HP OpenVMS Systems

HP Advanced Server V7.3B for OpenVMS
Release Notes

The first section to follow describes restrictions that apply to Windows 2000, Windows 2003 and Windows XP, the next section describes restrictions related to support of Windows 2000 only, and the third section describes restrictions related to Windows XP only. Other related restrictions are documented in Section 13.5.15, ADMINISTER Commands Cannot Act on Event Log Files of Remote Windows 2000 or Windows NT SP6 Servers, and Section 13.5.16, ADMINISTER SET PASSWORD Command Fails If the PDC is Windows 2000 or Windows XP.

13.6.1 Restrictions Applying to Windows 2000, Windows 2003 and Windows XP

This section describes restrictions that apply to both Windows 2000 and Windows XP.

13.6.1.1 Problem When Ports 137, 138 and 139 are Blocked

Problem:

When Windows clients connect to Advanced Server, an error similar to the following will be seen:

"The mapped network drive could not be created because the following error has
occurred:
The specified network name is no longer available."

There is a delay of 45-60 seconds before the error occurs.

This error occurs if a firewall is enabled on Windows clients and the ports 137, 138 and 139 are blocked.

Solution:

If you are using server based licenses only, then the uncomment the following line in SYS$STARTUP:PWRK$LICENSE_R_STARTUP.COM file:

$!  Define_sys  PWRK$Lr_Disable_Client_Ping   1       ! Disable Client
license checking

After uncommenting this line, save the file and restart Advanced Server.

If you are using client based licenses, then do not block the ports 137, 138 and 139 on windows clients. If you are using the windows firewall, you can check the box againist "File and Printer sharing" in exceptions section under windows firewall to enable these ports.

13.6.1.2 Unable to Establish Trust With Windows 2003 Domain

Problem:

On a Windows 2003 PDC emulator, when you try to establish a trust between a domain where Advanced Server is configured as PDC and an Active Directory domain with a Windows Server 2003 PDC emulator, following error might be encountered:

"The Local Security Authority is unable to obtain an RPC connection to the
domain controller <DCname>. Please check that the name can be resolved and
that the server is available."

The same error is reported by the Windows Server 2003 system when establishing a trust to a domain with an NT V4 PDC.

Solution:

Execute the following command at the DOS prompt on Windows server and then add the trust:

net use \\AdvSrv\ipc$ /user:"" ""

"AdvSrv" can be the computer name, fully qualified hostname, or IP address of the Advanced Server.

13.6.1.3 Unable to Establish Trust Using ADMINISTER ADD TRUST/TRUSTED <w2k3domainname> Command

Problem:

Using ADMINISTER command ADMINISTER ADD TRUST/TRUSTED <w2k3domainname> , when you try to establish trust between Advanced Server domain and a Windows 2003 domain, you will encounter the following error:

"%PWRK-E-ERRADDTRUST, error adding trust between domains "<W2K3DOMAIN
NAME>" and "<ASDOMAINNAME>"
-LM-E-ERROR_ACCESS_DE, insufficient privileges for attempted operation"

Solution:

First establish incoming trust on Windows 2003 PDC emulator and remember the password you supply while establishing the incoming trust. After this, on Advanced Server execute the command ADMINISTER ADD TRUST/TRUSTED <w2k3domainname> . When it prompts for password, supply the password you had provided while establishing incoming trust on Windows 2003 PDC emulator.

Another workaround is, on Windows 2003 PDC emulator, execute the following command at the DOS prompt and then restart the server:

net localgroup "pre-windows 2000 compatible access" "anonymous logon" /add

Problem:

A Windows 2000 or Windows XP client cannot rejoin the domain of the Advanced Server for OpenVMS unless you first delete the computer account for that client. You will see an "access denied" message.

Solution:

Either delete the computer account prior to having the client rejoin the domain, or manually create the computer account on the server.

13.6.2 Restrictions Applying to Windows 2000 Only

Problem:

The Windows 2000 Server does not allow trusts to be added from a non-Windows 2000 computer. Therefore, you cannot add a trust to a Windows 2000 domain by means of remote administration of that domain (such as after using the ADMINISTER SET ADMINISTRATION command to specify the Windows 2000 domain, or after logging on to the Windows 2000 domain, or using the /DOMAIN qualifier in the ADD TRUST command).

