Third-Party Data Recovery Utilities

     

Because NDS/eDirectory and DS software development tools have been available for many years, a number of third-party DS-specific utilities are available to help you manage your NDS/eDirectory trees more easily and effectively, as well as to recover lost DS data. The following introduces some third-party tools that can help you recover lost DS data; in Chapter 12, you'll find a discussion of some third-party NDS/eDirectory management applications.

NOTE

Because Novell has not documented the APIs necessary to access eDirectory in a data recovery situation on non-NetWare platforms, the discussions in this section are limited to DS trees where NetWare servers are present. Should you need to recover a lost Admin password or Admin user in an eDirectory tree where no NetWare servers host replicas, contact Novell for assistance: Visit support.novell.com/additional/telephone.html for a list of telephone numbers for your region.


Recovering a Lost Admin Password

It is not uncommon to forget a password, especially one that's considered to be a good, secure password. What can you do if the Admin password is lost, either due to human error or deliberate sabotage? If you have a backup Admin user that has Write rights to Admin's Access Control List (ACL) attribute, you can simply use it to reset Admin's password.

What if you don't have a user that can reset Admin's password? There are a few solutions that you can try.

TIP

It is generally recommended that a password should not be a common (single) word that is easily guessed; however, instead of using a meaningless word for your password, such as "435ggerpwe", combine a few meaningful (thus easily remembered) words together into a password, such as "try2guessthispassword".


The first technique is to make use of Bindery Services. If you have a server that holds a writable replica (Master or Read/Write) of the partition containing the Admin object, you can use one of the two following methods:

  • Log in to that server using the bindery Supervisor ID, and use a bindery-based management utility, such as SYSCON, to change Admin's password. (You can download a copy of SYSCON.EXE from Novell's knowledgebase; see TID #1003215.)

  • If you don't know the bindery Supervisor's password, you can use one of the NLM tools (such as SetPwd), available on the Internet, to reset the Admin password.

  • Open an incident with Novell Technical Support. NTS can help you to reset Admin's password via remote access.

  • DreamLAN Networking Consulting has a DSPass NLM that can reset an NDS User object password without Bindery Services, or can reset a bindery password if Bindery Services is enabled. Visit www.dreamlan.com/dspass.htm for more information.

NOTE

Although there are other NLMs easily available on the Internet that can be used to change Admin's password, DSPass is the only YES certified solution (YES Bulletin #44431) that runs on NetWare 4.10 and higher and works with all versions of NDS and eDirectory.


Because these NLMs require server console access, you should always take appropriate steps and care to secure your server console from both physical and remote (for example, RConsole) unauthorized access. Third-party utilities, such as DreamLAN Network Consulting's SSLock for NDS and Protocom Development Systems' SecureConsole, can enhance your server console security. See Chapter 15 for additional information.

Recovering a Lost Admin User Account

If you administered NetWare networks prior to NetWare 4.0, you know that the user Supervisor can't be deleted (at least not by accident and not through standard management tools such as SYSCON). With NetWare 4 and higher, however, it is possible for you to (accidentally) remove the Admin user and leave yourself with an unmanageable NDS/eDirectory tree! Chapter 15 contains information on how to safeguard your administrative accounts so you'll never have an unmanageable tree. In the unpleasant event that you've lost your Admin user, here are some solutions.

If it is a single-server test tree or a tree that can easily be recreated, you can use the following steps to re-create a new Admin user:

  1. Remove DS by loading the NWConfig or Install NLM with the -DSREMOVE command-line switch. (For example, LOAD NWCONFIG -DSREMOVE.)

  2. Select Directory Options.

  3. Select Remove Directory Services from the server.

  4. Press Enter after reading the warning message.

  5. Select Yes to the Remove Directory Services? prompt.

  6. Press Esc when prompted for the Admin user and password.

  7. Select Yes to the Remove the Directory without logging in recommended? prompt.

  8. After DS has been removed, exit NWConfig and reload NWConfig without the -DSREMOVE switch.

  9. Use the Directory Options to reinstall DS. You'll be asked to create the Admin user.

WARNING

The steps described will destroy your current DS tree! The file system data will not be touched, however.


Another solution is to open an incident with Novell Technical Support. NTS can help you to create a user with Supervisor rights to [Root] and, thus, admin rights to your tree, via remote access.

Yet another option is to use the MakeSU ("Make SuperUser") NLM from DreamLAN Networking Consulting. This can create a DS User object that has Supervisor rights to [Root]. Visit www.dreamlan.com/makesu.htm for more information.

Unlike the first option, the last two options will create an Admin user in a nondestructive manner.

NOTE

There are a couple of other NLMs available on the Internet that can create a lost Admin user. MakeSU, however, is the only YES-certified solution (YES Bulletin #44435) that runs on NetWare 4.10 and higher and works with all versions of NDS and eDirectory.


Detecting and Gaining Access to IRF-Blocked Objects

As with the NetWare file system's Inherited Rights Filters (IRFs), DS administrators can apply IRFs to DS objects so that they are accessible only to users that have trustee assignments. The one main difference between file system IRFs and DS IRFs is that you can use an IRF to block Supervisor access to DS objects, whereas you can't do this in the file system. Therefore, it is not uncommon for security-conscious DS administrators to protect administrative accounts, such as Admin and admin-equivalent user objects, using IRFs. For details on how to protect DS objects, especially Admin-type user objects, from tampering, see Chapter 15. The following section deals with what to do if you need access to IRF-blocked objects.

IRF-blocked objects can be categorized into three types: visible but unmanageable (you can't delete or modify them), invisible but manageable, and invisible and unmanageable. The invisible objects are generally referred to as stealth objects. You can't see stealth objects easily using the standard management utilities, such as ConsoleOne, because the IRF blocks the Browse right to the object. They can be detected, however, using certain techniques (if they leave a "footprint" via ACL assignments, for example) and using specialized utilities. You'll find a discussion of one of the utilities, Hidden Object Locator, in Chapter 15.

NOTE

Another stealth object detector is the NDSTree utility, available from DreamLAN Network Consulting. For more information, see www.dreamlan.com/ndstree.htm.
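
The following is an added example, not taken from the book or from any Novell or third-party tool: a simplified Python model of DS object-rights inheritance that sorts objects into the three IRF-blocked types described above and flags stealth objects by the ACL "footprint" they leave on objects the viewer can still browse. The tree, the object names, and the rule that "manageable" means holding Delete or Rename are assumptions made for illustration; security equivalence and attribute rights are ignored.

```python
ALL = frozenset("BCDRS")  # Browse, Create, Delete, Rename, Supervisor

# Constructed tree: name -> (parent, IRF mask, {trustee: explicit rights}).
TREE = {
    "[Root]":         (None,      ALL,            {"Admin.Acme": "S", "Helpdesk.Acme": "BD"}),
    "Acme":           ("[Root]",  ALL,            {"Shadow.IT.Acme": "S"}),
    "Admin.Acme":     ("Acme",    frozenset("B"), {"Admin.Acme": "S"}),
    "Helpdesk.Acme":  ("Acme",    ALL,            {}),
    "IT.Acme":        ("Acme",    ALL,            {}),
    "Vault.IT.Acme":  ("IT.Acme", frozenset("D"), {}),
    "Shadow.IT.Acme": ("IT.Acme", frozenset(),    {"Shadow.IT.Acme": "S"}),
}

def effective(viewer, name):
    """Viewer's effective object rights on `name` in this simplified model."""
    parent, irf, acl = TREE[name]
    # Rights flowing down from the parent are masked by the object's IRF.
    # Unlike a file system IRF, a DS IRF can strip Supervisor as well.
    inherited = (effective(viewer, parent) & irf) if parent else frozenset()
    # An explicit trustee assignment on the object replaces inherited rights.
    rights = frozenset(acl[viewer]) if viewer in acl else inherited
    return ALL if "S" in rights else rights  # Supervisor implies every right

def classify(viewer, name):
    """Place an object in one of the categories used in the text."""
    rights = effective(viewer, name)
    visible = "B" in rights
    manageable = bool(rights & {"D", "R"})  # assumption: can delete or rename
    if visible:
        return "visible and manageable" if manageable else "visible but unmanageable"
    return "invisible but manageable" if manageable else "invisible and unmanageable"

def footprints(viewer):
    """Trustees named in ACLs of browsable objects that a browse does not return."""
    visible = {n for n in TREE if "B" in effective(viewer, n)}
    trustees = {t for n in visible for t in TREE[n][2]}
    return sorted(trustees - visible)

if __name__ == "__main__":
    for obj in TREE:
        print(f"{obj:16} {classify('Admin.Acme', obj)}")
    print("ACL footprints of unseen objects:", footprints("Admin.Acme"))
```

In this constructed tree, Vault.IT.Acme is hidden from Admin but holds no trustee assignment elsewhere, so the footprint check does not find it; only an object that appears in some other object's ACL can be detected this way.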


Once the unmanageable object names are determined, you can regain access to them using one of the following methods:

  • Open an incident call with Novell Technical Support.

  • Use the MakeSU NLM to create a DS User object or grant an existing user object full DS rights to the stealth or unmanageable object.

Write Your Own Utility

Although there are a large number of utilities available to assist you in data recovery, every network is unique, and you may have specific requirements that the available utilities do not address. If you have some programming background or have access to a programmer, coding your own recovery utility is an option.

A wide variety of tools that interface with network services and NDS/eDirectory are available for your choosing. You're not limited to using the C programming language, as was the case in the past when programming for NetWare and other operating systems. Novell and third-party vendors offer class libraries, JavaBeans, scripting languages (such as Visual Basic, JavaScript and Perl), and C/C++ APIs to support the widest range of developer participation and opportunity. Chapter 10 offers some examples on how you can "roll your own" data recovery utilities.



Novell's Guide to Troubleshooting eDirectory
ISBN: 0789731460
EAN: 2147483647
Year: 2003
Pages: 173
