NetWare 4.11 Administration Reference Guide
By Andrew Mason

NetWare Directory Services (NDS)
NDS is the cloud above the network. It is responsible for looking after the network resources but not the file system. It is a complete database providing access and management in a hierarchical form, in many ways like a domain. Users log in to NDS and resources reside in NDS as objects. The tree is made up of three kinds of object: [Root], Container Objects, and Leaf Objects. It follows X.500 standards.

[Root] Object
Top of NDS structure. The NDS tree can only have one root, from where all other objects branch out. Similar to C:\

Container Objects
[Root] is a container object, but only one per tree is allowed, so there are another three container objects used to build the tree.
  • Country - Designates the country the organization is in.
  • Organization - The name of the Organization. (Similar to Directories)
  • Organizational Unit - Represents a department within an organization. (Similar to Sub-Directories)
Leaf Objects
Leaf objects are the actual resources such as Users, File Servers, Volumes and Directory Maps. There are 21 Leaf Objects.

NDS Naming Rules
All objects in NDS are accessed via their names. There are two types.

  • (Fully) Distinguished Names - Known as FDN
  • Relative Distinguished Names - Known as RDN
Fully Distinguished Names (FDN)
The object's complete NDS path from the object to the [Root]. No trailing periods are allowed. Leading periods are required. A name with a leading period is always an FDN, such as .CN=Andrew.OU=IT.O=MasonTech

Relative Distinguished Names (RDN)
Incomplete name based on the current context. Lists the path from the object to the current context. No leading periods. Trailing periods are optional.
Context = .OU=IT.O=MasonTech so RDN would be CN=Andrew

Leading & Trailing Periods
A leading period indicates that the name is an FDN.
Trailing periods are similar to the DOS "CD .." command, but a single dot is the parent and a double dot is the grandparent. They are used when an RDN is specified and the current context is not the same container as the object.
When the Context = OU=Sales.O=MasonTech, to specify the object Andrew you can use the FDN .CN=Andrew.OU=IT.O=MasonTech or the RDN CN=Andrew.OU=IT. (with one trailing period).
The trailing period makes the context O=MasonTech, and then RDN + Context = FDN.

The context is like the NDS current directory. In DOS (with no path set), if you are in "C:\" you cannot run "WIN.EXE" because the file is in the Windows directory ("C:\Windows"). The NDS context works the same way, although it is not linked to the file system. If the current context is [Root] and a user is in the O=MasonTech container, then the user cannot log in by specifying just his user name. He must supply either an FDN or an RDN. If you changed the context to O=MasonTech then the user could log in by specifying just his short name, i.e. Login Andrew.
The CX command is used to navigate & manage the context from a DOS prompt. The CX command resides in SYS:PUBLIC and supports the following switches.

  • /T - Tree, View all container objects below the current context, like DIR /S
  • /Cont - Container, Show all containers in the current context.
  • /A - All, Show all objects at or below current context.
  • /R - Root, Do whatever CX command is issued relative to the [Root]
  • /Ver - Version
  • /C - Continuous, Scroll output.
  • /? - Help.
Typeful & Typeless Naming
Typeful naming is when descriptors are used = .CN=Andrew.OU=IT.O=MasonTech
Typeless naming is when no descriptors are used = .Andrew.IT.MasonTech

Login.exe is in SYS:LOGIN, which usually maps to the first network drive specified within NET.CFG, or within Windows 95 if Client32 is used. This drive is always mapped as part of the client install, even before the client has been authenticated, so it is important to take care over this directory's contents.
When logging in you have to specify who you are and where you are from relative to the current context. This can be done by entering an FDN or RDN in either typeful or typeless format.

File System
Disks are organized into Volumes and then into directories.

Volumes
The highest level in the NetWare file system. Volumes can be leaf objects in NDS. They act as a bridge between NDS and the file system. The first volume is always named SYS: and an NDS leaf object is also created called %Servername_SYS. Volumes are fixed units of hard disk storage. They can span physical disks. NetWare can support 64 volumes and each volume can span 32 disks.

System Created Directories
When the server is installed SYS: is created and nine directories within SYS: are also created.

  • LOGIN
    Available to users before they login to NDS. Contains LOGIN.EXE as well as CX, NLIST and MAP.
  • SYSTEM
    Available only to administrators. Contains special administrative tools and utilities. Also contains some NLMs.
  • PUBLIC
    Available to all users. Contains user commands and utilities such as NWADMIN, NETADMIN, NWUSER, NETUSER, MAP, NLIST, NDIR, NCOPY, PCONSOLE etc.
  • MAIL
    Provided for compatibility with Novell 3.x. Not really used in Novell 4.x.
  • NLS
    NetWare Language Support, each directory has an NLS subdirectory. Identifies the language used and contains messages in the language.
  • ETC
    Contains other files such as TCP/IP configuration files.
  • QUEUES
    Used by the Print Queue NDS object on any volume to hold print queues. The location is specified by the assignments within the Printer NDS object.
  • DELETED.SAV
    Similar in principle to the recycle bin in 95/NT. Deleted files are placed in here to be "Salvaged". When a file is deleted it can be salvaged out of its parent directory; however, if this directory gets deleted, the file is moved to the DELETED.SAV directory for salvaging or purging. Filer or NWAdmin can be used to salvage files.
  • DOC
    The Dynatext online electronic documents for NetWare.
Managing The File System
There are various utilities available for managing the file system. Below are the main utilities.

  • FILER
    A DOS based menu utility in SYS:PUBLIC. Can be used to manage directories and files, display volume information and salvage/purge deleted files.
  • FLAG
    Allows you to view or modify directory and file attributes (Level 5 in the security model). It can also be used to modify the owner of a directory or file and to view or modify the searchmode of executable files.
  • NCOPY
    Allows you to copy network files from one location to another. Similar to XCOPY. Will work on DOS and NetWare files. Protects NetWare attributes whilst copying.
  • NDIR
    Lets you view files once they have been copied. Also used to view a lot of info about volumes & directories. You cannot modify
    • /FO - Files only in current directory
    • /C - Continuous
    • /SUB - Directory and Subdirectories
    • /SORT - Sort the output
    • OW= - Owner, Displays only files owned by =
    • AC - Files accessed
    • /? - Help
    These can be used together, so NDIR /FO /C OW=.Andrew.IT.MasonTech would continuously display only the files that belong to me (.Andrew.IT.MasonTech). Note that this is a typeless FDN.
  • NLIST
    NLIST is a new NetWare 4 utility which displays information about NDS objects and / or properties. Can display info on volumes as long as the volumes are represented by an NDS object.
  • NWADMIN / NETADMIN
    NWADMIN is the Windows based application and NETADMIN is the DOS based application. These applications carry out virtually all of the above tasks as far as file management goes.
Drive Mapping
  • Network Drive Mappings
    F-Z for drives. F: is usually SYS:LOGIN and U: is usually the user's home drive. Map to a directory to ease use.
  • Search Drive Mappings
    Similar to the PATH command. Can have 16 search drives. They start at Z and work backwards.
  • Directory Map Objects
    Uses an NDS object to map to a central logical resource.
Map Commands
  • MAP - Displays current drive mappings
  • MAP G:=LAPTOP\SYS:SHARED\FIN - Maps G: to SYS:SHARED\FIN on Laptop Server. Can also use an RDN or FDN typeless or typefull.
  • MAP NP - Overwrite a map without being prompted
  • MAP S1:= - Maps a Search Drive. S1 would overwrite the first entry in the DOS PATH statement, so MAP INS S1:= can be used instead to insert the search drive mapping into the first spot and shift the DOS search drives to the right.
  • MAP DEL G: - Deletes the G: Mapping
  • MAP ROOT - Creates a false root. CD .. doesn't have any effect.
  • MAP N - Map next available drive letter.
  • MAP C I: - Map Change, Changes the I: to also be a search drive. MAP C S1: would convert Search drive 1 to be a network drive.
  • MAP /? - Displays help for the MAP command
  • MAP /VER - Displays MAP version
NetWare 4 Security Model
Five layer security model

  1. Login, User & Password Authentication.
  2. Login Restrictions.
  3. NDS Security.
  4. File System Access Rights.
  5. Directory/File Attributes.
Layer 1 - Login / Password Authentication
The first layer checks the user account against the NDS database and then the password associated with the account. This is done from SYS:LOGIN.

Layer 2 - Login Restrictions
Once NDS has authenticated the logon credentials, you can apply restrictions to the user, as in User Manager in NT. These include the times the user is allowed to log on, the workstations to log on from, password expiration, concurrent connections, account disabled, etc. They are entered from the user's object in NWAdmin.

Layer 3 - NDS Security
Once a user has been authenticated and any restrictions placed, NDS security is the next layer.
The ACL (Access Control List) is a property of every NDS object to determine who can access the object (Trustees) and what each trustee can do with the object (Trustee Rights).
NDS supports two types of access rights, Object and Property.

  • Object Rights
    Define an object's trustees and control what they can do with the object.
  • Property Rights
    Further refine NDS security by limiting access to only specific properties of the object.
Object Rights
Control what a trustee can do with an object.

  • Browse - See objects in tree
  • Create - Create new objects within Container (Only available in Container Objects)
  • Delete - Delete the object
  • Rename - Rename the object
  • Supervisor - All access privileges. Anyone with S rights to the object has S rights to all its properties. Can be blocked by an Inherited Rights Filter (IRF)
Remember the phrase BCDRS for Object rights.

Property Rights
Once you are a trustee you must be given property rights to access properties within the object.

  • Supervisor - Grants all rights to the property. (Can be blocked by an IRF)
  • Compare - Returns T/F against an input. It won't tell you the value, but you can guess. Automatically set when Read is on
  • Read - Read the value of the property
  • Add Self - Add or Remove yourself as a value of a property. Only used where properties contain object names such as group membership lists. Automatically set when Write is on
  • Write - Add, Change or remove values of the property
Remember the phrase SCRAWL for property rights.
Property rights can either be added in NWAdmin by "All Properties" or "Selected Properties"

Default NDS Rights
  • Initial Installation
    [Root] and admin are created. Admin has S object rights to [Root] so he can administer the entire NDS tree. (Public) is also created. This is a special object. Every object in the NDS tree inherits the rights of (Public). Similar to the Everyone group in NT. (Public) is granted Browse object rights to [Root] so all objects can browse the tree.
  • File Server Installation
    The creator is assigned S object right as is the server itself so it can carry out functions by itself.
  • User Creation
    Each user is granted 3 sets of property rights by default. Read to all properties and Read/Write to login script and print job configuration properties.
    [Root] is granted read to network address and group membership.
    (Public) is granted Read to default server so anyone can see the user's default server.
Assigning Trustee Rights (Object)
Trustee assignments are granted using NWAdmin or NETADMIN.
NDS rights can be assigned in one of three ways.

  1. Trustee Assignments
  2. Inheritance
  3. Security Equivalence
Trustee Assignments
A Trustee is any object with rights to any other object. Trustees are tracked through the ACL property. Every object has an ACL property. There are two ways to assign trustee assignments.

  1. Rights To Other Objects - From the trustee's point of view
  2. Trustees Of This Object - From the trusting object's point of view
In NWAdmin right click on the Object and choose either "Rights To Other Objects" or "Trustees Of This Object" and select the object from the NDS Tree.

A side effect of trustee assignments.
Trustees inherit the assignments for all containers and objects underneath the specified object. There are two ways to stop this.

  1. Assign a new trustee assignment lower down for the same object.
  2. Inherited Rights Filter, you indicate which rights to allow to be inherited.
Security Equivalence
Uses Ancestral Inheritance, Organizational Role, Groups and Directory Maps to group people together, so that rights are added to the group and not to the user. Same as group membership in NT.

Effective Rights
Effective Rights = Trustee Assignments - IRF + (Public) + Security Equivalence.

NDS Administration
You can administer NDS in two ways

  1. Central Administration
  2. Distributed Administration
Central Administration
Central administration is where you only have one admin user with S rights to the tree. This is default.

Distributed Administration
Distributed Administration allows you to designate users with supervisor rights to containers of the tree.

  • Admin
    • Name The Tree
    • Install First Server
    • Create Top Layers of the tree
    • Partition Management & Synchronization
    • Assigning Container Admins
  • Container Admins
    • Creating Accounts
    • Creating & Configuring Print Services
    • Backup & Restore
    • Assigning File System Trustees
    • Installing Additional servers
    • Creating Workgroup Managers
Layer 4 - File System Access Rights
NDS is above the server and the file system is within the server, in the same way as share level and file level security operate in NT.
NDS and file system rights are similar and are assigned in the same 3 ways, Trustee Assignments, Inheritance, and Security Equivalence.
However there are a few differences.

  • NDS has 10 rights and the file system has 8 access rights
  • Rights DO NOT flow from NDS to the file system except in one special instance - Supervisor object rights to the server object. This grants the Trustee supervisor file rights to the root of all of the server's volumes.
  • The Supervisor NDS right can be blocked by the IRF. The supervisor file system right CANNOT be blocked by the IRF.
File System Access Rights
There are 8 file system access rights.

  • Write - Open and Change the contents of files and directories
  • Read - Open and Read contents or run applications
  • Modify - Change name or attributes of a file or directory
  • File Scan - See files and directories (Same as List in NT)
  • Access Control - Change the trustee assignments and IRF
  • Create - Create new files and sub-directories
  • Erase - Delete a directory, file or sub-directory (Delete in NT)
  • Supervisor - Grants all rights to a directory and its files and subdirectories. Cannot be blocked by an IRF
Remember the phrase WoRMFACES for File System Access Rights.
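
How trustee assignments, the IRF and security equivalence combine into effective rights, including the difference noted above between NDS and the file system (the Supervisor file system right survives an IRF). This Python model is an added example, not Novell code; the function name, the tree layout and the sample trustees are constructed, and it implements only the rules stated in this guide.

```python
"""Effective-rights model for the NDS and file system layers (illustrative)."""

# Rights letters as listed in this guide.
NDS_OBJECT_RIGHTS = frozenset("BCDRS")      # Browse Create Delete Rename Supervisor
FILE_SYSTEM_RIGHTS = frozenset("WRMFACES")  # Write Read Modify File-scan Access-control
                                            # Create Erase Supervisor


def effective_rights(path, identities, file_system=False):
    """Compute effective rights at the last level of `path`.

    path       -- levels from the top down to the target; each level is a dict
                  with optional "acl" {trustee: rights} and optional "irf"
                  (the rights the filter lets through; absent = no filter).
    identities -- the user plus everything the user is security equivalent
                  to (groups, (Public), ...).
    """
    all_rights = FILE_SYSTEM_RIGHTS if file_system else NDS_OBJECT_RIGHTS
    total = set()
    for who in identities:
        rights = set()
        for level in path:
            acl = level.get("acl", {})
            irf = level.get("irf")
            if who in acl:
                # A new trustee assignment lower down replaces what was inherited.
                rights = set(acl[who])
            elif irf is not None:
                # The IRF only lets the listed rights flow down. On the file
                # system it cannot block Supervisor. Only the IRF case is
                # modelled, since that is what the guide states.
                keeps_s = file_system and "S" in rights
                rights &= set(irf)
                if keeps_s:
                    rights.add("S")
        total |= rights                      # security equivalence is additive
    # Supervisor grants all rights of that layer.
    return set(all_rights) if "S" in total else total


# Constructed sample tree: an IRF on OU=IT lets only Browse through.
NDS_PATH = [
    {"name": "[Root]", "acl": {"Admin": "S", "(Public)": "B"}},
    {"name": "O=MasonTech"},
    {"name": "OU=IT", "irf": "B"},
]

# Constructed sample volume: an IRF on FIN lets only Read and File Scan through.
FS_PATH = [
    {"name": "SYS:", "acl": {"Admin": "S"}},
    {"name": "SYS:SHARED", "acl": {"Andrew": "RWCEMF"}},
    {"name": "SYS:SHARED\\FIN", "irf": "RF", "acl": {"Finance": "W"}},
]

if __name__ == "__main__":
    show = lambda r: "".join(sorted(r))
    # NDS: the IRF strips Supervisor, so Admin is left with Browse only.
    print("Admin  @ OU=IT :", show(effective_rights(NDS_PATH, ["Admin", "(Public)"])))
    # File system: the same kind of filter does not remove Supervisor.
    print("Admin  @ FIN   :", show(effective_rights(FS_PATH, ["Admin"], True)))
    # Andrew inherits RF through the IRF and gains W from the Finance group.
    print("Andrew @ FIN   :", show(effective_rights(FS_PATH, ["Andrew", "Finance"], True)))
```

The NDS result is the case to watch when reviewing a tree: an IRF that blocks S on a container leaves even Admin with only what (Public) has there.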

Default Rights
  • User - WRMFCE to the user directory = all rights except S and A.
  • Supervisor - Admin is granted S to all roots.
  • Creator - Whoever created the NDS server gets S to all its roots. This can be blocked by filtering the IRF on the object (NDS) but not on the file system access rights.
Layer 5 - File/Directory Attributes
Like DOS attributes. Can be modified using the FLAG command line utility or NETADMIN / NWAdmin.
Split into

  • Security Attributes - Files & Directory alterations such as copy inhibit.
  • Feature Attributes - Archive needed, purge and transactional.
  • Disk Attributes - Compression etc..
Workstation Configuration
Client 32 for Windows 95
32 bit protected mode NetWare client for 2.2, 3.1x, and 4.x. Integrates with Windows Explorer and Network Neighborhood.

  • Loads Client32 at startup.
  • No NET.CFG, instead configuration settings are saved in the registry.
  • Tool to update 3.x to 95 and Client32 in a one step batch install.
Load Order and Files
Client32 initializes by loading the following files in the following order.

  • NIOS.VXD - Core Client32 component running as a VXD
  • LSLC32.NLM - Link Support Layer
  • CMSM.NLM - Media Support in ODI architecture
  • ETHERTSM - Or Other Topology Support Module (TSM)
  • 3C5X9.LAN - Or Other LAN Driver
  • IPX.NLM - Communications Protocol
  • CLIENT32.NLM - Module for Client32 Services.
These files are stored in the C:\NOVELL\CLIENT32 directory.

Installed using the Setup.EXE command from the appropriate directory. The difference between 95 and 3.1x is NIOS.VXD versus NIOS.EXE. Also, 95 uses the registry whereas 3.1x uses the NET.CFG file.
MSBATCH automatically upgrades Windows 3.1x to Windows 95 and installs Client32.

Client 32 for DOS / Windows 3.1x
Works in a similar way to the 4.1 client. Integrates into File Manager. During installation client files are put into C:\NOVELL\CLIENT32.

Load Order and Files
Client32 initializes by loading the following files in the following order.

  • NIOS.EXE - Core Client32 component running as an .EXE
  • LSLC32.NLM - Link Support Layer
  • CMSM.NLM - Media Support in ODI architecture
  • ETHERTSM - Or Other Topology Support Module (TSM)
  • 3C5X9.LAN - Or Other LAN Driver
  • IPX.NLM - Communications Protocol
  • CLIENT32.NLM - Module for Client32 Services.
These files are stored in the C:\NOVELL\CLIENT32 directory.

Installed using the INSTALL.EXE command from the appropriate directory. This modifies the AUTOEXEC.BAT and CONFIG.SYS and creates NET.CFG which should be checked after the install.

Login Scripts
Four types of login scripts in load order.
  • Container Login Scripts
    Property of O & OU containers. They enable you to set a script for all users in a container.
    They are NOT Inherited
  • Profile Login Scripts
    Property of the profile object. Used to group uncommon users together by specifying a profile in the user's script page. Only one profile can be specified per user.
  • User Login Scripts
    Property of the user object. Executed after Container and Profile scripts.
  • Default Login Scripts
    Where users don't have a user script. Contains simple mappings and Comspec. NO_DEFAULT in the container script stops people from running the default script.
Container login scripts cannot be inherited. They only apply to users in that specific container.

Login Script Commands
There is a specific set of commands that will run in Login Scripts, such as Write, Map, Fire Phasers. Variables can also be used, such as %Login_name.

  • REMARK - Same as REM in DOS
  • # - Run a command not supported in Login Scripts such as #CLS
  • IF THEN & ELSE - Can be used to structure the script
  • NO_DEFAULT - No Default login script. Only available in Container Scripts
  • MAP - All Map switches can be used
Menu System
A set of DOS like commands to display a simple Bar menu that runs commands.
Split into

  • Organizational Commands - Providing the menu's look and feel
    • Menu - Identifies the beginning of each menu screen & provides a title
    • Item - Defines the options that appear within the menu and includes a variety of built in options
  • Control Commands - Doing the work
    • EXEC - Executes internal or external program
    • SHOW - Branches to another menu, submenu
    • LOAD - Branches to another external menu (*.DAT)
    • GETO - Supports optional user input
    • GETR - Supports required user input
    • GETP - Assigns user input to a variable
Menu Execution
Use a text editor to create a file with a .SRC extension. Use MENUMAKE.EXE to compile the menu (.SRC) to a .DAT extension. The menu is executed from NMENU.BAT which is in SYS:PUBLIC.
Read & File Scan rights are required to the .DAT files.


Integrated platform called MHS (Message Handling Service)
Stores & Forwards

3 Key Components

  1. Messaging Server - NetWare 4 Server with MHS installed
  2. User Mailboxes - Physically located on the Messaging Server
  3. MHS Applications - Front end application. FirstMail is included in SYS:PUBLIC
Install by using INSTALL.NLM on the server and select "Product Options"
MHS is started by typing LOAD MHS. This should be placed in the AUTOEXEC.NCF to load automatically on server boot.

Server Management
Server Management consists of three components

  1. Server Protection - Keep users away from the server console
  2. Console Commands - Keep the server running at peak performance
  3. NLM's - Everything else
1 - Server Protection
  1. Restrict physical access to the server
  2. Use MONITOR.NLM to lock the console
  3. Load secure console to ensure that NLM's can only be loaded from SYS:SYSTEM
  4. Load REMOTE.NLM to allow only remote access to the server
2 - Console Commands
These are internal system tools similar to DOS internal commands. Built into SERVER.EXE.

  • BIND - Bind a protocol
  • BROADCAST - Send a network message, same as NET SEND
  • CLEAR STATION - Disconnect a workstation
  • CONFIG - Hardware Diagnostics
  • DOWN - Shuts down Server activity
  • DSTRACE - Manages synchronization
  • ENABLE / DISABLE LOGIN - Logon on server. Like disabling the Server Service
  • EXIT - Returns to DOS after the server has been DOWN(ed)
  • HELP - Console Command Help
  • LOAD / UNLOAD - Loads / Unloads an NLM
  • MODULES - Displays loaded NLM's
  • MOUNT - Mounts Volumes
  • REMOVE DOS - Bind a protocol
  • RESTART SERVER - Restarts the Server Services
  • TRACK ON - Relating to RIP
3 - NetWare Loadable Modules
NetWare loadable modules are applications which attach to the core OS and provide added functionality. Similar to Services under NT.

  • INSTALL.NLM - To install, manage & troubleshoot the NetWare server
  • MONITOR.NLM - "Mother of all server utilities" Contains info as to users, open files, utilization. A mix between Server manager and Performance Monitor in NT
  • SERVMAN.NLM - Server Manager, all info about the server
  • DSREPAIR.NLM - Repairs & adjusts the NDS database
Storage Management Services (SMS)
Built in Novell Backup
Three main components:
  1. Device Drivers
    These lie at the bottom of the SMS model. They are installed during the installation of the server and control the backup media hardware. These are TAPEDAI.DSK etc. All have *.DSK extensions.
  2. SBackup
    This is the backup application which is run as an NLM on the server.
  3. Target Service Agents (TSA)
    Clients of SBackup must have a TSA installed for Sbackup to recognize them.
    • NetWare 4 Server - TSA410 or TSA400
    • NetWare 3 Server - TSA312 or TSA311
    • NDS Database - TSANDS
    To back up the host server, SBackup must be installed as well as TSA410 and TSANDS. The backup procedure uses Full, Incremental and Differential backup methods as in NTBackup.
Remote Management
The console can be remotely administered. LOAD REMOTE on the server then LOAD RSPX or RS232 to enable the communications. REMOTE requires a password. This has to be entered in clear text into AUTOEXEC.NCF. Consider using LDREMOTE instead, which encrypts the password.
On the client you must use RCONSOLE.EXE from SYS:SYSTEM. You must specify a connection type (SPX or RS232) and then the application will scan for servers running REMOTE.NLM and the selected communication method. You must then enter the REMOTE password. Control is then duplicated to the Server Console and any server command can be run as if you were sat at the server console.

Printing on Novell consists of four processes.
  1. Capturing - Redirecting the print job to the printer
  2. Moving to the Queue - Waiting
  3. Print Server - Poll the Queue. Send to the printer
  4. Printer - The Physical printer
1 - Capturing
Capturing is Novell's way of redirecting a local port to a print server. It is the same as NET USE LPT1: in Windows NT. NetWare uses MAP for drives and CAPTURE for printers. In DOS this is done via the CAPTURE command, whereas Windows uses the NWUSER program.
  • CAPTURE /? - Help on The CAPTURE Command
  • /SH - Shows all connections
  • /S - Specify the print server (not needed in NetWare 4)
  • /Q - Specify the print queue. Either RDN or FDN
  • /AU - Auto End Cap, allows the application to decide if the user has finished sending data
  • /TI - Timeout
  • /K - Tells the shell to keep the printed output if flow is interrupted
  • /C - Number of copies
  • /B - Banner, Enabled by default
  • /NB - No Banner
  • /L=n - Local port number, L=1 would be lpt1
  • /F - Form
  • /CR - Print to a file
  • /NOTI - Notify the user when printed
  • /EC - End Capture, Return output to the local port. Same as Net Use LPT1 /d
  • Sample - CAPTURE /NB /L=2 /Q=HP.MTECH
    You always point to a queue and not a print server or printer
    PC----->Print Queue------------>Print Server----------->Printer
    NWUSER has a GUI interface to scan for queues.
2 - The Print Queue
The capture command redirects output to a queue. The queue is an NDS object. You must specify a name on a volume for the queue. A "QUEUES" directory is created on the volume to store the queue information. Operators and Users can be added to the Queue. The queue stores the print jobs in order and the info appertaining to the job such as the creator, number of copies etc..
No Assignments are added to a Print Queue

3 - The Print Server
The print server polls the queue and sends its info to the printer. The print server must be activated by typing LOAD PSERVER on the console then choosing the print server to load. Operators and users can be added.
You add printer assignments to a Print Server

4 - The Printer
You set up a printer and tell it where it is in relation to the print server. The printer actually sits off the print server on a local port, or anywhere on the network if the printer is equipped with a third party interface such as Jet Direct by HP. Notification can be set, but no users or operators are assigned as this is handled by the print queue or print server. You add queue assignments to a Printer.

Printing Set-up
To set up printing:
  1. Create the print queue
  2. Create the printer and point at the print queue
  3. Create the print server and point at the printer
  4. Activate the print server by using "LOAD PSERVER"
Print Forms
These are custom page layouts that can be created with PRINTDEF and specified using PRINTCON or NWADMIN??

Printing Management
There are 5 key printing management applications. These are:
  • PCONSOLE
    Used to manage printing. Stored in SYS:PUBLIC. A DOS menu based utility encompassing most of the queue and print server creation and management functions as follows:
    • Deleting jobs from a queue
    • Submitting a new job (Not available in NWAdmin)
    • Placing holds on jobs
    • Stopping and starting printers
    • Aborting print jobs
    • You can check for printers, Print Queues and Servers.
      NOTE: you have to be in the correct context first. Quick setup is used to quickly set up a new printer & print queue. This is only available in PCONSOLE.
  • NWADMIN
    Various admin tasks such as stop/start printers, holding jobs, unloading servers and deleting jobs can be done from NWAdmin. This is all done from the NDS object.
    NOTE: print jobs cannot be added from NWAdmin only PCONSOLE.
  • PRINTCON
    Printcon is used to configure print jobs. It lives in SYS:PUBLIC. It was used before graphical print utilities such as NWUSER were available, and it basically creates print job configurations to use with the CAPTURE command, e.g.
    CAPTURE J=(Job Configuration)
  • PRINTDEF
    PrintDef is used to customize print devices and forms. In SYS:PUBLIC. You can import/export print devices and create/edit print forms.
  • NETUSER (DOS version of NWUSER)
    Netuser is used for printing. In SYS:PUBLIC. You can capture ports as in NWUSER but you cannot make these permanent as in NWUSER.