Solution:

To add a trust to a Windows 2000 domain, do the operations required on the Windows 2000 domain directly from a Windows 2000 Server in that domain. For the operations required on the Advanced Server domain to establish the trust, you can still use the ADD TRUST command, directly or remotely.

For example, assume users of your Advanced Server domain LANDOFOZ want to access resources in Windows 2000 domain TOPEKA. To set up a trust relationship so that TOPEKA trusts LANDOFOZ domain users:

1. Log on to domain LANDOFOZ and enter the following command to add TOPEKA to the list of domains permitted to trust LANDOFOZ:

   LANDOFOZ\\TINMAN> ADD TRUST TOPEKA/PERMITTED

2. Then, use the Windows 2000 facilities to make LANDOFOZ a trusted domain for TOPEKA.

Problem:

When a Windows 2000 Server has the registry value for RestrictAnonymous set to 2, it will not validate authentication requests from domain controllers in another domain trusted by the Windows 2000 server's domain. In other words, when a user with an account in the Windows 2000 domain attempts to log in, using external authentication, to the OpenVMS system in a domain trusted by the Windows 2000 Server, the Advanced Server for OpenVMS or PATHWORKS for OpenVMS (Advanced Server) server running on that OpenVMS system requests the Windows 2000 Server to authenticate that user, but the Windows 2000 Server will fail to do so. Additional limitations will result, such as the SET PASSWORD command at the OpenVMS DCL prompt failing to work for an externally authenticated user when that command is sent to the Windows 2000 Server. However, the Advanced Server ADMINISTER SET PASSWORD command will work.

The RestrictAnonymous value in the registry appears as follows:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
Value Name: RestrictAnonymous
Data Type: REG_DWORD
Value: 2

Solution:

If acceptable for your security environment, enable anonymous access at the Windows 2000 Server (registry value of RestrictAnonymous set to 0). You can avoid the restriction described in this note by setting the registry value of RestrictAnonymous to 1. Note that for the new value (or any other new registry value) to take effect, the PDC needs to be rebooted.

For more information on the restriction when RestrictAnonymous is set to 2, see the Microsoft article at the following location:

http://support.microsoft.com/support/kb/articles/q246/2/61.asp

This section describes restrictions related specifically to support of Windows XP.

13.6.3.1 Enabling a Windows XP Client to Join and Log On to a Domain

Problem:

In some situations a Windows XP client is unable to join the server's domain, or a Windows XP user cannot log on to the domain.

Solution:

To enable a Windows XP client to join the server's domain, or a Windows XP user to log on to the domain:

1. Disable the client's certificate autoenrollment policy
2. Set the client's REQUIRESIGNORSEAL registry value to 0
3. Reboot the client

Problem:

After a Windows XP client is removed from the domain of the Advanced Server for OpenVMS, the ADMINISTER SHOW COMPUTERS command still lists the client as available to the network. For example, if you issue the SHOW COMPUTERS command after removing the Windows XP client TOTOXP, the computer type display symbol still indicates the computer is available to the network; that is, the [WS] symbol is shown in uppercase as in the following example:

Computer        Type                              Description
--------------  ---------------------------       ----------------------
[WS] TOTOXP     Windows NT 5.1 Workstation
[PD] TINTIN     OpenVMS (NT 4.0) Primary          Advanced Server for
                                                  OpenVMS
  Total of 2 computers

The [WS] symbol displayed should be lowercase, indicating the computer is not available to the network.

13.7 Printing/Print Management Restrictions

Problem:

OpenVMS queue names support any uppercase and lowercase letters, digits, the underscore (_), and dollar sign ($)). When you create a print share on the Advanced Server, specifying Unicode characters other than the above-listed supported characters (specified in the format ^Uxxxx, where xxxx is the 16-bit code for the character), or specifying other characters that OpenVMS does not support for queue names, the Advanced Server creates an OpenVMS queue using the standard ODS-2 format for these characters: __XX, where XX is the 8-bit code in the server character set.

Solution:

OpenVMS restricts the length of queue names to 31 characters. Because the Advanced Server must use the standard ODS-2 four-character substitution in the queue name for each unsupported character in the print share name, restrict the length of Advanced Server print share names accordingly. For example, seven characters is the maximum length for a print share name consisting entirely of unsupported characters.

13.7.2 Cannot Rename Print Share or Print Queue

Problem:

You cannot rename a print share or print queue that is located on the Advanced Server. If you use Windows NT to try to rename a shared printer that is defined on the Advanced Server, the printer name will revert to the original name. No error messages are displayed. Likewise, the Advanced Server ADMINISTER command-line interface as well as OpenVMS do not allow renaming of print shares or print queues.

