AD and eDirectory synchronization

KingE

MIS
Nov 4, 2002
39
US
I have a mother of all tasks to do. My company loves Novell from the older days and insists on keeping it for file and print services. I run the Microsoft side and we currently have an NT 4.0 domain with Exchange 5.5.

We are upgrading to Netware 6.0 from 4.1 and Windows 2000 Active Directory as well as Exchange 2000.

The plan (not my idea) is to use Netware 6.0 for all file and print services as well as home directories and offline files. Active Directory will mainly be to allow Exchange 2000 access, but we are also planning on using group policy to control XP desktops.

Is this possible? What is the best way for the two directory services to synchronize? Will the two directory services have to be identical? Will I have to use the Novell client to dual login (eDirectory and AD)?

We have 5 MS guys and 1 Novell guy but they insist on sticking with Novell.

Help required

KingE
 
I know MS has a tool which allows Novell directory service to synch with MS AD, but I think this is only when converting from Novell to MS. Might be worth looking into though.

Glen A. Johnson
Johnson Computer Consulting
MCP W2K
glen@johnsoncomputers.us

"What really happens is trivial in comparison to what could occur."
Robert von Musil (1880-1942); Austrian author.
 
Dear EKing,

NetWare is not dead, and it still remains one of the strongest and most stable ones. It has many stars and it is worth attention. The fact that just one guy is administering NetWare servers is an answer to how stable a platform it is.
But I don't want to start a comparison of NOSes now. All of them have their good and bad. We need network services from them, and they offer various ones. Focus on their integration.
I know both NOSes involved here very well. I'm one exam away from being MCSE W2K, so I'm impartial.

As directories, both of them are LDAP compliant. So, they are able to coexist.
A few tools that will help you with this are:

- from Microsoft: Microsoft Directory Synchronization Services (MSDSS). Allows two-way synchronization between Active Directory and Novell Directory Services (NDS). This synchronization allows users to maintain the same password in the two directory services.

- from Novell: eDirectory for W2K, ZENworks for policy deployment (wkst. management), and Account Management, which will help you to have a mapping between eDirectory objects and Active Directory ones. Novell is actually very open to integration, and you can see more products of this kind on their site.

I hope that my answer will help you to find the right solution.

Gia Betiu
m.betiu@chello.nl
Computer Eng. CNE 4, CNE 5
 
Here's a star for ya, GiaBetiu. I knew there would be someone out there who knew more about Novell than I did. I'm currently converting Novell 4.0 to W2K, and you want to talk about a headache. Powers that be didn't want to upgrade Novell, just kept the old one. I've heard rumors that MS Active Directory was pretty much stolen from the Novell version. Don't know if it's true or not, but I've heard good things about the current versions of Novell.

Glen A. Johnson
Johnson Computer Consulting
MCP W2K
glen@johnsoncomputers.us

 
I am aware of the products, but I need to know if you can authenticate with an eDirectory and obtain your policies from an Active Directory?

Zenworks will create and store policies for XP and 2000 without requiring an AD to exist. My company has stated that the $60 per head for Zenworks can't be justified when AD can do the same for free. We are experimenting with Account Management 3.0, which is a very new product that can supposedly manage eDirectory and AD; however, I'm questioning whether you can have identical directory structures or you can redirect objects (i.e. flat single context as preferred by Novell or multi container as preferred by AD).

I am not a newbie to this and know very well about Novell and its directory service. I used to use it myself during the 3.10 days.


'The fact that just one guy is administering NetWare servers is an answer to how stable a platform it is.'

This is because all the guys moved to other platforms during Novell's depression, and not because it is proof of stability. In fact our 4.11 tree causes more critical problems than our NT domain does. I was not knocking Novell but giving a business judgement on implementing our upgrade with the resources we have.

 
Glen,
if I can help you, I'll be glad to.

As for AD and NDS, I can say just that Microsoft made a big mistake building AD on the old NTDS structure. Because of this, AD is not easy to design, nor to implement in an enterprise configuration.
I miss the flexibility of NDS. Why are OUs not security principals? But I like the idea of sites.
What is difficult in NDS? That synchronization is based on time.
OK,... maybe it is a good idea to stop. Pages and pages could be written about such a comparison.

Gia Betiu
m.betiu@chello.nl
Computer Eng. CNE 4, CNE 5
 
Thanks, GiaBetiu. We're basically having problems with old 16 bit stuff not wanting to work on W2K. We're having to get a bit fancy, by going backwards and making batch files and making net use commands to grab printers, or we're having to map drives because some apps don't let you browse network neighborhood. The W2K stuff is not really causing us a problem. We're using active directory, but with only 250 users, I've not implemented OU's yet. No real need. When Novell is gone, I'll start looking at that. Thanks.

