Lesson 2: Planning Directory Service Synchronization with Active Directory

To implement Windows 2000 Active Directory in an organization running another directory service, you must plan your transition. Active Directory is designed to extend Windows 2000 interoperability and allows you to synchronize directory information with other directory services. Active Directory is able to synchronize with Microsoft Exchange Server 5.5 directory service, Novell NetWare Bindery or Novell Directory Services (NDS), and other LDAP-compliant directory services. This lesson discusses how to plan the synchronization of your existing directory service with Windows 2000 Active Directory.


After this lesson, you will be able to

  • Identify the tools needed to synchronize Exchange Server 5.5 directory service with Active Directory
  • Identify the tools needed to synchronize Novell NetWare Bindery or NDS with Active Directory
  • Identify the tools needed to synchronize other LDAP-compliant directory services with Active Directory
  • Explain how to plan the synchronization of Exchange Server 5.5 directory service with Active Directory
  • Explain how to plan the synchronization of Novell NetWare Bindery or NDS with Active Directory

Estimated lesson time: 30 minutes


Understanding Directory Service Synchronization

Recall that a directory service is a network service that identifies resources on a network and makes them accessible to users and applications. There are many types of directory services. Some, such as Active Directory, are designed for network computing, whereas others are designed to handle particular applications, such as e-mail. Because Active Directory is designed to extend Windows 2000 interoperability, it has the ability to synchronize directory information with other directory services. Directory synchronization is the sharing of data between two directory services so that changes made to objects in one directory are propagated automatically to the other directory. When data is synchronized between directory services, system administration is more efficient because there is no longer a need to manage multiple directories.

NOTE


A discussion of the actual process of setting up synchronization with Active Directory is beyond the scope of this training kit. This lesson covers the tasks necessary to plan Active Directory synchronization with Exchange Server 5.5, Novell Directory Services (NDS), and NetWare 3.x Binderies. Refer to the Microsoft Windows 2000 Server Deployment Planning Guide volume of the Microsoft Windows 2000 Server Resource Kit for more information.

Active Directory is currently able to synchronize with the directory services used by the following:

  • Microsoft Exchange Server 5.5
  • Novell NetWare Bindery or NDS
  • Other LDAP-compliant directory services

NOTE


For Exchange 2000 Server, the successor to Exchange Server 5.5, the Exchange Server directory service is seamlessly integrated with Active Directory and no synchronization is necessary.

Synchronizing with Microsoft Exchange Server 5.5

When an Exchange Server 5.5 directory is synchronized with Active Directory, both directories are maintained in their own information stores. Information is replicated between the directory services in a manner similar to that of Windows 2000 replication. By synchronizing the Microsoft Exchange Server 5.5 directory with Windows 2000 Server Active Directory, you can use Exchange Server to initially populate a new Active Directory with user attributes and objects. In addition, because Exchange Server supports third-party e-mail directory services, you can copy third-party directory user attributes and objects into Exchange Server and then synchronize the third-party data into Active Directory.

NOTE


To synchronize data between Active Directory and Exchange Server 5.5, Exchange Server 5.5 Service Pack 1 or later must be installed.

To set up synchronization between Active Directory and Exchange Server 5.5, you must install the Active Directory Connector (ADC). The installation files for ADC are located on the Windows 2000 Server CD in the Valueadd\Msft\Mgmt\ADC folder. After installation, you can use the Active Directory Connector Management tool to set up connection agreements, which define how synchronization will occur. For each connection agreement, you can specify

  • The direction of replication: two-way, from Exchange to Windows, or from Windows to Exchange
  • The method of authentication used for the replication
  • The replication schedule
  • The objects to be replicated
  • How the replication of deleted objects is handled

You can also set up a primary connection agreement, which allows you to create new objects in the destination directory in addition to replicating information about existing objects. It is recommended that you set up only one primary connection agreement per Exchange Server and Active Directory synchronization to ensure that duplicate objects are not created in the destination directory.

Synchronizing with Novell NetWare Bindery or NDS

Some organizations that use Novell NetWare will find it convenient and cost effective to introduce Active Directory while continuing to use their existing Novell directory. As with Exchange Server, when you synchronize a Novell NetWare Bindery or NDS directory with Active Directory, you maintain both directories in their own information stores rather than replace one directory with the other. Information is replicated between the directory services in a manner similar to that of Windows 2000 replication.

