NetVision's Synchronicity for NT

The essence of the replication-based metadirectory

NetVision's Synchronicity for NT lets Windows NT administrators create and maintain NT user accounts in a Novell Directory Services (NDS) database, which serves as a metadirectory. (For more information about metadirectories see "Metadirectories: Scaling Directory Services for the Enterprise," page 121.) Administrators maintain the NDS database using standard NetWare tools, and Synchronicity for NT synchronizes the metadirectory's objects with linked user accounts in the network's NT domains.

In addition to Synchronicity for NT, NetVision produces Synchronicity for Notes and Synchronicity for NetWare 3. Each Synchronicity product functions independently, but you can combine them to support your network's NT, Lotus Notes, and NetWare 3.x bindery environments through one NDS database. These products keep the NT, Notes, and NetWare bindery directories up to date by replicating changes from NDS and periodically resynchronizing the databases.

Replication vs. Redirection
The Synchronicity products are replication based. When you add them to your network, they do not replace the network's existing directory services. Instead, they work with your current directory services, copying your directories' data to the metadirectory and replicating metadirectory changes to your directories. The metadirectory functions only as a central point of administration; it does not affect most network users. Clients log on to their accounts and network services as they always have. Figure 1, page 126, shows the flow of directory information in a replication-based metadirectory system.

Synchronicity for NT
NetVision * 801-764-0400

The alternative to replication-based metadirectory products are redirector-based products. Redirectors intercept network clients' authentication requests and send them to a different directory service. Novell's NDS for NT is an example of a redirector-based metadirectory product. (For more information about NDS for NT, see William Wong, "Novell's NDS for NT," page 131.) When users log on to a typical NT domain, NT sends their username and password to the domain's Primary Domain Controller (PDC) for authentication. When users log on to a system running a redirector-based metadirectory, the system redirects the username and password information from the PDC to the metadirectory server, bypassing NT's domain directory entirely. Figure 2 shows the flow of authentication information in a redirector-based metadirectory system.

Extensible Schema
During installation, Synchronicity for NT sets up the core element of its replication system: the NDS database. This database contains the objects that comprise the NDS directory tree. NDS objects are logical entities that represent the hardware, software, users, and organizational resources on your network. Servers, printers, applications, users, groups of users, and many other resources exist as objects in the database.

NDS directory trees can contain two types of objects: container objects and leaf objects. A container object is any object that can be superior to other objects on the directory tree. Container objects define entities such as departmental groupings and organizational units. By definition, container objects contain leaf objects--leaf objects cannot contain other objects. Leaf objects represent the physical resources on your network, including users, printers, and servers.

All NDS objects consist of properties, which are the fields in the database where specific types of information reside. Object classes, which are part of the directory schema, define the properties of particular types of objects. For example, the object class for user objects specifies that user objects must contain a username and password and can contain an address and telephone number.

Synchronicity for NT's installation software creates a separate container object in the NDS directory tree for each of your NT domains and imports your NT user and group accounts into the proper container object. For example, Screen 1 shows the group and user objects in the NT4DOMAIN container object on an NDS server's directory tree. By modifying the NDS directory schema, the installation process creates new object classes in the NDS directory tree that contain all the properties of your NT domain accounts. Synchronicity for NT can then import the user and group accounts from your NT domains to the new NDS object classes without losing the values of any NT properties.

After you have installed Synchronicity for NT, you can use NetWare Administrator to manage all your network's user accounts. Synchronicity for NT includes a snap-in module that lets NetWare Administrator display and manage the NT domain objects Synchronicity creates. The snap-in module also adds new choices to your NetWare Administrator Tools menu. These choices let you create NT user and group accounts from NDS objects and create NDS objects from NT accounts. You can also configure Synchronicity to automatically create (or delete) a linked NT user object in your metadirectory whenever you create (or delete) an NDS user object on one of your network's NetWare servers. The snap-in module simplifies the procedures for granting and revoking employee access to multiple network resources.

Object Correlation
One result of Synchronicity for NT's directory replication process is that the NDS directory tree can contain several objects that represent the same user. If your network has two or more NT domains that each contain an account for the same user, the installation process creates an object for the user under each NT domain's NDS container object. The same user might also have a standard NDS user object that was on your NetWare system before you installed Synchronicity for NT. If you're running Synchronicity for NetWare 3 and Synchronicity for Notes, those programs can add other objects for the same user.

