Instructions: migrating from Novell to Microsoft

1. Read trustee information from the Novell server 

1.1. Source: Novell Netware

1.1.1. Output Permissions with the Trustee.nlm command

Novell Netware does not have any trustee-database.xml. The trustees however can be read with the console command trustee.nlm.
An example for the syntax is:

TRUSTEE /ET /D SAVE VOL1: sys:\trustee-vol1.csv

/ET for permissions, without ownership
/D for directories, without files
VOL1: permissions and directories from this volume
sys:\trustee-vol1.csv is the output file

If the output file contains unwanted information other than the trustees, you can generate a file reduced to TRUSTEEs with:
FIND “TRUSTEE” trustee.csv > only_trustee.csv

1.1.2. Conversion from ASCII in ANSI

Result of the trustee.nlm is a CSV-file. It is created in ASCII-format. Entries like umlauts or special symbols can represent a problem. The file must be converted into an ANSI-format.

This is possible, for example, in the following way with Excel:

  1. Open Excel
  2. Select the tab “Data”
  3. In the column “access external data”, select “from text” and import the output CSV-file
  4. With the parameters:
    • File type: separated
    • File origin: MS-DOS (PC-8)  !!!
    • Separation symbol: comma
    • press finish

Now, all umlauts and special symbols are correctly represented in this file.

1.1.3. Editing the Data

The output file contains five columns, which must be slightly edited for migRaven.

1. column: Only the lines with “TRUSTEE” are required. All other lines can be removed.
Finally the 1st column is emptied, must however remain for the “depth”.

2. – Path: The volume before the directory is removed. However, the directory remains. For example with the Excel command =SUBSTITUTE (B1;”VOL1:”;””;1).

3. – LONG: This column must be removed.

4. – trustee: A dot is placed at the beginning of all entries in this column, like .Meier.EDV.KMF. for example, with the Excel command = CONCATENATE(“.”;D1).

5. – permissions: The column contains the Novell permissions. These must be converted into NTFS permissions corresponding to the table 2 (see paragraph 3). The column with the NTFS permissions must then be moved in front of the trustee column.

The table structure for migRaven must correspond to the table 3 (see paragraph 1.3.):

NetWare trustees

Fig 1: conversion of the table created with trustee.nlm in the format necessary for migRaven

1.2. Source: Novell Open Enterprise Server

1.2.1. Export the explicit authorizations via the Trustees from the Novell System 

The Trustee-Information from the Trustee_database.XML files is the basis for migrating from Novell to Microsoft via migRaven. In these files, the directory information and the authorizations are included.

For the next steps in migRaven, the XML-files must be provided from the Novell Volume to be converted.

Please find further information here:




1.2.2. Convert Trustee-Information into the CSV-Format with our script

The information about the currently assigned authorizations in the Novell file systems is stored in the “.trustee_database.xml”. For each volume, there is a file with this name. These files are in the directory “/media/nss/VOLUME_NAME/._NETWARE/” (VOLUME_NAME must be replaced by the name of the volume). Deviating from it, the ones for Volume SYS are below “/usr/novell/sys/._NETWARE”.

Then one should convert the.trustee_database.xml in to UTF8-Format. This is necessary if umlaut, ß or other special characters are included in the.trustee_database.xml.

For further processing, it is important to bring the XML file into a readable form.

With the following Power shell-script, all XML files, which exist in the same directory like the script, are converted into easily readable csv-files. Apart from separating the directory- and authorization information, the account information is selected at the same time and converted into conformal form in Microsoft. The DN (Distinguished Name – unique name for X.500-directory objects) from the .trustee_database.xml is converted into a sAMAccountNamen (sAM Account Name) (login name). These represent an option to be able to assign the rights while porting into the Microsoft world to users or groups. In the start-up, it is important that the appropriate accounts are available in the AD. These should have been replicated already in a suitable manner.

Powershell 3.0 is a prerequisite for executing the script. The format for the input of the file corresponds with the one of the current SLES Servers (Suse Linux Enterprise Servers) with Novell File system. It can only read the directly copied.trustee_database.xml. Trustee information, which was made via Backup Tools like metamig, does not run through this script.

Copy the following code and save it in a ps1-file.
[Notice] If an error message, that the file could not loaded because the script execution has been deactivated on the system, appears during the initial execution of a non-signaled Powershell-Script then you can solve the problem in the following manner: You start Powershell as administrator and enter following command „set-ExecutionPolicy unrestricted“. Then the Powershell-Script referred by our website can be executed! [/notice]

Example for the  trustee xml

<inherited_rights_mask path=”/._NETWARE”>
<inherited_rights_mask path=”/~DFSINFO.8-P”>
<trustee path=””>

You can download the new powershell script NWkonv2015.ps1 here.