To enable users of Novell directory services to implement synchronization, Microsoft developed Microsoft Directory Synchronization Services (MSDSS), which is included with Services for NetWare version 5 (SFNW5). MSDSS is managed by using a Microsoft Management Console (MMC) snap-in, and supports Active Directory synchronization with the following Novell directory services:

  • NDS for Novell NetWare 4, 4.1, 4.11, 4.2, 5, 5 with NDS 8, and 5.1
  • Bindery for Novell NetWare 3.1, 3.11, 3.12, and 3.2, as well as NetWare 4.x configured in bindery emulation mode

Using MSDSS, you can choose one-way or two-way synchronization when you initially set up a synchronization session for a pair of containers. One-way synchronization is available for either Bindery or NDS and lets you manage objects in both directories from Active Directory. Two-way synchronization is available for NDS only and lets you manage shared data, such as user account information, from either directory.

For both Bindery and NDS, MSDSS synchronization maps Novell user, group, and distribution list objects to Active Directory user, group, and distribution list objects. For NDS only, MSDSS maps Novell OUs and organizations to Active Directory OUs. Also for NDS only, MSDSS synchronization provides optional custom object mapping that lets you map objects in dissimilar directory structures to each other.

A Word About Migrating Novell Bindery or NDS Directories to Windows 2000 Active Directory

Rather than synchronize with Active Directory, some organizations may want to migrate their Novell Bindery or NDS directory to Active Directory. MSDSS migration and the Microsoft File Migration Utility (also included with SFNW5) enable you to migrate your Novell Bindery or NDS directory to Active Directory and your file system to the Windows 2000 NTFS version 5 file system (NTFS5). The File Migration Utility supports migration for the following Novell directory services:

  • NDS for Novell NetWare 4.2, 5, and 5.1
  • Bindery for Novell NetWare 3.12

Using MSDSS migration, you can choose whether to migrate NDS or Bindery objects and files to Active Directory immediately or to implement a phased migration. In an immediate migration, you perform a quick, secure, one-time migration of NDS or Bindery objects and files to Active Directory. In a phased migration (often employed by organizations with complex directory scenarios), you set up and maintain synchronization for a period of weeks or months, keeping both directories available for the migration of users, computers, services, and applications in planned stages. By moving from a Novell-based directory to Active Directory over a period of time, you minimize the disruption to users.

MSDSS migration enables you to automatically migrate Bindery or NDS directory objects that store the largest amount of information and the most important information, such as user accounts, groups, and distribution lists (for both Bindery and NDS), and (for NDS only) OUs and organizations. All other object classes, such as machine accounts, printer objects, application objects, and object security permissions must be migrated manually.

By using the File Migration Utility in conjunction with MSDSS, you can migrate all or part of your NetWare folders and files to one or more Windows 2000-based file servers. The NetWare structure, the existing rights, and the existing permissions are maintained in the Windows 2000 file system, NTFS version 5 (NTFS5).

MORE INFO


Read the white papers "MSDSS Deployment: Understanding Synchronization and Migration" and "MSDSS Deployment: Implementing Synchronization and Migration," for a discussion of how MSDSS enables interoperability between Active Directory and the Novell NetWare operating system's Novell Directory Service (NDS) and NetWare 3.x Binderies. You can find the white papers on the Supplemental Course Materials CD-ROM (\chapt07\MSDSSund and \chapt07\MSDSSimp).

Synchronizing with Other LDAP-Compliant Directory Services

Some organizations have sophisticated directory management needs, including the need to synchronize more than two directory services, the need for business rule-based processing, or the need to join namespaces to manage objects and attributes across multiple isolated data stores. For these organizations, Microsoft Metadirectory Services (MMS) is available through a service engagement with trained providers.

MMS allows the integration of identity and directory from multiple repositories with Active Directory. This allows organizations to manage diverse information and reduces the cost of directory management. MMS allows the integration of information from platforms such as Microsoft Windows 2000, Microsoft Active Directory, Microsoft Windows NT, Microsoft Exchange, Lotus Notes, Domino, cc: Mail, Novell NDS, Bindery, GroupWise, Netscape Directory and MetaDirectory Server, ISOCOR MetaConnect and X.500, various ODBC/SQL databases, and other systems.

