Release Notes for Microsoft Services for NetWare 5.02 Service Pack 2

The fixes included in Microsoft® Services for NetWare 5.02 Service Pack 2 (SP2) provide additional migration and synchronization options and can improve the stability of synchronization sessions.

The fixes provided in SP2 apply to the following components:

Microsoft Directory Synchronization Services (MSDSS)
File Migration Utility (FMU)
File and Print Services for NetWare (FPNW)

Issues That Are Resolved in SP2

SP2 provides fixes for the following issues:

MSDSS incorrectly deletes a user account if a failure occurs while MSDSS is reading from a Novell Directory Service (NDS) globally unique identifier (GUID).
Group memberships are lost during a MSDSS multi-session migration.
FMU incorrectly reports that a forest is unavailable.
You receive an incorrect message that an FPNW access violation occurred in Nwssvc.exe during service startup.
An uninitialized structure element in the handling of the AccountExpires attribute in the CUSTMAP.DLL could lead to an access violation and terminate the service.
The New Session Wizard fails to validate the NDS schema when the Novell Client 4.9 is installed and the session is a two-way synchronization session. When the NDS read provider failed with an extended error, the error code returned to the session was not a properly formatted HRESULT, and MSDSS continued to try and process the objects.
Inherited ACLs on directories were not being properly calculated if there are Inherited Rights Filters. Every directory was not allowing any rights to be inherited, so all non-supervisor ACEs would be filtered out on each subdirectory. They would be properly applied to the directory on which they were granted, but not propagated to any subdirectories beyond any Inherited Rights Filters. As long as Inherited Rights Filters were not used, the ACEs would inherit through NTFS’s inheritance, but when we encountered an Inheritied Rights Filter in NetWare which filtered less than all rights, we have to block inheritance in NTFS and then propagate over the rights that were not filtered out.
A default configuration where the existing NTFS ACEs on the target root were merged into the migrated ACEs from NetWare, any ACEs coming from NDS, the Server object, or directories closer to the volume root than the source root directory (where the migration started) would not be included in the target root ACL when the migration completed.
FPNWSrv stops responding when you provide a path that exceeds 255 characters.
The Fpnwsrv.sys driver is blocked, and the FPNW service will not start after you upgrade to a Microsoft® Windows Server^TM 2003 family operating system with File and Print Services for NetWare installed. For more information, please visit the Microsoft Product Support Web site.

Known Issues in SP2

The following are known issues with Services for NetWare 5.02 SP2:

FPNW

Printer manager mishandles the forward slash (/) in printer names. When you are using the printer manager function in Server Manager to configure a printer, if there is a forward slash in the defined printer name, the Queues dialog box displays the error message, "File not found."
When you install FPNW, but lack adequate disk space to do so, you do not get a message warning you about this lack of disk space.
When you install FPNW, you are prompted for a Supervisor password. If this password does not meet the current password policies of the target system, no error is given, and the setup continues to install the service. During this process, several critical configuration steps are skipped, and the FPNW service, while started, is inoperable. To correct this, uninstall FPNW, and re-install it using passwords that conform to the current password policy of the target system.

MSDSS Help file

In the "User Objects (NDS and Active Directory)" table in the MSDSS Help file, the following mappings are incorrect regarding the Novell Directory Services (NDS) attribute. (All mappings are case sensitive.)
- Email Address incorrectly maps to mail. It should map to Internet EMail Address, and then to mail.
- Facsimile Telephone incorrectly maps to facsimileTelephoneNumber. It should map to Facsimile Telephone Number, and then to facsimileTelephoneNumber.
- Physical Deliver Office Name incorrectly maps to l.

Features That Have Changed in Services for Netware SP2

The following features are new in Service for Netware SP2:

Symbols are now included on the product CD for FPNW and MSDSS. The symbols are also available on the Microsoft public symbol server. More details can be found at http://www.microsoft.com/whdc/ddk/debugging/symbols.mspx
MSDSS is now able to synchronize the departmental attribute from NDS to Active Directory® directory service.
The white paper, "Migrating from NetWare to Windows Server 2003," is included in the DOCS directory of the Service Pack 2 CD.

