|
HP OpenVMS Systems |
|
HP Advanced Server V7.3B for OpenVMS
|
| Previous | Contents | Index |
This section describes restrictions in managing domains and servers in
domains.
13.10.1 A BDC Cannot Be Removed from the Domain If It Has Been Promoted To Be a PDC in Another Domain
Problem:
If you reconfigure a backup domain controller (BDC) from one domain to become a primary domain controller (PDC) of another domain, you cannot remove the computer name from the original domain.
Solution:
Delete the computer name in the original domain database during
scheduled downtime of the new PDC.
13.10.2 Additions or Deletions of Trusts on One Cluster Node Are Unknown to the Other Cluster Nodes Until NetLogon Restart
Problem:
If a trust relationship is added or deleted on a cluster node, it will not be known to the other cluster nodes until after they restart NetLogon.
Solution:
After adding or removing a trust relationship to a cluster node, restart the NetLogon service clusterwide by issuing the following commands on any one cluster member running the Advanced Server software:
$ ADMINISTER STOP SERVICE NETLOGON $ ADMINISTER START SERVICE NETLOGON |
Problem:
If you have a Windows NT 4.0 domain controller with Service Pack 4 or later in the domain, you will see the following messages during certain actions, such as synchronization of domain controllers or during promotion of an Advanced Server domain controller to a primary domain controller. These messages are seen on the Advanced Server when it attempts to start the NetLogon service on the Windows NT 4.0 system.
-LM-E-UIC_SYSTEM, a system error has occurred -LM-E-ERROR_ACCESS_DE, insufficient privileges for attempted operation |
When the Windows NT system attempts to start the NetLogon service, the following two event messages might be seen there:
Error 005: Access is denied. Failed to authenticate with \\server-name, a Windows NT domain controller for domain domain-name |
The first message is recorded at the Windows NT system as event ID 7023. The second message includes the server and domain names, and is recorded as event ID 3210.
Solution:
Use the Windows NT 4.0 domain controler to initiate the activity (such
as synchronization or promotion).
13.10.4 Member Server Role Restrictions
The following restrictions apply to configuring and managing the
Advanced Server in the member server role.
13.10.4.1 Restriction Connecting to Member Server Share from External Domain
Problem:
You cannot connect to a member server share from any computer outside the domain, using the same user name and password for both domains.
Solution:
From Windows NT, use the "Connect as..." feature, supplying the user
name and domain name.
13.10.4.2 User with "Add Workstations to Domain" Rights Cannot Add Member Server to Domain
Problem:
Any user with administrator privileges can add a BDC, member server, or workstation to a domain. Normally, a user with "Add workstations to domain" rights can add a member server or workstation to a domain (but not a BDC); however, in this release, a user with "Add workstations to domain" rights cannot add an Advanced Server member server to a domain. A message such as the following is displayed when such a user attempts to add an Advanced Server member server to a domain. The PWRK$CONFIG.COM configuration procedure aborts, leaving the user at the OpenVMS DCL prompt.
%PWRK-F-MAKEMACH, error creating computer account PWRK-I-RESTORE, restoring original settings $ |
Solution:
Make sure the user has administrator privileges and enters the
appropriate user name and password when prompted by the configuration
procedure. Alternatively, the Administrator can add the account on the
primary domain controller.
13.10.4.3 Problems Using Certain Characters for a Member Server Computer Name or Cluster Alias Name
Problem:
When you configure a member server, problems might result if you specify any special ASCII characters in the computer name on a non-clustered server, or in the Advanced Server cluster alias name on a clustered server. The special ASCII characters are those characters other than the following:
A to Z, a to z, 1 to 9, $ (dollar sign), _ (underscore), - (dash)
The - (dash) is considered a special character if it is the first or last character of the name. Note that extended character set characters are not supported in computer names, alias names, domain names, and trusted domain names. Note also that the following characters should never be used in a computer name, domain name, or cluster alias name, and they will not be allowed by the configuration procedure.
" / \ [ ] : | < > + = ; , ? *
After you configure the server using such names, if you attempt to change these names, the PWRK$CONFIG configuration procedure will fail. The following error will be displayed during the PWRK$CONFIG procedure, where pdc-name is the name of the domain's PDC:
Confirming domain name with <pdc-name> Successfully retrieved domain name from <pdc-name> ... %PWRK-F-MAKEMACH, error creating machine account |
For related restrictions, see Section 13.3.3, The ^ Character Does Not Get Encoded in Parameter Values, and Section 13.4.14, Server Language Restrictions.
