HP OpenVMS Systems

Content starts here

HP Advanced Server V7.3B for OpenVMS
Release Notes

Previous Contents Index

13.10 Domain Management Restrictions

This section describes restrictions in managing domains and servers in domains.

13.10.1 A BDC Cannot Be Removed from the Domain If It Has Been Promoted To Be a PDC in Another Domain


If you reconfigure a backup domain controller (BDC) from one domain to become a primary domain controller (PDC) of another domain, you cannot remove the computer name from the original domain.


Delete the computer name in the original domain database during scheduled downtime of the new PDC.

13.10.2 Additions or Deletions of Trusts on One Cluster Node Are Unknown to the Other Cluster Nodes Until NetLogon Restart


If a trust relationship is added or deleted on a cluster node, it will not be known to the other cluster nodes until after they restart NetLogon.


After adding or removing a trust relationship to a cluster node, restart the NetLogon service clusterwide by issuing the following commands on any one cluster member running the Advanced Server software:


13.10.3 Attempts to Promote BDC Might Fail


If you have a Windows NT 4.0 domain controller with Service Pack 4 or later in the domain, you will see the following messages during certain actions, such as synchronization of domain controllers or during promotion of an Advanced Server domain controller to a primary domain controller. These messages are seen on the Advanced Server when it attempts to start the NetLogon service on the Windows NT 4.0 system.

-LM-E-UIC_SYSTEM, a system error has occurred
-LM-E-ERROR_ACCESS_DE, insufficient privileges for attempted

When the Windows NT system attempts to start the NetLogon service, the following two event messages might be seen there:

Error 005: Access is denied.

Failed to authenticate with \\server-name, a Windows NT
domain controller for domain domain-name

The first message is recorded at the Windows NT system as event ID 7023. The second message includes the server and domain names, and is recorded as event ID 3210.


Use the Windows NT 4.0 domain controler to initiate the activity (such as synchronization or promotion).

13.10.4 Member Server Role Restrictions

The following restrictions apply to configuring and managing the Advanced Server in the member server role. Restriction Connecting to Member Server Share from External Domain


You cannot connect to a member server share from any computer outside the domain, using the same user name and password for both domains.


From Windows NT, use the "Connect as..." feature, supplying the user name and domain name. User with "Add Workstations to Domain" Rights Cannot Add Member Server to Domain


Any user with administrator privileges can add a BDC, member server, or workstation to a domain. Normally, a user with "Add workstations to domain" rights can add a member server or workstation to a domain (but not a BDC); however, in this release, a user with "Add workstations to domain" rights cannot add an Advanced Server member server to a domain. A message such as the following is displayed when such a user attempts to add an Advanced Server member server to a domain. The PWRK$CONFIG.COM configuration procedure aborts, leaving the user at the OpenVMS DCL prompt.

%PWRK-F-MAKEMACH, error creating computer account

PWRK-I-RESTORE, restoring original settings



Make sure the user has administrator privileges and enters the appropriate user name and password when prompted by the configuration procedure. Alternatively, the Administrator can add the account on the primary domain controller. Problems Using Certain Characters for a Member Server Computer Name or Cluster Alias Name


When you configure a member server, problems might result if you specify any special ASCII characters in the computer name on a non-clustered server, or in the Advanced Server cluster alias name on a clustered server. The special ASCII characters are those characters other than the following:

A to Z, a to z, 1 to 9, $ (dollar sign), _ (underscore), - (dash)

The - (dash) is considered a special character if it is the first or last character of the name. Note that extended character set characters are not supported in computer names, alias names, domain names, and trusted domain names. Note also that the following characters should never be used in a computer name, domain name, or cluster alias name, and they will not be allowed by the configuration procedure.

" / \ [ ] : | < > + = ; , ? *

After you configure the server using such names, if you attempt to change these names, the PWRK$CONFIG configuration procedure will fail. The following error will be displayed during the PWRK$CONFIG procedure, where pdc-name is the name of the domain's PDC:

Confirming domain name with <pdc-name>
Successfully retrieved domain name from <pdc-name> ...

