
Working with the NetWare 4.11 Server

Novell NetWare 4.11 Server PC
Windows 98 Client PC
2 CAT5 UTP patch cables
Hub or switch
Student CD-ROM, "Room 6359"
The student should become familiar with the Novell NetWare 4.11 server operating system including:
Troubleshooting the startup process of the server,
Manually loading and unloading device drivers and modules,
Some basic server console operations,
Know all associated terminology concerning the NetWare operating system families.
The student will become familiar with the Novell NetWare 4.11 operating system and learn the basic skills of troubleshooting the server startup process on the network and will be able to initiate a diagnostic startup of the server and login to the server using available client components on a Windows 98 PC.

NOTE: None of this material is officially endorsed by Novell Inc. It is provided to the students mainly so that they can gain some, albeit limited, hands-on experience with Novell's products which are used in the IT industry, and to provide the students with information concerning the Novell products since it is expected for the CompTIA Network+ certification. This material is intended solely for educational purposes and may not be reproduced or used in any commercial environment and must not be used as a substitute for a certified Novell professional on commercially deployed Novell products.


In order to perform the following procedures, a Novell NetWare 4.11 Server must be up and running and attached to the Room 6359 hub. See NET2 Lecture/Lab #1 - Introduction to Novell NetWare 4.11 for details on the complete setup for the following exercises.

Procedures - Diagnostic Startup of the Server

  1. Like any computer, the software is by far the most vulnerable to corruption, user error, or even software design error. The Novell NOS products are incredibly reliable and well designed systems, but especially with versions 3.x and 4.x they are quite old and can encounter problems on modern systems with hardware developed many years after their final release.

  2. Boot the server PC and at the DOS prompt change to the C:\NWSERVER directory. To initiate a diagnostic startup type in the following command:

    C:\NWSERVER>server -na -ns -nl

  3. The switches mean: -na, do not execute the commands in the AUTOEXEC.NCF, -ns, do not execute the commands in the STARTUP.NCF, -nl, (NL) do not load the entire operating system kernel, just the minimal kernel.

  4. Upon executing the above command the server starts and immediately reaches this prompt:

    System Console
    AUTOEXEC.NCF file will not be executed
    STARTUP.NCF file will not be executed
    Novell NetWare 4.11  August 22, 1996
    Processor speed: 141311
    (Type SPEED at the command prompt for an explanation of the speed rating)
    LCONFIG.SYS file exists, overriding default locale values

    File server name: _

  5. Enter your file server's name at this prompt and press [Enter]. You are immediately prompted for the IPX internal network number which must be unique to each server on the network. This will be the 6359000x value used when the server was installed:

    File server name: FS99
    IPX internal network number: _

  6. Upon entering the IPX internal network number the server completes a very fast and minimal kernel load and arrives at the server prompt. At this point instruct the server to load the STARTUP.NCF file:


  7. The output of the drivers as they load is extensive and they will scroll off of the screen faster than they can be viewed on a Pentium 4. Remember that the server is vintage 1996 in this example and was intended to be capable of running on a 386 CPU which was old but serviceable at that time. Note that the driver IDECD.CDM loads and is followed by the file MAC.NAM which will provide support for the long file names in the CD-ROM's file system. This is followed by a warning that the driver has not been tested with the physical CD-ROM device that it detects using the IDE/ATAPI interface language. Control is then returned to the console prompt. This step is used primarily to see if the device drivers are in fact working and establishing the ability of the server to access the hard drive, CD-ROM, etc. If errors occur or the system hangs when loading a driver, it will need to be replaced.

  8. At this point the next set of operating system kernel components can be loaded to observe for errors. This stage attempts to mount the volumes in the NetWare partition and loads the file system drivers. If errors occur in this stage then the volumes or the file systems have become corrupt or damaged. Note that this file is stored in the SYS volume, while the STARTUP.NCF is stored in the C:\NWSERVER directory of the DOS partition. The STARTUP.NCF loaded the NetWare drivers that allow it to access the hard drive without using the DOS operating system kernel to do this. Because NetWare is a highly secure and reliable operating system it should neither use nor have to rely on DOS to access the hard drive. Furthermore, DOS cannot interpret the NetWare File System, so upon mounting the volume the native file system drivers load as well so that the secure partition and file system can be accessed. To load this stage of the operating system kernel type the following command at the console prompt:

    FS99:mount sys

  9. Observe that the system successfully mounts the volume without errors and obviously does not hang. If it returns to the console prompt without errors, then proceed to load the AUTOEXEC.NCF.

  10. If the system returns the prompt without errors, down the server and exit back to DOS:

    IPXRTR: IPX link state router down.
    Notifying stations that file server is down
    Downing the router...
    Dismounting volume DATA
    2-09-05 3:12:30 pm: DS-5.73-30
        Bindery close requested by the SERVER
    2-09-05 3:12:30 pm: DS-5.73-27
        Directory Services: Local database has been closed
    Dismounting volume SYS
    2-09-05 3:12:35 pm: SERVER-4.11-2009
        FS2 TTS shut down
        because backout volume SYS was dismounted.
    Type EXIT to return to DOS.

Server Console Commands

  1. From the C:\NWSERVER> DOS prompt launch the server normally. Type "server" (no quotes!) and press [Enter]. At the server prompt type "help" and press [Enter]. Starting with Novell 4.x, the console will list the possible console commands. Now ask the console for help with the MEMORY command:

    FS99:help memory
     Displays the amount of server RAM.
     Example: memory


  2. Now execute the MEMORY command:

    Total server memory: 130,623 Kilobytes

  3. All of the commands displayed by the HELP command are internal commands understood by the command prompt interface. Just like any other OS, the NetWare server can load external commands and utilities. The most commonly used command from the server console is MONITOR. This utility allows the administrator to literally monitor the server's activity. First, logon to the server from a Windows 98 workstation that has Client32 installed on it. Then from the server console load the monitor utility. These are not standalone executables but are written in a pseudo machine language that can only execute under the NetWare server kernel. These are referred to as NLM's - NetWare Loadable Modules:

    FS99:load monitor

  4. The MONITOR utility will open into a full screen menu driven application with the same look and feel as the installation program. In fact the installation was a special NLM for handling the installation of the server. After a few seconds the General Information window opens fully, listing the server's uptime (since the last startup) and Active processors (in the case of multiprocessor machines, listing one when it has two will indicate driver support problems). Press [Tab]. On the available options window use the down arrow to highlight the LAN/WAN information choice and press [Enter]. In the available LAN drivers window select the first choice and press [Enter]. Note the Ethernet frame type, and the total packets sent and received. Press [Esc] and check these statistics on the second choice. The one with the largest number of sent and received packets is the frame type that the client is using and identifies the IPX network that the client machine is using. This is critical to clarify: the server by default loaded the NIC card driver twice, once for what Novell refers to as Ethernet_802.2 frames and again for Ethernet_802.3 frames. Machines using the 802.2 frame type cannot communicate with machines using the 802.3 frame type at all. The server then binds the IPX layer 3 protocol to the 802.2 frame type and establishes an IPX network number for it. It binds IPX again to the 802.3 frame type and assigns another IPX network number to that. So the server is running two independent IPX networks with which clients can communicate and attach to. The server will serve as a router for transactions between them. Press [Esc] until the dialog box appears asking if you want to exit MONITOR, select "Yes" and press [Enter].

  5. The server can read from DOS drive letters with no problem. Using the Room 6359 Student CD-ROM decompress the file FILER.NLM from the file named FILER.ZIP in the Zipfiles folder to a diskette. Insert the diskette in the floppy drive of the server. For security purposes the server has no internal commands with which to access files directly in the volumes. So even from the server console you cannot copy a file from the SYS volume to a floppy for example. However, this privately written third party utility can allow you to browse the volumes from the server console. Launch it like this:

    FS99:load a:\filer

  6. The program launches quite a few helper modules in order to function. But then opens a menu driven view of the SYS volume. Select the ".." and press [Enter] to move up one level. The view will show a listing of the SYS volume as well as all recognized DOS drive letters. But the CD-ROM is not visible as a Novell volume. Press [Esc] and exit FILER.NLM. Back at the prompt, type:

    FS99:list devices
     1. [V025-A0-D1:1] ATAPI-CD ROM-DRIVE-56MAX rev:56B4.
     2. [V025-A0-D1:0] FUJITSU MPB3032ATU E.

  7. So the hardware level driver is loaded and can see the CD-ROM drive. However, another NLM is needed to activate it as a NetWare Volume meaning that it is accessible from client workstations. Load this NLM now:

    FS99:load cdrom

  8. You can view the CD-ROM's help pages as indicated one at a time by repeatedly typing "cd help" at the prompt. But for now insert the Room 6359 student CD-ROM and type this command to set it up as a volume:

    FS99:cd mount 1

  9. These commands have a lot of output to the screen. If none of this output looks like error messages then continue. Now view the CD-ROM volumes like this:

    FS99:cd volume list

  10. Now you know the volume name. From the client Windows 98 PC open Network Neighborhood, open FS9 (or whatever the server is named) and the CD-ROM volume will be visible. Open it and the contents will be visible and accessible.

  11. The Novell 4.11 server is capable of emulating the Novell 3.12 Bindery based server. This allows the clients of the old NW 3.12 server to be able to logon to it and access it as if it was an NW 3.12 server using the Novell Bindery services rather than the NetWare Directory Services as the network structure and security system. Type:

    FS99:bindery add context= O=RM6359

  12. If this bindery context is already in the context list then that is fine. Either way, the diskette used to logon to the older server in the other exercises can now be used to logon to the NW 4.11 server. Boot another PC to this diskette and load the drivers. Indicate the NW 4.11 server's name when loading NETX. The diskette should attach. Change to the F: drive and login. The user name is "admin" and the password is also "admin". Now execute the following command:

    A:\>map Q:=FS99/RM6359P4:BIN

  13. Change to the Q: drive and run DIR. The directory of the BIN directory of the CD-ROM installed as a volume on the server should be displayed. At this point you could GHOST the PC from it as if it was installed locally using the mapped letter to the server's CD-ROM.

  14. Change to the Y: drive which is mapped by default to the root of the SYS volume and type NDIR. Note the layout of the Novell version of DIR displays more pertinent information about directory information than the regular DOS DIR. Change into the SYSTEM directory and type NDIR *.EXE to display all external commands that can be executed from the client system.

  15. Locate the executable WHOAMI.EXE on the last display page. Now type WHOAMI at the command prompt:


    User ID:    ADMIN
    Server:     FS99  NetWare 4.11
    Connection: 4 (Bindery)
    Login Time: Friday 2-11-05 10:30:59 am


  16. This command is quite useful when the Administrator has been testing a user login and has been logging in as Admin and logging out and logging back in as a user repeatedly. At some point one might forget which user account is currently logged in. Whoami is used to check which user account the user is currently logged in to the server with at this moment. Now type NDIR *.BAT. This list is mostly composed of batch files with the same names as the commands of the older NetWare 3.x server commands that are no longer implemented on the NetWare 4.x generation of servers. Their functions have been moved into other commands as of NetWare 4.11. Type VERSION at the prompt:

    This utility is not supported with 4.x NetWare products.
    Use NDIR [path] /Ver

  17. Armed with this small help message displayed by the file VERSION.BAT, type NDIR /VER:

    Y:\PUBLIC>ndir /ver

    Version: 4.26
    (c) Copyright 1983-1996, Novell Inc. All rights reserved.

    Files required for this utility:
     NDIR.MSG (4.05)

    Unicode files needed for country 1 and code page 437:


    If a file is specified it will display similar version information for that file as well. So all of the functionality of the NetWare 3.x VERSION.EXE command has been moved into NDIR and can be accessed by using the /VER switch with it.

  18. To prepare a place for users home directories in the upcoming exercise, first move to the root of the Y: drive (which is the root of the SYS volume):

    Y:\PUBLIC>cd ..

    Y:\>md users


  19. Now we'll prepare the system for a remote console session to be established from the workstation. First, step over to the server console prompt and enter this command:

    FS99:load remote
    Loading module REMOTE.NLM
     NetWare 4.1 Remote Console
     Version 4.10   July 2,1996
     Copyright 1996 Novell, All rights reserved.

    Enter a password for Remote Console

  20. Enter the password as "rm". Be sure the capslock is OFF and type it precisely, because nothing appears on screen when you type this password in and it does not ask you to type it twice. If you make a mistake the only solution is to unload it from the server console and then load it again. Press [Enter] and the server returns to the prompt:

    FS99:load remote
    Loading module REMOTE.NLM
     NetWare 4.1 Remote Console
     Version 4.10   July 2,1996
     Copyright 1996 Novell, All rights reserved.

    Enter a password for Remote Console
    Remote Console successfully loaded

  21. Now the server can support a remote console session that is going to be performed from the workstation over IPX/SPX. It will need the IPX/SPX driver support for this operation to be loaded as well. Type in "load rspx" and press [Enter]:

    FS99:load rspx
    Loading module RSPX.NLM
     NetWare Remote Console SPX Driver
     Version 4.10   July 2,1996
     Copyright 1996 Novell, All rights reserved.

  22. Now return to the client PC and type "rconsole":


  23. This launches a full screen utility which asks if the RCONSOLE session will attach using "asynchronous" (serial port) or SPX (over the LAN). Be sure that SPX is highlighted and press [Enter]. This results in a list of available servers. The server should appear in the list. With it highlighted press [Enter]. RCONSOLE now prompts for the password. Type it in and press [Enter]. RCONSOLE now generates an exact replica of what is currently appearing on the desktop of the server, including the message that a remote console connection was granted for the workstation's IPX address:


  24. The attachment to the server's console is fairly strong. Type "help" at the remote console and check the server's actual screen and it will be there. Press [Enter] on the server's keyboard and the help output will be displayed on both screens. To terminate the RCONSOLE session press [Alt]+[F2]. NOTE: for NetWare 3.x you have to type [Shift]+[Esc] to break the RCONSOLE session with the server. The program asks if you want to end the connection, press [Enter] with Yes highlighted. Change back to the A: drive and logout of the server with the LOGOUT command. Properly down the server with these commands: CLEAR STATION ALL, DISABLE LOGIN, DOWN, EXIT. Turn both PC's off.


Procedures - Managing the Server and the Network

  1. Remember that starting with NetWare 4.x Novell began the implementation of NDS. This in essence treats the entire network as a tree of objects structured roughly like a directory tree, hence the term Novell Directory Services. The tree has a root called [Root] on all trees regardless of the tree's actual name. The tree's name can be thought of as roughly equal to a volume label of a DOS drive whereas the root of the directory structure on the DOS drive will always have the name "\". Remember that the NDS tree is not a directory file system. It is only roughly organized like one. It is a directory structure of network objects based on the X.500 standard for implementing global network organization to its various components including the physical devices, storage volumes (which do contain true directory trees and files), organizational units (the object tree equivalent of a subdirectory), and "leaf" objects like user accounts, print queues, etc.

    When the server was installed in Lecture/Lab #1 the tree was named and an organization name was specified. An organization is not much more than an organizational unit that branches directly from the [Root] of the tree. Think of organizations as main tree trunks that branch directly off of the [Root]. Organizational units then branch off of these organizations further subdividing the network into manageable logical groups of users, groups, servers, print queue's, etc. Leaf objects can be stored anywhere within the tree. However, the whole point of the tree is to group related objects together.

    For example, the ACME company might name their tree "ACME" and they might create two organizations within the [Root] named "MIAMI" and "NEWYORK" representing their two offices. Within these they can each have organizational units (called OU's) named "MGMT", "ACCT", "MRKTNG", etc. The "MANAGER" user within the "ACCT" OU would therefore be the manager of the accounting department, and has implicit rights within that OU but not in any other OU in the tree. For that, they would have to be explicitly granted to him by the Administrator. This is one of the useful features of the tree. Note that the server is the caretaker of the tree, and makes the tree happen, but the tree is larger than the server; the server in fact is nothing more than just another leaf node within the tree it creates. Its actual storage volumes are also other leaf nodes within the tree.

    This discussion is certainly no substitute for the Novell CNA and CNE courses and certifications in which the NDS tree (now called eDirectory on the current server versions) is covered in detail...and it has a lot of details to be covered. In this exercise the student will work with NwAdmin for which a shortcut was created on the desktop of the client32 based PC in the installation exercise. NwAdmin allows the administrator to access the entire tree (or the part of it that originates from his server), and create, modify or delete any object node within it. Obviously one would expect strange effects to things like deleting the server object from the tree it is creating!

    Double-click the shortcut that was created on the desktop in Introduction to Novell NetWare which opens NwAdmin (your tree and organization names may be different):

  2. Currently the top level displayed by NwAdmin is the login context which is not the top level of the tree. To change it so that the entire tree can be seen from the [Root] down, click View > Set Context:

  3. The Set Context dialog box opens. Click on the "browse" button to the right of the currently highlighted context:

  4. The standard object browser window opens. To use it, double-click on the item to move into in the right-hand panel. When the desired object appears in the lefthand panel double-click it to select it. In this case, double-click the up arrow in the righthand panel to move up one level:

  5. From this browsing vantage point within the tree, the [Root] of the tree can be seen now listed in the lefthand window. This is the topmost level of the tree and the context that NwAdmin should be set to. Double-click it now:

  6. Now the [Root] of the tree is the topmost level displayed in NwAdmin. The organization created during the installation of the server is visible as an object one layer under the [Root] of the tree:

  7. With the [Root] highlighted click Object > Create:

  8. This opens the New Object dialog box with the choices of kinds of objects that can be created in the [Root]. Choose Organization and click OK:

  9. This opens the Create Organization dialog box. Type in "RM6360" and check the "Define additional properties" check box and click the Create button:

  10. Fill in the description of the organization with whatever you like, then click OK:

  11. Now right-click on RM6359 and select Create. In the New Object dialog box notice that there are many more types of objects that can be created in an organization than can be created in the [Root] of the tree. Select organizational unit and click Create:

  12. In the Create Organizational Unit dialog box, name it NET2, check the "Define additional properties" and click the Create button:

  13. Type in whatever you like in the Description and location boxes and then click OK:

  14. Now create another object within the NET2 OU. This time select a template:

  15. The Create Template dialog box opens. Name it CLASSUSERS and check "Define additional properties":

  16. In the additional properties, type "Template for creating NET2 Users" in the Description and then click the "Environment" button on the right. This opens the Environment properties sheet. Click the browse button to the right of the "Default server" box and browse to and select the server of the network. In this case it is FS99. Now click the browse button to the right of the home directory Volume and Path boxes and browse to the directory "USERS" created in the earlier exercise: The situation should now look like this:

  17. Now click the Login Time Restrictions button on the right. In this panel, the white boxes are half hour blocks beginning on the specified time in which the user is allowed to be logged in. The dark gray boxes are half hour blocks of time starting at the specified time in which the user may not be logged in to the server. The default is that a user may login at any time (they are all white). Float the mouse pointer over the upper lefthand corner box which represents the block from midnight to 12:30AM on Sundays. Now press and hold the left mouse button and drag the mouse to the last square on the Thursday row. The situation looks like this:

  18. Release the left mouse button and the selected square of times will be turned to the dark color indicating that the user cannot login to the server at any time from Sunday through Thursday. Now block logins from midnight to 5:30PM on Friday and Saturday. Block logins from 10:00PM to midnight on Friday and Saturday. And block the remaining time on Saturday so that Saturday is completely blocked. This will leave available only Fridays from 5:30PM to 10:00PM (9:59PM actually) as available to login. The panel should now look like this:

  19. Now click the OK button to create the new Template with all of these properties. The purpose of a Template is to be able to use it to create a user with all of these common properties set already. Right click on NET2 and select create. This time select User in the New Object dialog box and click Create:

  20. In the Create User dialog box name the new user STAx where x is the name of your workstation printed on the sticker on the front panel of the PC. Check the use Template check box and click the browse button to the right of it. When the object browser opens the template should be in the lefthand panel. Double click it to select it. The home directory defined in the template will be used and this is reflected on the Create User dialog box after the selection of the template. The situation should look like this:

  21. Click the create button. At this point, a new user exists in the tree in the context OU=NET2.O=RM6359. Notice that this is not the same context as Admin. Click Start > Logoff Admin. Agree to logoff as Admin. Windows will save settings and close explorer.exe and restart nwlogn32.exe which displays the client login screen again. Type in the user name of STAx (x is your station number) and click the "Advanced>>" button. Click the contexts button and a browser window appears. Open RM6359 and then select NET2. Click OK and this returns to the login screen with the context now reading NET2.RM6359. Click OK and the system will log you on as the user. If this is done in the open lab hours an error message will appear indicating that the user is attempting to login during a restricted time and the login will fail and return to the login screen. Otherwise the login should work and you may be prompted for a password; if so change it to STAx where x is the station number. Logoff as the user and log back in as Admin. Do not forget to browse back to the proper context of RM6359 before clicking OK to login.
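
The Login Time Restrictions panel from steps 17 and 18 can be modelled as a 7 x 48 grid of half-hour blocks. The following is an added example, not part of the original lab and not Novell code; the function names are assumptions, and the Friday date is the one shown in the WHOAMI output earlier on this page. It rebuilds the template's grid and shows which logins an administrator should expect to be refused.

```python
from datetime import datetime

DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]  # row order in the panel
SLOTS = 48  # half-hour blocks per day


def to_slot(hhmm):
    """Convert 'HH:MM' to a half-hour block index ('24:00' is the end of the day)."""
    hour, minute = map(int, hhmm.split(":"))
    return hour * 2 + minute // 30


def to_hhmm(slot):
    return f"{slot // 2:02d}:{(slot % 2) * 30:02d}"


def new_grid():
    """Default panel: every block is white, so login is allowed at any time."""
    return {day: [True] * SLOTS for day in DAYS}


def block(grid, days, start="00:00", end="24:00"):
    """Turn the blocks in [start, end) dark (login refused) on the given days."""
    for day in days:
        for slot in range(to_slot(start), to_slot(end)):
            grid[day][slot] = False


def lab_template_grid():
    """The CLASSUSERS restrictions exactly as steps 17 and 18 describe them."""
    grid = new_grid()
    block(grid, ["Sun", "Mon", "Tue", "Wed", "Thu"])   # drag Sunday..Thursday
    block(grid, ["Fri", "Sat"], "00:00", "17:30")      # midnight to 5:30PM
    block(grid, ["Fri", "Sat"], "22:00", "24:00")      # 10:00PM to midnight
    block(grid, ["Sat"])                               # remainder of Saturday
    return grid


def login_allowed(grid, when):
    """True if a login at datetime `when` falls in a white block."""
    day = DAYS[(when.weekday() + 1) % 7]  # Python counts Monday as 0
    return grid[day][when.hour * 2 + when.minute // 30]


def allowed_windows(grid):
    """Collapse the grid into (day, start, end) windows for review."""
    windows = []
    for day in DAYS:
        start = None
        for slot in range(SLOTS + 1):
            is_open = slot < SLOTS and grid[day][slot]
            if is_open and start is None:
                start = slot
            elif not is_open and start is not None:
                windows.append((day, to_hhmm(start), to_hhmm(slot)))
                start = None
    return windows


if __name__ == "__main__":
    grid = lab_template_grid()
    print(allowed_windows(grid))
    # Friday 2-11-05 10:30:59 am, the login time in the WHOAMI output above
    print(login_allowed(grid, datetime(2005, 2, 11, 10, 30, 59)))
```

Listing the windows this way is a quick check that a dragged selection did not leave an unintended white block on a day that was meant to be fully closed.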

Strong Password Enforcement in NetWare 4.11

  1. Open NwAdmin and right click on the user STAx created in the previous exercise and select Details:

  2. Click on the Password Restrictions button on the right. Be sure that "Allow User to Change Password" is checked. Now check "Require Password" and change the minimum length to 8 characters. Check "Force periodic password changes" and change the time to every 30 days. The date that the current password expires was automatically set to the current date and time, which will force the user to change the password the next time they login, which is fine. Check "Require unique passwords". This keeps records of old passwords and will not allow the user to repeat previously used passwords, which would defeat the purpose of forcing them to change them in the first place. Check "Limit grace logins" and change both boxes to 3. This will allow the user to login three times after the password expires with the old password while refusing the offer to change it. After that, they will no longer be allowed to login until they change it. The properties sheet should look like this:

  3. If working outside of the class time, click on the Login Time Restrictions and open the day that you are working so that the user is allowed to login; otherwise simply continue. Click OK to save the changes made and logoff as Admin and login as the user. The system should issue the message that the password has expired and offer the user to change it. Agree to change it and use the password: 12345678. Cancel the offer from Windows (it does not work - a bug) and the system will continue with the login process. Windows will ask for the new password a second time. Change it here and it will work properly.

  4. Generally speaking, for an old server software these password rules are fairly strong and in keeping with what is considered by modern networking professionals to be strong and effective password policies. The only modern strong password policy that the NetWare 4.11 server does not regulate and enforce is the use of mixed case and "funny" characters in the password. Here are the modern "strong password policy standards":

    • Minimum 8 characters in length - brute force cracking programs must try 26^8 = 208,827,064,576 possibilities, but only need to check 26^4 = 456,976 possibilities for four-character passwords using all capital letters.
    • Should contain both letters and numbers (alphanumeric) - In 8 character passwords this increases the possible combinations to 36^8 = 2,821,109,907,456.
    • Should contain both upper and lower case letters (mixed case) - In 8 character passwords this increases the possible combinations to 62^8 = 218,340,105,584,896.
    • Should contain "funny characters" like !, @, #, etc. (non-alphanumeric characters) - Just adding the characters over the number keys increases the possible combinations to 72^8 = 722,204,136,308,736. Remember that by making passwords include mixed case alphanumeric plus non-alphanumeric combinations of at least 8 characters, this has created 722 trillion possibilities versus all capitals four letters long yielding less than 1/2 a million combinations. A modern P4 PC can cover all 1/2 million combinations in less than 1 second, but it would take days to work on trillions of possibilities. At least it might frustrate an intruder.
    • Should be changed periodically and not be repeated (users might toggle such passwords as A1a1B2b2 and B2b2A1a1 if the system does not enforce this, then if an intruder discovers an "old" password and tries it, it will work if the user has gone back to it) This prevents intruders who are capturing encrypted packets from using this added data input to assist the brute force cracking program. Also if the program does break the password, it will be changed again within a few weeks so that it will be ineffective again. Intruders may not have the ability to login to the network assuming the identity of an authorized person at any time or day that they would like. Hopefully the window of opportunity (a delivery person stepping into an unoccupied cubicle while no one notices) will pass and the password will have changed already.
    • Should not be written down (nor be so hard to remember that the user has to write it down) - Obviously you don't want a user's password written on a sticky note on the monitor.
    • Should not include the user's login name not even backwards (a popular old trick, hackers know it too)
    • Should not include any of the user's easily accessible personal information such as their office phone number extension, first name, part of the work or home street address, etc. (another popular old trick that hackers know too)
  5. NetWare 4.11 covers several of these issues but not all of them. Incidentally Windows 2000 Server is not that much better. Windows Server 2003 does however, have a very powerful password enforcement policy that does cover as many of the features listed above as the machine knows of (it cannot know the user's children's names, for example which are easily ascertained personal information that should not make its way into passwords).
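
The checklist above can be written as a password audit that reports every rule a candidate breaks, together with the brute-force search space used in the bullet points. This is an added example, not part of the original lab and not NetWare's own logic; the function names, the PBKDF2 settings and the station name STA5 are assumptions made for illustration. Old passwords are kept only as salted hashes so that the "unique passwords" check does not need a plaintext history.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8            # the minimum set in Password Restrictions above
PBKDF2_ROUNDS = 100_000   # assumption for this example


def hash_password(password, salt=None):
    """Return (salt, digest) so the history never stores plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password, history):
    """True if the candidate matches any previously used password."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password, login_name, personal_info=(), history=()):
    """Return the list of checklist rules the password violates."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not (any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)):
        problems.append("not alphanumeric")
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)):
        problems.append("not mixed case")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    name = login_name.lower()
    if name and (name in lowered or name[::-1] in lowered):
        problems.append("contains login name")      # forwards or backwards
    if any(item and item.lower() in lowered for item in personal_info):
        problems.append("contains personal info")
    if in_history(password, history):
        problems.append("reused")
    return problems


def keyspace(password):
    """Combinations a brute-force search must cover for the character
    classes actually used, counted the way the checklist counts them
    (26 per letter case, 10 digits, 10 symbols over the number keys)."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 10
    return alphabet ** len(password)


if __name__ == "__main__":
    # Constructed inputs: STA5 stands in for the lab's STAx user.
    old = [hash_password("A1a1B2b2")]
    for candidate in ("12345678", "STA5", "A1a1B2b2", "Xk7#mQ2!"):
        print(candidate, check_password(candidate, "STA5", history=old),
              keyspace(candidate))
```

The password 12345678 used in step 3 satisfies the 8-character minimum, yet its search space is only 10^8 because it draws on digits alone.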

Review Questions

Copyright © 2000-2004 Brian Robinson ALL RIGHTS RESERVED