Solution:
You should avoid using these characters if possible. If you have used
these characters and later need to change the name, contact
HP customer support for detailed instructions to correct
the situation.
13.10.4.4 You Must Restore Explicit Host Maps When Changing the Role of a Server to or from a Member Server
Problem:
When you change the role of your server from a BDC to a member server, or vice versa, any explicit host mappings are lost.
Solution:
To prevent the host mappings from being lost, follow these steps prior to making the role change:
Problem:
To modify user and group permissions on member server objects, you must be logged into or administering the member server's local domain. You cannot modify member server objects while logged into the global domain (administering the domainwide security accounts database).
While logged into the member server's local domain, you cannot assign to a domainwide local group (that is, a local group such as System Operators that is part of the domainwide security accounts database) permissions for access to a member server object.
In addition, as already documented in the Server Administrator's Guide, to administer global groups and trusts, you must be logged into the global domain.
Solution:
Log in to the appropriate domain to administer the member server
objects.
13.10.5 OpenVMS ACME Server Crashes with Access Violation When Advanced Server Is Shut Down
Problem:
The OpenVMS Authentication and Credentials Management Extensions (ACME) subsystem provides authentication and persona-based credential services, and consists of several components, including the ACME server, MSV1_0 ACME agent, and the VMS ACME agent. The Advanced Server for OpenVMS software includes the MSV1_0 ACME agent, which is designed to provide external authentication. The VMS ACME agent is used for acquiring OpenVMS credentials. The MSV1_0 ACME and VMS ACME agents are used by applications and layered products, such as COM for OpenVMS, that use the ACME subsystem to acquire OpenVMS credentials and credentials of network users authenticated by the Advanced Server. On OpenVMS V7.3-1 and earlier systems, these agents are not currently used for external authentication as provided by the Advanced Server for OpenVMS through the traditional OpenVMS LOGINOUT program. (Again, these agents are currently used by COM for OpenVMS.)
If your OpenVMS system is running the ACME server with the MSV1_0 ACME agent loaded, and you shut down the Advanced Server (@SYS$STARTUP:PWRK$SHUTDOWN) without first shutting down the ACME server or shutting down the MSV1_0 ACME agent, then the ACME server might create a process dump (SYS$MANAGER:ACME_SERVER.DMP) when you attempt to shut down the ACME server.
For example, if you shut down Advanced server, but do not shut down the ACME server or shut down the MSV1_0 ACME agent first, you will see information such as the following when you issue the DCL SET SERVER ACME command:
$ SHOW SERVER ACME ACME Information on node QTV26 26-AUG-2002 16:30:21.16 Uptime 2 = 19:04:37 ACME Server id: 1 State: Processing New Requests Agents Loaded: 2 Active: 2 Thread Maximum: 4 Count: 4 Request Maximum: 8 Count: 0 ACME Agent id: 1 State: Active Name: "VMS" Image: "DISK1$:[VMS$COMMON.SYSLIB]VMS$VMS_ACMESHR.EXE;1" Identification: "VMS ACME built 18-JUL-2002" Information: "No requests completed since the last startup" Domain of Interpretation: Yes Execution Order: 1 ACME Agent id: 2 State: Active Name: "MSV1_0" Image: "DISK1$:[SYS0.SYSLIB]PWRK$MSV1_0_ACMESHR.EXE;1" Identification: "MSV1_0 ACME X-04" Information: "MSV1_0 inited, Advanced Server not responding, retry count=13." Domain of Interpretation: Yes Execution Order: 2 |
Solution:
You can either ignore this problem, or you can shut down the ACME server or stop the MSV1_0 ACME agent before you shut down the Advanced Server.
To shut down the ACME server before you shut down the Advanced Server, issue the following command:
$ SET SERVER ACME/EXIT |
To stop the ACME agent but leave the OpenVMS ACME agent enabled, issue the following commands:
$ SET SERVER ACME/DISABLE $ SET SERVER ACME/ENABLE=(NAME=VMS) |
To restart the ACME agent when you restart Advanced Server on a node, issue the following command:
$ @SYS$STARTUP:NTA$STARTUP_NT_ACME |
Or, you can issue these two commands:
$ SET SERVER ACME/DISABLE $ SET SERVER ACME/ENABLE=(NAME=VMS,MSV1_0) |
Problem:
Passwords exceeding 14 characters in length can be set on the Advanced Server from a Windows XP, Windows 2000, or modern Windows NT system, but they are not usable thereafter on Advanced Server V7.3A for OpenVMS (or later) servers, either with ADMINISTER commands or external authentication. In other words, although the passwords are stored on the server, they will not be usable and access will be denied.
