----------------------------------------------------------------------
Microsoft Directory Synchronization Services (MSDSS) and
File Migration Utility (FMU) Service Pack 1.0
February 2002
(c) Microsoft Corporation, 2002. All rights reserved.

RELEASE NOTES
----------------------------------------------------------------------

Information in this document, including URL and other Internet Web site
references, is subject to change without notice and is provided for
informational purposes only. The entire risk of the use or results of
the use of this document remains with the user, and Microsoft
Corporation makes no warranties, either express or implied.

Unless otherwise noted, the example companies, organizations, products,
people and events depicted herein are fictitious and no association with
any real company, organization, product, person or event is intended or
should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright,
no part of this document may be reproduced, stored in or introduced into
a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft
Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights,
or other intellectual property rights covering subject matter in this
document. Except as expressly provided in any written license agreement
from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual
property.

(c) 1985-2002 Microsoft Corporation. All rights reserved.

Active Directory, Microsoft, Windows, and Windows 2000 are either
registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
The names of actual companies and products mentioned herein may be the
trademarks of their respective owners.

----------------------------------------------------------------------
Overview
----------------------------------------------------------------------

This Service Pack (SP1) is a set of fixes to Microsoft Directory
Synchronization Services (MSDSS) and File Migration Utility (FMU)
available in the Microsoft Windows Services For Netware 5.0 software
product. These fixes provide improved stability and more migration and
synchronization options.

This document contains:

* a list of fixes and new features in MSDSS and FMU
* a list of files that will be updated
* installation instructions
* a table of new registry values

----------------------------------------------------------------------
Resolved issues
----------------------------------------------------------------------

Issues that have been fixed in SP1:

* Migration fails if multiple naming attributes are present for an
  object
* Migration does not migrate all of Novell Directory Services (NDS)
  group members
* Initial migration of users from NDS might not finish successfully if
  the Postal Address attribute in NDS is blank
* Two-way synchronization deletes the Active Directory Exchange e-mail
  address if the NDS e-mail address is blank
* Fails to set LoginDisabled when creating a new user in NDS
* File migration fails when a directory name contains an upper ASCII
  character
* FMU cannot find NDS trees in pure IP environments
* Sessions appear multiple times in the session list when there are
  more than 20 sessions

New features added in SP1:

* Option to migrate NDS Group members based on the Member attribute
* Option to synchronize the logon name for new users created in Active
  Directory
* Support for migrating Macintosh files (that is, resource fork, Finder
  data, and file name)
* Major improvement in file migration performance
* Option to perform incremental file migrations
* Options supporting offline file migrations
* Migrated file permissions use the NTFS file system access control
  list (ACL) inheritance
* Option to treat the migrating Active Directory account as Supervisor
  of migrated files

The following files are updated when you install SP1:

ADSNWNDS.DLL
ADREAD.DLL
CUSTMAP.DLL
MSDSSMGR.DLL
NDSREAD.DLL
NDSWRITE.DLL
OBJMAP.DLL
FILEMIG.EXE

----------------------------------------------------------------------
Installation instructions
----------------------------------------------------------------------

Note: You must properly install the MSDSS service prior to installing
SP1. You must stop the MSDSS service prior to installing SP1.

To stop the service:

1. Click Start, point to Settings, and then click Control Panel.
2. Double-click Administrative Tools, and then double-click Services.
3. Right-click the MSDSS service, and then click Stop.

To download and install the Service Pack:

1. Save the Service Pack file (q316094_W2K_spl_X86_EN.exe) to a
   directory on the local hard drive.
2. In Windows Explorer, open the directory in which you saved
   q316094_W2K_spl_X86_EN.exe. Double-click the file to start
   installing SP1.
3. After you have installed SP1, click Start, point to Settings, and
   then click Control Panel.
4. Double-click Administrative Tools, and then double-click Services.
5. Right-click the MSDSS service, and then click Start.

----------------------------------------------------------------------
New registry settings for File Migration Utility (FMU)
----------------------------------------------------------------------

New options in the File Migration Utility are set in the registry as
DWORD values in the
HKLM\SYSTEM\CurrentControlSet\Services\MSDSS\Parameters\File migrate Options
key. The value names, default settings, and descriptions are listed
below.

Value name: FileACLs
Default value: 1
Description: This value determines whether FMU migrates ACLs for each
file when it is migrated from NetWare to Windows 2000. By setting the
value to 0, you speed up the migration session by skipping the
file-level ACL migration. The migrated files then inherit inheritable
ACLs from their parent directory.

Value name: DirectoryACLs
Default value: 1
Description: This value determines whether FMU migrates ACLs for each
directory when it is migrated from NetWare to Windows 2000. By setting
the value to 0, you speed up the migration session by skipping the
directory-level ACL migration. This is not recommended.

Value name: FilesInheritAlways
Default value: 0
Description: This value determines whether the "allow inheritable
permissions from parent to propagate to this object" flag is set to on
for all files. By setting the value to 1, you override the effect of
the inherited rights filters on files on the NetWare server.

Note: The way that FMU handles ACL inheritance has changed with the
application of this Service Pack (SP1). Previously, FMU stamped the
effective set of rights specifically on each file. With the
application of SP1, FMU uses Windows 2000 NTFS ACL inheritance to
achieve the same privilege without stamping every file. If you would
like to override this and reset FMU to its previous behavior, set the
following four registry values to 0: FilesInheritAlways,
FilesInheritUnlessIRF, DirectoriesInheritAlways, and
DirectoriesInheritUnlessIRF.

Value name: FilesInheritUnlessIRF
Default value: 1
Description: This value determines whether the "allow inheritable
permissions from parent to propagate to this object" flag is set to on
for all files, except when the file on the NetWare server has an
inherited rights filter or a grant of lesser privileges than a grant
closer to the volume root. If both FilesInheritAlways and
FilesInheritUnlessIRF are set to 1, FilesInheritUnlessIRF is applied.

Value name: DirectoriesInheritAlways
Default value: 0
Description: This value determines whether the "allow inheritable
permissions from parent to propagate to this object" flag is set to on
for all directories. By setting the value to 1, you override the effect
of inherited rights filters on directories on the NetWare server.

Value name: DirectoriesInheritUnlessIRF
Default value: 1
Description: This value determines whether the "allow inheritable
permissions from parent to propagate to this object" flag is set to on
for all directories, except when the directory on the NetWare server
has an inherited rights filter or a grant of lesser privileges than a
grant closer to the volume root. If both DirectoriesInheritAlways and
DirectoriesInheritUnlessIRF are set to 1, DirectoriesInheritUnlessIRF
is applied.

Value name: MacFileData
Default value: 1
Description: This value determines whether Macintosh files on the
NetWare server will have the data fork copied to the destination. If
the value is set to 0, Macintosh files are skipped. Used in conjunction
with MacFilesOnly, these options enable you to perform two-pass
migrations that separate Macintosh files from non-Macintosh files.

Value name: MacFileResource
Default value: 1
Description: This value determines whether Macintosh files on the
NetWare server will have the resource fork and Finder data copied to
the destination for use with Services for Macintosh. By setting the
value to 0, you do not copy the resource fork and Finder data.

Note: In order for Services for Macintosh to recognize the migrated
Macintosh files, the destination must be created as a Macintosh file
share point AFTER the migration is completed.

Value name: MacFileName
Default value: 1
Description: By setting this value to 1, Macintosh files are renamed on
Windows to use the file name from NetWare's Macintosh namespace. By
setting the value to 0, you ensure that you use the file name from the
default namespace (Long or DOS).

Value name: MacFilesOnly
Default value: 0
Description: By setting the value to 1, you cause FMU to skip
non-Macintosh files during the migration. This option is useful for the
second pass in a two-pass migration to separate Macintosh files in
cases where Services for Macintosh is loaded on only selected servers.

Value name: IgnoreNetWareOwner
Default value: 0
Description: This value determines whether the "owner" property on
migrated files is set to the migrator user or the Administrators group.
In NetWare, the "owner" property is merely informational, carrying no
security significance. In NTFS, the "owner" property has significant
security implications. By setting this value to 1, you set the "owner"
property, with its security implications, to the Administrators group.

Value name: ReplaceNTFSRootACL
Default value: 0
Description: The default setting merges the existing ACL on the NTFS
target root directory with the migrated ACL. The existing ACEs apply to
the root directory and any files/subdirectories until an IRF or rights
reduction causes the "allow inheritable permissions from parent to
propagate to this object" flag to be cleared. By setting the value to
1, you replace the existing ACL on the target directory with the ACL
migrated from NetWare.

Value name: SetMigratorAsSupervisor
Default value: 0
Description: Setting this value to 1 effectively adds the Windows user
account used for the migration as a "Supervisor" to the root of each
volume. This means that the migrating user has Full Access rights to
everything migrated during and after the migration. Because the user is
treated as "Supervisor", this access control entry (ACE) survives all
IRFs and rights reductions in NetWare.

Value name: ResetArchiveFlag
Default value: 0
Description: This value determines whether the archive flag is cleared
on files and directories in the NetWare file system as each file is
migrated. This option is used in conjunction with the
MigrateOnlyIfArchive option to perform an initial full migration
followed by subsequent incremental migrations. Set this option to 1
during the initial full migration and during subsequent incremental
migrations.

Value name: MigrateOnlyIfArchive
Default value: 0
Description: This value determines whether NetWare files that have the
archive flag cleared are migrated. The default value migrates all files,
regardless of the setting of the archive bit. When used in combination
with the ResetArchiveFlag option, you can perform an initial full
migration (this option is set to 0 for the full migration), followed by
subsequent incremental migrations (this option is set to 1 for the
incremental sync) to migrate only the files that have changed since the
last migration.

Note: Incremental migrations use the file archive flag to determine
whether the file has been changed and, therefore, should be included in
the incremental migration session. File backup systems often modify the
archive flag on files as they are backed up. To avoid interference
between the backup system and FMU, perform a full backup prior to the
initial full migration, and then set the backup system to perform
incremental backups without clearing the archive flag for all following
backup sessions of the target NetWare volumes. After you have done
this, you can run an incremental migration with the ResetArchiveFlag
option following each backup session.

Value name: MigrateACLsOnly
Default value: 0
Description: By setting this value to 1, you can set just the ACLs on
files that have been copied from NetWare to Windows 2000 by some
external method such as RoboCopy or a backup\restore process.

Value name: MigrateDirsOnly
Default value: 0
Description: Set this value to 1 to migrate only the directory
structure and directory-level ACLs. Then, you can copy the file data
into the directory structure by an external method such as RoboCopy or
a backup\restore process. Files copied into the directory structure
inherit ACLs from the parent directory.

----------------------------------------------------------------------
New registry settings for Microsoft Directory Synchronization Services
----------------------------------------------------------------------

New options in MSDSS are set in the registry as DWORD values in the
HKLM\System\CurrentControlSet\Services\MSDSS\Parameters key. The value
names, default settings, and descriptions are listed below.

Value name: UseMemberAttribute
Default value: 0
Description: Set this value to 1 to migrate group memberships using the
"member" attribute of the group object. By setting the value to 0, you
use the "security equal to me" attribute.

When migrating groups from NDS to Active Directory, MSDSS by default
reads the "security equal to me" attribute and migrates those group
members to Active Directory. Some NetWare administration tools
(particularly those that operate in Bindery mode) only add members to
the "member" attribute, which causes a discrepancy between the group
memberships as displayed in NDS and Active Directory after some
migrations. If you have experienced this, set the value to 1 to allow
NDS group members that are not marked as "security equal to me" to be
migrated to Active Directory.

Value name: SamRename
Default value: 0
Description: Set this value to 1 to rename the relative distinguished
name (also known as RDN) of a new user created in Active Directory to
match the samAccountName property when the user is synchronized to NDS.
If the value is set to 0, the user is created in NDS by using the
existing RDN.

Active Directory and Novell Directory Services (NDS) handle logon names
differently. Active Directory provides separate attributes for the
logon name (samAccountName) and for object naming in the directory
hierarchy (that is, the relative distinguished name or RDN), while NDS
uses the same attribute (that is, CN) for both purposes.

The initial release of MSDSS synchronizes the directory object name
(that is, the RDN maps to the CN), but does not synchronize the logon
names. This update to MSDSS provides an option for synchronizing logon
names between Active Directory and NDS. Setting the value to 1 enables
MSDSS to keep both the samAccountName and RDN attributes of a user
object in Active Directory synchronized with the CN attribute of the
corresponding NDS user object. (Note: the session must be a two-way
synchronization session in order to synchronize changes in NDS to
Active Directory.)

The following scenarios apply:

- Creating a new user object in NDS: When a new user is created in NDS
  and synchronized to Active Directory, the samAccountName and RDN of
  the new Active Directory user object are set to the CN of the new NDS
  user, thereby synchronizing the logon names.

- Renaming the user object in NDS: When a user object is renamed in NDS
  (that is, when the CN attribute is modified), the new object name is
  copied to both the samAccountName and the RDN of the Active Directory
  user object during the next synchronization, thereby ensuring that
  the logon names match.

- Creating a new user object in Active Directory: When a new user is
  created in Active Directory it is often created with different values
  for the RDN and the samAccountName. Due to internal synchronization
  processing, this is handled in two steps. First, a new user is
  created in NDS with the CN set to the Active Directory user's
  original RDN. At the same time, the RDN of the Active Directory
  object is changed to match the samAccountName. At the next Active
  Directory->NDS synchronization, the Active Directory object rename is
  synchronized to NDS, resulting in both user objects having the
  samAccountName as their logon name.

- Renaming the user object in Active Directory: When a user object is
  renamed in Active Directory (that is, when the samAccountName
  attribute is modified), that change is first copied to the Active
  Directory user's RDN attribute. This occurs on the first Active
  Directory->NDS synchronization after the change (nothing is actually
  copied to NDS at this point). On the next Active Directory->NDS
  synchronization, the user object's new RDN is copied to the NDS
  user's CN attribute, completing the synchronization of the name
  change.

When the logon name synchronization option is enabled, administrators
should avoid changing the RDN of Active Directory user objects without
also changing the samAccountName. If you do not change the
samAccountName too, you will not receive errors, but you will not
achieve the intended results. When such a change is made, the new RDN
is synchronized to NDS, but at the same time, because the
samAccountName and RDN do not match, the RDN is changed to match the
samAccountName. On the next Active Directory->NDS synchronization, the
new rename (back to the samAccountName) is synchronized to NDS,
effectively negating the name change.
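As an added example (not Microsoft's code and not part of these release notes), the following PowerShell script reads the FMU and MSDSS registry keys described above, reports the effective value of every SP1 option with the documented default filled in where a value is absent, and flags the settings and combinations whose descriptions carry security or correctness consequences. The key paths, value names and defaults are taken from these notes; the script assumes a machine where MSDSS SP1 is installed and an account that can read HKLM.

```powershell
# Added example, not Microsoft's code: audit the SP1 registry options above.
# Assumes MSDSS SP1 is installed; values absent from the registry are shown
# at the defaults documented in these release notes.
$fmuKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSDSS\Parameters\File migrate Options'
$msdssKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSDSS\Parameters'

# Documented default for each DWORD value
$fmuDefaults = [ordered]@{
    FileACLs = 1; DirectoryACLs = 1
    FilesInheritAlways = 0; FilesInheritUnlessIRF = 1
    DirectoriesInheritAlways = 0; DirectoriesInheritUnlessIRF = 1
    MacFileData = 1; MacFileResource = 1; MacFileName = 1; MacFilesOnly = 0
    IgnoreNetWareOwner = 0; ReplaceNTFSRootACL = 0; SetMigratorAsSupervisor = 0
    ResetArchiveFlag = 0; MigrateOnlyIfArchive = 0; MigrateACLsOnly = 0; MigrateDirsOnly = 0
}
$msdssDefaults = [ordered]@{ UseMemberAttribute = 0; SamRename = 0 }

# Read a key; any value not present reports its documented default
function Get-EffectiveValues([string]$Key, [System.Collections.IDictionary]$Defaults) {
    $props  = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    $result = [ordered]@{}
    foreach ($name in $Defaults.Keys) {
        $present = $props -and $props.PSObject.Properties[$name]
        $result[$name] = if ($present) { [int]$props.$name } else { [int]$Defaults[$name] }
    }
    return $result
}

$fmu   = Get-EffectiveValues $fmuKey   $fmuDefaults
$msdss = Get-EffectiveValues $msdssKey $msdssDefaults
'== Effective values =='
foreach ($d in $fmu, $msdss) { $d.GetEnumerator() | ForEach-Object { '  {0,-28} {1}' -f $_.Key, $_.Value } }

# Conditions these notes describe as widening access beyond the NetWare grants,
# or as combinations that do not do what is intended. Inherit*Always is only
# flagged when the matching Inherit*UnlessIRF is 0, since UnlessIRF wins otherwise.
$rules = @(
    @{ When = { $fmu.DirectoryACLs -eq 0 }; Why = 'DirectoryACLs=0: directory-level ACL migration is skipped (not recommended)' }
    @{ When = { $fmu.FilesInheritAlways -eq 1 -and $fmu.FilesInheritUnlessIRF -eq 0 }; Why = 'FilesInheritAlways=1: NetWare inherited rights filters on files are overridden' }
    @{ When = { $fmu.DirectoriesInheritAlways -eq 1 -and $fmu.DirectoriesInheritUnlessIRF -eq 0 }; Why = 'DirectoriesInheritAlways=1: NetWare inherited rights filters on directories are overridden' }
    @{ When = { $fmu.ReplaceNTFSRootACL -eq 1 }; Why = 'ReplaceNTFSRootACL=1: the existing ACL on the NTFS target root is replaced, not merged' }
    @{ When = { $fmu.SetMigratorAsSupervisor -eq 1 }; Why = 'SetMigratorAsSupervisor=1: the migrating account keeps Full Access to everything migrated, surviving all IRFs' }
    @{ When = { $fmu.IgnoreNetWareOwner -eq 0 }; Why = 'IgnoreNetWareOwner=0: the NTFS owner, which is security-significant, is not forced to the Administrators group' }
    @{ When = { $fmu.MigrateOnlyIfArchive -eq 1 -and $fmu.ResetArchiveFlag -eq 0 }; Why = 'MigrateOnlyIfArchive=1 without ResetArchiveFlag=1: archive flags are never cleared, so each incremental run re-copies the same files' }
    @{ When = { $msdss.SamRename -eq 1 }; Why = 'SamRename=1: an RDN change in Active Directory without a matching samAccountName change is reverted on a later sync' }
)
'== Findings =='
$hits = foreach ($r in $rules) { if (& $r.When) { "  - $($r.Why)" } }
if ($hits) { $hits } else { '  none' }
```

Run it before starting a migration session and again after changing any of the values; the findings list is empty when every setting is at a value these notes do not caution against.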