Many sites today run Novell NetWare and Windows NT networks. Unfortunately for network administrators, managing these two network platforms is a cumbersome chore, mainly because of the lack of interoperability between NetWare's Novell Directory Services (NDS) and NT's domain-based directory service. Administrators must maintain two sets of user and group accounts, often with users duplicated in each service.
To simplify NDS and NT account management, Novell recently released Novell Administrator for Windows NT (NAdminNT) 2.0. NAdminNT is a replication system that imports NT domain and workgroup account information into the NDS database. You can then maintain all your NDS and NT accounts using the NetWare Administrator graphical utility, which ships with NetWare 4.x and eliminates the need for NT's User Manager. NAdminNT automatically transmits changes you make to NT accounts in NDS to the appropriate NT domain controller or workstation Security Accounts Manager (SAM) as needed, providing transparent access to NT users.
Novell's first step in assimilating NT was to offer the IntranetWare Client for NT, which provides high-performance NetWare client services and integrated logons to both networks (for information about this tool, see my article "Windows NT and NDS," March 1997). Next, Novell's Workstation Manager for Windows NT addressed the problem of maintaining user accounts on NT workstations connected to NetWare networks (for information on this tool, see my article, "Novell's Workstation Manager: A First Step Toward Windows NT and NDS Coexistence," May 1997). Now, NAdminNT addresses the issue of maintaining NT domain user and group accounts. The final step will be the release of NDS for NT, a full port of NDS to the NT environment, which is due out during the second half of 1997.
NAdminNT's Hybrid Directory Service
NAdminNT does not replace your NT domains with NDS. Instead, it operates above the existing NT directory service and provides a point of administration that communicates bidirectionally with the SAMs on your NT systems. Although Novell has streamlined and simplified the administrator's role, user access to NT domains remains unchanged.
Adding NT domain account information to NDS via NAdminNT requires two basic modifications to NDS's architecture. First, NAdminNT must modify the NDS database so that you can create and maintain new object types representing NT domains, workstations, users, and groups. Second, the servers where NetWare stores the NDS partitions and the NT systems that function as domain controllers or workgroup members must be able to communicate with each other.
NDS uses an open architecture that lets you easily extend its schema via external programs. A directory service's schema is the guidelines that determine the types of objects that can exist in the directory and their attributes. Installing NAdminNT applies extensive modifications to the NDS schema, including new attributes for existing objects and six new object types. The new objects represent the domains and workgroup systems on your NT network and the users and groups they contain.
After NAdminNT extends the schema, you can transfer the properties of your NT users and groups to their new objects in NDS, where you maintain them from that point on. NAdminNT includes an NT integration utility, igrate.exe, that lets you manually migrate objects and properties from one directory to the other. Igrate.exe also lets you combine the properties of an NDS user object with those of a domain user representing the same person to form a hybrid user object with access to both networks.
A snap-in module lets the NetWare Administrator utility view and manage the new NDS objects and properties. This module is a DLL that the NAdminNT installation program copies to the server where NetWare stores NT versions of the NetWare utilities. The program then modifies the Registry of the NT system that is performing the installation so that it loads the DLL when a user launches the NetWare Administrator.
Network support employees can then use one utility to perform all their user and group maintenance tasks for both NDS and NT domain objects. The NetWare Administrator program replaces NT's User Manager. Changes you make to domain user and group objects in the NDS database automatically transfer to the appropriate NT system, letting users access NT resources as usual. To allow data transfer between the two directory services, NAdminNT creates a communications channel by installing two programs: a NetWare loadable module (NLM), NDS Event Monitor (ndsdm.nlm), on the NetWare servers that contain the NDS database and the NDS Object Replication Service (ORS) on the NT Primary Domain Controller (PDC) and Backup Domain Controllers (BDCs).
Event Monitor tracks all modifications made to the NDS database, either by automated processes or manually. When Event Monitor detects changes that affect NT domain or workgroup accounts, it sends them to the ORS on the appropriate NT system, using an authenticated NetWare Core Protocol (NCP) transmission that ensures the security of the account data. After being notified by NDS, the NT service then applies the changes to the affected objects in SAM. Figure 1 shows the NDS and NT communications process.
Users log on to the NT network with their domain or workgroup accounts as they always have. NAdminNT simplifies directory service maintenance tasks by eliminating the need to run two administration utilities and by letting you create hybrid users with access to both NT and NetWare networks.
Installing NAdminNT 2.0
NAdminNT 2.0 includes a setup program that runs on any NT system you want to use to manage the NDS tree. The program extends the NDS schema, copies the snap-in module and integration utility to your NetWare servers, and installs and launches the Event Monitor NLM and the ORS. However, before you begin the installation process, you must satisfy some prerequisites:
- You must be running NetWare 4.10 or 4.11 on your servers with the CLIB modules from the libupc.exe patch release installed and TCP/IP installed and configured.
- Use the INETCFG utility on the server console to verify that you are running the Service Advertising Protocol (SAP) on your NetWare servers.
- Be sure you're running the latest version (4.10) of the IntranetWare Client for Windows NT on the workstations you'll use to administer NDS.
- Make sure you have Administrator rights to the domains and workgroups you'll migrate and Supervisor object rights to the root of the NDS tree.
- Make sure the user and group names in your NT domains and workgroups do not contain periods. Periods are not allowed in NDS names.
The NAdminNT setup program lets you select the NetWare servers and NT domains where you want to install the NAdminNT modules. You must select the NDS context in which to create the new domain objects, as you see in Screen 1. However, before you begin the installation process, take time to plan how you will integrate your NT domains and workgroups into the NDS tree. For example, if you have NT domain users who are part of the NDS tree, you need to create the domain objects in the same context as the NDS users.
You can replicate both NDS and the NT directory service for fault-tolerance purposes. You can also partition the NDS database (i.e., split it into discrete segments that you store on different servers). Each partition needs to have at least two replicas so that the failure of one server cannot shut down NDS. For the same reason, you need both a PDC and BDC on your NT network.
When you install NAdminNT, always first install the Event Monitor NLM on the NetWare server that holds the master replica of the partition containing your selected context. Then select at least one other server for storing a read/write replica. When you choose an NT domain to add to the NDS database, the setup program locates all domain controllers on the network for you and installs the ORS on each one. If you select a workgroup to add to the NDS database, you must then specify the systems on which the ORS is installed.
For a domain installation, the setup program activates the ORS only on the PDC. Setup installs the service on the BDCs, but leaves the service dormant. When a BDC is promoted to a PDC (i.e., when a PDC fails), you must manually start and configure the ORS for automatic startup in the Services Control Panel. Select the NetWare servers and NT domains (or workgroups) where you want to install NAdminNT, and specify the context for creating the new domain objects. Then the setup program displays the logon dialog boxes for both NetWare and NT, with the default usernames Admin and Administrator, respectively. This approach ensures that the installing workstation has the appropriate rights to both networks.
After the installation program extends the NDS schema and copies the required files, it starts Event Monitor on the NetWare server and the ORS on the selected NT system. The setup program logs the entire installation process to the mwantinstall.log file in the directory set by the TEMP environment variable on the NT system where you performed the installation. The log file contains a complete account of the installation process, including messages flagged INFORMATION, WARNING, and CRITICAL for both NT and NetWare aspects of the installation. The setup program automatically displays the log file if it detects errors during the installation.
The NAdminNT setup program lets you select specific modules for installation, as Screen 2 shows. If you create a new domain or add a NetWare server to your network, you can choose to install only the modules you need. This ability is particularly useful when you want to administer domain objects from a different NT workstation, because you must register the NetWare Administrator snap-in module for each system separately.
Integrating NT and NDS User Accounts
NAdminNT's integration utility (igrate.exe) is an NT program that lets you transfer object information from one directory service to the other. The program displays twin directory browsers, with NDS on the left and NT on the right, as you see in Screen 3. Before you manipulate individual accounts, you must select the NT domain to assimilate into NDS and click the Update NT Objects button to copy all domain user and group account information to the corresponding objects in the NDS database.
Outside the integration utility, account information can move between the directory services in one direction only. Changes you make to domain user and group object properties in the NDS tree automatically propagate to the NT SAM, but not the reverse. The fundamental purpose of NAdminNT is to let you manage all your user accounts with the NetWare Administrator utility. If you modify domain accounts with NT's User Manager, NAdminNT doesn't propagate the changes to NDS unless you manually update NT objects again with igrate.exe. If you have large domains, this process can be lengthy.
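Because propagation is one-way, an account created or edited with User Manager is invisible to NDS until you rerun Update NT Objects. The following added example (not part of NAdminNT or the original article) compares a constructed export of the NDS-held domain user objects with a constructed export of the live SAM to surface that drift; the property names it uses are assumptions, not the product's attribute names.

```python
# Added example, not part of NAdminNT or the original article.
# NAdminNT pushes NDS changes to the SAM but never the reverse, so an
# account edited or created with User Manager diverges from the domain
# user object NDS holds until you rerun Update NT Objects in igrate.exe.
# This compares an export of each side to find that drift. Inputs are
# constructed dicts keyed by username; the property names are
# assumptions, not the product's attribute names.

def find_drift(nds_view, sam_view):
    """Return accounts created, deleted or modified in the SAM since the
    last import: {"created_in_sam": [...], "deleted_in_sam": [...],
    "modified": {name: {prop: (nds_value, sam_value)}}}.
    Username comparison is case-insensitive, as in both directories."""
    nds = {n.lower(): n for n in nds_view}
    sam = {n.lower(): n for n in sam_view}
    drift = {
        "created_in_sam": sorted(sam[k] for k in sam.keys() - nds.keys()),
        "deleted_in_sam": sorted(nds[k] for k in nds.keys() - sam.keys()),
        "modified": {},
    }
    for key in nds.keys() & sam.keys():
        nds_rec, sam_rec = nds_view[nds[key]], sam_view[sam[key]]
        diffs = {p: (nds_rec.get(p), sam_rec.get(p))
                 for p in sorted(nds_rec.keys() | sam_rec.keys())
                 if nds_rec.get(p) != sam_rec.get(p)}
        if diffs:
            drift["modified"][nds[key]] = diffs
    return drift

# Constructed sample: the NDS copy of the domain's accounts and the live
# SAM after someone used User Manager instead of NetWare Administrator.
NDS_VIEW = {
    "jsmith": {"groups": frozenset({"Domain Users"}), "profile": r"\\PDC1\profiles\jsmith"},
    "bwhite": {"groups": frozenset({"Domain Users"}), "profile": ""},
    "mjones": {"groups": frozenset({"Domain Users"}), "profile": ""},
}
SAM_VIEW = {
    "jsmith": {"groups": frozenset({"Domain Users", "Domain Admins"}),  # elevated in User Manager
               "profile": r"\\PDC1\profiles\jsmith"},
    "bwhite": {"groups": frozenset({"Domain Users"}), "profile": ""},
    "tnew": {"groups": frozenset({"Domain Users"}), "profile": ""},  # created in User Manager
}  # mjones was deleted in User Manager, so it is absent from SAM_VIEW

if __name__ == "__main__":
    result = find_drift(NDS_VIEW, SAM_VIEW)
    print("created in SAM :", result["created_in_sam"])
    print("deleted in SAM :", result["deleted_in_sam"])
    for name, diffs in result["modified"].items():
        for prop, (old, new) in diffs.items():
            print(f"modified       : {name}.{prop} NDS={old!r} SAM={new!r}")
```

Any account the script reports has been changed outside the NDS-managed path and needs another Update NT Objects pass (or investigation, in the case of an unexpected group change).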
After you assimilate your NT objects into NDS, you see a domain container object in the NDS tree including all domain users and groups, as shown in Screen 4. A right-facing icon represents users who exist only in the domain; other icons stand for the NT domain (a server box), the domain group (PC with two users), hybrid users (left-facing icon), NT system (a PC), and an NDS user. You can manage all the standard domain properties for your NT users and groups from the details dialog box in the NetWare Administrator, as you see in Screen 5.
When you add domain users to the NDS tree, NAdminNT synchronizes NDS usernames with names that exist in the context, to create hybrid users. You can also synchronize accounts manually by selecting an NDS user and a domain user on the integration utility screen and clicking Synchronize.
When you create a hybrid user, NAdminNT combines the properties of the NDS and NT accounts (the NDS information takes precedence over the equivalent NT account properties). NAdminNT changes the NT username to that of the NDS user (if necessary) and establishes a link between the NDS user object and the domain user.
The details dialog box for a hybrid user object, as you see in Screen 6, page 156, is different from that of a nonsynchronized NT user. Only properties exclusively involved with NT logons and access restrictions, such as NT group memberships and user profile locations, remain in the domain user object. You must configure properties that duplicate functions in NDS user objects, such as logon time restrictions and account expiration dates, in the NDS user's dialog box.
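Since the import rejects names containing periods and automatically merges any NT user whose name matches an existing NDS user in the context into a hybrid user, it pays to audit the domain's usernames before clicking Update NT Objects. The added example below (not part of NAdminNT or the original article) does that over two constructed name lists.

```python
# Added example, not part of NAdminNT or the original article.
# Pre-migration audit: NAdminNT rejects names containing periods (not
# allowed in NDS names) and merges any NT user whose name matches an
# existing NDS user in the target context into a hybrid user, with the
# NDS properties winning. Review both lists before running
# "Update NT Objects" so no unintended merge hands a domain account
# to the wrong NDS user. Both name lists below are constructed.

def audit_migration(nds_users, nt_users):
    """Classify NT domain usernames against the target NDS context.

    Returns a dict of sorted lists:
      invalid     - NT names containing '.', which NDS will not accept
      hybrid      - NT names that match an NDS user and will be merged
      domain_only - NT names with no NDS counterpart
    Matching is case-insensitive, as in both directories.
    """
    nds_lower = {u.lower() for u in nds_users}
    report = {"invalid": [], "hybrid": [], "domain_only": []}
    for name in nt_users:
        if "." in name:
            report["invalid"].append(name)
        elif name.lower() in nds_lower:
            report["hybrid"].append(name)
        else:
            report["domain_only"].append(name)
    for names in report.values():
        names.sort()
    return report

# Constructed sample data: users already in the target NDS context and
# users in the NT domain about to be imported.
NDS_USERS = ["jsmith", "mjones", "admin"]
NT_USERS = ["JSmith", "r.lee", "bwhite", "Administrator"]

if __name__ == "__main__":
    result = audit_migration(NDS_USERS, NT_USERS)
    for category, names in result.items():
        print(f"{category:12s} {', '.join(names) or '(none)'}")
```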
Creating New Users
You can use igrate.exe to manually integrate NT domain users into NDS and NDS users into an NT domain, thus granting a user of one network rights to the other. Igrate.exe creates a hybrid user in the NDS domain container and transfers the original object's properties (except the password) to the new object.
Passwords don't transmit across the data link between NetWare and NT. You can configure the User Properties options in the integration utility to specify a password for all new accounts or leave the password field empty. By default, NAdminNT creates new accounts with no passwords but requires that the user specify a password during the next logon.
Although useful, hybrid users are not an essential element of NAdminNT's functionality. You can choose to maintain separate user accounts for your NetWare and NT networks and just take advantage of the ability to manage all your users and groups with one utility.
If you deintegrate a hybrid user with igrate.exe, the utility separates the domain user and NDS user accounts, and you can specify different values for the equivalent properties in each one. You can also create new users and groups in an NT domain with the NetWare Administrator utility just as you'd create any other object in the NDS tree.
To create a new account that consists of a standard NDS user object and a hybrid user in an NT domain, you don't need to create two objects and integrate them. Instead, you can use an NDS user template to create a fully functional user account providing access to both networks. A user template is a collection of properties that an administrator uses to create multiple new accounts with the same capabilities.
The schema extensions in NAdminNT add an Application Server screen to every user object in the NDS tree. An NT domain object on this screen signifies that a hybrid user object exists in that domain. Manually adding a domain object to a user template's Application Server screen automatically creates a hybrid user in the domain when you create a user object with the template.
Novell's campaign to bring NDS's functionality to NT has concentrated on heterogeneous networks running both operating systems. The next step is to address NT networks exclusively. Novell has ported NDS to UNIX operating systems such as HP-UX and SCO, and an NT version of NDS should soon be available. NDS for NT will run natively on NT networks, eliminating the need for NetWare servers.
With Microsoft's Active Directory on the horizon, Novell's push to assert the viability of its own directory service, which has had four years of debugging and is installed at 20 million sites, comes as no surprise. NAdminNT is a preemptive strike against Active Directory; it won't work with Microsoft's directory service. If NDS can prove itself on NT, its chances of continuing to be the directory service of choice are excellent, especially when compared with a fledgling product that will require lengthy evaluation.