Solution:
When setting passwords from a remote Windows system, limit their length
to 14 characters.
13.10.7 Locked Out Account Does Not Get Replicated by Advanced Server or Windows 2000 Server PDCs
Problem:
In a domain in which the Advanced Server for OpenVMS or a Windows 2000
Server is the PDC, if a user account gets locked out, the status of the
locked out account is not replicated to the BDCs. This applies to both
Advanced Server and Windows NT BDCs. The locked out user can still
access the BDCs.
13.11 Remote Management Restrictions
This section describes restrictions relating to remote management of
the Advanced Server for OpenVMS product.
13.11.1 Error When Displaying Advanced Server Domains from a Windows NT Server Manager
Problem:
When using the Windows NT Server Manager to display directory replication information about an Advanced Server, the following error message might be displayed:
The data is invalid |
Solution:
This error message indicates that an Advanced Server does not support
replication.
13.11.2 Windows NT Explorer Error on Attempt to Take Ownership of Shared File or Directory
Problem:
Once all permissions are removed from a shared directory, an administrator, using Windows NT Explorer, is not able to take ownership of the directory or of files in the directory. The following message is displayed:
Windows NT error 0xc002002e occurred. |
The problem occurs because the Windows NT client sends a request to the Advanced Server that is not supported. The Advanced Server returns an error code to the client. The Windows NT error reported above occurs because Windows NT misinterprets the server error code response.
For a related problem fixed with Advanced Server V7.3 for OpenVMS, see Section 4.3.9. For a related restriction, see Section 13.7.9.
Solution:
Use the Advanced Server ADMINISTER TAKE FILE OWNERSHIP command.
13.12 Transport Restrictions
This section describes restrictions involving transports supported by
the server.
13.12.1 DEFZA FDDI Controller Is Not Supported with Advanced Server for OpenVMS
Problem:
The DEFZA FDDI controller is not supported with Advanced Server for OpenVMS.
Solution:
Use the newer DEFTA controller, which is supported and provides better
performance.
13.12.2 NETBIOS Fails to Start, Dumps Invalid Media Address
Problem:
If an Advanced Server on a DECnet-Plus system does not have a Phase IV address set up for the circuit to be used by the NETBIOS process, the NETBIOS process fails to start. The NETBIOS log file will include the following error:
%NB-F-SIGFAIL, Startup - error initializing ethernet controller -SYSTEM-F-IVADDR, invalid media address |
Solution:
When the Advanced Server is running on a system that is running DECnet-Plus, a DECnet Phase IV address must be set, and it must be enabled on the routing circuit of the device that the NETBIOS process will use. For example, if the Advanced Server is running on a system with DECnet-Plus and is going to use the FDDI device FWA0:2, then in the NCL script SYS$STARTUP:NET$ROUTING_STARTUP.NCL, include the following:
SET NODE 0 ROUTING PHASEIV ADDRESS = 13.1012 SET NODE 0 ROUTING PHASEIV PREFIX = 49:: SET NODE 0 ROUTING CIRCUIT FDDI-0 ENABLE PHASEIV ADDRESS = TRUE SET NODE 0 ROUTING CIRCUIT CSMACD-0 ENABLE PHASEIV ADDRESS = FALSE |
2 By default, the server uses the Ethernet device. To designate that the server uses a non-Ethernet device, define a system logical name NETBIOS$DEVICE to point to the device (in this case, to FWA0:). |
13.13 OpenVMS Cluster Restrictions
This section describes restrictions involving servers in an OpenVMS
Cluster.
13.13.1 Two or More Advanced Servers in an OpenVMS Cluster Must All Be in the Same Subnet
Two or more Advanced Servers in an OpenVMS Cluster must all be in the
same TCP/IP subnet. You cannot have multiple Advanced Servers in the
same cluster participating in different TCP/IP subnets.
