate
for caching. The setting should be around 60%. You can go higher but NSS
requires an amount of space left for its normal functions. Use the
command:
load NSS /cachebalance=60
– Set the maximum number of file locks = 100000
2. Communications



– Ensure that the HOSTS file and RESOLV.CFG are as clean and lean as
possible. The HOSTS file should have all unused entries removed and
RESOLV.CFG should have only the required DNS servers. Ensure the
first listed is the fastest and most reliable.
– Make sure that the physical packet receive sizes are set to the correct size
for the frame types. For example, Ethernet is 1514.
3. Memory
– Maximum packet receive buffers should be set so that the server has
enough buffers to handle the incoming requests. Set maximum packet
receive buffers =10000.
– Then you must also ensure that the minimum is sufficient to enable fast
responses straight away. This can be increased once you have set your
benchmarks and gathered your information. Set minimum packet receive
buffers = 5000.
– Once the server starts working you want to make sure that the allocation of
these buffers is fast, so set the parameter New packet receive buffer wait
time to 0.1.
– Because a lot of memory will be fragmented and you need to have enough
available for cache, set the garbage collection interval = 5.
– Look at the strategies discussed in 6.1.1, “Memory” on page 107 and follow
the same principles, such as if the dirty cache is staying too high, adjust
the maximum concurrent disk cache writes.
– Make sure that the service processes have enough for the proxy server’s
workload. Set minimum service processes = 500 and then set maximum
service processes = 1000.
4. NWAdmin
– In NWAdmin of BorderManager, set Maximum hot unreferenced time to 30.
This will keep the object in hot cache for a longer period of time and can be
adjusted depending on the statistics you get from the server caches
statistics screen.

Chapter 7. Clustering
A cluster is a group of computers that together provide a set of network resources
to a client. A simple cluster is two systems but, in general, any number of systems
could provide those resources. The key point is that the client has no knowledge
of the underlying physical hardware of the cluster.

This means that the client is isolated and protected from changes to the physical
hardware, which yields a number of benefits. Perhaps the most important of these
benefits is high availability. Resources on clustered servers act as highly
available versions of unclustered resources.

If a node (an individual computer) in the cluster is unavailable or too busy to
respond to a request for a resource, the request is transparently passed to
another node capable of processing it. Clients are therefore unaware of the exact
locations of the resources they are using. For example, a client can request the
use of an application without being concerned about where the application
resides or which physical server is processing the request. The user simply gains
access to the application in a timely and reliable manner.

Another benefit is scalability. If you need to add users or applications to your
system and want performance to be maintained at existing levels, additional
systems can be incorporated into the cluster. A topical example would be a Web
site that shows rapid growth in the number of demands for Web pages from
browser clients. Running the site on a cluster would allow the growth in demand
to be easily accommodated by adding servers to the cluster as needed.

Buying a large symmetric multiprocessing (SMP) machine and just adding central
processing units (CPUs) and memory as demand increases is not a viable
long-term solution for scalability. An SMP machine scales very poorly when the
number of CPUs increases beyond a certain point. The primary bottleneck is the
bandwidth available to access the system. As the CPU count increases, so does
the amount of traffic on the memory bus, which eventually limits system
throughput. In contrast, a well-implemented cluster can scale almost linearly.

In an ideal cluster, users would never notice node failures and administrators
could add or change nodes at will. Unfortunately, this is not the case today.
Current Intel-based clusters provide many of the features and functions of an
idealized cluster but fall short in some areas as we will discuss in this chapter.

For more information about clustering see the redbook Netfinity Clustering
Planning Guide, SG24-5845.

7.1 IBM clustering technology


As described in Chapter 2 of Netfinity Clustering Planning Guide, SG24-5845,
there are two clustering models:
• Shared disk model. Disk storage is provided by a common disk subsystem that
can be accessed by all cluster members. The clustering software manages
disk accesses to prevent multiple systems from attempting to make changes
to the same data simultaneously.

• Shared nothing model. Each cluster node has its own disk storage space.
When a node in the cluster needs to access data owned by another cluster
member, it must ask the owner. The owner performs the request and passes
the result back to the requesting node. If a node fails, the data it owns is
assigned to another node or another set of nodes in the cluster.

Currently, the clustering solutions available to NetWare users from IBM use the
shared nothing clustering model. The solutions are based on one of two typical
configurations:
• Shared disk clustering configuration
In this configuration, the data is stored in external disk enclosures that are
connected to all servers in the cluster. Only one copy of the data is stored, and
should any server fail, the other remaining servers in the cluster take over the
failing system’s processes and data I/O.
An example of a shared-disk configuration is shown in Figure 82.

[Diagram labels: Client access; Dedicated link; Internal disks (shown twice); Shared disks]

Figure 82. Shared-disk configuration

• Mirrored disk clustering configuration
In this configuration, multiple copies of the data are stored - one copy locally at
each server. The solution usually consists of one primary server and one or
more secondary servers. The secondary servers act as backup servers to the
primary and optionally, they can perform additional functions. If one of the
servers fails, the surviving server takes over its functions, either keeping its
existing functions or dropping them in preference for the failed server’s
functions.
An example of a mirrored-disk configuration is shown in Figure 83.

[Diagram labels: Client access; Primary; Standby; Dedicated link; SYS and DATA (shown on each server); Internal disks; Mirrored disks]

Figure 83. Mirrored-disk configuration

At the time of publication, these two solutions had been tested and certified on
the Netfinity 5500 and Netfinity 7000 M10. For the latest information, see
http://www.pc.ibm.com/us/netfinity/serverproven

7.2 NetWare Cluster Services


In this section, we describe how to install NCS in a Fibre Channel configuration.
We do not cover ServeRAID-based SCSI configurations in any detail.

7.2.1 Preinstallation checklist


Before you install NCS, ensure you have the following:
• A minimum of two NetWare 5 servers configured to use TCP/IP on the same
subnet.
• A subsystem of shared disks connected to all servers in the cluster.
• For Fibre Channel configuration, host adapters, cables and hubs used to
connect the servers to the subsystem of shared disks. For ServeRAID
configurations, supported ServeRAID adapters and cables.
• Support Pack 2 for NetWare 5, or the currently available version, installed
on the cluster servers. You can download the support pack
from:
http://www.support.novell.com/misc/patlst.htm#nw
• At least 64 MB available memory in each cluster server (128 MB is
suggested). See Appendix A, “Installation worksheets” on page 235 for the
memory sizer worksheet.
• All servers in every cluster must exist in the same NDS tree.
• At least one local disk (not shared) for the volume SYS in each server.
• The Novell client should be at least Version 3.0.0.0 for Windows 95 or Version
4.50.819 for Windows NT, which should be installed in the workstations used
to manage and connect to the cluster.
• ConsoleOne installed (from NetWare Cluster Services product CD) on the
workstation used to manage the cluster.

• At least two NDS replicas on the cluster servers. A maximum of six NDS
replicas are suggested for the partition containing the cluster. More than six
NDS replicas will reduce the NDS performance.
• A subsystem of shared disks is advisable for each cluster. If used, make sure
of the following:
– At least 10 MB of free disk space is available on the shared disk system to
set up a special cluster partition.
– The NCS installation automatically allocates one cylinder on a drive of the
shared disk system for the special cluster partition. If the drive where the
cluster partition is set up is bigger than 10 GB, you may need much more
disk space.
– The shared disk system is properly configured and working.
– Ensure the correct drivers are installed before you begin.
– NCS can use either NSS or the normal NetWare file system for shared
volumes.
– The disks containing the shared subsystem should be configured as
RAID-5 or RAID-1 to add fault tolerance to the shared system.
• It is recommended that the client machine used to manage the cluster has a
processor of 300 MHz or higher and at least 90 MB of memory. This gives the
best performance from ConsoleOne, which is needed to set up and manage
the cluster environment.
• Modify the loading of the TCP/IP protocol on all servers involved within the
cluster environment. The following modification must be done to
AUTOEXEC.NCF:
Replace LOAD TCPIP.NLM with
LOAD TCPIP.NLM FORWARD=ON
Alternatively, if you use the NetWare automatic configuration tool INETCFG,
do the following to modify the TCP/IP setting:
1. Enter INETCFG from the console prompt.
2. Select Protocol.
3. Select TCP/IP. Figure 84 appears.
4. Highlight IP Packet Forwarding and press Enter to select Disabled (“End
Node”).
5. Save and select Reinitialize System from the main menu.

+----------------------------------------------------------+
+------------| TCP/IP Protocol Configuration |
| Internetwor|----------------------------------------------------------|
|------+-----| TCP/IP Status: Enabled |
| |Boar| | IP Packet Forwarding: Disabled("End Node") |
| |Netw|-----| |
| |WAN | Pro| RIP: Enabled |
| |Prot| |App| OSPF: Disabled |
| |Bind| |IPX| OSPF Configuration: (Select to View or Modify) |
| |Mana| |Sou| |
| |View| |Sou| LAN Static Routing: Disabled |
| |Rein| |TCP| LAN Static Routing Table: (Select For List) |
+------| |Use| |
+-----| SNMP Manager Table: (Select For List) |
| DNS Resolver Configuration: (Select to View or Modify) |
| |
| Filter Support: Disabled |
| Expert Configuration Options: (Select to View or Modify) |
+----------------------------------------------------------+

Enable to send and receive RIP packets.


ENTER=Select ESC=Previous Menu F1=Help
Figure 84. TCP/IP options

This option disables the IP forwarding. If the forwarding has been enabled, the
automatic reconnection of the client, in case of failure, will not work and the
users will not be able to reconnect to another cluster server after the failover.
• Another parameter to be verified in case you are using the NSS feature of the
volumes is the following:
NSS /AUTODEACTIVATE VOLUME=ALL
NCS automatically mounts all cluster volumes on the servers in the
cluster. This command ensures that a cluster volume is not mounted, even
by accident, on different cluster servers at the same time, which could
cause data corruption. If you don't use this command, the command MOUNT
ALL could be typed on each server console and every server could try to mount
a volume that may already be mounted on another cluster server.
• Novell patches and software:
– NW5SP2A.EXE — Support patch kit 2a for NetWare 5
– W95302.EXE — Client v. 3.0.2 for Win95 /98
– WNT46E.EXE — Client v. 4.5.819 for Microsoft NT 4.0
All these products are available from: http://www.novell.com/download/
• Microsoft software: You will need to install Service Pack 4 or later for Windows
NT clients.
• IBM software — use these versions or later versions
– 37L6140.EXE — IBM ServeRAID BIOS Firmware Update Diskette V3.11b
– 00N9003.EXE — IBM Hot Plug PCI System Bus Driver for Novell NetWare
4.11, 4.2 and 5.0 diskette V1.03
– 33l3938.EXE — IBM ServeRAID DOS Configuration Diskette V3.10
– NET2100.ZIP — Netfinity Fibre Channel PCI Adapter NetWare Driver
V2.09 (QL2100 driver)
These are available from http://www.pc.ibm.com/support

7.2.2 Installing the Fibre QL2100 controller driver
If you are using a Fibre Channel configuration, you will first have to install
NetWare on another storage subsystem, such as a ServeRAID one.

To install the device driver for the IBM Netfinity Fibre Channel PCI Adapter, you
should use the driver in the NET2100.ZIP file downloaded from the IBM site as
described above (the QL2100 driver):
1. Start NWCONFIG
2. Select Driver Options
3. Select Configure disk and storage device drivers
4. Select Load an additional driver
5. You will then see a list of the available drivers. Press the Insert key and enter
the directory where the QL2100 driver is located.
6. Select the QL2100.HAM driver as shown in Figure 85.

NetWare Configuration

+----------------------------------------------------------------------------+
| Select a driver to install: |
|----------------------------------------------------------------------------|
| |QL2100.HAM | QLogic QLA2100/QLA2100F FC PCI Host Adapter Module |
|| |
|| |
|| |
|| |
+----------------------------------------------------------------------------+
+----------------------------------------------------------------------------+

+-----------------------------------------------------+
| "QL2100.HAM" Help |
| |
| This HAM driver is for the QLogic QLA2100 and |
| QLA2100F Fibre Channel PCI host bus adapters. |
| (QLA2100 is copper, QLA2100F is optical). |
+-----------(To scroll, <F7>-up <F8>-down)------------+

Select a listed driver <Enter> Install an unlisted driver <Ins>

Figure 85. Selecting the QL2100.HAM driver

7. When prompted to copy the driver, select Yes.
8. Figure 86 appears prompting you to specify the number of the PCI slot where
the adapter is installed. The slot number is the actual PCI slot number plus
1000. Figure 86 shows an adapter in slot 4.

NetWare Configuration

+------------- QL2100 Parameters --------------+


¦ ¦
¦ Slot Number: 10004 ¦
¦ Scan All Luns: No ¦
¦ ¦
¦ Driver version: Version 2.09 (990107) ¦
¦ ¦
¦ ¦
+----------------------------------------------+
+--------------------------------------------------+
+----------¦ "Scan All Luns" Help ¦
¦ Dri¦ ¦
+----------¦ This tells NetWare to scan for all Logical ¦
¦ ¦Select/M¦ Units on each target device attached to this ¦
¦ ¦Save par¦ adapter. ¦
+----------+----------(To scroll, <F7>-up <F8>-down)----------+
Save parameter settings <F10> or <Esc>
Help <F1> Modify a parameter <Enter> Abort nwconfig <Alt><F10>

Figure 86. Specifying the slot number

9. If the driver is installed correctly, the QL2100 driver will appear in the installed
driver list as shown in Figure 87.

NetWare Configuration

+-------------- Selected Disk Drivers ---------------+


| |QL2100 (currently loaded) |
| |IPSRAID (currently loaded) |
| |AHA2940 #01 (currently loaded) |
| |AHA2940 #02 (currently loaded) |
| |IDEATA #01 (currently loaded) |
+----------------------------------------------------+

+--------------------------------------+
| Additional Driver Actions |
|--------------------------------------|
| |Discover and load additional drivers|
| |Select an additional driver |
| |Deselect a selected driver |
| |Return to previous menu |
+--------------------------------------+

Help <F1> Previous screen <Esc> Change Lists <Tab> Abort <Alt><F10>
Figure 87. Driver successfully installed

10. Edit STARTUP.NCF and verify that the correct driver is loaded.
11. Repeat these steps for each server that belongs to the cluster.

7.2.3 Installing NCS


The NCS installation makes use of the ConsoleOne user interface. To install NCS
do the following:
1. Follow the instructions that accompany the NCS CD-ROM to start the
installation program. You will see the opening screen and the license
agreement.
2. Figure 88 appears where you can either create a new cluster or edit an
existing cluster.

Figure 88. Installing NCS — new or existing cluster

3. Select Create a new cluster and click Next.

Figure 89. Installing NCS — naming the cluster

4. Enter the following items:
– Cluster object name
– Tree name
– NDS context where you will set up the cluster object
You can select the tree and context by clicking . Doing so lets you select
these items as shown in Figure 90.

Figure 90. Installing NCS — selecting the NDS tree and context

5. Select the tree and then the context that you require. In our example, this
yields Figure 91.

Figure 91. Installing NCS — NDS details filled in

6. Click Next. Figure 92 appears where you select the servers that are to join the
cluster.

Figure 92. Installing NCS — selecting the servers

7. Click to select the servers as shown in Figure 93, then click Add to
Cluster. Repeat for each server that will participate in the cluster.

Figure 93. Installing NCS — selecting the servers

Each time you click Add to Cluster, the name and IP address of the server are
added to the list as shown in Figure 94.

Figure 94. Installing NCS — servers selected

Click Next. If you have correctly configured your shared disk devices (Fibre
Channel or ServeRAID), Figure 95 will appear with the shared disk device
already selected.

Figure 95. Installing NCS — selecting the shared disk devices

If the shared media exists but it is not automatically selected, make sure that:
– Support for NSS volumes has been loaded on all nodes
– The shared volumes can be accessed from each server in the cluster.
Verify this by entering the VOLUMES command on the console of each node.
You can also mirror the Cluster Partition to add fault tolerance to the cluster.
Since we have configured the shared disks for RAID-1 or RAID-5, this is not
necessary.
8. Select the options you want, then click Next. Figure 96 appears. Here you can
specify if you want the servers to be rebooted automatically upon completion
of the installation.

Figure 96. Installing NCS — rebooting the servers automatically

9. Once the installation is complete, you will see Figure 97.

Figure 97. Installing NCS — installation complete

10. If you selected automatic reboot of the servers, this now occurs.

Figure 98. Installing NCS — reboot

Once the servers are rebooted, the NCS status window will be available showing
you the status of the nodes, similar to Figure 99.

CLUSTER MEMBERS (NODE 01)

6-15-99 1:40:27 EPOCH 1 (2/32)

NODE STATES WHEN

00 - UP - 6-15-99 1:35:19
(01) - UP - 6-15-99 1:35:19

Figure 99. NCS status screen

7.2.4 Configuring NCS


Once you have installed NCS, the next step is to create and configure the cluster
resources. You also need to enable the NetWare volumes and to create the
cluster resource templates.

7.2.4.1 Enabling the cluster volumes


You will normally want to give the NetWare clients access to the disks in the
shared disk enclosure. You will therefore need to enable these volumes for the
cluster. This capability enables the volumes to be moved or mounted on different
servers in the cluster during a failure or when a manual failover is needed.

Note: Some applications do not require that the NetWare clients access the
shared volumes, so cluster enabling may not be necessary.
1. Start ConsoleOne. A new version was installed as part of NCS.
2. Select the cluster object.

Figure 100. Creating a new cluster volume

3. Click File > New > Cluster > Cluster Volume. Figure 101 appears.

Figure 101. New Cluster Volume

4. Click to select a volume to be enabled for clustering.
5. Enter the TCP/IP address for the volume. Each cluster-enabled volume
requires an IP address.
6. If you check Define Additional Properties, you will be shown the resource
properties window where you can define additional details about the volume.
7. Click the Create button to create the volume. Clicking View > Cluster State
(Figure 102) shows that the volume is created.

Figure 102. New resource CLUSTER_VOL created and offline

Figure 102 shows the new cluster resource CLUSTER_VOL created. It also
shows the status of the servers and the shared resources.
8. To put the new resource online, click the cluster resource name in the table.
Figure 103 appears where you can set its state to online.

Figure 103. Setting the cluster resource online

9. This will set the resource’s state to Running, as shown in Figure 104.

Figure 104. Cluster resource online

7.2.5 Other configuration features


Here, we introduce the functions available when configuring cluster resources for
use by NCS. For more details, consult the documentation that ships with NCS.

7.2.5.1 Cluster resource templates


The use of cluster resource templates simplifies the process of creating cluster
resources that are similar or identical. You can create templates for whatever
applications or resources you wish to add to the cluster. A typical use of the
template is with the IP service. You can also use it to configure server
applications that work in the cluster. You can edit and customize it for a specific
server application.

To create the template resources from ConsoleOne, click File > New > Cluster >
Cluster Resources. Figure 105 appears.

Figure 105. New Cluster Resource

If you choose to create a resource template, you may use one of the templates
shown in Figure 106.

Figure 106. Resource templates

If you checked Define Additional Properties in Figure 105, then Figure 107
appears where you can do so. Here you may change the node assignments for
the selected resource template. From other tabs in the properties window, you
can also configure the scripts for load and unload operations and configure the
failover and failback modes.

Figure 107. Resource template properties — node assignment

For more information, see the NCS product documentation.

7.2.5.2 Cluster resources
Resources must be created for each volume or application that is to be under the
control of NCS. These cluster resources can include Web sites, email servers,
databases and any other server-based applications or services that you wish to
have highly available for users.

From ConsoleOne, select the cluster object then click File > New > Cluster >
Cluster Resource then check Create Resource Template as shown in Figure
105 on page 148.

A load script is required for each resource, service or volume in the cluster. The
load script gives the commands necessary to start up the resource or service or
to mount the volume on a server. You can use any command that you would use
in an NCF file.

For the application or the cluster resource you can add an unload script in order
to specify how the application or the resource should end. It is not necessary for
all applications or resources; however, it can guarantee that during a failback or a
manual migration, a resource unloads before it reloads on another node.

7.2.5.3 Failover and failback


You can configure resource failover and failback to operate either manually or
automatically. If you want applications or resources to move automatically
to particular nodes in case of hardware or software failures, you have to
configure them to fail over automatically.

Figure 108. Failover policies

Configuring failback as automatic returns resources to their preferred
nodes. The preferred node is the one that is listed first on the list
of nodes in the node property page.

Use manual failover if you want to be able to intervene when a failure occurs and
before the resource is moved onto another server. Configuring the failover mode
as manual gives you time to bring up failed nodes or to migrate the resources
onto another node after having enabled the resource to move.

Manual failback works in the same way as manual failover. Use manual
failback to prevent a resource from returning to its preferred node after the node is
brought back online.

7.2.5.4 Assign nodes to a resource
When you create a resource on a cluster or cluster-enable a volume, the cluster
nodes are automatically assigned to the resources or the volume. The
assignment order is the same as the nodes appearing in the resource list. You
can assign or unassign nodes to the resource or volume or change the failover
order.

7.2.5.5 Migrate resources


You can migrate resources to different servers in the cluster without waiting for a
failure to occur. You can migrate resources to reduce the load on a specific
server, to bring a server down for maintenance, or to increase the performance of
the resources or applications by transferring them onto a faster machine.

Migrating the resources lets you balance the load across the cluster and
balance the applications among the servers. To do this for a resource, click its
name in ConsoleOne’s Cluster State view (Figure 102 on page 146). Since the
resource is currently running, Figure 109 appears where you can click Migrate to
migrate the resource to the specified migration target (if you only have two nodes
in your cluster, then the partner server will be listed as the target).

Figure 109. Migrating a resource to a partner node

Within a few seconds the state of the resource will change as follows:
• Unloading from the current node
• Loading on the preferred node
• Running on the preferred node

The Cluster State view in ConsoleOne lists the status of the servers and cluster
resources. The servers and resources are displayed in different colors depending
on their operating status.

[Figure callouts: the number of times the cluster state has changed; master server (yellow circle)]

Figure 110. Status of the servers and resources

• Servers:
– Green: normal operating condition
– Red with broken icon: failed
– Red without broken icon: unknown state
– Yellow circle: master of the cluster (initially the first server started)
• Resources:
– Green: normal operating condition
– Red: administrator intervention required
– No icon: offline, idle, or the state is in transition

The epoch number is the number of times the cluster state has changed. This
changes every time a server enters or leaves the cluster.
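
The failover and failback modes in 7.2.5.3, the node assignment order in 7.2.5.4 and the epoch counter can be followed step by step in a small simulation. The following Python code is an added example and a simplified model of what the text describes, not NCS code. The node names, the class names, the "needs-admin" state label, the choice of the next available node in assignment order as the failover target, and the epoch starting at 0 are all assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Resource:
    name: str
    nodes: list                 # assignment order; nodes[0] is the preferred node
    failover: str = "auto"      # "auto" or "manual"
    failback: str = "auto"      # "auto" or "manual"
    location: str = ""          # node hosting (or last hosting) the resource
    state: str = "offline"      # "running", "needs-admin" or "offline"


@dataclass
class Cluster:
    up: set = field(default_factory=set)
    epoch: int = 0              # counts servers entering or leaving the cluster
    resources: list = field(default_factory=list)

    def _first_up(self, res):
        """First node in the resource's assignment order that is up."""
        return next((n for n in res.nodes if n in self.up), None)

    def bring_online(self, res):
        target = self._first_up(res)
        if target is None:
            raise ValueError("no assigned node is up")
        res.location, res.state = target, "running"
        if res not in self.resources:
            self.resources.append(res)

    def migrate(self, res, target):
        """Manual migration by the administrator."""
        if target not in self.up or target not in res.nodes:
            raise ValueError(f"{target} is not an available assigned node")
        res.location, res.state = target, "running"

    def join(self, node):
        if node in self.up:
            return
        self.up.add(node)
        self.epoch += 1
        for res in self.resources:
            preferred = res.nodes[0]
            # Automatic failback: return to the preferred node when it is back.
            if (node == preferred and res.failback == "auto"
                    and res.state == "running" and res.location != preferred):
                res.location = preferred

    def leave(self, node):
        if node not in self.up:
            return
        self.up.discard(node)
        self.epoch += 1
        for res in self.resources:
            if res.location != node or res.state != "running":
                continue
            target = self._first_up(res) if res.failover == "auto" else None
            if target is None:
                res.state = "needs-admin"   # waits for the administrator
            else:
                res.location = target       # automatic failover


def demo():
    """Run a constructed failure sequence and return a trace of snapshots."""
    c = Cluster()
    for n in ("NODE1", "NODE2", "NODE3"):
        c.join(n)
    web = Resource("WEB", ["NODE1", "NODE2", "NODE3"], "auto", "auto")
    db = Resource("DB", ["NODE1", "NODE3", "NODE2"], "auto", "manual")
    mail = Resource("MAIL", ["NODE2", "NODE1"], "manual", "manual")
    for r in (web, db, mail):
        c.bring_online(r)
    trace = []

    def snap(event):
        trace.append((event, c.epoch,
                      {r.name: (r.location, r.state) for r in c.resources}))

    snap("start")
    c.leave("NODE1"); snap("NODE1 fails")
    c.leave("NODE2"); snap("NODE2 fails")
    c.join("NODE1"); snap("NODE1 returns")
    c.migrate(mail, "NODE1"); snap("admin migrates MAIL")
    return trace


if __name__ == "__main__":
    for event, epoch, placement in demo():
        print(f"{event:22} epoch={epoch} {placement}")
```

In the trace, WEB follows its assignment order and returns to NODE1 when that node rejoins, DB stays on NODE3 because its failback is manual, and MAIL waits for the administrator after NODE2 fails.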

7.3 Novell StandbyServer for NetWare


In this section we describe how to install StandbyServer. We assume you have
already installed NetWare 5 as described in Chapter 3, “Installing NetWare” on
page 41.

7.3.1 Mirroring basics — calculating mirroring times


Once the StandbyServer has been installed (as described in 7.3, “Novell
StandbyServer for NetWare” on page 151) the mirror can be set up. This means
that NetWare is able to read and write data at the same time on multiple disk
devices using a mirror environment.

Note: StandbyServer creates mirrors of entire partitions, not of volumes or files.
That's why the sizes of the partitions of the mirror set need to be identical. The
DOS disk from which the server is started is excluded from mirror operations.

Physically, a NetWare partition consists of a large data store area and another
small area named hot fix. The hot fix area is where NetWare rewrites bad blocks
when it detects a disk fault. NetWare mirrors only the partition that contains data
and not the hot fix area.

Note: For ServeRAID and Fibre Channel implementations, the hot fix area is not
used because the respective RAID controllers handle all remapping of failed
sectors.

The Hot Fix partition contains a mirror table which NetWare uses to define if the
mirror is carried out and if it is synchronized with other parts of the mirror set.

NetWare determines the most up-to-date device based on a number of components
from the mirror table:
• The mirror status component specifies the members of the mirror set that need to
be synchronized.
• The time stamp component within this mirror table specifies the most current
member of the mirror set. The table that has the latest time stamp is
considered to be the one that contains the most up-to-date data. The mirror
synchronization will therefore start from that specific device.

Never use NWCONFIG.NLM or INSTALL.NLM on the standby machine running in
non-utility server configuration to access the mirrored drives. This can give them a
newer time stamp and can cause the older data to overwrite the newer data at the
mirror synchronization.

Never use NWCONFIG.NLM or INSTALL.NLM on the standby machine running in
utility server configuration to mount the mirrored drive volumes, for the reasons
stated above. However, you can use these utilities to manage the utility server
environment.

Take into consideration that the logical partitions are mirrored, not the volumes. A
volume can be built onto multiple disks. This will increase the response time but
at the same time the number of failures. The best way to enhance the volume size
and therefore the partitions is to use RAID arrays.

The RAID configuration inside the two servers must be identical in
each part.

Notes:
• Mirroring is performed between the NetWare partitions, not the volumes or
files.
• Avoid using any disk repair utility like VREPAIR on the mirrored drive set. It is
always a good practice to break the mirror set and then run VREPAIR on the
removed part of the mirrored set. This gives a better chance of recovering from any
damage done by the repair utility itself.
• NetWare 5 supports disk mirroring only on the traditional NWFS volume
configuration. NetWare 5 does not yet support mirroring on NSS
implementation.

7.3.1.1 Calculation of the mirror time


The time required to complete a mirror depends on several factors: the disk
speed, the disk channel speed, and the dedicated link speed if one exists. It can
be estimated through the following formula:
N=DS/(60*RQ*AR/Ss)

where:
• N=number of requested minutes
• DS=disk size that has to be mirrored in bytes
• RQ=4096 bytes
• AR/Ss=average of requests/sec that can be displayed on the standby server
screen by pressing M.

For example:
8,589,934,592/(4096*60*400) = 87 minutes
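
The time stamp rule in 7.3.1 and the estimate above can be combined to show why touching the mirrored drives from the standby machine is dangerous. The following Python code is an added example and a simplified model, not StandbyServer code. The class and field names, the integer time stamps and the data_generation field (a constructed ground truth for how recent the data really is) are assumptions.

```python
from dataclasses import dataclass

REQUEST_SIZE = 4096            # RQ in the formula above, in bytes
EIGHT_GB = 8_589_934_592       # disk size used in the worked example above


@dataclass
class MirrorMember:
    server: str
    partition_bytes: int       # size of the mirrored data area (DS)
    timestamp: int             # time stamp component of the mirror table
    in_sync: bool              # mirror status component
    data_generation: int       # constructed ground truth: higher = newer data


def mirror_minutes(disk_bytes, avg_requests_per_sec):
    """N = DS / (60 * RQ * AR/Ss), the estimate given in the text."""
    if avg_requests_per_sec <= 0:
        raise ValueError("average requests per second must be positive")
    return disk_bytes / (60 * REQUEST_SIZE * avg_requests_per_sec)


def plan_resync(members, avg_requests_per_sec):
    """Pick the sync source by latest time stamp and estimate the resync."""
    if len({m.partition_bytes for m in members}) != 1:
        raise ValueError("partitions in a mirror set must be identical in size")
    source = max(members, key=lambda m: m.timestamp)
    targets = [m for m in members if m is not source
               and (not m.in_sync or m.timestamp < source.timestamp)]
    minutes = 0
    if targets:
        minutes = round(mirror_minutes(source.partition_bytes,
                                       avg_requests_per_sec))
    return {
        "source": source.server,
        "targets": [m.server for m in targets],
        "minutes": minutes,
        # True when the member about to be overwritten held newer data.
        "newer_data_lost": any(t.data_generation > source.data_generation
                               for t in targets),
    }


def scenario_normal():
    """Primary has the latest time stamp and the newest data."""
    primary = MirrorMember("PRIMARY", EIGHT_GB, 200, True, 12)
    standby = MirrorMember("STANDBY", EIGHT_GB, 150, False, 9)
    return plan_resync([primary, standby], 400)


def scenario_standby_touched():
    """Same data, but a utility run on the standby refreshed its time stamp."""
    primary = MirrorMember("PRIMARY", EIGHT_GB, 200, True, 12)
    standby = MirrorMember("STANDBY", EIGHT_GB, 250, False, 9)
    return plan_resync([primary, standby], 400)


if __name__ == "__main__":
    print(scenario_normal())
    print(scenario_standby_touched())
```

In the second scenario the standby becomes the synchronization source although its data is older, so the primary's newer data is overwritten.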

7.3.2 Preinstallation checklist


Before you begin the installation of StandbyServer ensure that the following are
performed/checked:
• The LAN adapter and disk controller drivers should be certified on NetWare 5
or taken from the NetWare 5 installation CD-ROM. Other versions of the
drivers may not be completely supported and may cause serious interruptions
to the system.
• The latest patch levels available on both the servers in the cluster are
installed.
• The backup of the server volume should be carried out.
• During the initial mirroring operation, a significant amount of data is
transferred between the servers. Be aware that this may cause a degradation
of network performance.
• Verify that all the server hardware is correctly configured. Do not use
interrupts that are in use by the system, such as IRQ 9 and IRQ 15.
• Use high-speed network adapters for the dedicated link: use 100 Mbps
Ethernet, FDDI or token-ring devices.
• When you install them, use a dedicated network and use an identifying name
(for example, NET=DEDLINK for IPX or the same network for IP). Configure
the adapters to support full duplex.
• For the dedicated link, the protocol IPX is much more efficient for the
mirroring. Alternatively, use TCP/IP.
• Use a crossover cable for the dedicated link. The cable configuration is shown
in Figure 111 and involves crossing over the send and receive pairs on each
RJ-45 connector.

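RJ-45 (left connector)      RJ-45 (right connector)
Pin 1  Orange               Pin 1  White/Green
Pin 2  White/Orange         Pin 2  Green
Pin 3  White/Green          Pin 3  Orange
Pin 6  Green                Pin 6  White/Orange
(Pins 4, 5, 7 and 8 have no wire labelled on either connector.)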

Figure 111. Category 5 Ethernet crossover cable pinouts

• At least one disk must be dedicated to the primary server to contain the SYS
volume. Make sure the standby machine has enough space in the NetWare
partition to hold the mirror of the primary server.
• Adjust the amount of RAM installed based upon calculations provided by the
Novell documentation or by the free tools such as NRAME.ZIP from:
http://www.itlab.orst.edu/download/default.htm
• If you are using the ServeRAID controller, make sure that the write policy is
set to write-back. This configuration will dramatically enhance the mirroring
functions. (Note, however, that changing the write policy will destroy all data.)
• Also for NetWare 5, as with other Novell versions, you need to configure the
DOS file CONFIG.SYS with:
FILES=40
BUFFERS=15
• Do not use the console commands REMOVE DOS or SECURE CONSOLE as this
impacts the use of StandbyServer.

• When using the utility server feature you have to install the StandbyServer in
the same NDS tree as the primary server. See 2.8.3, “Utility server feature” on
page 38 for information about the utility server feature.

7.3.3 Installing StandbyServer


After having verified that all requirements have been fulfilled in 7.3.2,
“Preinstallation checklist” on page 152, proceed as follows.

Note: the installation is performed from the standby machine, not the primary.
1. Start NetWare on both the primary server and the standby machine.
2. Load VINSTALL.NLM from the standby machine at the console prompt (after
having loaded the CD-ROM support) by typing the following:
LOAD VINCA:\NW\SBS50\VINSTALL
3. After reviewing and accepting the license, Figure 112 appears.

+------------------------------------------------------------------------------+
¦ VInstall v5.00 for StandbyServer NetWare Loadable Module ¦
+------------------------------------------------------------------------------+

+---------------------+
¦ ¦
¦ Welcome to VInstall ¦
¦ ¦
+---------------------+

+-------------------------------------------------------------------+
¦ Installation Options ¦
¦-------------------------------------------------------------------¦
¦ ¦Install StandbyServer. ¦
¦ ¦Update StandbyServer files. ¦
¦ ¦Add a vault machine to the StandbyServer configuration. ¦
¦ ¦Edit .NCF files on this machine only. ¦
¦ ¦Edit all StandbyServer .NCF files. ¦
¦ ¦Create product configuration file. ¦
¦ ¦Uninstall StandbyServer. ¦
¦ ¦Exit VInstall. ¦
+-------------------------------------------------------------------+

Press ESC to exit. Use arrow keys and Enter to select an option.
Press ALT+F10 to abort VInstall.
Figure 112. StandbyServer installation — main menu

4. Select the first option Install StandbyServer and the installation of the
product will start. If all preinstallation requirements have been met,
StandbyServer will search for the network servers that could belong to the
cluster and present you with a list of servers as shown in Figure 113.



+------------------------------------------------------------------------------+
¦ VInstall v5.00 for StandbyServer NetWare Loadable Module ¦
+------------------------------------------------------------------------------+

+-------------------------------+
¦ Select Primary Server ¦
¦-------------------------------¦
¦ ¦SRV-NW5-1 ¦
¦¦ ¦
¦¦ ¦
¦¦ ¦
¦¦ ¦
¦¦ ¦
¦¦ ¦
¦¦ ¦
+-------------------------------+

Use arrow keys and Enter to select a primary server.


Press ALT+F10 to abort VInstall.

Figure 113. StandbyServer installation - select the primary server

5. Select the server you want to be the primary. Figure 114 now appears.

+------------------------------------------------------------------------------+
¦ VInstall v5.00 for StandbyServer NetWare Loadable Module ¦
+------------------------------------------------------------------------------+

+--------------------------------------------------+
¦ Login to server SRV-NW5-1 ¦
¦--------------------------------------------------¦
¦ User Name: ADMIN ¦
¦ Password: ¦
+--------------------------------------------------+

Use arrow keys to move cursor to the User Name field.


Enter a user name and password to continue. Press ESC to cancel.
Press ALT+F10 to abort VInstall.

Figure 114. StandbyServer installation — login to the primary



6. Type in the name and password of the administrator. You have to insert the full
name, complete with NDS context. You may get the error message shown in
Figure 115 if you don’t fully specify the administrator’s user name.

+------------------------------------------------------------------------------+
¦ VInstall v5.00 for StandbyServer NetWare Loadable Module ¦
+------------------------------------------------------------------------------+

+-------------------------------------------------------------------+
¦ Login to file server SRV-NW5-1 was unsuccessful. Error:[fffffda7] ¦
¦ Make sure your user name and password are correct. ¦
¦ You may try using a distinguished user name (like .admin.novell). ¦
¦ Make sure the bindery context is properly set on both the Primary ¦
¦ and Standby machines. To try logging in again, select no when ¦
¦ prompted to manually setup. ¦
¦ <Press ENTER to continue> ¦
+-------------------------------------------------------------------+

Press ALT+F10 to abort VInstall.

Figure 115. StandbyServer installation — incomplete user name entered

7. Press Enter to continue to Figure 116.


During our experiments, we were unable to provide the user name that met the
requirements of the VINSTALL software. After consultation with Novell support
we decided to continue on with the manual installation method by selecting
Yes from Figure 116.



+------------------------------------------------------------------------------+
¦ VInstall v5.00 for StandbyServer NetWare Loadable Module ¦
+------------------------------------------------------------------------------+

+----------------------------------------------------------------------+
¦ Manually setup VInstall communications on the Primary Server? ¦
¦ (requires loading an NLM off the install disk on the Primary Server) ¦
+----------------------------------------------------------------------+

+------+
¦ ¦No ¦
¦ ¦Yes ¦
+------+

Press ALT+F10 to abort VInstall.

Figure 116. StandbyServer installation — manually setup communications

8. Select Yes and press Enter. The installation continues and you enter the
communications parameters manually.

+------------------------------------------------------------------------------+
¦ VInstall v5.00 for StandbyServer NetWare Loadable Module ¦
+------------------------------------------------------------------------------+

+-----------------------------------------------------------------+
¦ IPX and IP protocols are installed on this server (SRV-NW5-2). ¦
¦ Select the protocol that VInstall and StandbyServer should use. ¦
+-----------------------------------------------------------------+

+----------------------------------------------------+
¦ Select a protocol to continue ¦
¦----------------------------------------------------¦
¦ ¦IPX ¦
¦ ¦IP ¦
+----------------------------------------------------+

Choose IPX or IP protocol for this primary server. Press ESC to cancel.
Press ALT+F10 to abort VInstall.

Figure 117. StandbyServer installation — select a protocol



9. Select the protocol that you wish to use for the dedicated link. We selected
TCP/IP. Press Enter and Figure 118 now appears on the standby server.

+------------------------------------------------------------------------------+
¦ VInstall v5.00 for StandbyServer NetWare Loadable Module ¦
+------------------------------------------------------------------------------+

+--------------------------------------------------+
¦ Manually setup communications modules: ¦
¦ ¦
¦ Waiting for remote...take disk to SRV-NW5-1 and ¦
¦ type "load SYS:CLUSTER\NSBS\vload vincaip app=1" ¦
¦ and press Enter on the console of SRV-NW5-1. ¦
+--------------------------------------------------+

Waiting for remote...

Figure 118. StandbyServer installation — waiting for the primary server

10. On the primary system, enter the command that Figure 118 displays on the
standby system. The command specified depends on the protocol selected in
step 9.
Figure 119 now appears on the primary console.



+------------------------------------------------------------------------------+
¦ VInstall v5.00 for StandbyServer NetWare Loadable Module ¦
+------------------------------------------------------------------------------+
+----------------------------------------------------------------------------+
¦ StandbyServer Options ¦
¦----------------------------------------------------------------------------¦
¦ Standby Machine: SRV-NW5-2 Version: 5.00 ¦
¦ NetWare Directory: C:\NWSERVER ¦
¦ StandbyServer Directory: C:\STANDBY ¦
¦ ¦
¦ Primary Server: SRV-NW5-1 Version: 5.00 ¦
¦ NetWare Directory: C:\NWSERVER ¦
¦ StandbyServer Directory: C:\STANDBY ¦
¦ Primary IP Network: Address=192.168.0.1 Mask=FF.FF.FF.0 ¦
¦ ¦
¦ AutoSwitch: Enabled ¦
¦ Disk Read Blocker: Disabled ¦
¦ SNMP Support: Disabled ¦
¦ Utility Server: Enabled (Enabled recommended) ¦
¦ ¦
¦ ¦
+----------------------------------------------------------------------------+
Use arrow keys to select field, Enter to change the field.
Press F10 to accept options. Press ESC to cancel.
Press ALT+F10 to abort VInstall.

Figure 119. StandbyServer installation — options on the primary server

Figure 119 lets you configure different StandbyServer settings. The four
options at the bottom of the window are as follows:
– AutoSwitch: When AutoSwitch is enabled (the default), the standby server
automatically fails over and assumes the primary role if the primary server
fails. If it is disabled, failover is performed manually by the administrator.
– Disk Read Blocker: When enabled, disk reads only go to the disks in the
primary server. When disabled (the default), disk reads are serviced by
whichever side of the mirror is faster to respond.
– SNMP Support: When enabled, VMAN.NLM is loaded on the standby
server, which issues SNMP traps when the primary server fails over.
– Utility Server: When enabled, the standby server is automatically
configured to function as a utility server. When disabled, no configuration
changes are made.
Note: All these parameters can be customized and changed after the
installation.
11. Once you have finished selecting the options, press F10 to continue. The file
copy process then begins.
12. Once the file copy is completed, new AUTOEXEC.NCF and STARTUP.NCF
files will be created and you are asked if you wish to view or edit them (Figure
120):



+------------------------------------------------------------------------------+
¦ VInstall v5.00 for StandbyServer NetWare Loadable Module ¦
+------------------------------------------------------------------------------+

+-------------------------------------------------------+
¦ VInstall has created new STARTUP.NCF and AUTOEXEC.NCF ¦
¦ files for the primary and standby machines. ¦
+-------------------------------------------------------+

+-----------------------------------+
¦ View/Edit new .NCF files? ¦
¦-----------------------------------¦
¦ ¦No ¦
¦ ¦Yes ¦
+-----------------------------------+

Use arrow keys and Enter to select an option.


Press ALT+F10 to abort VInstall.

Figure 120. StandbyServer installation — edit the NCF startup files

13. If you select Yes, Figure 121 appears letting you select files to edit.

+------------------------------------------------------------------------------+
¦ VInstall v5.00 for StandbyServer NetWare Loadable Module ¦
+------------------------------------------------------------------------------+

+--------------------------------------------------------------+
¦ Edit new SRV-NW5-2 and SRV-NW5-1 NCF files. ¦
¦--------------------------------------------------------------¦
¦ ¦New SRV-NW5-2/C:\NWSERVER\STARTUP.NCF ¦
¦ ¦New SRV-NW5-2/C:\NWSERVER\AUTOEXEC.NCF ¦
¦ ¦New SRV-NW5-2/C:\STANDBY\STARTUP.NCF ¦
¦ ¦New SRV-NW5-2/C:\STANDBY\AUTOEXEC.NCF ¦
¦ ¦Edit another file on SRV-NW5-2 ¦
¦ ¦New SRV-NW5-1/C:\NWSERVER\STARTUP.NCF ¦
¦ ¦New SRV-NW5-1/C:\NWSERVER\AUTOEXEC.NCF ¦
¦ ¦New SRV-NW5-1/C:\STANDBY\STARTUP.NCF ¦
¦ ¦New SRV-NW5-1/C:\STANDBY\AUTOEXEC.NCF ¦
¦ ¦Edit another file on SRV-NW5-1 ¦
¦ ¦Continue Installation ¦
+--------------------------------------------------------------+

Press ESC to exit. Use arrow keys and Enter to select a file to edit.
Press ALT+F10 to abort VInstall.

Figure 121. StandbyServer installation — edit the NCF startup files



14. If you make changes to any of the files you will be given the chance to save
the original files as .OLD files or to save the changes into .NEW files for later
implementation.
15. Once the installation is complete, you will see Figure 122.

+------------------------------------------------------------------------------+
¦ VInstall v5.00 for StandbyServer NetWare Loadable Module ¦
+------------------------------------------------------------------------------+

+----------------------------------------------------------------------------+
¦FINISH STEPS: ¦
¦1. Remove Directory Services on SRV-NW5-2 using NetWare install. ¦
¦2. Remove SYS volume on SRV-NW5-2 using NetWare install. ¦
¦3. Down SRV-NW5-1. ¦
¦4. Down SRV-NW5-2. ¦
¦5. Type standby<Enter> in the SRV-NW5-2/C:\STANDBY directory. ¦
¦6. Type server<Enter> in the SRV-NW5-1/C:\NWSERVER directory. ¦
¦7. Use NetWare install on SRV-NW5-1 to begin mirroring. ¦
¦NOTE: These steps are also saved in the file FINISH.TXT in all ¦
¦ StandbyServer directories. ¦
+----------------------------------------------------------------------------+

+---------------------------+
¦ Install Complete ¦
¦ <Press ENTER to continue> ¦
+---------------------------+

Use arrow keys and Enter to select an option. Press ESC to backup.
Press ALT+F10 to abort VInstall.

Figure 122. StandbyServer installation — final steps

This window shows the steps you need to perform once VINSTALL exits.
When you press Enter, VINSTALL closes and the list of steps are repeated on
the NetWare console as shown in Figure 123.

FINISH STEPS:
1. Remove Directory Services on SRV-NW5-2 using NetWare install.
2. Remove SYS volume on SRV-NW5-2 using NetWare install.
3. Down SRV-NW5-1.
4. Down SRV-NW5-2.
5. Type standby<Enter> in the SRV-NW5-2/C:\STANDBY directory.
6. Type server<Enter> in the SRV-NW5-1/C:\NWSERVER directory.
7. Use NetWare install on SRV-NW5-1 to begin mirroring.
NOTE: These steps are also saved in the file FINISH.TXT in all
StandbyServer directories.
*****LOAD INSTALL NOW, REMOVE D.S. AND REMOVE SYS!*****
SRV-NW5-2:

Figure 123. StandbyServer installation complete

Note that there are two additional steps listed in Figure 123. You must first
remove Directory Services and any volumes created on the standby server.



Now that StandbyServer installation is complete, you need to remove NDS and
the SYS volume from the standby server (unless you have configured the standby
server as a utility server in Figure 119 on page 159).

7.3.3.1 Removing the SYS volume from the standby server


Follow these steps to remove the volumes from the standby server:
1. Start NWCONFIG from the console of the standby server. Figure 124 appears.

NetWare Configuration

+---------------------------------------------------------------+
¦ Configuration Options ¦
¦---------------------------------------------------------------¦
¦ ¦Driver Options (load/unload disk and network drivers)¦
¦ ¦Standard Disk Options (configure NetWare partitions/volumes)¦
¦ ¦NSS Disk Options (configure NSS storage and volumes) ¦
¦ ¦License Options (install or remove licenses) ¦
¦ ¦Copy Files Options (install NetWare system files) ¦
¦ ¦Directory Options (install NDS) ¦
¦ ¦NCF files Options (create/edit server startup files) ¦
¦ ¦Multi CPU Options (install/uninstall SMP) ¦
¦ ¦Product Options (other optional installation items) ¦
¦ ¦Exit ¦
+---------------------------------------------------------------+

Use the arrow keys to highlight an option, then press <Enter>.

Figure 124. NWCONFIG

2. Select Standard Disk Options then NetWare Volume Options.


3. A window will then appear with all the existing volumes configured on the
server. Select each of them and press the Delete key to remove them.

7.3.3.2 Removing NDS from the standby server


To remove NDS do the following:
1. Start NWCONFIG from the console of the standby server.
2. Select Directory Options.
3. Select Remove Directory Services from this server.
4. Select Yes when you are prompted to confirm the removal.
5. Enter the Administrator’s full context name and password.

7.3.4 Starting StandbyServer


Now, to restart the servers and start StandbyServer, do the following:
1. Type DOWN on each server console, then EXIT.
2. On the standby server, change to the C:\STANDBY directory and start
StandbyServer by entering STANDBY. Figure 125 appears.



+----------------------------- StandbyServer 5.00 -----------------------------+
¦ Primary Server Name: SRV-NW5-1 ¦
¦--------- Disk Drive Information --- [ 2 drives] -------- Link Driver Info ---¦
¦ 0: IBM RAID rev:1 9094 MB ¦ Handle :1 ¦
¦ 1: IBM RAID rev:1 9096 MB ¦ Driver Name : vip ¦
¦ ¦ ¦
¦ ¦---- CPU Utilization ---¦
¦ ¦ 0% ¦
¦ ¦---- Standby Up-Time ---¦
¦------------------ Activity Meter -------------------¦ 00:00:23:30 ¦
¦ |----|----|----|----|----|----|----|Max Reqs/s: 10 ¦---- Date ----- Time ---¦
¦ ¦ 07/08/1999 16:09:54 ¦
¦---------------------- Dialog ------------------------------------------------¦
¦PING PING PING PING PING PING PING PING PING PING PING PING PING PING PING ¦
¦PING PING PING PING PING PING PING PING PING PING PING PING PING PING PING ¦
¦PING PING PING PING PING PING PING PING PING PING PING PING PING PING PING ¦
¦PING PING PING PING PING PING PING PING PING PING PING PING PING PING PING ¦
¦PING PING PING PING PING PING PING PING PING PING PING PING PING PING PING ¦
¦PING PING PING PING PING PING PING PING PING PING PING PING PING PING PING ¦
¦PING PING PING PING PING PING PING PING PING PING ¦
¦ ¦
¦ ¦
¦ ¦
+------------------------------------------------------------------------------+
StandbyServer is communicating with the Server. <ESC> to exit <h>elp

Figure 125. StandbyServer console

If you have enabled AutoSwitch, Figure 126 will also appear in the console list.

+-------------------------------- AutoSwitch ----------------------------------+


¦ Primary Server Name : SRV-NW5-1 ¦
¦----------------------------- Connection Status ------------------------------¦
¦ StandbyServer Link : CONNECTED ¦
¦ Network Server Connection : CONNECTED ¦
¦----------------------------- AutoSwitch Status ------------------------------¦
¦ AutoSwitch : ARMED ¦
¦ Failover Delay : 40 SECONDS ¦
¦---------------------------------- Dialog ------------------------------------¦
¦ 07/08/99 15:45:18 Waiting for SBS link and Network connection ¦
¦ 07/08/99 15:46:37 Pinging server SRV-NW5-1 [192.168.0.1]. ¦
¦ 07/08/99 15:46:37 Server SRV-NW5-1 [192.168.0.1] found. ¦
¦ 07/08/99 15:46:37 SBS link and Network connection to server SRV-NW5-1 OK ¦
¦ 07/08/99 15:46:37 AutoSwitch is armed ¦
¦ ¦
¦ ¦
¦ ¦
¦ ¦
¦ ¦
¦ ¦
¦ ¦
¦ ¦
¦ ¦
+------------------------------------------------------------------------------+
AutoSwitch ARMED <ESC> to exit <h>elp

Figure 126. AutoSwitch console



3. On the primary server, change to the C:\NWSERVER directory and type
SERVER to start NetWare.

From the AutoSwitch console, you can check the connection between the servers
through both the dedicated link and the network link. These are both listed as
CONNECTED. Note also that AutoSwitch is listed as ARMED, meaning that
it is ready to automatically take over the operations of the primary server without
any human intervention.

7.3.5 Configure mirroring


The next step consists of configuring the mirroring by using NWCONFIG. Keep in
mind that the mirror happens between the NetWare partitions and not the
volumes.
1. At the prompt of the primary server console type NWCONFIG.
2. Select Standard Disk Options. Figure 127 appears.
+----------------------------------------+
| Available Disk Options |
|----------------------------------------|
| |Modify disk partitions and Hot Fix |
| |Mirror/Unmirror disk partitions |
| |Scan for additional devices (optional)|
| |Initialize hard disk |
| |NetWare Volume Options |
| |Return to the previous menu |
+----------------------------------------+
Figure 127. NWINSTALL — standard disk options

3. Select Modify disk partitions and Hot Fix. A window similar to Figure 128
appears.



NetWare Configuration

+-----+-----------------------------------------------------------------+
¦ ¦ Disk Partition Type Logical ID Size ¦
¦---+-+-----------------------------------------------------------------¦
¦ ¦D¦ ¦ Big DOS; OS/2; Win95 Partition 0x8 54.7 MB ¦
¦ ¦S¦-¦ NetWare Partition 0xC 484.4 MB ¦
¦ ¦N¦ ¦ Free Space 8133.8 MB ¦
¦ ¦L¦ ¦ ¦
¦ ¦C¦ ¦ ¦
¦ ¦D¦ ¦ ¦
¦ ¦N¦ ¦ ¦
¦ ¦M¦ ¦ ¦
¦ ¦P+-¦ ¦
¦ ¦Exi+-----------------------------------------------------------------+
+---------------------+-------------------------------+---------+
¦ Disk Options ¦
¦-------------------------------¦
¦ ¦Change Hot Fix ¦
¦ ¦Create NetWare disk partition¦
¦ ¦Delete any disk partition ¦
¦ ¦Return to previous menu ¦
+-------------------------------+

Help <F1> Previous screen <Esc> Abort nwconfig <Alt><F10>

Figure 128. NWCONFIG — modify disk partitions

4. Then check the drives one by one; a partition must exist and the partitions
must have the same size as the ones that will be mirrored. Take note of the drive
labels (for example "0xF ->Device: 0x5" in Figure 129) to be able to follow the
mirror procedure more carefully.
5. From the Available Disk Options window (Figure 127), select Mirror/Unmirror
disk partitions. Figure 129 appears showing a list of the disk partitions on the
primary server and the standby server. Currently, none are mirrored.
+---------------------------------------------------+
| Available Devices |
|---------------------------------------------------|
| |Device #5 [V2D1-A3-D8:0] IBM RAID rev:1 |
| |Device #6 [V2D1-A3-D9:0] IBM RAID rev:1 |
| |Device #E [V5E0-A4-D0:0] STANDBY 0 IBM RAID rev |
| |Device #F [V5E0-A4-D0:1] STANDBY 1 IBM RAID rev |
+---------------------------------------------------+
Figure 129. NWCONFIG — mirroring disk partitions

6. Take note of what appears on the screen, taking into consideration that if there
is no partition on a specific drive, it will not be shown in the window and
therefore it will not be available for the mirror operations.

Warning
Pay particular attention to this operation because a mistake could cause the
total erasure of the volumes of the primary server and consequently require
you to reinstall the whole environment.



7. Select the first drive containing the volume SYS of the primary server and
therefore without the “standby” label. Press Enter and Figure 130 appears
showing only one partition in the mirrored set so far.

NetWare Configuration

+---------------------------------------------------------------+
¦ Configuration Options ¦
¦---+----------------------------------------+------------------¦
¦ ¦D¦ Available Disk Options ¦d network drivers)¦
¦ ¦S¦----------------------------------------¦artitions/volumes)¦
¦ ¦N¦ ¦Modify disk partitions and Hot Fix ¦ge and volumes) ¦
+------------------------------------------------------------------+
¦ Disk Partition Mirroring Status ¦
+----------------------------------------------------------------------------+
¦ Mirrored Disk Partitions (Logical Partition #12) ¦
¦----------------------------------------------------------------------------¦
¦ ¦In Sync - Device #5 [V2D1-A3-D8:0] IBM RAID rev:1 ¦
¦¦ ¦
+----------------------------------------------------------------------------+

To add a disk partition to the set, press <Ins>.


To remove a partition from the set, press <Del>.
To return to the previous list, Press <Esc>.

Figure 130. NWCONFIG — mirror set incomplete

8. Press the Insert key. The available drives will appear as shown in Figure 131.



NetWare Configuration

+---------------------------------------------------------------+
¦ Configuration Options ¦
¦---+----------------------------------------+------------------¦
¦ ¦D¦ Available Disk Options ¦d network drivers)¦
+---------------------------------------------------------------+
¦ Available Disk Partitions ¦
¦---------------------------------------------------------------¦--+
¦ ¦Logical Partition 0x15 [V5E0-A4-D0:0] STANDBY 0 IBM RAID rev ¦ ¦
¦¦ ¦------------+
¦¦ ¦ ¦
¦¦ ¦------------¦
+---------------------------------------------------------------+ ¦
¦¦ ¦
+----------------------------------------------------------------------------+

View and modify associated mirror set <Enter>


To add disk partitions to the set, highlight them and
press <F5>. To return to the previous list, press <Esc>.

Figure 131. NWCONFIG — selecting the disk partition to add to the mirrored set

9. Select the corresponding drive that must contain that specific volume on the
standby server. It will have the “standby” label. Press Enter.

NetWare Configuration

+---------------------------------------------------------------+
¦ Configuration Options ¦
¦---+----------------------------------------+------------------¦
¦ ¦D¦ Available Disk Options ¦d network drivers)¦
¦ ¦S¦----------------------------------------¦artitions/volumes)¦
¦ ¦N¦ ¦Modify disk partitions and Hot Fix ¦ge and volumes) ¦
+------------------------------------------------------------------+
¦ Disk Partition Mirroring Status ¦
+----------------------------------------------------------------------------+
¦ Mirrored Disk Partitions (Logical Partition #12) ¦
¦----------------------------------------------------------------------------¦
¦ ¦In Sync - Device #5 [V2D1-A3-D8:0] IBM RAID rev:1 ¦
¦ ¦Out Of Sync - Device #E [V5E0-A4-D0:0] STANDBY 0 IBM RAID rev ¦
+----------------------------------------------------------------------------+

To add a disk partition to the set, press <Ins>.


To remove a partition from the set, press <Del>.
To return to the previous list, Press <Esc>.

Figure 132. NWCONFIG — mirrored set complete but the standby disk is out of sync



10. Figure 132 shows the mirrored set if all operations have been carried out
correctly.
11. By pressing Esc and Enter to reenter this screen, you will see that the
synchronization of the mirror begins automatically as shown in Figure 133.

NetWare Configuration

+---------------------------------------------------------------+
¦ Configuration Options ¦
¦---+----------------------------------------+------------------¦
¦ ¦D¦ Available Disk Options ¦d network drivers)¦
¦ ¦S¦----------------------------------------¦artitions/volumes)¦
¦ ¦N¦ ¦Modify disk partitions and Hot Fix ¦ge and volumes) ¦
+-----------------------------------------------------------------+
¦ Disk Partition Mirroring Status ¦
¦-----------------------------------------------------------------¦
¦ ¦Remirroring (20% done): Logical Partition: 0xC ->Device: 0x5 ¦
¦¦ ¦
¦¦ ¦
¦¦ ¦
+-----------------------------------------------------------------+

View and modify associated mirror set <Enter>


Restore an out-of-sync partition <F3> Previous menu <F10> or <Esc>
Help <F1> Abort nwconfig <Alt><F10>

Figure 133. NWCONFIG — synchronization in progress

12. Repeat these steps for other drives that are to be set up as mirrors.

7.3.5.1 Breaking the mirror


If you need to remove the mirror, do the following:
1. Start NWCONFIG from the prompt of the primary server console
2. Choose Standard Disk Options
3. Choose Mirror/Unmirror disk partitions
4. Select the requested mirror set
5. Choose the partition provided with the label “standby”
6. Press the Delete key
7. Confirm the removal

7.3.5.2 Customizing the mirror


If you want to enhance the mirror speed, you may customize some of the
NetWare parameters, as follows:
1. Enter MONITOR from the console
2. Select Server Parameters
3. Select Disk.

Consider the following changes:


• Remirror Block Size from 1 to 2
• Concurrent Remirror Request from 30 to 32



• Enable Hardware Write Back from OFF to ON

You must add these changes to all the AUTOEXEC.NCF and STARTUP.NCF files
of both the file servers.

7.3.5.3 Testing failure recovery


Before starting the environment it would be advisable to test that the cluster
environment is working.

In general we divide the system interruptions into two categories:


• Partial interruption (due to hardware malfunction for example)
• Total interruption (due to an abend for example)

In the case of a partial interruption, keeping in mind that the mirroring and the
communication between the servers is controlled by the StandbyServer software,
it is sufficient to unload the AutoSwitch function and exit the StandbyServer
software on the primary server. To do this, on both machines, simply press Esc on
both the AutoSwitch screen and the StandbyServer screen and confirm the exit.

In the case of total interruption, you can test this by bringing down the primary
server, or by turning off the power to the primary server. After 40 seconds (a
modifiable delay - see the StandbyServer documentation), the standby server will
recognize the primary server’s failure and start the failover process. After the
new primary server comes up, Figure 134 will be displayed until the message is
removed by pressing Esc. The users and the network administrator will receive a
window similar to Figure 135.

Your StandbyServer has successfully AutoSwitched and taken over the
functions of your primary server.

You should now complete the following steps:

1 - Repair the primary server.
2 - Type "STANDBY" <Enter> in the C:\STANDBY directory on the primary
server to run StandbyServer.
3 - Allow all drives to remirror. The time it takes to remirror will
depend on how long the drives have been out of sync.
4 - Disable the AutoSwitch function by pressing 'p' at the AutoSwitch
screen on the primary server.
5 - Down and exit this server.
6 - Down and exit the primary server.
7 - Type "STANDBY" <Enter> on this machine from the C:\STANDBY directory.
8 - Type "SERVER" <Enter> from the NetWare directory on the primary server.

A warning will be broadcast periodically to the workstations logged in
to this server until this NLM is unloaded by pressing ESC. The warning
can also be disabled by pressing the SPACE bar.

Figure 134. StandbyServer failover completed



Figure 135. Message received by users

The clients will see a momentary interruption of the network services. If your
clients have the following settings, they will not be forced to re-log in with their
own username and password.
• For Windows 95/98 with the IntranetWare client Version 3.0.2.0 or later:
– Auto Reconnect Level = 3
– Handle Net Errors = ON
– Name Cache Level = 0
– Net Status Timeout = 60
– NetWare Protocol = NDS
• For Microsoft NT client with the IntranetWare client Version 4.50.819 or later:
– Advance Settings menu: Auto Reconnect = ON
– Protocol Preferences menu: Preferred Network Protocol = IP
– Protocol Preferences menu: Protocol Component Settings = NDS

If the failure was real, you can now perform diagnostics on the failed primary
server. You should restart StandbyServer on the new primary server by running
STANDBY from the C:\STANDBY directory. This will cause mirror synchronization to
begin immediately and it is advisable to let this finish before undertaking other
operations.

7.3.6 StandbyServer in a WAN environment


The mirroring of data across a wide area network (WAN) connection offers
increased protection from catastrophic failures. Since the development of
networks based on the client/server model has gained importance, the
opportunity of data mirroring over the WAN has become one of the most
important tools for administrators.

In this section, we provide an introduction to the mirroring capability of NetWare
file servers in a WAN environment using StandbyServer for NetWare 5.

Note: We are not promoting any of the products on the market or any of the
technologies in this field. We only compare the telecommunications services
that can be used to implement a mirroring environment over a WAN, and give a
short summary of a few parameter settings that can be useful within this
environment. We suggest that the reader study telecommunications and other
documentation on the topic.



7.3.6.1 WAN services
Telecommunications vendors (telcos) offer a wide range of WAN services, and a
customer has to choose the one that meets their particular needs. The most
recommended connection lines for mirroring over a WAN are:
• Leased lines — A vendor charges a fixed monthly amount no matter how long
you use the connection. There are the following three types:
– T1 with 24 channels at a transmission speed of 1.544 Mbps
– T3 at 44.736 Mbps
– SONET (Synchronous Optical NETwork) at 155 Mbps
• Frame relay — Less expensive than leased lines when three or more
locations need connectivity or when data traffic is variable rather than the
constant stream that mirroring traffic usually produces. The lower-cost variant
is 0-CIR, which means that every frame is eligible to be dropped. Telcos offer
a guarantee that the packets will be sent correctly.
• SMDS (Switched Multimegabit Data Service) — Gives low bandwidth, between
1 Mbps and 34 Mbps.
• ATM (Asynchronous Transfer Mode) — One of the latest WAN technologies.
It is very important because it can carry not only data but also voice and
images. Much like 0-CIR frame relay, ATM has a low-cost service called UBR
(unspecified bit rate) that has turned out to be suitable for wide area server
mirroring.

7.3.6.2 Critical WAN parameters


The parameters to take into consideration when calculating the real charges of
wide area server mirroring are:
• Bandwidth
Bandwidth is the most critical parameter. When you estimate the bandwidth
needed for a link that includes a remote mirrored file server, the key point is
to understand how much of it the mirroring needs.
The most important factor for the WAN traffic is the disk write activity. To
understand the activity of the file server, you can use the Novell monitor
statistics, which record each disk write that is carried out. Consider both the
average and the peak of the disk write activity. The WAN bandwidth should
approach this peak value.
• Latency
Latency should also be considered when mirroring over a WAN. Latency is the
total time the signal takes to travel through the communications channel.
Latency reduces the effective bandwidth of the WAN link.
In unmirrored server environments, the read latency can be reduced by forcing
read requests to be served by the local server rather than by the remote
server. With StandbyServer for NetWare, remote disk reads are blocked when
you type Yes in the Disk Read Blocker field during the product installation.

+------------------------------------------------------------------------------+
¦ VInstall v5.00 for StandbyServer NetWare Loadable Module ¦
+------------------------------------------------------------------------------+
+----------------------------------------------------------------------------+
¦ StandbyServer Options ¦
¦----------------------------------------------------------------------------¦
¦ Standby Machine: Version: 5. 0 SRV-NW5-2 ¦
¦ 5.00 NetWare Directory: C:\NWSERVER ¦
¦ StandbyServer Directory: C:\STANDBY ¦
¦ ¦
¦ Primary Server: Version: 5. 0 SRV-NW5-1 ¦
¦ NetWare Directory: C:\NWSERVER ¦
¦ StandbyServer Directory: C:\STANDBY ¦
¦ Primary IP Network: Address=192.168.0.1 Mask=FF.FF.FF.0 ¦
¦ ¦
¦ AutoSwitch: Enabled ¦
¦ Disk Read Blocker: Disabled ¦
¦ SNMP Support: Disabled ¦
¦ Utility Server: Enabled (Enabled recommended) ¦
¦ ¦
¦ ¦
+----------------------------------------------------------------------------+
Use arrow keys to select field, Enter to change the field.
Press F10 to accept options. Press ESC to cancel.
Press ALT+F10 to abort VInstall.

Figure 136. StandbyServer options

The bandwidth reduction caused by write latency can be reduced further by
configuring options of the StandbyServer NLM modules. When the WAN
connection is reliable (for example, if it is implemented over Fibre Channel),
the write acknowledgment can be turned off by configuring the “noacks” option
of the VINCAIPX.DSK module. The latency can also be reduced by lowering the
number of requests allowed on a WAN connection and reducing the buffers
option (buffers=n, where n is 1-10, defaulting to 5). The data packet size
should be increased to the maximum that the physical media allows. For
example, if the servers are connected to an external WAN router via an
Ethernet connection, the packet size of VINCAIPX.DSK should be set with
packetsize=1492.
• Network outages
WANs are susceptible to outages such as cable cuts and switching equipment
failures. To protect the mirror from these interruptions, it is advisable to
increase the StandbyServer time-outs beyond the default value so that the
mirrored servers do not disconnect during these short outages.
• Bit error rate
Communication channels are often subject to errors caused by external
interference. For channels with a high BER, it is recommended that you enable
the “checksum” of VINCAIPX.NLM and VINCAIP.NLM.

Chapter 8. Scenarios
The best way to incorporate all the products that are in the NetWare stable is to
base them on scenarios that depict real-world examples. We will then use the
installation instructions and worksheets that have been created in this redbook.
After the installation, we will then configure these scenarios so that they perform
the tasks we have outlined in the objectives of each scenario.

As this is not a live network with users connecting, it is not possible to configure
every aspect and ensure that all of them have been covered. The main aim is to
create the basis of the network and leave the user-based configurations such as
login scripts, security, etc.

The scenarios are based on two separate companies, each with special
requirements as to size, the number of users expected and the amount of fault
redundancy/tolerance required. We start off with a small company with one server
and 50 users that wishes to connect to the Internet. As we go from one scenario
to the next, the size of the company increases and therefore so does the
complexity.

8.1 Small configuration


Smaller companies often have no in-house skills and cannot afford to employ
someone full time to manage their environment. For this reason the environment
must be kept as simple as possible with little need for intervention.
• The customer that we are looking at is one that has approximately 50 users.
These users store all their files on the server and the applications are stored
locally on the workstations.
• The users require Internet access and are concerned about the security of the
network. In this document we are not covering the speeds and feeds to the
Internet. This customer has a 128 Kbps dial-up connection to their ISP.
• They have a mixture of Windows NT 4.0 and Windows 95 workstations.
• The BorderManager server has one network card, connecting to the internal
LAN. The other interface is the modem to the ISP.

Sizing WAN links for browsing

Here are some rules we use to size the links required for browsing. These are
only rules of thumb to give you a starting point; they are not definitive answers.
• Start with 16 Kbps per user for browsing.
• Approximately one third of users use the Internet at one time.
• Multiply 16 Kbps by the number of users (16 x 8 = 128).
• If you use the one third rule, then 8 x 3 gives you 24 users for a 128 Kbps
line.
• Proxy servers over time provide a 50% increase in performance due to
caching.
• Therefore, multiplying 24 users x 2 means that 128 Kbps should service 48
users.

Figure 137. Small site scenario diagram (diagram labels: Netfinity 7000 M10 with
NetWare 5; NetWare 5 with BorderManager providing proxy, firewall, IPX to IP
gateway, and access control; ISP/Internet; IPX only; IP only)

8.1.1 Installing the configuration


Installing the configuration is based on the installation instructions throughout this
document. Ensure that you have all products installed and have your
communications protocol(s) working properly.
1. Install NetWare 5 and the patches according to Chapter 3, “Installing
NetWare” on page 41 ensuring that you install all products that are required.
The worksheet in A.2, “Installing NetWare 5 worksheet” on page 236 will
ensure that you have all the information that you require. Anything that is
missing can be filled out during the install and then kept with the server
documentation.
2. Install the client supplied with NetWare 5 using the Novell Client Software
CD-ROM. Install the appropriate client, choose Custom and select Novell IP
gateway. This ensures that, once the server has all the components installed,
the client will have access to the IP network.
3. Configure the users, printers and login scripts as required.
4. Install BorderManager using the steps in 3.7, “Installing BorderManager” on
page 60.
5. The selection of public and private interfaces in the BorderManager setup is
based on the actual configuration. In our example, the only interface selected
was the WAN call over the modem to the ISP and this was marked as public.
The choice to secure all public interfaces was also selected.

8.1.2 Configuring the environment


Configuration of the environment is a phased process:
1. Configure NIAS (Novell Internet Access Server) to enable dialout to the ISP.
2. The IPX/IP gateway must be enabled and set as a transparent proxy.
3. Clients must be enabled to use the IP gateway.
4. Access rules must be set for the user or users.

8.1.2.1 Creating an on-demand dial-out to the ISP


We need to create a connection to the ISP to enable browsing and connection to
the Internet. In our scenario users are connected via an ISDN line. In our
examples, we used a modem, but the process is the same. Some of the
communication parameters will, however, be different.
1. Enter INETCFG at the server console where you have the WAN card or modem
connected.

+------------------------------------------------------------------------------+
| Internetworking Configuration 3.32 NetWare Loadable Module |
+------------------------------------------------------------------------------+

+-------------------------------+
| Internetworking Configuration |
|-------------------------------|
| |Boards |
| |Network Interfaces |
| |WAN Call Directory |
| |Backup Call Associations |
| |Protocols |
| |Bindings |
| |Manage Configuration |
| |View Configuration |
| |Reinitialize System |
| |Go To Fast Setup |
+-------------------------------+

Add, delete, and modify WAN Call Destinations.


ENTER=Select ESC=Exit Menu F1=Help

2. Once in the above, select Boards. Press the Insert key and enter an
appropriate name and press Enter. Next, select the board that you are using
and press Enter; in our case we are using the WHSMAIO board.

+------------------------------------------------------------------------------+
| Internetworking Configuration 3.32 NetWare Loadable Module |
+------------------------------------------------------------------------------+

+-------------------------------+
| Internetworking Configuration |
|-+--------------------------------------------------------------------------+
|| Configured Boards |
| |------+---------------------------------------------------+---------------|
| | Boar| WHSMAIO Board Configuration | Comment |
| | |E100|---------------------------------------------------| Transfe... |
| | |IBMT| WHSMAIO Board Name: COM_1 | Transfe... |
| | |VPTU| AIO Board Name: unknown | - |
||| | AIO Driver: unknown | |
| +------| |---------------+
| |Reinit| AIO Board Options: <Select to View> |
| |Go To | |
+--------| First AIO Port Number: 0 |
| Number of AIO Ports: 0 |
| Driver-Specific Configuration: |
+---------------------------------------------------+

Select this field to choose the AIO board configuration.


ENTER=Select ESC=Previous Menu F1=Help

3. You are automatically placed in the AIO Board Options window. Press Enter.
Once in the next window we selected the type of board that we were using
(AIOCOMX) and then selected COM_1. Press Esc and save the changes.
4. Return to the INETCFG screen, select Network Interfaces and then select the
COM_1 board created in the previous steps. You will be prompted to select the
type of communication (we selected PPP, the only choice we were given). Press
Enter.

+------------------------------------------------------------------------------+
| Internetworking Configuration 3.32 NetWare Loadable Module |
+------------------------------------------------------------------------------+
+----------------------------------------------------------------+
+------| PPP Routing Network Interface Configuration |
| Inter|----------------------------------------------------------------|
+------| Interface Name: COM_1_1 |----+
| | Interface Group: (None) | |
|------| Interface Status: Enabled |----|
| Boar| | |
| |COM_| Framing Type: ASYNC | |
| |E100| Physical Type: RS-232 | |
| |IBMT| Interface Speed: 9600 | |
| |VPTU| Modem/DCE Type: USRobotics Courier V.EVERYTHING ... | |
+------| Modem/DCE Options: (view or modify) |----+
| |Rein| Local Telephone Number: (None) |
| |Go T| |
+------| Authentication Options: (view or modify) |
| Timeouts & Retries: (view or modify) |
| Negotiation Options: (view or modify) |
| Enterprise Specific Traps: (view or modify) |
| Physical Options: (view or modify) |
+----------------------------------------------------------------+
Select the type of Modem or other DCE Device attached to this interface.
ENTER=Select ESC=Previous Menu F1=Help

5. The window highlighted the Modem/DCE Type. Press Enter and select the
type of modem. If yours is not listed and it is a standard compatible modem,
select the Hayes compatible modem. Ensure that you have RS-232 and
ASYNC in the Physical Type and Framing Type fields respectively. Click
Modem/DCE Options and ensure that you have AT set. These should all be
set by default. Press Esc until you are prompted to save.
6. Return to the INETCFG screen and select WAN Call Directory and press
Enter. Then press the Insert key and type a name that you would like and
press Enter. You will be prompted to select the type of communication. We
selected PPP (the only choice we were given). Press Enter.

+------------------------------------------------------------------------------+
| Internetworking Configuration 3.32 NetWare Loadable Module |
+------------------------------------------------------------------------------+
+-------------------------------------------------------------------+
+----| PPP Call Destination Configuration |
| Int|-------------------------------------------------------------------|
+-----| Call Destination Name: IGN |----+
| | Call Type: On Demand (activated by data) | |
|-----| Interface Group: |----|
| Cal| Interface Name: COM_1_1 | |
| |VPT| Telephone Number: 9,5955301 | |
| | | Idle Connection Timeout: 00:10:00 (HH:MM:SS) | |
| | | Outbound Authentication: Either PAP or CHAP | |
| | | Password: (None) | |
| | | Local System ID: | |
| | | Remote System ID: (None) | |
|| | | |
+-----| Call Retry Options: (view or modify) |----+
| ISDN Parameters: |
| Multilink Configuration: (view or modify) |
| Special Options: (view or modify) |
+-------------------------------------------------------------------+

Enter the Local System ID to be reported with this outbound connection.


ENTER=Select ESC=Previous Menu F1=Help

7. Select the type as On Demand and enter the other information as given to
you by the ISP, such as user ID, password and number. Press Esc, save your
changes and return to the INETCFG screen.
8. Select Bindings and press the Insert key. Select Interface and select the
COM_1 that we created in the previous steps.

+------------------------------------------------------------------------------+
| Internetworking Configuration 3.32 NetWare Loadable Module |
+------------------------------------------------------------------------------+
+------------------------------------------------------------------------------+
| Binding TCP/IP to a WAN Interface |
|------------------------------------------------------------------------------|
| Network Interface: COM_1_1 |
| Interface Group: |
| |
| Remote Router will Dynamically Assign the IP Address: No |
| |
| WAN Network Mode: Numbered Single Point-to-Point |
| |
| Local IP Address: (Not Specified) |
| Subnetwork Mask of Connected Network: (Not Specified) |
| WAN Call Destinations: (Select For List) |
| |
| RIP Bind Options: (Select to View or Modify) |
| OSPF Bind Options: (Select to View or Modify) |
| Expert TCP/IP Bind Options: (Select to View or Modify) |
+------------------------------------------------------------------------------+

Internet Service Provider or remote router will Provide the IP Address


ENTER=Select ESC=Previous Menu F1=Help

9. Select whether your IP address will be dynamically allocated or not. This will
depend on your ISP but generally you will be allocated an IP address as you
will have SMTP traffic set. For our example we chose dynamic.
10. You can also click Expert TCP/IP Bind Options and set up NAT as described
in 8.2.3, “Configuring NAT” on page 191. Next select the WAN Call
Destination and press Enter and the Insert key.
11. Press Enter on the WAN call destination that you have created. In our case we
only had one call IGN, so we selected that WAN call.

+------------------------------------------------------------------------------+
| Internetworking Configuration 3.32 NetWare Loadable Module |
+------------------------------------------------------------------------------+
+------------------------------------------------------------------------------+
| Binding TCP/IP to a WAN Interface |
|----+-------------------------------------------------------------------------+
| Net| Configured WAN Call Destinations |
| Int|----+--------------------------------------------------------------------+
| | De| WAN Call Destination To IP Address Mapping Configuration |
| Rem| |IG|--------------------------------------------------------------------|
| | | | WAN Call Destination: IGN |
| WAN| | | Type: Automatic |
| || | |
| Loc+----| Remote IP address: |
| Subnetwo| Verify Remote Address: |
| WAN Call| |
| | Source IP Address Mapping on LAN: |
| RIP Bind| |
| OSPF Bin| Header Compression: Disabled |
| Expert T| |
+---------| Static Routing Table: (Select For List) |
| RIP Bind Options: (Select to View or Modify) |
+--------------------------------------------------------------------+
Name of WAN call destination to use when this IP address is encountered.
ENTER=Select ESC=Previous Menu F1=Help

12. In this window ensure that the Type is Automatic and then press Esc until
prompted to save the database. Keep pressing Esc until prompted to save the
TCP/IP information. Exit INETCFG.
13. You must restart the server, because you have created a new board. The
Reinitialize System choice in INETCFG is not enough. Once you have rebooted
and the board has loaded, you can use the reinitialize system command when
you later change information.
14. If for some reason it does not work, you can load CONLOG.NLM on the server
console in the AUTOEXEC.NCF (this can be done in INETCFG by clicking
Manage Configuration) and then reboot the server. After rebooting, use the
command load edit etc\console.log to show a list of the commands as they
were run during the server initialization. When you reinitialize the system,
this will also be recorded in the CONSOLE.LOG file.

8.1.2.2 Enabling IPX gateway


The first step is to run NWAdmin, making sure that all the snapins have been
installed and NetWare 5 and BorderManager are up and running.
1. Go into NWAdmin and double-click the leaf server object.

Figure 138. Setting up BorderManager IPX/IP gateway

When the server object details appear, click the BorderManager Setup button on
the right and you will see Figure 138. Select the Gateway tab and check the box
next to the IP/IPX Gateway.
2. Next select the Transparent Proxy tab. Figure 139 appears.

Figure 139. Transparency Proxy tab

3. Check Transparent Proxy and click OK.

4. Check Enforce Access Rules or the rules that you are going to set up later
will not work.

8.1.2.3 Client configuration for IPX gateway


The next configuration area is the workstation. Make sure that you are at the
latest patches on the operating system. The configuration that is shown next is on
Windows NT 4.0 with Service Pack 4. Without SP4 we had problems connecting
to the NetWare 5 server.
1. Right click the Network neighborhood icon and select Properties or click
Control Panel and double-click the Network icon.
2. Select the Protocols tab.

Figure 140. Control Panel of NT 4.0 Workstation with Novell IP gateway installed

3. During the installation of the NetWare client, if you selected custom and then
checked IP gateway you should have the protocol Novell IP Gateway installed
as above. If not, go no further and install the client with those options as
discussed in 8.1.1, “Installing the configuration” on page 174. Double-click
Novell IP Gateway or highlight it and click Properties.

Figure 141. Enabling the IP Gateway window

4. Check Enable Gateway and then enter the name of the server that you
installed BorderManager on and then enabled using NWAdmin in the previous
section. Ensure that the syntax is either a relative or a distinguished name. We
suggest that you use the fully distinguished name, because it does not rely on
the context of the user. After the name you must use -gw as shown in Figure
141.
5. Next enter the preferred tree and click OK.
6. You will need to reboot the workstation.
7. To ensure that you are connected, follow the same steps as above and ensure
that the fields under Current Gateway Status are filled in.

8.1.2.4 Access rule allocation


Configuring access rules is the third and final step. You have enabled the gateway
and enabled the filters. Finally, using NDS you must enable the users to use the
proxy server.
1. Select the container level where you wish to set the rules. Click the container
and select Details. Figure 142 now appears.

Figure 142. Container object details for creating access rules

2. On the object properties page, select BorderManager Access Rules (click
Effective Rules to check the rules in effect).

Figure 143. Window showing effective rules

3. The default rule for the container is to deny all users everything. If you wish
to enable someone to browse the Internet using the HTTP proxy, you have to
create a rule to enable it. Select OK and then click the button (next
to the red cross icon).

Figure 144. Adding access rules in NWAdmin

4. Select the type of access that the users will require and the sources and
destination and click OK. The rule is then added to the list of access rules in
this scenario. As this is installed in the default configuration, no more needs
to be done.
5. Wait for a few minutes until the NDS is updated.

8.1.2.5 Changing filter to stateful type filter


We also set the HTTP filter to a stateful filter as follows:
1. Type FILTCFG at the console prompt. Select Configure TCPIP filters ->
Packet Forwarding Filters.
2. Select the exception rules at the bottom of the window.

Filter Configuration 4.00 NetWare Loadable Module
+-------------------------------------------------------------------------+
| The Highlighted Filter Will Forward The Following TCP/IP Packets: |
|-------------------------------------------------------------------------|
| Packet Type: www-http (Protocol - TCP, Dest Port - 80, Src Port ... |
| Source: Interface - IBMTRPO_1 |
| All Circuits |
| Any Address |
| Destination: Interface - <All Interfaces> |
| All Circuits |
| Host Address - 9.24.104.207 |
| Logging: Disabled |
+------------------------------------------------------------------------------+
| Exceptions: Packets Always Permitted |
|------------------------------------------------------------------------------|
| Source Circuit Packet Type Destination Circuit |
| |IBMTRPO_1 - ipx/tcp <All Interfaces> - |
| |IBMTRPO_1 - VPN-AuthGW <All Interfaces> - |
| |IBMTRPO_1 - VPN-KeepAlive <All Interfaces> - |
| |IBMTRPO_1 - VPN-SKIP <All Interfaces> - |
| |IBMTRPO_1 - www-http <All Interfaces> - |
| |<End of List> |
+------------------------------------------------------------------------------+

3. On the screen above is a list of all the rules that will be allowed to pass
through the packet filter. Select the www-http entry and press Enter.

Filter Configuration 4.00 NetWare Loadable Module


+------------------------------------------------------------------------------+
| Define Exception |
|------------------------------------------------------------------------------|
| Source Interface Type: Interface |
| Source Interface: IBMTRPO_1 (Public) |
| Source Circuit: |
| |
| Destination Interface Type: Interface |
| Destination Interface: <All Interfaces> |
| Destination Circuit: |
| |
| Packet Type: www-http Protocol: TCP |
| Src Port(s): <All> Dest Port(s): 80 |
| ACK Bit Filtering: Disabled Stateful Filtering: Disabled |
| |
| Src Addr Type: Any Address |
| Src IP Address: |
| Dest Addr Type: Host |
| Dest IP Address: 9.24.104.207 |
| Logging: Disabled |
| Comment: Added by BCAPI to allow default Web Proxy Cach ... |
+------------------------------------------------------------------------------+
Select from the list of defined Packet Types.
ENTER=Select ESC=Previous Menu F1=Help

4. This window is the configuration of the rule for HTTP traffic that passes
through the firewall. Select Packet Type and press Enter.

Filter Configuration 4.00 NetWare Loadable Module
+------------------------------------------------------------------------------+
| Defined TCP/IP Packet Types |
|------------------------------------------------------------------------------|
| Name Protocol Src Port(s) Dst Port(s) Comment |
| |tcp TCP <All> <All> Transmission Control Pro|
| |telnet TCP <All> 23 |
| |telnet-st TCP <All> 23 Stateful Telnet |
| |tftp UDP <All> 69 Trivial File Transfer Pr|
| |udp UDP <All> <All> User Datagram Protocol |
| |uucp TCP <All> 540 Unix To Unix Copy Protoc|
| |uucp-path TCP <All> 117 UUCP Path Service |
| |VPN-AuthGW TCP <All> 353 VPN Client Authenticatio|
| |VPN-KeepAlive UDP <All> 353 VPN Client Keep Alive an|
| |VPN-SKIP 57 SKIP Protocol for VPN |
| |VPTUNNEL UDP <All> 2010 IPX/IP Encryption |
| |who UDP <All> 513 Login query service |
| |www-http TCP <All> 80 World Wide Web HTTP |
| |www-http-st TCP <All> 80 Stateful HTTP over TCP |
| |www-http/udp UDP <All> 80 World Wide Web HTTP Over|
| |www-https-st TCP <All> 443 Stateful HTTPS over TCP |
| |xdmcp TCP <All> 177 X Display Manager Contro|
+------------------------------------------------------------------------------+
Select from the list of defined packet types.
ENTER=Select INS=Insert F3=Modify DEL=Delete ESC=Previous Menu F1=Help

5. Select www-http-st which is the preconfigured packet type for http traffic with
stateful filtering. Press Enter and then press Esc until you are prompted to
save the filter list. Select Yes and you now have a stateful filter for HTTP
traffic.
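
To illustrate what switching the exception from www-http to www-http-st changes, the following is an added example (not from the original guide and not BorderManager's implementation): a simplified default-deny forwarding filter in Python. The interface names PRIVATE and PUBLIC, the www-http-reply rule, the 60-second idle timeout, and all addresses are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str       # "TCP" or "UDP"
    in_iface: str    # interface the packet arrived on
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class ExceptionRule:
    name: str
    proto: str
    src_iface: str
    src_port: Optional[int] = None   # None models <All>
    dst_port: Optional[int] = None   # None models <All>
    stateful: bool = False

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto
                and pkt.in_iface == self.src_iface
                and self.src_port in (None, pkt.src_port)
                and self.dst_port in (None, pkt.dst_port))


class ForwardingFilter:
    """Default-deny forwarding filter: only listed exceptions pass."""

    def __init__(self, exceptions, idle_timeout=60.0):
        self.exceptions = list(exceptions)
        self.idle_timeout = idle_timeout   # seconds; assumed value
        self.flows = {}                    # flow tuple -> time last seen

    def forward(self, pkt: Packet, now: float) -> bool:
        # Forget flows that have been idle longer than the timeout.
        self.flows = {k: t for k, t in self.flows.items()
                      if now - t <= self.idle_timeout}
        # A packet that mirrors a tracked flow is a reply to it.
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.flows:
            self.flows[reverse] = now
            return True
        for rule in self.exceptions:
            if rule.matches(pkt):
                if rule.stateful:
                    # Remember the flow so that only its replies may return.
                    forward_key = (pkt.proto, pkt.src_ip, pkt.src_port,
                                   pkt.dst_ip, pkt.dst_port)
                    self.flows[forward_key] = now
                return True
        return False   # no exception matched: drop


# Static filtering needs a second, hypothetical exception for return traffic.
STATIC_RULES = [
    ExceptionRule("www-http", "TCP", src_iface="PRIVATE", dst_port=80),
    ExceptionRule("www-http-reply", "TCP", src_iface="PUBLIC", src_port=80),
]
# Stateful filtering needs only the outbound exception.
STATEFUL_RULES = [
    ExceptionRule("www-http-st", "TCP", src_iface="PRIVATE", dst_port=80,
                  stateful=True),
]

# Constructed sample traffic (documentation and private address ranges).
REQUEST = Packet("TCP", "PRIVATE", "192.168.0.10", 40000, "203.0.113.80", 80)
REPLY = Packet("TCP", "PUBLIC", "203.0.113.80", 80, "192.168.0.10", 40000)
UNSOLICITED = Packet("TCP", "PUBLIC", "198.51.100.7", 80, "192.168.0.10", 6000)


def run(rules, timed_packets):
    """Return the forward/drop decision for each (packet, time) pair."""
    flt = ForwardingFilter(rules)
    return [flt.forward(pkt, now) for pkt, now in timed_packets]


def demo():
    traffic = [(REQUEST, 0.0), (REPLY, 0.1), (UNSOLICITED, 0.2), (REPLY, 120.0)]
    return {"static": run(STATIC_RULES, traffic),
            "stateful": run(STATEFUL_RULES, traffic)}


if __name__ == "__main__":
    for name, decisions in demo().items():
        print(name, decisions)
```

With the static pair, the unsolicited packet is forwarded because only its source port is checked; the stateful rule drops it and also drops the late reply once the flow has been idle past the timeout.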

We experimented with the filters, access, and transparent proxy and found that
the transparent proxy made no difference to our IPX client, but all the rest allowed
or disallowed access as we configured them. We also downloaded some port
scanners and other tools that allow us to look at firewalls and if they are secure or
not. The BorderManager firewall seemed to stop all traffic that was expected and
allowed what we had allowed.

When we tried running Netscape Navigator or Microsoft Internet Explorer the first
time, they came back with errors immediately. When we tried again, the IP
gateway passed the information on extremely quickly.

8.2 Medium configuration


The configuration for this site is based on three sites:
• Two main office sites with NetWare 5 servers, Windows NT servers running a
mail application, and Windows NT 4.0 and Windows 95 clients.
• Another “site” is the managing director’s home, where he works occasionally.
We need to ensure that the time difference between the two sites does not
impede his productivity.

The problem facing this client is that there is only one administrator, based in
the head office, who must ensure rapid deployment of applications and support,
decrease TCO, and increase end-user productivity.

The administrator has decided to implement the following strategies:
• Connect all sites via VPN. Performance is not an issue, as no time-critical
applications are running across the WAN.
• Implement NDS for Windows NT to facilitate administering users in both
operating systems.
• Use IP as the only protocol, implementing the DHCP and DNS services.
• The company also requires Internet access for all its users, with restricted
access for all users depending on time, URL, and what group they belong to.
• The sites are connected to the Internet via 512 Kbps permanent ISDN lines
with routers. The managing director uses a modem to connect to the ISP.
• The ISP offers the VPN service across its infrastructure. All information
required has been passed on to the ISP and everything is set up by the ISP.
• BorderManager will be used as the firewall application and for connecting the
VPN sites together. The BorderManager server will be configured with NAT,
VPN, all levels of firewall, and Cyber Patrol.
• ZENworks will be implemented to control the administration of desktops with
policies, and application distribution.
• As all the hardware is IBM hardware, the Netfinity Manager is included with it.
The administrator has decided that, rather than purchasing the full ZENworks
product, he is going to use the remote control and alert functions of Netfinity
Manager.
• The sites house approximately 100 users with no remote access required.
• The mail application will send all its mail through the main site at the head
office. Therefore, only one MX record is needed and all the internal mail will
travel across the VPN.

8.2.1 Installing the configuration


Proceed as follows:
1. Install NetWare 5 and the patches according to Chapter 3, “Installing
NetWare” on page 41, ensuring that you install all products that are required.
The worksheet in A.2, “Installing NetWare 5 worksheet” on page 236 will
ensure that you have all the information that you require. Anything that is
missing can be filled out during the install and then kept with the server
documentation.
2. The next piece was to install the client that was supplied with the NetWare 5
box kit. The appropriate client needs to be installed from the Novell Client
Software CD. Choose custom and Novell IP gateway. This ensures that, once
the server has all the components installed, the client will have access to the
IP network.
3. Configure the users, printers and login scripts as required.
4. BorderManager was then installed using the steps in 3.7, “Installing
BorderManager” on page 60.
5. The selection of public and private interfaces in the BorderManager setup was
based on the actual configuration. The only interface selected was the WAN
call over the modem to the ISP and this was marked as public. The choice to
secure all public interfaces was also selected.

6. The NT server was installed with the mail application and set up according to
the specifications of the product. This document will not cover either the
Windows NT installation or the installation and configuration of the mail
product. We will enable SMTP traffic to pass to the outside world.
7. Netfinity Manager was configured for alerts, and the capacity manager was
used to enable reports for our benchmarking information. Refer to 4.2,
“Installing Netfinity Manager” on page 73.
8. ZENworks starter pack was installed according to the instructions in 3.6,
“Installing ZENworks” on page 58.

[Diagram: Netfinity 7000 M10 (NetWare 5); Netfinity 5000 (NetWare 5,
BorderManager: Proxy, Firewall, NAT, Access control, VPN); Netfinity 5500 M10
(Windows NT 4.0, Notes 4.61); ISP/Internet]

Figure 145. Medium site scenario

8.2.2 Configuring packet filters for DNS and PING


Once the environment was installed, we made sure that the IP configuration
worked with the BorderManager server. The workstations were able to ping using
DNS names through the firewall. This could be turned off at a later date. To allow
PING commands to pass through the firewall, do the following:
1. Start FILTCFG and navigate to the TCP/IP packet forward filters exception list.
2. Define two filters in the exception list as shown in Figure 146 and Figure 147.
These allow DNS and ICMP PING requests to pass through the firewall.



Filter Configuration 4.00 NetWare Loadable Module
+------------------------------------------------------------------------------+
| Define Exception |
|------------------------------------------------------------------------------|
| Source Interface Type: Interface |
| Source Interface: <All Interfaces> |
| Source Circuit: |
| |
| Destination Interface Type: Interface |
| Destination Interface: IBMTRPO_1 (Public) |
| Destination Circuit: |
| |
| Packet Type: dns/udp-st Protocol: UDP |
| Src Port(s): <All> Dest Port(s): 53 |
| ACK Bit Filtering: Stateful Filtering: Enabled |
| |
| Src Addr Type: Any Address |
| Src IP Address: |
| Dest Addr Type: Any Address |
| Dest IP Address: |
| Logging: Disabled |
| Comment: Enables DNS entry information |
+------------------------------------------------------------------------------+
Select an address type.
ENTER=Select ESC=Previous Menu F1=Help

Figure 146. Packet filters for DNS and PING (1)

Filter Configuration 4.00 NetWare Loadable Module
+------------------------------------------------------------------------------+
| Define Exception |
|------------------------------------------------------------------------------|
| Source Interface Type: Interface |
| Source Interface: <All Interfaces> |
| Source Circuit: |
| |
| Destination Interface Type: Interface |
| Destination Interface: IBMTRPO_1 (Public) |
| Destination Circuit: |
| |
| Packet Type: ping-st Protocol: ICMP |
| Src Port(s): Dest Port(s): |
| ACK Bit Filtering: Stateful Filtering: Enabled |
| |
| Src Addr Type: Any Address |
| Src IP Address: |
| Dest Addr Type: Any Address |
| Dest IP Address: |
| Logging: Disabled |
| Comment: |
+------------------------------------------------------------------------------+
Select an address type.
ENTER=Select ESC=Previous Menu F1=Help

Figure 147. Packet filters for DNS and PING (2)

Note: These two filters have the public interface as the destination, allowing the
DNS information and the ICMP packet through the firewall. Because we used
stateful filters this was all that was needed. No return path was required and the
security is much greater.

8.2.3 Configuring NAT


The next thing that needs to be done is to convert our private IP addresses to
public ones using Network Address Translation (NAT). RFC 1918 is the Request For
Comments (RFC) that deals with private addressing; you can look at it
when designing your address scheme. We will configure the public interface with
static and dynamic NAT as we need to allow the outside world to contact our
SMTP server.
1. As we are setting up our public interface to have two valid IP addresses, one
for normal communication and the other for the SMTP mail communication, we
must add a second IP address to the public interface. This is achieved by
typing on the server console:
add secondary ip address 9.24.104.31
2. To display the secondary IP addresses that have been set, replace add with
display and omit the IP address. To remove one, replace add with delete and
specify the IP address if you have multiple addresses mapped.
3. Load INETCFG and select Bindings > Select The Public Interface > Expert
TCPIP Bind Options > Network Address Translation.
4. Highlight Disabled and press Enter.

+------------------------------------------------------------------------------+
| Internetworking Configuration 3.32 NetWare Loadable Module |
+------------------------------------------------------------------------------+

+-------------------------------+
| Internetworking Configuration |
+------------------------------------------------------------------------------+
| Protocol To Interface/Group Bindings |
|-----+-----+-----------------------------------------------------------------++
| Pro| | Expert TCP/IP LAN Options ||
| |IPX|-----|--+-------------+--------------------+----------------------------+
| |TCP| Netw| N| | Status: |translation |
| |TCP| | F|-------------|--------------------|----------------------------|
| | | Loca| | Network Inte| |Disabled | IBMTRPO_1 |
| | | Subn| U| Interface Gr| |Dynamic Only | |
+-----| | B| | |Static and Dynamic| |
| Go| RIP | M| Status: | |Static Only | Disabled |
+----| OSPF| | Network Addr+--------------------+ (Select to View or Modify) |
| Expe| F+---------------------------------------------------------------+
+-----| Router Discovery Options: (Select to View or Modify) |+
| |
| Network Address Translation: (Select to View or Modify) |
+-----------------------------------------------------------------+
Network Address Translation Status. Choose from the menu
ENTER=Select ESC=Previous Menu F1=Help

5. You now have the option of setting the mode of the NAT server. We will be
selecting the static mode for the reason already described. If you are selecting
the dynamic only then there is no more configuration to do, so press Esc and
answer yes to the prompt about saving the information.



6. We have selected Static and Dynamic and the static information must be
entered to tell it what private IP address will be used by which public address.
7. Select Network address translation table and press Enter.

+------------------------------------------------------------------------------+
| Internetworking Configuration 3.32 NetWare Loadable Module |
+------------------------------------------------------------------------------+

+-------------------------------+
| Internetworking Configuration |
+------------------------------------------------------------------------------+
| Protocol To Interface/Group Bindings |
|-----+-----+-----------------------------------------------------------------++
| Pro| | Expert TCP/IP LAN Options ||
| |IPX|-----|--+---------------------------------------------------------------+
| |TCP| Netw| N| Network Address Translation |
| |TCP| | F|-----+-------------------------------------------------+-------|
| | | Loca| | Netw| Network Address Translation Table | |
| | | Subn| U| Inte|-----+-----------------------------------+-------| |
+-----| | B| | Pub| Network Address Translation Entry | | |
| |Go| RIP | M| Stat| |<Em|-----------------------------------| | |
+----| OSPF| | Netw| | | Public Address: | |odify) |
Expe| F+-----| | | Private Address: | |-------+
+-----| Router | | +-----------------------------------+ | |+
| +-------------------------------------------------+ |
| Network Address Translation: (Select to View or Modify) |
+-----------------------------------------------------------------+
Network Address Translation Public Address
ENTER=Select ESC=Previous Menu F1=Help

8. This screen will allow you to enter the public IP address that your ISP has
given you for the SMTP mail server. The ISP must also enter this as an MX
record into the DNS database. In the private address field enter the IP
address that you have manually configured on the SMTP mail server.
9. Press Esc until you are prompted to save the information, then select
Yes. Make sure that the BorderManager is filtering the RIP packets so that the
internal addresses are not displayed to the outside world.
10. There are some limitations as to what ICMP packets NAT will handle for this
information. Go to http://www.support.novell.com and search on 2928309.
This is the number of a Technical Information Document (TID).
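
The following added example (not from the Redbook and not BorderManager's own code) is a simplified model of the "Static and Dynamic" mode configured above: inbound traffic to the secondary public address is mapped to the mail server, while other hosts share the primary address through dynamically allocated ports. The primary address 9.24.104.30 and all 192.168.100.x addresses are constructed for illustration; only 9.24.104.31 comes from the text.

```python
import ipaddress

# The three private ranges defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr lies in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


class Nat:
    """Toy static-and-dynamic NAT on one public interface.

    Simplification: dynamic entries are keyed on protocol and port only;
    a real translator also tracks the remote endpoint and ages entries out.
    """

    def __init__(self, primary_public, static_map, first_port=50000):
        # A static entry pairs a public address with a private host.
        for public, private in static_map.items():
            if is_rfc1918(public):
                raise ValueError(f"{public} is private, not routable")
            if not is_rfc1918(private):
                raise ValueError(f"{private} is not an RFC 1918 address")
        self.primary = primary_public
        self.static_in = dict(static_map)
        self.static_out = {priv: pub for pub, priv in static_map.items()}
        self.dynamic_in = {}    # (proto, public_port) -> (private_ip, port)
        self.dynamic_out = {}   # (proto, private_ip, port) -> public_port
        self.next_port = first_port

    def outbound(self, proto, src_ip, src_port):
        """Return the (address, port) the packet carries after translation."""
        if src_ip in self.static_out:
            # Statically mapped host keeps its own public address and port.
            return (self.static_out[src_ip], src_port)
        key = (proto, src_ip, src_port)
        if key not in self.dynamic_out:
            self.dynamic_out[key] = self.next_port
            self.dynamic_in[(proto, self.next_port)] = (src_ip, src_port)
            self.next_port += 1
        return (self.primary, self.dynamic_out[key])

    def inbound(self, proto, dst_ip, dst_port):
        """Return the private (address, port), or None if the packet is dropped."""
        if dst_ip in self.static_in:
            return (self.static_in[dst_ip], dst_port)
        if dst_ip == self.primary:
            # Only replies to flows opened from inside have an entry.
            return self.dynamic_in.get((proto, dst_port))
        return None


if __name__ == "__main__":
    nat = Nat("9.24.104.30", {"9.24.104.31": "192.168.100.10"})
    print("SMTP to secondary address ->", nat.inbound("tcp", "9.24.104.31", 25))
    print("SMTP to primary address   ->", nat.inbound("tcp", "9.24.104.30", 25))
    print("workstation DNS query     ->", nat.outbound("udp", "192.168.100.50", 1025))
    print("reply to that query       ->", nat.inbound("udp", "9.24.104.30", 50000))
```

The model shows why the second public address is needed: unsolicited SMTP to the primary address has no translation entry and is dropped, while the static entry always resolves to the mail server.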

8.2.4 DNS/DHCP setup


The next stage is to set up DHCP and DNS services. To enable this to happen,
install the DNSDHCP manager as discussed in 3.7, “Installing
BorderManager” on page 60. Then run DNSDHCP manager and configure the
DNS services.



Figure 148. DNS server creation

1. Set up a DNS server in the local location so that the clients do not have to go
out across the WAN to get the DNS information. Click the create button
to select the DNS server. Select the server and click OK.
2. To enable the DNS service on the server we entered the LOAD NAMED command
into AUTOEXEC.NCF.
3. Once this is done create a zone for the customer’s DNS setup, and set up a
secondary zone to download the DNS information from the ISP DNS server.



Figure 149. DNS zone configuration

4. Figure 149 shows where you configure primary and secondary IN-ADDR
ARPA zones. The information will be supplied by the ISP or you will have the
information already.
5. Next, configure the DHCP services. To install a DHCP server, select the DHCP
tab and then click the Create button.

Figure 150. DHCP server creation

6. Select the DHCP server and click OK. Then, select the server that you wish to
be the DHCP server.
7. To run the DHCP server, add the DHCPSRVR command to the AUTOEXEC.NCF
file.
8. Next, configure the global options for all the DHCP clients. Click the Global
Preferences button. Figure 151 appears.



Figure 151. Global options for DHCP services

9. Click Modify for a list of global options that can be set.

Figure 152. Global DHCP options

10. Select the global option that you require, such as DNS server or default router,
then add those to the right-hand box. By highlighting the global options and
then clicking Add at the bottom you can enter the IP address of
the actual name server.
11. Next, set a DHCP zone or zones for clients using this DHCP server. By
clicking the server at the bottom of the DHCP tab and selecting the Create
button you can create the zone.



Figure 153. Creating subnet for DHCP server

12. Figure 153 shows all the information required to create a subnet, including
context, default server and the name of the subnet. Once this is completed,
highlight the subnet that has been created and click Create. Select Create
Subnet Range.

Figure 154. Creating subnet address range for DHCP services

13. The window shown in Figure 155 allows you to create an address range for
DHCP requests. Once the range has been created you can then specify which
address you want to exclude by selecting the subnet, clicking the
Create button and highlighting the IP address. There are two default
addresses that are already set aside: 0 and 255.

Figure 155. Excluding an IP address from the range automatically

14. Entering the IP address stops the DHCP server from allocating this to a client,
so servers with an IP address manually configured will not get a conflict. The
method above is the automatic mode. If you change the Assignment Type and
select Manual, you will see the window in Figure 156.



Figure 156. Excluding an IP address from the range

15. The window in Figure 156 allows you to be more specific and allocate an IP
address.
16. Reboot and the workstations are ready to use DHCP.

If you have any problems in either the TCP/IP configuration or the server, you can
use the TCP/IP debug command, which provides a lot of information. However,
with CONLOG loaded (type CONLOG at the server console) you will be able to edit
the file SYS:\ETC\CONSOLE.LOG and see the information. To set TCP/IP debug,
type:
set tcpip debug = 1

The command to load DHCPSRVR with switches is as follows:

dhcpsrvr -dx     (x = 1, 2 or 3 for the level of debug required)
dhcpsrvr -h      (for help)

8.2.5 Configuring for SMTP traffic


Since we are using an ISP to get our mail automatically, we need to allow the
SMTP traffic through. We have configured our remote site to get the mail from us
and therefore need to allow the SMTP traffic to pass from our site to the remote
site only. The main office site where the administrator is located downloads the
mail from an ISP. If our server goes down, mail will be stored at the ISP and then
forwarded when the link or server returns. Only a specific IP host needs access
through our firewall. To configure this, we followed the same process as per 8.2.2,
“Configuring packet filters for DNS and PING” on page 189 and then configured
the filter.



Filter Configuration 4.00 NetWare Loadable Module
+------------------------------------------------------------------------------+
| Define Exception |
|------------------------------------------------------------------------------|
| Source Interface Type: Interface |
| Source Interface: IBMTRPO_1 (Public) |
| Source Circuit: |
| |
| Destination Interface Type: Interface |
| Destination Interface: <All Interfaces> |
| Destination Circuit: |
| |
| Packet Type: smtp-st Protocol: TCP |
| Src Port(s): <All> Dest Port(s): 25 |
| ACK Bit Filtering: Disabled Stateful Filtering: Enabled |
| |
| Src Addr Type: Host |
| Src IP Address: 22.154.33.106 |
| Dest Addr Type: Host |
| Dest IP Address: 9.224.104.207 |
| Logging: Disabled |
| Comment: |
+------------------------------------------------------------------------------+
Select an address type.
ENTER=Select ESC=Previous Menu F1=Help

Configuring the filter was the same as all the others that allowed incoming traffic,
except this time we specified the source IP address, which is the IP address of
the SMTP host the ISP has.
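
The following added example (not from the Redbook and not FILTCFG's own logic) models the three exceptions defined in 8.2.2 and in this section against a default-deny forwarding policy, to show why stateful filtering needs no return rule and what the source-host restriction on SMTP buys. The interface name PRIVATE_1 and the workstation and 192.0.2.x addresses are constructed; the rule values come from the screens above.

```python
from collections import namedtuple

# A forwarded packet: arrival interface, exit interface and addressing.
# For ICMP echo the requester's "port" carries the echo identifier.
Packet = namedtuple("Packet", "in_if out_if proto src sport dst dport")
# One exception-list entry; None in a field means "any".
Rule = namedtuple("Rule", "name src_if dst_if proto dport src_host dst_host")

PUBLIC = "IBMTRPO_1"     # public interface name shown in the figures
PRIVATE = "PRIVATE_1"    # constructed name for the private interface

EXCEPTIONS = [
    Rule("dns/udp-st", None, PUBLIC, "udp", 53, None, None),
    Rule("ping-st", None, PUBLIC, "icmp", None, None, None),
    Rule("smtp-st", PUBLIC, None, "tcp", 25, "22.154.33.106", "9.224.104.207"),
]


def _matches(rule, p):
    return ((rule.src_if is None or rule.src_if == p.in_if)
            and (rule.dst_if is None or rule.dst_if == p.out_if)
            and rule.proto == p.proto
            and (rule.dport is None or rule.dport == p.dport)
            and (rule.src_host is None or rule.src_host == p.src)
            and (rule.dst_host is None or rule.dst_host == p.dst))


class Firewall:
    """Default deny; packets pass only via an exception or recorded state."""

    def __init__(self, rules, stateful=True):
        self.rules = rules
        self.stateful = stateful
        self.flows = set()   # flows opened by a packet that matched a rule

    def forward(self, p):
        """Return why the packet is forwarded, or None if it is dropped."""
        # A reply is the recorded flow with source and destination swapped.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "state"
        for rule in self.rules:
            if _matches(rule, p):
                if self.stateful:
                    self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return rule.name
        return None


def demo():
    ws, dns, stranger = "192.168.100.50", "192.0.2.53", "192.0.2.99"  # constructed
    query = Packet(PRIVATE, PUBLIC, "udp", ws, 1025, dns, 53)
    reply = Packet(PUBLIC, PRIVATE, "udp", dns, 53, ws, 1025)
    ping_in = Packet(PUBLIC, PRIVATE, "icmp", stranger, 9, ws, None)
    smtp_isp = Packet(PUBLIC, PRIVATE, "tcp", "22.154.33.106", 40000,
                      "9.224.104.207", 25)
    smtp_other = smtp_isp._replace(src=stranger)

    fw = Firewall(EXCEPTIONS)
    out = {"reply before query": fw.forward(reply),
           "query": fw.forward(query),
           "reply after query": fw.forward(reply),
           "inbound ping": fw.forward(ping_in),
           "smtp from ISP host": fw.forward(smtp_isp),
           "smtp from other host": fw.forward(smtp_other)}
    # Without state the same rule set drops the DNS answer.
    stateless = Firewall(EXCEPTIONS, stateful=False)
    stateless.forward(query)
    out["stateless reply"] = stateless.forward(reply)
    return out


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:22} -> {verdict or 'DROPPED'}")
```

In the stateless case the reply would need its own inbound exception for UDP source port 53, which any host on the public side could then use.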

8.2.6 Configuring VPN setup


With both servers at each geographical site installed with BorderManager
Enterprise edition, we will enable a VPN between the two servers. We will only
focus on the servers and not the ISP in the middle.

When BorderManager was installed, one of the cards was made a public
interface. This card was the interface to the outside world and was therefore
secured by the BorderManager installation. As part of the setup, exceptions were
defined for VPN use as shown in Figure 157.



Filter Configuration 4.00 NetWare Loadable Module
+-------------------------------------------------------------------------+
| The Highlighted Filter Will Forward The Following TCP/IP Packets: |
|-------------------------------------------------------------------------|
| Packet Type: VPN-SKIP (Protocol - 57) |
| Source: Interface - IBMTRPO_1 |
| All Circuits |
| Any Address |
| Destination: Interface - <All Interfaces> |
| All Circuits |
| Host Address - 9.24.104.207 |
| Logging: Disabled |
+------------------------------------------------------------------------------+
| Exceptions: Packets Always Permitted |
|------------------------------------------------------------------------------|
| Source Circuit Packet Type Destination Circuit |
| IBMTRPO_1 - ipx/tcp <All Interfaces> - |
| IBMTRPO_1 - VPN-AuthGW <All Interfaces> - |
| IBMTRPO_1 - VPN-KeepAlive <All Interfaces> - |
| IBMTRPO_1 - VPN-SKIP <All Interfaces> - |
| IBMTRPO_1 - www-http-st <All Interfaces> - |
| <End of List> |
+------------------------------------------------------------------------------+
Add, Delete or Modify Exceptions to Filters
ENTER=Modify INS=Insert DEL=Delete TAB=Switch View ESC=Previous Menu F1=Help

Figure 157. Exceptions for VPN use

Figure 157 shows there are three exceptions that have been set up to allow the
VPN to function over the public interface. If you have trouble communicating over
the VPN you can get information on the filter’s exceptions. In the BorderManager
documentation under Prerequisites, see the table showing these for site-to-site
and site-to-client communication.

The first area that we will configure is the master VPN. This is all done at the
server console.
1. At the server console type NIASCFG. The first time NIASCFG is run you will be
prompted that all information will be moved into the NETINFO.CFG file. You
can then continue and configure what you want and reboot or press Esc and
reboot.
2. Select Configure NIAS -> Virtual private network -> Master server
configurations. You will be prompted that only one master VPN is allowed per
VPN. Select Continue and press Enter.
3. Select Configure IP address and press Enter.



+------------------------------------------------------------------------------+
| VPN Server Configurator Ver 4.50 NetWare Loadable Module |
+------------------------------------------------------------------------------+

+--------------------------------------+
| VPN Server Configuration |
|-----+-----------------------------------------+
| |Mas| Master Server Configuration |
| |Sla|------+---------------------------------------------+
| |Upd| |Conf| Configure IP Addresses |
| |Dis| |Gene|---------------------------------------------|
| |Rem| |Copy| Public IP Address: Not Configured |
+-----| |Auth| Public IP Mask: Not Configured |
+------| |
| VPN Tunnel IP Address: Not Configured |
| VPN Tunnel IP Mask: Not Configured |
+---------------------------------------------+

Public IP address of this server.


ENTER=Select ESC=Previous Menu F1=Help

4. The screen allows you to enter the Public address of the VPN. This can be the
address of the Internet or a private address that you wish to secure inside your
own network. The information required is the IP address of the interface that
you wish to secure and the IP address that the VPN tunnel will use. This can
be any IP address that you wish to use. The main constraint is that all VPN
slaves must also be on the same subnet.
5. Fill in the information that you want in the required fields and press Esc and you
will be prompted to save the information.
6. Next, select Generate encryption information and press Enter.
7. You will be prompted to enter a random seed. This is a random set of
alphanumeric characters that the VPN will use to create the encryption
information. This information does not need to be recorded in any way and you
can enter up to 255 characters. Press Enter when complete.
8. The information will then be entered in the NDS and when this is complete
press Enter.
9. Next select Copy encryption information. A file will be sent to the slave
server to be used for its encryption information, so here you need to type the
path where you want MINFO.VPN saved. The default is a:\ but you can save it
to any volume or location. Press Enter.
10. The file will be copied and upon creation you will be prompted and can press
Enter.
11. From here press Esc until you are out of NIASCFG.

Next we will configure the slave VPN server. There can be multiple slave servers
but as stated previously they must all communicate via their IP addresses and
must therefore be on the same subnet. You will need the MINFO.VPN file
generated on the master VPN server during the creation of the encryption server.
1. At the server console type NIASCFG. The first time NIASCFG is run you will be
prompted that all information will be moved into the NETINFO.CFG file. You can
then continue and configure what you want and reboot or press Esc and
reboot.
2. Select Configure NIAS > Virtual private network > Slave server
configurations. Press Enter.
3. Select Configure IP address and press Enter.
4. The screen allows you to enter the Public address of the VPN. This can be the
address of the Internet or a private address that you wish to secure inside your
own network. The information required is the IP address of the interface that
you wish to secure and the IP address that the VPN tunnel will use. This can
be any IP address that you wish.
5. Fill in the information that you want in the required fields and press Esc and you
will be prompted to save the information.
6. Next select Generate encryption information and press Enter.
7. You will be prompted to point to the MINFO.VPN. Type the path and press
Enter.

+------------------------------------------------------------------------------+
| VPN Server Configurator Ver 4.50 NetWare Loadable Module |
+------------------------------------------------------------------------------+

+--------------------------------------+
| VPN Server Configuration |
|-----+----------------------------------------+
| |Mas| Slave Server Configuration |
| |Sla|------+--------------------------------------------------+
| |Upd| |Conf| Message Digest for Authentication |
| |Dis| |Gene+--------------------------------------------------|
|Rem| |Copy| 82 A2 01 FA 09 E5 0E 6C AF 99 EB AF 8B 76 82 A2 |
+-----| |Auth+--------------------------------------------------+
+-+------------------------------------------------------------+
| Does the message digest authenticate to the master server? |
|------------------------------------------------------------|
| |No |
| |Yes |
+------------------------------------------------------------+

ENTER=Select ESC=Exit Menu F1=Help

8. On this screen you can either just answer yes or, for added security, ensure that
this information matches the digest information from the master VPN server.
9. From NIASCFG, select Virtual private network -> Master server
configurations -> Authentication encryption information. Compare the
values shown here with those on the master VPN server. If they are not the
same, someone has tampered with the file.



10. Select Yes and you will be prompted to enter a random seed. This is a random
set of alphanumeric characters that the VPN will use to create the encryption
information. This information does not need to be recorded in any way and you
can enter up to 255 characters. Press Enter when complete.
11. The information will then be entered in the NDS and when this is complete
press Enter.
12. Next select Copy encryption information. A file will be sent to the VPN
administrator for the creation of the VPN in NDS and for safe keeping. Type
the path where you want SINFO.VPN saved. The default is a:\ but you can
save it to any volume or location that you wish. Since there may be more than
one slave server, these files should be customized and then kept in the same
directory. Press Enter.
13. The file will be copied and upon creation you will be prompted and can press
Enter.
14. From here press Esc until you are out of NIASCFG.

Next, using NWAdmin, we will configure NDS to allow access to the VPN.
1. Open NWAdmin ensuring that you have updated the snapins since installing
the patches.
2. Click BorderManager Setup and then select the VPN tab.

Figure 158. VPN tab in NWAdmin

3. Double-click Master Site To Site.



Figure 159. VPN master information window

4. This window lists only the master server at present. Click the add button
and you will be prompted for the path of the SINFO.VPN file that was created
during the installation of the slave server. Press Enter once you have entered
the path to the SINFO.VPN file.

Figure 160. Slave digest information

5. This is the digest information for the slave. Compare it to the server console or
use RCONSOLE and select Virtual private network > Slave server
configurations > Authentication encryption information. Compare the
numbers: if they are not the same, someone has tampered with the file. Select
Yes to continue.
6. You will then be prompted to enter information about protected networks or
workstations. Because we are only protecting one network and that is done
automatically, select No.
7. Click the Status button in Figure 159. Now there should be two servers listed.



Figure 161. Status of VPNs

8. Click the Synchronize All button and ensure that each entry is up to date. We
will return to this screen later to check the status of the VPN. Click OK.
9. Click Control Options (Figure 159) to modify the control of the VPN
connections.

Figure 162. Control options for the VPN communications

10. Both protocols are enabled. We will disable IPX as we only require IP in our
scenario. If you disable both of the protocols you will be prompted that VPN
communication will cease to work. This is a good way to stop any
communication over the VPN without unloading or removing the VPN.
11. The next section is for the information on how the calls will be initiated. If you
know that the calls are always going to come from one end then you can select
One Side communication. However, in our case the communication will be
initiated from both ends, so we will enable Both sides.
12. The other section is the design of the topology. We decided to leave the
default as we have only two sides. The topologies are as follows:
– Full Mesh (default) — All servers are interconnected to form a web or
mesh, with only one hop to any VPN member. There is communication
between every member in the VPN. This topology is the most fault-tolerant.
However, it requires more WAN traffic to pass. If a VPN member goes
down, only the connection to that VPN’s network is lost. Once the
encryption keys have been established, the master server is no longer
required.
– Star — The master server is the hub of this topology and all
communications are from the central master server out to the slaves. This
topology has the least amount of traffic. However, it has a single point of
failure in the master server.
– Ring In — Each member communicates with its immediate neighbors. The
ring runs from the master server to the slave servers and back to the
master server. This topology has less traffic than the mesh network and is
more reliable than the star network.
13.Return to the VPN master screen and double-click on the server. You will see
Figure 163.

Figure 163. VPN server protected areas and encryption methods.

14. We left all of these at the defaults but it is possible to allocate other networks
or clients to be protected. Also the different types of encryption can be
configured here. One important area is the methodology for allowing static or
dynamic IP RIP. We chose static as we only had two networks and for the
added security. For more information refer to “Designing and Planning a VPN”
and “Options for Determining Which Private Networks are Protected by the
VPN” in the BorderManager user manual.
15. When you click OK and exit the VPN configuration, the server loads
certain NLMs depending on what server you are working on. Figure 164
shows some of the console information that is shown at this time.



6-30-1999 5:51:24 pm: CSL-2.6-20
Call connection established for protocol IP to destination 68-100-1
VPTUNNEL@192-168-100-1.

6-30-1999 5:51:24 pm: IPXRTR-6.60-119
Call to destination SYD01 is established.

6-30-1999 5:51:48 pm: BRDSRV-2.4-11
Timestamp synchronization of BRDSRV.NLM is completed.

6-30-1999 5:51:58 pm: BRDSRV-2.4-11
Timestamp synchronization of IPXIPGW.NLM is completed.

6-30-1999 5:51:58 pm: BRDSRV-2.4-11
Timestamp synchronization of PROXY.NLM is completed.

6-30-1999 5:52:07 pm: BRDSRV-2.4-11
Timestamp synchronization of VPMASTER.NLM is completed.

NW5_BM3:

Figure 164. VPN console messages
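
The following added example (not from the Redbook or the BorderManager documentation) works through the trade-offs of the three topologies listed in step 12 by building the tunnel set for each and counting which member pairs can still communicate after failures. It generalizes the two-server scenario to five members, assumes surviving members relay traffic for each other, and uses constructed site names apart from NW5_BM3 and SYD01.

```python
from itertools import combinations


def tunnels(topology, members):
    """Return the set of tunnels (unordered member pairs); members[0] is the master."""
    if len(members) < 2:
        raise ValueError("a VPN needs at least two members")
    master, slaves = members[0], members[1:]
    if topology == "mesh":
        return {frozenset(pair) for pair in combinations(members, 2)}
    if topology == "star":
        return {frozenset((master, s)) for s in slaves}
    if topology == "ring":
        n = len(members)
        return {frozenset((members[i], members[(i + 1) % n])) for i in range(n)}
    raise ValueError(f"unknown topology: {topology}")


def _reachable(adj, start, goal):
    seen, todo = {start}, [start]
    while todo:
        node = todo.pop()
        if node == goal:
            return True
        for nxt in adj[node] - seen:
            seen.add(nxt)
            todo.append(nxt)
    return False


def connected_pairs(topology, members, failed=()):
    """Count pairs of surviving members that can still reach each other."""
    down = set(failed)
    alive = [m for m in members if m not in down]
    adj = {m: set() for m in alive}
    for tunnel in tunnels(topology, members):
        if tunnel & down:
            continue            # a tunnel dies with either endpoint
        a, b = tuple(tunnel)
        adj[a].add(b)
        adj[b].add(a)
    return sum(1 for a, b in combinations(alive, 2) if _reachable(adj, a, b))


def worst_single_failure(topology, members):
    """Return (member, surviving pairs) for the most damaging single failure."""
    return min(((m, connected_pairs(topology, members, [m])) for m in members),
               key=lambda item: item[1])


# Master first; SITE3..SITE5 are constructed names.
MEMBERS = ["NW5_BM3", "SYD01", "SITE3", "SITE4", "SITE5"]

if __name__ == "__main__":
    for topo in ("mesh", "star", "ring"):
        member, pairs = worst_single_failure(topo, MEMBERS)
        print(f"{topo:5} tunnels={len(tunnels(topo, MEMBERS)):2} "
              f"worst single failure={member} leaves {pairs} of 6 pairs, "
              f"two failures leave "
              f"{connected_pairs(topo, MEMBERS, ['SYD01', 'SITE4'])} of 3")
```

With five members the mesh needs 10 tunnels against 4 for the star and 5 for the ring; losing the master isolates every slave in the star, while the ring survives any single failure but not two non-adjacent ones.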

We now have a working VPN. Or do we? The first and most basic test is to see if
we can ping the other server’s VPN IP address. Make sure that your filters are set
correctly. If this works, you can then check the status information on the VPN.
1. Return to the VPN master screen and select Status. Select a server and click
Activity.

Figure 165. VPN activity window



2. If you click Clients, it will show you the information on the clients that are
connected to the VPN. If you select Security you will see activity information
on the security. If you see a green or light blue indicator it means
that you are connected.
3. Return to the VPN master screen and select Status. Select a server and click
Audit log. Set it up to start at the time that you want and to gather information
that you do or don’t want.
4. There is a way to bring both of these up without having to go to the server in
NWAdmin. In NWAdmin select Tools > Novell BorderManager.

Figure 166. BorderManager services information

5. Double-click the Virtual Private Network service. See Figure 167.

Figure 167. VPN BorderManager service

6. Right-click the Virtual Private Network service in the BorderManager
services window, and select Activity log to see the activity and log
information.

8.2.7 Configuring the VPN client


Now that the server VPN is up and running and communicating, the next portion
is to set up the VPN to support the client to dial in and connect through the ISP
and the VPN. We will not discuss how the machine will connect to the ISP, but
how to configure the VPN software on the client and the server portion.
1. Open NWAdmin ensuring that you have updated the snapins since installing
the patches and that you are selecting the server that is the master VPN
server.
2. Select the BorderManager Setup button and then select the VPN tab.
3. In the enable services window, double-click client to site. Figure 168 is
displayed.



Figure 168. VPN client setup on master server

4. You can get digest information or specify whether to encrypt all or some of the
networks that the client is connecting to. Click OK if any selections have been
made, or Cancel to accept the defaults.
5. The access rules must be set in the same manner as in 8.1, “Small
configuration” on page 173. Select the container that you want to allow access
rules. Right-click and select Details.
6. Select the BorderManager Access Rules button. In the rules area add a rule
to allow a VPN client and specify who or what groups and containers to be
enabled to use the VPN as a client.
7. The client must have Dial Up Networking (DUN) installed with an ISDN
accelerator patch. You can download this from:
http://www.microsoft.com/Windows/getisdn/
You will need the IP address of the VPN server and the location of the
Windows 95 CAB files and the NetWare client files. We found the required files
on the Client CD in the \PRODUCTS\WIN95\IBM_ENU directory.
8. When you install the patch, it will begin copying files. If you are installing an
ISDN card, you need to follow the manufacturer’s instructions.
9. To install the VPN client we used the files from the directory
SYS:\PUBLIC\FRDMGR\VPN on the VPN Client CD. In this directory there is a
setup that you run.
10. After the welcome screen you will see what information you need and what
needs to be configured (Figure 169).



Figure 169. VPN client installation information

11. The next screen lists the required items you will need for the installation and
where to get them.
12. The files will begin to be copied and if there are any conflicts with newer files
on the machine you will be prompted.
13. You will then be required to point the installation to the location of the NetWare
client files. We pointed to the \products\win95\ibm_enu directory.
14. When the installation is complete you get a message stating what the other
components are and what you need to configure. All three components are
configured by the installation process placing you in the required applications.
Select Next.

Figure 170. VPN client final message during installation

15.When you click Next you are placed into the DUN to make a new connection.

16.Double-click Make New Connection and enter the name of the dial-up entry
and select the modem. Select Next and enter the area code, phone number,
and country code.
17.Select Next > Finish to complete the dial-up entry.
18.The VPN client configuration (Figure 171) is displayed.

Figure 171. VPN client connection type.

19.If you are dialing through the ISP, then you need to enter the ISP’s DNS server
IP address. Select Next.
20.On the next screen choose the options that you want and select Finish. Your
machine will reboot.
21.After rebooting and double-clicking on the icon that is created during the
installation of the VPN client, you will see the client login tab.

Figure 172. VPN client login tab

22.This login is very similar to the NetWare login with the user name and the
context of that user. These are the user’s normal network credentials.

Figure 173. VPN client options tab

23.Click the NetWare Options tab (Figure 174) to configure certain options for
Novell Client. We unchecked Enable IPX as we are running only IP. We left all
other options as the defaults.

Figure 174. VPN client Dial Up tab

24.Click the Dial Up tab. You can use your NetWare username and password here
if you have a RADIUS server in your network and the ISP has a RADIUS proxy
server. The proxy server then contacts the RADIUS server at the company site
and checks the credentials of the user.
25.Otherwise, use the user name and password that the ISP has given you. The
username and password will be saved upon successful login.
26.The other two tabs are the Launcher tab, which is used to launch an
application on successful login, and the VPN Status tab, which gives you
information on the status of your connections.

8.2.8 Cyber Patrol


You may take advantage of the 45 days of free use of Cyber Patrol to evaluate
this tool. You may then register the full copy and receive regular updates of the
CyberNot and CyberYes list of sites. Make sure you take note of the serial
number at the end of the installation. Cyber Patrol gives you the ability to ensure
that users cannot browse certain Web sites. Some companies have very strict
rules on the use of the Internet, and if a user visits the wrong site it can be cause
for dismissal. It is much better to ensure that they cannot go to these sites in the
first place.
1. Log in and have a drive mapping to SYS:
2. Go to the SYS:\ETC\CPFILTER directory and run CP_SETUP.EXE to begin
the installation. Click Proceed through the first two windows.

Note
Ensure that in the next step you enter only the drive letter with no colon
after the letter (for example D rather than D:). The installation will fail if you
use a colon.

3. You must enter the drive letter that is mapped to the SYS: volume that you
want to install Cyber Patrol to. Click Proceed.
4. The installation then begins copying files. Click Save settings and the
installation is complete.
5. The Cyber Patrol software relies on the NLM called CPFILTER, which must be
loaded at the bootup of the server to have the added facilities of Cyber Patrol.
6. Go into INETCFG, select Manage configuration, then edit Autoexec.ncf.
Enter the following command at the end of the file, as it relies on other
NLMs being loaded:
LOAD SYS:\ETC\CPFILTER\CPFILTER.NLM
7. The next thing is to set up the rules to allow or disallow the type of sites that
we do not want. Go to NWAdmin and select the container and server where
the access rules reside. Double-click to bring up the details screen.
8. We then selected the BorderManager Access rules button and clicked Add.
This is the same as we did in 8.1.2.4, “Access rule allocation” on page 183. At
the top of the window we clicked on the Deny rule as we are using the
CyberNot list.
9. We then left the sources as any and selected Specify for the destination and
clicked Browse. If you have the cpfilter.nlm loaded you will see a drop down
CyberNot list, as shown in Figure 175.

Figure 175. CyberNot list window

10.Select the areas that you want to block for users, based on your company’s
security policies. When you click OK and OK again to get out of the
BorderManager Access rules window, the ACLs are updated and time
stamped. This can be seen on the server console.

8.2.9 ZENworks
After the installation of ZENworks the first thing that had to be done was to
register the workstations. To enable this, you must first ensure that the client has
a connection to the Novell network via an NDS authentication. There are several
applications that are installed by default in the context of the server on which you
installed ZENworks. These are the administration applications and the
applications required to register workstations.
1. To enable the NDS to import the workstation objects you must create a policy
package. Open NWAdmin and select the container context where you want
the policy to be and select File -> Create. Choose the policy package object
and click OK.

Figure 176. ZENworks policy package types

2. A user policy package for each type of workstation operating system must be
created, since each policy has specific components and choices depending on
the operating system that will be accessing it. Select WinNT User Package
and click Next.

Figure 177. ZENworks policy package naming window

3. If you are creating more than one policy package, enter a name that you wish
or accept the default. The context of the package that will be created will be
filled in if you selected the correct context when creating this package. Click
Next.

Figure 178. ZENworks enabling workstation import policy

4. Figure 178 lets you enable certain policies. Put a checkbox in Workstation
Import Policy then click Details. Figure 179 appears.

Figure 179. ZENworks context for imported workstations tab.

5. Here you specify where the workstation object will be created. We have
accepted the default, User Container. If you have created a context for the
NDS users, choose that or the context of the policy. Select the Workstation
Naming tab.

Figure 180. ZENworks workstation import naming tab

6. Figure 180 allows you to add information to, or remove information from, the
name of the workstation, since often the name of the actual workstation is
not required but the IP address is. We added the name of the
user and in the drop-down box we selected the IP address rather than the IPX
address. Select the Workstation Groups tab.

Figure 181. ZENworks import policy workstation group tab

7. You can associate workstations with a group just as you would a group of
users. We prefer to use containers as our grouping of the workstations. If there
are enough workstations, we suggest you create an organizational unit for
them alone. Select OK, then Next. You’ll be prompted for the context. Click
Next.
8. You will be given a summary of the information. Click Finish.
9. Once this is done the workstation must be enabled to run an application called
WSREG32.EXE. Enable ZENworks by adding to the container login script the
following command:
#\\servername\sys\public\nalexpld.exe
Right-click in NWAdmin on the container where we wanted the user
workstations to be registered and select Details.

Figure 182. ZENworks application distribution

Select Add and browse the default applications that were installed and select
the WReg application that runs WSREG32.EXE. Select Force Run so
that the application runs when you log in and run the new login script.
Place it on the desktop so that the users are able to run it if necessary. Select
OK when you have made the changes that are required.
10.From NWAdmin select Tools > Import Workstation.

Figure 183. ZENworks import workstation window

11.The window allows the importation of workstations. Check Include
subcontainers, which is not the default. The Limit Policy Package allows you
to import only workstations that are associated to a specific policy package.
The Limit Addresses tab allows you to import based on IP address ranges with
the use of wildcard characters such as 192.168.0.*.
12.When the import is complete you will get a window showing how many
workstations have been imported and how many were read.
13.The import process can prove difficult. The problems we experienced may
have been due to the amount of installation and reinstallation we were doing
during this and other scenarios.
14.To troubleshoot problems, use the log file WSREG.LOG created in the root of
the C: drive of the workstation registering. You can unregister the workstation
by using a utility called UNREG32.EXE in the SYS:\PUBLIC directory. This
resets everything, including the registry.
15.To set other policies in ZENworks, double-click on the policy created and
enable all available options. Select Details to configure them. The first was
Dynamic local user.

Figure 184. Dynamic local user window

16.As discussed in 2.5, “NDS for NT” on page 33, you may have to have domains
or an unmanageable number of accounts created. Using ZENworks you can
dynamically create these users, then delete them or leave them, or use
existing accounts that have already been created. It also allows you to control
into which groups users are put on that workstation.
17.The next policy to enable is the Windows NT desktop preferences. See Figure
185.

Figure 185. Desktop policy window

This window allows you to control the location of the users’ profiles. In the
window above, we have specified a policy that we created. Refer to the
ZENworks documentation to find out how to create a mandatory policy with a
.MAN extension. This means that all users will get the same look and feel, and
if they change anything it will be back to the original when they log
in next time.
18.Click the Control Panel button to control the features of the desktop, such as
keyboard, DOS prompts, and wallpaper.

Figure 186. Printer policy window

19.Enable your printer policy using the window in Figure 186. After creating
printers, queues, and print servers according to the Novell documentation, you
may want to dynamically pass out the drivers for this printer. Click Add after
selecting the type of printer and a location for the files. Users associated with
the file will access that printer.
20.Enable the NT system policies as per Figure 187.

Figure 187. System policies

21.The boxes that are checked perform the tasks described next to them. We
disabled the run command from the start menu and restricted the display of
the control panel. There are numerous other items that can be changed and
you will have to make decisions according to your environment.

8.2.10 Remote access


The remote access software for NetWare 5 is based on the old NetWare Connect.
1. At the server console type NIASCFG and select Remote Access. Press Enter.

Connect 4.00k NetWare Loadable Module
+---------------------------------------------------------------------------+
| Connect Object Installation Requirement |
|---------------------------------------------------------------------------|
| The NWCSU.NLM requires the directory schema for the user, organizational |
| unit, organization, locality and country classed to be extended, and the |
| CONNECT object to be installed in the Directory tree. To extend the |
| schema or (re)install the CONNECT object, you must log in using an object |
| name that has administrative rights. If you do not know an object |
| name/password combination with the required rights, press ESC to exit. |
+---------------------------------------------------------------------------+

+------------------------------------------------------------------------------+
| Directory Services Login/Authentication |
|------------------------------------------------------------------------------|
|Connect Rights Level: [Root] |
|Administrator Name: Admin.IBMAU |
|Password: |
+------------------------------------------------------------------------------+

ESC=Abort F1=Help

2. The message explains the reasons why you must log in using the admin user
or equivalent. Enter the required information and press Enter.
3. You are given the option to see an explanation of the steps that are necessary
to have the remote access working. We selected No.
4. You will see a window explaining the availability of online help. Press Enter to
continue. The first selection screen asks whether you have any
synchronous communications boards such as X.25. We did not select this as
we are using a modem to connect.
5. The next window is similar to the installation of the I/O driver in 8.1.2.1,
“Creating an on-demand dial-out to the ISP” on page 174 and we selected the
serial port (com_x). Press Esc after pressing Enter on the type of I/O board. You
will be prompted to save the configuration; select Yes and press Enter.
6. You are then prompted to enter the board name. We entered COM1RAS. Also
you need to ensure that the correct I/O and interrupt are selected. The default
COM port addresses are:
– COM1: address 03F8, interrupt 4
– COM2: address 02F8, interrupt 3
– COM3: address 03E8, interrupt 4
– COM4: address 02E8, interrupt 3
7. Press Esc when all is entered and select Yes when prompted to save the
information.
8. You will be prompted if you need to load more I/O drivers. We selected No.
9. The next prompt is to ensure that your modem is powered on and connected,
as the software will try to detect the type of modem. If it does not find the
modem, you will have to give it one. If you are unsure, you can select Hayes
compatible if your modem complies with standards.

+------------------------------------------------------------------------------+
| Remote Access Configuration 4.1 NetWare Loadable Module |
| Context: [ROOT] |
+------------------------------------------------------------------------------+
+----------------------------------------------------------------------------+
| NIAS Remote Access is attempting to determine which ports have modems |
| attached |
| |
| Modem checking is complete |
| |
| Total Ports found: 1 |
| X.25: 0 ISDN: 0 TCP: 0 |
| |
| |
| Licensed Ports: 1 |
| Modems found on licensed ports: 1 |
+----------------------+--------------------------------+--------------------+
| Select next action |
|--------------------------------|
| |Continue With Automated Setup |
| |Try Modem Discovery Again |
+--------------------------------+

ENTER=Select F8=Instructions F1=Help

10.Once the modem was found we continued with the automated setup.
11.Next, choose the types of protocol communications that you want the remote
access to support. We selected only PPPRNS; the others that are supported are
AppleTalk and NCS for dialing-out protocol.
12.After selecting PPPRNS you will have the choice of IP and/or IPX. We selected
IP.

+------------------------------------------------------------------------------+
| PPP NCF Utility 4.1 NetWare Loadable Module |
+------------------------------------------------------------------------------+

+------------------------------------------------------------------------------+
| Parameters for Loading Service |
|------------------------------------------------------------------------------|
| Local IP Address: 192.168.10.1 |
| Subnet Mask: 255.255.255.0 |
| |
| Use Header Compression: No |
| |
| Specify Client Address Range: No |
| |
| |
| |
| |
| |
| |
| |
+------------------------------------------------------------------------------+
+------------------------------------------+

ESC=Back F1=Help

13.You need to enter an IP address that is for this interface only and then you
also have to ensure that the IP subnet has addresses for the users that will be
connecting to the LAN.
14.We then pressed Esc and selected Yes when prompted to save the
configuration. We chose the IPX protocol as well and entered another unique
address for this. We pressed Esc and answered Yes to save the changes.
15.You will then see a warning screen.

+------------------------------------------------------------------------------+
| PPP NCF Utility 4.1 NetWare Loadable Module |
+------------------------------------------------------------------------------+

+--------------------------------------------------------------------+
| This screen lets you select the protocols used by the PPP service. |
+------------------------------------------------------------------------+
| The current configuration will be activated. This will cause all |
| active connections to be lost. The screen will be switched to the |
| system console screen to view the results. |
| If you do not want the current configuration activated at this time, |
| press F7. You will then have to issue a Reinitialize System command or |
| restart your server at some later time to activate the configuration. |
| |
| <Press ENTER to continue> |
| <Press CANCEL (F7) to abort> |
+------------------------------------------------------------------------+
|| |
+------------------------------------------+

Enter=Activate configuration F7=Postpone activation F1=Help

16.Since we had no users connected we pressed Enter on this screen. The next
screen is a summary of the configuration.

+------------------------------------------------------------------------------+
| Remote Access Configuration 4.1 NetWare Loadable Module |
| Context: [ROOT] |
+------------------------------------------------------------------------------+

+------------------------------------------------------+
| Congratulations! You have completed the installation |
| and basic configuration to run NIAS Remote Access. |
| |
| The basic configuration has the following features: |
| |
| -- all users can access all ports |
| -- all users can access all services |
| -- all services can access all ports |
| -- all users have unlimited connection time |
| |
| <Press ENTER to continue> |
+------------------------------------------------------+

ENTER=Continue F8=Instructions F1=Help

17.The default configuration lets all users connect through all ports and services,
but we wanted only the administrator to connect using this modem. After
pressing Enter, the main configuration window appears.

+------------------------------------------------------------------------------+
| Remote Access Configuration 4.1 NetWare Loadable Module |
| Context: [ROOT] |
+------------------------------------------------------------------------------+

+-----------------------------------+
| Remote Access Options |
|-----------------------------------|
| |Configure Ports |
| |Configure Port Groups |
| |Configure Synchronous Interfaces |
| |Configure Security |
| |Configure Services |
| |Set Up ... |
| |Generate Configuration Report |
+-----------------------------------+

Change port names, modem types, and data rates


ENTER=Select ESC=Back F1=Help

18.From this screen we chose Configure Security and then selected Restrict
service by user and pressed Enter on the PPPRNS entry.

+------------------------------------------------------------------------------+
| Remote Access Configuration 4.1 NetWare Loadable Module |
| Context: [ROOT] |
+------------------------------------------------------------------------------+

+-----------------------------------+
| Remote Access Options |
+------------------------++------------------------+
| Remote Access Services || Authorized Users |
|------------------------||------------------------|--+
| |PPPRNS || |admin.IBMAU | |
|| || | |--|
|| || | | |
|| || | | |
|| || | | |
|| || | | |
|| || | | |
|| || | | |
|| || | |s |
+------------------------++------------------------+--+
Description: PPP Remote Node Service
Function: Provides Remote Node access for DOS/UNIX/Windows computers

F5/DEL=Remove INS=See Others F4=Copy From F6=Copy To ESC=Back F1=Help

19.On this screen, replace the default <any user> by pressing Insert and
selecting admin from the context. This ensures that only the admin users can
get access to the PPPRNS service.
20.To verify your configuration, select Generate Configuration Report.
21.You can also set up some of the items that are available in the main remote
access screen in NWAdmin. Right-click a container, select Details (see Figure
188), then the Remote Access button.

Figure 188. Remote access configuration for container object

22.If you double-click a user, you get two Remote Access buttons. See Figure
189.

Figure 189. Remote access for user object

23.All the information here is self-explanatory. If more information is needed,
review the NetWare 5 documentation.

8.2.11 Using Catalog services for contextless login
Catalog services can gather information independent of the context of the items
or the users.

Users can log in and get their information from the login prompt without
worrying about context: they need only part of their name and the password.
This information is based on the TID 2940793.
1. Ensure that DSCAT.NLM is loaded on the server.
2. Run NWAdmin.
3. Select the context that you want and create an NDSCAT:Master Catalog object.
Make sure the name is no longer than 8 characters, as Novell has mentioned
that longer names can cause problems.
4. Double-click the object.

Figure 190. Catalog services window

5. From this window, select the server that is running the DSCAT.NLM and place
it in the Host Server field. Select a security equivalent that is able to browse
the tree. You may wish to set up a specific user for this, so that no one can
delete it and that it has only the rights required for this job.
6. Select primary and secondary labels for the catalog. These are used by
applications and administrators.
7. Click the Filter button.

Figure 191. Catalog filter section

8. In Figure 191, you specify the information that you want imported. For more
information on this, click the Attributes / Indexes button and select
Attributes.
9. Since we want only the user objects for our login purposes, we enter "Object
Class" = "User" and ensure that the Search Subtree is set.
10.Select the Schedule button to set the periods that you want the dredger to run
and get updates. This can be done manually or set to run every night or
whenever you want.
11.Click on the Attributes/Indexes button.

Figure 192. Catalog Attributes/Indexes

12.Click the Select Attributes button and then choose Full Name. Then choose
Select Indexes and add the attributes that you have just selected. You can
choose to catalog and index all the attributes.
13.Click OK to save the settings. Do not update now, to allow the catalog object
time to read and browse the NDS tree.
14.Right-click the [ROOT] object and select Trustees of this Object. You will see
Figure 191.

Figure 193. Adding trustees to the [ROOT] object

15.Select the Add Trustee button and add the [Public] and [ROOT] objects and
give them Browse, Read and Compare rights. These are given by default
when you add the object.

16.Go back to the Master catalog that you created before and select the
Schedule button. Select the Update Now button. Swap to the DSCAT screen
on the server to see the information, or click the Log button.
17.To change some of the client login properties, select the Novell Schedule
button on the bottom right hand side of the task bar and then select Client
properties.

Figure 194. Novell client properties

18.Select the Contextless Login tab and check Enable if you wish to enable the
use of wildcards. Next enter the tree and the catalog name. The catalog
name must be a fully distinguished name and start with a period. Make sure you
click on Add when finished entering the information.
19.Reboot the workstation.
20.To ensure that it works, type in the name of the user and press the Tab key. It
will then show you a list of all the names that match the one that you typed and
their contexts. If yours is the only one, it will show only that one.

8.2.12 Using LDAP server and client


LDAP services give an LDAP client the ability to get information from a
directory-based service. One such use is to enable a client such as Netscape to
query an LDAP server for information that it holds in its directory database. This
way the client does not need a Novell client to get such information as the
Internet address of the client.
1. You need to have users configured with the information that you want so that
something is there to put in the LDAP server.
2. Create a user called LDAP_Proxy and enter the details of the user. Select the
Password restrictions button and uncheck the box Allow user to change
password. Do not allocate a password for this user.

3. Make the user a trustee of the container that you want the LDAP services to be
able to read. Give the user the Browse, Read and Compare rights as in the
catalog service trustee assignments.
4. In the LDAP group object, open the properties. Figure 195 appears.

Figure 195. LDAP group object

5. Next to the Proxy Username field click on the Browse button and select the
user that you configured to have the correct rights for the container that you
wish.
6. Then select the Browse button next to the Suffix window and select a
container. This will limit the user to be able to access this container only.
7. Click the Server List button and ensure that the server that is running the
LDAP services is in the list. If not, browse and select the server.
8. Now go to the client and use the Netscape browser to make some LDAP
requests.
9. Select the address book icon in the bottom right hand corner.
10.Right-click the address items and select a new directory.

Figure 196. LDAP Netscape client

11.Place any name that you wish in the Description field. In the LDAP Server
field, enter the DNS name or IP address of the server that you have just
configured. In the Search Root field, enter the distinguished name for the NDS
container where the LDAP should start its search. The rest you can leave as
default.

Appendix A. Installation worksheets

A.1 Memory calculations


The worksheet is based on Novell’s server memory worksheet.
Table 7. Memory calculations

Steps  Gather and calculate the following information                    Result

A1     The total amount of disk space connected to the server, not the
       amount of disk space being used. Note: 1=1MB 1024=1GB              MB

A2     Calculate the megabytes of usable disk space connected to the
       server. For duplexing or mirroring, use the formula A1x0.5 or
       just copy A1.                                                      MB

A3     Servers block size (4,8,16,32,64)                                  MB

A4     Calculate the number of disk blocks per MB (divide 1024 by A3)     MB

A5     Calculate the total number of disk blocks (multiply A2xA4)         Blocks

A6     The maximum number of users connected to the servers.              MB

A7     The maximum number of files on the server. [Maximum number of
       files for storage = A2 x 1042 / average file size.]                Files

Individual memory calculations

1      The minimum amount of memory for the server’s operating system
       (NetWare 5 minimum is 64,000 KB).                                  KB

2      Memory requirement for media manager (A1*0.1).                     KB

3      If file compression is enabled, enter 250. Otherwise, enter 0.     KB

4      Memory required for the directory tables (A7x0.006, or if
       suballocation is set, A7x0.011).                                   KB

5      Cache requirements for the FAT (A5x0.008).                         KB

6      Cache requirements for the files:
       Less than 100 users: A6x400
       100-250 users: 40,000+((A6-100)x200)
       250-500 users: 70,000+((A6-250)x100)
       500-1000 users: 95,000+((A6-500)x50)                               KB

7      Memory required for supporting NLMs requirements (2000 KB total
       for Btrieve, CLIB, install and Pserver)                            KB

8      Memory requirements for installed services (refer to the minimum
       memory for the application).                                       KB

Total memory requirements

9      Total of lines 1 to 8 in KB.                                       KB

       Divide the number of KB in Step 9 by 1024.                         MB

The average file size can be calculated by dividing the total bytes backed up by
the total number of files backed up.
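
The worksheet in Table 7 carried through as a small calculator, added here as an illustration (it is not part of the original redbook). It assumes the block size in A3 is given in KB, takes the maximum number of files (A7) as an input, and rejects user counts above 1000 because the worksheet gives no formula for them; the class, function and field names are hypothetical.

```python
"""Table 7 memory worksheet as a calculator (added example, hypothetical names)."""
import math
from dataclasses import dataclass
from fractions import Fraction

OS_MINIMUM_KB = 64_000    # line 1: NetWare 5 minimum
SUPPORT_NLMS_KB = 2_000   # line 7: Btrieve, CLIB, install and Pserver
BLOCK_SIZES = (4, 8, 16, 32, 64)


@dataclass
class ServerPlan:
    total_disk_mb: int            # A1: disk space connected, not disk space used
    mirrored: bool                # A2: duplexing or mirroring halves usable space
    block_size_kb: int            # A3: assumed to be in KB
    max_users: int                # A6
    max_files: int                # A7
    compression: bool = False     # line 3
    suballocation: bool = False   # line 4
    services_kb: int = 0          # line 8: sum of each service's stated minimum


def file_cache_kb(users):
    """Line 6: tiered file cache requirement in KB."""
    if not 0 <= users <= 1000:
        raise ValueError("the worksheet covers 0 to 1000 users")
    if users < 100:
        return users * 400
    if users <= 250:
        return 40_000 + (users - 100) * 200
    if users <= 500:
        return 70_000 + (users - 250) * 100
    return 95_000 + (users - 500) * 50


def memory_lines_kb(plan):
    """Return worksheet lines 1 to 8 as exact fractions of a KB."""
    if plan.block_size_kb not in BLOCK_SIZES:
        raise ValueError("block size must be one of %r" % (BLOCK_SIZES,))
    a1 = Fraction(plan.total_disk_mb)
    a2 = a1 / 2 if plan.mirrored else a1            # usable MB
    a4 = Fraction(1024, plan.block_size_kb)         # disk blocks per MB
    a5 = a2 * a4                                    # total disk blocks
    dir_factor = Fraction(11, 1000) if plan.suballocation else Fraction(6, 1000)
    return {
        1: Fraction(OS_MINIMUM_KB),
        2: a1 / 10,                                 # media manager: A1 x 0.1
        3: Fraction(250 if plan.compression else 0),
        4: plan.max_files * dir_factor,             # directory tables
        5: a5 * Fraction(8, 1000),                  # FAT cache: A5 x 0.008
        6: Fraction(file_cache_kb(plan.max_users)),
        7: Fraction(SUPPORT_NLMS_KB),
        8: Fraction(plan.services_kb),
    }


def total_memory_kb(plan):
    """Line 9: total of lines 1 to 8 in KB."""
    return sum(memory_lines_kb(plan).values(), Fraction(0))


def total_memory_mb(plan):
    """Line 9 divided by 1024, rounded up to a whole MB."""
    return math.ceil(total_memory_kb(plan) / 1024)


# Constructed sample: two mirrored 9 GB disks, 64 KB blocks, 150 users.
EXAMPLE = ServerPlan(total_disk_mb=18_432, mirrored=True, block_size_kb=64,
                     max_users=150, max_files=200_000,
                     compression=True, suballocation=True)

if __name__ == "__main__":
    for line, kb in memory_lines_kb(EXAMPLE).items():
        print("line %d: %10.3f KB" % (line, float(kb)))
    print("total: %.3f KB, plan for %d MB"
          % (float(total_memory_kb(EXAMPLE)), total_memory_mb(EXAMPLE)))
```

The total is a floor for the base server; line 8 must be filled in from the documentation of each installed service before the result is used for sizing.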

A.2 Installing NetWare 5 worksheet
Table 8. NetWare installation

Required information      Enter information in this area

BIOS update for server    Version: (For example, 4.11a 12/4/99)
and RAID card, etc.

DOS boot partition size   For example, 50+500=550MB
(50 MB + server memory)

Total server hard disk    For example, 3 x 9 GB, 2 mirrored 1 hot spare = 9 GB
local

Language

Country/code
page/keyboard

Mouse/video

Platform support
module

PCI hot plug module       [ ] Yes  [ ] No  Other:

Storage adapters          Name:               Driver:             Version:
                          For example,        For example,        For example,
                          ServeRAID-3H        IPSRAID.HAM         4.0 7/12/99

Storage devices           [ ] IDECD  [ ] SCSIHD  Other:

Network cards             Name/MAC address:   Driver:             Version:
                          IBM TOKEN PCI/      For example,        For example,
                          000629B320BB        IBMTTRPO.LAN        2.4.3 13/6/99

Extra NLM needed


Install volume            Name:               Size:               Type:
information               For example,        For example,        For example,
                          SYS:                1.5 GB              standard

Hot Fix                   Size: for example, 4.1 MB

Server Name

File System and           Name:               Size:               Type:
volumes:                  For example,        For example,        For example,
                          VOL1                8 GB                NSS

Card protocol             Name:               Protocol:           Address:
information               For example,        For example,        For example,
                          IBMTOK_TSP_1        TCPIP               192.168.0.1

Time zone information     Subtract 5.00 for US and Canada Eastern time
                          Adjust daylight savings: [ ] Yes  [ ] No

NDS information           Tree Name: For example, IBMAU

                          Admin: For example, .admin.melb.ibmau

                          Password:

                          Container for server: For example, .melb.ibmau

License information       Path:

                          Serial number:


Additional products       [ ] Novell distributed Print services
installed                 [ ] LDAP services
                          [ ] NDS catalog services
                          [ ] WAN traffic manager
                          [ ] Secure authentication manager services
                          [ ] Novell PKI service
                          [ ] Novell Internet access server
                          [ ] Storage management services
                          [ ] Novell DNS/DHCP services

If catalog services are   Catalog on this server?  [ ] Yes  [ ] No
installed                 [ ] Search catalog services exclusively
                          [ ] Search NDS if requested attributes not in catalog

If DNS/DHCP services      Local object NDS context:
installed
                          Group object NDS context:

                          Rootsvr zone context:

Patch information         Path: For example, sys:\system\patch\ver2
                          File: For example, nw5sp2a.exe
                          Version: For example, patch 2a

NDS 8 information         Path: For example, sys:\system\nds8
                          File:
                          Version:

Comments:

A.3 Installing BorderManager worksheet
Table 9. BorderManager installation

Required Information      Enter information here

Type of BorderManager     Enterprise Edition
services                  Firewall services
                          VPN services
                          Authentication services
                          FastCache services

Path to BorderManager     For example, NBMEE3_128 :
CD

License information       Path:               Serial no.:         File name:
                          For example,        For example,        For example,
                          :A:                 400046545           bmfee31.nlf

Card information          Type: private/public/both
                          Address: For example, 192.168.0.1

                          Secure all public interfaces:          [ ] Yes  [ ] No
                          Enable HTTP for all private interfaces: [ ] Yes  [ ] No

DNS information           DNS Domain: For example, ral.itso.ibm.com

                          DNS servers: For example, 192.168.0.1

                          1.

                          2.

                          3.

Patch information         Path:               File:               Version:
                          For example,        For example,        For example,
                          sys:\patch          bm3sp1.exe          1A


Access rules Action deny/allow Source Access Destination

Example line ------------- Allow Any admin group any

Note
Make sure that you make a backup of the FILTER.CFG file in the SYS:\ETC
directory. Print this file and attach it to this worksheet.



A.4 Replica planning worksheet
Table 10. Replica planning worksheet

Server Partitions



A.5 Installing NDS for NT
Use this table when installing NDS for NT.
Table 11. Installing NDS for NT

Parameter

Tree name:

Contexts
  Domain Object:
  Users:

Force password synchronization:  [ ] Yes  [ ] No

Default method for handling users
  [ ] Create users
  [ ] Don’t move users
  [ ] Search context

NDS domain object name:

Replica:  [ ] Yes  [ ] No

Server name:



A.6 Parameter settings worksheet
Record these figures and make any adjustments only after a suitable amount of
run time has elapsed, approximately two weeks.
Table 12. Parameter settings

Setting Current figure New setting

Original cache buffers N/A

Total cache buffers

Long term cache hits N/A

Packet receive buffers

Directory cache buffers

Service process

LRU sitting time (minimum value)

Garbage collection (tested according to Chapter 6, “Optimizing and tuning” on page 105)

Compression time set to



A.7 NDS health check table
Fill out this table in conjunction with 6.2.5, “NDS health checking” on page 128.
Table 13. NDS health check

Required information | Information retrieved | Current information (for example, versions, replica depth and servers that need to be removed)

Is time in synch?  [ ] Yes  [ ] No

NDS versions (are they the latest available)  [ ] Yes  [ ] No

Are there any servers listed that have been removed from the network?  [ ] Yes  [ ] No

Check the replica depths: are they correct?  [ ] Yes  [ ] No

Is there at least one time provider?  [ ] Yes  [ ] No

Are all the servers in synch?  [ ] Yes  [ ] No



Appendix B. Special Notices
This publication is intended to help customers, business partners and IBM
employees to install Novell NetWare 5 and its ancillary products on Netfinity
servers. The information in this publication is not intended as the specification of
any programming interfaces that are provided by Netfinity servers. See the
Programming Announcements for Netfinity for more information about what
publications are considered to be product documentation.

References in this publication to IBM products, programs or services do not imply
that IBM intends to make these available in all countries in which IBM operates.
Any reference to an IBM product, program, or service is not intended to state or
imply that only IBM's product, program, or service may be used. Any functionally
equivalent program that does not infringe any of IBM's intellectual property rights
may be used instead of the IBM product, program or service.

Information in this book was developed in conjunction with use of the equipment
specified, and is limited in application to those specific hardware and software
products and levels.

IBM may have patents or pending patent applications covering subject matter in
this document. The furnishing of this document does not give you any license to
these patents. You can send license inquiries, in writing, to the IBM Director of
Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785.

Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged, should contact IBM Corporation, Dept.
600A, Mail Drop 1329, Somers, NY 10589 USA.

Such information may be available, subject to appropriate terms and conditions,
including in some cases, payment of a fee.

The information contained in this document has not been submitted to any formal
IBM test and is distributed AS IS. The information about non-IBM ("vendor")
products in this manual has been supplied by the vendor and IBM assumes no
responsibility for its accuracy or completeness. The use of this information or the
implementation of any of these techniques is a customer responsibility and
depends on the customer's ability to evaluate and integrate them into the
customer's operational environment. While each item may have been reviewed by
IBM for accuracy in a specific situation, there is no guarantee that the same or
similar results will be obtained elsewhere. Customers attempting to adapt these
techniques to their own environments do so at their own risk.

Any pointers in this publication to external Web sites are provided for
convenience only and do not in any manner serve as an endorsement of these
Web sites.

The following terms are trademarks of the International Business Machines
Corporation in the United States and/or other countries:
IBM                 Micro Channel
Netfinity           Netfinity Manager
OS/2                Predictive Failure Analysis
ServeRAID

The following terms are trademarks of other companies:

C-bus is a trademark of Corollary, Inc. in the United States and/or other countries.

Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Sun Microsystems, Inc. in the United States and/or other countries.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States and/or other countries.

PC Direct is a trademark of Ziff Communications Company in the United States
and/or other countries and is used by IBM Corporation under license.

ActionMedia, LANDesk, MMX, Pentium and ProShare are trademarks of Intel
Corporation in the United States and/or other countries. (For a complete list of
Intel trademarks see www.intel.com/tradmarx.htm)

UNIX is a registered trademark in the United States and/or other countries
licensed exclusively through X/Open Company Limited.

SET and the SET logo are trademarks owned by SET Secure Electronic
Transaction LLC.

Other company, product, and service names may be trademarks or service marks
of others.



Appendix C. Related publications
The publications listed in this section are considered particularly suitable for a
more detailed discussion of the topics covered in this redbook.

C.1 International Technical Support Organization publications


For information on ordering these ITSO publications see “How to get IBM
Redbooks” on page 249.
• Novell IntranetWare and BorderManager for IBM Netfinity and IBM PC
Servers, SG24-2145
• Netfinity Server Management, SG24-5208
• Implementing Netfinity Disk Subsystems: ServeRAID SCSI, Fibre Channel
and SSA, SG24-2098
• Netfinity Clustering Planning Guide, SG24-5845

C.2 Redbooks on CD-ROMs


Redbooks are also available on the following CD-ROMs. Click the CD-ROMs
button at http://www.redbooks.ibm.com/ for information about all the CD-ROMs
offered, updates and formats.
CD-ROM Title   Collection Kit Number
System/390 Redbooks Collection SK2T-2177
Networking and Systems Management Redbooks Collection SK2T-6022
Transaction Processing and Data Management Redbooks Collection SK2T-8038
Lotus Redbooks Collection SK2T-8039
Tivoli Redbooks Collection SK2T-8044
AS/400 Redbooks Collection SK2T-2849
Netfinity Hardware and Software Redbooks Collection SK2T-8046
RS/6000 Redbooks Collection (BkMgr Format) SK2T-8040
RS/6000 Redbooks Collection (PDF Format) SK2T-8043
Application Development Redbooks Collection SK2T-8037
IBM Enterprise Storage and Systems Management Solutions SK3T-3694

C.3 Other publications


These publications are also relevant as further information sources:
• Three Ways to Deliver Cache Performance to Your Intranet and Internet Users
available from http://www.novell.com/bordermanager/appnotes.html
• A Quick Guide to Web Acceleration, available from
http://www.novell.com/bordermanager/appnotes.html
• Netfinity Manager User’s Guide, 10L9271 available from
http://www.pc.ibm.com/support and with your server on ServerGuide
• Netfinity Manager Command Reference, 10L9270 available from
http://www.pc.ibm.com/support and with your server on ServerGuide
• Netfinity Manager Quick Beginnings, 10L9272 available from
http://www.pc.ibm.com/support and with your server on ServerGuide



C.4 Referenced Web sites
http://www.redbooks.ibm.com
http://www.pc.ibm.com/support
http://www.novell.com/bordermanager/appnotes.html
http://www.umich.edu/~dirsvcs/ldap/ldap.html
http://www.critical-angle.com/ldapworld/index.html
http://developer.novell.com/netware5
http://www.pc.ibm.com/us/server/sguide
http://www.pc.ibm.com/coupon
http://www.support.novell.com
http://www.novell.com/catalog/catindex.html
http://support.novell.com/search/ff_index.htm
http://ez.ic3.com/pages/novell_ez/templates/nicius.htm?novell_ez+870-000317-001
http://www.novell.com/coolsolutions/zenworks/downloadables.html
http://www.pc.ibm.com/us/netfinity/smtools2.html
http://www.novell.com/products/nds
http://www.netwarefiles.com
http://www.itlab.orst.edu/download/default.htm
http://www.pc.ibm.com/us/netfinity/serverproven
http://www.support.novell.com/misc/patlst.htm#nw
http://www.novell.com/download
http://www.microsoft.com/Windows/getisdn/
http://w3.itso.ibm.com
http://w3.ibm.com
http://www.elink.ibmlink.ibm.com/pbl/pbl



How to get IBM Redbooks
This section explains how both customers and IBM employees can find out about ITSO redbooks, redpieces, and
CD-ROMs. A form for ordering books and CD-ROMs by fax or e-mail is also provided.
• Redbooks Web Site http://www.redbooks.ibm.com/
Search for, view, download, or order hardcopy/CD-ROM redbooks from the redbooks Web site. Also read
redpieces and download additional materials (code samples or diskette/CD-ROM images) from this redbooks site.
Redpieces are redbooks in progress; not all redbooks become redpieces and sometimes just a few chapters will
be published this way. The intent is to get the information out much quicker than the formal publishing process
allows.
• E-mail Orders
Send orders by e-mail including information from the redbooks fax order form to:
e-mail address
In United States usib6fpl@ibmmail.com
Outside North America Contact information is in the “How to Order” section at this site:
http://www.elink.ibmlink.ibm.com/pbl/pbl/
• Telephone Orders
United States (toll free) 1-800-879-2755
Canada (toll free) 1-800-IBM-4YOU
Outside North America Country coordinator phone number is in the “How to Order” section at
this site:
http://www.elink.ibmlink.ibm.com/pbl/pbl/
• Fax Orders
United States (toll free) 1-800-445-9269
Canada 1-403-267-4455
Outside North America Fax phone number is in the “How to Order” section at this site:
http://www.elink.ibmlink.ibm.com/pbl/pbl/

This information was current at the time of publication, but is continually subject to change. The latest information
may be found at the redbooks Web site.

IBM Intranet for Employees


IBM employees may register for information on workshops, residencies, and redbooks by accessing the IBM
Intranet Web site at http://w3.itso.ibm.com/ and clicking the ITSO Mailing List button. Look in the Materials
repository for workshops, presentations, papers, and Web pages developed and written by the ITSO technical
professionals; click the Additional Materials button. Employees may access MyNews at http://w3.ibm.com/ for
redbook, residency, and workshop announcements.



IBM Redbooks fax order form
Please send me the following:
Title Order Number Quantity

First name Last name

Company

Address

City Postal code Country

Telephone number Telefax number VAT number

Invoice to customer number

Credit card number

Credit card expiration date Card issued to Signature

We accept American Express, Diners, Eurocard, Master Card, and Visa. Payment by credit card not
available in all countries. Signature mandatory for credit card payment.



List of abbreviations
ACK     acknowledgment
ACL     access control list
AIO     asynchronous I/O
APC     American Power Conversion, Inc.
ARPA    Advanced Research Projects Agency
ATM     Asynchronous Transfer Mode
BDC     backup domain controller
BER     bit error rate
BIOS    basic input/output system
BM      BorderManager
BMAS    BorderManager Authentication Services
CAB     cabinet
CD-ROM  compact disk-read only memory
CDM     Custom Device Module
CHAP    Challenge Handshake Authentication Protocol
CPU     central processing unit
DAP     Directory Access Protocol
DCE     data communication equipment
DDNS    dynamic domain name system
DES     data encryption standard
DHCP    Dynamic Host Configuration Protocol
DLL     dynamic load library
DMI     desktop management interface
DNS     domain name system
DUN     dial-up networking
DVD     Digital Video Disc
ECB     event control block
ECC     error correction code
EGP     Exterior Gateway Protocol
F/W     fast/wide
FAT     file allocation table
FC      Fibre Channel
FDDI    fiber distributed data interface
FTP     File Transfer Protocol
GUI     graphical user interface
HAM     Host Adapter Module
HFS     hierarchical file system
HMI     hub management interface
HSM     Hierarchical Storage Management
HTTP    Hypertext Transfer Protocol
ICMP    Internet control message protocol
IDE     integrated drive electronics
IPC     interprocess communications
IPX     Internetwork Packet eXchange
IRF     inherited rights filter
IRQ     interrupt request
ISDN    Integrated Services Digital Network
ISP     Internet service provider
LAN     local area network
LCGI    local common gateway interface
LDAP    Lightweight Directory Access Protocol
LDIF    LDAP Data Interchange Format
LIP     large internet packet
LRU     least recently used
LSL     Link Support Layer
LSS     loadable storage subsystem
MAC     medium access control
MPK     multiprocessor kernel
MRU     most recently used
NAT     Network Address Translation
NCP     NetWare Core Protocol
NCS     NetWare Cluster Services
NDPS    Novell Distributed Print Services
NDS     Novell Directory Services
NFS     Network File System
NHAS    Novell High Availability Server
NIAS    Novell Internet Access Server
NIC     network interface card
NICI    Novell International Cryptographic Infrastructure
NLM     NetWare Loadable Module
NLS     Novell License Services
NMI     non-maskable interrupt
NOS     network operating system
NSS     Novell Storage Services
NTFS    NT File System
NWFS    NetWare File System
NWPA    NetWare Peripheral Architecture
ODBC    open database connectivity



ODI     Open Data-link Interface
OSI     Open Systems Interconnection
OSPF    open shortest path first
PAP     Password Authentication Protocol
PCI     peripheral component interconnect
PDC     primary domain controller
PFA     Predictive Failure Analysis
PKI     public key infrastructure
POST    power on self test
PPP     Point-to-Point Protocol
PPRNS   Point-to-Point Remote Node Services
RAD     rapid application development
RADIUS  Remote Authentication Dial-In User Service
RAID    redundant array of independent devices
RAM     random access memory
RFC     Request For Comment
RIP     Routing Information Protocol
RTDM    Real Time Data Migration
RWC     Remote Workstation Control
SAP     Service Advertising Protocol
SAS     Secure Authentication Services
SBS     StandbyServer
SCF     service configuration file
SCSI    small computer system interface
SFT     System Fault Tolerant
SLP     Service Location Protocol
SMART   self-monitoring analysis and reporting technology
SMDS    Switched Multimegabit Data Service
SMP     symmetric multiprocessors
SMTP    simple mail transfer protocol
SNA     systems network architecture
SNMP    simple network management protocol
SONET   Synchronous Optical NETwork
SSL     Secure Sockets Layer
SWG     SMART Working Group
SYN     synchronize
TCO     total cost of ownership
TCP/IP  Transmission Control Protocol/Internet Protocol
TID     technical information document
TMA     Tivoli Management Architecture
TTS     Transaction Tracking System
UBR     unspecified bit rate
UDF     universal disk format
UDP     user datagram protocol
UPS     uninterruptible power supply
URL     universal resource locator
UTC     Universal Time Coordinated
UUCP    UNIX To UNIX Copy Protocol
VPN     virtual private networks
WAN     wide area network
WB      write back
WT      write through
WTM     WAN Traffic Manager



IBM Redbooks evaluation
Novell NetWare 5.0 Integration Guide
SG24-5847-00

Your feedback is very important to help us maintain the quality of ITSO redbooks. Please complete this
questionnaire and return it using one of the following methods:
• Use the online evaluation form found at http://www.redbooks.ibm.com/
• Fax this form to: USA International Access Code + 1 914 432 8264
• Send your comments in an Internet note to redbook@us.ibm.com

Which of the following best describes you?


_ Customer _ Business Partner _ Solution Developer _ IBM employee
_ None of the above

Please rate your overall satisfaction with this book using the scale:
(1 = very good, 2 = good, 3 = average, 4 = poor, 5 = very poor)

Overall Satisfaction __________

Please answer the following questions:

Was this redbook published in time for your needs? Yes___ No___

If no, please explain:

What other redbooks would you like to see published?

Comments/Suggestions: (THANK YOU FOR YOUR FEEDBACK!)



Novell NetWare 5.0 Integration Guide SG24-5847-00
Printed in the U.S.A.