The following feature has changed in Services for Netware SP2:

After you install File and Print Services for NetWare on your Windows Server 2003 family operating system, the FPNW icon no longer appears in Control Panel. To access FPNW, click Start, click Program Files, click Administrative Tools, and then click Server Manager.

Operating Systems Services for Netware SP2 Supports

SP2 supports the following Windows operating systems:

Microsoft Windows® 2000 Server family
Windows Server 2003 family

SP2 supports Administrative Tools for the following Windows operating systems:

Microsoft Windows 2000 Professional
Microsoft Windows XP Professional

SP2 supports the following Novell NetWare operating systems:

Novell NetWare 3.x (Bindery)
Novell NetWare 4.x
Novell NetWare 5.x
Novell NetWare 6.0 with Service Pack 2

Microsoft Directory Synchronization Service (MSDSS) requires the use of Novell's Client for Windows. If you perform a clean installation of either a Windows 2000 Server family operating system or a Windows Server 2003 family operating system, you must download and install Novell's Client for Windows before you install Services for NetWare MSDSS.

To install MSDSS, from a computer running a Windows 2000 Server family operating system, or from a server or domain controller running a Windows Server 2003 family operating system:

Install the latest version of Novell's Client for Windows.
Install MSDSS.
Open My Computer.
Right-click the drive where the Services for NetWare CD-ROM is located, click Explore, and then double-click the MSDSS folder.
In the details pane, double-click msdss.msi.
Restart the computer.
To manage MSDSS after you have installed it, open Administrative Tools, and then click Directory Synchronization.

Note

For more information, see the product documentation in Help.

To uninstall MSDSS:

Click Start, point to Settings, click Control Panel, double-click Add/Remove Programs or Add or Remove Programs, and then follow the instructions for removing a program.

File and Print Services for NetWare

To install File and Print Services for NetWare, from a computer running Windows 2000 Server, or from a server or domain controller running a Windows Server 2003 family operating system:

On your desktop, right-click My Network Places, and then click Properties.
Right-click Local Area Connection, and then click Properties.
Click Install.
Select Service, click Add, and then click Have Disk.
Important
- If File and Print Services for NetWare appears in the Network Service list, do not click it; instead, click Have Disk.
Insert the Services for NetWare 5.02 Service Pack 2 CD into the computer’s CD-ROM drive.
Type the following path:
drive:\FPNW

(where drive is the drive letter of the CD-ROM drive), and then click OK.
Select File and Print Services for NetWare, and then click OK.
In the Install File and Print Services dialog box, provide the requested information.
Note
- For more information about this dialog box, click Help.
If you are installing File and Print Services for NetWare in a domain, you are prompted to enter a password for the FPNW Service Account. If you install File and Print Services for NetWare on multiple domain controllers in a domain, you must specify the same password for each account on domain controllers where you install the service.
When you have completed this process, click Close.

Performing an upgrade

To perform an upgrade from either Microsoft Windows NT® with File and Print Services for NetWare 4.0 installed or Windows 2000 with File and Print Services for NetWare 5.0 installed:

Uninstall File and Print Services for NetWare.
Depending on your operating system, perform your upgrade to a Windows 2000 Server family operating system or Windows Server 2003 family operating system.
Install File and Print Services for NetWare.

Installing File and Print Services for NetWare for Administrative Tools only

To install File and Print Services for NetWare Administrative Tools only:

Insert the Services for NetWare 5.02 Service Pack 2 CD in the computer’s CD-ROM drive.
Right-click Start, and then click Explore.
In Folders, double-click the CD-ROM drive, double-click FPNW, and then do one of the following:
- For a Windows 2000 Server family operating system or Windows Server 2003 family operating system, in the details pane, right-click netsfntsrv.inf, and then click Install.
- For Windows 2000 Professional or Windows XP Professional, in the details pane, right-click netsfntpro.inf, and then click Install.

