Windows IT Pro is the authoritative and independent resource for Windows NT, Windows 2000, Windows 2003, and Windows XP. Features a collection of resources and magazines for Windows IT professionals.
  
  


July 1997

NAdminNT Brings NT Domains and NDS Together



Many sites today run Novell NetWare and Windows NT networks. Unfortunately for network administrators, managing these two network platforms is a cumbersome chore, mainly because of the lack of interoperability between NetWare's Novell Directory Services (NDS) and NT's domain-based directory service. Administrators must maintain two sets of user and group accounts, often with users duplicated in each service.

To simplify NDS and NT account management, Novell recently released Novell Administrator for Windows NT (NAdminNT) 2.0. NAdminNT is a replication system that imports NT domain and workgroup account information into the NDS database. You can then maintain all your NDS and NT accounts using the NetWare Administrator graphical utility, which ships with NetWare 4.x and eliminates the need for NT's User Manager. NAdminNT automatically transmits changes you make to NT accounts in NDS to the appropriate NT domain controller or workstation Security Accounts Manager (SAM) as needed, providing transparent access to NT users.

Novell's first step in assimilating NT was to offer the IntranetWare Client for NT, which provides high-performance NetWare client services and integrated logons to both networks (for information about this tool, see my article "Windows NT and NDS," March 1997). Next, Novell's Workstation Manager for Windows NT addressed the problem of maintaining user accounts on NT workstations connected to NetWare networks (for information on this tool, see my article, "Novell's Workstation Manager: A First Step Toward Windows NT and NDS Coexistence," May 1997). Now, NAdminNT addresses the issue of maintaining NT domain user and group accounts. The final step will be the release of NDS for NT, a full port of NDS to the NT environment, which is due out during the second half of 1997.

NAdminNT's Hybrid Directory Service
NAdminNT does not replace your NT domains with NDS. Instead, it operates above the existing NT directory service and provides a point of administration that communicates bidirectionally with the SAMs on your NT systems. Although Novell has streamlined and simplified the administrator's role, user access to NT domains remains unchanged.

Adding NT domain account information to NDS via NAdminNT requires two basic modifications to NDS's architecture. First, NAdminNT must modify the NDS database so that you can create and maintain new object types representing NT domains, workstations, users, and groups. Second, the servers where NetWare stores the NDS partitions and the NT systems that function as domain controllers or workgroup members must be able to communicate with each other.

NDS uses an open architecture that lets you easily extend its schema via external programs. A directory service's schema is the set of rules that determines which types of objects can exist in the directory and which attributes they have. Installing NAdminNT applies extensive modifications to the NDS schema, including new attributes for existing objects and six new object types. The new objects represent the domains and workgroup systems on your NT network and the users and groups they contain.

After NAdminNT extends the schema, you can transfer the properties of your NT users and groups to their new objects in NDS, where you maintain them from that point on. NAdminNT includes an NT integration utility, igrate.exe, that lets you manually migrate objects and properties from one directory to the other. Igrate.exe also lets you combine the properties of an NDS user object with those of a domain user representing the same person to form a hybrid user object with access to both networks.

A snap-in module lets the NetWare Administrator utility view and manage the new NDS objects and properties. This module is a DLL that the NAdminNT installation program copies to the server where NetWare stores NT versions of the NetWare utilities. The program then modifies the Registry of the NT system that is performing the installation so that it loads the DLL when a user launches the NetWare Administrator.

Network support employees can then use one utility to perform all their user and group maintenance tasks for both NDS and NT domain objects. The NetWare Administrator program replaces NT's User Manager. Changes you make to domain user and group objects in the NDS database automatically transfer to the appropriate NT system, letting users access NT resources as usual. To allow data transfer between the two directory services, NAdminNT creates a communications channel by installing two programs: a NetWare loadable module (NLM), NDS Event Monitor (ndsdm.nlm), on the NetWare servers that contain the NDS database and the NDS Object Replication Service (ORS) on the NT Primary Domain Controller (PDC) and Backup Domain Controllers (BDCs).

Event Monitor tracks all modifications made to the NDS database, either by automated processes or manually. When Event Monitor detects changes that affect NT domain or workgroup accounts, it sends them to the ORS on the appropriate NT system, using an authenticated NetWare Core Protocol (NCP) transmission that ensures the security of the account data. After being notified by NDS, the NT service then applies the changes to the affected objects in SAM. Figure 1 shows the NDS and NT communications process.

Users log on to the NT network with their domain or workgroup accounts as they always have. NAdminNT simplifies directory service maintenance tasks by eliminating the need to run two administration utilities and by letting you create hybrid users with access to both NT and NetWare networks.

Installing NAdminNT 2.0
NAdminNT 2.0 includes a setup program that runs on any NT system you want to use to manage the NDS tree. The program extends the NDS schema, copies the snap-in module and integration utility to your NetWare servers, and installs and launches the Event Monitor NLM and the ORS. However, before you begin the installation process, you must satisfy some prerequisites:

  • You must be running NetWare 4.10 or 4.11 on your servers with the CLIB modules from the libupc.exe patch release installed and TCP/IP installed and configured.
  • Use the INETCFG utility on the server console to verify that you are running the Service Advertising Protocol (SAP) on your NetWare servers.
  • Be sure you're running the latest version (4.10) of the IntranetWare Client for Windows NT on the workstations you'll use to administer NDS.
  • Make sure you have Administrator rights to the domains and workgroups you'll migrate and Supervisor object rights to the root of the NDS tree.
  • Make sure the user and group names in your NT domains and workgroups do not contain periods. Periods are not allowed in NDS names.
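
The last prerequisite can be checked before running setup. The following is an added example, not part of the original article or of NAdminNT: it parses saved `net user` output and reports account names that contain a period. It assumes the usual listing layout (a dashed rule followed by names padded to 25-character columns); the domain labels and account names are constructed sample data.

```python
import re

COLUMN_WIDTH = 25  # assumption: `net user` pads each name to 25 characters
RULE = re.compile(r"^-{10,}\s*$")  # dashed line that precedes the name rows


def parse_net_listing(text):
    """Return the account names found in `net user`-style output."""
    names, in_body = [], False
    for line in text.splitlines():
        if RULE.match(line):
            in_body = True
            continue
        if line.startswith("The command completed"):
            in_body = False
        if not in_body:
            continue
        # Slice fixed-width columns: NT names may contain spaces, so
        # splitting on whitespace would cut "Help Desk" into two accounts.
        for start in range(0, len(line), COLUMN_WIDTH):
            name = line[start:start + COLUMN_WIDTH].strip()
            if name:
                names.append(name)
    return names


def names_blocking_migration(listings):
    """Map each source label to the names NDS would reject (they contain '.')."""
    report = {}
    for source, text in listings.items():
        bad = [n for n in parse_net_listing(text) if "." in n]
        if bad:
            report[source] = bad
    return report


def _row(*names):
    return "".join(n.ljust(COLUMN_WIDTH) for n in names)


def _listing(server, *rows):
    head = ["User accounts for \\\\" + server, "", "-" * 79]
    return "\n".join(head + list(rows) + ["The command completed successfully."])


# Constructed sample listings for two hypothetical domains.
SAMPLE = {
    "SALES": _listing("PDC1", _row("Administrator", "Guest", "j.smith"),
                      _row("Help Desk", "mjones")),
    "ENG": _listing("PDC2", _row("Administrator", "Guest", "akhan")),
}

if __name__ == "__main__":
    for domain, bad in names_blocking_migration(SAMPLE).items():
        print(domain + ": rename before migration -> " + ", ".join(bad))
```

Group names need the same check before migration.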

The NAdminNT setup program lets you select the NetWare servers and NT domains where you want to install the NAdminNT modules. You must select the NDS context in which to create the new domain objects, as you see in Screen 1. However, before you begin the installation process, take time to plan how you will integrate your NT domains and workgroups into the NDS tree. For example, if you have NT domain users who are part of the NDS tree, you need to create the domain objects in the same context as the NDS users.

You can replicate both NDS and the NT directory service for fault-tolerance purposes. You can also partition the NDS database (i.e., split it into discrete segments that you store on different servers). Each partition needs to have at least two replicas so that the failure of one server cannot shut down NDS. For the same reason, you need both a PDC and BDC on your NT network.

When you install NAdminNT, always first install the Event Monitor NLM on the NetWare server that holds the master replica of the partition containing your selected context. Then select at least one other server for storing a read/write replica. When you choose an NT domain to add to the NDS database, the setup program locates all domain controllers on the network for you and installs the ORS on each one. If you select a workgroup to add to the NDS database, you must then specify the systems on which the ORS is installed.

For a domain installation, the setup program activates the ORS only on the PDC. Setup installs the service on the BDCs, but leaves the service dormant. When a BDC is promoted to a PDC (i.e., when a PDC fails), you must manually start and configure the ORS for automatic startup in the Services Control Panel. Select the NetWare servers and NT domains (or workgroups) where you want to install NAdminNT, and specify the context for creating the new domain objects. Then the setup program displays the logon dialog boxes for both NetWare and NT, with the default usernames Admin and Administrator, respectively. This approach ensures that the installing workstation has the appropriate rights to both networks.

After the installation program extends the NDS schema and copies the required files, it starts Event Monitor on the NetWare server and the ORS on the selected NT system. The setup program logs the entire installation process to the mwantinstall.log file in the directory set by the TEMP environment variable on the NT system where you performed the installation. The log file contains a complete account of the installation process, including messages flagged INFORMATION, WARNING, and CRITICAL for both NT and NetWare aspects of the installation. The setup program automatically displays the log file if it detects errors during the installation.

The NAdminNT setup program lets you select specific modules for installation, as Screen 2 shows. If you create a new domain or add a NetWare server to your network, you can choose to install only the modules you need. This ability is particularly useful when you want to administer domain objects from a different NT workstation, because you must register the NetWare Administrator snap-in module for each system separately.