This PowerShell-Program generates a csv-file from each xml-file in this directory.

Table structure

Run the CSV file with Excel to view and optimize it.

depth path Novell rights trustee
0 \Accounting1 RWCEMF .Accounting_G.aikux-novell
0 \Accounting2 RWCEMF .Role_2.aikux-novell
0 \d.menerer RWCEMFA .dm.easy.aikux-novell

Table 1: Table with Novell-Rights

Novell OES trustees

Fig 2: Novell OES  trustees

1.3. Define authorization mapping: Implement Novell rights to MS

Thus transfer your Novell authorizations to the Microsoft environment

The rights in the Novell system and thus also in the Trustee-file are written on the basis of the Unix Notation. This notation cannot be transferred directly to Microsoft.

The Novell rights must be replaced by Windows rights in the table.
It can be also the case than one has not worked with standardized rights under Novell and therefore the various rights are in the table.
You must finally decide for one of the following five Windows rights. For this enter the title for the NTFS-rights in place of the Novell rights in the appropriate column.

migRaven expects following Windows-NTFS-rights:

NTFS-Rights            Novell-Rights
re (read-execute)     instead of RF in Novell,
m    (modify)              instead of RWCEMF in Novell,
mx  (ModifyPlus)       instead of RWCEMF in Novell,
w (read-write)          instead of RWF in Novell,
f (fullcontrol)             instead of S in Novell.

Table 2: NTFS Rights

[notice]The Novell rights must be replaced by NTFS rights in accordance with this table. This is done best with Excel.[/notice]

The values in the “rights” column need to be replaced with Windows NTFS rights.

depth path NTFS right trustee
0 \Accounting1 MX .Accounting_G.aikux-novell
0 \Accounting2 MX .Role_2.aikux-novell
0 \d.menerer F .dm.easy.aikux-novell

Table 3:  Table structure for migRaven

1.4. Windows Setting Region English

Concerning the Windows preferences in the english version, the comma separates one list from each other. Excel uses this information and separates the fields of CSV files by searching for a comma. Nevertheless when you like to load a Netware-Trustee file, you must choose the option „files“ „from text“, in order to transmit Excel the file origin MS-DOS (PC-8).

Therefore a Trustee file from an OES Sever must be imported by using the option „files“ „from text“ to deliver the needed semicolon.


2. Create prerequisite for migRaven

Create accounts on the Windows-Server

In the Windows-AD, the users, as written under Novell, must be created.
All users must be created, which are not included in the trustee-file, like the members of the groups mentioned in the trustee-file.

[notice]Before the migration, the users, as written under Novell, as well as the members of the groups mentioned in the trustee-file must be created.[/notice]

3. Import the excel file

After you edited the table save it as an xlsx file to import it in migRaven directly.

Excel Import

Image 1: Click “Open file” to import the xlsx file.


4. Connection data to the Novell-Server

A connection to the Novell eDirectory is created via a LDAP-interface. Via this, migRaven can determine the container members. In addition to this, the parameters for the connection structure to the Novell server must be specified in the group configuration on the tab “Novell”.

Three specifications are required:

– The address of the Novell-Server (IP-Address or Server-Name) with LDAP-Port, for example

– The name of the admin with fully qualified name (distinguished name, DN), for example CN=admin,OU=Berlin,O=aikux.

– The password of this admin is requested when starting a project.

The admin who logged in here must be in the same organization (o=firma) as the groups and uses, which are to be dissolved.

Configuration Novell

Image 2: The admin name and the Novell server address can be stored in the migRaven config file.

Using this connection, migRaven establishes a LDAP connection to the Novell server and accesses its eDirectory. For the groups and containers included in the trustee-file, migRaven obtains the members name from the eDirectory of the Novell server. Then migRaven checks whether these exist as a user with the same name in the Active Directory of Windows server. If not, it will be acknowledged with an error message in the status column.

5. Configure migRaven

migRaven should always be run as Administrator.

Active Directory Import

While starting, migRaven looks for domains. After starting, the found devices will be displayed. You must mark the desired domain and scan with the button “Read in a complete AD/Forest” in the Neo4j database. This is a prerequisite for all projects in migRaven. This allows migRaven to work with his own copy of your AD.