Glen A. Johnson
Johnson Computer Consulting
MCP W2K
glen@johnsoncomputers.us

 
Hi Glen,

Why are you not using OUs? As for me, I hate to see all my objects in a single place.
OUs will help you with better management, and if not, at least a better view of your network.
This is actually one of the strengths of a directory.

I would assign group policies in AD only via OUs.
Of course it is such a pity that Microsoft so easily forgot its other little brothers and sisters (DOS, W3.x, W9x). But this is marketing.
Gia Betiu
m.betiu@chello.nl
Computer Eng. CNE 4, CNE 5
 

KingE,

Turns out you're not the only Enterprise who is looking to do what you're discussing. We are in month 5 of a massive deployment with E-Directory as our directory service, Novell for File, Print, (and we use Groupwise) and email.

But our entire application environment is Microsoft, and 99% of our desktops for tens of thousands of users are Microsoft, and we are doing exactly as you are.

The difference is, I think E-Directory is great, and even claim that in environments where you use lots of services, for example we use Oracle on Linux/Unix and Cisco for almost all of our network, Checkpoint and Netscreen, and dozens of other independent products, E-Directory is superior to Active Directory in many ways for us. Namely because E-Directory is true LDAP, while Active Directory is MS LDAP API wannabe bullshit.

As to your questions...

Besides the obvious, learn as much as you can about Novell E-Directory as fast as you can, you need to look into DirXML and Account Management Services. Call your Novell representative; I have found their support has improved drastically lately, and they can fill you in and give you the information you need to make this successful. DirXML is the very best product that exists for integration of Novell E-Directory and Active Directory. Now for the why...

You probably understand NDS and NT 4.0, and how that stupid redirector file on your Windows NT 4.0 domain controller is always screwing things up. In my opinion, in our environment, it is easily the most unstable piece of garbage POS Novell product EVER. Unfortunately, Microsoft and Novell have never really played nice together. Finally however, with DirXML and Account Management from Novell, those days of IT headache are over.

I am finding DirXML is exactly what we were looking for. It allows you to administrate from either Microsoft's Active Directory tools or Novell's Account Management tools, and the sync seems to work fantastically every time between directories. The really nice thing, in my opinion, is that it allows us to pretty much tie everything into Novell's LDAP directory, and seamlessly have few login or user issues from Microsoft Active Directory accounts to the rest of our enterprise services through E-Directory.

Another huge feature coming in your future: with Netware 6 there are now products available that eliminate the need for ZEN. You can make Novell file shares look exactly like Microsoft file shares, and get almost everything Novell specific off the workstation. Without the Novell Client, you can have an IP only network (no stupid IPX crap!), no Novell client crap, and do your workstation management completely with Active Directory.

I am almost exclusively a Microsoft guy, but to be honest E-Directory has made it so much easier to integrate our Microsoft Enterprise into everything else. Single Sign-on was our motivation, .NET soon to come was another. All in all, in my opinion, for our large enterprise, E-Directory ended up being our solution for our enterprise's needs, including our Active Directory solution.

And I was like you at first, I didn't think we wanted that Novell stuff on my network anymore either after the Novell 5 NDS 7 headaches we have had... but as I learned more, I found we ended up better off with it.

Let me know if this helps. Also email me if you have any questions, not sure how big you are, we are about 40K users and have had great results.

Galrahn
galrahn@galrahn.com
 
Thanks Galrahn

I will be sure to email you with some questions next week

KingE
 

W2k, E-directory 8.6.2, Novell Account Management and DIRXML for Exchange 2000 works extremely well.

As Galrahn says, either managed through AD admin tools or through ConsoleOne makes directory management very easy.

We use Novell for all our admin, and use Zenworks and Novell clients etc., but each to their own for that, I suppose.

Anyways, Good luck

Scouse
 
Gia, any place you would suggest looking for more info on OUs? I've lost 3 people in the company I work for in the past year due to layoffs, so I don't have the time to study up on this at work. (That's why I started Johnson Computer Consulting, trying to get something going on the side.) Need to break out the books at home also. Can you give me a brief synopsis of OUs and why you think they're worth using? My specialty has always been more in the lines of connectivity and such, not security. Probably my weakest point. (Fine place to admit that, isn't it. Tell everybody on the internet I don't know security. At least I know enough to use Zone Alarm at home.)

Glen A. Johnson
Johnson Computer Consulting
MCP W2K
glen@johnsoncomputers.us

 
Glen,

I will prepare such an article for you (this evening).
I will send it to you via email.


Gia Betiu
m.betiu@chello.nl
Computer Eng. CNE 4, CNE 5, soon MCSE2k
 
Thanks. I'm never above taking advice or help.
Glen A. Johnson
Johnson Computer Consulting
MCP W2K
glen@johnsoncomputers.us