Uninstalling File and Print Services for NetWare

To uninstall File and Print Services for NetWare:

On the desktop, right-click My Network Places, and then click Properties.
Right-click Local Area Connection, and then click Properties.
Select File and Print Services for NetWare, and then click Uninstall.

New Registry Settings for File Migration Utility (FMU)

New options in File Migration Utility (FMU) are set in the registry as DWORD values in the following key:

HKLM\SYSTEM\CurrentControlSet\Services\MSDSS \Parameters\FilemigrateOptions

The following table provides the value names, default values, and descriptions of the new options in FMU.

Value name	Default value	Description
FileACLs	1	Determines whether File Migration Utility (FMU) migrates ACLs for each file when they are migrated from NetWare to Windows 2000. If you set the value to 0, you hasten the migration session by causing it to skip the file-level ACL migration. The migrated files then inherit inheritable ACLs from their parent directory.
DirectoryACLs	1	Determines whether FMU migrates ACLs for each directory when it is migrated from NetWare to Windows 2000. If you set the value to 0, you hasten the migration session by causing it to skip the directory-level ACL migration. We do not recommend this practice.
FilesInheritAlways	0	Determines whether the flag, "allow inheritable permissions from parent to propagate to this object," is set to "on" for all files. If you set the value to 1, you override the effect of the inherited rights filters on files on the NetWare server. Note Previously, FMU stamped the effective set of rights specifically on each file. With SP1, FMU began to use Windows 2000 NTFS file system ACL inheritance to achieve the same permissions without stamping every file. To override this and reset FMU to its previous behavior, set the following four registry values to 0: FilesInheritAlways, FilesInheritUnlessIRF, DirectoriesInheritAlways, and DirectoriesInheritUnlessIRF.
FilesInheritUnlessIRF	1	Determines whether the flag, "allow inheritable permissions from parent to propagate to this object," is set to "on" for all files, except when the file on the NetWare server has an inherited rights filter or grant of lesser permissions than a grant closer to the volume root. If both FilesInheritAlways and FilesInheritUnlessIRF are set to 1, FilesInheritUnlessIRF is applied.
DirectoriesInheritAlways	0	Determines whether the flag, "allow inheritable permissions from parent to propagate to this object," is set to "on" for all directories. If you set the value to 1, you override the effect of inherited rights filters on directories on the NetWare server.
DirectoriesInheritUnlessIRF	1	Determines whether the flag, "allow inheritable permissions from parent to propagate to this object," is set to "on" for all directories, except when the directory on the NetWare server has an inherited rights filter or a grant of lesser permissions than a grant closer to the volume root. If both DirectoriesInheritAlways and DirectoriesInheritUnlessIRF are set to 1, DirectoriesInheritUnlessIRF is applied.
MacFileData	1	Determines whether Macintosh files on the NetWare server will have the data fork copied to the destination. If the value is set to 0, Macintosh files are skipped. You can use these options in conjunction with MacFilesOnly to perform two-pass migrations that separate Macintosh files from non-Macintosh files.
MacFileResource	1	Determines whether Macintosh files on the NetWare server will have the resource fork and Finder data copied to the destination for use with Services for Macintosh. If you set the value to 0, you do not copy the resource fork and Finder data. Note In order for Services for Macintosh to recognize the migrated Macintosh files, the destination must be created as a Macintosh file share point AFTER the migration has been completed.