13.13.2 Server Parameter Hidden Causes Browser to Fail to Announce Itself
Problem:
OpenVMS Cluster configurations that were upgraded from PATHWORKS V5 for OpenVMS (LAN Manager) may exhibit the following behavior. With PATHWORKS V5 for OpenVMS (LAN Manager), it is possible to set server configuration parameters in a way that presents the PATHWORKS cluster alias to the clients, but not the names of the individual nodes in the cluster. The configuration settings can be included in the LANMAN.INI file as follows:
With the Advanced Server for OpenVMS, these parameters are stored in the OpenVMS Registry as follows:
The settings for these Advanced Server for OpenVMS parameters in the OpenVMS Registry behave differently. The Browser service included with the Advanced Server for OpenVMS interprets the Hidden value setting and fails to announce the availability of the browser on the network.
Solution:
HP recommends making sure that the Hidden value is not
set to "yes" when you start the Advanced Server for OpenVMS.
13.13.3 Using the Windows NT Server Manager to Promote a Clustered BDC
Problem:
When using the Windows NT Server Manager to promote a backup domain controller (BDC), if you select a cluster member name instead of the cluster alias, the operation will fail with the following error message:
Error 2249 occurred, this replicant database is outdated, synchronization is required. |
The cluster's system event log will include several messages similar to the following message:
NET3210, Failed to authenticate with "CLUSTER ALIAS NAME". |
Solution:
Use the cluster alias rather than the cluster member name when
promoting a BDC.
13.13.4 After Upgrading the Advanced Server, PWRK$CONFIG Must Be Run Before Changing the Cluster State
Problem:
If you are upgrading the Advanced Server from a previous Advanced Server for OpenVMS or PATHWORKS V6 for OpenVMS (Advanced Server) product, and at the same time, you change the cluster state of your server system (from a standalone to a cluster system, or vice versa), PWRK$CONFIG will fail.
Solution:
You can change the cluster state and reconfigure the previous version
of the server (before upgrading), or upgrade to V7.3 or higher, and
afterward, change the cluster state.
13.13.5 Attempts to Add Multiple User Accounts Might Fail
Problem:
This problem has been seen when the Advanced Server is in an OpenVMS Cluster with members running OpenVMS Version 7.3 systems. Attempts to add multiple user accounts to the domain might fail, such as when an automated process is invoked to add hundreds of users. Error messages such as the following might be seen:
%PWRK-E-ERRADDUSER, error adding user "user-name" |
Solution:
For any OpenVMS Version 7.3 platform in the cluster, do either of the following:
DEC AXPVMS VMS73_XFC Version 2.0
DEC AXPVMS VMS73_SYS Version 3.0
DEC AXPVMS VMS73_UPDATE Version 1.0
This section describes restrictions involving interaction with DEC Rdb
(Oracle).
13.14.1 Advanced Server Fails to Start Correctly on Systems Running DEC Rdb (Oracle)
Problem:
Advanced Server for OpenVMS fails to start correctly on systems that are also configured to run Oracle Rdb (Relational Database) software, because of the way that Rdb uses the systemwide login command procedure SYLOGIN.COM and the way that the Advanced Server creates processes.
Solution:
To correct this problem:
$ @DECRDB$SETVER.COM |
$ SET NOON $ @DECRDB$SETVER.COM $ SET ON |
This section describes restrictions that do not fall under the
categories described in other sections of this chapter.
13.15.1 PWVER ALL Output
Problem:
Starting with Advanced Server Version 7.3A-ECO4, PWVER ALL output would not be able to retrieve image identification and link time for the following I64 external authentication images:
PWRK$ACME_MODULE_IA64.EXE PWRK$MSV1_0_ACMESHR_IA64.EXE |
These images are introduced newly in the Advanced Server kit for Advanced Server Version 7.3A-ECO4.
JINXED\AMJAD>PWVER ALL . . . Status 7FFAC06C getting information about SYS$COMMON:[SYSLIB]PWRK$ACME_MODULE_IA64.EXE;1 Status 7FFAC06C getting information about SYS$COMMON:[SYSLIB]PWRK$MSV1_0_ACMESHR_IA64.EXE;1 . . |
This is due to the new header format, ELF (Extended Linking Format), for I64 images, which is different from existing Alpha/VAX header format.
Solution:
An Analyze/image on an I64 system for these images would indicate the image identification and the link time.
| Previous | Next | Contents | Index |