FEATURE by Craig Zacker
NAdminNT Brings NT Domains and NDS Together
Many sites today run Novell NetWare and Windows NT networks. Unfortunately
for network administrators, managing these two network platforms is a cumbersome
chore, mainly because of the lack of interoperability between NetWare's Novell
Directory Services (NDS) and NT's domain-based directory service. Administrators
must maintain two sets of user and group accounts, often with users duplicated
in each service.
To simplify NDS and NT account management, Novell recently released Novell
Administrator for Windows NT (NAdminNT) 2.0. NAdminNT is a replication system
that imports NT domain and workgroup account information into the NDS database.
You can then maintain all your NDS and NT accounts using the NetWare
Administrator graphical utility, which ships with NetWare 4.x and eliminates the
need for NT's User Manager. NAdminNT automatically transmits changes you make to
NT accounts in NDS to the appropriate NT domain controller or workstation
Security Accounts Manager (SAM) as needed, providing transparent access to NT
users.
Novell's first step in assimilating NT was to offer the IntranetWare Client
for NT, which provides high-performance NetWare client services and integrated
logons to both networks (for information about this tool, see my article "Windows
NT and NDS," March 1997). Next, Novell's Workstation Manager for Windows NT
addressed the problem of maintaining user accounts on NT workstations connected
to NetWare networks (for information on this tool, see my article, "Novell's
Workstation Manager: A First Step Toward Windows NT and NDS Coexistence,"
May 1997). Now, NAdminNT addresses the issue of maintaining NT domain user and
group accounts. The final step will be the release of NDS for NT, a full port of
NDS to the NT environment, which is due out during the second half of 1997.
NAdminNT's Hybrid Directory Service
NAdminNT does not replace your NT domains with NDS. Instead, it operates
above the existing NT directory service and provides a point of administration
that communicates bidirectionally with the SAMs on your NT systems. Although
Novell has streamlined and simplified the administrator's role, user access to
NT domains remains unchanged.
Adding NT domain account information to NDS via NAdminNT requires two basic
modifications to NDS's architecture. First, NAdminNT must modify the NDS
database so that you can create and maintain new object types representing NT
domains, workstations, users, and groups. Second, the servers where NetWare
stores the NDS partitions and the NT systems that function as domain controllers
or workgroup members must be able to communicate with each other.
NDS uses an open architecture that lets you easily extend its schema
via external programs. A directory service's schema is the guidelines that
determine the types of objects that can exist in the directory and their
attributes. Installing NAdminNT applies extensive modifications to the NDS
schema, including new attributes for existing objects and six new object types.
The new objects represent the domains and workgroup systems on your NT network
and the users and groups they contain.
After NAdminNT extends the schema, you can transfer the properties of your
NT users and groups to their new objects in NDS, where you maintain them from
that point on. NAdminNT includes an NT integration utility, igrate.exe, that
lets you manually migrate objects and properties from one directory to the
other. Igrate.exe also lets you combine the properties of an NDS user object
with those of a domain user representing the same person to form a hybrid user
object with access to both networks.
A snap-in module lets the NetWare Administrator utility view and manage the
new NDS objects and properties. This module is a DLL that the NAdminNT
installation program copies to the server where NetWare stores NT versions of
the NetWare utilities. The program then modifies the Registry of the NT system
that is performing the installation so that it loads the DLL when a user
launches the NetWare Administrator.
Network support employees can then use one utility to perform all their
user and group maintenance tasks for both NDS and NT domain objects. The NetWare
Administrator program replaces NT's User Manager. Changes you make to domain
user and group objects in the NDS database automatically transfer to the
appropriate NT system, letting users access NT resources as usual. To allow data
transfer between the two directory services, NAdminNT creates a communications
channel by installing two programs: a NetWare loadable module (NLM), NDS Event
Monitor (ndsdm.nlm), on the NetWare servers that contain the NDS database and
the NDS Object Replication Service (ORS) on the NT Primary Domain Controller
(PDC) and Backup Domain Controllers (BDCs).
Event Monitor tracks all modifications made to the NDS database, either by
automated processes or manually. When Event Monitor detects changes that affect
NT domain or workgroup accounts, it sends them to the ORS on the appropriate NT
system, using an authenticated NetWare Core Protocol (NCP) transmission that
ensures the security of the account data. After being notified by NDS, the NT
service then applies the changes to the affected objects in SAM.
The following figure shows the NDS and NT communications process.
Users log on to the NT network with their domain or workgroup accounts as
they always have. NAdminNT simplifies directory service maintenance tasks by
eliminating the need to run two administration utilities and by letting you
create hybrid users with access to both NT and NetWare networks.
Installing NAdminNT 2.0
NAdminNT 2.0 includes a setup program that runs on any NT system you want to
use to manage the NDS tree. The program extends the NDS schema, copies the
snap-in module and integration utility to your NetWare servers, and installs and
launches the Event Monitor NLM and the ORS. However, before you begin the
installation process, you must satisfy some prerequisites:
- You must be running NetWare 4.10 or 4.11 on your servers, with the CLIB
modules from the libupc.exe patch release installed, and with TCP/IP installed
and configured.
- Use the INETCFG utility on the server console to verify that you are
running the Service Advertising Protocol (SAP) on your NetWare servers.
- Be sure you're running the latest version (4.10) of the IntranetWare
Client for Windows NT on the workstations you'll use to administer NDS.
- Make sure you have Administrator rights to the domains and workgroups
you'll migrate and Supervisor object rights to the root of the NDS tree.
- Make sure the user and group names in your NT domains and workgroups do
not contain periods. Periods are not allowed in NDS names.
The NAdminNT setup program lets you select the NetWare servers and NT
domains where you want to install the NAdminNT modules. You must select the NDS
context in which to create the new domain objects, as you see in the following screen.
However, before you begin the installation process, take time to plan how you
will integrate your NT domains and workgroups into the NDS tree. For example, if
you have NT domain users who are part of the NDS tree, you need to create the
domain objects in the same context as the NDS users.
You can replicate both NDS and the NT directory service for fault-tolerance
purposes. You can also partition the NDS database (i.e., split it into discrete
segments that you store on different servers). Each partition needs to have at
least two replicas so that the failure of one server cannot shut down NDS. For
the same reason, you need both a PDC and BDC on your NT network.
When you install NAdminNT, always first install the Event Monitor NLM on
the NetWare server that holds the master replica of the partition containing
your selected context. Then select at least one other server for storing a
read/write replica. When you choose an NT domain to add to the NDS database, the
setup program locates all domain controllers on the network for you and installs
the ORS on each one. If you select a workgroup to add to the NDS database, you
must then specify the systems on which to install the ORS.
For a domain installation, the setup program activates the ORS only on the
PDC. Setup installs the service on the BDCs, but leaves the service dormant.
When a BDC is promoted to a PDC (i.e., when a PDC fails), you must manually
start and configure the ORS for automatic startup in the Services Control Panel.
Select the NetWare servers and NT domains (or workgroups) where you want to
install NAdminNT, and specify the context for creating the new domain objects.
Then the setup program displays the logon dialog boxes for both NetWare and NT,
with the default usernames Admin and Administrator, respectively. This approach
ensures that the installing workstation has the appropriate rights to both
networks.
After the installation program extends the NDS schema and copies the
required files, it starts Event Monitor on the NetWare server and the ORS on the
selected NT system. The setup program logs the entire installation process to
the mwantinstall.log file in the directory set by the TEMP environment variable
on the NT system where you performed the installation. The log file contains a
complete account of the installation process, including messages flagged
INFORMATION, WARNING, and CRITICAL for both NT and NetWare aspects of the
installation. The setup program automatically displays the log file if it
detects errors during the installation.
The NAdminNT setup program lets you select specific modules for
installation, as the screen below shows. If you create a new domain or
add a NetWare server to your network, you can choose to install only the modules you need.
This ability is particularly useful when you want to administer domain objects
from a different NT workstation, because you must register the NetWare
Administrator snap-in module for each system separately.
Integrating NT and NDS User Accounts
NAdminNT's integration utility (igrate.exe) is an NT program that lets
you transfer object information from one directory service to the other. The
program displays twin directory browsers, with NDS on the left and NT on the
right, as you see below. Before you manipulate individual accounts, you
must select the NT domain to assimilate into NDS and click the Update NT
Objects button to copy all domain user and group account information to the
corresponding objects in the NDS database.

Outside the integration utility, account information can move between the
directory services in one direction only. Changes you make to domain user and
group object properties in the NDS tree automatically propagate to the NT SAM,
but not the reverse. The fundamental purpose of NAdminNT is to let you manage
all your user accounts with the NetWare Administrator utility. If you modify
domain accounts with NT's User Manager, NAdminNT doesn't propagate the changes
to NDS unless you manually update NT objects again with igrate.exe. If you have
large domains, this process can be lengthy.
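The one-way flow described in this paragraph and in the Event Monitor/ORS discussion above, as an added simulation that is not part of the article and not Novell's code: an NDS database whose modifications are reported to an Event Monitor stand-in, which forwards changes to NT domain objects to the ORS for that domain, which applies them to a SAM stand-in. Edits made directly in the SAM (User Manager) never reach NDS until the manual "Update NT Objects" step is repeated, and an ORS left dormant (as on a BDC) refuses changes. The domain name CORP, the context NTDOMAINS.ACME, the attribute names and the account jsmith are constructed for the example.

```python
from typing import Callable, Dict, List


class Sam:
    """Stand-in for one NT domain controller's SAM (constructed, not NT code)."""
    def __init__(self) -> None:
        self.accounts: Dict[str, dict] = {}

    def user_manager_edit(self, name: str, **props) -> None:
        """A change made locally with NT's User Manager; NDS never hears about it."""
        self.accounts.setdefault(name, {}).update(props)


class ObjectReplicationService:
    """ORS stand-in: receives changes from Event Monitor and applies them to the SAM."""
    def __init__(self, sam: Sam, active: bool = True) -> None:
        self.sam = sam
        self.active = active            # installed but dormant on BDCs
        self.applied: List[tuple] = []  # audit trail of what reached the SAM

    def apply(self, nt_name: str, props: dict) -> None:
        if not self.active:
            raise RuntimeError("ORS is installed but not started on this controller")
        self.sam.accounts.setdefault(nt_name, {}).update(props)
        self.applied.append((nt_name, dict(props)))


class Nds:
    """NDS database stand-in; every modification is reported to registered monitors."""
    def __init__(self) -> None:
        self.objects: Dict[str, dict] = {}
        self.monitors: List[Callable[[str, dict, dict], None]] = []

    def modify(self, dn: str, **props) -> None:
        obj = self.objects.setdefault(dn, {})
        obj.update(props)
        for monitor in self.monitors:
            monitor(dn, obj, props)


class EventMonitor:
    """ndsdm.nlm stand-in: forwards changes to NT domain objects to that domain's ORS."""
    LINK_ATTRS = {"nt_domain", "nt_name"}   # assumed bookkeeping attributes, never replicated

    def __init__(self, nds: Nds, ors_by_domain: Dict[str, ObjectReplicationService]) -> None:
        self.ors_by_domain = ors_by_domain
        nds.monitors.append(self.on_change)

    def on_change(self, dn: str, obj: dict, changed: dict) -> None:
        domain = obj.get("nt_domain")
        if domain is None:
            return                      # ordinary NDS object, nothing to replicate
        payload = {k: v for k, v in changed.items() if k not in self.LINK_ATTRS}
        if payload:
            self.ors_by_domain[domain].apply(obj["nt_name"], payload)


def update_nt_objects(nds: Nds, sam: Sam, domain: str, context: str) -> int:
    """The manual 'Update NT Objects' step of igrate.exe (modelled, not Novell's code):
    copy SAM accounts into NDS domain objects without going through Event Monitor."""
    for name, props in sam.accounts.items():
        dn = f"{name}.{domain}.{context}"
        obj = nds.objects.setdefault(dn, {"nt_domain": domain, "nt_name": name})
        obj.update(props)
    return len(sam.accounts)


def demo():
    """Walk through the one-way flow: NDS edits reach the SAM, SAM edits do not reach NDS."""
    sam, nds = Sam(), Nds()
    pdc_ors = ObjectReplicationService(sam, active=True)
    EventMonitor(nds, {"CORP": pdc_ors})
    context = "NTDOMAINS.ACME"

    sam.user_manager_edit("jsmith", full_name="J Smith")       # pre-existing domain account
    update_nt_objects(nds, sam, "CORP", context)                # initial import into NDS
    dn = f"jsmith.CORP.{context}"

    nds.modify(dn, full_name="Jane Smith")                      # NetWare Administrator edit -> SAM
    sam.user_manager_edit("jsmith", profile_path=r"\\pdc\profiles\jsmith")  # User Manager edit stays in SAM
    return nds, sam, dn


if __name__ == "__main__":
    nds, sam, dn = demo()
    print("SAM now holds:", sam.accounts["jsmith"])
    print("NDS object holds:", nds.objects[dn])
```

Running the block shows the SAM carrying the NDS-side rename while the NDS object lacks the profile path set in User Manager; a second call to update_nt_objects is what brings that property across.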
After you assimilate your NT objects into NDS, you see a domain container
object in the NDS tree including all domain users and groups, as shown here.
A right-facing icon represents users who exist only in the domain; other
icons stand for the NT domain (a server box), the domain group (PC with two
users), hybrid users (left-facing icon), NT system (a PC), and an NDS user. You
can manage all the standard domain properties for your NT users and groups from
the details dialog box in the NetWare Administrator, as you see here.
When you add domain users to the NDS tree, NAdminNT synchronizes NDS
usernames with names that exist in the context, to create hybrid users. You can
also synchronize accounts manually by selecting an NDS user and a domain user on
the integration utility screen and clicking Synchronize.
When you create a hybrid user, NAdminNT combines the properties of the NDS
and NT accounts (the NDS information takes precedence over the equivalent NT
account properties). NAdminNT changes the NT username to that of the NDS user
(if necessary) and establishes a link between the NDS user object and the domain
user.
The details dialog box for a hybrid user object, as you see below,
is different from that of a nonsynchronized NT user. Only properties
exclusively involved with NT logons and access restrictions, such as NT group
memberships and user profile locations, remain in the domain user object. You
must configure properties that duplicate functions in NDS user objects, such as
logon time restrictions and account expiration dates, in the NDS user's dialog
box.
Creating New Users
You can use igrate.exe to manually integrate NT domain users into NDS and
NDS users into an NT domain, thus granting a user of one network rights to the
other. Igrate.exe creates a hybrid user in the NDS domain container and
transfers the original object's properties (except the password) to the new
object.
Passwords don't transmit across the data link between NetWare and NT. You
can configure the User Properties options in the integration utility to specify
a password for all new accounts or leave the password field empty. By default,
NAdminNT creates new accounts with no passwords but requires that the user
specify a password during the next logon.
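The hybrid-user rules from the previous section (NDS properties take precedence, NT-only properties stay in the domain object, the NT username is changed to the NDS name, a link is recorded) and the password rules from this section (passwords never cross the link; a new account gets either the administrator's default password or no password with a forced change at next logon), plus the no-periods prerequisite, as an added model that is not part of the article and not igrate.exe's code. The property names, the NT_ONLY_PROPS split, the CORP domain and the ENG.ACME context are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Assumed split: properties that remain in the domain user object after synchronization.
# Everything else is treated as duplicated in NDS and governed there.
NT_ONLY_PROPS = {"nt_groups", "profile_path"}


@dataclass
class NtUser:
    name: str
    domain: str
    props: Dict[str, object] = field(default_factory=dict)
    password: Optional[str] = None
    must_change_password: bool = False
    linked_nds_dn: Optional[str] = None


@dataclass
class NdsUser:
    dn: str                                   # e.g. "jsmith.ENG.ACME"
    props: Dict[str, object] = field(default_factory=dict)
    password: Optional[str] = None
    application_servers: Set[str] = field(default_factory=set)  # Application Server screen


def nt_name_is_valid(name: str) -> bool:
    """Prerequisite from the article: NDS names cannot contain periods."""
    return "." not in name


def validate_nt_name(name: str) -> str:
    if not nt_name_is_valid(name):
        raise ValueError(f"NT account name {name!r} contains a period; rename it before migrating")
    return name


def synchronize(nds_user: NdsUser, nt_user: NtUser) -> Tuple[NdsUser, NtUser]:
    """Combine an NDS user and a domain user into a hybrid user.

    NDS values win for equivalent properties, NT-only properties stay in the
    domain object, the NT username becomes the NDS name, and a link is kept.
    Neither password is touched.
    """
    validate_nt_name(nt_user.name)
    merged = dict(nt_user.props)
    merged.update(nds_user.props)             # NDS information takes precedence
    nds_user.props = {k: v for k, v in merged.items() if k not in NT_ONLY_PROPS}
    nt_user.props = {k: v for k, v in merged.items() if k in NT_ONLY_PROPS}
    nt_user.name = nds_user.dn.split(".", 1)[0]
    nt_user.linked_nds_dn = nds_user.dn
    nds_user.application_servers.add(nt_user.domain)
    return nds_user, nt_user


def integrate(nds_user: NdsUser, domain: str, default_password: Optional[str] = None) -> NtUser:
    """Create a hybrid domain user for an existing NDS user.

    Properties are transferred, the password is not: the new account gets the
    administrator-supplied default, or no password plus a forced change at
    next logon (the article's default behaviour).
    """
    name = validate_nt_name(nds_user.dn.split(".", 1)[0])
    nt_user = NtUser(name=name, domain=domain, props=dict(nds_user.props),
                     password=default_password,
                     must_change_password=default_password is None,
                     linked_nds_dn=nds_user.dn)
    nds_user.application_servers.add(domain)
    return nt_user


def deintegrate(nds_user: NdsUser, nt_user: NtUser) -> Tuple[NdsUser, NtUser]:
    """Separate a hybrid user; each side keeps its own copy of the shared properties from now on."""
    shared = {k: v for k, v in nds_user.props.items() if k not in NT_ONLY_PROPS}
    nt_user.props = {**shared, **nt_user.props}
    nt_user.linked_nds_dn = None
    nds_user.application_servers.discard(nt_user.domain)
    return nds_user, nt_user


if __name__ == "__main__":
    nds = NdsUser("jsmith.ENG.ACME", {"full_name": "Jane Smith", "logon_hours": "08-18"}, "nds-secret")
    nt = NtUser("jane", "CORP", {"full_name": "J. Smith", "logon_hours": "00-24",
                                 "nt_groups": ["Domain Users"], "profile_path": r"\\pdc\profiles\jane"},
                password="nt-secret")
    synchronize(nds, nt)
    print("hybrid NT side:", nt)
    print("hybrid NDS side:", nds)
```

The split into NT_ONLY_PROPS is the model's own simplification of the article's "properties exclusively involved with NT logons and access restrictions"; in a real deployment the schema extension decides which attributes live where.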
Although useful, hybrid users are not an essential element of NAdminNT's
functionality. You can choose to maintain separate user accounts for your
NetWare and NT networks and just take advantage of the ability to manage all
your users and groups with one utility.
If you deintegrate a hybrid user with igrate.exe, the utility separates the
domain user and NDS user accounts, and you can specify different values for the
equivalent properties in each one. You can also create new users and groups in
an NT domain with the NetWare Administrator utility just as you'd create any
other object in the NDS tree.
To create a new account that consists of a standard NDS user object and a
hybrid user in an NT domain, you don't need to create two objects and integrate
them. Instead, you can use an NDS user template to create a fully functional
user account providing access to both networks. A user template is a collection
of properties that an administrator uses to create multiple new accounts with
the same capabilities.
The schema extensions in NAdminNT add an Application Server screen to every
user object in the NDS tree. An NT domain object on this screen signifies that a
hybrid user object exists in that domain. Manually adding a domain object to a
user template's Application Server screen automatically creates a hybrid user in
the domain when you create a user object with the template.
What's Next?
Novell's campaign to bring NDS's functionality to NT has concentrated on
heterogeneous networks running both operating systems. The next step is to
address NT networks exclusively. Novell has ported NDS to UNIX operating systems
such as HP/UX and SCO, and an NT version of NDS should soon be available. NDS
for NT will run natively on NT networks, eliminating the need for NetWare
servers.
With Microsoft's Active Directory on the horizon, Novell's push to assert
the viability of its own directory service, which has had four years of
debugging and is installed at 20 million sites, comes as no surprise. NAdminNT
is a preemptive strike against Active Directory; it won't work with Microsoft's
directory service. If NDS can prove itself on NT, its chances of continuing to
be the directory service of choice are excellent, especially when compared with
a fledgling product that will require lengthy evaluation.