To implement Windows 2000 Active Directory in an organization running another directory service, you must plan your transition. Active Directory is designed to extend Windows 2000 interoperability and allows you to synchronize directory information with other directory services. Active Directory is able to synchronize with Microsoft Exchange Server 5.5 directory service, Novell NetWare Bindery or Novell Directory Services (NDS), and other LDAP-compliant directory services. This lesson discusses how to plan the synchronization of your existing directory service with Windows 2000 Active Directory.
After this lesson, you will be able to
Estimated lesson time: 30 minutes
Recall that a directory service is a network service that identifies resources on a network and makes them accessible to users and applications. There are many types of directory services. Some, such as Active Directory, are designed for network computing, whereas others are designed to handle particular applications, such as e-mail. Because Active Directory is designed to extend Windows 2000 interoperability, it has the ability to synchronize directory information with other directory services. Directory synchronization is the sharing of data between two directory services so that changes made to objects in one directory are propagated automatically to the other directory. When data is synchronized between directory services, system administration is more efficient because there is no longer a need to manage multiple directories.
NOTE
A discussion of the actual process of setting up synchronization with Active Directory is beyond the scope of this training kit. This lesson covers the tasks necessary to plan Active Directory synchronization with Exchange Server 5.5, Novell Directory Services (NDS), and NetWare 3.x Binderies. Refer to the Microsoft Windows 2000 Server Deployment Planning Guide volume of the Microsoft Windows 2000 Server Resource Kit for more information.
Active Directory is currently able to synchronize with the directory services used by the following:
NOTE
For Exchange 2000 Server, the successor to Exchange Server 5.5, the Exchange Server directory service is seamlessly integrated with Active Directory and no synchronization is necessary.
When an Exchange Server 5.5 directory is synchronized with Active Directory, both directories are maintained in their own information stores. Information is replicated between the directory services in a manner similar to that of Windows 2000 replication. By synchronizing the Microsoft Exchange Server 5.5 directory with Windows 2000 Server Active Directory, you can use Exchange Server to initially populate a new Active Directory with user attributes and objects. In addition, because Exchange Server supports third-party e-mail directory services, you can copy third-party directory user attributes and objects into Exchange Server and then synchronize the third-party data into Active Directory.
NOTE
To synchronize data between Active Directory and Exchange Server 5.5, Exchange Server 5.5 Service Pack 1 or later must be installed.
To set up synchronization between Active Directory and Exchange Server 5.5, you must install the Active Directory Connector (ADC). The installation files for ADC are located on the Windows 2000 Server CD in the Valueadd\Msft\Mgmt\ADC folder. After installation, you can use the Active Directory Connector Management tool to set up connection agreements, which define how synchronization will occur. For each connection agreement, you can specify
You can also set up a primary connection agreement, which allows you to create new objects in the destination directory in addition to replicating information about existing objects. It is recommended that you set up only one primary connection agreement per Exchange Server and Active Directory synchronization to ensure that duplicate objects are not created in the destination directory.
Some organizations that use Novell NetWare will find it convenient and cost effective to introduce Active Directory while continuing to use their existing Novell directory. As with Exchange Server, when you synchronize a Novell NetWare Bindery or NDS directory with Active Directory, you maintain both directories in their own information stores rather than replace one directory with the other. Information is replicated between the directory services in a manner similar to that of Windows 2000 replication.
To enable users of Novell directory services to implement synchronization, Microsoft developed Microsoft Directory Synchronization Services (MSDSS), which is included with Services for NetWare version 5 (SFNW5). MSDSS is managed by using a Microsoft Management Console (MMC) snap-in, and supports Active Directory synchronization with the following Novell directory services:
Using MSDSS, you can choose one-way or two-way synchronization when you initially set up a synchronization session for a pair of containers. One-way synchronization is available for either Bindery or NDS and lets you manage objects in both directories from Active Directory. Two-way synchronization is available for NDS only and lets you manage shared data, such as user account information, from either directory.
For both Bindery and NDS, MSDSS synchronization maps Novell user, group, and distribution list objects to Active Directory user, group, and distribution list objects. For NDS only, MSDSS maps Novell OUs and organizations to Active Directory OUs. Also for NDS only, MSDSS synchronization provides optional custom object mapping that lets you map objects in dissimilar directory structures to each other.
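The object and container mapping just described, as an added example that is not code from the training kit or from MSDSS itself: a small mapper that turns Novell object names into Active Directory distinguished names using only the rules stated above (user, group and distribution-list objects map to their AD counterparts for both Bindery and NDS; NDS organizations and OUs become AD OUs; an optional custom container map overrides the structural mapping for dissimilar trees; any other class is reported as unmapped because it must be handled by hand). The NDS names, the `DC=corp,DC=example,DC=com` suffix, the target OU and the custom map are all constructed for the illustration.

```python
"""Added example (not from the training kit or MSDSS): map Novell NDS and
Bindery object names onto Active Directory DNs using the lesson's rules."""

# Object classes MSDSS maps for both Bindery and NDS, per the lesson text.
NOVELL_TO_AD_CLASS = {
    "User": "user",
    "Group": "group",
    "Distribution List": "group",   # becomes an AD distribution group
}

_RDN_SPECIAL = ',+"\\<>;'


class UnmappedObjectClass(Exception):
    """Object class MSDSS does not synchronize (printers, machine accounts,
    application objects); these have to be migrated manually."""


def escape_rdn(value):
    """Escape an RDN attribute value per RFC 4514 so a name such as
    'Smith, John' survives as a single DN component."""
    out = "".join("\\" + ch if ch in _RDN_SPECIAL else ch for ch in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def parse_nds_name(name):
    """Split a typeful NDS name ('CN=jsmith.OU=Sales.O=Contoso') into
    (type, value) pairs, leaf first. Typeless names are rejected because
    the container types decide the mapping. Values containing '.' (NDS
    backslash escaping) are not handled here."""
    parts = []
    for component in name.split("."):
        if "=" not in component:
            raise ValueError(f"typeless component {component!r} in {name!r}")
        typ, value = component.split("=", 1)
        parts.append((typ.strip().upper(), value.strip()))
    return parts


def container_to_ou_path(container_parts):
    """NDS O and OU containers become AD OUs, leaf first. The NDS [Root]
    is implicit and has no AD counterpart."""
    ous = []
    for typ, value in container_parts:
        if typ not in ("O", "OU"):
            raise ValueError(f"unexpected NDS container type {typ}")
        ous.append(f"OU={escape_rdn(value)}")
    return ",".join(ous)


def map_nds_object(name, object_class, ad_suffix, custom_container_map=None):
    """Return (AD distinguished name, AD object class) for one NDS object.
    custom_container_map maps a typeful dotted NDS container name to the AD
    OU path that replaces the structural mapping (MSDSS custom mapping)."""
    if object_class not in NOVELL_TO_AD_CLASS:
        raise UnmappedObjectClass(f"{object_class}: {name}")
    parts = parse_nds_name(name)
    leaf_type, leaf_value = parts[0]
    if leaf_type != "CN":
        raise ValueError(f"leaf object must be a CN, got {leaf_type}")
    container = ".".join(f"{t}={v}" for t, v in parts[1:])
    if custom_container_map and container in custom_container_map:
        ou_path = custom_container_map[container]
    else:
        ou_path = container_to_ou_path(parts[1:])
    rdns = [f"CN={escape_rdn(leaf_value)}"] + ([ou_path] if ou_path else []) + [ad_suffix]
    return ",".join(rdns), NOVELL_TO_AD_CLASS[object_class]


def map_bindery_object(name, object_class, target_ou_dn):
    """Bindery is flat: every object lands in the AD container that the
    synchronization session was set up for."""
    if object_class not in NOVELL_TO_AD_CLASS:
        raise UnmappedObjectClass(f"{object_class}: {name}")
    return f"CN={escape_rdn(name)},{target_ou_dn}", NOVELL_TO_AD_CLASS[object_class]


if __name__ == "__main__":
    suffix = "DC=corp,DC=example,DC=com"   # assumed AD domain
    print(map_nds_object("CN=jsmith.OU=Sales.O=Contoso", "User", suffix))
    print(map_nds_object("CN=Smith, John.OU=HR.O=Contoso", "User", suffix))
    print(map_nds_object("CN=jsmith.OU=Sales.O=Contoso", "User", suffix,
                         {"OU=Sales.O=Contoso": "OU=Field Sales,OU=Sales"}))
    print(map_bindery_object("JSMITH", "User", "OU=NetWare," + suffix))
```

The point of the `UnmappedObjectClass` path is the planning caveat: a mapper that silently drops printers, machine accounts or permissions hides exactly the objects the lesson says you must migrate by hand, so the mapping step should fail loudly on them and the list of failures becomes the manual-migration work list.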
A Word About Migrating Novell Bindery or NDS Directories to Windows 2000 Active Directory
Rather than synchronize with Active Directory, some organizations may want to migrate their Novell Bindery or NDS directory to Active Directory. MSDSS migration and the Microsoft File Migration Utility (also included with SFNW5), enable you to migrate your Novell Bindery or NDS directory to Active Directory and your file system to the Windows 2000 NTFS version 5 file system (NTFS5). The File Migration Utility supports migration for the following Novell directory services:
Using MSDSS migration, you can choose whether to migrate NDS or Bindery objects and files to Active Directory immediately or to implement a phased migration. In an immediate migration, you perform a quick, secure, one-time migration of NDS or Bindery objects and files to Active Directory. In a phased migration (often employed by organizations with complex directory scenarios), you set up and maintain synchronization for a period of weeks or months, keeping both directories available for the migration of users, computers, services, and applications in planned stages. By moving from a Novell-based directory to Active Directory over a period of time, you minimize the disruption of users.
MSDSS migration enables you to automatically migrate the Bindery or NDS directory objects that carry the most, and the most important, information: user accounts, groups, and distribution lists (for both Bindery and NDS), and OUs and organizations (for NDS only). All other object classes, such as machine accounts, printer objects, and application objects, and all object security permissions, must be migrated manually. Plan to re-create and verify permissions on the migrated objects in Active Directory rather than assume they carried over.
By using the File Migration Utility in conjunction with MSDSS, you can migrate all or part of your NetWare folders and files to one or more Windows 2000-based file servers. The NetWare structure, the existing rights, and the existing permissions are maintained in the Windows 2000 file system, NTFS version 5 (NTFS5).
MORE INFO
Read the white papers "MSDSS Deployment: Understanding Synchronization and Migration" and "MSDSS Deployment: Implementing Synchronization and Migration" for a discussion of how MSDSS enables interoperability between Active Directory and Novell Directory Services (NDS) and NetWare 3.x Binderies. You can find the white papers on the Supplemental Course Materials CD-ROM (\chapt07\MSDSSund and \chapt07\MSDSSimp).
Some organizations have sophisticated directory management needs, including the need to synchronize more than two directory services, the need for business rule-based processing, or the need to join namespaces to manage objects and attributes across multiple isolated data stores. For these organizations, Microsoft Metadirectory Services (MMS) is available through a service engagement with trained providers.
MMS allows the integration of identity and directory information from multiple repositories with Active Directory. This allows organizations to manage diverse information and reduces the cost of directory management. MMS allows the integration of information from platforms such as Microsoft Windows 2000, Microsoft Active Directory, Microsoft Windows NT, Microsoft Exchange, Lotus Notes, Domino, cc:Mail, Novell NDS, Bindery, GroupWise, Netscape Directory and MetaDirectory Server, ISOCOR MetaConnect and X.500, various ODBC/SQL databases, and other systems.
As of this writing, MMS is still a relatively new synchronization tool, available only through Microsoft Consulting Services or an MMS partner. Check the Microsoft Web site at www.microsoft.com for the most up-to-date information.
MORE INFO
For further information on using MMS, read the white paper "Microsoft Metadirectory Services," on the Supplemental Course Materials CD-ROM (\chapt07\metadire).
The design step for planning directory service synchronization with Active Directory has been divided into two areas:
To plan Microsoft Exchange Server 5.5 synchronization with Active Directory, you must complete the following tasks:
Analyzing the Current Domain Structure and Exchange Server Site Topology
To synchronize the Exchange Server 5.5 directory service with Windows 2000 Server Active Directory, you must first understand the Exchange Server and Windows 2000 structures that exist in your organization. For Exchange Server, you must determine the number of sites, how the sites are managed, and whether each site will be synchronized with Active Directory. For those Exchange Server sites that will be synchronized, you must also identify the objects to be synchronized and the target container to which the objects will be synchronized.
Mapping Exchange Server Sites and Containers to Active Directory Domains and OUs
By mapping Exchange Server sites and containers to Active Directory domains and OUs, you create a logical path over which objects can travel between the directories. Each connection agreement you create will be based on these paths. An Exchange container can map to multiple Active Directory OUs and an Active Directory OU can map to multiple Exchange containers.
Defining Directory Objects to Be Synchronized
To define the directory objects to be synchronized, identify the objects and containers you want to synchronize. Then determine how the objects will be represented in the target directory.
Mapping Exchange Server Attributes to Active Directory Attributes
You can map Exchange Server attributes to attributes within Active Directory or to new custom attributes. Attribute mapping is controlled by settings on the ADC policy object in Active Directory (the connector's own policy object, not a Group Policy object). The following will not synchronize: Advanced Security settings in Exchange, and Access Control Lists (ACLs) in both Exchange and Active Directory. Because ACLs do not replicate, permissions on synchronized objects must be planned and set separately in each directory.
NOTE
A detailed discussion of the ADC policy is beyond the scope of this training kit. You can find additional information in the Microsoft Windows 2000 Server Deployment Planning Guide volume of the Microsoft Windows 2000 Server Resource Kit.
Determining the Location of Active Directory Connectors
The minimum requirements for installing ADC are at least one Windows 2000 server; one Active Directory domain; and, at each Exchange Server site, at least one Exchange Server 5.5 with Service Pack 1 or higher. You should also consider the number of ADC servers that will be required to replicate the data. To avoid ADC traffic across the WAN, a separate ADC should be configured for each site in every Active Directory domain that will host synchronized mailbox objects. The ADC server requires direct IP connectivity because it uses LDAP requests and RPC requests when it writes to the Exchange directory.
ADC can be set up on the following servers:
Defining Connection Agreements
For optimal performance, you must determine the minimum number of connection agreements. It is not always necessary to create a connection agreement between each Exchange Server site and Windows 2000 Server domain. However, you must have enough connection agreements to handle replication. Consider the following when determining the number of connection agreements for your organization:
Configuring Connection Agreements
For each connection agreement you must specify the direction of replication, the schedule of replication, the authentication method, the attributes to be replicated, and the manner in which deleted objects will be handled.
To specify the direction of replication, you must determine how your organization manages the information that's being synchronized. You can manage information on security accounts, directory identity, and messaging from Active Directory. However, you can administer mail recipient objects from Exchange Server, Active Directory, or both directory services. The directory service that manages object identity is determined by the direction of replication you set in a connection agreement.
To specify the replication schedule, you must consider the number of users or mailboxes to be replicated, the frequency of the changes, and the replication schedules for other connection agreements.
The authentication method is the type of authentication the connection agreement uses to make a connection, either not encrypted or with SSL encryption. Without SSL, the credentials and the directory data replicated by the agreement cross the network in the clear, so SSL encryption should be used when replicating to a server in another location, and wherever the path is not otherwise trusted. Each connection agreement requires you to set up an account that has permission to read from Exchange Server and Active Directory and permission to write to the target directory. Grant that account only those rights, scoped to the containers the agreement covers, rather than using a general-purpose administrative account.
Each connection agreement allows you to specify the attributes to be replicated, which was discussed earlier in the "Defining Directory Objects to Be Synchronized" section.
Each connection agreement allows you to specify how deleted objects will be handled. If the connection agreement is replicating from Active Directory to Exchange Server, you can select one of the following options for handling deleted objects:
If the connection agreement is replicating from Exchange Server to Active Directory, you can select one of the following options for handling deleted objects:
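The connection agreement settings described in this section (direction, the primary flag from the earlier "Active Directory Connector" discussion, the attribute list, and deleted-object handling) modelled as an added example that is not code from the training kit or from the Active Directory Connector: directories are plain dicts keyed by a matching attribute (here the mailbox alias), the recipient data and domain names are made up, and the two deletion options are simplified to "propagate the deletion" versus "keep the target object and record it in a deletion list". The example also shows why only one primary agreement should create objects, and guards the case where the agreement's account loses its read rights, so that an unreadable source is not mistaken for one whose objects were all deleted.

```python
"""Added example (not from the training kit or the ADC): a model of an
Active Directory Connector connection agreement and its planning options."""

DELETE = "delete"       # remove the matching target object
KEEP_AND_LIST = "keep"  # keep the target object, record it in a deletion list


class ConnectionAgreement:
    def __init__(self, name, read_source, target, primary, attributes,
                 on_delete=KEEP_AND_LIST):
        self.name = name
        self.read_source = read_source   # callable returning {key: {attr: value}}
        self.target = target             # dict the agreement writes to
        self.primary = primary           # may create objects in the target
        self.attributes = tuple(attributes)
        self.on_delete = on_delete
        self.seen = set()                # keys this agreement replicated before
        self.deletion_list = []

    def run(self):
        """One replication cycle. Returns a summary of what was done."""
        summary = {"created": 0, "updated": 0, "skipped": 0, "deleted": 0,
                   "listed": 0, "aborted": False}
        try:
            snapshot = self.read_source()
        except PermissionError:
            # The account lost its read rights. An empty or partial read must
            # not be treated as "every object was deleted", so stop here
            # without touching the target.
            summary["aborted"] = True
            return summary
        for key, obj in snapshot.items():
            data = {a: obj[a] for a in self.attributes if a in obj}
            if key in self.target:
                self.target[key].update(data)
                summary["updated"] += 1
            elif self.primary:
                self.target[key] = dict(data)
                summary["created"] += 1
            else:
                summary["skipped"] += 1   # a non-primary agreement never creates
            self.seen.add(key)
        # Objects this agreement replicated earlier that are gone from the source.
        for key in sorted(self.seen - set(snapshot)):
            self.seen.discard(key)
            if key not in self.target:
                continue
            if self.on_delete == DELETE:
                del self.target[key]
                summary["deleted"] += 1
            else:
                self.deletion_list.append(key)
                summary["listed"] += 1
        return summary


def duplicate_keys(*targets):
    """Keys that ended up in more than one target directory."""
    counts = {}
    for directory in targets:
        for key in directory:
            counts[key] = counts.get(key, 0) + 1
    return {k for k, n in counts.items() if n > 1}


# Constructed Exchange 5.5 recipients container (alias -> attributes).
EXCHANGE_SITE = {
    "jsmith": {"displayName": "John Smith", "mail": "jsmith@cpandl.example", "title": "Analyst"},
    "mjones": {"displayName": "Mary Jones", "mail": "mjones@cpandl.example", "title": "Engineer"},
}
ATTRS = ("displayName", "mail")   # 'title' is deliberately not replicated


def two_primary_agreements():
    """Two primary agreements from one site into two domains: each creates
    its own copy of every recipient, so the forest ends up with duplicates."""
    hq, branch = {}, {}
    for target in (hq, branch):
        ConnectionAgreement("primary", lambda: dict(EXCHANGE_SITE), target, True, ATTRS).run()
    return duplicate_keys(hq, branch)


def one_primary_agreement():
    """Recommended layout: one primary agreement creates objects; the other
    only updates objects that already exist in its own target."""
    hq, branch = {}, {}
    ConnectionAgreement("primary", lambda: dict(EXCHANGE_SITE), hq, True, ATTRS).run()
    summary = ConnectionAgreement("non-primary", lambda: dict(EXCHANGE_SITE), branch, False, ATTRS).run()
    return duplicate_keys(hq, branch), summary["skipped"]


def deletion_handling(on_delete):
    """Replicate, remove one mailbox from the source, replicate again."""
    site, hq = dict(EXCHANGE_SITE), {}
    ca = ConnectionAgreement("primary", lambda: dict(site), hq, True, ATTRS, on_delete)
    ca.run()
    del site["mjones"]
    summary = ca.run()
    return sorted(hq), list(ca.deletion_list), summary


def lost_read_access():
    """A cycle whose source read is denied must delete nothing."""
    hq = {}
    ca = ConnectionAgreement("primary", lambda: dict(EXCHANGE_SITE), hq, True, ATTRS, DELETE)
    ca.run()
    def denied():
        raise PermissionError("access denied")
    ca.read_source = denied
    return ca.run()["aborted"], sorted(hq)
```

The `KEEP_AND_LIST` path is the safer default while a synchronization is new: a deletion in the source becomes a line in a list that an administrator reviews, instead of an account that disappears from the other directory; switch an agreement to propagating deletions only once the pilot shows the source is being managed the way the replication direction assumes.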
To plan Novell NetWare Bindery or NDS synchronization with Active Directory, you must complete the following tasks:
Analyzing the Current Novell Network
To analyze the current Novell network, you should
Choosing One- or Two-Way Synchronization
To determine which type of synchronization to use, consider the following factors:
Identifying Objects to Synchronize and Planning Synchronization Sessions
To define the objects to synchronize and plan the synchronization sessions required, you should
Determining Administrative Responsibilities
To determine administrative responsibilities, you should
IMPORTANT
To set up a two-way synchronization session, you must have full administrator privileges for the entire NDS container in which you are creating the synchronization session. These privileges must be maintained for the duration of the session, or objects may be deleted from either the NDS directory or Active Directory.
Planning Pilot Testing and User Education
To plan pilot testing and user education, you should
The design step example for planning directory service synchronization with Active Directory has been divided into two areas:
City Power and Light is headquartered in Indianapolis, with two branch offices, located in Gary and Ft. Wayne, and a training facility, located in Evansville. The Indianapolis and Evansville locations are administered by the main IT management department in Indianapolis. The Gary and Ft. Wayne offices each have their own small IT management departments.
The utility is currently running Windows 2000, with a server at each location running Exchange Server 5.5 (Service Pack 1 applied). The branch offices and training facility are connected to Indianapolis by WAN connections, and e-mail is routed there for connectivity to the Internet. The client workstations in Indianapolis are running Windows 2000 Professional, and the branch offices and training facility are running Windows 98-based workstations. The branch offices will continue to use Windows 98 until a decision can be made on whether to upgrade to Windows 2000 Professional or Windows ME. Budget constraints have ruled out the possibility of upgrading to Exchange 2000 Server, so the administrators will use ADC to synchronize Exchange Server directory with Active Directory.
The administrators collectively decided that the Gary and Ft. Wayne branch offices would replicate from their Exchange Server computers to Active Directory so the administration of user accounts could still be handled at the branch offices. In the Indianapolis office and at the Evansville training office, replication would occur from Active Directory to Exchange Server to simplify the administration of user accounts at headquarters.
The administrators performed the following steps to synchronize Exchange Server 5.5 with Active Directory:
Figure 7.8 depicts how City Power and Light set up Exchange Server 5.5 synchronization with Active Directory.
Figure 7.8 Exchange Server 5.5 synchronization with Active Directory
The following examples outline two ways of synchronizing Novell NetWare Bindery or NDS with Active Directory.
Synchronizing NDS and Active Directory
Company A would like to keep its existing NDS directory and add Active Directory until it is ready to retire NDS. The administrators analyze the Novell network and assess the readiness of the directory for synchronization. They make the necessary adjustments to prepare for synchronization. The one-way directory synchronization option is selected, and the administrators perform an initial reverse synchronization for the entire NDS directory. They determine the information to be synchronized and schedule a forward synchronization session to run from Active Directory to NDS every fifteen minutes. Pilot tests are run to determine whether the system is working correctly. Users are trained to handle the changes. At this point administrators can use Active Directory to manage network objects.
Synchronizing Specific NDS Directory Information with Active Directory
Company B would like to keep only the information stored in its NDS-based human resources application synchronized with Active Directory. No other information will be synchronized. The administrators analyze the Novell network and assess the readiness of the directory for synchronization. They make the necessary adjustments to prepare for synchronization. The two-way directory synchronization option is selected, and the administrators perform an initial reverse synchronization. They specify the objects (Novell container and Active Directory OU) between which to establish a one-to-one relationship. Pilot tests are run to determine whether the system is working correctly. Users are trained to handle the changes. The administrator then configures forward and reverse synchronization sessions for the human resources directory data.
In this lesson you learned how to plan Active Directory synchronization with Microsoft Exchange Server 5.5 directory service, Novell NetWare Bindery or NDS, and other LDAP-compliant directory services. To plan Exchange Server 5.5 synchronization with Active Directory, you learned that you must analyze the current Windows 2000 domain structure and Exchange Server site topology, determine which directory service will manage object identity, define objects to be synchronized, map Exchange Server sites and containers to Active Directory domains and OUs, map Exchange Server attributes to Active Directory attributes, determine the location of Active Directory Connectors, define the connection agreements needed to synchronize directories, and configure connection agreements. To plan Novell NetWare Bindery or NDS synchronization with Active Directory, you learned that you must analyze the current Novell network, choose one- or two-way synchronization, identify the objects to synchronize and plan synchronization sessions, determine administrative responsibilities, and plan pilot testing and user education.