%PWRK-F-MAKEMACH, error creating machine account

For related restrictions, see Section 13.3.3, The ^ Character Does Not Get Encoded in Parameter Values, and Section 13.4.14, Server Language Restrictions.


You should avoid using these characters if possible. If you have used these characters and later need to change the name, contact HP customer support for detailed instructions to correct the situation. You Must Restore Explicit Host Maps When Changing the Role of a Server to or from a Member Server


When you change the role of your server from a BDC to a member server, or vice versa, any explicit host mappings are lost.


To prevent the host mappings from being lost, follow these steps prior to making the role change:

  1. Display the host mappings, using the ADMINISTER SHOW HOSTMAP command, and record the existing host mappings.
  2. Change the server role.
  3. Restore the explicit host mappings, using the ADMINISTER ADD HOSTMAP command. You Cannot Add or Modify User and Group Permissions on a Member Server Object Unless Logged Into or Administering the Local Database


To modify user and group permissions on member server objects, you must be logged into or administering the member server's local domain. You cannot modify member server objects while logged into the global domain (administering the domainwide security accounts database).

While logged into the member server's local domain, you cannot assign to a domainwide local group (that is, a local group such as System Operators that is part of the domainwide security accounts database) permissions for access to a member server object.

In addition, as already documented in the Server Administrator's Guide, to administer global groups and trusts, you must be logged into the global domain.


Log in to the appropriate domain to administer the member server objects.

13.10.5 OpenVMS ACME Server Crashes with Access Violation When Advanced Server Is Shut Down


The OpenVMS Authentication and Credentials Management Extensions (ACME) subsystem provides authentication and persona-based credential services, and consists of several components, including the ACME server, MSV1_0 ACME agent, and the VMS ACME agent. The Advanced Server for OpenVMS software includes the MSV1_0 ACME agent, which is designed to provide external authentication. The VMS ACME agent is used for acquiring OpenVMS credentials. The MSV1_0 ACME and VMS ACME agents are used by applications and layered products, such as COM for OpenVMS, that use the ACME subsystem to acquire OpenVMS credentials and credentials of network users authenticated by the Advanced Server. On OpenVMS V7.3-1 and earlier systems, these agents are not currently used for external authentication as provided by the Advanced Server for OpenVMS through the traditional OpenVMS LOGINOUT program. (Again, these agents are currently used by COM for OpenVMS.)

If your OpenVMS system is running the ACME server with the MSV1_0 ACME agent loaded, and you shut down the Advanced Server (@SYS$STARTUP:PWRK$SHUTDOWN) without first shutting down the ACME server or shutting down the MSV1_0 ACME agent, then the ACME server might create a process dump (SYS$MANAGER:ACME_SERVER.DMP) when you attempt to shut down the ACME server.

For example, if you shut down Advanced server, but do not shut down the ACME server or shut down the MSV1_0 ACME agent first, you will see information such as the following when you issue the DCL SET SERVER ACME command:

ACME Information on node QTV26  26-AUG-2002 16:30:21.16
Uptime 2 = 19:04:37

ACME Server id: 1  State: Processing New Requests
   Agents Loaded:        2   Active:      2
   Thread Maximum:       4   Count:       4
   Request Maximum:      8   Count:       0

ACME Agent id: 1  State: Active
   Name: "VMS"
   Identification: "VMS ACME built 18-JUL-2002"
   Information: "No requests completed since the last startup"
   Domain of Interpretation: Yes
   Execution Order:      1

ACME Agent id: 2  State: Active
   Name: "MSV1_0"
   Identification: "MSV1_0 ACME X-04"
   Information: "MSV1_0 inited, Advanced Server not responding,
retry count=13."
   Domain of Interpretation: Yes
   Execution Order:      2


You can either ignore this problem, or you can shut down the ACME server or stop the MSV1_0 ACME agent before you shut down the Advanced Server.