MacFileName	1	If you set the value to 1, Macintosh files are renamed on Windows to use the file name from NetWare's Macintosh namespace. Setting the value to 0 ensures that you use the file name from the default namespace (Long or DOS).
MacFilesOnly	0	If you set the value to 1, you cause FMU to skip non-Macintosh files during the migration. This option is useful for the second pass in a two-pass migration to separate Macintosh files in cases where Services for Macintosh are loaded on only selected servers.
IgnoreNetWareOwner	0	Determines whether the "owner" property on migrated files is set to the migrator user or Administrators group. In NetWare, the "owner" property is merely informational, carrying no security significance. In NTFS, the "owner" property has significant security implications. If you set this value to 1, you set the "owner" property, with its security implications, to the Administrators group.
ReplaceNTFSRootACL	0	The default setting merges the existing ACL on the NTFS target root directory with the migrated ACL. The existing access control entries (ACEs) apply to the root directory and any files or subdirectories until an inherited rights filter (IRF) or rights reduction causes the flag, "allow inheritable permissions from parent to propagate to this object," to be cleared. If you set the value to 1, you replace the existing ACL on the target directory with the ACL migrated from NetWare.
SetMigratorAsSupervisor	0	Setting this value to 1 effectively adds the Windows user account used for the migration as a "supervisor" to the root of each volume. This means that the migrating user has Full-Access rights to everything migrated during and after the migration. By treating the user as "supervisor," this ACE survives all IRFs and rights reductions in NetWare.
ResetArchiveFlag	0	Determines whether the archive flag is cleared on files and directories in the NetWare file system as each file is migrated. You can use this option in conjunction with the MigrateOnlyIfArchive option to perform an initial full migration that is followed by subsequent incremental migrations. Set this option to 1 during the initial full migration and during subsequent incremental migrations.
MigrateOnlyIfArchive	0	Determines whether NetWare files that have the archive flag cleared are migrated. The default value migrates all files regardless of the setting of the archive bit. When you use this option in combination with the ResetArchiveFlag option, you can perform an initial full migration (this option is set to 0 for full migration), followed by subsequent incremental migrations (this option is set to 1 for incremental synchronization). This migrates only the files that have changed since the last migration. Note Incremental migrations use the file archive flag to determine whether the file has been changed and should therefore be included in the incremental migration session. File backup systems often modify the archive flag on files as they are backed up. To avoid interference between the backup system and FMU, perform a full backup prior to the initial full migration, and then set the backup system to perform incremental backups without clearing the archive flag for all subsequent backup sessions of the target NetWare volumes. After you have done this, you can run an incremental migration with the ClearArchiveFlag option following each backup session.
MigrateACLsOnly	0	If you set this value to 1, you can set just the ACLs on files that have been copied from NetWare to Windows 2000 by some external method such as RoboCopy or a backup\restore process.
MigrateDirsOnly	0	Set this value to 1 to migrate only the directory structure and directory-level ACLs. You can then copy the file data into the directory structure by an external method such as RoboCopy or a backup\restore process. Files copied into the directory structure inherit ACLs from the parent directory.