To facilitate the administration of one user's multiple objects, the Synchronicity products let you link a standard NDS user or group object with one or more Synchronicity-created objects. (You cannot link Synchronicity-created objects to each other without also linking them to a standard NDS user object.) When you link two or more objects, the Synchronicity products synchronize the values for the properties that the objects share and replicate changes you make in one object's values to the other objects. For example, if you disable a standard NDS user object or change its logon time restrictions, Synchronicity for NT applies that change to all the linked NT user objects. Likewise, Synchronicity for NT applies changes in NT user objects' values to linked NDS user objects. You can also synchronize the passwords of linked objects.

When you synchronize object properties between directories, you face the possibility that two objects will have different values for the same property, such as two different logon time restrictions. You must specify which value takes precedence. The Synchronicity products let you create collision rules that control the reconciliation of conflicting values before you begin the synchronization process.

NDS's replication system can maintain redundant copies of a directory database on NDS servers distributed throughout the network. But NDS can't transfer directory information to other platforms, such as NT. So you must use Synchronicity for NT to replicate information between NDS servers and NT domain controllers. Figure 3 shows Synchronicity for NT's replication process. On a small test network, this replication process is almost instantaneous--the NT User Manager registers changes to a user account seconds after you modify an NT user object in NDS.

To achieve this response time, Synchronicity for NT relies on two basic components: the Global Event Services (GES) Broker NetWare loadable module (NLM) and the NT Synchronization Agent. The GES Broker monitors the NDS metadirectory. When the GES Broker detects a change in the database that Synchronicity needs to replicate to one of your NT domain controllers, the GES Broker transmits the change to the Synchronization Agent running on the appropriate NT computer. The Synchronization Agent then modifies the appropriate entry in the NT domain directory.

The Synchronization Agent must run on one NT machine (a PDC, Backup Domain Controller--BDC--or workstation) in every domain on the network. Every NT server on a workgroup-based network must run the Synchronization Agent. In contrast, you can run the GES Broker on only one NetWare server if that server hosts replicas of all the NDS partitions that contain NT domain data. However, if you run the GES Broker on only one machine, when you modify data in a metadirectory replica on another NetWare server, Synchronicity will not detect the change until the NDS replication system has copied the change to the server that is running the GES Broker. Although the replication process is almost instantaneous on a small network, it works more slowly on a large one. To maximize the speed of the replication process, you can run the GES Broker on all your network's NetWare servers that host NDS replicas containing NT domain data.

When you load the Synchronization Agent on an NT machine, the agent registers itself with your network's GES Brokers. This registration process ensures that Synchronicity for NT updates the correct NT domain when you change the NDS metadirectory. In addition, this registration lets Synchronicity for NT resynchronize NT domain directories with the NDS metadirectory at scheduled intervals by comparing the directories' information and updating the NT domain directories, if necessary. Resynchronization ensures that Synchronicity replicates any account modifications you make while a directory is out of contact with the NDS database (e.g., because of a server outage).

The resynchronization process can also work in reverse, because the communication between NT domains and the NDS database is bidirectional. Although Synchronicity for NT lets you manage all your user accounts from the NDS metadirectory, the program does not inhibit the NT User Manager's functionality. You can create, delete, and modify NT accounts as you did before you installed Synchronicity for NT, and the Synchronization Agent will replicate the changes to the NDS database.

To set up a resynchronization event, you must open the NT domain object's Details dialog box in NetWare Administrator. From the Resynchronization Actions screen, you can choose to change your NT domain accounts so that they match the NDS database or change the NT domain objects in your NDS database so that they match the corresponding NT domain accounts. You can also specify when the resynchronization process will execute: immediately, at a particular time, or at regular intervals. Regularly scheduled resynchronization events ensure that the information in both your NDS metadirectory and all your NT domain directories remains current.

No Waiting Necessary
The Synchronicity products provide comprehensive directory synchronization services, without requiring administrators who already know NDS to learn another directory service. The products add the synchronization and administration functions that can turn an NDS database into a metadirectory. Administrators with NDS experience can have a Synchronicity-based metadirectory up in a short time. The Synchronicity products can help you manage your network's multiple directory services immediately and easily, while most metadirectory products are still on the drawing board.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.