To shut down the ACME server before you shut down the Advanced Server, issue the following command:


To stop the ACME agent but leave the OpenVMS ACME agent enabled, issue the following commands:


To restart the ACME agent when you restart Advanced Server on a node, issue the following command:


Or, you can issue these two commands:


13.10.6 Password Lengths Are Limited to 14 Characters


Passwords exceeding 14 characters in length can be set on the Advanced Server from a Windows XP, Windows 2000, or modern Windows NT system, but they are not usable thereafter on Advanced Server V7.3A for OpenVMS (or later) servers, either with ADMINISTER commands or external authentication. In other words, although the passwords are stored on the server, they will not be usable and access will be denied.


When setting passwords from a remote Windows system, limit their length to 14 characters.

13.10.7 Locked Out Account Does Not Get Replicated by Advanced Server or Windows 2000 Server PDCs


In a domain in which the Advanced Server for OpenVMS or a Windows 2000 Server is the PDC, if a user account gets locked out, the status of the locked out account is not replicated to the BDCs. This applies to both Advanced Server and Windows NT BDCs. The locked out user can still access the BDCs.

13.11 Remote Management Restrictions

This section describes restrictions relating to remote management of the Advanced Server for OpenVMS product.

13.11.1 Error When Displaying Advanced Server Domains from a Windows NT Server Manager


When using the Windows NT Server Manager to display directory replication information about an Advanced Server, the following error message might be displayed:

 The data is invalid


This error message indicates that an Advanced Server does not support replication.

13.11.2 Windows NT Explorer Error on Attempt to Take Ownership of Shared File or Directory


Once all permissions are removed from a shared directory, an administrator, using Windows NT Explorer, is not able to take ownership of the directory or of files in the directory. The following message is displayed:

 Windows NT error 0xc002002e occurred.

The problem occurs because the Windows NT client sends a request to the Advanced Server that is not supported. The Advanced Server returns an error code to the client. The Windows NT error reported above occurs because Windows NT misinterprets the server error code response.

For a related problem fixed with Advanced Server V7.3 for OpenVMS, see Section 4.3.9. For a related restriction, see Section 13.7.9.


Use the Advanced Server ADMINISTER TAKE FILE OWNERSHIP command.

13.12 Transport Restrictions

This section describes restrictions involving transports supported by the server.

13.12.1 DEFZA FDDI Controller Is Not Supported with Advanced Server for OpenVMS


The DEFZA FDDI controller is not supported with Advanced Server for OpenVMS.


Use the newer DEFTA controller, which is supported and provides better performance.

13.12.2 NETBIOS Fails to Start, Dumps Invalid Media Address


If an Advanced Server on a DECnet-Plus system does not have a Phase IV address set up for the circuit to be used by the NETBIOS process, the NETBIOS process fails to start. The NETBIOS log file will include the following error:

 %NB-F-SIGFAIL, Startup - error initializing ethernet controller
 -SYSTEM-F-IVADDR, invalid media address


When the Advanced Server is running on a system that is running DECnet-Plus, a DECnet Phase IV address must be set, and it must be enabled on the routing circuit of the device that the NETBIOS process will use. For example, if the Advanced Server is running on a system with DECnet-Plus and is going to use the FDDI device FWA0:2, then in the NCL script SYS$STARTUP:NET$ROUTING_STARTUP.NCL, include the following:



2 By default, the server uses the Ethernet device. To designate that the server uses a non-Ethernet device, define a system logical name NETBIOS$DEVICE to point to the device (in this case, to FWA0:).

13.13 OpenVMS Cluster Restrictions

This section describes restrictions involving servers in an OpenVMS Cluster.

13.13.1 Two or More Advanced Servers in an OpenVMS Cluster Must All Be in the Same Subnet

Two or more Advanced Servers in an OpenVMS Cluster must all be in the same TCP/IP subnet. You cannot have multiple Advanced Servers in the same cluster participating in different TCP/IP subnets.