Solution:

To rename a shared printer or a print queue, you need to delete it and create it again with the new name.

13.7.3 Cannot Move Print Job Position In Queue from Client

Problem:

If the user of a client computer attempts to use the Print Manager to move a print job to a different position in the print queue, the operation fails.

Solution:

Use the ADMINISTER command SET PRINT JOB to move the print job within the print queue.

13.7.4 ADMINISTER REMOVE PRINT QUEUE Fails to Delete a Routing Print Queue

If you attempt to delete an Advanced Server print queue using the ADMINISTER command REMOVE PRINT QUEUE, the command fails with the following error message:

%PWRK-E-QUEGENERR, error removing print queue "queue-name"
at server "\server-name"

%PWRK-I-QUENOTPW, This queue may not have been created by Advanced
Server

The second message is misleading --- the print queue may have been created using the Advanced Server. The routing queue is not deleted if it has been defined to print to a print queue that is set up to print to a virtual port (such as an LTA device).

Solution:

Use the OpenVMS DCL command DELETE/QUEUE to delete the print queue.

13.7.5 Client Cannot Purge Print Queues

Problem:

Client platforms, such as Windows NT and Windows 95, include a function to purge the print queue of print jobs in their print manager. This function fails to purge the print jobs in the queue on an Advanced Server file server. If a client user logged on with sufficient privileges to purge the print queue (full or manage documents privilege) attempts to purge the print queue, an error message is returned indicating insufficient privileges to perform the operation.

Solution:

The client user can remove the jobs from the queue by selecting with the mouse all of the jobs in the queue and then using the delete key.

13.7.6 Cannot See Print Job Name from Client

Problem:

Client computers do not display print job names.

Print jobs submitted from client computers are not displayed from the Print Manager with the print job name.

Solution:

This is a restriction of the Advanced Server. By enabling and using Windows NT-style printer management, this restriction is removed.

13.7.7 Windows NT Print Manager Fails to Display Advanced Server Printers

Problem:

When you attempt to display the printers on the Advanced Server from the Windows NT server administration Print Manager, using the Server Viewer, you will not see the printers offered by the Advanced Server.

Solution:

Display the list of printers using the Advanced Server ADMINISTER command SHOW PRINTERS, or enable Windows NT-style printer management.

13.7.8 Windows NT Printer Management Restrictions

The following restrictions apply to the Windows NT management of Advanced Server shared printers:

• With Windows NT printer management enabled, HP recommends managing printers defined on the Advanced Server only from Windows NT. In specific, do not use the following ADMINISTER commands:
  • ADD SHARE/PRINT
  • REMOVE PRINT QUEUE
  • SET PRINT QUEUE
  
  You can still use the following ADMINISTER commands, and all other ADMINISTER commands not related directly to printer management:

  ADD PRINT QUEUE
  CONTINUE PRINT QUEUE
  PAUSE PRINT QUEUE
  SHOW PRINT QUEUES

• Depending on the processor upon which your Advanced Server runs, the number of printers managed might affect performance of Windows NT printer management actions. HP recommends enabling Windows NT printer management only on servers with fewer than 100 printers. HP has found that with 100 or more printers, actions that require enumerating the printers could take a long time. (Note that for some actions, printer enumeration is not obvious.) Windows NT fails to indicate (with a symbol such as an hourglass) the server is working or busy, causing the printer management window to appear hung.
• If you choose to ignore HP's recommended limit for the number of printers for Windows NT printer management, and your server has approximately 1000 or more printers defined, see Section 3.25, Windows NT Printer Management of Large Numbers of Printers.
• Once you enable Windows NT printing, HP recommends that you do not attempt to disable it (returning to the server's local management style for printers --- the ADMINISTER command interface). If you do, the printers will be unusable. You will have to delete all printers and re-add them to make them functional again.
• The length of the name of a Windows NT manageable printer must not exceed 12 characters.
• Advanced Server shared printers cannot be renamed from Windows NT. For more information, see Section 13.7.2, Cannot Rename Print Share or Print Queue.
• To view changes to print jobs, you must select the Refresh item from the View menu for the print queue.
• From a Windows 2000 client, the "Always available" property is not usable for print jobs. Even if you disable this property (under the Advanced tab in the printer properties window), the print job properties will still show the job as always available.
• You cannot adjust the priority setting of Advanced Server printers. This property is normally accessed from the printer's Properties window, under the the Scheduling tab (Windows NT) or under the Advanced tab (Windows 2000 and Windows XP).
• You cannot set the Take Ownership security property (see Section 13.7.9, Ownership/Access Restrictions to Print Share with Group Everyone Set for No Access).
• Upgraded printers (that is, printers or print shares that were already defined on an Advanced Server when Windows NT print management was enabled) cannot be managed with all the management functionality available for printers that were added to the server by Windows NT print services. Note, for example, that you cannot use Windows NT to add an upgraded server shared printer to another workstation.
  To gain full Windows NT printer management functionality for these printers, delete their associated queues and shares, and add the printers using Windows NT print services.
• If you set up printer pooling, the name of the printer cannot be the same as the name of any of the OpenVMS print queues (ports) you select as part of the pool.
• From a Windows XP client, you cannot add users to audit. On attempting to do so, you will get the following error message:
  

