Novell NetWare 5.0 Integration Guide
www.redbooks.ibm.com
SG24-5847-00
International Technical Support Organization
November 1999
Take Note!
Before using this information and the product it supports, be sure to read the general information in Appendix B,
“Special Notices” on page 245.
When you send information to IBM, you grant IBM a non-exclusive right to use or distribute the information in any way
it believes appropriate without incurring any obligation to you.
Preface
This redbook describes how to install Novell NetWare 5.0 and its key
components. It will help you install and configure these products and integrate
them with Netfinity servers from IBM.
NetWare 5.0 is Novell’s latest version of one of the most widely used network
operating systems. It combines the maturity and reliability of the traditional
NetWare network with the global reach and open standards of the Internet.
This book is useful to anyone who wants to implement NetWare 5.0 on Netfinity
servers.
David Watts is an Advisory Specialist for Netfinity Servers at the ITSO Center in
Raleigh. He manages residencies and produces redbooks on IBM Netfinity
Servers. He has authored over a dozen publications, his most recent being the
third edition of Implementing Netfinity Disk Subsystems and the second edition of
Netfinity Server Management. He has a Bachelor of Engineering degree from the
University of Queensland (Australia) and has worked for IBM for over 10 years.
He is an IBM Professional Server Specialist.
This book uses material from Novell IntranetWare and BorderManager for IBM
Netfinity and IBM PC Servers, SG24-2145. Thanks go to the authors:
Kiran Sukhtankar, Senior Technical Executive, India
George Mobbs, LAN Consultant, Australia
Rufus Credle, Advisory Software Engineer, ITSO Raleigh
Tim Gray, Senior Software Specialist, USA
Finally, thanks to Pierluca’s wife, Silvia Colucci for her assistance with Italian to
English translations.
Chapter 1. What’s new in NetWare 5
NetWare 5.0 has introduced many new features that make it one of the most
relevant software products in the networking field. In this chapter, we describe
these new features. We also compare the features of NetWare 5.0, IntranetWare
4.2 and NetWare 3.2 in Table 1 on page 12:
SRV_NW5_1:ncp addresses
SRV_NW5_1:
The NCP STATUS command shows the number of NCP requests processed by the
OS engine since boot. For example, the numbers shown on the left side of
ProcessNCPPacket requests and ProcessNCPPacketWithLength requests
represent NCP requests (not in use at this moment) that have been
processed through the IPX and IP protocols as well as through the CLIB. The
NCPPacketReceiveHandler enables developers to define the length of the
packet receive buffers. Finally, NCPPacketReceiveHandler shows only the
NCP requests that have been processed through the IPX protocol.
The NCP TRACE command allows you to see the NCP requests in one file. The
NCP DUMP command enables you to see all the NCP requests.
• New memory management architecture, including support for virtual
memory
NetWare 5 enables you to use much more than the physical memory in the
file server through virtual memory: programs and NLM applications can be
swapped in and out of memory and saved on the hard disk.
By default, virtual memory allocates a 2 MB swap file in the root of the
SYS volume. From that point the swap file can grow or shrink according to
the number of NLMs and server applications running at that moment and
the amount of memory the server needs to maintain for the users and the
applications.
Furthermore, you can select a different volume on which to create the swap
file, and you can have multiple swap files. NetWare 5 will use them in the
way that gives the best performance.
Example: swap
Example: swap add vol2
Example: swap add vol3 min = 5 max = 100 min free = 10
Example: swap delete vol3
Example: swap parameter vol2 min = 2 max = 1000 min free = 100
NW5_BM3:
There are three basic items inside the virtual memory model:
– Primary storage
– Secondary storage
– Swap file
The primary storage is the physical memory that the server has. Secondary
storage represents the possible applications existing inside the swap file at the
moment.
For more details about how the virtual memory is configured through the SET
parameters, enter the following command on the console:
MONITOR !H
In the window that appears, select Server then Memory. Here you will find an
online help screen with detailed information about the single options.
As for the memory, NetWare 5 has a list of options needed to address memory
spaces. If you enter PROTECTION, you will see a list of addresses correctly used
by the server, as well as the NLMs that have been loaded in those spaces.
It is also possible to use the console command PROTECT to load the modules in
an .NCF file into a protected address space using the command:
PROTECT [filename].NCF
• Use of NetWare Configuration file to maintain the server configuration
and SET parameters
NetWare 5 has a new method to keep track of the information saved on .NCF
files. The NetWare configuration file stores names and values inside the
hierarchical database tree structure consisting of branches, nodes and leaves.
ConsoleOne Included No No
Notes:
1. Available by downloading a patch
2. Available by adding a free downloadable product
2.1 BorderManager
With the advent of Internet-based applications such as e-mail, browsing and Web
serving, it has become imperative that companies connect and deal with the
Internet on a daily basis. Doing so raises security and performance concerns.
BorderManager is a suite of applications developed by Novell over the past
years to address the security and performance issues of connecting to the
public Internet. Connecting to the Internet normally requires multiple
products:
1. A firewall to ensure that security is not breached.
2. A proxy server to keep down the costs of the Internet access.
3. A gateway to convert the clients running old protocols or one that converts
internal IP addresses into valid public addresses.
4. Remote access software for clients.
Some applications or hardware products combine several of these functions and
their management, but none can handle all of them. This means that you will
have to learn multiple interfaces.
This new version of BorderManager is broken up into four distinct products. You
can purchase these separate products or you can purchase all of them in the
Enterprise Edition. The Enterprise Edition consists of all the separate products
that are listed below:
1. Firewall services
– Full access control
– Application proxy services
– Caching services
– Site-to-site virtual private networks (VPN)
– Gateways
– Network Address Translation (NAT)
– Packet filtering
2. Virtual private networks services
Apart from being a total solution for your network borders, BorderManager is fully
NDS compliant. This enables the administrator to control the access to the
Internet or configure VPNs from NWAdmin. With the ever-increasing need for
reducing cost of ownership and increasing productivity, NDS is a tool that can
help in all these aspects, as well as being a powerful tool to control the security of
your network.
[Figure: BorderManager services placed against the OSI layers (application,
presentation, session, transport, network). Services shown: proxy cache, VPN,
IP/IP gateway, IPX/IP gateway, NAT, packet filtering]
As the technology moves up the OSI model, the detail becomes finer and the
firewall technology becomes more secure. With this greater security, the
firewall must look at more of the packets that are passing through. For this
reason the firewall applications further up the OSI model will not be as fast
as a packet filter set at the data link layer.
The application proxy has the ability to enhance the security of the lower layer
firewall services and to control traffic down to the command level in the
application. For example, FTP commands can be selectively allowed or stopped:
a company may have an FTP server from which it allows users to download
documentation files, but it does not want anyone placing anything on the server.
The administrator would configure the application proxy to allow FTP get
commands but disallow FTP put commands. One of the main difficulties with
application proxy servers is that there is a proxy server for each application,
which adds administration and configuration overhead. The decision to use an
application proxy or to move down the layers of the OSI model depends on the
security that the company needs and the amount of time the administrator can
spend.
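The get/put policy described above, sketched as an added Python example; it is not BorderManager code or configuration. It assumes the standard RFC 959 verbs (RETR for get, STOR/STOU/APPE for put); the reply texts, the 512-byte line limit and the sample session are constructed for illustration.

```python
from typing import List, NamedTuple, Tuple

# RFC 959 command verbs grouped by what they do to the server.
DOWNLOAD = {"RETR"}                                  # "get"
UPLOAD = {"STOR", "STOU", "APPE"}                    # "put" and its variants
MODIFY = {"DELE", "RNFR", "RNTO", "MKD", "RMD"}      # other changes on the server
SESSION = {"USER", "PASS", "QUIT", "SYST", "NOOP", "PWD", "CWD", "CDUP",
           "TYPE", "MODE", "STRU", "PORT", "PASV", "LIST", "NLST"}
ALLOWED = DOWNLOAD | SESSION
MAX_LINE = 512  # assumed upper bound for one control-channel line


class Verdict(NamedTuple):
    forward: bool   # True: relay the line to the FTP server unchanged
    reply: str      # reply the proxy sends itself when it does not forward


FORWARD = Verdict(True, "")
SYNTAX_ERROR = Verdict(False, "500 Syntax error.\r\n")
DENIED = Verdict(False, "550 Permission denied by proxy policy.\r\n")
UNSUPPORTED = Verdict(False, "502 Command not implemented.\r\n")


def filter_command(raw: bytes) -> Verdict:
    """Decide whether one client line on the FTP control channel is relayed."""
    # Exactly one CRLF-terminated command per line; anything else is rejected
    # so a second command cannot ride along inside an allowed one.
    if len(raw) > MAX_LINE or not raw.endswith(b"\r\n"):
        return SYNTAX_ERROR
    body = raw[:-2]
    if b"\r" in body or b"\n" in body:
        return SYNTAX_ERROR
    try:
        text = body.decode("ascii")
    except UnicodeDecodeError:
        return SYNTAX_ERROR
    verb = text.split(" ", 1)[0].upper()   # FTP verbs are case-insensitive
    if verb in ALLOWED:
        return FORWARD
    if verb in UPLOAD or verb in MODIFY:
        return DENIED
    return UNSUPPORTED                     # default deny for unknown verbs


# Constructed sample session: a download followed by lines the policy stops.
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS guest@example.com\r\n",
    b"TYPE I\r\n",
    b"PASV\r\n",
    b"retr manual.pdf\r\n",
    b"STOR upload.bin\r\n",
    b"NOOP\r\nSTOR hidden.bin\r\n",
    b"SITE CHMOD 644 readme.txt\r\n",
]


def audit(lines: List[bytes]) -> List[Tuple[bytes, bool]]:
    """Return each line with the proxy's forward/stop decision."""
    return [(line, filter_command(line).forward) for line in lines]


if __name__ == "__main__":
    for line, forwarded in audit(SAMPLE_SESSION):
        print("FORWARD" if forwarded else "STOP   ", line)
```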
BorderManager Enterprise Edition III includes HTTP, FTP, Gopher, mail, Real
Audio/video and DNS application proxies. It also includes generic UDP and
TCP proxies that give companies the ability to configure other proxies, such as
LDAP.
Chapter 2. Products 17
2.1.1.2 Gateways
Looking at the OSI model, the gateways work at the middle layers and are
therefore faster than the upper layer firewall services. The two gateways are as
follows:
• SOCKS gateway: One of the major enhancements of the SOCKS server is the
support for WinSock Version 2. This means that implementing this SOCKS
server does not require revisiting workstations so that they can
communicate with the new server. The SOCKS server can also protect the
company's internal network or client, allowing the corporation to leave the
existing firewall in place and allow BorderManager to act as a SOCKS
client and pass information through the existing firewall by authenticating to it
on behalf of the users.
• IPX/IP and IP/IP gateway: These gateways allow the users to connect to the
Internet even if they are not running the IP protocol. The user gateway
receives TCP/IP commands and then converts them to the appropriate IP
range and command set and passes them on to the appropriate router.
Again, these are configured using NDS to ensure that only users who are
authenticated are allowed to access these services.
Address translation in BorderManager has two modes: static and dynamic. The
dynamic mode is used when a corporation has configured its clients with a
private addressing scheme and now wishes these clients to connect to the
Internet. The choice is either to reconfigure all the clients with valid IP
addresses or to set up dynamic address translation so that any IP address from
a certain range is mapped to either one or multiple valid IP addresses.
Figure 5. Dynamic network address translation
[Figure labels: Netfinity 5000, 192.168.0.1, NetWare 5, BorderManager with NAT
(dynamic-only mode), 192.168.0.2, 192.168.0.3, Firewall]
Static NAT works in much the same way as dynamic NAT in that it changes IP
addresses from one to another. However, it maps only one IP address to
another IP address: a one-to-one mapping, where dynamic is a one-to-many.
Static NAT would be used if, for example, the company has a mail server that has
a valid IP address on the Internet and internally it has a corporate IP address
scheme.
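The two modes side by side, as an added Python example that is not BorderManager's implementation. The private addresses 192.168.0.2 and 192.168.0.3 come from the figures; the public addresses (203.0.113.x documentation range), the mail server's private address and the use of port translation for the dynamic mode are assumptions made for the sketch.

```python
import ipaddress
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, TCP/UDP port)


class Nat:
    """Static (one-to-one) and dynamic (shared public address) translation."""

    def __init__(self, private_net: str, public_ip: str,
                 static_map: Dict[str, str], first_port: int = 50000) -> None:
        self.private_net = ipaddress.ip_network(private_net)
        self.public_ip = public_ip
        self.static_out = dict(static_map)                      # private -> public
        self.static_in = {pub: priv for priv, pub in static_map.items()}
        self.dyn_out: Dict[Endpoint, int] = {}                  # inside flow -> public port
        self.dyn_in: Dict[int, Endpoint] = {}                   # public port -> inside flow
        self.next_port = first_port

    def outbound(self, src_ip: str, src_port: int) -> Endpoint:
        """Translate the source of a packet leaving the private network."""
        if ipaddress.ip_address(src_ip) not in self.private_net:
            raise ValueError("source is not on the private network")
        if src_ip in self.static_out:
            # Static: the address changes, the port is left alone.
            return (self.static_out[src_ip], src_port)
        key = (src_ip, src_port)
        if key not in self.dyn_out:
            # Dynamic: create the mapping only when an inside host starts a flow.
            self.dyn_out[key] = self.next_port
            self.dyn_in[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.dyn_out[key])

    def inbound(self, dst_ip: str, dst_port: int) -> Optional[Endpoint]:
        """Translate the destination of a packet arriving from the Internet.

        Returns None when no mapping exists, in which case the packet is dropped.
        """
        if dst_ip in self.static_in:
            return (self.static_in[dst_ip], dst_port)   # always reachable
        if dst_ip == self.public_ip:
            return self.dyn_in.get(dst_port)            # replies to inside flows only
        return None


def build_example_nat() -> Nat:
    # Constructed values: 203.0.113.1 is the shared public address and the
    # mail server 192.168.0.25 is published statically as 203.0.113.25.
    return Nat("192.168.0.0/24", "203.0.113.1",
               static_map={"192.168.0.25": "203.0.113.25"})


if __name__ == "__main__":
    nat = build_example_nat()
    print(nat.outbound("192.168.0.2", 1025))    # dynamic mapping created
    print(nat.outbound("192.168.0.3", 1025))    # same inside port, new public port
    print(nat.inbound("203.0.113.1", 50001))    # reply reaches 192.168.0.3
    print(nat.inbound("203.0.113.1", 50002))    # no mapping: dropped
    print(nat.inbound("203.0.113.25", 25))      # static: mail server reachable
```

The difference that matters for exposure is in `inbound`: a dynamically translated client is reachable only through a mapping it created itself, while a statically mapped host accepts new connections from outside and so still needs packet filtering in front of it.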
Figure 6. Static and dynamic network address translation
[Figure labels: Netfinity 5000, 192.168.0.1, NetWare 5, BorderManager with NAT
(dynamic and static mode), 192.168.0.2, 192.168.0.3, Firewall]
automatically. The stateful filter opens the port when it is required and then
closes it after the conversation has finished. This makes it slower than the
static filters, but the ease of use and removal of user error are reason
enough for its use. The added security is a definite plus for the connection to
the Internet.
• ACK (Acknowledgement) bit filters. The ACK filter enables a higher level of
security for the packet filter. When a TCP session is begun it goes through a
handshaking process, as shown in Figure 7.
The initiating node can only start the conversation with the SYN bit set and no
ACK bit. The ACK filter enabled for port 21 (FTP) will allow the conversation to
be begun only from the internal network. Any conversation begun from the public
side of the network will not have an ACK bit set and will therefore not be allowed.
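The ACK rule applied to a handshake, as an added Python example; it is not BorderManager code. The 20-byte TCP headers are constructed samples (client port 1025, sequence numbers and window chosen arbitrarily), and the rule set is an assumed reading of the paragraph above: outbound segments to port 21 pass, inbound segments from port 21 pass only with ACK set, everything else is dropped.

```python
import struct
from typing import List, Tuple

# TCP flag bits in byte 13 of the header.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FTP_CONTROL_PORT = 21


def build_tcp_header(src_port: int, dst_port: int, seq: int, ack: int,
                     flags: int) -> bytes:
    """Build a minimal 20-byte TCP header (constructed sample, checksum 0)."""
    data_offset = 5 << 4  # header length of five 32-bit words, no options
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, 8192, 0, 0)


def parse_tcp_header(segment: bytes) -> Tuple[int, int, int]:
    """Return (source port, destination port, flags) from a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    src, dst, _seq, _ack, _offset, flags = struct.unpack("!HHIIBB", segment[:14])
    return src, dst, flags


def ack_filter(direction: str, segment: bytes,
               port: int = FTP_CONTROL_PORT) -> bool:
    """Stateless ACK-bit filter. Returns True when the segment may pass.

    direction is "out" (private to public) or "in" (public to private).
    The rule checks a flag, not whether a session exists; tracking the
    session itself is what the stateful filter adds.
    """
    try:
        src, dst, flags = parse_tcp_header(segment)
    except ValueError:
        return False                      # fail closed on malformed input
    if direction == "out":
        return dst == port                # inside hosts may open and continue
    if direction == "in":
        return src == port and bool(flags & ACK)   # replies only
    return False


# Constructed trace: a normal handshake begun inside, then segments that
# try to begin a conversation from the public side.
TRACE = [
    ("out", build_tcp_header(1025, 21, 1000, 0, SYN)),           # client SYN
    ("in", build_tcp_header(21, 1025, 5000, 1001, SYN | ACK)),   # server SYN+ACK
    ("out", build_tcp_header(1025, 21, 1001, 5001, ACK)),        # client ACK
    ("in", build_tcp_header(21, 1025, 7000, 0, SYN)),            # bare SYN from outside
    ("in", build_tcp_header(40000, 21, 9000, 0, SYN)),           # outside client to port 21
    ("in", b"\x00\x15"),                                         # truncated header
]


def evaluate(trace: List[Tuple[str, bytes]]) -> List[str]:
    """Apply the filter to each (direction, segment) pair in order."""
    return ["allow" if ack_filter(d, s) else "drop" for d, s in trace]


if __name__ == "__main__":
    for (direction, _segment), verdict in zip(TRACE, evaluate(TRACE)):
        print(direction, verdict)
```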
Connecting users via VPNs is also becoming very popular. It allows the user to
connect to the ISP using a local phone number and then connect to the
company’s site. Again the costs of setting up the infrastructure are borne by
the ISP and the company does not have to worry about administration and
ensuring that the infrastructure is stable and running.
Another feature of VPNs is that encryption is done only on the information
that is being sent to the secure network, so the internal non-secure networks
continue to work at normal speeds. The encryption and compression are defined
in Requests for Comments (RFCs) 1825-1828 and support RC2, RC5, DES and
3DES.
Since all the BorderManager services are fully integrated with NDS, the
administration of the VPN is done via the normal administration tools so that
individual users, groups or containers are able to be allowed or denied access to
the VPN.
RADIUS infrastructure and keeping the user management internal to the
company.
[Figure labels: ISP, RADIUS Proxy, Internet, Netfinity 5000 running NetWare 5,
BorderManager services with RADIUS server]
2.2 ManageWise
Novell's ManageWise is a network management application that has the ability to
manage NetWare and Windows NT servers, as well as user workstations. The
base product also includes traffic analysis, virus protection and inventory
management capabilities. In some instances the main administrator might not
want the full functionality of ManageWise available to certain users. For example,
it is possible to reduce the functionality available to the network operator on the
night shift, or restrict a junior operator's ability to access the routers and
reconfigure the backbone.
• ManageWise Console
The ManageWise Console is a Windows application that provides an
integrated interface for managing the NetWare networks. The ManageWise
Console provides a graphical user interface, a database of all network
information, an alarm management system, and NetExplorer Manager.
• NetExplorer
NetExplorer is a network discovery system, and is installed on a ManageWise
server and communicates with routers, NetWare servers, and the NetWare
LANalyzer Agent to discover the network segments, routers, servers, HMI
(hub management interface) hubs, and workstations. (A ManageWise server
running NetExplorer is referred to as a NetExplorer server.) NetExplorer
organizes the information it discovers and sends it to the ManageWise
Console. This forms most of the data in the ManageWise database. After an
initial installation of ManageWise, it has no information about the network.
NetExplorer is then used to gather the information that it needs to monitor and
manage the network.
Agents are typically assigned very specific tasks, such as keeping watch over a
specific NetWare server (NetWare Management Agent) or overseeing a network
segment (NetWare LANalyzer Agent). Agents that are available separately
include:
• NetWare Management Agent
The NetWare Management Agent provides real-time server performance data
and information about server alerts to the ManageWise Console. It should be
deployed on each server that is to be managed from the ManageWise
Console.
• NetWare LANalyzer Agent
The NetWare LANalyzer Agent enables a NetWare server to monitor all traffic
on Ethernet, token-ring or FDDI network segments to which the server is
attached. A single NetWare server running NetWare LANalyzer Agent can
monitor several network segments simultaneously.
• NetWare Hub Services Agent
NetWare Hub Services Agent enables both local and remote management of
server-based hubs that comply with the HMI specification. This agent also
enables the monitoring of hub performance, and monitoring of each node
attached to a hub, and enables or disables network access to nodes
connected to the hub.
Breaking down the objects on the network like this enables you to cut up the
directory structure and store it in different areas of your network. This was
extremely useful for sites spanning slow WAN links. Replicating the portion of the
tree that is across the WAN allowed the users to get to their resources locally
rather than across the WAN. For example, refer to Figure 10:
[Figure 10, NDS Tree. Labels: Company ROOT, O=Company, OU=Marketing, OU=Sales,
OU=Melbourne]
The section of the tree that is circled has been copied: one copy is on the master
server based at the head office in London. Another copy of that portion of the tree
is based in the Australian office server. This allows users in Australia to be
authenticated to the local copy of the replica rather than connecting across the
WAN to the copy in London and still have access to all resources in the whole tree
to which they have security access.
One of the major advantages Novell has had over its competitors in the Intel
server area is the NDS. Novell’s endeavors seem to be leading to everything
being bigger, faster and better. To this end, Novell has released NDS 8, the latest
version of NDS that has added features and benefits. Most of these additions are
aimed at the larger businesses or ISPs that have thousands of objects in the tree.
small-to-medium sites that are currently running an older version will have no real
business need to upgrade to NDS 8. However, as they convert to NetWare 5 or
begin to use NDS for NT then a move to NDS 8 should definitely be considered as
a basis for the future growth and to take advantage of enhancements that Novell
will release over the coming years.
In Figure 10, the OU and O objects are container objects (directories); any object
placed in these containers that has no object below it in the tree is called a
leaf object. Each leaf object is referred to by its common name. For example, if a
user object is named Jenni, then that is the object’s common name. Container
objects do not have common names, however.
NDS storage methods in the old version differ from those in NDS 8. The older
versions stored all the NDS data in four separate files and multiple streams files
in the SYS: volume. The four files were database files and each one contained
specific information about the NDS and the streams files were standard files that
were named using hexadecimal characters:
• PARTITIO.NDS — lists all the database partitions on the server.
– The inheritance of attributes down the tree to the level of properties.
– Control the areas of access, security and space for the NetWare files
system.
These new updates are only the beginning and as Novell releases more
patches, functionality of the ConsoleOne will improve. ConsoleOne has the
advantage over NWAdmin of not relying on the memory of the workstation as
the databases increase in size. Also, the allocation of rights has been
simplified into a more tabular system that most computer users are used to.
Since ConsoleOne is Java based, it can be ported to be accessible from a
Web browser.
The types of tasks that are performed by ConsoleOne and not NWAdmin are:
– Create LDAP containers in NDS.
– Browsing very large NDS trees.
– Searching allows up to 2000 objects, whereas NWAdmin shows only what
it can in the available memory.
– Able to create any object that the schema has in it, compared to NWAdmin,
which can only do the ones it has snapin for.
– Can handle dots in names.
– Change multiple objects in a single operation.
• Increased performance for LDAP. LDAP (Lightweight Directory Access
Protocol) in NDS 8 is compliant with LDAP Version 3 and therefore anything
written to that standard will be compatible with NDS 8 LDAP. The LDAP is
managed by ConsoleOne and has tighter integration with the NDS than past
versions. Another enhancement is the capability to search across other
servers if the object is not found on the local copy by using referrals.
• New DSrepair. DSrepair is a utility that has been available since the beginning
of the NDS era. DSrepair has enabled the administrator to fix synchronization
and database errors, but the users were not able to access the NDS during
this time. The new DSrepair allows the repair utility to be run while the NDS
database is open so that users are not affected. Some of the other features
included are:
– The database will be checked without the administrator having to start the
process manually.
– Can perform an index check.
– Free space can be reclaimed from the records that have been discarded.
• BulkLoad. BulkLoad is a utility for adding, deleting or modifying NDS objects
in batch mode. It is based on the LDAP data interchange format (LDIF) and
many of the e-mail packages can export in this format.
• Upgrade of current NDS. The ability to update the NDS simply and easily is
imperative. The installation procedure for NDS 8 does only one reboot. The
speed of the install depends on the amount of trustee rights on the volumes
and the number of NDS objects that must be updated. There are certain
prerequisites, which will be discussed in the installation instructions in the
Chapter 3, “Installing NetWare” on page 41.
• Replication and partitioning. In the older versions of NDS, there were
certain rules that needed to be followed, such as the amount of replicas on a
2.4 ZENworks
Total cost of ownership (TCO) is one of those grey areas that administrators are
asked to account for. Most companies really have little or no idea of the cost of
ownership in the IT infrastructure. As the IT departments are asked to cut down
the number of administrators and increase the functionality and services offered
by the IT department, this total cost of ownership is becoming more relevant and
important every day. TCO has been rated as high as 80% of the IT budget by
companies that research and analyze IT company information. With a number as
high as this, companies are demanding that the TCO be decreased; to do this
means to decrease the amount of administration time needed to do adds, moves,
and changes to the user environment.
ZENworks developed by Novell is a tool designed to decrease the TCO. The aim
of ZENworks is to allow the administrator to add printers, lock down desktops,
allow users to move and keep their environment, and distribute applications.
There are many applications that do this; some are designed for very large
scenarios and others aimed at the smaller Intel-based-server customers. All of
these have similar or greater features; the power of ZENworks is that it leverages
and is totally integrated with NDS, making it fault tolerant, able to be replicated,
and present one administrative interface.
NDS is the key in making ZENworks a powerful and easily used tool. The NDS
has some new objects added to it for the use of ZENworks. These NDS objects
enable the administrator to control the features listed in 2.4.1, “Features” on page
29. A workstation object allows the importation of information from the machines
that are connected to the network. Policy packages are based on Microsoft’s
policies where they enable the control of the user’s desktop. The difference in
using NDS is that it is replicated and stored in the NDS rather than relying on files
and ensuring these files are stored and replicated if changes are made.
2.4.1 Features
ZENworks can run on NetWare 4.11 and NetWare 5 and can be leveraged the
same in both operating systems. NetWare 5 comes bundled with the ZENworks
Starter Pack. This is a subset of the full product that can be purchased from
Novell. In this section, we will discuss all features available to ZENworks and then
list those that are in the Starter Pack first and then the features available with the
full product.
2.4.1.1 Features available in the Starter Pack
The ZENworks Starter Pack shipped with NetWare 5 allows an administrator who
already has a remote management product implemented to enhance their
management capabilities by now having a tool that will control users’ desktops,
dispense applications, and import workstation information to the NDS.
• Policies. Currently, if a company uses Windows NT clients for security,
stability and multitasking reasons, then the control of such an operating
system is based on policies that disable a user’s access to specific tasks such
as the RUN command in the Start menu or more importantly, disallows the user
to change settings in the Control Panel. To administer these, the user must
either be created as a user on the workstation, implement NT servers and the
domain structure, or use NDS with ZENworks. There are many different
policies; these policies are based on the operating system and the type of
policy whether it be workstation, users, printers or dynamic local users.
• Printers. This feature is also a policy but it enables the administrator to
associate a printer to a user; when this user logs on the printer configuration
and drivers are installed. There is no need to visit the workstation.
• Client configuration. Changing a NetWare client’s configuration to implement
a certain feature such as packet burst would mean a visit to each workstation
to enable this. Often the reason that this is being done is a problem with the
workstation that needs to be rectified immediately. With client configuration it
is possible to change these settings on all workstations in all areas of the NDS
tree on the next login.
• Location profiles. In a situation where printers are configured for the user
who is a sales manager and travels between the head office and his home
office on a weekly basis, the printer configured above would be of no use while
at the head office. The location profile allows the user to select the profile or
location where they are logging on, and a different printer will be configured
that is local to that site.
• Mandatory user profiles. Many sites wish that the look and feel of all
workstations were the same no matter which workstation that user logs in to in
the organization. Mandatory profiles allow the administrator to enforce the
same desktop every time that person or any person associated with the profile
logs in. If for some reason the files required for that mandatory profile are not
on the workstation that the user logs in to, ZENworks will automatically
download the required files.
• Dynamic local user. One of the advantages of Windows NT is the increased
security available as a desktop operating system. The disadvantage is that
you must have a user configured locally or a domain system to log in to. NDS
removes this need — as the user logs in to NDS, a user is created locally in
the Windows NT security database. That user can then be left or removed
when the user logs off the machine.
• Scheduled updates. Updating the desktop operating systems with the latest
patches or updates is a significant part of the TCO. The ability to install these
updates or patches at a predetermined trigger, such as activation of a screen
saver, or at a predetermined time is an excellent feature of ZENworks.
• Login restrictions. Login restriction is a feature that has been around for a
long time. The administrator configures that only specific users are allowed to
log on to specific machines based on MAC addresses. This is fairly limiting but
with ZENworks, the ability to allow users from a certain state to log on to only
purchased. Reports are also included, which can be viewed by the NLS
manager.
Check 2000 is an add-on that checks Y2K readiness of the BIOS, workstation
operating systems, and applications. These results are stored in a predetermined
location and can be collated for viewing.
ZENworks is based on earlier Novell applications that have been collected into a
suite of applications covering application control, workstation look and feel and
remote management:
• Application control
– Associating the application object to the workstation allows the
administrator to control the use of the application based on the user that is
logged in to the machine at that time.
– Pre-install. This feature allows the installation of applications to a machine
that is on but that has no one logged in to (if you used IBM’s Wake-on-LAN
technology, the machine would not even need to be on). Then when a user
logs on, the installation finishes with the user-specific information.
– Pre- and post-distribution scripts. These scripts are run as part of a
distribution of a specific application and will not run if the distribution has
already been run.
– System requirements. Filters the installation of the application depending
on whether the machine has specific DLLs, registry settings and so on. It
allows the icon to be displayed even if the application was not available
because it did not meet system requirements.
– Prompted macros allow users to enter specific information during the
installation.
– Run applications as a Windows NT system user. Allows the installation of
applications based on a system user even if the person logged on has
rights as a normal user only.
– Force run/wait processing. The administrator is able to queue the installs
so that it will wait for another installation to finish prior to starting the next.
• Workstation Management
– Extensible desktop policies. The older desktop policies were unable to use
ADM policy files from applications such as Office 97 and Internet Explorer 4;
these new policies can be associated with a user, group or container.
– Hardware inventory. The inventory is now stored in a database that is
ODBC compliant. A selection of items is still stored in the NDS.
– Software inventory. Again the information is stored in an ODBC database
and in-house applications can be added.
– Reporting. Creates pre-designed reports.
NCS is aimed at customers that need to reduce risks and costs deriving from
unexpected hardware and software failure. NCS supports Netfinity Fibre Channel
disk subsystems and work is in progress to fully support ServeRAID SCSI as
well.
Once the cluster has been configured, it is possible to create volumes and
resources that are always available to the network clients. Many NetWare 5
functions and services can be clustered, such as Web services, e-mail server,
databases and IP addresses. Other services that are part of Novell Directory
Services (NDS) are automatically fault-tolerant.
2.6.1 Features
NetWare Cluster Services has the following features:
• Support for the shared disk or local disk configuration.
• Up to eight active nodes in one cluster. Any NetWare server in the cluster can
run resources (applications, services, IP addressing and volumes) in the event
of a single or multinode failure.
• Administration from a single point through the graphical Java-based
ConsoleOne configuration and monitoring utility.
When you configure the NSS, a minimum of three partitions exists: one for the
NSS, one for the NWFS (NetWare File System) and one for DOS. According to
the number of hard disks being installed on the server, you can find one or more
NSS storage groups and NSS volumes in the NSS configuration. For this
particular NetWare 5 release, you are able to create a storage group for each
NSS volume.
When you create an NSS storage group, you can also have an NSS partition type 69
(a logical partition). When ownership of storage free space is requested, exactly
that space becomes a storage group and an NSS partition.
The physical partitions can only contain segments for four different operating
systems. In this way each area available as free space could be taken by the
NSS. For example, if three areas were located on the hard disk, one for DOS, one
for NetWare and another for a different operating system, only one more area
could be left for NSS. If the partition number exceeds four, an error message
appears.
Since the NSS gets free space from different devices, the NSS partition does not
depend on a particular device. This means that the NSS cannot just have the
ownership on the fourth physical hard disk partition but can also use free space in
another area and another partition that are grouped together within a storage
pool.
Because the NSS does not work at the partition level, the individual partitions are
not listed when storage groups and NSS volumes are configured, as the NSS cannot
use them in the NSS volumes. The NSS recognizes blocks of free space rather
than separate partitions.
When you need a storage deposit, the storage groups can be created with their
NSS grouped volumes.
When the provider finds free space in a system, it also acknowledges a CD-ROM
and creates a storage group for that CD-ROM. This also applies to other devices
with which the NSS can do nothing.
The main difference between the NetWare volumes and the NSS volumes is that
the NSS volumes can contain bigger files and enable a greater number of larger
volumes. Furthermore in the NSS there are different ways to assign free space to
the NSS volumes. The storage groups and the NSS volumes are strictly grouped
when they are created. The storage group is a higher level grouping system that
contains a single identification number. For this release you can only create a
single storage group for each NSS volume.
2.7.1.3 NSS Consumer Services
If you choose to have a consumer assign the ownership of the available free space,
it gathers all of the free space that it has been given and initializes the NSS.
The NSS Consumer Services is the default consumer. This means that the free
space now belongs to the NSS partition. The chosen free space becomes a
storage deposit. You are able to choose the Loadable Storage Subsystem (LSS)
where you are locating the storage. If you wish to create more storage groups and
NSS volumes, we recommend that you let the NSS take possession of the whole
free space that is available.
In this redbook, we will be working only with the new version of StandbyServer for
NetWare.
This software works like StandbyServer except that when any primary server
fails, the standby server takes over its role. At the time of publishing,
Many-to-One was not supported by NetWare 5.
2.8.2 Architecture
The following terms are used here:
• Primary role: the role of the primary server and the standby server when it is
working as primary server.
• Primary server: the name given to the server that is providing the services to
the network when all is working correctly.
• Standby server: the server that at a certain point works in standby. When all is
working well, this is the machine on which data is mirrored.
• Standby role: the role the standby machine has when it is working as the
primary server. The standby machine is always ready to automatically take the
primary role when the primary server fails.
StandbyServer uses the Novell mirroring feature through which all read and write
operations of data are at the same time carried out on the primary and standby
machine. The connection between the primary server and the standby machine is
monitored so as to assure access to the primary server. As soon as the primary
server is no longer reachable, the standby machine automatically takes the
primary role.
The failover operation takes place almost instantaneously. Since the volumes and
their data are mirrored, the bindery objects and the NDS are mirrored as well.
This means that the Novell and Microsoft clients can regain the connection, and
even automatically reconnect to the active servers.
NetWare 5 does not support mirroring with the last NSS (Novell Storage
Services) feature introduced on the volumes. See 2.8.5, “Using NSS with
StandbyServer” on page 39 for details about NSS.
When the standby machine takes on the primary role depends on the selected
configuration. If the AutoSwitch option, as shown in Figure 119 on page 159, has
been enabled, the standby machine is started up automatically.
Otherwise, an alert is sent out to warn the administrator of the failure that just
occurred, and the standby machine can be started manually. The administrator will
then take action to bring the standby machine online or recover the primary machine.
With this feature, the standby server is used both as a fault-tolerant mirror of the
primary server and as an independent server running its own processes. This
configuration requires that an extra disk be available in the standby server to be
used as the local SYS: volume. This local SYS: volume is not mirrored and can be
used to run local utilities.
When the primary server fails and the standby server assumes the role of the
primary server, the local SYS: volume on the standby is renamed to
SYS_UTILITY: by the SYSSWAP.NLM program so that the mirrored SYS: volume
from the primary can be renamed to SYS: by StandbyServer.
In order to set up the dedicated link, it is necessary to load the following NLM
modules on each machine:
• VINCAIP.NLM
• VINCAIPX.NLM
• VNCIPX2.NLM
The dedicated link can be set only using specific Ethernet adapters that can
operate at 100 Mb connected together using a crossover cable. Figure 11 shows
the pinouts for a crossover cable.
Pin   First RJ-45 connector   Second RJ-45 connector
1     Orange                  White/Green
2     White/Orange            Green
3     White/Green             Orange
6     Green                   White/Orange
(No wire color is shown for pins 4, 5, 7 and 8 on either connector.)
Chapter 3. Installing NetWare
This chapter discusses the three basic methods of installing NetWare 5 on IBM
Netfinity hardware:
1. Installing NetWare directly and manually creating the DOS boot partition
2. Installing NetWare using ServerGuide
3. Installing NetWare directly and letting the installation routine create the DOS
boot partition automatically
The third installation method will not be discussed as the installation steps are the
same as all the others except that the installer boots the supplied NetWare 5
CD-ROM.
After the three methods have been explained, and the merits of each outlined, we
will continue with the installation of NetWare 5. This installation will install all the
add-ons that are available with NetWare 5, even those that may not be the most
appropriate for your installation. These methods of installation are applicable no
matter what hardware is used as long as the base requirements are met.
Prior to doing any of these installations you must ensure that your server is at the
latest BIOS level. This includes the system itself and your RAID card, if you have
one. You can get these files at
http://www.pc.ibm.com/support
The RAID configuration must also be complete prior to installation, unless you are
using SoftwareGuide. SoftwareGuide lets you configure the RAID subsystem
during installation. This can be accomplished by using the RAID configuration
diskette or CD-ROM that is supplied with the server or RAID controller.
Note: These requirements are the bare minimum and should only be used on a
test server, not a production server. To correctly size your server memory, refer to
the memory worksheet in A.1, “Memory calculations” on page 235.
See A.2, “Installing NetWare 5 worksheet” on page 236 for a complete list of
information required.
We recommend installing the full version of DOS so that you have all the utilities
at your disposal. There will be many times when you will need access to the DOS
utilities (such as the text editor to edit AUTOEXEC.BAT to comment out the server
With the purchase of a Netfinity server, you can receive an update to selected
ServerGuide CDs. Updates are shipped to you at no additional cost. For details,
go to:
http://www.pc.ibm.com/coupon/
At this point the server reboots and a DOS prompt asks you to insert the
NetWare 5 CD. The CD can be inserted as soon as the server starts to reboot.
The next part of the installation is continued in 3.4, “Continuing the NetWare 5
installation” on page 45.
This is the most important part of the installation, as it is the basis of your network
structure. If this is the first server it will be the basis for your whole network. If it is
an additional server in your existing network, then you must ensure that it is
placed correctly in the Novell Directory Services (NDS) tree.
To continue the installation, do the following. You will need the information you
gathered using the worksheet in A.2, “Installing NetWare 5 worksheet” on page
236.
1. Select the language that you wish to use during installation.
2. Read the license agreement by selecting Read License Agreement. Select
Accept License Agreement to continue the installation.
3. The next set of questions concerns modifications to the boot partition. If you
have already created a boot partition of the size that you want and formatted it,
select Continue and go to step 8. If you are using the bootable CDs, select
Modify and create the partitions that you require.
Note: Remember any repartitioning will destroy the existing data.
4. If you modify the boot partition, then the NetWare installation will give you the
default of 50 MB. This is generally too small, so select Modify and enter the
amount of disk space required for your installation. Select Continue.
5. You will then be prompted to ensure that you are making the right choice.
Select Continue.
6. The machine will then reboot after you press any key.
7. When the machine reboots it will then format the partition created in the
previous steps.
8. Select Continue unless you want to change the directory that NetWare is
installing to.
9. Select Modify or Continue, depending on your installation, for the country,
code page and keyboard.
10. Select Modify or Continue for mouse and video unless you have specific
hardware that requires a change to the default information.
11. The installation then copies the files required to the boot partition. Three areas
of information are required in the next screen:
a. Platform support module — If you have multiple processors or plan to
install multiple processors you should ensure that you have the correct
modules installed.
b. PCI Hot Plug support module — If the hardware supports this feature it will
be automatically detected.
c. Storage adapters — These are .HAM drivers used to connect to the hard
drive controllers. If you are installing NetWare on a server with a
ServeRAID adapter, the drivers for the AHA2940 on-board controller should be
deleted by selecting Modify, unless you have hard drives
connected to that controller. Otherwise, select Continue.
Keystroke                             Action
Enter                                 Select
Hold down Shift key with arrow keys   Accelerate cursor movement
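[Figure: Server Properties window, with the Server Name field set to SERVER1]
16. Enter the name of the NetWare 5 server. Click Next. Figure 13 appears.
[Figure: Volumes list showing SYS (599), followed by the protocols window for network board NE2000_1 with IP selected (IP Address 123.45.67.89, Subnet Mask 255.255.255.0, Router (Gateway) field) and an IPX option]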
18. If your system has multiple network cards in it, you will have to configure each
one individually. Select the card that you wish to work on and then check
which protocols you wish to use.
When you have finished configuring all the boards that you require, click the
Next button. Figure 15 appears.
[Figure: Time Zone window]
19. Select the appropriate time zone for where you are installing the NetWare 5
server. You select this by scrolling down the list. When you select the time
zone, the check box for daylight savings may or may not be checked
depending on where you live. Ensure that you standardize this setting
throughout your organization.
20. Once this is done, click Next to continue. You are then asked if you want to
install into an existing NDS tree or to create a new tree.
The configuration of the NDS tree is very important and will affect the future
simplicity and performance of the whole network. Ensure that you have the
right information. Select the type of NDS install this installation will be.
[Figure: NDS Information window for an existing tree, with Tree Name (ACME) and Administrator Login fields for Name (full NDS context) and Password]
Selecting the option to create a new tree produces Figure 17, which requires
the following information:
• Tree name.
• Context for the server object.
• The new admin name.
• The admin context. The default will be the context for the server that you
just entered, so ensure the context is the one that you want.
• Password for the admin user.
[Figure: NDS Information window for a new tree, with Tree Name ACME_INC, Admin Name ADMIN and a masked Password]
[Figure: Licenses window, "Insert the license diskette or enter the path to the license file (*.nlf)", with License Location set to A:\]
22. The location of the license file is required and you can either browse using the
mouse or type in the information. There is also a check box that enables the
installation without licenses if you want to install them at a later date.
[Figure: product selection window with Description, Select All and Deselect All controls]
23. The other networking products that can be installed during the process are
now listed. You can select all, none, or just a few. The selection will depend on
what is required on your network.
If you select some products to be installed, you may see the following
windows:
[Figure: Summary window listing the products to be installed, with a Customize button, and the Product Customization window, which lists the NetWare 5 components (NetWare Operating System, File System, Protocols, NDS, Novell Distributed Print Services (NDPS), Additional Products and Services) and shows Disk Space Required (MB): 261.62]
Notes:
• Know the location of the patch files.
• You no longer need to type LOAD before an NLM name.
• Ensure that no one is logged in with DLLs open because this may cause the
server to abend.
• Depending on what services are loaded (for example LDAP) you may be
required to log in during the patch installation. So don’t walk away expecting it
to finish on its own.
The window gives you three choices. These can be selected using the arrow
keys and the space bar:
a. Back up the files — make sure there is enough room on your SYS: volume
b. Install support pack
c. Install Tivoli Ready TMA
Select the ones that you require and press F10 to save and continue.
7. There are two warnings — press Enter at both of these.
8. During the installation, certain NLM windows, such as NWCONFIG, will become
unavailable. The copying of the files is a fast process.
Then it will take a few minutes to decompress all the files in the patch. When
the installation is finished, press Enter and Esc to exit NWCONFIG.
9. Reboot the server.
Note: When rebooting the machine after installation ensure that you do not
choose Restart Server as this will not upgrade SERVER.EXE.
Note: One thing listed in the README that could be a show stopper for the
upgrade is that some of the backup utilities use explicit IDs to reference the NDS.
NDS 8 has new explicit IDs. Therefore, the backup utility may not be able to back
up this new version of NDS. So ensure you check with the backup vendor prior to
proceeding with the upgrade.
Figure 23. System console error for security when upgrading NDS 8
10. Setting the cache size for the NDS increases the performance of NDS and
should be changed. The setting will be based on the applications that are
installed on the server and the amount of cache required by the server for the
normal file and print functionality.
Therefore there will have to be some adjustment as to the cache size during
the first few weeks of the server’s run time to ensure optimum performance.
The basic rules for the cache are:
– If the machine is running other services the server should have enough
memory so that the cache can be set to 40% of the server memory.
– If the machine is running NDS only then set it as high as the cache will
allow, up to 80%.
Installation of ConsoleOne is based on Version 1.2. The older version is left intact
on the server, which can be a little confusing, because there are multiple
directories housing different versions of ConsoleOne. At present, it is not possible
to run ConsoleOne on the NetWare file server, but this is under development.
The workstation requirements are:
• 64 MB RAM
• 200 MHz
• NetWare 5 client software
Map a drive to this directory and run the setup program in that directory. The
workstation will need to be rebooted after the installation.
If you have not changed anything while NWCONFIG is loaded then you will not
need to update provider information. Select Assign ownership.
3. Select the areas of free space that you want ownership of.
4. Press Esc and then select the NSS volume options. You will be prompted to
log in as the administrator at this point. Make sure that you type in the correct
context. For example, .admin.au. Figure 26 appears.
+--------------------------------+
| Available NSS Volume Options |
|--------------------------------|
| Create |
| Modify |
| Delete |
| View volumes |
| Return to the previous menu |
+--------------------------------+
Figure 26. NSS volume options
6. Select Storage Group and select the free space that you previously wanted to
manage. This can be split into several groups or one big group.
7. Press Esc and select NSS Volumes. You should see the pieces of free space
that you have selected previously. Select the free space that you want to make
a volume and press Enter.
If you have problems seeing the free space in the first place, select Update
Provider Information and enter of the two available providers. The NSS
providers will then go out and integrate the disk systems again.
There are certain choices that must be made and these tie in to choices made
earlier when we said that a solid NDS design will give you a solid and easily
managed network. ZENworks needs the same forethought and consideration
when installing and telling it what context to put items in.
1. Select English.
2. Select ZENworks.
3. Select Install ZENworks.
4. A warning message appears asking you to ensure that all clients are not
logged in, as the NDS schema must be added to. Click Next.
5. On the license agreement screen, click Yes.
6. Selecting the custom installation allows you to add or remove the components
that you want, as shown in Figure 28:
9. As can be seen from Figure 29 there are certain things that may be left
uninstalled. We suggest leaving the defaults as all these components are part
of the ZENworks package. Select Next.
10. The server that you are connected to will appear in the list of servers that you
wish to install ZENworks on. If you are authenticated to multiple servers
then all servers will show on the list. Select the servers that you wish to install
ZENworks on and select Next.
11. Select the language that you wish installed. Depending on the CD that you
have, you may have one or many choices. Select Next.
12. A summary window is displayed. Select Next.
13. Figure 30 appears where you specify the rights for the workstation object.
There are specific rights that workstations need to write information to the NDS.
The installation is based on the Java ConsoleOne and must therefore be installed
from the Novell server console. This installation is based on NetWare 5 with the
latest service pack installed but not NDS 8. (For information on installing NetWare
5 and the service pack refer to Chapter 3, “Installing NetWare” on page 41.) The
reason for this was that all the literature that was available to us was based on
NetWare 5. The install was tested with NDS 8 and the install and configuration
worked the same.
Note
It is a good idea to ensure that you have all the TCP/IP communication set up,
tested and working prior to installing BorderManager. Once the filters are
set up, you may find it difficult to know what is failing: the filters that you set up
or the IP configurations.
Also ensure that you have run INETCFG once prior to installing BorderManager.
The information that you will require prior to starting the install is:
• Version of BorderManager that is being installed, such as the proxy firewall
services, or the full Enterprise edition.
• CD-ROM support loaded on the Novell server, with the BorderManager CD
inserted and mounted as a volume.
• Decision on which of the network interfaces will be public and which private, and
whether you want them secured or want the proxy services loaded for
the private interfaces.
• TCP/IP configuration information.
• A security policy from the company so that you know what to allow in and out.
3.7.1 Installing
1. Make sure that the BorderManager CD is in the CD carrier and that you have
loaded the CD-ROM NLM by typing CDROM at the server console. With NetWare
5 the CD will mount automatically and will not index as in the past versions
+------------------------------------------+
| Filter Configuration Available Options |
|------------------------------------------|
| Configure TCP/IP Filters |
| Configure IPX Filters |
| Configure AppleTalk Filters |
| Configure Source Route Bridge Filters |
| Save Filters To A Text File |
| Configure Interface Options |
+------------------------------------------+
+-------------------------------------------------------------+
| TCP/IP |
|-------------------------------------------------------------|
| |Global IP Logging Disabled |
| |Outgoing RIP Filters Enabled |
| |Incoming RIP Filters Enabled |
| |Outgoing EGP Filters Enabled |
| |Incoming EGP Filters Enabled |
| |OSPF External Route Filters Enabled |
| |Packet Forwarding Filters Enabled |
+-------------------------------------------------------------+
+-------------------------------------------------+
| Packet Forwarding Filters |
|-------------------------------------------------|
| Status: Enabled |
| |
| Action: Deny Packets in Filter List |
| (Permit Packets Not in Filter List) |
| |
| Filters: (List of Denied Packets) |
| Exceptions: (List of Packets Always Permitted) |
+-------------------------------------------------+
Figure 33. Packet forwarding filters
If you install the 40-bit patch on a 128-bit system, the VPN security will be
downgraded.
Note: you should know the location of the patch files before you start.
1. Start NWCONFIG from the console.
2. Select the Product option.
3. Select Install a product not listed and press Enter.
4. Press F3 to specify a path to where the patch files are located.
5. Type in the path to the patch, ensuring you have included the volume in the
information, and press Enter.
6. You should then see the Welcome screen. Press Enter.
7. You will then see Figure 34, warning you about installing older versions of files
due to patches already installed.
8. Press Enter and the file copy process begins. If there are existing files of the
same name you will see Figure 35.
+---------------------------------------+
| Select an action: |
|---------------------------------------|
| |Continue and overwrite file PROXY.MSG|
| |Do not overwrite the file |
| |Always overwrite newer files |
| |Never overwrite newer files |
| |Abort copying |
+---------------------------------------+
+------------------------------------------------------------------------+
| |
| Novell BorderManager 3.0 patch installation is complete. |
| This patch includes new NLMs, VPN client and snapin files. |
| Please restart the server, then run BorderManager snapin setup again. |
| If you use VPN client, please reinstall VPN client. |
| |
| Press <Enter> to continue. |
| |
+------------------------------------------------------------------------+
11. Ensure that you reinstall the snapin file if you have already done so. The VPN
clients installed will also need to be reinstalled with the latest version of the
client.
12. Reboot the server.
4. Ensure that you select the drive that you mapped to the SYS: drive; in our
case it was the H: drive. If you do not have one mapped, click Network and do
so.
5. We selected the custom install. Figure 38 appears.
8. If you click Post-Install Setup, you will be shown the tasks that you need to do
to complete the different components available in ManageWise.
9. From there you are prompted to update the configuration files. These files are
changed by the ManageWise installation to enable you to run the required
options on the NetWare server.
10. Finally we copied the ManageWise files to the other server that we wanted to
manage and edited the AUTOEXEC.NCF file to add the same command that
was added by the ManageWise installation. This was to start MW_AUTO.NCF.
This NCF loads the USER.NLM and the LDISCAN.NLM. The LDISCAN refers
to a file to determine what the server name is and where it should put some
information. You must edit MW_AUTO.NCF and ensure that the server name is
correct after the load statement of the LDISCAN. For more information the
ManageWise CD has all the documentation in PDF format.
3.9.2 Objects
File and directory rights must be based on the object’s rights to the files and
directories. The different types of objects will depend on the type of rights that are
given to the files. Objects that contain many user and group objects, such as a
container, should not be given supervisor rights to everything as the rights flow
down, so all other objects inside the container will also have supervisor rights.
If a user is given specific rights at one level of the file tree then the rights flow
down to the subdirectories and files. The only way this flow can be blocked is via an
inherited rights filter (IRF).
[Figure 40: a user object with [RW F ] rights assigned at the volume; the subdirectories and files below show [RW F ] or, below the IRF, [R F ]]
In Figure 40 above, the user has been given read, write and file scan
rights [RWF] at the volume level. Therefore the rights flow down and the user has
the same rights at Directory 1 and 2. However, at Directory 2 there is an IRF set
that stops the [W] from passing through. The user therefore only gets the [RF] rights
there, and this flows down to all subdirectories and files.
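The rights flow described above, including the container case from the start of this section, can be reproduced with a small model. This is an added example, not code from this redbook or from Novell; the class, user, container and path names are constructed. It assumes that an explicit trustee assignment at a lower level replaces what that trustee inherits, and that the Supervisor right is not removed by an IRF.

```python
# Added illustration: a simplified model of NetWare-style file system rights.
# All names (FileSystemRights, JSMITH, ALEE, OU=SALES, the paths) are constructed.

ALL_RIGHTS = "SRWCEMFA"  # Supervisor, Read, Write, Create, Erase, Modify, File scan, Access control


def parse_rights(text):
    """Turn a rights string such as '[RW F ]' into a frozenset of letters."""
    letters = frozenset(c for c in text.upper() if c.isalpha())
    unknown = letters - set(ALL_RIGHTS)
    if unknown:
        raise ValueError("unknown rights: " + "".join(sorted(unknown)))
    return letters


def show(rights):
    """Render a rights set compactly, in canonical order, e.g. '[RF]'."""
    return "[" + "".join(c for c in ALL_RIGHTS if c in rights) + "]"


class FileSystemRights:
    def __init__(self):
        self.irf = {}          # path -> rights the filter lets through (default: all)
        self.assignments = {}  # (path, trustee) -> rights granted explicitly

    def grant(self, path, trustee, rights):
        self.assignments[(path, trustee)] = parse_rights(rights)

    def set_irf(self, path, rights):
        self.irf[path] = parse_rights(rights)

    def for_trustee(self, path, trustee):
        """Rights one trustee holds at path, walking down from the volume."""
        rights = frozenset()
        parts = path.split("/")
        for depth in range(1, len(parts) + 1):
            level = "/".join(parts[:depth])
            if "S" in rights:
                break  # assumption: Supervisor is not filtered or overridden below
            inherited = rights & self.irf.get(level, frozenset(ALL_RIGHTS))
            explicit = self.assignments.get((level, trustee))
            rights = inherited if explicit is None else explicit
        return frozenset(ALL_RIGHTS) if "S" in rights else rights

    def effective(self, path, user, containers=()):
        """Union of the user's own rights and those of each container above the user."""
        result = frozenset()
        for trustee in (user, *containers):
            result |= self.for_trustee(path, trustee)
        return result


def who_has(fs, path, right, directory):
    """Audit helper: users (from a user -> containers map) holding `right` at path."""
    return sorted(u for u, c in directory.items() if right in fs.effective(path, u, c))


def build_example():
    fs = FileSystemRights()
    fs.grant("VOL1:", "JSMITH", "[RW F ]")             # the volume-level assignment
    fs.set_irf("VOL1:/DIR2", "[SR CEMFA]")             # IRF that stops W
    fs.grant("VOL1:/DIR2/SHARED", "JSMITH", "[RWCF]")  # new assignment below the IRF
    fs.grant("VOL1:", "OU=SALES", "[S]")               # the container grant the text warns about
    directory = {"JSMITH": ("OU=ENG",), "ALEE": ("OU=SALES",)}
    return fs, directory


if __name__ == "__main__":
    fs, directory = build_example()
    for path in ("VOL1:/DIR1", "VOL1:/DIR2", "VOL1:/DIR2/REPORTS/Q3.TXT", "VOL1:/DIR2/SHARED"):
        print(f"{path:28} JSMITH {show(fs.effective(path, 'JSMITH', directory['JSMITH']))}")
    print("Write at VOL1:/DIR2:", who_has(fs, "VOL1:/DIR2", "W", directory))
```

Running `who_has` for the Write or Supervisor right over sensitive directories is a quick way to find container-level grants that reach more users than intended.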
4.1 Introduction
Netfinity Manager operates in a peer-to-peer mode that minimizes the need for
expensive system management hardware. All that is required is the presence of a
physical network or a serial link. Netfinity Manager has its own interprocess
communication (IPC) system that is used for communication between Netfinity
Manager modules and services, locally and when operating remotely over a
network. It has a very flexible modular design that allows for a variety of
system-specific installations and plug-in options to be used.
Netfinity Manager is included with every IBM Netfinity system. One license of the
manager code and 10 licenses of the Client Services are included.
Note: NetWare 5 requires Netfinity Manager 5.20.3 or later. You can download
the latest version of Netfinity Manager from:
http://www.pc.ibm.com/us/netfinity/smtools2.html
Go to http://www.pc.ibm.com/support
Select Server from the Select a server pull-down
Click Downloadable files
Click Netfinity Manager
IBM Netfinity Manager and Client Services for Netfinity Manager (Client Services)
are both split into two components:
1. Base program, comprised of a group of base services
2. User interface, comprised of a group of matching GUI components
During the installation of Netfinity Manager, all of the base services are installed.
At the same time some optional plug-in modules are also installable. These are:
• Advanced System Management Support
• Capacity Manager
Each icon in the user interface has a corresponding base service. Each of these
base/GUI combinations is explained in 4.4, “Functions” on page 82.
During the installation of Client Services, only the base services necessary to
control the installed hardware are installed. Depending on the type of client you
request, the matching GUI components are also installed.
Note: All services will be installed if you are installing the Netfinity Manager
regardless of whether the system has a DMI Service Layer, ECC Memory, a
System Partition, a RAID adapter, or a PFA-enabled disk drive. This enables a
network administrator to remotely access these services on other systems within
the network.
We now discuss the two flavors of Netfinity Manager: Netfinity Manager and
Client Services. In 4.4, “Functions” on page 82, we go into detail about each of
the functions.
Netfinity Manager is used for managing remote systems as well as the server or
workstation it is installed on. As a result, a Netfinity Manager installation includes
the code for all Netfinity functions and communications drivers to enable
management of all other machines with Netfinity installed. As well as having all
the base services locally, it can include the following extra functions if they are
chosen at install time:
• Advanced System Management Support
• Capacity Manager
• Remote Workstation Control
• Update Connector Manager
• World Wide Web Enhancement
For further details on all the Netfinity Manager functions, see 4.4, “Functions” on
page 82.
Client Services for Netfinity Manager runs on the following operating systems:
• NetWare 3.12, 4.1, 4.11 and 5.0 (NetWare 5 requires V5.20.3 or later)
• Windows 95 and 98
• Windows NT 3.51 and 4.0
• OS/2 Warp V3.0, and later
• OS/2 Warp Server (including the SMP version)
• Windows 3.x
• SCO UnixWare 7
Note: For information on the revisions of network stacks supported, see Chapter
2 of Netfinity Manager Quick Beginnings, 10L9272.
Warning: Make sure you create a new user ID first before you delete
<PUBLIC> access. Otherwise, you will lose all access to the server from
Netfinity Manager.
Note: If you need to re-configure Client Services from your server console, issue
the command NFCONFIG.
Insert the CD-ROM and the first window lets you choose a language for displayed
messages. The next screen is the main installation window (Figure 43). Select the
option according to your operating system and click the Install button in the lower
left corner.
For more information about these and other functions of Netfinity Manager, see
Chapter 2 in Netfinity Server Management, SG24-5208.
Save your settings by clicking Save and then exit by clicking Exit. Netfinity
Manager is now installed.
4.2.3.1 Security
Once installation is complete, one user ID will be defined in the Security
Manager, with all accesses granted. Since this user ID is the <PUBLIC> user ID,
it means that everyone has access to your system.
The first step after installation and reboot should be to open the Security
Manager, and remove all accesses from the <PUBLIC> user.
If you do not change the security settings, any Netfinity Manager system will be
able to access every function on your system. This can lead to disastrous
results.
Don't forget to uncheck the box that authorizes Security Manager access. If this
box remains checked, <PUBLIC> users (that is, those users not having a user ID
and password) will still have the ability to change their security access to all other
functions.
From the Windows workstation, click the Netfinity Service Manager icon from
the Netfinity program group. The main Netfinity Manager window appears:
4.4 Functions
The Netfinity Manager main window consists of a set of icons that constitute the
user interface component of Netfinity Manager and provide an interface to the
base services that perform all the interactions with the hardware and
communications drivers.
The functions that are available in a standard installation are briefly discussed
below. Complete instructions on how to use each of these services can be found
in the online help provided with the product or the Netfinity Manager Command
Reference, 10L9270, which is available either as a PDF on the CD-ROM or in
hardcopy if Netfinity Manager is purchased separately.
A full list of alerts generated by the base Netfinity Manager functions can be
found in Appendix J “Netfinity Alerts” of the Netfinity Manager User’s Guide,
10L9271. A full list of alerts generated by the Advanced System Management PCI
Adapter and Advanced System Management Processor can be found in Appendix
A of the redbook Netfinity Server Management, SG24-5208.
The base service that is at the heart of the alerting function is Alert Manager – all
alerts that are generated by Netfinity base services are sent to it. Alert Manager
matches an incoming alert against one of its default and user-definable filters
(called profiles) and then, if it matches, carries out the appropriate action.
Alerts can be the result of informational, warning, or error messages and can
originate from a variety of sources. In fact, there is a constant stream of these
messages being generated. You would normally only want to be made aware of a
subset of these. You do this by defining an alert action.
The key concept to understand about Capacity Manager is that the data is always
being gathered. Unlike Performance Monitor, you do not have to start the logging
of data. With Capacity Manager, you simply specify what data you want retrieved
from the servers and workstations in your network and it is gathered up and
displayed graphically for you. Up to one month’s worth of data is automatically
saved by every system running Netfinity Manager 5.1 or later.
Resource utilizations over time are collected from network systems and merged
into a single report that can be viewed graphically or exported into a spreadsheet
for further analysis. These reports show at a glance potential capacity
bottlenecks within the selected systems. Your analysis and ability to predict
bottlenecks are critical when planning for future upgrades. Capacity Manager gives
you the ability to plan the allocation of hardware upgrades for the systems that
really need them before a capacity bottleneck occurs.
For more information see Chapter 6 of the redbook Netfinity Server Management,
SG24-5208.
NDS for NT V2.0 is the latest release of a product that Novell has developed to
enable administrators to control a Windows NT domain structure using NWAdmin.
This means that the administrator is able to control the whole network from one
central point. NDS for NT enables the administrator to either work with the
existing domain structure or control all new Windows NT servers with NDS.
5.1 Features
• Ability to add users to multiple domains. If a customer has a multidomain
Windows NT configuration, and a user on one domain needs to access
another domain, then there must be a trust relationship enabled. If this is a
two-way trust, then the administrators from both domains now have full access
to the other domain. Alternatively, you can create a master domain model,
where all users in a domain are controlled centrally and local administrators
have control of the resources in that domain only.
NDS for NT allows the administrator to put the same user in multiple domains
without the necessity for a trust relationship, or taking note of all the user's
rights and then recreating them in the domain they wish to access.
• Includes NWAdmin. The same interface that Novell administrators are used
to is available on the Windows NT server and must be installed separately.
The NWAdmin utility has the ability for the administrator to view access
privileges for the user across separate domains. With Windows NT’s User
Manager, the administrator must go to each separate domain. If the company
is currently running an NT domain structure or the company takes over a site
that has the NT domain structure, it is necessary for the NT administrators to
learn the NWAdmin tool as they can still administer the domain with the
current NT tools, and the information will be transferred between the NDS and
NT domain structure.
• Local replica for Windows NT. It is now possible with V2 to have a site that
only contains Windows NT servers without having to communicate across the
WAN back to a NetWare replica. The NDS can be partitioned as discussed in
6.2.2, “Partition and replication” on page 122.
The ability to place a partition on a Windows NT primary domain controller
(PDC) or the backup domain controller (BDC) enables the administrator to
control a site across the WAN that runs Windows NT only and still achieve
good performance and control using NDS for NT. Novell suggests that the
Windows NT replica should only be a read/write replica and that another
replica should be kept on a NetWare server so that some of the NetWare-only
utilities can be used to keep the replica at its optimum, such as DSRepair. The
replica can only be installed on to a PDC or BDC that has been installed with
the NTFS file system.
The installation first installs the files and configures the server to work as a Novell
client. On a number of occasions, we have found that the addition of another
component on a live application server caused instability, failure, or slowing down
of the application services on the server. So, you should run a pilot installation
first prior to a production installation. Our recommendation is to install the NDS
for NT on dedicated PDC and BDC servers that are not running any applications.
When installing on these servers ensure that the PDC has a backup domain
controller and that you also have tested these installations.
These recommendations are based on past experience, and the release of the
latest NDS for NT with the latest client may have alleviated some of these
problems. Installing NDS for NT on the servers that we used during writing this
5.2.2 Installing
The following are steps in the installation of NDS for NT:
1. Ensure that you are logged in to the server as administrator equivalent.
2. Select NDS for NT.
3. Agree to the license agreement after reading it. If you do not agree, you will
be exited out of the installation.
4. The installation begins copying the files for the client portion of the installation.
5. The machine reboots and you are prompted to log in to the Novell NDS and
the server. Ensure that you are logging in as an administrator for the NT server
domain and admin equivalent for the Novell network since you need to update
the NDS and the NT server.
6. The server will then autorun a domain wizard.
7. The welcome wizard that is started is the same as the one that is installed with
the management utilities. It gives you some added features that you will not
use during this first installation. Click Next.
8. You are then asked to select the tree that you will be installing into. This is why
you must install using the admin equivalent for NetWare.
Figure 52. Selecting context of the NT domain object and the context for users
10.Figure 52 has two sections. The first is the context of the NDS domain object
in the tree. It must be carefully planned since, as with all NDS tree items, the
design will be the basis for an easy and secure network. The other is the default
context for the users that will be created.
11.Once these two contexts have been selected you must select if you want NDS
for NT to force synchronization of passwords. We think this is a good idea,
because users often find it difficult with more than one password. Selecting
this option will ensure that the passwords stay the same no matter which of the
password utilities they use. Select Next.
12.You will then be prompted if you want to search for users in the NDS tree that
you would like to match to the NT domain users.
13.If you choose to skip the search then you will only be given the option to create
new users rather than associating the users with existing NDS users. So
depending on the choice, you will either be put into the selection of the NDS
tree that you wish to search, or the final results. We will go through the
search method.
14.The next window asks for the default action for the users when you get to the
importing screen.
15.The default method for the handling of users allows the administrator to cover
the majority of the users that are being imported. So planning and getting the
right information before the installation is imperative. Select Next.
16.Selecting the context of the tree that you wish to search allows the
administrator to search the whole tree or only the section of the tree that is
relevant to the users of that domain’s geographical area.
19.This summary of users and workstations allows you to select each user and
workstation independently and ensure that they are being handled in the
appropriate way. The need for proper planning for the NDS is imperative, since
the incorporation of all these users and workstations must be in the correct
context, one that will still allow easy management of all the NDS objects.
Select Next when all the objects will be handled according to your
configuration plans.
20.The next screen is a summary of what you have already done. Click Move and
the process will begin. When the process is complete, click Next.
21.You are then given an option to view the log files now or at a later date. They
are kept in the %SYSTEMROOT%\system32\ directory and the file is called
MOVE.LOG. If not all the user or workstation objects have been moved you
will be asked to start the search again or to go on with the installation.
22.The other option that is given in this window is to install a replica on the local
NT server. If there is no NetWare server in the location and the only Novell
server is across a WAN link, then a replica should be placed on the local
server to allow speed in accessing the NDS resources. We will not place a
replica at this time but will install one separately later in this chapter.
23.When this is complete, you will be asked to reboot the machine. Reboot and
you are now ready to install the administration applications. To install these,
use the same CD. Select Admin Utilities.
24.At the welcome screen, click Next.
25.Agree to the license agreements by selecting Yes.
26.Read the screen showing all the latest information available and select Next.
27.You are then given the option to install the applications locally on the Windows
NT server or to place them on a Novell server. We found that doing the install
to the Novell server did not place all the utilities there and did not create the
shortcuts required. So to alleviate this we installed them to both the NT server
and the NetWare server in two separate installations.
28.The last few screens are the normal InstallShield screens asking for the
directory that you would like to install into and the program folder you wish to
use.
29.Once this is done you will be given three applications that you can use:
– Domain object wizard
– NetWare administrator
– NDS manager
We will now look at the installation of a replica of the NDS database on the
Windows NT server. This will be done using the Domain Object Wizard, which is
4. The screen has three areas to complete: the actual user, the NDS context, and
the password for this information. Fill in the information and select Next.
5. The next screen gives you a default server name for the server that it is about
to create.
6. The server name is the default of the domain object created in the NDS during
the installation with a -NT on the end. The other information is the NDS
context of this new server that will be created. This context cannot be
changed because it is based on the context of the domain object that was
created during the installation of NDS for NT.
7. Figure 60 from the partition manager shows that there are two NT servers now
in the NDS. It looks like you have two servers for the one NT server.
Remember that one of the server objects acts similar to a group, and the second
one is created for the replica only.
8. Once you have chosen the server name and clicked Next, you will then be
prompted where to put the NDS files. These can only be put on an NTFS
The removal of the replica and the removal of NDS for NT is also done by the
same domain wizard. When the wizard is run and it finds a replica on the local
copy you get prompted to remove the local copy. Once this is completed you then
get the choice of removing the NDS or just finishing and closing the wizard. Once
you have made the decision to remove NDS for NT then you will have another
decision that needs to be made. See Figure 61.
These choices allow you to ensure that the information that you have put in to the
NDS is migrated to the domain or not. You also have the choice to update all the
passwords that have been changed from NDS to the domain so that users do not
need old passwords. The final option is to leave the domain as it is and remove
NDS for NT. When we did this it removed NDS but we had to manually delete the
domain object.
Once the installation is complete, you will be able to administer the NT domain
through the NDS, which means adding users to domains, allowing users access to
multiple domains, viewing access rights in one place, administering NT file
shares, and then controlling permissions to these.
NDSCON.EXE gives some valuable information and also shows what modules
are loaded. It is installed in the directory that you specified during the NDS for NT
installation process. NDSCON.EXE is in the I386\NDSSRV directory. When you
run this application you get the following screen.
This is a utility that allows you to see what modules for NDS are running on the
server. Figure 63 indicates that the server has both NDS and bindery mode
running. If you click the Load Module button, you get Figure 64.
This window shows what other modules can be loaded on this screen. By
highlighting the DSTRACE module and clicking Load, the module will load and
show you information about what the NDS is doing.
Figure 65 shows information on what the NDS on the server is doing and is a
good place to begin if you need to troubleshoot. There are many options as to
what you can see on this screen. By selecting Edit > Options you are given the
options that can be viewed on this screen, as shown in Figure 66:
Another module that can be loaded from this NDSCON is the monitor.
The monitor window shows you the connection information in regards to the NDS.
It shows the IP port information and the IP address of the server that it is
communicating with.
The next area to discuss is the additional NDS objects that will be created as part
of the installation and the guidelines for placing these objects in the NDS tree.
The same rules that apply for normal NDS partitioning and replication and NDS
design still apply and these have been discussed in 6.2.1, “NDS design” on page
119. The guidelines for the objects created depend on how your network is
designed. If for example you are going to have only an NT server and the rest of
the network is across WAN links, then you will place the replica on the local
NetWare, like other operating systems on the market, is self tuning and allocates
resources over time to the needed areas. As the server is up and running for a
period of time, the server becomes more tuned to its environment. If the server is
brought down and then restarted, the tuning process begins all over again.
6.1 Server
The central point of the network is the server and we will therefore start with its
tuning. One thing must be stressed: there are no straight do-this type answers
when it comes to tuning — each server has different applications loaded and
different demands placed on it by the network to which it is connected.
When working on servers, we often see that technicians have tried to optimize
systems by entering many set commands without really ensuring this has the
effect they wanted. The only way that you can ensure that the optimizing is
working is to have some form of baseline to start with.
To this end we suggest that you install IBM Netfinity Manager. See 4.2, “Installing
Netfinity Manager” on page 73 for details. Alternatively, use ManageWise or the
STAT.NLM utility from Novell.
The STAT.NLM utility allows you to gather information about the memory, LAN
and disk communications plus a few others. The most important thing is that it
gathers information over a period of time and then can be converted into a format
readable by database applications to give you trends and a benchmark.
Once the information has been gathered, it gives you an understanding of busy
and slow times and this will then be a baseline to verify that any changes you
make actually result in better performance. Part of the benchmarking should also
be based on copying, opening and saving files to the server. The other
information that should be covered and gathered is via MONITOR.NLM, as shown
in Figure 68.
The monitor screen has numerous selections allowing you to set parameters to
view disk, LAN driver, and memory information. This information should be
gathered after the server has been up for a couple of weeks. Over time, the
server will allocate resources; to gather the information immediately after the
server has come online is useless unless you wish to compare changes from day
one.
The areas that should be looked at and documented are the directory cache
buffers and the current service processes.
These first two values will change over time. The rule of thumb is to set the
minimum at 80% of the figure reached after a few weeks of operation.
The reason for 80% is that during the time that the server has been up there have
been peak times and resources have been allocated that are no longer needed.
By setting it to 80%, enough resources will be allocated to these areas and the
clients will not notice a slowdown until the server has allocated the required
resources. Obviously if this has not gone above the minimum then you may even
wish to go lower and have resources for other areas, though this will most likely
not be the case.
To find the minimum, type SET at the server console and a number-based menu
system will be displayed that will enable you to select the area that you are
interested in. The other method is to use Monitor and select the server
parameters.
Once you have benchmarked your server and you wish to know when the cache
buffers go below a certain limit, then it is possible to set these under the server
parameters in Monitor. Select file caching and for Minimum File Cache Report
Threshold, enter the figure that you would like to be notified at.
6.1.1 Memory
The most common server memory rule is that the addition of more memory will
improve performance. Although sometimes the addition of memory will not help
because memory is not the bottleneck, memory is one of the major contributors to
the speed and performance of a file server.
To get information on the swap command, type HELP SWAP at the server console. It
is possible to create, delete, and set specific parameters on each swap file.
Remember that to keep them across server boots, the parameters must be entered in
the AUTOEXEC.NCF startup file. A general rule for swap files is that multiple
volumes are better than just one and creating them on a non-system volume is
also good so that you can keep the SYS volume as static as possible.
The LRU sitting time is based on the most recently used (MRU) and least recently
used (LRU) algorithms. It works so that as the MRU cache buffers are used again
and again they are put at the top of the list. As they are used less and less, the
LRU cache buffers are finally removed from the list altogether as more often
used items are placed above them. If there is not enough memory then the LRU
sitting time drops and drops. Novell recommends that the LRU sitting time should
not go below 12 minutes. This number should be viewed at the busy times of the
As can be seen in Figure 69, our server is a test server and therefore has a very
high LRU sitting time. However, we have witnessed some servers having LRU
sitting times of seconds rather than minutes.
The other value to look at on this screen is the percentage of long term cache
hits. This is the proportion of disk blocks that were in cache when requested. As this
value decreases, the server must go to disk to get the information, which is much
slower. If this figure drops below 90%, extra memory may be needed.
To speed up the allocation of these processes during the time when you are
benchmarking and waiting for the server to reach an optimum performance level,
you can set the new service process wait time to 0.3 seconds (the default is 2.2
seconds).
The minimum setting should be set at 2-3 buffers per connection. While setting
the benchmarks, you can set the time for the allocation of these resources to 0.5
seconds rather than the default of 2.2 seconds.
Name spaces increase the need for handling the allocation of the file locations.
As each name space is added, increment the multiplication by one. So if you have
one name space, multiply by one, two multiply by three and so on.
6.1.2 Disk
This area of tuning will cover the areas of the file and disk subsystems. As the
server writes to or reads from the hard drives, the process and the size of the disk
blocks that it can receive will affect the performance of the server. For example,
the IBM ServeRAID controller has two modes for writing to the disk: write through
(WT) or write back (WB). The WB mode allows the RAID controller to report that it
has written the data to disk while it is still holding it in its cache. The server
operating system then
does not have to wait for the RAID controller to write to the physical disk. To
prevent data loss, the RAID controller should be installed with a battery backup in
case of power failure.
For more information on this and other IBM disk subsystems see Implementing
Netfinity Disk Subsystems: ServeRAID SCSI, Fibre Channel and SSA,
SG24-2098.
One method to improve performance is to categorize your users. That is, they may
make many more writes than reads or vice versa. To improve the performance for
either of these, you can use the following settings as a guideline. All of these
settings can be set in the relevant areas in the monitor server parameters screen.
These settings will allow some more allocation of resources and should be
monitored when these changes are made. If the values after a time still do not go
down to zero, then the disk subsystem that you have is not capable of handling
the workload.
A method of improving performance is using RAID with multiple disks so that the
writes can be to multiple disks rather than one. Also remember that your SCSI
bus will only operate at the speed of the slowest SCSI device; if you have some
drives that are SCSI F/W and the others are straight SCSI, then they will all
operate at the slower SCSI speed. Separate the disks or purchase more and
create multiple volumes so that users are spread across the drives.
6.1.2.2 Suballocation
Suballocation has enabled the retrieval of space from the older systems running
NetWare 3.x. Because the older versions were unable to suballocate, when a file
was written to disk and part of it did not fit in one disk block, the rest was
written to another block and no other files were able to use that block. With
suballocation, files can be written in 512-byte units, enabling numerous files or
parts of files to be written to one sector. With suballocation, it is
possible to always set the block size to the larger 65 KB block size and allow
suballocation to handle the smaller files and file ends. With today’s information
and applications the files are ever increasing in size.
NetWare defaults to a 64 KB volume block size for NetWare volumes greater than
2 GB. A lot of Novell documentation recommends not deviating from the defaults
but the 64 KB block size will only be optimized for large files such as imaging,
multimedia, and other workloads involving streaming data. If most of the files
transferred are small, a smaller block size would be more appropriate. Also,
knowing the request size(s) the application uses is important in determining the
volume block size and stripe unit size. We set the stripe unit size to match the
request size. You can also set the stripe unit size to be the next size higher than
the request size.
The Netfinity Performance Lab in Research Triangle Park, North Carolina runs
the Ziff-Davis NetBench and Bluecurve Dynameasure applications to benchmark
the NetWare operating system. For these environments, optimal performance is
obtained by setting the NetWare volume block size and the ServeRAID stripe unit
size to 16 KB. Performance is better when these two parameters are the same
size.
With controllers like the ServeRAID adapter, the Hot Fix blocks are often made
redundant because the hardware does it faster and more efficiently. When setting
up the volume, set the value to zero so that there are no hot fixes set. This
enables you to look at Monitor and see if the hot fix is increasing and if the drives
are starting to fail. Again the new drives have warning systems, using PFA and
SMART, that will tell you if a drive is beginning to fail.
If you are having trouble with compression or are unsure what the server is doing
with compression, use the command:
set compress screen = on
The other command that is useful here is the minimum file delete wait time,
because if the value is too high the server will not delete files fast enough and as
the server fills up you may get the error compressed files are not being
committed. This can be alleviated using the command:
set decompress percent disk space free to allow commit = x
6.1.2.5 Network
The other bottleneck is often the connection to the network. An older method for
improving this is to add a card to the server and split the network and split the
load that way. This is fine in small networks, but in larger networks, the use of
switches is by far the method most used today and will improve performance.
Another problem often occurs in a NetWare server when the buffer size is
equal to the size set in the maximum packet receive packet size. In NetWare the
default size is 4224 bytes, but the actual largest size for Ethernet is 1514 bytes.
To work out how many packet receive buffers you may require, use the rule of one
packet receive buffer per connecting user and 10 per LAN card listed in Monitor.
The other value of note that can be found in Monitor is the number of packets
queued for transmission. If this is too high, it may mean that the network adapter
may not be fast enough for the server.
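The rules of thumb given in this chapter (minimums at 80% of the figure reached, the 12-minute LRU sitting time floor, the 90% long term cache hit floor, and one packet receive buffer per user plus 10 per LAN card) can be applied to a recorded baseline as follows. This is an added example, not code from the redbook; the Reading fields, the weekly values, and the configured minimums are constructed assumptions.

```python
"""Apply the chapter's NetWare tuning rules of thumb to a Monitor baseline.

Every reading and setting below is constructed for illustration.
"""
from typing import NamedTuple

# Thresholds quoted in the text.
MINIMUM_PERCENT = 80             # set minimums at 80% of the figure reached
LRU_FLOOR_SECONDS = 12 * 60      # LRU sitting time should stay above 12 minutes
CACHE_HIT_FLOOR = 90.0           # long term cache hits should stay above 90%
BUFFERS_PER_USER = 1             # packet receive buffers per connecting user
BUFFERS_PER_LAN_CARD = 10        # packet receive buffers per LAN card


class Reading(NamedTuple):
    """One set of values noted from Monitor (field names are this example's)."""
    week: int
    directory_cache_buffers: int
    service_processes: int
    lru_sitting_seconds: int
    long_term_cache_hits: float
    connections: int


def recommended_minimum(reached, configured_minimum):
    """Return (value, reason) for one self-tuned resource."""
    if reached <= configured_minimum:
        # The server never allocated past its floor, so the 80% rule would
        # only shrink it; keep the current setting and flag it for review.
        return configured_minimum, "never rose above the minimum; could go lower"
    # Integer arithmetic avoids float rounding when taking 80%.
    return reached * MINIMUM_PERCENT // 100, "80% of the figure reached"


def packet_receive_buffers(users, lan_cards):
    """One buffer per connecting user plus 10 per LAN card listed in Monitor."""
    return users * BUFFERS_PER_USER + lan_cards * BUFFERS_PER_LAN_CARD


def memory_warnings(readings):
    """Check the worst LRU sitting time and cache-hit figure in the baseline."""
    warnings = []
    worst_lru = min(readings, key=lambda r: r.lru_sitting_seconds)
    if worst_lru.lru_sitting_seconds < LRU_FLOOR_SECONDS:
        warnings.append(
            f"week {worst_lru.week}: LRU sitting time "
            f"{worst_lru.lru_sitting_seconds // 60} min is below 12 min")
    worst_hits = min(readings, key=lambda r: r.long_term_cache_hits)
    if worst_hits.long_term_cache_hits < CACHE_HIT_FLOOR:
        warnings.append(
            f"week {worst_hits.week}: long term cache hits "
            f"{worst_hits.long_term_cache_hits}% is below 90%; "
            "extra memory may be needed")
    return warnings


def review(readings, configured, lan_cards):
    """Build the tuning report from a baseline gathered over several weeks."""
    # The self-tuned values only settle after weeks, so use the latest reading.
    latest = max(readings, key=lambda r: r.week)
    minimums, notes = {}, {}
    for name in ("directory_cache_buffers", "service_processes"):
        minimums[name], notes[name] = recommended_minimum(
            getattr(latest, name), configured[name])
    peak_users = max(r.connections for r in readings)
    return {
        "minimums": minimums,
        "notes": notes,
        "packet_receive_buffers": packet_receive_buffers(peak_users, lan_cards),
        "warnings": memory_warnings(readings),
    }


# Constructed baseline: one reading per week after the server came online.
READINGS = [
    Reading(1, 150, 12, 5400, 97.0, 40),
    Reading(2, 420, 25, 1500, 93.5, 85),
    Reading(3, 610, 31, 540, 88.0, 120),
    Reading(4, 640, 32, 900, 91.0, 110),
]
CONFIGURED = {"directory_cache_buffers": 20, "service_processes": 10}
LAN_CARDS = 2

if __name__ == "__main__":
    report = review(READINGS, CONFIGURED, LAN_CARDS)
    for name, value in report["minimums"].items():
        print(f"{name}: set minimum to {value} ({report['notes'][name]})")
    print("packet receive buffers:", report["packet_receive_buffers"])
    for line in report["warnings"]:
        print("WARNING:", line)
```

Record a new set of readings after each change so that the effect can be compared against the same baseline.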
One problem with this is that the LIP packet can cause high utilization on the
server if the client cannot negotiate the size correctly. You can disable or
troubleshoot with the command:
set allow LIP = on
6.1.3 Application
Support for processes for handling applications and also for monitoring NetWare
5 has been improved. In some instances, however, this has made troubleshooting
and tuning more difficult.
6.1.3.1 Prioritizing
The new kernel in NetWare 5 allows certain applications to have a higher priority
than the processor which increases performance for those specified applications.
This is done from Monitor by selecting the kernel, choosing the application and
The important thing to remember here is that the share value is relative to the
base system. That is, if we set an application to have a value of 200 and the other
application stays at the default, the new application will have twice as many
processing resources.
It is possible to create applications from the applications that Novell has already
installed. For example, if you want DHCPSRVR to become an application with a
high share value, use the command:
load -A=newdhcpsrvr dhcpsrvr.nlm
For NetWare there are certain components that have been programmed to be
SMP-aware. Some of these are Open Data-link Interface (ODI), memory and the
direct file system.
You can set the threshold that the server will use to swap to the other processor if
the first is busy. This value is set in Monitor under the SMP selection. This area of
4. From the drop-down list at the top select the type of policy that you want to
import. See the application help for information about the policies. Also, see
TID 2942079 and the NetWare 5 documentation.
5. Once you have selected the policy, press the Load Group button to display
the information. All should be OK with no errors.
6. Click Advanced. Figure 73 appears.
7. This is where you can then remove the items that you do not want. In this
window, we had loaded two policies: the NDSTtype and one of the time
policies. In this window, we could delete everything except for the 7 am - 6 pm
entry so that it is the only time WAN traffic would flow. If you click Edit you can
change the times.
What we have done here is to give you a very rough guide to what to use. We set
up our two servers and removed as many unnecessary functions as possible. We
wanted two Novell servers with only NetWare and BorderManager installed. We
then disabled and removed the BorderManager services and installed the
ManageWise components that were required to monitor BorderManager. See
3.8, “Installing ManageWise” on page 65 for ManageWise installation information.
1. We started the ManageWise console and ensured that the servers were
manageable. To do this we selected View > All NetWare File Servers as
shown in Figure 74:
4. Among the trends that can be selected, we were interested in the amount of
traffic in KB coming in and out. We used both servers to see if they generate
the same or different amount of data.
5. Choosing the items shown in Figure 75 gave us information from both servers
(Figure 76 and Figure 77):
6. This shows the information that we had gathered so far and they both seem to
be pretty close. Rather than relying on viewing the information on the screen,
we exported the information using the export function.
7. We then analyzed the data using a spreadsheet package.
8. The graph displayed activity at 15-minute intervals from 11pm to 8am. The
export of the data gave us a figure for transmitted and received. We added
these two together as shown in Figure 78.
[Figure: KBytes (vertical axis, 0 to 700) against time in 15-minute blocks; series Total Syd01 and Total NW5_BM3]
9. This graph shows the total amount of KB sent and received for each card.
These servers have both IP and IPX bound; to determine the amount of each,
a protocol analyzer would be needed. The other way is to put two cards in the
machine and bind one protocol to each card and determine the traffic
requirements this way.
10.The average of both servers came to about 527 KB per minute.
11.To determine bandwidth out per second, divide the 527 by 60 = 8.78 KBps,
indicating the link traffic for straight NDS traffic and heartbeat information is
minimal.
12.The final step is to work out what other traffic will be going across the
connection.
6.2 NDS
The NetWare network is based on the NDS and the importance of a good design
cannot be overstated. With forethought and planning, it is possible to have a
flexible, solid and easily administered NDS tree that will service your network for
many years.
The first part of the NDS creation phase is designing the NDS tree. This process
is the basis for your network, so enough time must be spent on the design phase.
Obviously the amount of time spent on designing will depend on the size of your
network. A company that has one site and one server will not have to spend a lot
of time on design, but you will still need to make sure that the design is flexible
and that the naming conventions are easily understood. The same principle will
also be relevant for a large network which will require a lot more time on the
NDS design, partition/replication and time synchronization strategies.
Naming conventions don’t really come under the heading of tuning and
optimization but, as a user or administrator, if you have ever tried to type paths
and connect to server names that made no sense, you could understand why
these are important. Naming conventions are based on the individual network,
the location of the server, what the server does, and so on. For example, a server
located in the Melbourne head office in Australia that runs BorderManager only
and is the second one of its type in that office is named AUHOBM02. Unless you
know what the acronyms mean (such as HO for head office), it will not make a lot
of sense. If you know what they all mean and they are easy to pick up, you will
quickly know where the server is located and what it does.
There are some basic rules when creating an NDS tree. With the introduction of
NDS 8 the rules have changed somewhat. As mentioned previously, we recommend
that NDS 8 be implemented for any new NDS tree, and that existing NDS trees
be implemented with the guidelines set down by Novell. For more
information please go to:
http://www.novell.com/products/nds/
The rules on the size of replicas and number of objects per replica and
organization units no longer apply or have been increased. Where this is the case
we will note it for the current version of NDS. The other rules were made to
decrease the amount of WAN traffic and to ensure that the required resources are
located as close to the users as possible.
1. Design the tree in a triangular fashion (wide section at the bottom of the tree).
2. Design the top of the tree based on the WAN infrastructure.
3. Design the bottom of the tree based on your network’s resource organization.
The NDS tree consists of containers and objects as discussed in 2.3.1, “How to
refer to objects in the NDS tree” on page 26. The arrangement of these container
objects and the placement of leaf objects make up the design of the tree.
El Segundo   T1   ELS
Webster      T1   WBS
Marseilles   64   MRS
Bonn         64   BON
Melbourne    56   MEL
Manila       56   MAN
Seoul        56   SEO
This information is enough to design a tree that resembles the WAN topology and
includes the following departments:
• Accounting (AC)
• Sales (SA)
• Information systems (IS)
• International sales (IL)
• Domain Marketing (DM)
[Figure: NDS tree. O=AU at the top; OUs NA, SA, EU, PR and BR below it; then the site containers PLD, ELS, SDG, FRW, DNV, TLH, NWK, MRB, RCR, WBS, RIO, HFD, BON, MRS, MOS, TAV, CRO, OSA, SEO, BAN, MEL and MAN; then department containers such as HR, IS, SP, AC, PR, IL and DM.]
As can be seen by the construction of the tree in Figure 79, we have broken up
the tree into geographical regions and therefore do not have more than 10
organization units (OU) per level. We recommend that you keep the number of
OUs per level to between 10-15. When creating such a tree, keep in mind the
replication of the partitions and stick to the rules for NDS partitioning and
replications.
The country container is used primarily for connecting to public directory services
that are X.500 compliant; in most cases a country container only adds another
level that is not necessary and whose role can be filled by an organizational unit.
When naming the tree, ensure that you do not use the same name as for the
organization (O) object, because when troubleshooting this makes it more difficult
to differentiate where the problem lies.
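The design rules above (triangular shape, 10-15 OUs per level, no unnecessary country container, a tree name that differs from the O name) can be checked mechanically before the tree is built. The following is an added example, not part of the original guide: the container list and the tree name AU_TREE are constructed, the assignment of sites to regions is an assumption, and "per level" is read as "per parent container".

```python
"""Lint a planned NDS container layout against the design rules in this section."""
from collections import Counter

# Constructed container list (not from the guide); the site and department codes
# follow the guide, the site-to-region assignment is an assumption.
SAMPLE_CONTAINERS = [
    "O=AU",
    "OU=NA.O=AU", "OU=EU.O=AU", "OU=PR.O=AU",
    "OU=ELS.OU=NA.O=AU", "OU=WBS.OU=NA.O=AU",
    "OU=BON.OU=EU.O=AU", "OU=MRS.OU=EU.O=AU",
    "OU=MEL.OU=PR.O=AU", "OU=MAN.OU=PR.O=AU", "OU=SEO.OU=PR.O=AU",
    "OU=IS.OU=MEL.OU=PR.O=AU", "OU=AC.OU=MEL.OU=PR.O=AU",
    "OU=SA.OU=MEL.OU=PR.O=AU",
    "OU=IS.OU=ELS.OU=NA.O=AU", "OU=AC.OU=ELS.OU=NA.O=AU",
    "OU=SA.OU=ELS.OU=NA.O=AU", "OU=IL.OU=ELS.OU=NA.O=AU",
    "OU=DM.OU=ELS.OU=NA.O=AU",
]


def parse_dn(dn):
    """Split 'OU=IS.OU=MEL.O=AU' into [('OU','IS'), ('OU','MEL'), ('O','AU')]."""
    parts = []
    for comp in dn.strip(".").split("."):
        kind, _, name = comp.partition("=")
        parts.append((kind.strip().upper(), name.strip().upper()))
    return parts


def join_dn(parts):
    return ".".join(f"{kind}={name}" for kind, name in parts)


def lint_tree(tree_name, containers, max_ous=15):
    """Return (code, detail) findings for a list of typed container names."""
    findings = []
    children = Counter()  # parent container -> number of child OUs
    width = Counter()     # depth below [ROOT] -> number of containers
    for dn in containers:
        parts = parse_dn(dn)
        width[len(parts)] += 1
        kind, name = parts[0]
        if kind == "C":
            # Country containers usually only add an unnecessary level.
            findings.append(("COUNTRY_CONTAINER", join_dn(parts)))
        if kind == "O" and name == tree_name.upper():
            # Same name for tree and O makes troubleshooting harder.
            findings.append(("TREE_NAME_EQUALS_O", join_dn(parts)))
        if kind == "OU":
            children[join_dn(parts[1:])] += 1
    for parent, count in sorted(children.items()):
        if count > max_ous:
            findings.append(("TOO_MANY_OUS", parent))
    # Heuristic for the triangular shape: no level narrower than the one above.
    depths = sorted(width)
    for upper, lower in zip(depths, depths[1:]):
        if width[lower] < width[upper]:
            findings.append(
                ("NOT_TRIANGULAR", f"level {lower} narrower than level {upper}"))
    return findings


if __name__ == "__main__":
    for code, detail in lint_tree("AU_TREE", SAMPLE_CONTAINERS):
        print(code, detail)
```

The constructed layout passes with no findings; the partitioning and replication rules still have to be checked separately.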
Place the master copy where the support team is, because any NDS design
changes must be made on a server that holds the master replica. Support can
also respond much faster when that server goes down, and hence the master
will be up again much faster.
Some of this may seem a bit unusual, especially placing root and global in
partitions of their own when they will have few objects and no one accessing the
resources. This decreases the number of subordinate references. By using the
Replica worksheet in Appendix A.4, “Replica planning worksheet” on page 241
and removing this level of partitioning, you will see that the number of references
actually increases. This can be done manually, as we have done it here. However,
there are some applications that will do this for you. One of these you can find at:
http://www.netwarefiles.com
We suggest that you replicate manually at first and then use these applications to
check your calculations. Our worksheet ended up as follows (Table 5):
The worksheet shows where all the replicas will sit and what type of replica they
will be. All the masters are placed on the servers at Rochester, where all the IS
support team is based. The servers they have been placed on are all running a
high availability and fault-tolerant configuration such as Vinca StandbyServer,
SFT III or NetWare Cluster Services (NCS).
The best way to design a tree is to follow our guidelines and create your own so
that you know where all the links and servers are. While there is no right or wrong
answer to the NDS design question, some answers are more right than others.
The time provider group is set up when you have multiple WAN connections or
over 30 servers, since the default configuration will prove to be inefficient and
create too much WAN traffic. A time provider group consists of a reference server
and up to seven primary servers.
[Figure: time provider groups, each made up of a Reference server and Primary servers.]
In our example, there were over 30 servers in the Rochester area, which had to
span WAN links, so we created multiple time provider groups. In our configuration,
the sites with the fastest links in each geographical region became reference
servers, which communicated with an external atomic clock so that they were
synchronized. The servers with the next fastest links became primary servers and
all others became secondary. The configuration of these groups can be based on
SAP or on configured lists; we chose configured lists and ensured there was
redundancy in these lists. With configured lists, traffic is reduced but
administrative overhead is increased.
Configuring the time source type and the basic settings is done in Monitor under
Server Parameters. To enable the configured lists, go to the same area and set
Time sync configured sources to On and then select Timesync > Add time
sources and enter the IP address of the servers. For more information see the
NetWare 5 documentation or TID 2930686. This TID is based on NetWare 4.11
but the parameters are the same. The main difference is that in NetWare 4.11 it is
all done with SERVMAN, not Monitor.
A few new objects are added when ZENworks is installed. Since the NDS schema
is being increased and with the addition of all these objects, you must plan for the
/****************************************************************************/
Netware 5.00 Directory Services Repair 5.14 , DS 7.30
Log file for server ".NW5_BM3.MELB.IBMAU" in tree "IBM"
Time synchronization and server status information
Start: Wednesday, July 7, 1999 9:11:07 am Local Time
3. This log gives you information about the version of the DS.NLM that you have
loaded on all your servers. Ensure that they are all on the latest version
possible for each server’s NOS version.
4. Check in the left-hand column to ensure that only servers that are up and
running are listed. If a server has been removed from the network and has not
been removed from the NDS, follow the procedures listed in TID 2908056.
If a server has crashed and you want to retain all links, let the remaining
servers synchronize properly for the time being, and later place the server
back in NDS, follow TID 2920601.
5. The second column reports the replica depth. If the server is holding a copy of
the [ROOT], it will be listed as having a depth of 0. If a server shows a
replica depth of -1, it does not hold a replica. So if you have a server that
holds a replica and it shows up as -1, it often means that it is in a
transitional state or that it is having problems getting the replica. A server
that holds a replica of an organization unit and not of the organization or root
would have a depth of 2.
6. The time source shows the type of time server. In this column you must ensure
there is a time provider; otherwise, no server will be able to get its time.
Refer back to 6.2.3, “Time synchronization” on page 125 for information about
the type of providers.
7. Check that the time is synchronized on all the servers. If not, you will have to
ensure that the communication channels are open and, if all this checks out,
you may need to tune some of the parameters. Refer to TID 2908867.
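The checks in steps 3 to 7 can be run over a saved report instead of being read by eye. The following is an added example, not part of the original guide or of DSREPAIR: the sample rows are constructed (only .NW5_BM3.MELB.IBMAU and DS 7.30 come from the log above), and the column order and the "Single" time source value are assumptions to adjust to your own log.

```python
"""Audit a DSREPAIR time-synchronization report against the checklist above."""
from dataclasses import dataclass

# Constructed sample rows. Assumed column order: server, DS.NLM version,
# replica depth, time source, time in sync, time offset.
SAMPLE_REPORT = """\
.NW5_BM3.MELB.IBMAU   7.30    0   Reference   Yes   0
.NW5_FS1.MELB.IBMAU   7.30    2   Primary     Yes   0
.NW5_FS2.MELB.IBMAU   7.09   -1   Secondary   No    +37
.NW5_OLD.MELB.IBMAU   7.30    2   Secondary   Yes   0
"""

# Time server types that provide time; "Single" is assumed to be how a
# single-reference server shows up in this column.
PROVIDERS = {"Single", "Reference", "Primary"}


@dataclass
class Row:
    server: str
    ds_version: tuple
    depth: int
    source: str
    in_sync: bool


def parse_report(text):
    """Turn report lines into Row objects, skipping headers and rulers."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith("."):
            continue
        name, version, depth, source, sync = parts[:5]
        rows.append(Row(
            server=name.upper(),
            ds_version=tuple(int(p) for p in version.split(".")),
            depth=int(depth),
            source=source.capitalize(),
            in_sync=sync.lower() == "yes",
        ))
    return rows


def expected_depth(partition_root):
    """Depth of a partition root below [ROOT]: [ROOT]=0, O=1, OU under O=2."""
    if partition_root.upper() == "[ROOT]":
        return 0
    return len(partition_root.strip(".").split("."))


def audit(rows, live_servers, replica_roots):
    """Return (server, finding) pairs.

    live_servers: names of servers known to be up and running (step 4).
    replica_roots: server -> root of the highest partition it should hold (step 5).
    """
    live = {s.upper() for s in live_servers}
    roots = {s.upper(): r for s, r in replica_roots.items()}
    findings = []
    newest = max((r.ds_version for r in rows), default=())
    for r in rows:
        if r.server not in live:
            findings.append((r.server, "STALE_SERVER"))
        if r.ds_version < newest:
            # Step 3: may be legitimate if the server's NOS version caps DS.NLM.
            findings.append((r.server, "DS_VERSION"))
        root = roots.get(r.server)
        if root is not None and r.depth != expected_depth(root):
            findings.append((r.server, "REPLICA_DEPTH"))
        if not r.in_sync:
            findings.append((r.server, "TIME_NOT_SYNCED"))
    if not any(r.source in PROVIDERS for r in rows):
        findings.append(("*", "NO_TIME_PROVIDER"))
    return findings


def demo():
    """Run the audit over the constructed sample."""
    live = [".NW5_BM3.MELB.IBMAU", ".NW5_FS1.MELB.IBMAU", ".NW5_FS2.MELB.IBMAU"]
    roots = {
        ".NW5_BM3.MELB.IBMAU": "[ROOT]",
        ".NW5_FS1.MELB.IBMAU": "OU=MELB.O=IBMAU",
        ".NW5_FS2.MELB.IBMAU": "OU=MELB.O=IBMAU",
    }
    return audit(parse_report(SAMPLE_REPORT), live, roots)


if __name__ == "__main__":
    for server, finding in demo():
        print(f"{finding:16} {server}")
```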
Table 6 has been reproduced from the June 1996 Appnote “Managing Novell
Directory Service Traffic Across a WAN: Part 1”. It shows the actual traffic
generators for the NDS, how often they occur, and how to view and force them.
Table 6. Traffic generators
| Process | Description | How often | How to view | How to force |
|---|---|---|---|---|
| Immediate sync | Synchronize critical changes | 10 seconds after event | set dstrace = on; set dstrace=+sync; set dstrace=+in | Create an object or change an attribute |
| Slow sync | Synchronize noncritical changes | 22 minutes after event | set dstrace = on; set dstrace=+sync; set dstrace=+in | Log in or out |
| Schema sync | Ensures schema consistency | 240 minutes (configurable) or when schema changes | set dstrace=+schema | set dstrace=*ss |
| Limber | Checks server object for changes | 180 minutes or when name of server is changed | set dstrace=+limber | set dstrace=*l |
| Backlink | External reference consistency | 780 minutes (configurable) | set dstrace=+blink | set dstrace=*b |
The same benchmarking and tuning principles that have been discussed in the
normal NetWare 5 tuning can be applied here. Set your level after the server has
been up and running a while. The main difference is that you will set a few more
parameters to begin with to ensure that the BorderManager server works fast
straight away.
The following configuration settings are designed for a server running only
BorderManager, because the settings that we will be using would make a file and
print server run at less than its optimum.
1. Disk:
– Create volumes that are used only for cache. These volumes should be set
up with a block size of 8 KB. Then monitor and determine the average size
of your files by using the calculations in A.1, “Memory calculations” on
page 235 and adjust accordingly. Make sure that your
RAID controller is also set up with the same stripe size.
– Use only 8.3 DOS file names.
– Disable compression and suballocation. These are CPU intensive and if
suballocation is set and you need to purge the file, the server must then go
to the whole block and work out which part of it must be purged.
– Ensure that the files are purged immediately.
– For NSS volumes, set the amount of cache buffers that NSS will allocate
for caching. The setting should be around 60%. You can go higher but NSS
requires an amount of space left for its normal functions. Use the following
command:
load NSS /cachebalance=60
– Set the maximum number of file locks = 100000
2. Communications
This means that the client is isolated and protected from changes to the physical
hardware, which yields a number of benefits. Perhaps the most important of these
benefits is high availability. Resources on clustered servers act as highly
available versions of unclustered resources.
Buying a large symmetric multiprocessing (SMP) machine and just adding central
processing units (CPUs) and memory as demand increases is not a viable
long-term solution for scalability. An SMP machine scales very poorly when the
number of CPUs increases beyond a certain point. The primary bottleneck is the
bandwidth available to access the system. As the CPU count increases, so does
the amount of traffic on the memory bus, which eventually limits system
throughput. In contrast, a well-implemented cluster can scale almost linearly.
In an ideal cluster, users would never notice node failures and administrators
could add or change nodes at will. Unfortunately, this is not the case today.
Current Intel-based clusters provide many of the features and functions of an
idealized cluster but fall short in some areas as we will discuss in this chapter.
For more information about clustering see the redbook Netfinity Clustering
Planning Guide, SG24-5845.
Currently, the clustering solutions available to NetWare users from IBM use the
shared nothing clustering model. The solutions are based on one of two typical
configurations:
• Shared disk clustering configuration
In this configuration, the data is stored in external disk enclosures that are
connected to all servers in the cluster. Only one copy of the data is stored, and
should any server fail, the other remaining servers in the cluster take over the
failing system’s processes and data I/O.
An example of a shared-disk configuration is shown in Figure 82.
[Figure 82: shared-disk configuration. Labels: Client access, Dedicated link, Internal disks (one set per server), Shared disks.]
[Figure: mirrored-disk configuration. Labels: Primary, Standby, Dedicated link, SYS, DATA, Internal disks, Mirrored disks.]
At the time of publication, these two solutions had been tested and certified on
the Netfinity 5500 and Netfinity 7000 M10. For the latest information, see
http://www.pc.ibm.com/us/netfinity/serverproven
This option disables the IP forwarding. If the forwarding has been enabled, the
automatic reconnection of the client, in case of failure, will not work and the
users will not be able to reconnect to another cluster server after the failover.
• Another parameter to be verified in case you are using the NSS feature of the
volumes is the following:
NSS /AUTODEACTIVATE VOLUME=ALL
The NCS automatically mounts all cluster volumes on the servers in the
cluster. This command ensures that the cluster volumes are not mounted,
even by chance, on more than one cluster server, which could cause data
corruption. If you don't use this command, the command MOUNT ALL could be
typed on each server console, and every server could try to mount a volume
that is already mounted on another cluster server.
• Novell patches and software:
– NW5SP2A.EXE — Support patch kit 2a for NetWare 5
– W95302.EXE — Client v. 3.0.2 for Win95 /98
– WNT46E.EXE — Client v. 4.5.819 for Microsoft NT 4.0
All these products are available from: http://www.novell.com/download/
• Microsoft software: You will need to install Service Pack 4 or later for Windows
NT clients.
• IBM software — use these versions or later versions
– 37L6140.EXE — IBM ServeRAID BIOS Firmware Update Diskette V3.11b
– 00N9003.EXE — IBM Hot Plug PCI System Bus Driver for Novell NetWare
4.11, 4.2 and 5.0 diskette V1.03
– 33l3938.EXE — IBM ServeRAID DOS Configuration Diskette V3.10
– NET2100.ZIP — Netfinity Fibre Channel PCI Adapter NetWare Driver
V2.09 (QL2100 driver)
These are available from http://www.pc.ibm.com/support
To install the device driver for the IBM Netfinity Fibre Channel PCI Adapter, you
should use the driver in the NET2100.ZIP file downloaded from the IBM site as
described above (the QL2100 driver):
1. Start NWCONFIG
2. Select Driver Options
3. Select Configure disk and storage device drivers
4. Select Load an additional driver
5. You will then see a list of the available drivers. Press the Insert key and enter
the directory where the QL2100 driver is located.
6. Select the QL2100.HAM driver as shown in Figure 85.
NetWare Configuration
+----------------------------------------------------------------------------+
| Select a driver to install: |
|----------------------------------------------------------------------------|
| |QL2100.HAM | QLogic QLA2100/QLA2100F FC PCI Host Adapter Module |
|| |
|| |
|| |
|| |
+----------------------------------------------------------------------------+
+----------------------------------------------------------------------------+
+-----------------------------------------------------+
| "QL2100.HAM" Help |
| |
| This HAM driver is for the QLogic QLA2100 and |
| QLA2100F Fibre Channel PCI host bus adapters. |
| (QLA2100 is copper, QLA2100F is optical). |
+-----------(To scroll, <F7>-up <F8>-down)------------+
9. If the driver is installed correctly, the QL2100 driver will appear in the installed
driver list as shown in Figure 87.
NetWare Configuration
+--------------------------------------+
| Additional Driver Actions |
|--------------------------------------|
| |Discover and load additional drivers|
| |Select an additional driver |
| |Deselect a selected driver |
| |Return to previous menu |
+--------------------------------------+
Help <F1> Previous screen <Esc> Change Lists <Tab> Abort <Alt><F10>
Figure 87. Driver successfully installed
Figure 90. Installing NCS — selecting the NDS tree and context
5. Select the tree and then the context that you require. In our example, this
yields Figure 91.
6. Click Next. Figure 92 appears where you select the servers that are to join the
cluster.
7. Click to select the servers as shown in Figure 93, then click Add to
Cluster. Repeat for each server that will participate in the cluster.
Each time you click Add to Cluster, the name and IP address of the server is
added to the list as shown in Figure 94.
If the shared media exists but it is not automatically selected, make sure that:
– Support for NSS volumes has been loaded on all nodes
– The shared volumes can be accessed from each server in the cluster.
Verify this by entering the VOLUMES command on the console of each node.
You can also mirror the Cluster Partition to add fault tolerance to the cluster.
Since we have configured the shared disks for RAID-1 or RAID-5, this is not
necessary.
8. Select the options you want, then click Next. Figure 96 appears. Here you can
specify if you want the servers to be rebooted automatically upon completion
of the installation.
10. If you did select the servers to be automatically rebooted, this now occurs.
Once the servers are rebooted, the NCS status window will be available showing
you the status of the nodes, similar to Figure 99.
00 - UP - 6-15-99 1:35:19
(01) - UP - 6-15-99 1:35:19
Note: Some applications do not require that the NetWare clients access the
shared volumes, so cluster enabling may not be necessary.
1. Start ConsoleOne. A new version was installed as part of NCS.
2. Select the cluster object.
3. Click File > New > Cluster > Cluster Volume. Figure 101 appears.
Figure 102 shows the new cluster resource CLUSTER_VOL created. It also
shows the status of the servers and the shared resources.
8. To put the new resource online, click the cluster resource name in the table.
Figure 103 appears where you can set its state to online.
9. This will set the resource’s state to Running, as shown in Figure 104.
To create the template resources from ConsoleOne, click File > New > Cluster >
Cluster Resources. Figure 105 appears.
If you choose to create a resource template, you may use one of the templates
shown in Figure 106.
If you checked Defined Additional Properties in Figure 105, then Figure 107
appears where you can do so. Here you may change the node assignments for
the selected resource template. From other tabs in the properties window, you
can also configure the scripts for load and unload operations and configure the
failover and failback modes.
From ConsoleOne, select the cluster object then click File > New > Cluster >
Cluster Resource then check Create Resource Template as shown in Figure
105 on page 148.
A load script is required for each resource, service or volume in the cluster. The
load script gives the commands necessary to start up the resource or service or
to mount the volume on a server. You can use any command that you would use
in an NCF file.
For the application or the cluster resource you can add an unload script in order
to specify how the application or the resource should end. It is not necessary for
all applications or resources; however, it can guarantee that during a failback or a
manual migration, a resource unloads before it reloads on another node.
Use manual failover if you want to be able to intervene when a failure occurs and
before the resource is moved onto another server. Configuring the failover mode
as manual gives you time to bring up failed nodes or to migrate the resources
onto another node after having enabled the resource to move.
Manual failback works like manual failover. Use manual failback to prevent a
resource from moving back to its preferred node after that node is brought back
online.
Migrating the resources lets you balance the load across the cluster and
balance the applications among the servers. To do this for a resource, click its
name in ConsoleOne’s Cluster State view (Figure 102 on page 146). Since the
resource is currently running, Figure 109 appears where you can click Migrate to
migrate the resource to the specified migration target (if you only have two nodes
in your cluster, then the partner server will be listed as the target).
Within a few seconds the state of the resource will change as follows:
• Unloading from the current node
• Loading on the preferred node
• Running on the preferred node
The Cluster State view in ConsoleOne lists the status of the servers and cluster
resources. The servers and resources are displayed in different colors depending
on their operating status.
[Figure: Cluster State view with callouts “The number of times the cluster state has changed” and “Master server (yellow circle)”.]
The epoch number is the number of times the cluster state has changed. This
changes every time a server enters or leaves the cluster.
Physically, a NetWare partition consists of a large data store area and another
small area named hot fix. The hot fix area is where NetWare rewrites bad blocks
where it detects a disk fault. NetWare mirrors only the partition that contains data
and not the hot fix area.
Note: For ServeRAID and Fibre Channel implementations, the hot fix area is not
used because the respective RAID controllers handle all remapping of failed
sectors.
The Hot Fix partition contains a mirror table which NetWare uses to define if the
mirror is carried out and if it is synchronized with other parts of the mirror set.
Take into consideration that the logical partitions are mirrored, not the volumes. A
volume can be built onto multiple disks. This will increase the response time but
at the same time the number of failures. The best way to enhance the volume size
and therefore the partitions is to use RAID arrays.
The RAID configuration inside the two servers must be identical in each part.
Notes:
• Mirroring is performed between the NetWare partitions, not the volumes or
files.
• Avoid using any disk repair utility like VREPAIR on the mirrored drive set. It is
always a good practice to break the mirror set and then run VREPAIR on the
removed part of the mirrored set. This gives a better chance of recovering from
any damage done by the repair utility itself.
• NetWare 5 supports disk mirroring only on the traditional NWFS volume
configuration. NetWare 5 does not yet support mirroring on NSS
implementation.
where:
• N=number of requested minutes
• DS=disk size that has to be mirrored in bytes
• RQ=4096 bytes
• AR/Ss=average of requests/sec that can be displayed on the standby server
screen by pressing M.
For example:
8,589,934,592/(4096*60*400) = 87 minutes
[Figure: RJ-45 to RJ-45 cable wiring, showing pins 1 to 8 on each connector and the wire colors White/Green, Green, White/Orange and Orange.]
• At least one disk must be dedicated to the primary server to contain the SYS
volume. Make sure the standby machine has enough space in the NetWare
partition to hold the mirror of the primary server.
• Adjust the amount of RAM installed based upon calculations provided by the
Novell documentation or by the free tools such as NRAME.ZIP from:
http://www.itlab.orst.edu/download/default.htm
• If you are using the ServeRAID controller, make sure that the write policy is
set to write-back. This configuration will dramatically enhance the mirroring
functions. (Note, however, that changing the write policy will destroy all data.)
• Also for NetWare 5, as with other Novell versions, you need to configure the
DOS file CONFIG.SYS with:
FILES=40
BUFFERS=15
• Do not use the console commands REMOVE DOS or SECURE CONSOLE as this
impacts the use of StandbyServer.
Note: the installation is performed from the standby machine, not the primary.
1. Start NetWare on both the primary server and the standby machine.
2. Load VINSTALL.NLM from the standby machine at the console prompt (after
having loaded the CD-ROM support) by typing the following:
LOAD VINCA:\NW\SBS50\VINSTALL
3. After reviewing and accepting the license, Figure 112 appears.
+------------------------------------------------------------------------------+
¦ VInstall v5.00 for StandbyServer NetWare Loadable Module ¦
+------------------------------------------------------------------------------+
+---------------------+
¦ ¦
¦ Welcome to VInstall ¦
¦ ¦
+---------------------+
+-------------------------------------------------------------------+
¦ Installation Options ¦
¦-------------------------------------------------------------------¦
¦ ¦Install StandbyServer. ¦
¦ ¦Update StandbyServer files. ¦
¦ ¦Add a vault machine to the StandbyServer configuration. ¦
¦ ¦Edit .NCF files on this machine only. ¦
¦ ¦Edit all StandbyServer .NCF files. ¦
¦ ¦Create product configuration file. ¦
¦ ¦Uninstall StandbyServer. ¦
¦ ¦Exit VInstall. ¦
+-------------------------------------------------------------------+
Press ESC to exit. Use arrow keys and Enter to select an option.
Press ALT+F10 to abort VInstall.
Figure 112. StandbyServer installation — main menu
4. Select the first option Install StandbyServer and the installation of the
product will start. If all preinstallation requirements have been met,
StandbyServer will search for the network servers that could belong to the
cluster and present you with a list of servers as shown in Figure 113.
+-------------------------------+
¦ Select Primary Server ¦
¦-------------------------------¦
¦ ¦SRV-NW5-1 ¦
¦¦ ¦
¦¦ ¦
¦¦ ¦
¦¦ ¦
¦¦ ¦
¦¦ ¦
¦¦ ¦
+-------------------------------+
5. Select the server you want to be the primary. Figure 114 now appears.
+------------------------------------------------------------------------------+
¦ VInstall v5.00 for StandbyServer NetWare Loadable Module ¦
+------------------------------------------------------------------------------+
+--------------------------------------------------+
¦ Login to server SRV-NW5-1 ¦
¦--------------------------------------------------¦
¦ User Name: ADMIN ¦
¦ Password: ¦
+--------------------------------------------------+
+------------------------------------------------------------------------------+
¦ VInstall v5.00 for StandbyServer NetWare Loadable Module ¦
+------------------------------------------------------------------------------+
+-------------------------------------------------------------------+
¦ Login to file server SRV-NW5-1 was unsuccessful. Error:[fffffda7] ¦
¦ Make sure your user name and password are correct. ¦
¦ You may try using a distinguished user name (like .admin.novell). ¦
¦ Make sure the bindery context is properly set on both the Primary ¦
¦ and Standby machines. To try logging in again, select no when ¦
¦ prompted to manually setup. ¦
¦ <Press ENTER to continue> ¦
+-------------------------------------------------------------------+
+----------------------------------------------------------------------+
¦ Manually setup VInstall communications on the Primary Server? ¦
¦ (requires loading an NLM off the install disk on the Primary Server) ¦
+----------------------------------------------------------------------+
+------+
¦ ¦No ¦
¦ ¦Yes ¦
+------+
8. Select Yes and press Enter. The installation continues and you enter the
communications parameters manually.
+------------------------------------------------------------------------------+
¦ VInstall v5.00 for StandbyServer NetWare Loadable Module ¦
+------------------------------------------------------------------------------+
+-----------------------------------------------------------------+
¦ IPX and IP protocols are installed on this server (SRV-NW5-2). ¦
¦ Select the protocol that VInstall and StandbyServer should use. ¦
+-----------------------------------------------------------------+
+----------------------------------------------------+
¦ Select a protocol to continue ¦
¦----------------------------------------------------¦
¦ ¦IPX ¦
¦ ¦IP ¦
+----------------------------------------------------+
Choose IPX or IP protocol for this primary server. Press ESC to cancel.
Press ALT+F10 to abort VInstall.
+------------------------------------------------------------------------------+
¦ VInstall v5.00 for StandbyServer NetWare Loadable Module ¦
+------------------------------------------------------------------------------+
+--------------------------------------------------+
¦ Manually setup communications modules: ¦
¦ ¦
¦ Waiting for remote...take disk to SRV-NW5-1 and ¦
¦ type "load SYS:CLUSTER\NSBS\vload vincaip app=1" ¦
¦ and press Enter on the console of SRV-NW5-1. ¦
+--------------------------------------------------+
10. On the primary system, enter the command that is listed in Figure 118 on the
standby system. The command specified depends on the protocol selected in
step 9.
Figure 119 now appears on the primary console.
Figure 119 lets you configure different StandbyServer settings. The four
options at the bottom of the window are as follows:
– AutoSwitch: When AutoSwitch is enabled (the default), the standby server
automatically fails over and assumes the primary role if the primary server
fails. If it is disabled, failover is performed manually by the administrator.
– Disk Read Blocker: When enabled, disk reads only go to the disks in the
primary server. When disabled (the default), disk reads are serviced by
whichever side of the mirror is faster to respond.
– SNMP Support: When enabled, VMAN.NLM is loaded on the standby
server, which issues SNMP traps when the primary server fails over.
– Utility Server: When enabled, the standby server is automatically
configured to function as a utility server. When disabled, no configuration
changes are made.
Note: All these parameters can be customized and changed after the
installation.
11. Once you have finished selecting the options, press F10 to continue. The file
copy process then begins.
12. Once the file copy is completed, new AUTOEXEC.NCF and STARTUP.NCF
files will be created and you are asked if you wish to view or edit them (Figure
120):
+-------------------------------------------------------+
¦ VInstall has created new STARTUP.NCF and AUTOEXEC.NCF ¦
¦ files for the primary and standby machines. ¦
+-------------------------------------------------------+
+-----------------------------------+
¦ View/Edit new .NCF files? ¦
¦-----------------------------------¦
¦ ¦No ¦
¦ ¦Yes ¦
+-----------------------------------+
13. If you select Yes, Figure 121 appears letting you select files to edit.
+------------------------------------------------------------------------------+
¦ VInstall v5.00 for StandbyServer NetWare Loadable Module ¦
+------------------------------------------------------------------------------+
+--------------------------------------------------------------+
¦ Edit new SRV-NW5-2 and SRV-NW5-1 NCF files. ¦
¦--------------------------------------------------------------¦
¦ ¦New SRV-NW5-2/C:\NWSERVER\STARTUP.NCF ¦
¦ ¦New SRV-NW5-2/C:\NWSERVER\AUTOEXEC.NCF ¦
¦ ¦New SRV-NW5-2/C:\STANDBY\STARTUP.NCF ¦
¦ ¦New SRV-NW5-2/C:\STANDBY\AUTOEXEC.NCF ¦
¦ ¦Edit another file on SRV-NW5-2 ¦
¦ ¦New SRV-NW5-1/C:\NWSERVER\STARTUP.NCF ¦
¦ ¦New SRV-NW5-1/C:\NWSERVER\AUTOEXEC.NCF ¦
¦ ¦New SRV-NW5-1/C:\STANDBY\STARTUP.NCF ¦
¦ ¦New SRV-NW5-1/C:\STANDBY\AUTOEXEC.NCF ¦
¦ ¦Edit another file on SRV-NW5-1 ¦
¦ ¦Continue Installation ¦
+--------------------------------------------------------------+
Press ESC to exit. Use arrow keys and Enter to select a file to edit.
Press ALT+F10 to abort VInstall.
+------------------------------------------------------------------------------+
¦ VInstall v5.00 for StandbyServer NetWare Loadable Module ¦
+------------------------------------------------------------------------------+
+----------------------------------------------------------------------------+
¦FINISH STEPS: ¦
¦1. Remove Directory Services on SRV-NW5-2 using NetWare install. ¦
¦2. Remove SYS volume on SRV-NW5-2 using NetWare install. ¦
¦3. Down SRV-NW5-1. ¦
¦4. Down SRV-NW5-2. ¦
¦5. Type standby<Enter> in the SRV-NW5-2/C:\STANDBY directory. ¦
¦6. Type server<Enter> in the SRV-NW5-1/C:\NWSERVER directory. ¦
¦7. Use NetWare install on SRV-NW5-1 to begin mirroring. ¦
¦NOTE: These steps are also saved in the file FINISH.TXT in all ¦
¦ StandbyServer directories. ¦
+----------------------------------------------------------------------------+
+---------------------------+
¦ Install Complete ¦
¦ <Press ENTER to continue> ¦
+---------------------------+
Use arrow keys and Enter to select an option. Press ESC to backup.
Press ALT+F10 to abort VInstall.
This window shows the steps you need to perform once VINSTALL exits.
When you press Enter, VINSTALL closes and the list of steps is repeated on
the NetWare console as shown in Figure 123.
FINISH STEPS:
1. Remove Directory Services on SRV-NW5-2 using NetWare install.
2. Remove SYS volume on SRV-NW5-2 using NetWare install.
3. Down SRV-NW5-1.
4. Down SRV-NW5-2.
5. Type standby<Enter> in the SRV-NW5-2/C:\STANDBY directory.
6. Type server<Enter> in the SRV-NW5-1/C:\NWSERVER directory.
7. Use NetWare install on SRV-NW5-1 to begin mirroring.
NOTE: These steps are also saved in the file FINISH.TXT in all
StandbyServer directories.
*****LOAD INSTALL NOW, REMOVE D.S. AND REMOVE SYS!*****
SRV-NW5-2:
Note that there are two additional steps listed in Figure 123. You must first
remove Directory Services and any volumes created on the standby server.
NetWare Configuration
+---------------------------------------------------------------+
¦ Configuration Options ¦
¦---------------------------------------------------------------¦
¦ ¦Driver Options (load/unload disk and network drivers)¦
¦ ¦Standard Disk Options (configure NetWare partitions/volumes)¦
¦ ¦NSS Disk Options (configure NSS storage and volumes) ¦
¦ ¦License Options (install or remove licenses) ¦
¦ ¦Copy Files Options (install NetWare system files) ¦
¦ ¦Directory Options (install NDS) ¦
¦ ¦NCF files Options (create/edit server startup files) ¦
¦ ¦Multi CPU Options (install/uninstall SMP) ¦
¦ ¦Product Options (other optional installation items) ¦
¦ ¦Exit ¦
+---------------------------------------------------------------+
If you have enabled AutoSwitch, Figure 126 will also appear in the console list.
From the AutoSwitch console, you can check the connection between the servers
through both the dedicated link and the network link. These are both listed as
CONNECTED. AutoSwitch is also listed as ARMED, meaning that it is ready to
automatically take over the operations of the primary server without any human
intervention.
3. Select Modify disk partitions and Hot Fix. A window similar to Figure 128
appears.
+-----+-----------------------------------------------------------------+
¦ ¦ Disk Partition Type Logical ID Size ¦
¦---+-+-----------------------------------------------------------------¦
¦ ¦D¦ ¦ Big DOS; OS/2; Win95 Partition 0x8 54.7 MB ¦
¦ ¦S¦-¦ NetWare Partition 0xC 484.4 MB ¦
¦ ¦N¦ ¦ Free Space 8133.8 MB ¦
¦ ¦L¦ ¦ ¦
¦ ¦C¦ ¦ ¦
¦ ¦D¦ ¦ ¦
¦ ¦N¦ ¦ ¦
¦ ¦M¦ ¦ ¦
¦ ¦P+-¦ ¦
¦ ¦Exi+-----------------------------------------------------------------+
+---------------------+-------------------------------+---------+
¦ Disk Options ¦
¦-------------------------------¦
¦ ¦Change Hot Fix ¦
¦ ¦Create NetWare disk partition¦
¦ ¦Delete any disk partition ¦
¦ ¦Return to previous menu ¦
+-------------------------------+
4. Then check the drives one by one; a partition must exist and the partitions
must have the same size as the ones that will be mirrored. Take note of the drive
labels (for example "0xF ->Device: 0x5" in Figure 129) so that you can follow the
mirror procedure more carefully.
5. From the Available Disk Options window (Figure 127), select Mirror/Unmirror
disk partitions. Figure 129 appears showing a list of the disk partitions on the
primary server and the standby server. Currently, none are mirrored.
+---------------------------------------------------+
| Available Devices |
|---------------------------------------------------|
| |Device #5 [V2D1-A3-D8:0] IBM RAID rev:1 |
| |Device #6 [V2D1-A3-D9:0] IBM RAID rev:1 |
| |Device #E [V5E0-A4-D0:0] STANDBY 0 IBM RAID rev |
| |Device #F [V5E0-A4-D0:1] STANDBY 1 IBM RAID rev |
+---------------------------------------------------+
Figure 129. NWCONFIG — mirroring disk partitions
6. Take note of what appears on the screen, taking into consideration that if there
is no partition on a specific drive, it will not be shown in the window and
therefore it will not be available for the mirror operations.
Warning
Pay particular attention to this operation because a mistake could cause the
total erasure of the volumes of the primary server and consequently require
you to reinstall the whole environment.
NetWare Configuration
+---------------------------------------------------------------+
¦ Configuration Options ¦
¦---+----------------------------------------+------------------¦
¦ ¦D¦ Available Disk Options ¦d network drivers)¦
¦ ¦S¦----------------------------------------¦artitions/volumes)¦
¦ ¦N¦ ¦Modify disk partitions and Hot Fix ¦ge and volumes) ¦
+------------------------------------------------------------------+
¦ Disk Partition Mirroring Status ¦
+----------------------------------------------------------------------------+
¦ Mirrored Disk Partitions (Logical Partition #12) ¦
¦----------------------------------------------------------------------------¦
¦ ¦In Sync - Device #5 [V2D1-A3-D8:0] IBM RAID rev:1 ¦
¦¦ ¦
+----------------------------------------------------------------------------+
8. Press the Insert key. The available drives will appear as shown in Figure 131.
+---------------------------------------------------------------+
¦ Configuration Options ¦
¦---+----------------------------------------+------------------¦
¦ ¦D¦ Available Disk Options ¦d network drivers)¦
+---------------------------------------------------------------+
¦ Available Disk Partitions ¦
¦---------------------------------------------------------------¦--+
¦ ¦Logical Partition 0x15 [V5E0-A4-D0:0] STANDBY 0 IBM RAID rev ¦ ¦
¦¦ ¦------------+
¦¦ ¦ ¦
¦¦ ¦------------¦
+---------------------------------------------------------------+ ¦
¦¦ ¦
+----------------------------------------------------------------------------+
Figure 131. NWCONFIG — selecting the disk partition to add to the mirrored set
9. Select the corresponding drive that must contain that specific volume on the
standby server. It will have the “standby” label. Press Enter.
NetWare Configuration
+---------------------------------------------------------------+
¦ Configuration Options ¦
¦---+----------------------------------------+------------------¦
¦ ¦D¦ Available Disk Options ¦d network drivers)¦
¦ ¦S¦----------------------------------------¦artitions/volumes)¦
¦ ¦N¦ ¦Modify disk partitions and Hot Fix ¦ge and volumes) ¦
+------------------------------------------------------------------+
¦ Disk Partition Mirroring Status ¦
+----------------------------------------------------------------------------+
¦ Mirrored Disk Partitions (Logical Partition #12) ¦
¦----------------------------------------------------------------------------¦
¦ ¦In Sync - Device #5 [V2D1-A3-D8:0] IBM RAID rev:1 ¦
¦ ¦Out Of Sync - Device #E [V5E0-A4-D0:0] STANDBY 0 IBM RAID rev ¦
+----------------------------------------------------------------------------+
Figure 132. NWCONFIG — mirrored set complete but the standby disk is out of sync
NetWare Configuration
+---------------------------------------------------------------+
¦ Configuration Options ¦
¦---+----------------------------------------+------------------¦
¦ ¦D¦ Available Disk Options ¦d network drivers)¦
¦ ¦S¦----------------------------------------¦artitions/volumes)¦
¦ ¦N¦ ¦Modify disk partitions and Hot Fix ¦ge and volumes) ¦
+-----------------------------------------------------------------+
¦ Disk Partition Mirroring Status ¦
¦-----------------------------------------------------------------¦
¦ ¦Remirroring (20% done): Logical Partition: 0xC ->Device: 0x5 ¦
¦¦ ¦
¦¦ ¦
¦¦ ¦
+-----------------------------------------------------------------+
12. Repeat these steps for other drives that are to be set up as mirrors.
You must add these changes to all the AUTOEXEC.NCF and STARTUP.NCF files
of both the file servers.
In the case of a partial interruption, keeping in mind that the mirroring and the
communication between the servers is controlled by the StandbyServer software,
it is sufficient to unload the AutoSwitch function and exit the StandbyServer
software on the primary server. To do this, on both machines, simply press Esc on
both the AutoSwitch screen and the StandbyServer screen and confirm the exit.
In the case of total interruption, you can test this by bringing down the primary
server or turning off the power to the primary server. After 40 seconds (a modifiable
delay - see the StandbyServer documentation), the standby server will recognize
the primary server’s failure and start the failover process. After the new primary
server comes up, Figure 134 will be displayed until the message is removed by
pressing Esc. The users and the network administrator will receive a window
similar to Figure 135.
The clients will see a momentary interruption of the network services. If your
clients have the following settings, they will not be forced to re-log in with their
own username and password.
• For Windows 95/98 with the IntranetWare client Version 3.0.2.0 or later:
– Auto Reconnect Level = 3
– Handle Net Errors = ON
– Name Cache Level = 0
– Net Status Timeout = 60
– NetWare Protocol = NDS
• For Microsoft NT client with the IntranetWare client Version 4.50.819 or later:
– Advance Settings menu: Auto Reconnect = ON
– Protocol Preferences menu: Preferred Network Protocol = IP
– Protocol Preferences menu: Protocol Component Settings = NDS
If the failure was real, you can now perform diagnostics on the failed primary
servers. You should restart StandbyServer on the new primary server by running
STANDBY from the C:\STANDBY directory. This will cause mirror synchronization to
begin immediately and it is advisable to let this finish before undertaking other
operations.
Note: We are not promoting all products put on the market or existing in the
technology field. We are only trying to make a comparison between
telecommunications services to be used to implement a mirroring environment
with a WAN and a short summary about the setting of a few parameters that can
be useful within this environment. We suggest the reader study
telecommunications and other documentation on the topic.
The effect resulting from the bandwidth reduction due to the write latency can
be reduced further by configuring different options of the StandbyServer
NLM modules. When the WAN connection is reliable (for example, if it is
implemented over Fibre Channel), the write acknowledgment can be turned off
by configuring the “noacks” option inside the VINCAIPX.DSK module. The
latency can also be reduced by lowering the number of requests allowed in a
WAN connection and reducing the buffers option=n (where n is 1-10, defaulting
to 5). The data packet size should be increased to the maximum size
possible for the physical media. For example, if the servers are connected to
an external WAN router via an Ethernet connection, the packet size of
VINCAIPX.DSK should be set with packetsize=1492.
• Network outages
WANs are susceptible to different outages such as cable cuts and switching
equipment failures. In order to protect the mirror from these interruptions, it is
advisable to increase the StandbyServer time-outs beyond the default value
so that the mirrored servers do not disconnect during this short time.
• Bit error rate
The communication channels are often liable to errors due to external
interference. For a channel with a high bit error rate (BER), it is recommended
that you enable the “checksum” of VINCAIPX.NLM and VINCAIP.NLM.
Because this is not a live network with users connecting, it is not possible to
configure every aspect and to ensure that all aspects have been covered. The main
aim is to create the basis of the network and leave the user-based configurations
such as login scripts, security, etc.
The scenarios are based on two separate companies, each with special
requirements as to size, number of users expected and the amount of fault
redundancy/tolerance required. We start off with a small company with one server
consisting of 50 users and wishing to connect to the Internet. As we go from one
scenario to the next, the size of the company increases and therefore the
complexity.
Here are some rules we use to size the links required for browsing. These are
only rules of thumb to give you a starting point; they are not definitive answers.
• Start with 16 Kbps per user for browsing.
• Approximately one third of users use the Internet at one time.
• Multiply 16 Kbps by the number of users (16 x 8 = 128).
• If you use the one third rule, then 8 x 3 gives you 24 users for a 128 Kbps
line.
• Proxy servers over time provide a 50% increase in performance due to
caching.
• Therefore, multiplying 24 users x 2 means that 128 Kbps should service 48
users.
[Figure labels: 5847-00; NetWare 5; Border Manager: Proxy, Firewall, IPX to IP
Gateway, Access control]
+------------------------------------------------------------------------------+
| Internetworking Configuration 3.32 NetWare Loadable Module |
+------------------------------------------------------------------------------+
+-------------------------------+
| Internetworking Configuration |
|-------------------------------|
| |Boards |
| |Network Interfaces |
| |WAN Call Directory |
| |Backup Call Associations |
| |Protocols |
| |Bindings |
| |Manage Configuration |
| |View Configuration |
| |Reinitialize System |
| |Go To Fast Setup |
+-------------------------------+
2. Once in the above, select Boards. Press the Insert key and enter an
appropriate name and press Enter. Next, select the board that you are using
and press Enter; in our case we are using the WHSMAIO board.
+-------------------------------+
| Internetworking Configuration |
|-+--------------------------------------------------------------------------+
|| Configured Boards |
| |------+---------------------------------------------------+---------------|
| | Boar| WHSMAIO Board Configuration | Comment |
| | |E100|---------------------------------------------------| Transfe... |
| | |IBMT| WHSMAIO Board Name: COM_1 | Transfe... |
| | |VPTU| AIO Board Name: unknown | - |
||| | AIO Driver: unknown | |
| +------| |---------------+
| |Reinit| AIO Board Options: <Select to View> |
| |Go To | |
+--------| First AIO Port Number: 0 |
| Number of AIO Ports: 0 |
| Driver-Specific Configuration: |
+---------------------------------------------------+
3. You are automatically placed in the AIO Board Options window. Press Enter.
Once in the next window we selected the type of board that we were using
(AIOCOMX) and then selected COM_1. Press Esc and save the changes.
4. Return to the INETCFG screen and next select Network Interfaces and select
COM_1 created in the previous steps. You will be prompted to select the type
of communication (we selected PPP, the only choice we were given). Press
Enter.
5. The window highlighted the Modem/DCE Type. Press Enter and select the
type of modem. If yours is not listed and it is a standard compatible modem,
select the Hayes compatible modem. Ensure that you have RS-232 and
ASYNC in the Physical Type and Framing Type fields respectively. Click
Modem/DCE Options and ensure that you have AT set. These should all be
set by default. Press Esc until you are prompted to save.
6. Return to the INETCFG screen and select WAN Call Directory and press
Enter. Then press the Insert key and type a name that you would like and
press Enter. You will be prompted to select the type of communication. We
selected PPP (the only choice we were given). Press Enter.
7. Select the type as On Demand and enter the other information as given to
you by the ISP, such as user ID, password and number. Press Esc, save your
changes and return to the INETCFG screen.
8. Select Bindings and press the Insert key. Select Interface and select the
COM_1 that we created in the previous steps.
9. Select whether your IP address will be dynamically allocated or not. This will
depend on your ISP but generally you will be allocated an IP address as you
will have SMTP traffic set. For our example we chose dynamic.
10. You can also click Expert TCP/IP Bind Options and set up NAT as described
in 8.2.3, “Configuring NAT” on page 191. Next select the WAN Call
Destination and press Enter and the Insert key.
11. Press Enter on the WAN call destination that you have created. In our case we
only had one call, IGN, so we selected that WAN call.
12. In this window ensure that the Type is Automatic and then press Esc until
prompted to save the database. Keep pressing Esc until prompted to save the
TCP/IP information. Exit INETCFG.
13. You must restart the server, because you have created a new board.
The Reinitialize System choice in INETCFG is not enough. Once
you have rebooted and the board has loaded, you can use the command to
reinitialize the system whenever you change information.
14. If for some reason it does not work, you can load CONLOG.NLM on the server
console in the AUTOEXEC.NCF (this can be done in the INETCFG by clicking
Manage Configuration) and then reboot the server. After rebooting use the
command load edit etc\console.log and this will show a list of commands as
they were run during the server initialization. When you reinitialize the system,
this will also be in the CONSOLE.LOG file.
When the server object details appear, click the BorderManager Setup button on
the right and you will see Figure 138. Select the Gateway tab and check the box
next to the IP/IPX Gateway.
2. Next select the Transparent Proxy tab. Figure 139 appears.
Figure 140. Control Panel of NT 4.0 Workstation with Novell IP gateway installed
3. During the installation of the NetWare client, if you selected custom and then
checked IP gateway you should have the protocol Novell IP Gateway installed
as above. If not, go no further and install the client with those options as
discussed in 8.1.1, “Installing the configuration” on page 174. Double-click
Novell IP Gateway or highlight it and click Properties.
4. Check Enable Gateway and then enter the name of the server that you
installed BorderManager on and then enabled using NWAdmin in the previous
section. Ensure that the syntax is either a relative or a distinguished name. We
suggest that you use the fully distinguished name, because it does not rely on
the context of the user. After the name you must use -gw as shown in Figure
141.
5. Next enter the preferred tree and click OK.
6. You will need to reboot the workstation.
7. To ensure that you are connected, follow the same steps as above and ensure
that the fields under Current Gateway Status are filled in.
3. The default rule for the container is to deny all users everything. If you wish to
enable someone to browse the Internet using the HTTP proxy, you must
create a rule to enable it. Select OK and then click the button (next
to the red cross icon).
4. Select the type of access that the users will require and the sources and
destination and click OK. The rule is then added to the list of access rules in
this scenario. As this is installed in the default configuration, no more needs to
be done.
5. Wait for a few minutes until the NDS is updated.
3. On the screen above is a list of all the rules that will be allowed to pass
through the packet filter. Select the www-http entry and press Enter.
4. This window is the configuration of the rule for HTTP traffic that passes
through the firewall. Select Packet Type and press Enter.
5. Select www-http-st, which is the preconfigured packet type for HTTP traffic with
stateful filtering. Press Enter and then press Esc until you are prompted to
save the filter list. Select Yes and you now have a stateful filter for HTTP
traffic.
We experimented with the filters, access, and transparent proxy and found that
the transparent proxy made no difference to our IPX client, but all the rest allowed
or disallowed access as we configured them. We also downloaded some port
scanners and other tools that allow us to look at firewalls and if they are secure or
not. The BorderManager firewall seemed to stop all traffic that was expected and
allowed what we had allowed.
When we tried running Netscape Navigator or Microsoft Internet Explorer the first
time, they came back with errors immediately. When we tried again, the IP
gateway passed the information on extremely quickly.
The problem facing this client is that there is only one administrator, based in
the head office, and he must ensure rapid deployment of applications and
support, decrease TCO, and increase end-user productivity.
[Figure labels: ISP/Internet; Netfinity 5000 with NetWare 5 and BorderManager
(Proxy, Firewall, NAT, Access control, VPN); Netfinity 5500 M10 with
Windows NT 4.0 and Notes 4.61]
Note: These two filters have the public interface as the destination allowing the
DNS information and the ICMP packet through the firewall. Because we used
+------------------------------------------------------------------------------+
| Internetworking Configuration 3.32 NetWare Loadable Module |
+------------------------------------------------------------------------------+
+-------------------------------+
| Internetworking Configuration |
+------------------------------------------------------------------------------+
| Protocol To Interface/Group Bindings |
|-----+-----+-----------------------------------------------------------------++
| Pro| | Expert TCP/IP LAN Options ||
| |IPX|-----|--+-------------+--------------------+----------------------------+
| |TCP| Netw| N| | Status: |translation |
| |TCP| | F|-------------|--------------------|----------------------------|
| | | Loca| | Network Inte| |Disabled | IBMTRPO_1 |
| | | Subn| U| Interface Gr| |Dynamic Only | |
+-----| | B| | |Static and Dynamic| |
| Go| RIP | M| Status: | |Static Only | Disabled |
+----| OSPF| | Network Addr+--------------------+ (Select to View or Modify) |
| Expe| F+---------------------------------------------------------------+
+-----| Router Discovery Options: (Select to View or Modify) |+
| |
| Network Address Translation: (Select to View or Modify) |
+-----------------------------------------------------------------+
Network Address Translation Status. Choose from the menu
ENTER=Select ESC=Previous Menu F1=Help
5. You now have the option of setting the mode of the NAT server. We will be
selecting the static mode for the reason already described. If you are selecting
dynamic only, there is no more configuration to do, so press Esc and
answer Yes to the prompt about saving the information.
+------------------------------------------------------------------------------+
| Internetworking Configuration 3.32 NetWare Loadable Module |
+------------------------------------------------------------------------------+
+-------------------------------+
| Internetworking Configuration |
+------------------------------------------------------------------------------+
| Protocol To Interface/Group Bindings |
|-----+-----+-----------------------------------------------------------------++
| Pro| | Expert TCP/IP LAN Options ||
| |IPX|-----|--+---------------------------------------------------------------+
| |TCP| Netw| N| Network Address Translation |
| |TCP| | F|-----+-------------------------------------------------+-------|
| | | Loca| | Netw| Network Address Translation Table | |
| | | Subn| U| Inte|-----+-----------------------------------+-------| |
+-----| | B| | Pub| Network Address Translation Entry | | |
| |Go| RIP | M| Stat| |<Em|-----------------------------------| | |
+----| OSPF| | Netw| | | Public Address: | |odify) |
Expe| F+-----| | | Private Address: | |-------+
+-----| Router | | +-----------------------------------+ | |+
| +-------------------------------------------------+ |
| Network Address Translation: (Select to View or Modify) |
+-----------------------------------------------------------------+
Network Address Translation Public Address
ENTER=Select ESC=Previous Menu F1=Help
8. This screen will allow you to enter the public IP address that your ISP has
given you for the SMTP mail server. The ISP must also enter this as an MX
record in the DNS database. In the private address field enter the IP
address that you have manually configured on the SMTP mail server.
9. Press Esc until you are prompted to save the information where you select
Yes. Make sure that the BorderManager is filtering the RIP packets so that the
internal addresses are not displayed to the outside world.
10. There are some limitations as to what ICMP packets NAT will handle for this
information. Go to http://www.support.novell.com and search on 2928309.
This is the number of a Technical Information Document (TID).
1. Set up a DNS server in the local location so that the clients do not have to go
out across the WAN to get the DNS information. Click (the create button)
to select the DNS server. Select the server and click OK.
2. To enable the DNS service on the server we entered the LOAD NAMED command
into AUTOEXEC.NCF.
3. Once this is done create a zone for the customer’s DNS setup, and set up a
secondary zone to download the DNS information from the ISP DNS server.
4. Figure 149 shows where you configure primary and secondary IN-ADDR
ARPA zones. The information will be supplied by the ISP or you will have the
information already.
5. Next, configure the DHCP services. To install a DHCP server, select the DHCP
tab and then click the Create button.
6. Select the DHCP server and click OK. Then, select the server that you wish to
be the DHCP server.
7. To run the DHCP server, add the DHCPSRV command to the AUTOEXEC.NCF
file.
8. Next, configure the global options for all the DHCP clients. Click the Global
Preferences button. Figure 151 appears.
10. Select the global option that you require, such as DNS server or default router,
then add those to the right-hand box. By highlighting the global options and
then clicking Add at the bottom you can set the number of the IP address to
the actual name server.
11. Next, set a DHCP zone or zones for clients using this DHCP server. By
clicking the server at the bottom of the DHCP tab and selecting the Create
button you can create the zone.
12. Figure 153 shows all the information required to create a subnet, including
context, default server and the name of the subnet. Once this is completed,
highlight the subnet that has been created and click Create. Select Create
Subnet Range.
13. The window shown in Figure 155 allows you to create an address range for
DHCP requests. Once the range has been created you can then specify which
address you want to exclude by selecting the subnet and clicking the
Create button and highlighting the IP address. There are two default
addresses that are already set aside: 0 and 255.
14. Entering the IP address stops the DHCP server from allocating this to a client,
so servers with an IP address manually configured will not get a conflict. The
method above is the automatic mode. If you change the Assignment Type and
select Manual, you will see the window in Figure 156.
15. The window in Figure 156 allows you to be more specific and allocate an IP
address.
16. Reboot and the workstations are ready to use DHCP.
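Steps 13 and 14 rely on every manually configured server address being excluded from the DHCP range. The following is an added example, not part of the original guide or of Novell's tools, that audits a planned range in Python before you enter it. The subnet, the range, the host names other than SRV-NW5-1 and all addresses are constructed, and the example assumes that the reserved "0 and 255" are the network and broadcast addresses of the subnet.

```python
import ipaddress


def dhcp_pool(subnet, range_start, range_end, excluded):
    """Return the set of addresses the DHCP server may hand out."""
    net = ipaddress.ip_network(subnet)
    start = ipaddress.ip_address(range_start)
    end = ipaddress.ip_address(range_end)
    if start not in net or end not in net:
        raise ValueError("address range lies outside the subnet")
    if start > end:
        raise ValueError("range start is above range end")
    # Assumption: the two addresses "already set aside" (0 and 255) are the
    # network and broadcast addresses of the subnet.
    reserved = {net.network_address, net.broadcast_address}
    reserved |= {ipaddress.ip_address(a) for a in excluded}
    pool = set()
    for value in range(int(start), int(end) + 1):
        addr = ipaddress.ip_address(value)
        if addr not in reserved:
            pool.add(addr)
    return pool


def conflict_candidates(static_hosts, pool):
    """Return {name: address} for static hosts whose address is still in the pool."""
    return {
        name: addr
        for name, addr in static_hosts.items()
        if ipaddress.ip_address(addr) in pool
    }


# Constructed sample plan (not taken from the guide).
SUBNET = "192.168.10.0/24"
RANGE_START = "192.168.10.1"
RANGE_END = "192.168.10.200"
EXCLUDED = ["192.168.10.10"]
STATIC_HOSTS = {
    "SRV-NW5-1": "192.168.10.10",   # excluded, so safe
    "SMTP-HOST": "192.168.10.25",   # inside the range and not excluded
    "ROUTER": "192.168.10.254",     # outside the range, so safe
}

if __name__ == "__main__":
    pool = dhcp_pool(SUBNET, RANGE_START, RANGE_END, EXCLUDED)
    print("addresses available to clients:", len(pool))
    for name, addr in conflict_candidates(STATIC_HOSTS, pool).items():
        print(f"exclude {addr} ({name}) before enabling the range")
```

Any host reported by conflict_candidates needs an exclusion entry (step 13) before the DHCP server is started.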
If you have any problems in either the TCP/IP configuration or the server, you can
use the TCP/IP debug command, which provides a lot of information. However,
with CONLOG loaded (type CONLOG at the server console) you will be able to edit
the file SYS:\ETC\CONSOLE.LOG and see the information. To set TCP/IP debug,
type
set tcpip debug = 1
Configuring the filter was the same as all the others that allowed incoming traffic,
except this time we specified the source IP address, which is the IP address of
the SMTP host the ISP has.
When BorderManager was installed, one of the cards was made a public
interface. This card was the interface to the outside world and was therefore
secured by the BorderManager installation. As part of the setup, exceptions were
defined for VPN use as shown in Figure 157.
Figure 157 shows there are three exceptions that have been set up to allow the
VPN to function over the public interface. If you have trouble communicating over
the VPN you can get information on the filter’s exceptions. In the BorderManager
documentation under Prerequisites, see the table showing these for site-to-site
and site-to-client communication.
The first area that we will configure is the master VPN. This is all done at the
server console.
1. At the server console type NIASCFG. The first time NIASCFG is run you will be
prompted that all information will be moved into the NETINFO.CFG file. You
can then continue and configure what you want and reboot or press Esc and
reboot.
2. Select Configure NIAS -> Virtual private network -> Master server
configurations. You will be prompted that only one master VPN is allowed per
VPN. Select Continue and press Enter.
3. Select Configure IP address and press Enter.
+--------------------------------------+
| VPN Server Configuration |
|-----+-----------------------------------------+
| |Mas| Master Server Configuration |
| |Sla|------+---------------------------------------------+
| |Upd| |Conf| Configure IP Addresses |
| |Dis| |Gene|---------------------------------------------|
| |Rem| |Copy| Public IP Address: Not Configured |
+-----| |Auth| Public IP Mask: Not Configured |
+------| |
| VPN Tunnel IP Address: Not Configured |
| VPN Tunnel IP Mask: Not Configured |
+---------------------------------------------+
4. The screen allows you to enter the Public address of the VPN. This can be the
address of the Internet or a private address that you wish to secure inside your
own network. The information required is the IP address of the interface that
you wish to secure and the IP address that the VPN tunnel will use. This can
be any IP address that you wish to use. The main constraint is that all VPN
slaves must also be on the same subnet.
5. Fill in the information that you want in the required fields and press Esc and you
will be prompted to save the information.
6. Next, select Generate encryption information and press Enter.
7. You will be prompted to enter a random seed. This is a random set of
alphanumeric characters that the VPN will use to create the encryption
information. This information does not need to be recorded in any way and you
can enter up to 255 characters. Press Enter when complete.
8. The information will then be entered in the NDS and when this is complete
press Enter.
9. Next select Copy encryption information. A file will be sent to the slave
server to be used for its encryption information, so here you need to type the
path where you want MINFO.VPN saved. The default is a:\ but you can save it
to any volume or location. Press Enter.
10. The file will be copied and upon creation you will be prompted and can press
Enter.
11. From here press Esc until you are out of NIASCFG.
Next we will configure the slave VPN server. There can be multiple slave servers
but as stated previously they must all communicate via their IP addresses and
+------------------------------------------------------------------------------+
| VPN Server Configurator Ver 4.50 NetWare Loadable Module |
+------------------------------------------------------------------------------+
+--------------------------------------+
| VPN Server Configuration |
|-----+----------------------------------------+
| |Mas| Slave Server Configuration |
| |Sla|------+--------------------------------------------------+
| |Upd| |Conf| Message Digest for Authentication |
| |Dis| |Gene+--------------------------------------------------|
|Rem| |Copy| 82 A2 01 FA 09 E5 0E 6C AF 99 EB AF 8B 76 82 A2 |
+-----| |Auth+--------------------------------------------------+
+-+------------------------------------------------------------+
| Does the message digest authenticate to the master server? |
|------------------------------------------------------------|
| |No |
| |Yes |
+------------------------------------------------------------+
8. On this screen you can either just answer Yes or, for added security, ensure that
this information matches the digest information from the master VPN server.
9. From NIASCFG, select Virtual private network -> Master server
configurations -> Authentication encryption information. Compare the
values shown here with those on the master VPN server. If they are not the
same, someone has tampered with the file.
Next, using NWAdmin, we will configure NDS to allow access to the VPN.
1. Open NWAdmin, ensuring that you have updated the snapins since installing
the patches.
2. Click BorderManager Setup and then select the VPN tab.
4. This window lists only the master server at present. Click the (add) button
and you will be prompted for the path of the SINFO.VPN file that was created
during the installation of the slave server. Press Enter once you have entered
the path to the SINFO.VPN file.
5. This is the digest information for the slave. Compare it to the server console or
use RCONSOLE and select Virtual private network > Slave server
configurations > Authentication encryption information. Compare the
numbers: if they are not the same, someone has tampered with the file. Select
Yes to continue.
6. You will then be prompted to enter information about protected networks or
workstations. Because we are only protecting one network and that is done
automatically, select No.
7. Click the Status button in Figure 159. Now there should be two servers listed.
8. Click the Synchronize All button and ensure that each entry is up to date. We
will return to this screen later to check the status of the VPN. Click OK.
9. Click Control Options (Figure 159) to modify the control of the VPN
connections.
10.Both protocols are enabled. We will disable IPX as we only require IP in our
scenario. If you disable both of the protocols you will be warned that VPN
communication will cease to work. This is a good way to stop any
communication over the VPN without unloading or removing the VPN.
11.The next section is for the information on how the calls will be initiated. If you
know that the calls are always going to come from one end then you can select
One Side communication. However, in our case the communication will be
initiated from both ends, so we will enable Both sides.
12.The other section is the design of the topology. We decided to leave the
default as we have only two sides. The topologies are as follows:
– Full Mesh (default) — All servers are interconnected to form a web or
mesh, with only one hop to any VPN member. There is communication
between every member in the VPN. This topology is the most fault-tolerant.
However, it requires more WAN traffic to pass. If a VPN member goes
down, only the connection to that VPN’s network is lost. Once the
14. We left all of these at the defaults but it is possible to allocate other networks
or clients to be protected. Also the different types of encryption can be
configured here. One important area is the methodology for allowing static or
dynamic IP RIP. We chose static as we only had two networks and for the
added security. For more information refer to “Designing and Planning a VPN”
and “Options for Determining Which Private Networks are Protected by the
VPN” in the BorderManager user manual.
15.When you click OK and you exit out of the VPN configuration the server loads
certain NLMs depending on what server you are working on. Figure 164
shows some of the console information that is shown at this time.
8-100-1
6-30-1999 5:51:58 pm: BRDSRV-2.4-11
Timestamp synchronization of IPXIPGW.NLM is completed.
NW5_BM3:
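The digest comparisons in the steps above (the master's digest checked on the slave server, and the slave's SINFO.VPN digest checked in NWAdmin) are done by eye. The following Python helper is an added example, not part of the redbook or of BorderManager: it compares digests transcribed from those screens and reports which byte positions differ. The 16-byte length is taken from the slave-server screen shown earlier; the function names and all readings other than that screen's digest are constructed for illustration.

```python
"""Compare message digests transcribed from NIASCFG / NWAdmin screens."""
import hmac
import re

# Assumption: digests have the same length as the 16-byte value on the
# "Message Digest for Authentication" screen shown earlier on this page.
DIGEST_BYTES = 16


def parse_digest(text):
    """Convert a digest as transcribed from a screen into raw bytes.

    Spaces, colons or dashes between bytes and either letter case are accepted.
    Anything else (wrong length, letter O typed for zero, ...) is rejected
    rather than repaired, so a sloppy transcription cannot pass as a match.
    """
    compact = re.sub(r"[\s:-]+", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]+", compact):
        raise ValueError("not a hex digest: %r" % (text,))
    if len(compact) != DIGEST_BYTES * 2:
        raise ValueError(
            "expected %d bytes, got %d hex digits" % (DIGEST_BYTES, len(compact))
        )
    return bytes.fromhex(compact)


def differing_bytes(reference, observed):
    """Return 1-based byte positions, counted as on screen, that differ."""
    return [i + 1 for i, (a, b) in enumerate(zip(reference, observed)) if a != b]


def check_readings(reference_text, readings):
    """Compare every reading against the digest shown on the source server.

    readings maps a label (where the digest was read) to the transcribed text.
    Returns {label: []} for a match, or {label: [positions]} for a mismatch.
    """
    reference = parse_digest(reference_text)
    result = {}
    for label, text in readings.items():
        observed = parse_digest(text)
        if hmac.compare_digest(reference, observed):
            result[label] = []
        else:
            result[label] = differing_bytes(reference, observed)
    return result


def all_match(result):
    """True only if every reading was identical to the reference."""
    return all(not diffs for diffs in result.values())


# Digest exactly as displayed on the slave-server screen earlier on this page.
SCREEN_DIGEST = "82 A2 01 FA 09 E5 0E 6C AF 99 EB AF 8B 76 82 A2"

# Constructed readings for the demonstration (not from the page): one that is
# the same value written differently, one with a single altered byte.
READINGS = {
    "read over RCONSOLE": "82:a2:01:fa:09:e5:0e:6c:af:99:eb:af:8b:76:82:a2",
    "after file copy (constructed mismatch)":
        "82 A2 01 FA 09 E5 0E 6C AF 99 EB AF 8B 77 82 A2",
}

if __name__ == "__main__":
    outcome = check_readings(SCREEN_DIGEST, READINGS)
    for label, diffs in outcome.items():
        status = "OK" if not diffs else "MISMATCH at byte(s) %s" % diffs
        print("%-40s %s" % (label, status))
    print("answer Yes" if all_match(outcome) else "answer No and re-copy the file")
```

A mismatch at any position means the answer on the authentication screen is No; the reported positions only help rule out a misread character before the file is copied again.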
We now have a working VPN. Or do we? The first and most basic test is to see if
we can ping the other server’s VPN IP address. Make sure that your filters are set
correctly. If this works, you can then check the status information on the VPN.
1. Return to the VPN master screen and select Status. Select a server and click
Activity.
4. You can get digest information or specify whether to encrypt all or some of the
networks that the client is connecting to. Click OK if any selections have been
made, or Cancel to accept the defaults.
5. The access rules must be set in the same manner as in 8.1, “Small
configuration” on page 173. Select the container for which you want to set
access rules. Right-click and select Details.
6. Select the BorderManager Access Rules button. In the rules area add a rule
to allow a VPN client and specify which users, groups and containers are
enabled to use the VPN as a client.
7. The client must have Dial Up Networking (DUN) installed with an ISDN
accelerator patch. You can download this from:
http://www.microsoft.com/Windows/getisdn/
You will need the IP address of the VPN server and the location of the
Windows 95 CAB files and the NetWare client files. We found the required files
on the Client CD in the \PRODUCTS\WIN95\IBM_ENU directory.
8. When you install the patch, it will begin copying files. If you are installing an
ISDN card, you need to follow the manufacturer’s instructions.
9. To install the VPN client we used the files from the directory
SYS:\PUBLIC\FRDMGR\VPN on the VPN Client CD. In this directory there is a
setup that you run.
10.After the welcome screen you will see what information you need and what
needs to be configured (Figure 169).
11.The next screen lists the required items you will need for the installation and
where to get them.
12.The files will begin to be copied and if there are any conflicts with newer files
on the machine you will be prompted.
13.You will then be required to point the installation to the location of the NetWare
client files. We pointed to the \products\win95\ibm_enu directory.
14.When the installation is complete you get a message stating what the other
components are and what you need to configure. All three components are
configured by the installation process placing you in the required applications.
Select Next.
15.When you click Next you are placed into the DUN to make a new connection.
19.If you are dialing through the ISP, then you need to enter the ISP’s DNS server
IP address. Select Next.
20.On the next screen choose the options that you want and select Finish. Your
machine will reboot.
21.After rebooting and double-clicking on the icon that is created during the
installation of the VPN client, you will see the client login tab.
22.This login is very similar to the NetWare login with the user name and the
context of that user. These are the user’s normal network credentials.
23.Click the Netware Options tab (Figure 174) to configure certain options for
Novell Client. We unchecked Enable IPX as we are running only IP. All other
options we left as the defaults.
24. Click the Dial Up tab. You can use your NetWare username and password here
if you have a RADIUS server in your network and the ISP has a RADIUS proxy
server. The proxy server then contacts the RADIUS server at the company site
and checks the credentials of the user.
25.Otherwise, use the user name and password that the ISP has given you. The
username and password will be saved upon successful login.
26.The other two tabs are the Launcher tab, which is used to launch an
application on successful login, and the VPN Status tab, which gives you
information on the status of your connections.
Note
Ensure that in the next step you enter only the drive letter with no colon
after the letter (for example D rather than D:). The installation will fail if you use
a colon.
3. You must enter the drive letter that is mapped to the SYS: volume that you
want to install Cyber Patrol to. Click Proceed.
4. The installation then begins copying files. Click Save settings and the
installation is complete.
5. The Cyber Patrol software relies on the NLM called CPFILTER, which must be
loaded at the bootup of the server to have the added facilities of Cyber Patrol.
6. So go into the INETCFG and select Manage configuration then edit
Autoexec.ncf. Enter the following command at the end of the file as it relies
on other NLMs being loaded:
LOAD SYS:\ETC\CPFILTER\CPFILTER.NLM
7. The next step is to set up the access rules that allow or disallow types of
sites, so that we can block the ones we do not want. Go to NWAdmin and select
the container and server where the access rules reside. Double-click to bring
up the details screen.
8. We then selected the BorderManager Access rules button and clicked Add.
This is the same as we did in 8.1.2.4, “Access rule allocation” on page 183. At
the top of the window we clicked on the Deny rule as we are using the
CyberNot list.
9. We then left the sources as any and selected Specify for the destination and
clicked Browse. If you have the cpfilter.nlm loaded you will see a drop down
CyberNot list, as shown in Figure 175.
10.Select the areas that you want to block for users, based on your company’s
security policies. When you click OK and OK again to get out of the
BorderManager Access rules window, the ACLs are updated and time
stamped. This can be seen on the server console.
8.2.9 ZENworks
After the installation of ZENworks the first thing that had to be done was to
register the workstations. To enable this, you must first ensure that the client has
a connection to the Novell network via an NDS authentication. There are several
applications that are installed by default in the context of the server on which you
installed ZENworks. These are the administration applications and the
applications required to register workstations.
1. To enable the NDS to import the workstation objects you must create a policy
package. Open NWAdmin and select the container context where you want
the policy to be and select File -> Create. Choose the policy package object
and click OK.
2. A user policy package for each type of workstation operating system must be
created, since each policy has specific components and choices depending on
the operating system that will be accessing it. Select WinNT User Package
and click Next.
3. If you are creating more than one policy package, enter a name that you wish
or accept the default. The context of the package that will be created will be
filled in if you selected the correct context when creating this package. Click
Next.
4. Figure 178 lets you enable certain policies. Put a checkbox in Workstation
Import Policy then click Details. Figure 179 appears.
5. Here you specify where the workstation object will be created. We have
accepted the default, User Container. If you have created a context for the
NDS users, choose that or the context of the policy. Select the Workstation
Naming tab.
6. Figure 180 allows you to add information to, or remove information from, the
name of the workstation, since often the name of the actual workstation is not
required but the IP address is. We added the name of the
user and in the drop-down box we selected the IP address rather than the IPX
address. Select the Workstation Groups tab.
7. You can associate workstations with a group just as you would a group of
users. We prefer to use containers as our grouping of the workstations. If there
are enough workstations, we suggest you create an organizational unit for
Select Add and browse the default applications that were installed and select
the WReg application that runs the WSREG32.EXE. Select the force run so
that the workstation will run when you log in and run the new login script.
Place it on the desktop so that the users are able to run it if necessary. Select
OK when you have made the changes that are required.
10.From NWAdmin select Tools > Import Workstation.
16.As discussed in 2.5, “NDS for NT” on page 33, you may have to have domains
or an unmanageable number of accounts created. Using ZENworks you can
dynamically create these users, then delete them or leave them, or use
existing accounts that have already been created. It also allows you to control
into which groups users are put on that workstation.
17.The next policy to enable is the Windows NT desktop preferences. See Figure
185.
This window allows you to control the location of the users’ profiles. In the
window above, we have specified a policy that we created. Refer to the
ZENworks documentation to find out how to create a mandatory policy with a
.MAN extension. This means that all users will get the same look and feel, and
if they change anything it will be back to the original when they log
in next time.
18.Click the Control Panel button to control the features of the desktop, such as
keyboard, DOS prompts, and wallpaper.
21.The boxes that are checked perform the tasks described next to them. We
disabled the run command from the start menu and restricted the display of
the control panel. There are numerous other items that can be changed and
you will have to make decisions according to your environment.
+------------------------------------------------------------------------------+
| Directory Services Login/Authentication |
|------------------------------------------------------------------------------|
|Connect Rights Level: [Root] |
|Administrator Name: Admin.IBMAU |
|Password: |
+------------------------------------------------------------------------------+
ESC=Abort F1=Help
2. The message explains the reasons why you must log in using the admin user
or equivalent. Enter the required information and press Enter.
3. You are given the option to see an explanation of the steps that are necessary
to have the remote access working. We selected No.
4. You will see a window explaining the availability of online help. Press Enter to
continue. The first selection screen asks whether you have any
synchronous communications boards such as X.25. We did not select this as
we are using a modem to connect.
5. The next window is similar to the installation of the I/O driver in 8.1.2.1,
“Creating an on-demand dial-out to the ISP” on page 174 and we selected the
serial port (com_x). Press Esc after entering the type of I/O board. You will
be prompted to save the configuration; select Yes and press Enter.
6. You are then prompted to enter the board name. We entered COM1RAS. Also
you need to ensure that the correct I/O and interrupt are selected. The default
COM port addresses are:
– COM1: address 03F8, interrupt 4
– COM2: address 02F8, interrupt 3
– COM3: address 03E8, interrupt 4
– COM4: address 02E8, interrupt 3
7. Press Esc when all is entered and select Yes when prompted to save the
information.
8. You will be prompted if you need to load more I/O drivers. We selected No.
9. The next prompt is to ensure that your modem is powered on and connected,
as the software will try to detect the type of modem. If it does not find the
+------------------------------------------------------------------------------+
| Remote Access Configuration 4.1 NetWare Loadable Module |
| Context: [ROOT] |
+------------------------------------------------------------------------------+
+----------------------------------------------------------------------------+
| NIAS Remote Access is attempting to determine which ports have modems |
| attached |
| |
| Modem checking is complete |
| |
| Total Ports found: 1 |
| X.25: 0 ISDN: 0 TCP: 0 |
| |
| |
| Licensed Ports: 1 |
| Modems found on licensed ports: 1 |
+----------------------+--------------------------------+--------------------+
| Select next action |
|--------------------------------|
| |Continue With Automated Setup |
| |Try Modem Discovery Again |
+--------------------------------+
10.Once the modem was found we continued with the automated setup.
11.Next, choose the types of protocol communications that you want the remote
access to support. We selected only PPPRNS; the others that are supported are
AppleTalk and NCS for dialing-out protocol.
12.After selecting PPPRNS you will have the choice of IP and/or IPX. We selected
IP.
+------------------------------------------------------------------------------+
| Parameters for Loading Service |
|------------------------------------------------------------------------------|
| Local IP Address: 192.168.10.1 |
| Subnet Mask: 255.255.255.0 |
| |
| Use Header Compression: No |
| |
| Specify Client Address Range: No |
| |
| |
| |
| |
| |
| |
| |
+------------------------------------------------------------------------------+
+------------------------------------------+
ESC=Back F1=Help
13.You need to enter an IP address that is for this interface only and then you
also have to ensure that the IP subnet has addresses for the users that will be
connecting to the LAN.
14.We then pressed Esc and selected Yes when prompted to save the
configuration. We chose the IPX protocol as well and entered another unique
address for this. We pressed Esc and answered Yes to save the changes.
15.You will then see a warning screen.
+--------------------------------------------------------------------+
| This screen lets you select the protocols used by the PPP service. |
+------------------------------------------------------------------------+
| The current configuration will be activated. This will cause all |
| active connections to be lost. The screen will be switched to the |
| system console screen to view the results. |
| If you do not want the current configuration activated at this time, |
| press F7. You will then have to issue a Reinitialize System command or |
| restart your server at some later time to activate the configuration. |
| |
| <Press ENTER to continue> |
| <Press CANCEL (F7) to abort> |
+------------------------------------------------------------------------+
|| |
+------------------------------------------+
16.Since we had no users connected we pressed Enter on this screen. The next
screen is a summary of the configuration.
+------------------------------------------------------------------------------+
| Remote Access Configuration 4.1 NetWare Loadable Module |
| Context: [ROOT] |
+------------------------------------------------------------------------------+
+------------------------------------------------------+
| Congratulations! You have completed the installation |
| and basic configuration to run NIAS Remote Access. |
| |
| The basic configuration has the following features: |
| |
| -- all users can access all ports |
| -- all users can access all services |
| -- all services can access all ports |
| -- all users have unlimited connection time |
| |
| <Press ENTER to continue> |
+------------------------------------------------------+
+------------------------------------------------------------------------------+
| Remote Access Configuration 4.1 NetWare Loadable Module |
| Context: [ROOT] |
+------------------------------------------------------------------------------+
+-----------------------------------+
| Remote Access Options |
|-----------------------------------|
| |Configure Ports |
| |Configure Port Groups |
| |Configure Synchronous Interfaces |
| |Configure Security |
| |Configure Services |
| |Set Up ... |
| |Generate Configuration Report |
+-----------------------------------+
18.From this screen we chose Configure Security and then selected Restrict
service by user and pressed Enter on the PPPRNS entry.
+-----------------------------------+
| Remote Access Options |
+------------------------++------------------------+
| Remote Access Services || Authorized Users |
|------------------------||------------------------|--+
| |PPPRNS || |admin.IBMAU | |
|| || | |--|
|| || | | |
|| || | | |
|| || | | |
|| || | | |
|| || | | |
|| || | | |
|| || | |s |
+------------------------++------------------------+--+
Description: PPP Remote Node Service
Function: Provides Remote Node access for DOS/UNIX/Windows computers
19.On this screen, replace the default <any user> by pressing Insert and
selecting admin from the context. This ensures that only the admin users can
get access to the PPPRNS service.
20.To verify your configuration, select Generate Configuration Report.
21.You can also set up some of the items that are available in the main remote
access screen in NWAdmin. Right-click a container, select Details (see Figure
188), then the Remote Access button.
22.If you double-click a user, you get two Remote Access buttons. See Figure
189.
Users can log in and get their information from the login prompt without
worrying about context; they need only part of their name and the password. This
information is based on the TID 2940793.
1. Ensure that DSCAT.NLM is loaded on the server.
2. Run NWAdmin.
3. Select the context that you want and create an NDSCAT:Master Catalog object.
Make sure the name is no longer than 8 characters, as Novell has mentioned
that longer names can cause problems.
4. Double-click the object.
5. From this window, select the server that is running the DSCAT.NLM and place
it in the Host Server field. Select a security equivalent that is able to browse
the tree. You may wish to set up a specific user for this, so that no one can
delete it and that it has only the rights required for this job.
6. Select primary and secondary labels for the catalog. These are used by
applications and administrators.
7. Click the Filter button.
8. In Figure 191, you specify the information that you want imported. For more
information on this, click the Attributes / Indexes button and select
Attributes.
9. Since we want only the user objects for our login purposes, we enter "Object
Class" = "User" and ensure that the Search Subtree is set.
10.Select the Schedule button to set the periods that you want the dredger to run
and get updates. This can be done manually or set to run every night or
whenever you want.
11.Click on the Attributes/Indexes button.
12.Click the Select Attributes button and then choose Full Name. Then choose
Select Indexes and add the attributes that you have just selected. You can
choose to catalog and index all the attributes.
13.Click OK to save the settings. Do not update now, to allow the catalog object
time to read and browse the NDS tree.
14.Right-click the [ROOT] object and select Trustees of this Object. You will see
Figure 191.
15.Select the Add Trustee button and add the [Public] and [ROOT] objects and
give them Browse, Read and Compare rights. These are given by default
when you add the object.
18.Select the Contextless Login tab and check Enable if you wish to enable the
use of wild cards. Next, enter the tree and the catalog name. The catalog
name must be a fully distinguished name and start with a period. Make sure you
click Add when finished entering the information.
19.Reboot the workstation.
20.To ensure that it works, type in the name of the user and press the Tab key. It
will then show you a list of all the names that match the one that you typed and
their contexts. If yours is the only one, it will show only that one.
5. Next to the Proxy Username field click the Browse button and select the
user that you configured to have the correct rights for the container that you
wish.
6. Then select the Browse button next to the Suffix window and select a
container. This will limit the user to be able to access this container only.
7. Click the Server List button and ensure that the server that is running the
LDAP services is in the list. If not, browse and select the server.
8. Now go to the client and use the Netscape browser to make some LDAP
requests.
9. Select the address book icon in the bottom right hand corner.
10.Right-click the address items and select a new directory.
11.Place any name that you wish in the Description field. In the LDAP Server
field, enter the DNS name or IP address of the server that you have just
configured. In the Search Root field, enter the distinguished name for the NDS
container where the LDAP should start its search. The rest you can leave as
default.
A1 The total amount of disk space connected to the server, not the amount of disk
space being used. Note: 1 = 1 MB, 1024 = 1 GB. Unit: MB
A2 Calculate the megabytes of usable disk space connected to the server. For
duplexing or mirroring, use the formula A1 x 0.5 or just copy A1. Unit: MB
A7 The maximum number of files on the server. [Maximum number of files for storage
= A2 x 1042 / average file size.] Unit: Files
1 The minimum amount of memory for the server’s operating system (NetWare 5
minimum is 64,000 KB). Unit: KB
7 Memory required for supporting NLMs requirements (2000 KB total for Btrieve,
CLIB, install and Pserver). Unit: KB
8 Memory requirements for installed services (refer to the minimum memory for the
application). Unit: KB
The average file size can be calculated by dividing the total bytes backed up by
the total number of files backed up.
Total server hard disk For example, 3 x 9 GB, 2 mirrored 1 hot spare = 9 GB
local
Language
Country/code page/keyboard
Mouse/video
Platform support module
Server Name
Time zone information: Subtract 5.00 for US and Canada Eastern time. Adjust daylight savings: Yes / No
NDS information Tree Name: For example, IBMAU
Password:
Serial number:
Patch information Path: For example, sys:\system\patch\ver2 File: For example, nw5sp2a.exe Version: For example, patch 2a
Comments:
Secure all public interfaces: Yes / No
Enable HTTP for all private interfaces: Yes / No
DNS information DNS Domain: For example, ral.itso.ibm.com
2.
3.
Note
Make sure that you make a backup of the FILTER.CFG file in the SYS:\ETC
directory. Print this file and attach it to this worksheet.
Server Partitions
Parameter
Tree name
Users:
Replica Yes
No
Server name
Service process
Information in this book was developed in conjunction with use of the equipment
specified, and is limited in application to those specific hardware and software
products and levels.
IBM may have patents or pending patent applications covering subject matter in
this document. The furnishing of this document does not give you any license to
these patents. You can send license inquiries, in writing, to the IBM Director of
Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged, should contact IBM Corporation, Dept.
600A, Mail Drop 1329, Somers, NY 10589 USA.
The information contained in this document has not been submitted to any formal
IBM test and is distributed AS IS. The information about non-IBM ("vendor")
products in this manual has been supplied by the vendor and IBM assumes no
responsibility for its accuracy or completeness. The use of this information or the
implementation of any of these techniques is a customer responsibility and
depends on the customer's ability to evaluate and integrate them into the
customer's operational environment. While each item may have been reviewed by
IBM for accuracy in a specific situation, there is no guarantee that the same or
similar results will be obtained elsewhere. Customers attempting to adapt these
techniques to their own environments do so at their own risk.
Any pointers in this publication to external Web sites are provided for
convenience only and do not in any manner serve as an endorsement of these
Web sites.
C-bus is a trademark of Corollary, Inc. in the United States and/or other countries.
Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Sun Microsystems, Inc. in the United States and/or other countries.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States and/or other countries.
SET and the SET logo are trademarks owned by SET Secure Electronic
Transaction LLC.
Other company, product, and service names may be trademarks or service marks
of others.
This information was current at the time of publication, but is continually subject to change. The latest information
may be found at the redbooks Web site.