13.13.2 Server Parameter Hidden Causes Browser to Fail to Announce Itself


OpenVMS Cluster configurations that were upgraded from PATHWORKS V5 for OpenVMS (LAN Manager) may exhibit the following behavior. With PATHWORKS V5 for OpenVMS (LAN Manager), it is possible to set server configuration parameters in a way that presents the PATHWORKS cluster alias to the clients, but not the names of the individual nodes in the cluster. The configuration settings can be included in the LANMAN.INI file as follows:

  • In the [SERVER] section: srvhidden=yes
  • In the [VMSSERVER] section: pwrkaliashidden=no

With the Advanced Server for OpenVMS, these parameters are stored in the OpenVMS Registry as follows:

  • Value Hidden in registry key
  • Value AliasHidden in registry key

The settings for these Advanced Server for OpenVMS parameters in the OpenVMS Registry behave differently. The Browser service included with the Advanced Server for OpenVMS interprets the Hidden value setting and fails to announce the availability of the browser on the network.


HP recommends making sure that the Hidden value is not set to "yes" when you start the Advanced Server for OpenVMS.

13.13.3 Using the Windows NT Server Manager to Promote a Clustered BDC


When using the Windows NT Server Manager to promote a backup domain controller (BDC), if you select a cluster member name instead of the cluster alias, the operation will fail with the following error message:

 Error 2249 occurred, this replicant database is outdated,
 synchronization is required.

The cluster's system event log will include several messages similar to the following message:

 NET3210, Failed to authenticate with "CLUSTER ALIAS


Use the cluster alias rather than the cluster member name when promoting a BDC.

13.13.4 After Upgrading the Advanced Server, PWRK$CONFIG Must Be Run Before Changing the Cluster State


If you are upgrading the Advanced Server from a previous Advanced Server for OpenVMS or PATHWORKS V6 for OpenVMS (Advanced Server) product, and at the same time, you change the cluster state of your server system (from a standalone to a cluster system, or vice versa), PWRK$CONFIG will fail.


You can change the cluster state and reconfigure the previous version of the server (before upgrading), or upgrade to V7.3 or higher, and afterward, change the cluster state.

13.13.5 Attempts to Add Multiple User Accounts Might Fail


This problem has been seen when the Advanced Server is in an OpenVMS Cluster with members running OpenVMS Version 7.3 systems. Attempts to add multiple user accounts to the domain might fail, such as when an automated process is invoked to add hundreds of users. Error messages such as the following might be seen:

%PWRK-E-ERRADDUSER, error adding user "user-name"


For any OpenVMS Version 7.3 platform in the cluster, do either of the following:

  • Turn off the XFC (extended file cache), as recommended in the Readme file for OpenVMS Version 7.3 patch update VMS73_XFC Version 2.0.
  • Install at least the following mandatory updates:
    DEC AXPVMS VMS73_XFC Version 2.0
    DEC AXPVMS VMS73_SYS Version 3.0
    DEC AXPVMS VMS73_UPDATE Version 1.0

    For information on the patches to install, refer to the following web site location:

13.14 Advanced Server with DEC Rdb (Oracle) Restrictions

This section describes restrictions involving interaction with DEC Rdb (Oracle).

13.14.1 Advanced Server Fails to Start Correctly on Systems Running DEC Rdb (Oracle)


Advanced Server for OpenVMS fails to start correctly on systems that are also configured to run Oracle Rdb (Relational Database) software, because of the way that Rdb uses the systemwide login command procedure SYLOGIN.COM and the way that the Advanced Server creates processes.


To correct this problem:

  1. Remove the following line in the system login procedure SYLOGIN.COM:

  2. Replace it with the following lines:

    $ SET NOON
    $ SET ON

13.15 Miscellaneous Restrictions

This section describes restrictions that do not fall under the categories described in other sections of this chapter.

13.15.1 PWVER ALL Output


Starting with Advanced Server Version 7.3A-ECO4, PWVER ALL output would not be able to retrieve image identification and link time for the following I64 external authentication images:


These images are introduced newly in the Advanced Server kit for Advanced Server Version 7.3A-ECO4.

Status 7FFAC06C getting information about
Status 7FFAC06C getting information about

This is due to the new header format, ELF (Extended Linking Format), for I64 images, which is different from existing Alpha/VAX header format.


An Analyze/image on an I64 system for these images would indicate the image identification and the link time.

Previous Next Contents Index