Group configuration

When creating new authority structures in accordance with the best practice recommendations of Microsoft, migRaven creates authorization groups. For this, we must determine here the group type, its location in the AD and the names design. If these groups are later used by 8MAN, we have already noted, what demands and opportunities 8MAN offers for name design of its rights groups. A detailed instruction is provided with the documentation “Cooperation of migRaven and 8MAN“.

As a “type” for the authorization groups, one of the three group types must be selected. We recommend Universal groups, since they contribute only to 8 bytes instead of 40 bytes in case of global groups to the Kerberos token. Their disadvantage is that they cannot include local groups.
These authorization groups are stored in an OU in the AD. We determine this OU here:
“In the OU (canonical name):” test.local\novell (Example). migRaven creates among them an OU with your server names. In this lands the created groups.

On the tab “Name” we design the group name.
The group name is comprised of several elements connected by separators.
1. Prefix: The prefix can be freely selected, for example “8M”.
2. Group type: For the group type, u, dl and g are possible. Because we favor universal groups, appears “u”.
3. Directory: It follows the directory, in migRaven it is mandatory. It may be accompanied by release- and server-name.
4. Access rights: As suffix, abbreviations for the access rights are provided:
li      –   For list right
re    –   For read/execute
w    –   For read/write
m     –   For modify
mx   –   modify plus (like modify, prevents however the deletion, moving and renaming the authorization endpoint)
f      –   For full control.
In case of migRaven, these short descriptions can be changed since the version 2.1.1020.

5. Separator: The underscore, the hyphen and the space are possible as separator.

In the preview for the group names, one displays:  8M_u_<Verzeichnisse>_<Suffix>


6. Import the Excel-Table with the authorizations in migRaven

After we created the prerequisites, we call the Novell Migration.

If a reference to “Activation of the Novell-Migration” appears, you must complete three parameters in the Config file, with which migRaven can create the connection to the Novell-Server.

One recognizes this parameter with the keyword “Novell_eD”.

If these parameters are available, it proceeds.
In case of Project-Name any text can be entered, for example Novell1.
In case of release path the target address (Windows-Server and target release) is specified, for example \\WIN-I7KUHV97KJJ\Novell1.

Then we can start the Migration.
The data prepared in excel are marked and copied in the buffer.
This concerns the three columns with the path, the (Windows-) rights and the trustees, without headings.
In migRaven, please click on the left field, “Enter” and insert the data with Ctrl-V.

While validating migRaven establishes a connection with the Novell-Server.
If no connection can be created with the Novell-Server, please control the correctness of the parameters for the Novell server on the tab “Novell”.

If the connection could be established, the column “Status” provides references for the users and members not found.
Error cause can be that the mentioned users or objects were not found in the current Windows-AD.
It must be available with the same name as under Novell. You must create missing accounts in the AD and thereafter you must read in the AD again in migRaven. Then you can repeat the Novell-Migration.


7. Form new groups/authorizations of migRaven


On the basis of the read and if necessary the corrected authorizations, migRaven creates new authorization groups in accordance with the Best Practice-recommendations of Microsoft. You can display these new authorization structures in detail in a visualized directory tree.

The new authorization structure is then implemented by the next both work steps. That is, nothing was not yet written in your system.


Image 3: Save into the database

8. View New state check

Afterwards migRaven branches out in the visual portrayal.

In the View New state you can see the authorizations that migRaven has planned for you.

Here you can examine the planned authorizations in detail.

New state

New State

Image 4: New state

9. Create and nest new groups in AD – Deploy Groups

In this step, the groups are lastly created and nested in the AD.

Details on “Deploy Groups”

10. Create target directory on the Windows-Server – Deploy ACL

Create an empty, fully authorized duplicate of the directories

Details on “Deploy ACL”


11. Result control

Control whether the regenerated authorizations in the target directory correspond with the expectations

After successfully generating the target directory by migRaven, the result should be checked. This is easily possible, in which one generates a new project with the newly created directory tree.

Explanation for the interface-> Link http://www.migraven.com/berechtigungen-visualisieren/

Please control all regenerated authorizations, whether they correspond with your expectations. Thereafter the replication of the data should be triggered.


12. Replicate old data in the new directory tree

If this target directory should include your data and function as new share, then only the data must be replicated in the new area. This cannot be done directly via migRaven.

The replication can be done in various ways. Robocopy of Microsoft is offered with fewer amounts of data.

Details on “Deploy Data”

If the directory tree contains lot of files, then we have had very good experiences with PeerSync. That is a tool that enables a clear Realtime bytelevel-Replication, without which Source and Target must be always compared. A further advantage of PeerSync is the support for NetApp.

Because the source is a Novell server, one must reckon with the function restrictions in case of copy programs.