----------------------------------------------------------------------
NOV-NDS4.DOC -- 19970331 -- Email thread on NetWare Directory Services
----------------------------------------------------------------------

Feel free to add or edit this document and then email it back to
faq@jelyon.com

Date: Mon, 28 Oct 1996 17:47:08 +0200
From: Patrick Medhurst
Subject: Re: SET DSTRACE= settings -Reply

>>I always try this when applying the latest DS.NLM, but SET DSTRACE=*
>>doesn't reload the DS.NLM !!

Ensure that you are typing the period after the asterisk,
i.e. SET DSTRACE=*.

Doing this will also reset the DSTRACE view parameters back to the default.
There must be a better way to remove the DSTRACE=ALL setting.
Unfortunately, I don't know what it is either.

---------

Date: Mon, 28 Oct 1996 17:04:18 +0000
From: Richard Letts
Subject: Re: SET DSTRACE= settings -Reply

>>> I always try this when applying the latest DS.NLM, but SET DSTRACE=*
>>> doesn't reload the DS.NLM !!
>
>Ensure that you are typing the period after the asterisk,
>i.e. SET DSTRACE=*.
>
>Doing this will also reset the DSTRACE view parameters back to the default.
>There must be a better way to remove the DSTRACE=ALL setting.

The one I most frequently look at is +sync

   set dstrace=+sync

does an implicit ON, but only sets the sync flag. However our tree is now
too big for this to be much use for anything but the grossest of problems.
Running the Sync Status report in DSrepair gives me the same information
in a tabular form.

If you want a GUI then NDSMgr in the 4.11 beta gives you the same
information with icons, and on-line help on how to fix any problems.

---------

Date: Tue, 29 Oct 1996 09:51:05 +1100
From: Adrian Moore
Subject: Re: SET DSTRACE= settings

According to some notes I got from the "Understanding NetWare Directory
Services" seminar, SET DSTRACE accepts quite a chunk of switches, and will
even accept garbage (Like SET DSTRACE=FFFFFFFF ).
You enable or disable filters, and can get back to "standard" sets of
filters with:

SET DSTRACE=AGENT
   Gives you these filters enabled: "ON, JANITOR, BACKLINK, RESNAME,
   DSAGENT, VCLIENT"

SET DSTRACE=DEBUG
   Gives you "ON, INIT, FRAGGER, MISC, STREAMS, LIMBER, JANITOR, BACKLINK,
   SKULKER, SCHEMA, INSPECTOR, ERRORS, PART, EMU, VCLIENT, RECMAN, REPAIR"

SET DSTRACE=ALL
   Gives you all "debug trace message filters".

Documentation for SET DSTRACE=OFF says that it only disables the DSTrace
debug screen and does not reset filters (what you are seeing).

Documentation for SET DSTRACE=ON says that "the minimum debug level is
turned on". This seems to be the case.

Write an NCF which sets DSTRACE to have all the filters enabled that you
require, like:

TRACE.NCF:
   SET DSTRACE=ON
   SET DSTRACE=+J +BLINK

I think that will initialise DSTRACE to only the standard filters plus the
janitor and backlink filters (seems to work here).

---------

Date: Tue, 29 Oct 1996 09:02:56 +1000
From: Mark Cramer
Subject: Re: SET DSTRACE= settings -Reply

>>>I always try this when applying the latest DS.NLM, but SET DSTRACE=*
>>>doesn't reload the DS.NLM !!
>
>There must be a better way to remove the DSTRACE=ALL setting.
>Unfortunately, I don't know what it is either.

Hands up everyone who hasn't downloaded DsDoc2.Exe from Novell's site!

Appendix Page 30-> Dstrace Commands Filters and Processes

Page 36 +Min *Note To use correctly Set Dstrace=NoDebug then Set
Dstrace=+Min. This is the same as unloading ds.nlm and reloading it to get
back to the default of DsTrace.

---------

Date: Tue, 29 Oct 1996 13:51:17 NZST+1200
From: Alister Leask
Subject: DSTrace Commands

A couple of weeks ago I found 2 TIDs at the Novell site. One was entitled
"DSTrace Commands, Filters and Processes" TID# 2909026, the second
"Directory Services Trace Screen" TID#2909019. Not only do these answer
the original question, but contain lots of info about other commands and
the states the NDS database can be in when changes are made.
Try DSTRACE=+MIN to reset all filters...

------------------------------

Date: Tue, 5 Nov 1996 10:35:15 GMT
From: Paul Lees
Subject: Re: A Directory Services Value Does not exist ?

>Our Novell 4.1 Directory services have been giving us
>problems. Every new server we add to our tree we cannot put a replica
>to the [Root] partition. When we try to add the Replica of the
>[Root], we get this error from partition manager:
>
>"An internal system error has occurred. A directory
>Services value does not exist. Error code FDA6. Current operation
>cannot be completed."

What error are you seeing on the target server? You may see one of the
following without an error code:

1. Error unable to communicate -- Look in DSTRACE for the object with the
   problem (SET DSTRACE=+SYNC). This is probably a problem with either the
   public key or the remote ID. Run DSREPAIR to verify remote server IDs.
   If errors appear there, run this same option once more to verify remote
   server IDs. If you get a -602 or -603 in DSREPAIR when verifying remote
   server IDs, call your Novell Authorized Service Center for support.

   Be aware, however, that a public key cannot be repaired unless there is
   at least one server in the tree authenticating without problems to the
   target server. The server authenticating OK to the target server must
   also have a real copy of the target server object, so it must have a
   replica (other than a subordinate reference) of the partition holding
   the target server object. If this is only a 2 server tree, the target
   server will need to be removed from the tree and reinstalled.

2. Error sending updates -- Look in DSTRACE for the object with the
   problem (SET DSTRACE=+SYNC) and try deleting the object.

------------------------------

Date: Thu, 7 Nov 1996 15:01:04 -0600
From: Joe Doupnik
Subject: Re: Synthetic Time on Single Ref

>>>Anyone shed any light on why my Single Ref time sourced 4.10 server would
>>>issue synthetic time when all it's dependent on is the H/W clock???
>>----------
>>        What would you deduce? The OTHER SERVERS disagree on time.
>>How would one find out? After the standard rtfm advice, try dsrepair,
>>carefully.
>>        Joe D.
>
>All servers _do_ agree on time, dsrepair lists them as in synch as does a
>TIME command at each server. RTFM would be nice if it wasn't on CD. You'll
>be happy to know I am reading the DS info printed out from whichever text
>file is recommended reading on patlst.htm ...
---------
        Good man. What I would do next is shut down the master server and
observe its hardware clock value. See if it is very close to network time.
Repeat round the net once in a while to maintain consistency. Also, just
in case, tell each server to be a secondary pointing specifically at that
single standard server, to avoid stray boxes telling temporal fibs. Finally,
I've found that even single standard boxes will proclaim synthetic time if
they cannot NDS-sync to other servers (broken wire, all that jazz).
        I also sync the single time server to the real world via RDATE.NLM.
Thanks to great foresight by Novell you will have to backdate TCP*.NLM to
about Jan 96 to enable RDATE to run again. I do just that. What is needed
from Novell for over 3 years now is an NTP.NLM (network time protocol, IP
based) to avoid dependence on the crummy PC clocks. In my case RDATE goes
to local machines which are the local time standard and which are sync'd via
Unix version xntpd to national time standards.
        Btw, one can pull the docs onto a disk drive, if space is available.
A bound version of the interesting parts of the manuals, plus commentary,
is the oft-mentioned book "Novell's Guide to NetWare 4.1", Novell Press.
        Joe D.

------------------------------

Date: Fri, 8 Nov 1996 17:10:59 -0600
From: "Lindsay R. Johnson"
Subject: Re: Synthetic Time on Single Ref

ATTN: 4 Responses have been consolidated into a single thread here!

Situation: 2 NDS Trees with a total of 3 - 4.10 servers.
Live tree (SFMC_TREE) has 4.10 server set as type SINGLE reference.
Other 2 servers are set as SECONDARY reference with their time source set
to the SINGLE reference server. One of the SECONDARY servers is in the
live tree, the other in the R&D tree. CONFIGURED SOURCES is set to ON on
all 3 servers. Therefore, the SINGLE reference server gets its time from
its internal hardware clock.

Error message received follows:

   11-07-96 10:27:27am DS - 5.1 - 12
   Severity=1 Locus=17 Class=19
   Synthetic Time is being issued on partition "SFMC_TREE"

The above-mentioned partition's Master Replica resides on the SINGLE
reference server. Its R/W Replica resides on the SECONDARY reference
server in this same tree.

This error has not recurred to date (16:27 11/08/96).

Edited list discourse to-date:

>>>How would one find out? After the standard rtfm advice, try dsrepair,
>>>carefully.
>>>        Joe D.
>>>
>>
>>All servers _do_ agree on time, dsrepair lists them as in synch as does a
>>TIME command at each server. RTFM would be nice if it wasn't on CD. You'll
>>be happy to know I am reading the DS info printed out from whichever text
>>file is recommended reading on patlst.htm ...
>>
>>Lindsay
>---------
>        Good man. What I would do next is shut down the master server and
>observe its hardware clock value. See if it is very close to network time.

Server shutdown in our 24-hour, direct-patient-care network is not taken
at all lightly...

>Repeat round the net once in a while to maintain consistency. Also, just
>in case, tell each server to be a secondary pointing specifically at that
>single standard server, to avoid stray boxes telling temporal fibs. Finally,

Defined as above since deployment months ago...

>I've found that even single standard boxes will proclaim synthetic time if
>they cannot NDS-sync to other servers (broken wire, all that jazz).
Frame Relay between the SINGLE and SECONDARY in the same tree did not have
a problem at that time (it did "go away" for 28 minutes overnight last
night and the message has not recurred since the original message).

>        I also sync the single time server to the real world via RDATE.NLM.
>Thanks to great foresight by Novell you will have to backdate TCP*.NLM to
>about Jan 96 to enable RDATE to run again. I do just that. What is needed
>from Novell for over 3 years now is an NTP.NLM (network time protocol, IP
>based) to avoid dependence on the crummy PC clocks. In my case RDATE goes
>to local machines which are the local time standard and which are sync'd via
>Unix version xntpd to national time standards.

We haven't gotten there yet but we understand we can get the time straight
from our voice-line trunks from the telco. It will be interesting to see
if it's feasible.

>Hi,
>
>Did you down the server to DOS and start it again without rebooting?
>Did you change the time settings? Does "TIME" display the correct
>time?

Again, downtime's NOT feasible unless there is a true outage. While this
could escalate to there I'm working on alternatives!

>Two cases :
>A change in the Hour occurred voluntary : in this case you had to go on
>the server which hold the Master Replica for each replica that stored
>this Server. Use Dsrepair.NLM, advanced options, Replica & partition
>option, select the replica, choose Repair Time Stamps and declare a
>new epoch
>Second case : the hour change involuntary : so the first procedure
>will solve the problem but you have to find the cause and perhaps set
>up an external clock

I'll tuck this one away - it is the procedure I figured I should try
should I need to start in NDS. With no additional Synthetic Time messages
I'll let sleeping dogs lie for now. And, yes, we will be implementing a
dependable external time source - just a matter of when!

>Synthetic time actually has nothing to do with time synchronization.
>When a
>server gives a synthetic time message, it means that an object in the NDS
>has a creation/modification date/time that is in the future. This could
>happen if someone logged in with the date set in the future and then changed
>something in the NDS. The error will go away when the present date is equal
>to or greater than the date that was used to modify the NDS. There's a
>pretty good article explaining how to fix it on http://support.novell.com,
>use the Search option and search for Synthetic Time. I think you can use
>one of the Advanced Options in DSRepair to fix it. The article has step by
>step instructions.
>
>Jason Lester
>Washington County Schools

Jason - I think you've hit on my most likely scenario. I understood it had
to do with stamping in the NDS but it didn't make sense until you
mentioned someone changing something in the NDS. If I'm not mistaken, Last
Login date and time hit the NDS at login for each station. If a station is
not configured to get its time from the server this seems inevitable! This
sounds like a liability to NDS at first blush! I assume this information
comes from the server itself, though. Counting on station info for this
seems like an auditing/accounting/security risk.

Most likely is one of my (very few) administrators' clock is slipping, or
is not configured to get its time from the server. This would be easy
enough to replicate I would think. I'll give this a shot on our R&D tree.

Thanks all for your input! Any more discussion is quite welcome! I'll post
progress as I am able.

Regards,
Lindsay

------------------------------

Date: Fri, 15 Nov 96 01:42:12 -0800
From: Randy Grein
To: "NetWare 4 list"
Subject: Re: Loooong wait in NWAdmin

>In one of our contexts in our NDS tree, we have an alias for every
>user on our network. We did this so that people from different
>contexts can log in without dealing with contexts. But ...
>whenever
>we go into that context using NWadmin, we have to wait about a
>minute for the spinning icon to go away. This is a HUGE pain. Does
>anyone have any ideas on how to fix this?

Several other people have suggested either faster machines or segmenting
things by breaking the users into more Organizational Units. I would
suggest removing the aliases and reworking the structure to handle logins
better. You might consider defining a default context if each user stays
in one place; the trick can also be used if you make the default 1 OU
below the users and let NDS search up.

For example, make the default context:

   context=Acme

while the users are in the groups:

   marketing.acme
   engineering.acme
   admin.acme
   accounting.acme
   warehouse.acme

BTW, I've seen your current system used effectively for 2,000 users. Could
it be that you've got some sluggish response because you're pulling
information across a bottleneck, or maybe the server (or workstation) is
too slow?

------------------------------

Date: Sun, 24 Nov 1996 23:56:35 +0100
From: "Arthur B."
To:
Subject: Re: Tree walking Win95 client

>The problem is that a user will travel and can use machines at multiple
>sites, the context set in the net.cfg will be for the site, not for the
>user.

Maybe that leaves three options open:

1. Find a software package that will do the job for you. I don't know one.

2. Make use of [Menu] in CONFIG.SYS and let the user make the choice.
   You'll have to tailor-fit AUTOEXEC.BAT and several NET.CFG's.

3. Not sure about this one. Should work but there's always the real world.
   But suppose each site has only one fileserver that responds to GNS
   requests. Also suppose that all of these sites are connected to a WAN.
   Then, if you can filter out GNS-requests at the routers *and* don't use
   PREFERRED SERVER neither NAME CONTEXT in NET.CFG *and* make User
   Objects at the right container everywhere, maybe all mobile users can
   log in without scratching their heads.
   This way users will authenticate to the first server that responds to
   their GNS request without running the risk of authenticating over the
   WAN.

---------

Date: Sun, 24 Nov 1996 18:20:01 -0500
From: Jeff Brooks
To: netw4-l@bgu.edu
Subject: Re: Tree walking Win95 client

Your third option would mean that the servers would have to be in bindery
emulation mode. We have thought about GNS calls only being answered by the
local server and having the routers filter out all other GNS answers. The
problem with that is that we need the user to authenticate to the tree
even if the local file server is down. Sure they wouldn't be able to get
to their files on the server, but we would appease management by letting
them know that the users can still do some work.

I think there is a product called SFLogin that will do this with Win95,
but I was hoping that I could get a native client to perform this
function, oh well guess I'll be talking to client product managers from
Novell and Microsoft tomorrow.

What we are trying to achieve is a name service, something like Banyan
Vines uses or 3COM, why can't Novell make it easy for users to login from
anywhere in the network without having to know their context or without
many headaches for the network administrators trying to modify net.cfg or
config.sys. Would it be too much to ask Novell to develop something like
this? Our goal is username + password = magic.

It should be quite easy for Novell to develop a name service for Netware
or just incorporate a search engine into login.exe. Does anyone know if
Novell has this in the plans for the future?

---------

Date: Sun, 24 Nov 1996 18:31:21 -0600
From: Darwin Collins
To: netw4-l@bgu.edu
Subject: Re: Tree walking Win95 client

I understand your problem. I have sent a few messages off to Novell, but,
haven't received any response.

My situation sounds similar to yours. Basically, I have about 1100 users
scattered over about 8 different containers.
We are just now starting to make the rollout to Windows95. Under Client32,
I can either set the 'context' to the user's home context or at the Org
level.

If I set it to the Org level, then everyone needs to remember (almost)
their distinguished name.

   Eg: DCOLLINS.MERCURY.HQ

If I set the 'context' to the user's home context, then, they can use the
username of DCOLLINS to login. But, if anyone else tries to login, then,
they have to use the 'full' distinguished name:

   Eg: .JSMITH.PLUTO.SI.DART

Of course, JSMITH will need to get at least one initial dialog of 'Jsmith
is not in this context', in order for JSmith to know to type in their
distinguished name.

I do not have the resources to go around and set the context on everyone's
computer, based on who is using it. That's silly anyway. So, instead, we
are teaching everyone what their distinguished name is.

With the DOS/Windows3x workstations, we are using NLOGIN (it's a freebie
but less capable than SFLOGIN), the users just need their common name. The
users would like to keep on using it. For now, they are using their
distinguished name.

I am hoping that Novell gets the Client32 login scheme fixed. If they do,
it would be one more reason why folks should use Client32 over the MSNDS.

---------

Date: Sun, 24 Nov 1996 19:40:33 -0600
From: Darwin Collins
To: netw4-l@bgu.edu
Subject: Re: Tree walking Win95 client

Jeff, it looks like Netoria is getting close to releasing their SFLogin
product for Windows 95 / NT:

http://www.netoria.com/products/sfloginw.htm

"SFLOGIN for Windows 95 is scheduled to ship during November 1996. The NT
version will be available shortly afterwards. Please contact Netoria if
you would like to be placed on our mailing list to receive information on
the progress."

------------------------------

Date: Sat, 7 Dec 96 00:36:13 -0000
From: Randy Grein
To: "NetWare 4 list"
Subject: Re: The quest to kill the 'bad' partition.
>In short we have a partition called "BU" that contains the server and
>works fine, we also have a partition call "BM" that thinks the server
>is still there and cannot in any way be accessed i.e. no objects just
>a -626 when you click on it...
>
>It can't be merged, deleted, fixed or accessed...

Hmm. When you say that you couldn't fix it did you use the advanced
functions in dsrepair? I'd remove the server from DS and see if you can
delete the partition, then re-insert the server. Failing that there IS a
fail-safe solution; use DS Standard to suck in the current directory.
It'll choke on the corrupted pieces but import the rest. Delete DS from
ALL the servers and use DS Standard to install the now clean DS.

Of course, this is a last ditch, all else fails method. FIRST I'd escalate
the issue with Novell.

------------------------------

Date: Mon, 9 Dec 1996 20:46:29 -0500
From: "Martin C. Mueller"
Subject: Re: Moving volume between drives

>>last weekend I moved the volume VOL: of my fully patched 4.10 server to
>>another harddrive. Explicitly, what I did, was:
>>1.) back up the volume via SBACKUP
>>2.) dismount and rename it
>>3.) create a new volume VOL: on the destination drive
>>4.) restore via SBACKUP
>>
>>I didn't change anything in NDS, neither via INSTALL.NLM nor NETADMIN,
>>because I don't want to lose all the references to the volume object in
>>the process (users' homedirs most noticeably, print queue spool dirs and
>>what-do-I-know-else). In preparation I checked with DSVIEW that the
>>volume object in NDS only references the name of the volume, not any
>>server-centric IDs or such.
>>
>>Everything went smooth so far -- but there's just one little disturbing
>>detail: when one maps a drive to the volume, the response is not
>>
>>Drive R: = SERVER_VOL:\
>>
>>but
>>
>>Drive R: = SERVER\VOL:\
>>
>>That happens exclusively with VOL: not with any other volume which has
>>a NDS object.
>
>        That's interesting.
>Did you put the volume back into the NDS tree
>rather than leaving it as a bindery-emulation-only thing? That's the usual
>Load Install then pick Directory Services option stuff to do quickly.
>        Normally I would have thought the NDS volume object ident number
>would be new and references to the old number would be invalid. But that's
>just head scratching here rather than a good live test.
>        Joe D.

Well, I think I got it figured out now:

Scenario: existing volume VOL: gets renamed to VOL_OLD: and a new volume
VOL: is created via INSTALL.NLM.

- during finalization of the volume operation install wants you to log
  into NDS.
- If you do this, INSTALL renames the volume object SERVER_VOL to
  SERVER_VOL_OLD and a NEW SERVER_VOL is created - all references go now
  to SERVER_VOL_OLD - not what you wanted at all
- If you reject it, everything appears fine - besides that little anomaly
  in the output of the map command - not quite satisfactory
- BUT, if you now "Upgrade mounted volumes into the Directory" from within
  the "Directory options"-menu of INSTALL.NLM, you only get offered VOL:.
  After this operation, references point to SERVER_VOL and SERVER_VOL
  means the new VOL:.

Most interesting: during the second course of operations the attributes of
SERVER_VOL (as seen via DSVIEW.NLM) don't change a bit - neither the
"Entry ID", nor the revision attribute (not even the modification
timestamp). Actually I don't know from where the server knows that there's
been some change concerning VOL: (he even knows after a reboot).

Just another NDS riddle I presume,
MCM

P.S.: BTW, deleting the volume instead of renaming works, too, IF you
don't let install "save the volume changes" into NDS. In this case all
your precious references are perdu.

P.P.S.: I tested this on one server one time...
------------------------------

Date: Tue, 17 Dec 1996 22:09:25 +1300
From: "Baird, John"
Subject: Re: SLIST displays server twice (2 names /same internal ipx inte

>I have a Netware V4.1 server that was recently patched. At one point a
>poorly behaving NLM caused the server to crash (CPAVNET - Central Point Anti
>Virus). I booted from floppy, ran server -na and when prompted for a file
>server name I just typed in some letters, say ABCABC. Loaded install and
>remarked out the line loading the offending NLM; saved the file and rebooted
>the server as always.
>
>Here is my problem: When I log in to the file server and do an SLIST or
>NLIST SERVER/B, both names show up, i.e., the original file server name and
>the temp name ABCABC. Both names show the same address. (i.e., IPX internal
>network number).
>
>If I log in to a different server and run slist ABCABC does not display;
>if I then map a drive to the V4.1 server ABCABC appears again.

We created a similar problem during an upgrade from 3.11 when one of the
team used 'server -na', entered a temporary name, then downed it. We were
unaware of the problem until we tried to get printing working and none of
the print servers would connect. I haven't figured exactly what happened,
but somehow the temporary name sticks and after a full reboot, both the
temporary and 'normal' names are advertised.

After an hour of reading NW 4.1 docs, Hughes and Thomas, Henderson et al
and other NW 4 texts, none of which covered this situation, we decided the
obvious solution was to fix the problem the same way we created it i.e.
down the server, start it using 'server -na', enter the usual name, down
it then do a full reboot. It worked.

------------------------------

From: "Garry J Scobie, Ext 3360"
Organization: Computing Service
To: floyd@direct.ca
Date: Mon, 6 Jan 1997 13:33:59 +0000
Subject: A useful book

A very useful book I've just read is Novell's Four Principles of NDS
Design by Jeffrey F. Hughes & Blair W. Thomas.
This is from Novell Press and the ISBN number is 0-7645-4522-1

This should be required reading for anyone involved with designing or
maintaining NDS.

------------------------------

Date: Thu, 02 Jan 1997 22:00:37 -0600
From: Darwin Collins
To: netw4-l@bgu.edu
Subject: Re: NDS backup without tape device ??

>Does anyone know if there is a way to backup the NDS properties of
>NetWare 4.x, that is comparable to the bindfix program from NetWare 3.x?

Peter Kuo has a utility that may help:

http://ourworld.compuserve.com/homepages/dreamlan/ndsdir.htm

---------

Date: Fri, 03 Jan 1997 08:29:39 -0500
From: Sherri Colon
To: netw4-l@bgu.edu
Subject: NDS backup without tape device ?? -Reply

There is a backup program used in the Netware 3 to 4 upgrade class called
EMMIF. It allows you to backup NDS to a file by making the file look like
a tape drive.

---------

Date: Fri, 3 Jan 1997 08:03:32 -0800
From: "Jay A. McSweeney"
To:
Subject: Re: NDS backup without tape device ?? -Reply

I seem to recall that EMMIF worked well, but that it's a really unstable
NLM. I don't believe I can recommend that for a production environment.

---------

Date: Fri, 3 Jan 1997 10:07:51 -0500
From: RBall84213@aol.com
To: netw4-l@bgu.edu
Subject: Re: NDS backup without tape device ??

>Does anyone know if there is a way to backup the NDS
>properties of NetWare 4.x, that is comparable to the bindfix
>program from NetWare 3.x?

Download the JCMD utility (jcmd.zip?) from ftp://netlab1.usu.edu/. This
utility creates a readable copy of subdirectory sys:_netware that you then
can copy to diskette.

ftp://netlab2.usu.edu/sys/anonftp/apps/jcmd_135.zip

---------

Date: Sun, 05 Jan 1997 11:51:34 -0600
From: Darwin Collins
To: netw4-l@bgu.edu
Subject: Re: NDS backup without tape device ??

>>>>Does anyone know if there is a way to backup the NDS
>>>>properties of NetWare 4.x, that is comparable to the bindfix
>>>>program from NetWare 3.x???
>
>>>Download the JCMD utility (jcmd.zip?) from ftp://netlab1.usu.edu/.
>>>This utility creates a readable copy of subdirectory sys:_netware
>>>that you then can copy to diskette.
>
>>I couldn't find it. Please provide some more hints.
>
>It's at ftp://netlab2.usu.edu/sys/anonftp/apps/jcmd_135.zip

Thanks for the info. This utility (method) would not be able to backup/
restore trustee definitions, but, it could be very useful.

IMHO, it's really too bad, that SBACKUP does not have the ability to
'write' to a disk file. I used NBACKUP a lot with 3.x for 'quicky' stuff.

------------------------------

Date: Fri, 3 Jan 1997 16:27:36 -0500
From: "Brien K. Meehan"
Subject: Re: Unknown objects in NW4.1

>Recently replaced the harddrive in our NW4.1 server. Old one died.
>Restored the system via BACKUPEXEC to a new disk.
>
>*Most* of the process appears to have worked. :-) The system is up
>and running but I have several print queues that show up as "unknown
>objects." According to the documentation, these objects can simply
>be deleted and recreated. NOT SO! Ran DSREPAIR but the problem
>remains.
>
>Can someone tell me how to get these objects out of the NDS?

This sounds familiar. I remember having similar trouble while repairing
the NDS tree I inherited. I think I succeeded when I did these things:

Check your time stamps! Especially after a server has been down. It's
"Repair time stamps and declare a new epoch" or something, in Replica and
Partition operations.

Try deleting more than one object at a time, using NWAdmin. For some
reason deleting one never worked, but deleting two usually worked.

Delete the print servers serving the print queues. Especially if they're
JetDirect cards. I don't know why, but that worked for me.

In DSREPAIR, use the Check for Invalid Trustees option (it's in there
somewhere). Then try cleaning unknown objects with DSREPAIR (even if you
already did from NWAdmin).

------------------------------

Date: Tue, 7 Jan 1997 10:25:31 EST
From: "Robert L.
Herron"
To: netw4-l@bgu.edu
Subject: Re: without NDS

>Does anyone know how to install netware 4.1 without NDS?

Two ways:

1. Follow standard installation procedures and abort when it asks you for
   NDS names, etc.

2. Have server on its own loop (connecting to nothing). Install NetWare
   like normal. Once finished, uninstall/remove NDS using INSTALL.NLM.

---------

Date: Tue, 7 Jan 1997 09:55:25 -0600
From: "Mike Avery"
To: netw4-l@bgu.edu
Subject: Re: without NDS

>Thanks, but when installing without NDS, will the server allow anyone to
>login? I have tried removing NDS but I cannot login as Admin or any user.

Once NDS is removed, there won't be an ADMIN account. I'd try logging in
as SUPERVISOR with the same password you initially gave the ADMIN account.

---------

Date: Tue, 7 Jan 1997 10:59:23 EST
From: "Robert L. Herron"
To: netw4-l@bgu.edu
Subject: Re: without NDS

>I have tried removing the NDS but I cannot login as Admin or any users.

Without the NDS installed, there is no directory or bindery against which
users can be authenticated. You can install the server OS, but it is
incomplete without the NDS. The main purpose for installing a server
without NDS (initially) or removing the NDS is to add the server into a
tree later.

For example, a system integrator wants to setup the server at his/her shop
before delivering to the customer. They could install the server with a
barebone NDS structure to get the server up and running. Once all patches
are applied and they are happy, then the integrator can remove the NDS,
deliver the server to the customer's site, connect the server to the
network, and add the server to the customer's existing NDS tree.

------------------------------

Date: Wed, 8 Jan 1997 15:08:19 -0600
From: Joe Doupnik
Subject: Re: Re-Installing a 4.1 server

>There is an easier way. You can change the NDS Partitions so that server
>2 contains the master copy of the partition. You can then follow the
>proper procedure for removing server 1 from the tree.
>Then you can
>reformat the server and reinstall Netware. Just insert the server back
>into the tree wherever you want it. That would probably be easier and
>safer than playing with DSMAINT. Just make sure that you follow the
>proper procedures for removing the server from the tree.

        Some good points above, and let me pick up on one. When a sys:
disk drive is replaced it loses its NDS magic number. Putting it back into
the tree without it is problematic. That is one reason to use DSMAINT.
        How does this occur? The NDS volume name also has an NDS object
ident number which the rest of the tree knows. Recreating an NDS object
also creates new, fresh, numbers (unless one uses NW 4.11 SMS compliant
tape restores). That means the old number is the "real" one and the new
number is an "imposter" as far as the tree is concerned.
        The way around this I have used, if the drive has failed without
notice, is to rebuild the server into a dummy tree, use Load Install to
remove NDS, then while there Add NDS and specify the old server ident. To
be successful one normally needs to remove the old volume object first
with a management workstation so old id is gone and a new number is
accepted. It's easy to shoot one's tree in the foot here. The dummy tree
is needed to complete the fresh installation and then load up tape restore
programs and whatnot.
        In any case, never zap a server holding a Master copy of a
database. Move mastership to another server (DSREPAIR), remove the server
from the replica ring (so that NDS updates can proceed without it), and
then tinker.
        Finally, before tinkering please bring all NW 4 servers up to the
very latest level of DS.NLM (5.01 for NW 4.10 servers, 5.73 for NW 4.11).
Less is not good, mixtures of less is probably worse.
        Joe D.

------------------------------

Date: Sun, 12 Jan 1997 12:41:01 +1300
From: "Baird, John"
Subject: Re: 2nd class group membership?

>We got us here a strange problem regarding group membership under NW
>4.10.
Some members of certain groups are "not taken for full" in the
>sense that they appear in the member list but they are not granted the
>rights which are results from the trustee positions the group has and
>the "IF MEMBER OF" statement in login scripts doesn't evaluate true for
>them.
>
>Upon closer inspection (via DSVIEW.NLM) it turns out, that these members
>show up as values of attribute "member" but neither "reference" nor
>"equivalent to me", where both of the last don't appear in nlist or
>netadmin. Apparently only more recently acquired members have the "full"
>status, presumably the ones added after the upgrade to 4.10.

Adding a user to a group under NDS in NW 4.10 and 4.11 involves 4 steps:

1. Adding the group to the user's "Group membership" attribute
2. Adding the group to the user's "Security equals" attribute
3. Adding the user to the group's "Members" attribute
4. Adding the user to the group's "Equivalent to me" attribute.

My understanding is that the last step did not exist under 4.0, 4.01 and 4.02 so it may be missing for users added to groups under these versions which have subsequently been upgraded to 4.10 and 4.11. If you add a user to a group via bindery based tools, only the first 3 steps are completed.

I am not aware of any circumstance under which the contents of the group's "Equivalent to me" attribute are checked, and group membership seems to work as expected when the user is not added to this attribute.

LOGIN.EXE v4.13 when executing "if member of" checks the user's "Group membership" attribute which explains your results if indeed the user has only been added to the group's "Members" attribute.

The "Reference" attribute provides back links and is maintained by NDS itself.
>Only cure known to me rn is to delete all "challenged" members and put
>them back in, a task I'm not too eager of performing :-)

It appears you have used a dodgy application in the past for adding members to groups and it was only adding the user to the group's "Members" attribute. I don't know if NETADMIN and NWADMIN will complete the missing steps - I suspect not as SYSCON won't. However, if you use the NDS version of JRButils GRPADD, it will complete any missing steps without having to remove the user from the group first. The bindery version in JRB300A.ZIP will also do this in bindery mode, but will ignore the "Equivalent to me" attribute. I suppose I should check if this attribute is visible in bindery mode - til now I've just assumed it isn't.

------------------------------

Date: Wed, 15 Jan 1997 08:02:23 -0500 (EST)
From: Steve Stanley
To: netw4-l@bgu.edu
Subject: Re: Can't delete NDS object or use partition manager

We had a similar problem. After searching Novell's site with the error message, we found TID 2909092 which lists all the switches for DSREPAIR. In it we found a switch -MR which removes all move inhibit obituaries. After we did this we were able to move partitions and delete objects. There is another document which specifically addresses this issue but we can't find our copy of it.

------------------------------

Date: Fri, 17 Jan 1997 14:16:04 -0500 (EST)
From: JLRYDER@aol.com
To: netw4-l@bgu.edu
Subject: Re: Can't delete NDS object or use partition manager

>I created a print queue in an empty container. Now I can't delete it. When
>I try to do so I receive the message, "[queue name] could not be deleted
>because Directory Services has not finished moving it or one of its
>subordinate objects." I did try moving it (last week!) but it didn't move.
>
>Now I can't work with partition manager either, apparently for the same
>reason. All of my 4.x servers are up and running. Dsrepair yields zero
>errors on all of them. I don't know what to do next.
I eventually solved this with a tip I found on CIS. I ran DSrepair -M and then DSrepair -MR. I'm told that this should not be run if there are any valid object moves active. I didn't have any active at the time and it did fix my problem.

------------------------------

Date: Fri, 24 Jan 1997 14:29:41 +0000
From: Richard Letts
Subject: Re: Bindfix ... how often

>>it that every other week or monthly is the right thing to do.
>>I ran it this AM, watched the screen, and fielded calls from Early
>>Birds about 'Supervisor has locked the bindery, or something'.
>>Interestingly enough, ndir net$*.* upon completion showed no
>>difference in file sizes. Que Publications 'Using NetWare 3.12'
>>suggests that bindfix is seldom if ever needed.." bindery files can
>>become damaged if the server loses power or stops operating at the
>>precise moment you are updating or adding user or group information"
>>Red Books don't recommend a regular schedule either.
>
>I would like to ask the same question concerning DSRepair. Is it advisable
>to run it on a regular basis, eg: once a week, or only when you are having
>problems? Thanks!

I'm something of an iconoclast, I always want to know 'WHY' something is so, and if there is no convincing reason I try doing the opposite of conventional wisdom.

With bindfix we'd run it two or three times a *YEAR* before and after major bindery operations (adding new first years, removing old final years). If the routines accessing the bindery aren't properly written we'd have had a lot of corruption. (lasthope.nlm was written for a department that had a flakey server, and no backup whatsoever)

With DSrepair we're running it more frequently, about once a week ON AVERAGE, or about 5 times a term, in bursts as doing major things upsets the tree. The self-repairing features of later revisions of DS.NLM improved the stability of the tree enormously. [We recently merged two trees with dissimilar schema which failed to sync.
dsrepair was needed to force a schema sync before [root] would settle down.

HOWEVER, I would recommend running the 'Check Synchronisation status' part of dsrepair DAILY. This will tell you where (if any) there are sync problems for the whole tree and all servers in it. If you have no problems it runs quickly, if there are sync problems or down servers it takes a while.

I'd really like a windows version of this part of dsrepair. NDSMGR in 4.11 is neat, but will only display a partition, it won't give you an overall picture of the tree.

I have a dream.... I do not like running user interfaces on fileservers; I'd much prefer a windows interface that created the configurations in the NDS, and servers only had to authenticate to the NDS for the configuration to be instantiated. New/rebuilt servers would require one to authenticate to the NDS as admin so they could extract their initial configuration information; after that they'd store their credentials and configuration locally.

Server based configuration tools, just say no!

------------------------------

Date: Mon, 27 Jan 1997 08:13:52 +0200
From: Patrick Medhurst
Subject: IntraNetWare Partition/Replica Documentation

Below are NetBasic scripts to document the current partitions and replicas in your NDS tree.

Copy the files NDSPARTS.BAS and NDSPART2.BAS into SYS:NETBASIC/WEB

Use the URL "http://your_server/netbasic/ndsparts" to run the script

Note that there is no error checking and if there are servers that are unreachable the script may find less partitions than actually exist.

---NDSPARTS.BAS---
#include "html.h"

Sub Main
   DOC:Heading ("NDS Partitions")
   DOC:Body (DOC_WHITE,DOC_BLACK)
   DOC:Print ("NDS Partitions")
   DOC:Print ("Enter the Admin (or an Admin equivalent) username and password.")
   DOC:Form:Begin ("ndspart2.bas")
   DOC:Form:Input:Text ("Username", "", "Username: ")
   DOC:Print ("e.g. .patrick.nw.dis.cvc")
   DOC:Print ("")
   DOC:Form:Input:Password ("Password", "", "Password: ")
   DOC:Print ("")
   DOC:Form:Input:Submit ("Show Partitions")
   DOC:Form:Input:Reset ("Clear Values")
   DOC:Form:End
End Sub

---NDSPART2.BAS---
#include "html.h"

Sub Main
   DOC:Heading ("NDS Partitions")
   DOC:Body (DOC_WHITE,DOC_BLACK)
   DOC:Print ("NDS Partitions")
   NDS:Session:Login (DOC:Var("Username"),DOC:Var("Password"))
   NDS:Context:Path:Change ("[root]")
   partitions = NDS:Search ("[root]",2,FALSE,"Object Class","=","Partition")
   partition = NDS:First
   partloop = 1
   do while partloop <= partitions
      ShowPartitionReplicas
      partition = NDS:Next
      partloop = partloop + 1
   enddo
   DOC:Print ("",partitions," partitions found")
   NDS:Session:Logout
End Sub

Sub ShowPartitionReplicas
   DOC:Print ("",partition,"")
   replicas = NDS:Replica:Locate (partition)
   server = NDS:Replica:First
   DOC:Print ("")
   reploop = 1
   do while reploop <= replicas
      rtype = NDS:Replica:Type
      if rtype = 0; reptype = "Master     "
      else; if rtype = 1; reptype = "Read/Write "
      else; if rtype = 2; reptype = "Read Only  "
      else; if rtype = 3; reptype = "Subordinate"
      else;               reptype = " "
      endif; endif; endif; endif
      DOC:Print (reptype,"   ",server,"")
      server = NDS:Replica:Next
      reploop = reploop + 1
   enddo
   DOC:Print ("")
   Return
End Sub

------------------------------

Date: Tue, 28 Jan 1997 13:17:50 +1300
From: "Baird, John"
Subject: Re: NETSYNC LOG in NW4.1

>I noticed this morning the following entries in my NETSYNC.LOG:
>
> 1/22/97 18:07:46 Directory Event
> VALADD: Name = HILDE Prop=SECURITY_EQUALS
>
> 1/22/97 18:07:46 Directory Event
> VALADD: Name = HILDE Prop=GROUPS_I'M_IN
>
>Can somebody please explain to me where the "Prop=GROUPS_I'M_IN"
>comes from and what it means?

"GROUPS_I'M_IN" is a bindery property of user objects and holds the object IDs of groups which the user belongs to. These entries would result from you being assigned membership of a group at 18:07:46 on 1/22/97. There should be a 3rd entry with the same timestamp giving the group name and "Prop=GROUP_MEMBERS".

------------------------------

Date: Tue, 28 Jan 97 15:29:00 PST
From: "Dinkel, Jason /CORP IT"
To: netw4-l
Subject: RE: Replica type????

>I found this replica on our server. It is unknown. I go into
>DSrepair and I look under "Replicas stored on this server". It has
>a Replica type of "Subordinate". I cannot for the life of me figure
>out how to delete this rotten thing. This replica has absolutely no
>reference to any servers. I've tried merging it from NWADMIN and I get
>"All referals to a server, neccessary to perform
>this function, has failed". I've tried partmgr, and netadmin, and
>still nothing. Can someone help me delete this replica

Straight out of course 525:

====
Subordinate References

Subordinate references are very different from other replica types. They do not contain object data, but they point to the replica that does. Subordinate references are maintained by NDS, not by the administrator.

NDS uses the subordinate reference replica type to facilitate tree connectivity ("walking" the tree).

A subordinate reference is created automatically on a server when the server contains a replica of a partition but not of that partition's child.
Stated another way, subordinate references are created on servers "where the parent is, but the child is not." If you add a replica of that child partition to the server, the subordinate reference is automatically removed.

Subordinate references do not support user authentication or viewing or managing objects in the partition. Instead, they refer to the read/write or master replica that can support these services.

------------------------------

Date: Thu, 30 Jan 1997 01:16:34 +0100
From: "Arthur B."
To:
Subject: Re: tree vs. server

>When would be better to have the user login to the tree vs. server.?

Interesting question. One advantage is that the admin can change the 'preferred server' using NWADMIN and thus move home directories from server to server without visiting the workstation. As you know one container can hold several servers.

>I guess if they login to the tree then they can readily use multiple
>servers.

Doesn't matter. As long as the login occurs under NDS mode users can authenticate to every server as long as rights permit. Under BINDERY mode users need to type in passwords when they attach.

>What are some of the advantages/disadvantages

------------------------------

Date: Thu, 30 Jan 1997 13:49:53 -0500
From: Debbie Becker
Subject: Re: Users still connected after logout

>How are your partition replicas? How's timesync? I wonder if they're
>trying to authenticate via a read-only replica, and it's out of sync with
>the master replica. Come to think of it, it wouldn't even have to be out
>of sync - just "waiting" for the master to replicate the changes.

Just a FYI -- you can't authenticate via a read-only replica. If you're attached to a server containing a read-only replica, you'll be referred to a writeable (master or read/write) replica in order to authenticate.

>I would make sure time synchronization is correct (one SINGLE and one
>SECONDARY type),

Time sync hasn't any effect on replica synchronization.
>and I would make any read-only replicas read-write.
>Read-only is worthless, especially on a small network.

I agree. Not much reason to place read-only replicas at this time (and they just make the replica ring bigger).

------------------------------

Date: Wed, 5 Feb 1997 09:52:40 -0600
From: Joe Doupnik
Subject: Re: NDS....What price the WAN ???

>Now, based on my own experience, CNE4 training and all currently published
>literature (i.e. Novell's 4 Principles of NDS Design, New Riders NDS
>Troubleshooting, Novell's Guide to IntranetWare Networks, recent NDS
>articles in the NUI's NetWare Connection magazine etc.), this is wrong!!
>
>The upper layers should map to the WAN topology.
>
>My new colleagues tell me that a techie from Novell UK has seen and
>ratified their design, and told them that Novell are now saying that
>company organisational designs are OK for large multi-site organisations
>that have good WAN links. They are quoting the system recently
>implemented by VOLVO as an example.
>
>I cannot find any reference to this approach in any Novell literature that
>I have access to, and as a CNE representing Novell, I feel that I should
>be aware of any change in Novell's recommendations.
>Steve Hardy
------------

You might wish to attend the Brainshare presentations yearly to learn what's new. Did I see you at last summer's UK "Brainshare" in Manchester (I gave a presentation there)? Many of us criticised the company organizational plan as the basis of tree design. We said network traffic was THE concern, and even Novell said traffic was THE worry. So last year, finally, Novell emphasised traffic/topology over politics.

It helps to keep in mind the undershooting of intelligence in many Novell recommendations. They are targeting folks who do not understand the technical details nor wish to become involved with them. Simplicity is a virtue for such people. Novell docs etc are directed at that audience, which happens to be a good chunk of the market.
To deal with the technical issues requires us to work and think and scratch heads a lot; digging out reality from cover stories isn't easy. Breaking habits of believing what others say is not easy either (witness the never-ending fresh installations of Ethernet_802.3 frames).

Novell does provide some hard details on NDS traffic, but you have to know where to look to find them. Some show up in the technical white papers, more show up in Brainshare presentations. Even more is revealed by buttonholing Novell developers in the hallways. The rest is revealed by local testing.

A start is to snag the Novell Press book "NW 4.." by two guys (my copy is on loan, sorry) which is written by the NDS Tiger team (traveling crew putting right large corporate NDS designs, $$$), but again don't believe all advice without a critical review.

My approach is to read these things, talk to the individuals, run lots of local experiments, and question assumptions. I'm a science type and nothing is taken at face value, not even and especially accepted dogma.

Joe D.

---------

Date: Wed, 5 Feb 1997 10:04:38 -0600
From: Joe Doupnik
Subject: Re: NDS...What price the WAN?

I should have added:

Folks on the right side of the pond may wish to contact Novell's European Support division (HQ'd in the UK). A good bunch and tell them I sent you. Large corporate customers may wish to contact the Novell Consulting team (tigers be within) which can be reached by clicking that button on Novell's www home page. Your local Novell representative has all the contact names, numbers, and ice breaking equipment.

Basically, don't depend on email to design a large system.

Joe D.

---------

Date: Wed, 5 Feb 1997 18:27:25 +0000
From: Richard Letts
Subject: Re: NDS...What price the WAN?

On Wed, 5 Feb 1997, Joe Doupnik wrote:
> I should have added:
> Folks on the right side of the pond may wish to contact Novell's
>European Support division (HQ'd in the UK).
A good bunch and tell them

Novell's European Support Division is based in Dusseldorf [Germany]
Novell's Consulting Services are distributed across Europe.

>I sent you. Large corporate customers may wish to contact the Novell
>Consulting team (tigers be within) which can be reached by clicking that
>button on Novell's www home page. Your local Novell representative has
>all the contact names, numbers, and ice breaking equipment.

Returning to the original question: "What do you consider a good WAN?"

Personally I regard 2Mbps and UP as good enough not to worry about replication traffic over, in which case you don't need to worry about geographical splits in the tree design. A 2Mbps leased line is ~= 1 ethernet, and if you can't replicate over ethernet due to the traffic, then you've more problems anyway....

If you've only 64kbps circuits then you definitely want to keep as many partitions as you can in one location with as few off-site replicas as you're comfortable with. You want to keep [root] virtually empty, with possibly one replica at major location.

Partitions is what are replicated. hence:

                    o=Ajax
       +---------------|------------------+
   ou=Chicago                         ou=Hartford
       |                                  |
   +---+------+                       +---+------+
ou=sales  ou=claims                ou=sales  ou=claims

could have the chicago partition only replicated on chicago servers and the Hartford partition only replicated on servers in hartford.

Converting the tree to a structural one....

                    o=Ajax
       +---------------|------------------+
    ou=sales                           ou=claims
       |                                  |
   +---+------+                       +---+------+
ou=chicago ou=hartford            ou=chicago ou=hartford

If you replicate the ou=sales and ou=claims as monolithic partitions then you're going to have the replication traffic going through a WAN between the two cities. However if you have smaller partitions eg ou=chicago.ou=sales then you'll be able to constrain these to one physical location. But then you'll have lots of partitions.
Bear in mind two people will need to USE this structure:
- the admins trying to give someone access rights
- the user trying to login.

If your tree is functional down to the person, then you might want to modify the design...

                    o=Ajax
       +---------------|------------------+
    ou=sales                           ou=claims
       |                                  |
   +---+------+                       +---+------+
ou=buildings ou=workers-comp     ou=buildings ou=workers-comp
    |
+---+------+
chicago  Hartford

------------------------------

Date: Wed, 19 Feb 1997 18:42:49 +0000
From: Richard Letts
Subject: Re: federated partitions

>So, what is a federated partition?

Given what this is I too was amazed to find nothing on it on Novell's web site (hence my initial reaction to try looking for it), even though the sessions on it at brainshare were packed out last year.

Federated partitions allow the administrators of two NDS trees to create a soft link between the two trees. The foreign tree is then mounted as an OU under your local tree. This means that I could (for example) grant access rights to a file in my filestore to a user registered in another tree.

Why is this important? Suppose you want to share data with another company, you can email it, ftp it, etc but the technology for doing virus-scanning on the fly isn't that common (at least for PINE based systems like I'm using here). With Netware you could setup a fileserver and allow your authenticated partners to copy the files off the server without having to muck around with nasty things like extranets/hypernets. This is probably going to be of most interest to Telecom operators who are offering NCS services, eg AT&T, NYNEX, etc

Who's doing this? No one yet (publicly), it's going to be part of the Moab releases of Netware (at least according to the online references I could find. I know more, but then these non-disclosure agreements I keep signing seem to carry some rather stiff penalties.

Moab, like Green River, is a place in Utah. There's another code-name 'Arches' floating around.
Either arches or moab's been dropped as half the functionality is in green-river [4.11/INW] and the other half will be in the next product. Why not call it Netware'97?

In some private email someone said that they were considering it to cut down on instability in their tree. I replied that you might be able to use it to do this, but I'm not seeing instability, except on two fronts:
- operations involving the [ROOT] which seem fragile
- serious NDS programming where you have little [no] control over which replica you're accessing and occasionally I end up talking to a new replica that has no data, making many users disappear..

I'd fix the instability, as I don't personally think federated partitions will be out before summer.

[we did have major stability problems with the original DS in the 4.01/4.10 release, Novell spent three days patching the tree back together, and DS patches have really stabilised it since 4.89C (a landmark release in terms of DS stability IMHO)]

------------------------------

Date: Thu, 20 Feb 1997 14:23:33 -0500
From: Ian Peckman
To: netw4-l@ecnet.net
Subject: Re: Whoami - Answer

>Well, there are some misunderstandings somewhere. There is a limit
>to the number of bindery contexts a particular server can support,
>16 I think.

To actually clarify, there is no limit as to the number of bindery contexts set on a 4.x file server, just a limit as to the length of the bindery context string a server may have. The limit of 255 characters is imposed on the 4.1x server console and the SERVMAN.NLM utility. You can theoretically set 100+ contexts in a 255 byte string.

---------

Date: Thu, 20 Feb 1997 14:33:40 EST
From: seanstanton@juno.com (Sean M Stanton)
To: netw4-l@ecnet.net
Subject: Re: Whoami - Answer

The functionality of the ATTACH.EXE command line executable was actually incorporated into the LOGIN.EXE executable in NW4.x.
To perform the exact same function in 4.x from the command line that you previously performed by executing:

ATTACH SERVER/USER

you should use the command

LOGIN /NS /B SERVER/USER

The /NS parameter tells LOGIN.EXE to not execute any login scripts, which also forces it to not detach or log you out of any current bindery based server attachments or any NDS authentications, and the /B parameter tells LOGIN.EXE to create a bindery based attachment, as opposed to an NDS authentication.

------------------------------

Date: Sat, 22 Feb 1997 03:37:39 -0800 (PST)
From: Michael Wallendahl
To: netw4-l@ecnet.net
Subject: NwAdmin and Home Directory Creation Delays!

Just upgraded to Intranetware and the new NwAdmin for Win95. With the old NwAdmin, one could put lines in the nwadmin.ini file to force it to use the Master Partition for user creation. The lines are:

[User Creation]
use master = true

This sped up home directory creation for us immensely, since the server with the master partition was also the server housing the home directories. We didn't have to wait for the tree to sync across servers before the home directory could be created.

Where is this functionality in the new NwAdmin? I can't see it in the help files nor on support.novell.com.

------------------------------

Date: Sat, 22 Feb 1997 04:08:03 -0800 (PST)
From: Michael Wallendahl
To: netw4-l@ecnet.net
Subject: Client32 for Win95 2.11 Login Problems?

After "up"grading to the 2.11 version of Client32, I've come across an interesting and frustrating problem:

On my NDS tree, users are located... Here--let me try to draw a map:

SCS --
     |- Users  (All user accounts are under this OU)
     |
     |- Labs
     |    |-Lab1
     |    |   |--Users (Alias to .users.scs)
     |    |
     |    |-Lab2
     |        |--Users (Alias to .users.scs)
     |
     |- Servers

The lab machines are set with a default context of "users.lab1.labs.scs". Upon properly logging in, they run a login profile that is located in the lab1.labs.scs OU. This allows each lab to have a different login script.
My problem is that when students type in an incorrect password, the client switches over to the .users.scs context and stays there. Correcting the mistyped password and hitting enter logs the user into the tree, but since the context was switched (WHY?) they don't run the lab login profile and drives aren't mapped and printers aren't captured, etc.

I don't understand why Novell changed their client's behavior--our setup worked great last year with VLM's, and even through the very first release of Client32, but not since then. It's very frustrating to have to reboot a machine because of a mistyped password (rebooting is the only way to get the machine back into the correct context--else they always log in under the .users.scs context).

Has anyone else run across this problem? Or do I have a very non-standard tree design? Having all 3500 student accounts under one OU though makes assigning rights a breeze. :)

Also, what's the easiest way to tell what version of Client32 a computer has? The "easiest" way I've found so far is to run NAL, go to Help:About NAL and look at the "Requester" field, but it reports 2.2.0 when I'm running the 2.11 client! (Maybe because I loaded the w95it2 patch?).

---------

Date: Sat, 22 Feb 1997 13:36:49 -0700
From: Shawn
To: netw4-l@ecnet.net
Subject: Re: Client32 for Win95 2.11 Login Problems?

>of Client32, but not since then. It's very frustrating to have to reboot
>a machine because of a mistyped password (rebooting is the only way to get
>the machine back into the correct context--Else they always log in under
>the .users.scs context).

Well, I know it shouldn't be necessary, but how about teaching them how to switch their context with the CX command. Or, even easier, write a simple batch file (say, LOGON.BAT) to switch them to their proper context and then log them in. That way, they only have to "learn" one new command for use when they type the wrong password.
------------------------------

Date: Wed, 26 Feb 1997 18:12:21 -0600
From: Joe Doupnik
Subject: Re: Deleting Partitions From Netware 4.1 NDS

>We are having trouble deleting partitions from our tree. Our current
>Partition Manager is shown below. We started out with 1 netware 4.1 server
>which was called Main_Office-3. We named our tree MSD. At this point no
>problems. Then we added a second Netware 4.1 server called
>Main_Office-4(OU=MO4) and still no problems. Then we decided to add 3
>more NW 4.1 servers that were going to be located over a WAN Link for
>Beargrass, NightinGale and PondCreek. We began looking at the Partition
>Manager and determine that MO4 and PondCreek were R/W Replica and blah
>and blah2 were subordinates. We also upgraded another 3.12 server...
>
-----------

I think most of us get totally lost with a dense run-on paragraph filled with configuration details. That is similar to any discussion of NDS, which seems to be a wild collection of poorly defined terms all interacting in nasty ways to eat us up. Don't panic, as they say.

The situation seems to be NDS can't settle down because there is a missing subordinate reference object (a missing server). Yawn, I have had them too. They went away with INW 4.11 NDS, but might with the latest NW 4.10 NDS stuff too.

First, ensure you are using the very latest NDS material. Second, try to remove the lost server from replica rings. That lets the survivors synchronize. Please don't manipulate stuff until those servers do synchronize.

If these steps fail after waiting a decent interval I suggest you call Novell forthwith (that means with US$200 in hand) and let them try to recover with the NDS material as-is. If you use too much DSREPAIR the NDS material can be made worse without hope of recovery, so use restraint.

A decent reference book is Novell Press "NetWare 4.1 Networks" by Hughes and Thomas, US$60 and not a ripoff.
I presume you do have thorough backups of "everything" (NDS included) before touching the system. If it makes you feel better I am running emergency backups at this moment to rescue a INW 4.11 machine which is losing its hard disk (bearings are going fast today); Arcada BackupExec, backs up "everything".

Joe D.

------------------------------

Date: Thu, 27 Feb 1997 19:15:30 +1300
From: "Baird, John"
Subject: How to make bindery values consistent with NDS?

>If I change a user's Full Name on the 4.1 server using NWAdmin, then
>then any bindery utilities (SYSCON, JRB's GETREST) will report the new,
>changed name -- just as expected. HOWEVER, if I change the user's name using
>UIMPORT, then bindery-based utilities don't see the change -- they continue
>to report the original, unchanged name. So, two questions:
>
>1. Is there a way to make the bindery values consistent with NDS after
>making changes through UIMPORT? Can I force the bindery services value for
>Full Name to take on the NDS Full Name?

The bindery is always consistent with NDS (subject to replica synchronisation) as there is no separate bindery database. 'Bindery' information is retrieved from NDS. I'm not familiar with the quirks of uimport but if changes to the full name do not subsequently show in nwadmin or in bindery based tools, then uimport is not changing the full name. Are you saying above that the changes show in nwadmin but not in bindery tools, or that the changes don't show in either?

>2. Out of curiosity, where is the original Full Name being stored such that
>bindery services still sees it even after it has been changed in NDS?

Not surprisingly it's stored in an attribute named "Full name". However, that wasn't a silly question as for example, the field named "Department" by netadmin/nwadmin is stored in an attribute named "OU".
------------------------------

Date: Tue, 4 Mar 1997 15:28:19 -0500
From: Debbie Becker
Subject: Re: Adding Servers in NDS

>I am currently working on my CNA out of the Novell Press Study Guide
>and I have come across something confusing. I am told to add a server
>to a certain container but I get an error saying that server can't be found.
>Can you just add server objects wherever you want? Then when they
>tell me to create a volume it doesn't appear that simple either. Aren't
>these things you create only at installation?

When you create a NetWare server object, NDS looks for a physical server with the same name. When it can't find one, you get the error message. Same thing for volumes -- wants to match the object with an actual volume mounted on a server. By and large, you let these be created automatically at installation.

------------------------------

Date: Wed, 5 Mar 1997 09:13:07 -0800
From: "David J. Nelson"
Subject: Re: Too many Simultaneous connection??

>>I'm having a real problem with my 4.1 network (2 server).
>>Users are resetting (or machines are crashing) with a 'proper'
>>logout. What is left behind is a Not-Logged-In on either or both
>>servers they are connected to before the machine goes down. They
>>need to be able to log in again immediately, but Netware won't let
>>them (too many simultaneous connections ). I don't want to allow
>>more than 1 connection. What is (technically) happening and how can I
>>solve the problem.
>
>I've had this problem somewhere and just granted everybody 2 simultaneous
>connections max without thinking further.
>In the long run this solved more problems than it created.
>
>Guess NDS needs time to update its inner accounting records.
>Wonder what happens if your users wait a while longer (say 5 minutes).
>
>* Arthur B.

There is a program on Novell's web site called REMADDR which addresses this issue. REMADDR goes out to NDS and wipes out the network addresses for the username you specify.
It's all spelled out in the documentation that comes in the archive.

------------------------------

Date: Tue, 11 Mar 1997 12:32:04 -0700
From: Shawn
Subject: Re: Replica Synchronization

>The servers initiate a synchronization every 30 minutes (by default).

This is true only for users logging in. This is done to update DS User object properties like Last Login Time and Network Address. However, whenever an object is changed by a user, the updates are sent 10 seconds after the change is made.

There's an excellent article in the March issue of NetWare Connection which covers this exact topic. You can read it at: http://www.novell.com/nwc/mar.97/sync37/index.html

------------------------------

Date: Tue, 11 Mar 1997 21:48:09 -0600
From: Joe Doupnik
Subject: Re: Size of the NDS database ?

>Are there any utilities that will tell you how big NDS database is or
>what is the size of all files in SYS:_NETWARE subdirectory. I know, I can
>use RCONSOLE, but trouble is, only on some file servers. Other file
>servers are giving me error message on RCONSOLE screen:
> The system could not allocate additional memory.
> CreatePortal returned error 254.
>probably because they hold a lot of partition replicas (some of them
>5-6) so there are a number of files (I suppose?)
----------
Look at the logs of your tape backup program.
Joe D.

---------

Date: Wed, 12 Mar 1997 08:49:18 -0500
From: Debbie Becker
Subject: Re: Size of the NDS database?

>Are there any utilities that will tell you how big NDS database is or
>what is the size of all files in SYS:_NETWARE subdirectory.

Rough estimate -- each object takes up 3-5K of space.

------------------------------

Date: Wed, 12 Mar 1997 17:37:23 -0600
From: Joe Doupnik
Subject: Re: Switching SYS volume on a 4.10 server -Reply -Reply

>Thanks for the information. I have the latest DSMAINT and the "Prepare NDS
>for a hardware upgrade" option will allow me to rebuild the SYS volume and
>keep the object IDs the same.
>This works for planned maintenance to the
>SYS volume, but what can you do if the drive fails and must be replaced?
>Is Novell addressing the problem of Object IDs changing after a SYS volume
>failure?
----------
A free piece of advice is this. Before touching the server please sit down and re-read the dsmaint docs very carefully. Then visit a local book seller and obtain a copy of "NW 4.10 Networks" by Hughes and Thomas, Novell Press. Read the appropriate sections in that a few times too. The reason is what you are doing is dangerous to the entire tree and ought not be done unless really positively necessary, and only after taking precautions. Tinkering with NDS is playing with fire. I think it is not too far off the mark to say that NDS boggles the mind and logical deductions are difficult at best. Thus proceed slowly and do as little as possible.

While on server names etc, you may profit from reading the Utah Standard on IPX names and numbers. Netlab2.usu.edu, cd misc, utahstd.txt. Alternative: netlab1.usu.edu via web browser, pub/mirror/misc. It works fine with NW 4 and trees, by original design.
Joe D.

------------------------------

Date: Fri, 14 Mar 1997 09:04:28 NZST
From: Craig Manson
Subject: NW4.1x SYS volume

The following are some general guidelines for sys volumes and partition operations recommended to us by a Novell support person while he was looking around our system.

- There should be a minimum of 10-15% free space on sys at all times.
- There should be an absolute minimum of a 1000 free blocks on sys at all times
- No compression on SYS
- No suballocation on SYS
- No print queues on SYS
- No user home directories on SYS
- No mail on SYS
- Store only static data on SYS

Before any partition operation

- no users logged in
- all unnecessary application NLMs unloaded
- plenty of free space on SYS
- plenty of free blocks on SYS
- take it easy and wait for NDS to fully synchronize
- use advanced DSTRACE operations to track synchronization
- use advanced DSTRACE operations to manage synchronization
- use NWADMIN for all partition operations
- try to avoid destructive DSREPAIR operations

------------------------------

Date: Fri, 14 Mar 1997 09:27:27 PST
From: Dave Pacheco
Subject: Re: Persistant Obituary

>While trying to add a server to the NDS tree the message
>
>" Internal error occured. DSI can not add a partition replica.
>Error description: previous move in progress DSI-4.10-32"
>
>appears.
>
>I found a document describing this situation in the Novell's
>Knowledgebase. I run 'dsrepair -m', as it suggested, and
>I found a number of obituaries
>
>Found OBI_INHIBIT_MOVE
>
>related to a failed user move operation conducted a few weeks ago
>and to the server, which I am trying to add so laboriously.
>
>The objects, detected by dsrepair, are NOT visible via netadmin.

>>>>>
From Novell's TID database (TID 2909604):

"To find the cause of the stuck obituaries you can do the following DStrace commands:

Set dstrace=on
Set dstrace=a0000001
Set dstrace=+S
Set dstrace=+J
Set dstrace=+blink
Set dstrace=+part
Set dstrace=+misc
Set TTF=on
Set dstrace=*R
Set dstrace=*F
Set dstrace=*B
Set dstrace=*H

Watch the trace until you have captured your errors. Or you get a red All processed=NO

Set TTF=OFF

When you view dstrace.dbg from the SYSTEM directory and look for any 601-699 error to any server that might be causing the partition to not process and fix those errors."
<<<<<

Alternately, running a DSREPAIR -MR and then running a "Database Repair" from the Advanced Options should remove the problem. I would prefer doing the first option (DSTRACE and checking DSTRACE.DBG) first, to see if you can resolve it that way... you may find other issues in your tree that you want to resolve before doing anything else.

If you do run DSREPAIR -MR, make sure that you are running this from a Master copy of the replica, which obviously means check to make sure that there *is* a Master... this problem has been seen on replica rings that have no Master. Make sure that the MOVE INHIBITS are only on things like users and print queues/servers, or on objects that you definitely know can be deleted. I'm pretty positive that as of last week there was a TID that mentioned this parameter, but now I can't seem to find it. If you can, please read it, as it includes more information about this problem.

As a last point, always make sure that your replica rings are healthy *before* attempting to insert/delete anything into the tree, or make any major modifications to it. The synchronization checking options in DSREPAIR are your friends.

And all of the above notes should be accompanied with big bold-letter text that says "your mileage may vary", and "backup, backup, backup and patience."

------------------------------

Date: Sat, 15 Mar 1997 07:34:59 -0500
From: barb Lewis
Subject: Re: NDS, Netware Registry Editor, DLLs...

You can register these snapins with your user object in nds but for the application (NWADMIN) to use them you must launch it with the /n command line switch. No matter what, the .DLLs must be accessible to the program. I have noticed that you will have to manually add the snapin view .DLL file with the registry editor button. The object .DLLs usually place themselves properly. This works with the 16-bit or 32-bit version of NWADMIN.
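[Added example, not part of the original messages or of Novell's TID 2909604. It automates the last step of the TID procedure quoted in Dave Pacheco's message above: going through a captured dstrace.dbg for 601-699 errors per server and for syncs that ended "All processed = NO". The trace lines are constructed and their layout is an assumption; scan_trace and report are hypothetical names.]

```python
"""Summarise 601-699 errors in a DSTRACE.DBG capture (added example)."""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample. The line layout is an assumption modelled on DSTRACE
# sync output; real captures differ between DS.NLM versions.
SAMPLE_TRACE = """\
SYNC: Start sync of partition <[Root]> state:[0] type:[0]
SYNC: Start outbound sync with (#=2, state=0, type=1) <CN=FS2.O=ACME>
SYNC: update to server <CN=FS2.O=ACME> successfully completed
SYNC: Start outbound sync with (#=3, state=0, type=1) <CN=FS3.O=ACME>
SYNC: failed to communicate with server <CN=FS3.O=ACME> ERROR: -625
SYNC: End sync of partition <[Root]> All processed = NO.
SYNC: Start sync of partition <OU=SALES.O=ACME> state:[0] type:[0]
SYNC: error sending updates to <CN=FS2.O=ACME> ERROR: -637
SYNC: failed to communicate with server <CN=FS3.O=ACME> ERROR: -625
SYNC: End sync of partition <OU=SALES.O=ACME> All processed = NO.
SYNC: Start sync of partition <OU=LAB.O=ACME> state:[0] type:[0]
SYNC: End sync of partition <OU=LAB.O=ACME> All processed = YES.
"""

# A negative 6xx code that is not the tail of a version string such as
# "DSREPAIR-4.10-009": the character before the minus sign must not be a
# word character or a dot.
ERROR_RE = re.compile(r"(?<![\w.])-(6\d\d)(?!\d)")
NAME_RE = re.compile(r"<([^<>]+)>")
END_RE = re.compile(
    r"End sync of partition <([^<>]+)>.*?All processed\s*=\s*(YES|NO)",
    re.IGNORECASE,
)


def scan_trace(text):
    """Return (errors, stalled).

    errors  -- {name from the line: Counter({code: occurrences})}
    stalled -- partitions whose sync ended with "All processed = NO"
    """
    errors = defaultdict(Counter)
    stalled = []
    for line in text.splitlines():
        end = END_RE.search(line)
        if end:
            if end.group(2).upper() == "NO" and end.group(1) not in stalled:
                stalled.append(end.group(1))
            continue
        codes = [int(c) for c in ERROR_RE.findall(line)]
        codes = [c for c in codes if 601 <= c <= 699]
        if not codes:
            continue
        # Assumption: the last <...> name on an error line is the server.
        names = NAME_RE.findall(line)
        server = names[-1] if names else "(unknown)"
        errors[server].update(codes)
    return dict(errors), stalled


def report(text):
    """Return one summary line per (server, code) and per stalled partition."""
    errors, stalled = scan_trace(text)
    lines = []
    for server in sorted(errors):
        for code, count in sorted(errors[server].items()):
            lines.append(f"{server}: error -{code} x{count}")
    for partition in stalled:
        lines.append(f"partition {partition}: All processed = NO")
    return lines


if __name__ == "__main__":
    # Pass the path of a DSTRACE.DBG copied off the server, or run with no
    # argument to analyse the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            data = fh.read()
    else:
        data = SAMPLE_TRACE
    print("\n".join(report(data)))
```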
------------------------------

Date: Mon, 17 Mar 1997 16:51:25 -0800
From: Wilson Mattos
Subject: Re: Removing NW4.11 Server from NDS tree

>If you are simply removing a NW4.11 server from the NDS tree, you should
>not have to remove DS. I think this is very dangerous.
>
>Here is what I do to remove a NW4.11 server:
>
>a. Down the Server
>b. Delete Server Object from NDS using NDS Manager (NDSMGR for Win95)
>c. Delete Volume Object from NDS using NWADMN95
>
>That should be all that is needed to get the server off the NDS tree.
>You should also make sure that if the server belongs to a replica ring
>that after this operation, it does not appear in the replica ring.

No way! Do not use the Delete Server object option in NDS Manager unless you have no other choice. This should ONLY be done when the server has crashed and will not come back up for you to properly remove it from the tree.

You should Load Install, DS Options, and Remove DS from this server. This will cleanly remove all references to the server you want to remove from the tree, including removing the server from all replica rings. Make sure this is not the Master replica server for any partitions (you should move Master replicas first), and that other replicas of the partitions this server may contain are up. You also have an option of leaving "space holders" for the volume objects in case you ever plan to reinstall this server in NDS.

------------------------------

Date: Tue, 18 Mar 1997 10:17:44 -0500
From: "Brien K. Meehan"
Subject: Re: NDS Concerns

>As of yesterday morning, we lost an ATM link which serves to connect
>2 halves of our campus. Parts are on the way, but it may be that our
>network has a huge gap in it for 2 full days. I have notified all
>administrators not to add users, printers, etc.

Not unwise.

>We have 1 tree spread out across both sides of the break in our
>backbone. Our server with all partition master replicas on it can
>communicate with about half of the servers.
>
>What I am wondering is what could potentially happen, and what
>course of action we should take. Right now we are considering
>changing some read-write replicas to master on the stranded side of
>the network. Will this work?

That would probably do a lot more harm than good. You want to avoid making major changes to partitions, and this would be one.

If I were certain, 100%, that the link would be restored within 3 days, I would just let it run. The local partitions can handle the day-to-day changes, and send updates to the replicas when the link is restored. 2 days is not a big deal (IMHO).

If a server were to come down in the meantime, though, I would consider leaving it down. The servers will do OK on their internal clocks, but if you have to reset one, time stamps might get mixed up.

---------

Date: Tue, 18 Mar 1997 08:42:17 -0600
From: Joe Doupnik
Subject: Re: NDS Concerns

>[responding to the same message as the previous emailer...]
--------
As others remark, this is not a good situation and please do not tinker with NDS during the outage. Any change to NDS must be agreed to by all holders of replicas, else it clogs up and becomes very temperamental. Thus make no changes. Alas, even logging in constitutes a change.

I would recommend creating a temporary NW server with boards joining the currently isolated networks. That way at least IPX (and even IP) can traverse the network and keep matters going. The extra traffic will just have to be accepted, versus no-comms. The server needs a license count of only one to work, with only Admin logging in to maintain it, and that means you can bring up say INW 4.11 without a license diskette.
Joe D.

---------

Date: Tue, 18 Mar 1997 15:59:03 +0000
From: Richard Letts
Subject: Re: NDS Concerns

>[responding to the same message as the previous two emailers...]

1. Absolutely do not modify partitions on the NDS. don't change their state nor which servers hold replicas nor attempt schema operations.
   (eg installing new NDS aware software)

2. Ensure you have TIME sources both sides of the break; this is a situation where on a large network having a single reference is a bad thing. large sites should run configured-lists and time-provider groups. this allows for redundancy if the single reference goes down.

3. You can add users, printers, etc if you still have timesync; changes will propagate when the link comes back, though you should probably keep changes to a minimum.

------------------------------

Date: Fri, 21 Mar 1997 11:57:00 -0500
From: "Brien K. Meehan"
Subject: Should NDS do this???

>Both servers had deleted all objects, except print related objects, that had
>been on the servers when they were partitioned, but not those created since.
>The NDS database from the replica was also dumped into the master database.
>
>Fortunately we had good backups of the NDS databases on both machines from
>about an hour earlier. These restored OK so no real damage was done.
>
>Does anybody have any theories what caused this??

Is it possible that someone deleted all the entries on server A that weren't on server B? And vice versa? That would CERTAINLY do it, because the replica on A would update the replica on B by deleting the objects too.

Or, I've been told, if a server can't resolve an external reference for a certain period of time, it figures that the external reference has "died" and takes it out of the tree. I'm not really clear on this topic - you should look into it. NDS experts? Debbie? Would this apply? That would do it if so.

>What did I do wrong??

You designed and implemented a tree that had poor communications between servers (effectively, a severed link). A more appropriate design would have included separate trees, and a plan to merge them after communications had been established.

>Does anybody have ideas as to the best way to proceed with linking the two
>servers back together??
>Am I looking at reinstalling NDS on the replica and
>recreating the new accounts (this would not be a major task)??

I would rename one of the trees, and make both trees healthy and able to stand alone. Establish the link, and merge the trees.

------------------------------

Date: Sat, 22 Mar 1997 11:34:52 -0300
From: Pablo Esteban Colazurdo
Subject: Re: Should NDS do this???

I'm not sure if what happened is right or it's not but some steps at your process are not recommended and in some cases, prohibited.

First, you can't set a Server on a NDS tree and then stop the communication between them. Some settings on the NDS parameters normally remove the Server not communicated from the NDS, including the Objects associated with it. And if the server is on the Replica Ring you may be in big troubles.

Second, you must confirm the Time Settings on both Servers. I think your problem is related with some strange lost time synchronization and the objects were deleted due to the mismatches from the NDS information on both server when you reconnect them. One Server delete each other on its own Replica and when you connect them together the Result was the deletion of Both OU's objects.

If you want to set the Server Rights Now you must recreate one of them from one backup, delete the information of the other on the NDS with NWADMIN and Partition Manager, setup the WAN Link and then reinstall NDS on the remote Server. If you want to setup them without the WAN Link, you must install them on different Trees, and when you set up the LINK between them you can run a DSMigrate to set them on a Single Tree.

------------------------------

Date: Thu, 27 Mar 1997 11:17:07 +0800
From: Brett Looney
Subject: Re: NDS corruption - caused by NDSMGR32??

>I've been having problems with a 4.11 server's NDS database
>DSREPAIR-4.10-009: Directory Services remains locked, error -618
>DSREPAIR-4.10-010: Process completed

I have seen this before (once) - but I can't tell you why it happens, and in your case why (at least from my interpretation of your post) why it keeps happening.

My information is that this error says the DS on disk and the DS in memory are different. ie. one is corrupt. By doing a "set dstrace=*." (where the . is very important) everything fixes itself. This command forces DS to be restarted (by reloading it) thereby forcing the copy in memory to be the same as the copy on disk.

But, if this isn't the problem, I have no idea...

---------

Date: Thu, 27 Mar 1997 09:34:06 +0000
From: Steve Cargill
Subject: Re: NDS corruption - caused by NDSMGR32??

>I have seen this before (once) - but I can't tell you why it happens, and
>in your case why (at least from my interpretation of your post) why it
>keeps happening.
>
>My information is that this error says the DS on disk and the DS in memory
>are different. ie. one is corrupt. By doing a "set dstrace=*." (where the .
>is very important) everything fixes itself. This command forces DS to be
>restarted (by reloading it) thereby forcing the copy in memory to be the
>same as the copy on disk.

I tried the set dstrace=*. and I can't remember the result, but it didn't fix it. I tried UNLOAD DS then LOAD DS, that couldn't open the database as it was corrupt, the same as restarting the server. Using INSTALL, I couldn't delete the directory as it couldn't be opened, "try dsrepair". The thing that annoyed me is I couldn't find a way ( I'm sure there must be, I just couldn't find it ) of doing a cold install of DS from this position.

>But, if this isn't the problem, I have no idea...

Well, it hasn't happened for a couple of days now and nothing on that server has changed other than I haven't run the Win95 NDS manager, everything from the console except NWADMIN95.
------------------------------

Date: Mon, 31 Mar 1997 14:12:15 -0500
From: Loren Carter
To: netw4-l@ecnet.net
Subject: Directory Map Object -Reply

I use them here. Recently the Archives underwent their latest reorganization. Rather than continuing to change the naming scheme of the NDS tree to keep up with the ever changing reorgs here (they've had three reorganizations in the past 9 months), everyone here logs in as an ALIAS object. That object is linked to their real account in their "old" organizational unit. All of these ALIAS objects are now in the same container, and the name context in all of the net.cfg files are pointing to that container.

Now when users desire to re-map drives, they would have to climb up and down the NDS tree to find the volumes. Instead I added directory map objects (that point to the real ones since they are no longer in the same container) to the container where the user ALIAS' now are. Now, as users need or desire to change their drive mappings, they launch NETUSER or NWUSER and can pick their desired NetWare volume from the list of map objects. This way they don't have to climb up and down the NDS tree to find them. That was a real problem for most of my users who aren't computer literate and certainly don't understand NDS.

This entire evolution was driven by the need for users from both buildings (separated by a T1 line in different containers) wanting to be able to log in no matter where they were at the time (and without all the dots, OU and O names....they're users and like old dogs can't be taught anything new (mostly for political reasons))

------------------------------

Date: Wed, 2 Apr 1997 08:25:41 -0500
From: Dennis Large
Subject: Re: Scaling NDS

>We are discussing a project that will greatly increase the size of
>our current NDS. What are the practical upper limits as to the
>number of objects in a single NDS tree?.
>We are thinking of merging
>several community college trees and the result would be on the order
>of 50,000 objects.
>
>I would like to hear from Administrators who handle large NDS
>systems. Could you please tell me how many objects your trees are
>currently holding, and any special configurations/problems.

You'll certainly get other more authoritative answers, but I'll throw in the guidelines I'm using as my tree grows. (Doubt that we'll ever get to 50K, but half that is a possibility.)

1) KISS
2) I'm sticking 3K objects per OU. I believe that's Novell's current rule of thumb.
3) Having a predefined plan will probably be the best thing.
3a) Have the full tree designed. Mine has many more empty OUs than populated ones, but I know where objects go as we add.
3b) Partition and replica design. A little harder to do since they are setup largely on the basis of the usage of the tree and server availability, but you should at least be able to make some intelligent guesses. Fortunately, this can all be done and changed dynamically as the need arises.
4) Keep your comm situation in mind with the above items. Weak links need a little special handling, but most things can be accommodated.

---------

Date: Thu, 3 Apr 1997 13:05:48 -0600
From: John Bezy
Subject: Scaling NDS

A good reference is the book by Jeff Hughes and Blair Thomas, two of the Novell NDS gurus, titled 'Four Principles of NDS Design', published by Novell Press/IDG.... While published in 1996, most everything still applies. There were very few differences presented at BrainShare last week by them.

------------------------------

Date: Fri, 4 Apr 1997 10:08:22 +0100
From: Richard Letts
Subject: Re: NDS Tree Merges

>I am soon going to be working on a project to merge together several
>separate NDS trees into one. All servers in the various trees are NW
>4.1. My question/concern has to do with the number of objects in each
>tree. Several of the trees contain in excess of 600-700 leaf objects.
>Having never done a merge of this size, I am curious about the time
>factor involved to do the actual merge.

Here's my opinion (having observed a tree-merge)

1. Establish timesync between all of the servers in all of the trees do this as soon as possible, use configured lists, use time-provider groups. do not proceed beyond step 1 until you have timesync established.

2. Check timesync is established. if it isn't go back to 1
   [I hope readers get the idea that timesync is really very important!]

3. Make the root partitions as small as possible [this is a Good Idea in any case] as when you merge the trees everyone who has a replica of the original [root] in each tree will get a replica of the new [root] ie with 20 trees and 3 replicas you'll end up with 30 [root] replicas.

4. Merge a tree at a time, don't attempt to merge the lot in one go; you'll have too much happening with one merge to know where a problem is if you do more than one at once. run dsrepair on each [root] replica to make sure there's no junk in that partition.

5. Merge the schemas of treeA into tree B and vice versa. otherwise you'll end up with attribute problems when objects in the [root] are merged. This can be done later, but you might as well make sure the schemas are merged.

6. Merge the trees

7. Wait, check [root] is synchronised between all replicas, ensure the schema is replicated everywhere, and users can login who were on both former trees.

8. Write down what you did, goto 2, and repeat your success.

We took-over a nursing college and merged their tree into ours. Not realising what a tree-merge does we didn't partition the users in the original tree out of [root] making the merge more fraught than it needed to be. this needlessly replicated their users into the [root] partition in our tree. Given they only had the one server having more than one partition in the original would have been pointless.

------------------------------