Novell eDirectory and Novell
Directory Service (NDS) environments are relatively commonplace in
business environments, and there is often a need to integrate them into
deployed Exchange infrastructures. Several tools exist that can make
this a reality, including the MIIS 2003 tools discussed. In addition,
tools in the Microsoft-supplied Services for NetWare can be used to
synchronize directory information between the two directory systems.
Note
Exchange 2000
Server and Exchange Server 2003 included a GroupWise connector
component, to allow for the automatic synchronization of GroupWise
address list information and calendaring data directly to Exchange. This
connector is no longer supported in Exchange 2007, so the only
effective way to synchronize a Novell directory with Exchange 2007 is
either with a synchronization tool such as MIIS or Microsoft Directory
Synchronization Services (MSDSS), or by keeping an Exchange 2003 server
within the organization with the connector installed on it.
Understanding Novell eDirectory
Novell eDirectory is
a distributed, hierarchical database of network information that is
used to create a relationship between users and resources. It simplifies
network management because network administrators can administer global
networks from one location (or many) and manage all network resources
as part of the eDirectory tree.
User administration is
simplified because the users dynamically inherit access to network
resources from their placement in the eDirectory tree. For example,
eDirectory enables a user to dynamically inherit access to departmental
resources, such as applications and printers, when that user is placed
in the department’s eDirectory container.
eDirectory information
is typically stored on several servers, which are often at different
locations. This enables information to be stored near the users who need
it and provides efficient operation even if the users are
geographically dispersed. Names are organized in a top-down hierarchy or
tree structure. This helps users find resources in a structured manner.
It also enables an administrator to administer a large network by
delegating portions of the tree to local administrators.
The entries in
an eDirectory database represent network resources available on the
network and are referred to as objects. An object contains information
that identifies, characterizes, and locates information pertaining to
the resource it represents. eDirectory uses a single naming system that
encompasses all servers, services, and users in an internetwork. In the
past, names were administered separately on each server. Now, eDirectory
enables information entered once to be accessible everywhere and lets a
user log in once to access diverse, geographically separated resources.
An
eDirectory database can be divided into logical partitions according to
business needs, network use, geographical location, access time, and
other factors. These partitions can be distributed to any server
represented in the directory. When an eDirectory database is distributed
to multiple servers, eDirectory maintains the equality of the
distributed logical partitions by distributing object information
changes to the appropriate servers.
Deploying MIIS 2003 for Identity Management with eDirectory
MIIS 2003 can be an
effective tool for managing identities between Novell eDirectory
environments and Active Directory. Identity information could include
names, email and physical addresses, titles, department affiliations,
and much more. Generally speaking, identity information is the type of
data commonly found in corporate phone books or intranets. To use MIIS
2003 for identity management between Active Directory and Novell
eDirectory, follow these high-level steps:
1. Install MIIS 2003 and the latest service packs and patches.
2. Create an MA for each of the directories, including an Active Directory MA and a Novell eDirectory MA.
3. Configure the MAs to import directory object types into their respective connector namespaces.
4. Configure one of the MAs—for example, the Active Directory MA—to project the connector space directory objects and directory hierarchy into the metaverse namespace.
5. Within each of the MAs, a function can be configured called attribute flow, which defines which directory object attributes from each directory will be projected into the respective metaverse directory objects. Configure the attribute flow rules for each MA.
6. Configure the account-joining properties for directory objects. This is the most crucial step because it determines how the objects in each directory are related to one another within the metaverse namespace. To configure the account join, certain criteria can be used, such as employee ID or a first name and last name combination. The key is to find the most unique combination to avoid problems when two objects with similar names are located—for example, if two users named Tom Jones exist in Active Directory.
7. After completely configuring the MAs and account joins, configure MA run profiles to tell the MA what to perform with the connected directory and connector namespace—for example, perform a full import or export of data. The first time the MA is run, the connected directory information is imported to create the initial connector namespace.
8. After running the MAs once, you can run them a second time to propagate the authoritative metaverse data to the respective connector namespaces and out to the connected directories.
These
steps outline the most common use of MIIS 2003; these steps can be used
to simplify account maintenance tasks when several directories need to
be managed simultaneously. When more sophisticated functionality using
MIIS 2003 is needed, such as the automatic creation and deletion of
directory entries, extensive scripting and customization of MIIS 2003
can be done to create a more complete enterprise account provisioning
system.
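The following is an added example, not code from the book and not the MIIS 2003 API: a small Python model of steps 4 through 8 above (projection, attribute flow, account join, export) run over constructed connector-space records. The directory attribute names (employeeID, workforceID, telephoneNumber and so on) and the sample accounts are assumptions chosen for illustration. The point it shows is the join rule from step 6: the employee ID is tried first, the first-name/last-name combination is only a fallback, and a fallback that matches more than one metaverse object is reported as ambiguous rather than joined, so the two "Tom Jones" accounts are never merged silently.

```python
"""
Added example, not from the book and not MIIS 2003's own API: a toy model of
the MIIS steps (projection, attribute flow, account join, export). All
records and attribute names below are constructed for illustration.
"""
from collections import defaultdict

# Constructed connector-space contents after the first (import-only) run.
AD_CS = [
    {"dn": "CN=Tom Jones,OU=Sales,DC=corp,DC=example", "employeeID": "1001",
     "givenName": "Tom", "sn": "Jones", "mail": "tjones@corp.example"},
    {"dn": "CN=Tom Jones,OU=Support,DC=corp,DC=example", "employeeID": "1002",
     "givenName": "Tom", "sn": "Jones", "mail": "tjones2@corp.example"},
    {"dn": "CN=Ana Ruiz,OU=HR,DC=corp,DC=example", "employeeID": "1003",
     "givenName": "Ana", "sn": "Ruiz", "mail": "aruiz@corp.example"},
]
EDIR_CS = [
    {"dn": "cn=tjones.ou=sales.o=corp", "workforceID": "1001",
     "givenName": "Tom", "sn": "Jones", "telephoneNumber": "+1 555 0100"},
    # workforceID was never populated in eDirectory for this account
    {"dn": "cn=tjones2.ou=support.o=corp", "workforceID": "",
     "givenName": "Tom", "sn": "Jones", "telephoneNumber": "+1 555 0101"},
    {"dn": "cn=aruiz.ou=hr.o=corp", "workforceID": "",
     "givenName": "Ana", "sn": "Ruiz", "telephoneNumber": "+1 555 0102"},
    {"dn": "cn=bkim.ou=it.o=corp", "workforceID": "1004",
     "givenName": "Bo", "sn": "Kim", "telephoneNumber": "+1 555 0103"},
]

# Step 5: attribute flow rules, connector attribute -> metaverse attribute.
AD_FLOW = {"employeeID": "employeeID", "givenName": "firstName",
           "sn": "lastName", "mail": "mail"}
EDIR_FLOW = {"telephoneNumber": "telephoneNumber"}


def project(ad_cs):
    """Step 4: the AD MA projects each of its connectors into the metaverse;
    the AD attribute flow is applied at the same time."""
    metaverse = {}
    for n, rec in enumerate(ad_cs):
        mv = {"links": {"AD": rec["dn"]}}
        mv.update({dst: rec[src] for src, dst in AD_FLOW.items() if rec.get(src)})
        metaverse[f"mv-{n}"] = mv
    return metaverse


def join(metaverse, edir_cs):
    """Step 6: join eDirectory connectors to metaverse objects.

    Criteria in order of uniqueness: employee id first, then first+last name.
    A criterion matching more than one metaverse object is never used to
    join; the connector is reported as ambiguous for an administrator to
    resolve instead of two 'Tom Jones' objects being merged by accident.
    """
    by_id = defaultdict(list)
    by_name = defaultdict(list)
    for mv_id, mv in metaverse.items():
        if mv.get("employeeID"):
            by_id[mv["employeeID"]].append(mv_id)
        by_name[(mv["firstName"].lower(), mv["lastName"].lower())].append(mv_id)

    outcome = {}
    for rec in edir_cs:
        candidates = by_id.get(rec["workforceID"], []) if rec["workforceID"] else []
        if not candidates:
            candidates = by_name.get((rec["givenName"].lower(), rec["sn"].lower()), [])
        if len(candidates) == 1:
            mv = metaverse[candidates[0]]
            mv["links"]["eDirectory"] = rec["dn"]
            # eDirectory attribute flow into the joined metaverse object
            mv.update({dst: rec[src] for src, dst in EDIR_FLOW.items() if rec.get(src)})
            outcome[rec["dn"]] = "joined"
        elif len(candidates) > 1:
            outcome[rec["dn"]] = "ambiguous"   # left as a disconnector
        else:
            outcome[rec["dn"]] = "unjoined"    # would need provisioning logic
    return outcome


def export_to_ad(metaverse):
    """Step 8: attributes that would flow back out to AD on the second run
    (here only the phone number contributed by eDirectory)."""
    return {mv["links"]["AD"]: mv["telephoneNumber"]
            for mv in metaverse.values() if "telephoneNumber" in mv}


def run():
    metaverse = project(AD_CS)
    outcome = join(metaverse, EDIR_CS)
    return metaverse, outcome, export_to_ad(metaverse)


if __name__ == "__main__":
    mv, outcome, export = run()
    for dn, result in outcome.items():
        print(f"{result:9} {dn}")
    print(export)
```

Running it reports the Sales account joined on its ID, the Support account ambiguous (no ID, and two AD objects match the name), Ana Ruiz joined on the unique name fallback, and the IT account unjoined, which is the case the text says needs the extra provisioning scripting.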
Using Microsoft Directory Synchronization Services to Integrate Directories
Microsoft Directory
Synchronization Services (MSDSS), part of the Services for NetWare
Toolkit, is a tool used for synchronization of directory information
stored in the Active Directory and NDS. MSDSS synchronizes directory
information stored in Active Directory with all versions of NetWare;
MSDSS supports a two-way synchronization with NDS and a one-way
synchronization with Novell 3.x bindery services.
Because Active
Directory does not support a container comparable to an NDS root
organization and because Active Directory security differs from Novell,
MSDSS, in Migration mode only, creates a corresponding domain local
security group in Active Directory for each NDS organizational unit (OU)
and organization. MSDSS then maps each Novell OU or organization to the
corresponding Active Directory domain local security group.
MSDSS provides a
single point of administration; with one-way synchronization, changes
made to Active Directory will be propagated over to NDS during
synchronization. Synchronization from Active Directory to NDS allows
changes to object attributes, such as a user’s middle name or address,
to be propagated. In two-way synchronization mode, changes from NDS to
Active Directory require a full synchronization of the object (all
attributes of the user object).
One of the key
benefits to MSDSS is password synchronization. Passwords can be
administered in Active Directory and the changes propagated over to NDS
during synchronization. Password synchronization allows users access to
Windows Server 2003 and Novell NDS resources with the same logon
credentials.
The MSDSS architecture is
made up of the following three components. These components manage, map,
read, and write changes that occur in Active Directory, NDS, and
NetWare bindery services:
The configuration of the synchronization parameters is handled by the session manager.
An
object mapper relates the objects to each other (class and attributes),
namespace, rights, and permissions between the source and target
directories.
Changes
to each directory are handled by a DirSync (read/write) provider. LDAP
is used for Active Directory calls and NetWare Core Protocol (NCP) calls
for NDS and NetWare binderies.
In
addition to the core components of MSDSS, the session configuration
settings (session database) are securely stored in Active Directory.
Specific scenarios for MSDSS include the following:
A company is
migrating directly from Novell to a Windows Server 2003 network. All
network services—such as domain name system (DNS), Dynamic Host
Configuration Protocol (DHCP), and Internet Information Services
(IIS)—are running on a single server. MSDSS can be used to migrate all
users and files over to Windows Server 2003 after all services have been
migrated.
A company
is gradually migrating from Novell to a Windows Server 2003 network. The
network services—such as DNS, DHCP, and IIS—are installed on multiple
servers and sites. MSDSS can be used to migrate and synchronize AD and
NDS directories during the migration.
Installing the Microsoft Directory Synchronization Service
MSDSS needs to be
installed on a Windows domain controller to properly synchronize
directory information between the two different network environments. To
install MSDSS on a Windows Server 2003 domain controller, follow these
steps:
1. On the domain controller computer on which MSDSS will be installed, insert the CD into the CD-ROM drive.
2. Go into the MSDSS directory on the CD-ROM (such as d:\msdss) and run the msdss.msi script package. This launches the Microsoft Directory Synchronization Service Installation Wizard.
3. Choose to install the Microsoft Directory Synchronization Service.
Note
Installing MSDSS
initiates an extension of the schema of the Active Directory forest. As
with any schema update, the Active Directory should be backed up. Also with a schema update, because
the update will replicate directory changes to all global catalogs
throughout the organization, the replication should be done at a time
when a global catalog synchronization can take place without impact on
the normal production environment.
Synchronizing eDirectory/NDS with Active Directory Using Services for NetWare
For organizations that have
both a Windows Active Directory and a Novell eDirectory (or NDS)
environment, two primary methods are available to perform directory
synchronization between the two directories. One method is using the
Novell DirXML product, and the other method is using the MSDSS utility.
To set up directory synchronization with MSDSS, do the following:
1. Launch the MSDSS utility by selecting Start, Programs, Administrative Tools, Directory Synchronization.
2. Right-click on the MSDSS tool option, and select New Session.
3. Click Next at the New Session Wizard welcome screen.
4. At the Synchronization and Migration Tasks screen, choose either NDS or Bindery for the type of service.
Note
Use the NDS option if Novell NetWare 4.x or higher running NDS or eDirectory is used. Use the Bindery option if Novell NetWare 3.2 or lower bindery mode is running on the Novell network.
5. Depending on the synchronization option, choose either a one-way (from AD to NDS/Bindery), a two-way (AD to NDS/Bindery and back), or a migration from NDS/Bindery to AD. Click Next.
6. For the Active Directory container and domain controller, choose the AD container to which objects will be synchronized, as well as the name of the domain controller that will be used to extract and synchronize information, similar to the settings shown in Figure 1. Click Next.
7. For the NDS container and password, select the NDS container to and/or from which AD information will be synchronized. Enter a logon name and password for a supervisor account on Novell to access the Novell directory. Click Next.
8. On the initial reverse synchronization screen, select the password option to define passwords to be either blank, the same as the username, set to a random value (that can be viewed in the log file), or set to an organizational default. Click OK after selecting the password option, and then click Next to continue.
9. Click Finish to begin the synchronization/migration process.
Implementing MSDSS
MSDSS runs on a Windows
2000 Server or Windows Server 2003 domain controller and replicates user
account and password information between the Active Directory
environment and a Novell eDirectory or NDS environment. MSDSS is a
Windows service that synchronizes user account information between
Active Directory and NetWare. The following are best practices
determined in the implementation of MSDSS in an enterprise environment:
Ensure that the
Microsoft MSDSS server that is running on a Windows Active Directory
domain controller and the Novell directory server are on the same
network segment or have limited hops between each other.
Because
directory synchronization reads and writes information directly to the
network directory, test the replication process between mirrored domain
and directory services in a test lab environment before implementing
MSDSS for the first time in a production environment.
Monitor
directory and password synchronization processing times to confirm the
transactions are occurring fast enough for users to access network
resources. If users get an authentication error, consider upgrading the
MSDSS server to a faster system.
Password
characteristic policies (requiring upper- and lowercase letters,
numbers, or extended characters in the password and password change
times) should be similar on both the Microsoft and Novell environments
to minimize inconsistencies in authorization and update processes.
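An added example, not from the book and not part of MSDSS, of the last best practice above: before a password change is synchronized, evaluate it against the complexity settings of both directories and report which side would reject it, and list the settings on which the two policies differ. The two policy definitions are constructed for illustration and are deliberately mismatched; they are not the real defaults of either product.

```python
"""
Added example, not from the book and not part of MSDSS: check a password
against the policies of both directories before it is synchronized, and
report where the two policies disagree. Policy values are constructed.
"""
import string
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    require_upper: bool
    require_lower: bool
    require_digit: bool
    require_symbol: bool
    max_age_days: int

    def violations(self, password):
        """Return the list of rules in this policy that the password fails."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length}")
        checks = [
            (self.require_upper, any(c.isupper() for c in password), "no uppercase letter"),
            (self.require_lower, any(c.islower() for c in password), "no lowercase letter"),
            (self.require_digit, any(c.isdigit() for c in password), "no digit"),
            (self.require_symbol, any(c in string.punctuation for c in password), "no symbol"),
        ]
        problems += [msg for required, ok, msg in checks if required and not ok]
        return problems


# Constructed, deliberately mismatched policies to show the failure mode:
# a change AD accepts that the Novell side would reject leaves the two
# directories holding different passwords after the sync run.
AD_POLICY = PasswordPolicy("Active Directory", 8, True, True, True, False, 90)
NDS_POLICY = PasswordPolicy("NDS", 10, True, True, True, True, 42)


def check_for_sync(password, policies=(AD_POLICY, NDS_POLICY)):
    """Return {policy name: [violations]} for every policy the password
    fails. An empty dict means both directories will accept it."""
    return {p.name: v for p in policies if (v := p.violations(password))}


def policy_gaps(a, b):
    """List (setting, value_in_a, value_in_b) for every setting on which the
    two policies differ: the places where one directory may reject what the
    other accepted, or force a change the other side does not expect."""
    return [(f.name, getattr(a, f.name), getattr(b, f.name))
            for f in fields(a) if f.name != "name"
            and getattr(a, f.name) != getattr(b, f.name)]


if __name__ == "__main__":
    for candidate in ("Summer2024", "Summer-2024!"):
        print(candidate, check_for_sync(candidate) or "accepted by both")
    for setting, ad_value, nds_value in policy_gaps(AD_POLICY, NDS_POLICY):
        print(f"{setting}: AD={ad_value} NDS={nds_value}")
```

With these constructed policies "Summer2024" passes the AD rules but fails the NDS symbol requirement, and the gap listing shows the three settings (minimum length, symbol requirement, maximum age) that should be aligned before MSDSS password synchronization is relied on.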
Identifying Limitations on Directory Synchronization with MSDSS
Although
directory synchronization can provide common logon names and passwords,
MSDSS does not provide dual client support or any application-level
linkage between multiple platform configurations. This means that if a
Novell server is running IPX as a communication protocol and Windows is
running TCP/IP, MSDSS does not do protocol conversion. Likewise, if an
application is running on a Novell server requiring SAP, because Windows
servers commonly use NetBIOS for device advertising, a dual client
protocol stack must be enabled to provide common communications.
MSDSS merely links the
logon names and passwords between multiple environments. The following
are areas that need to be considered separate from the logon and
password synchronization process:
Protocols, such as TCP/IP and IPX/SPX, should be supported by servers and clients.
Applications
that require communication standards for logon authentication might
require a client component to be installed on the workstations or
servers in the mixed environment.
Applications
that were written for Novell servers (such as Network Loadable Modules
[NLMs] or BTrieve databases) should be converted to support Windows.
Logon
scripts, drive mappings, or other access systems compatible with one
networking environment might not work across multiple environments, so
those components should be tested for full compatibility.
Backup
utilities, antivirus applications, network management components, or
system monitoring tools that work on one system should be purchased or
relicensed to support another network operating configuration.
Backing Up and Restoring MSDSS Information
MSDSS
configuration, tables, and system configurations are critical to the
operations of the MSDSS synchronization tool. Microsoft provides a
backup and restore utility that enables the storage and recovery of
MSDSS information. To back up MSDSS, do the following:
1. Select Start, Programs, Administrative Tools, MSDSS Backup & Restore Utility. A screen similar to the one shown in Figure 2 should appear.
2. Either click Backup Now to back up the MSDSS session directory, or change the default time when the MSDSS information should be backed up.
3. If it is required to back up the session directory information, the process will notify you that the MSDSS service will need to be stopped. Choose Yes to continue.
4. Upon completion of the backup, there will be a prompt that the MSDSS service will need to be restarted. Choose Yes to restart the MSDSS service.
At any time, if the
MSDSS session directory information becomes corrupt or behaves
erratically, the MSDSS information can be restored. To restore MSDSS, do
the following:
1. Select Start, Programs, Administrative Tools, MSDSS Backup & Restore Utility.
2. Click Restore Now to restore the MSDSS session directory.
3. When notified that the MSDSS service will need to be stopped, choose Yes to continue.
4. Upon completion of the restore, a final prompt will appear to signify that the MSDSS service will need to be restarted. Choose Yes to restart the MSDSS service.