New Registry Settings for Microsoft Directory Synchronization Services (MSDSS)

New options in MSDSS are set in the registry as DWORD values in the following key:

HKLM\System\CurrentControlSet\Services\MSDSS\Parameters

The following table provides the value names, default values, and descriptions of the new options in MSDSS.

Value name	Default value	Description
UseMemberAttribute	0	Set this value to 1 to migrate group memberships using the "member" attribute of the group object. If you set the value to 0, you use the "security equal to me" attribute. When migrating groups from Novell Directory Services (NDS) to Active Directory, by default MSDSS reads the "security equal to me" attribute and migrates those group members to Active Directory. Some NetWare administration tools (particularly those that operate in Bindery mode) only add members to the "member" attribute. This causes a discrepancy between the group memberships as displayed in NDS and Active Directory after some migrations. If you experience this, set the value to 1 to allow NDS group members that are not marked as "security equal to me" to be migrated to Active Directory.
SyncEmailAddress	0	In the Help file, the "Mapping Tables" topic lists the "Email Address" attribute in NDS as one that is being synchronized with "mail" attribute in Active Directory. It is actually the "Internet Email Address" attribute in NDS that is synchronized with the "mail" attribute in Active Directory. You can disable the "mail" attribute synchronization by creating the following registry key and setting the DWORD value to 0: HKLM\System\CurrentControlSet\Services\MSDSS\Parameters\SyncEmailAddress
DebugLogLevel	0	To troubleshoot synchronization issues when using the MSDSS tool, you can enable debug logging to capture detailed information about the synchronization process. Changing the data value to 1 enables detailed debug logging. The logging information is placed in the %Systemroot%\System32\Directory Synchronization\Session Logs folder. The log files are labeled as "Session#-#.log". You must stop and start the MSDSS service before this setting will function.
IgnoreDeletesFromNDS	0	This setting prevents the deletion of mapped objects on Active Directory when the object has been deleted on NDS.
SamRename	0	Active Directory and NDS handle logon names differently. Active Directory provides separate attributes for logon name (samAccountName) and object naming in the directory hierarchy (that is, the relative distinguished name. NDS uses the same attribute (that is, CN) for both purposes. The initial release of MSDSS synchronizes the directory object name (that is, the relative distinguished name maps to the CN), but does not synchronize the logon names. This update to MSDSS provides an option for synchronizing logon names between Active Directory and NDS. Setting the value to 1 enables MSDSS to keep both the samAccountName and relative distinguished name attributes of a user object in Active Directory synchronized with the CN attribute of the corresponding NDS user object. (Note: The session must be a two-way synchronization session in order to synchronize changes in NDS to Active Directory). The following scenarios apply: Creating a new user object in NDS When a new user is created in NDS and synchronized to Active Directory, the samAccountName and relative distinguished name of the new Active Directory user object is set to the CN of the new NDS user, thereby synchronizing the logon names. Renaming the user object in NDS When a user object is renamed in NDS (that is, when the CN attribute is modified), the new object name is copied to both the samAccountName and the relative distinguished name of the Active Directory user object during the next synchronization. This ensures that the logon names match. Creating a new user object in Active Directory When a new user is created in Active Directory it is often created with different values for the relative distinguished name and the samAccountName. Due to internal synchronization processing, this is handled in two steps. First, a new user is created in NDS with the CN set to the Active Directory user's original relative distinguished name. At the same time, the relative distinguished name of the Active Directory object is changed to match the samAccountName. At the next Active Directory-to-NDS synchronization, the rename of the Active Directory object is synchronized to NDS. As a result, both user objects have the samAccountName as their logon name. Renaming the user object in Active Directory When a user object is renamed in Active Directory (that is, when the samAccountName attribute is modified), that change is first copied to the Active Directory user's relative distinguished name attribute. This occurs on the first Active Directory-to-NDS synchronization after the change. Nothing is actually copied to NDS at this point. On the next Active Directory-to-NDS synchronization, the user object's new relative distinguished name is copied to the NDS user's CN attribute. This completes the synchronization of the name change. When the logon name synchronization option is enabled, administrators should avoid changing the relative distinguished name of Active Directory user objects without also changing the samAccountName. If you do not also change the samAccountName, you will not receive errors, but you will not achieve the intended results. When such a change is made, the new relative distinguished name is synchronized to NDS, but at the same time, because the samAccountName and relative distinguished name do not match, the relative distinguished name is changed to match the samAccountName. On the next Active Directory-to-NDS synchronization, the new rename (back to the samAccountName) is synchronized to NDS. This effectively negates the name change.

Copyright

These notes support a release of a software program that bears the name Microsoft Services for NetWare 5.02 Service Pack 2.

Information in this document, including URL and other Internet Web site references, is subject to change without notice and is provided for informational purposes only. The entire risk of the use or results of the use of this document remains with the user, and Microsoft Corporation makes no warranties, either express or implied. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Microsoft, MS-DOS, Windows, Windows NT, Windows Server, and Active Directory are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.