  Multiple connections to a server by the same user using more than one username is not allowed.

• The printer comment string (in the printer Properties window) is limited to 48 characters.
• Restrictions for ownership/access to a print share with group Everyone set for No Access are documented in Section 13.7.9, Ownership/Access Restrictions to Print Share with Group Everyone Set for No Access.

Problem:

If you add an Advanced Server shared printer to your local Windows NT workstation, and then use Windows NT to give the printer's built-in group Everyone the No Access permission, you should be able (as the Administrator or owner) to access the printer to change the permissions. However, when you click on the Permissions button in the printer properties window, access is denied. You get the following error message:

 Operation could not be completed. Access is denied.

This also happens when managing network printers in a pure Windows NT environment.

In addition, you cannot take ownership of the Advanced Server shared printer. If you click on the Ownership button, you receive a message that you do not have permission to view the current owner but you can overwrite the owner. When you choose to overwrite the owner, you receive the following message:

 Windows NT error 0xc002002e occurred.

Because Advanced Server ADMINISTER commands are disabled when Windows NT printer management is enabled, you cannot change the permissions of an Advanced Server shared printer.

For a related restriction, see Section 13.11.2.

Solution:

Delete the shared printer from your local Windows NT workstation. Now, when you access the Permissions button, you get the following message:

 You do not have access to this printer; only the security tab
 will be displayed.

You can then change the access permissions of the printer from a Windows NT Server that serves the printer's domain, and then add the printer again to your local workstation.

So, to prevent this problem from occurring with network printers that you plan to manage from your local Windows NT workstation, make sure these printers are not added to that workstation.

13.8 Event Logging Restrictions

This section describes restrictions in the event logging and auditing functions of the Advanced Server.

13.8.1 Event Log Files Fail to Overwrite When Full

Problem:

The server does not support overwriting event messages when the event log files become full. However, the server generates an Alert message indicating the log file is full.

Solution:

You must manually clear the event log files using the ADMINISTER CLEAR EVENTS command.

13.8.2 Unable to Set the Event Logging Setting

Problem:

When you use Windows NT Administration tools to alter the event logging setting, and you choose the option "Do Not Overwrite Events (Clear Log Manually)," the server incorrectly reflects the setting as "overwrite events older than 365 days."

13.9 Browser Restrictions

This section describes restrictions related to the Browser service.

13.9.1 Browser State Is Not Distributed on an OpenVMS Cluster

Problem:

Performing an ADMINISTER STOP SERVICE BROWSER command on one node in an OpenVMS cluster should stop browsers on all nodes of a cluster. However, it only stops the browser service on the node where the command was issued.

Solution:

To stop the browser service on a cluster, issue the STOP SERVICE BROWSER command on each node of the cluster.

13.9.2 Browser Service Stays in START PENDING State

Problem:

If the server that acts as a master browser in your network segment is hidden, the browser service on other Advanced Server for OpenVMS systems (which would act as backup browsers) stays in START PENDING state. A Windows server can be hidden with the registry key "Hidden". Advanced Server for OpenVMS uses the registry key "SRVHIDDEN".

Solution:

Disable the registry key "SRVHIDDEN" or "Hidden" on the master browser. To do this, use: NET CONFIG SERVER /HIDDEN:NO on a Windows system and $ REGUTL SET PARAM *SRVHIDDEN NO on an Advanced Server for OpenVMS system.