How to Uninstall Novell Account Management 2.1 for Windows NT
Major Account Support Engineer
Novell Technical Support
01 Mar 2002
One of the trickier aspects of upgrading from Novell Account Management (NAM) 2.1 for Windows NT to NAM 2.1 for Windows 2000 is the fact that it involves an underlying operating system migration: from Windows NT and Domains to Windows 2000 and Active Directory. For this reason, there is no direct migration path from NAM 2.1 for Windows NT to NAM 2.1 for Windows 2000. You first need to uninstall NAM 2.1 for Windows NT, then proceed to migrate your NT environment to Windows 2000/Active Directory, and finally install NAM 2.1 for Windows 2000. This AppNote outlines the proper procedures for uninstalling NAM 2.1 for Windows NT.
eDirectory, user account management, NT Domains
Novell Account Management 2.1 for Windows NT, Novell Account Management 2.1 for Windows 2000, Novell eDirectory
familiarity with NAM 2.1, eDirectory, and NT Domains
Windows NT 4.0
One of the most common questions asked about the new Novell Account Management (NAM) 2.1 for Windows 2000 product is: "How do I upgrade from Novell Account Management 2.1 for Windows NT to Novell Account Management 2.1 for Windows 2000?"
Although these two products solve the same problem (managing user accounts on multiple platforms), the underlying OS and architecture are very different. On one side, you have NT Domains and Windows NT 4.0 servers, while on the other side you have Active Directory and Windows 2000 servers. Therefore, upgrading from NAM 2.1 for Windows NT to NAM 2.1 for Windows 2000 implies an operating system migration: migrating from NT Domains/Windows NT 4.0 servers to Active Directory/Windows 2000 servers.
That's why there is no direct migration path between NAM 2.1 for Windows NT and NAM 2.1 for Windows 2000. First, you need to uninstall NAM 2.1 for Windows NT, then migrate your NT Domains and Windows NT 4.0 servers to Active Directory and Windows 2000 servers, and finally install NAM 2.1 for Windows 2000.
This AppNote outlines the procedures for uninstalling NAM 2.1 for Windows NT. It is very important to handle this procedure properly, since all the NT Domain user accounts stored in eDirectory will have to be transferred back to the SAM database. An improper uninstallation of NAM 2.1 for Windows NT could result in the loss of all modifications made to the NT Domain since the product was installed. As a result, a number of users would most likely no longer be able to log in to the NT domain.
This AppNote covers in detail how to uninstall NAM 2.1 for Windows NT, beginning with a review of the preparatory steps, possible disaster recovery options, and the product removal procedure itself.
This section outlines the procedures that must be performed prior to uninstalling NAM 2.1 for Windows NT.
Before starting to uninstall Novell Account Management 2.1 for Windows NT (NAM21NT), it is important to perform a basic health check. This check includes the following steps:
Novell Client Version. Check the version of the Novell Client on all Domain Controllers of the Domain for which you are going to uninstall NAM21NT. Make sure you are running the same client version everywhere. The recommended client version is 4.80+SP3 or 4.81. If you need to install an upgraded client, choose the custom installation and deselect every optional component, keeping just the client itself.
Also, make sure all the clients are configured with the same protocol. The recommended protocol is IP only.
Note: In the case where some replicas of the partition containing the NT Domain objects are located on NetWare 4.x servers, you must have the IPX protocol or Compatibility Mode configured.
SAM Version. Check the version of SAMSRV.DLL on all the Domain Controllers of the Domain for which you are going to uninstall NAM21NT. Make sure you are running the latest version of this DLL everywhere. Currently, the latest version of SAMSRV.DLL for NAM21NT can be found in the AM210PT2.EXE patch. To locate this patch, go to the Novell Download Web site and search on the filename in the Keyword section (http://download.novell.com/).
Directory Health. Check the eDirectory partition where the NT Domain object is located and make sure it is healthy (check time synchronization, partition synchronization, partition continuity, and so on). See Novell TID #10060600 for more information on how to perform an eDirectory health check. (TIDs can be found at the Novell Support Web site at http://support.novell.com.)
During the uninstall procedure, it is critical for the Novell SAMSRV.DLL to easily and quickly find the eDirectory tree where the NT Domain object is located. The easiest way to ensure this is to create an entry in the HOSTS file of the Domain Controllers. This entry must contain the name of the eDirectory tree and the IP address of a server containing a replica of the partition where the NT Domain object is located. Preferably, choose a server close to the Domain Controller.
Note: These instructions assume you have a pure IP environment. In an IPX environment, the Novell SAMSRV.DLL will use the Service Advertising Protocol (SAP) to locate a server with a copy of the NT Domain object. In this environment, you don't need the entry in the HOSTS file.
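A pre-flight check for the HOSTS entry described above, as an added example that is not part of the original AppNote. The tree name `ACME_TREE`, the 192.0.2.x addresses, and the list of replica servers passed to `check_tree_entry` are placeholders you would replace with your own values.

```python
import ipaddress

# Constructed HOSTS file for a Domain Controller. The tree name ACME_TREE and
# the 192.0.2.x addresses are placeholders, not values from the AppNote.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
192.0.2.20      ACME_TREE      # eDirectory tree name -> nearby replica server
192.0.2.5       pdc01
"""

def parse_hosts(text):
    """Yield (ip, names) for each usable HOSTS line; names are lower-cased."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank line, comment, or address without a name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address
        yield ip, [name.lower() for name in fields[1:]]

def check_tree_entry(hosts_text, tree_name, replica_ips):
    """Return 'ok', 'missing', 'conflict' or 'not-a-replica' for the tree entry.

    replica_ips: addresses of servers known to hold a replica of the partition
    containing the NT Domain object (supplied by the administrator).
    """
    replicas = {ipaddress.ip_address(addr) for addr in replica_ips}
    mapped = {ip for ip, names in parse_hosts(hosts_text)
              if tree_name.lower() in names}
    if not mapped:
        return "missing"
    if len(mapped) > 1:
        return "conflict"        # same tree name mapped to different servers
    if mapped.isdisjoint(replicas):
        return "not-a-replica"   # address is not a server holding the replica
    return "ok"

if __name__ == "__main__":
    print(check_tree_entry(SAMPLE_HOSTS, "ACME_TREE", ["192.0.2.20"]))
```

Run it against the HOSTS file of every Domain Controller before starting the Domain Object Wizard, so that a missing or ambiguous entry is caught before the reverse migration depends on it.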
Disaster Recovery Options
Before attempting a major operation such as uninstalling NAM 2.1 for Windows NT, you should assess the different disaster recovery options and choose the best one for your environment. Depending on how critical the data in your NT Domain is, you may want to implement some or all of the following disaster recovery options.
Emergency Repair Disk
In any case, you should have an up-to-date "Emergency Repair Disk" (ERD) for each of your Domain Controllers. Use the RDISK.EXE utility that comes with Windows NT to create the ERD disk. This disk will be the only way to recreate your NT Domain with the same SID in case of a disaster.
Make sure that you have a recent backup of all the domain controllers. To determine whether or not you really need such a backup, ask yourself if it would be possible for you to recover from a situation where the server has been completely wiped out. If the answer is no, then you need a recent backup of that server!
Clean Copy of the SAM Database
As an additional security measure in case of a disaster, you may also want to have a clean copy of the SAM database. The easiest way to achieve this is to add a new Backup Domain Controller (BDC) to your domain. This BDC will retrieve a full and up-to-date copy of the SAM database from the Primary Domain Controller (PDC), which itself is reading the information from eDirectory. Once the BDC is up and running and the full synchronization process is finished (check the Event Log), do not install NAM21NT on it. Just shut it down and keep it powered off during the whole NAM21NT uninstallation process.
This additional BDC with a clean and up-to-date copy of the SAM database offers you an alternative way of restoring your NT Domain in case of a disaster. This will be possible even if all the other Domain Controllers (including the PDC) are gone and even if the eDirectory partition holding the NT Domain object is no longer accessible. All you will have to do is bring this BDC up and promote it to be the PDC of your NT Domain. This process is very quick and will allow you to regain your full NT Domain within minutes. At that point, you will need to add new BDCs as needed by your environment.
Removing NAM 2.1 for Windows NT
You are now ready to remove NAM 2.1 for Windows NT from your Domain. During the uninstallation of NAM21NT, make sure no modifications are being made to the NT Domain.
Removing NAM21NT from the BDC
The first step is to uninstall NAM21NT from the BDC. To do this, run the Domain Object Wizard (SAMMIG.EXE, located in the System32 directory). The Wizard will detect that NAM21NT is already installed on the BDC and will prompt you to uninstall it. Make sure the box is checked to restart the server after the uninstall, and then click the Finish button (see Figure 1).
Figure 1: Uninstalling NAM21NT from a BDC.
The Wizard will proceed to replace the Novell SAMSRV.DLL with the Microsoft SAMSRV.DLL and reboot the BDC. At this point, the BDC data is no longer being redirected into eDirectory.
Removing NAM21NT from the PDC
To uninstall NAM21NT from the PDC, you also use the Domain Object Wizard, but this time on the PDC. Upon startup, the Domain Object Wizard will give you three uninstall options:
Uninstall NDS for NT and include new NDS information in the NT Domain
Uninstall NDS for NT and update passwords from NDS
Uninstall NDS for NT
These options are shown in Figure 2.
Figure 2: Uninstalling NAM21NT from the PDC.
To ensure against the loss of all modifications made to the NT Domain while it was being redirected into eDirectory, you must choose the first option. This option will do a "reverse migration" of the NT Domain information from eDirectory back into the SAM database. For this, the Domain Object Wizard will install a special SAMSRV.DLL. Upon reboot, the PDC will log in automatically to the Domain using a special account and the reverse migration procedure will start.
Figure 3 shows the Domain Object Wizard Reverse Process Log File that displays on the screen while the reverse migration is taking place.
Figure 3: Reverse migration process log file.
During the reverse migration, you will likely see multiple "Event Type 5716" messages generated by NETLOGON in the Event Log of the BDC:
The partial synchronization replication of the BUILTIN database from the primary domain controller <PDC Name> failed with the following error.
These error messages are normal during the reverse migration process.
Also, depending on how many objects you have in the SAM, you might see a "System Log is full" error message. This error has no impact on the reverse migration process; it merely occurs because the system log file is full. To resolve this situation, go into the Event Viewer and manually delete the Events of the System Log. To prevent this error from occurring, you can increase the size of the System Log before starting the reverse migration process. Another possibility is to enable the "Overwrite events as needed" parameter (which can be found in the "Log Settings" option under the Log menu of the Event Viewer).
Once the reverse migration process is finished, the NT Domain Object, as well as the Local and Global group objects and the Workstation Object, will be deleted from eDirectory (but the User objects will not be deleted). The special SAMSRV.DLL will then be replaced by the Microsoft SAMSRV.DLL and the PDC will be rebooted one last time.
At this point, the PDC information is no longer being redirected into eDirectory and all the NT Domain information that was stored in eDirectory has been imported back into the SAM database.
You can check the details of the reverse migration procedure in the REVMIG.LOG file located in the System32 directory. This log file contains the list of all the objects that have been imported back into the SAM database.
To verify that the uninstallation procedure completed successfully, check the Event Log on each BDC and verify that you see an "Event Type 5717" message generated by NETLOGON:
The full synchronization replication of the BUILTIN database from the primary domain controller <PDC Name> completed successfully.
In addition, you should also see an "Event Type 5715" message generated by NETLOGON:
The partial synchronization replication of the SAM database from the primary domain controller <PDC Name> completed successfully.
At this point, NAM21NT has been uninstalled from all the Domain Controllers and the NT Domain is no longer being redirected into eDirectory.
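The Event Log verification described above, written as a script (an added example, not part of the original AppNote). It assumes the System log of each BDC has been exported to tab-separated text; that layout, the host names and the timestamps are constructed. Flagging a 5716 logged after the last 5717 for a second look is an assumption of this example, not a rule from the AppNote.

```python
from datetime import datetime

# Constructed export of BDC System logs, one event per line, tab-separated:
# time, source, event ID, computer, description. Layout and names are assumed.
MSG = ("The {kind} synchronization replication of the {db} database from "
       "the primary domain controller PDC01 {end}")
OK, FAIL = "completed successfully.", "failed with the following error."

def row(when, event_id, host, kind, db, end):
    return "\t".join([when, "NETLOGON", event_id, host,
                      MSG.format(kind=kind, db=db, end=end)])

SAMPLE_EXPORT = "\n".join([
    row("2002-03-09 21:02:11", "5716", "BDC01", "partial", "BUILTIN", FAIL),
    row("2002-03-09 21:40:03", "5717", "BDC01", "full", "BUILTIN", OK),
    row("2002-03-09 21:41:10", "5715", "BDC01", "partial", "SAM", OK),
    row("2002-03-09 21:02:15", "5716", "BDC02", "partial", "BUILTIN", FAIL),
    row("2002-03-09 21:40:30", "5717", "BDC02", "full", "BUILTIN", OK),
    row("2002-03-09 21:40:41", "5717", "BDC03", "full", "BUILTIN", OK),
    row("2002-03-09 21:41:00", "5715", "BDC03", "partial", "SAM", OK),
    row("2002-03-09 21:55:00", "5716", "BDC03", "partial", "BUILTIN", FAIL),
    "2002-03-09 21:56:00\tSrv\t2013\tBDC03\tUnrelated event.",
])

SUCCESS = {5717: "BUILTIN", 5715: "SAM"}  # event ID -> database in its message

def verify_bdcs(export_text):
    """Return {computer: 'verified' | 'incomplete' | 'recheck'}."""
    seen = {}  # computer -> {event ID: time of the latest matching event}
    for line in export_text.splitlines():
        parts = line.split("\t")
        if (len(parts) != 5 or parts[1].upper() != "NETLOGON"
                or not parts[2].isdigit()):
            continue  # not a NETLOGON event in the assumed layout
        event_id, computer, text = int(parts[2]), parts[3].upper(), parts[4]
        wanted = SUCCESS.get(event_id)
        if event_id != 5716 and (wanted is None
                                 or f"of the {wanted} database" not in text):
            continue  # neither the expected failure nor a success message
        when = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
        events = seen.setdefault(computer, {})
        events[event_id] = max(when, events.get(event_id, when))
    status = {}
    for computer, events in seen.items():
        if not all(eid in events for eid in SUCCESS):
            status[computer] = "incomplete"   # 5717 or 5715 not seen yet
        elif events.get(5716, datetime.min) > events[5717]:
            status[computer] = "recheck"      # failure logged after full sync
        else:
            status[computer] = "verified"
    return status
```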
Removing eDirectory from the NT Server
Since you have uninstalled NAM21NT, some of the eDirectory replicas that were created might not be needed any more. For example, it could be that some eDirectory replicas were created on NT servers only to improve the performance of NAM21NT. In that case, it makes sense to remove those eDirectory replicas since they are no longer needed.
First, you need to make sure that the NT server from which you are removing eDirectory does not contain a Master replica. If it does, use NDS Manager to move the Master replica to another server. Then, run the NDS Services Console from the Control Panel. Select the NDS Install Utility, click on the Start button, and select the option "Remove Directory Services from this server" (see Figure 4).
Figure 4: Removing Directory Services from the NT server.
This will remove any replicas from the server and will update the replica ring of all the other servers. It will also delete the corresponding Server object in eDirectory.
Now that the NT server is no longer hosting any replica, you need to remove eDirectory itself from the NT server. To do this, go into the Control Panel and select Add/Remove Programs. From there, select NDS eDirectory and click on the Remove button. Follow the prompts.
Once eDirectory has been removed, you can delete the directory where eDirectory was installed (by default, it is C:\Novell\NDS). Finally, use ConsoleOne to delete the remaining server-specific objects: Server-PS, LDAP Server, LDAP Group, SAS service, SSL CertificateIP, and SSL CertificateDNS.
At this point, eDirectory has been completely removed from the NT server.
At this point, only a few tasks remain for you to take care of:
Remove the eDirectory tree entry from the HOSTS file of the Domain Controllers.
If needed, you can also remove the Novell Client from the Domain Controllers (Control Panel | Network | Services | Novell Client | Remove).
If you created an additional BDC for disaster recovery purposes, decide whether or not you want to keep it. If not, delete the BDC.
Following the recommendations in this AppNote will ensure a smooth uninstallation of Novell Account Management 2.1 for Windows NT. In turn, this will allow you to migrate from NT Domains to Active Directory. Once the migration is finished, you can install Novell Account Management 2.1 for Windows 2000 in order to manage the Active Directory user accounts from eDirectory.
* Originally published in Novell AppNotes