As of this writing, MMS is still a relatively new synchronization tool, available only through Microsoft Consulting Services or an MMS partner. Check the Microsoft Web site at www.microsoft.com for the most up-to-date information.

MORE INFO


For further information on using MMS, read the white paper "Microsoft Metadirectory Services," on the Supplemental Course Materials CD-ROM (\chapt07\metadire).

Design Step: Planning Directory Service Synchronization with Active Directory

The design step for planning directory service synchronization with Active Directory has been divided into two areas:

  • Planning Microsoft Exchange Server 5.5 synchronization with Active Directory
  • Planning Novell NetWare Bindery or NDS synchronization with Active Directory

Design Step: Planning Microsoft Exchange Server 5.5 Synchronization with Active Directory

To plan Microsoft Exchange Server 5.5 synchronization with Active Directory, you must complete the following tasks:

  1. Analyze the current Windows 2000 domain structure and Exchange Server site topology.
  2. Map Exchange Server sites and containers to Active Directory domains and OUs.
  3. Define objects to be synchronized.
  4. Map Exchange Server attributes to Active Directory attributes.
  5. Determine the location of Active Directory Connectors.
  6. Define the connection agreements needed to synchronize directories.
  7. Configure connection agreements.

Analyzing the Current Domain Structure and Exchange Server Site Topology

To synchronize the Exchange Server 5.5 directory service with Windows 2000 Server Active Directory, you must first understand the Exchange Server and Windows 2000 structures that exist in your organization. For Exchange Server, you must determine the number of sites, how the sites are managed, and whether the site will be synchronized with Active Directory. For those Exchange Server sites that will be synchronized, you must also identify the objects to be synchronized and the target container to which the objects will be synchronized.

Mapping Exchange Server Sites and Containers to Active Directory Domains and OUs

By mapping Exchange Server sites and containers to Active Directory domains and OUs, you create a logical path over which objects can travel between the directories. Each connection agreement you create will be based on these paths. An Exchange container can map to multiple Active Directory OUs and an Active Directory OU can map to multiple Exchange containers.

Defining Directory Objects to Be Synchronized

To define the directory objects to be synchronized, identify the objects and containers you want to synchronize. Then determine how the objects will be represented in the target directory.

Mapping Exchange Server Attributes to Active Directory Attributes

You can map Exchange Server attributes to attributes within Active Directory or to new custom attributes. Attribute mapping is controlled by settings on the ADC group policy object in Active Directory. The following object attributes will not synchronize: Advanced Security settings in Exchange and Access Control Lists (ACLs) in both Exchange and Active Directory.

NOTE


A detailed discussion of the ADC group policy is beyond the scope of this training kit. You can find additional information in the Microsoft Windows 2000 Server Deployment Planning Guide volume of the Microsoft Windows 2000 Server Resource Kit.

Determining the Location of Active Directory Connectors

The minimum requirements for installing ADC are at least one Windows 2000 server; one Active Directory domain; and, at each Exchange Server site, at least one Exchange Server 5.5 with Service Pack 1 or higher. You should also consider the number of ADC servers that will be required to replicate the data. To avoid ADC traffic across the WAN, a separate ADC should be configured for each site in every Active Directory domain that will host synchronized mailbox objects. The ADC server requires direct IP connectivity because it uses LDAP requests and RPC requests when it writes to the Exchange directory.

ADC can be set up on the following servers:

  • Active Directory domain controller
  • Active Directory domain controller with Exchange Server
  • Active Directory global catalog
  • Active Directory global catalog with Exchange Server
  • Active Directory member server
  • Active Directory member server with Exchange Server
  • Active Directory member server with Exchange Server on an Active Directory domain controller
  • Active Directory member server with Exchange Server on an Active Directory global catalog

Defining Connection Agreements

For optimal performance, you must determine the minimum number of connection agreements. It is not always necessary to create a connection agreement between each Exchange Server site and Windows 2000 Server domain. However, you must have enough connection agreements to handle replication. Consider the following when determining the number of connection agreements for your organization:

  • Speed, number of CPUs, and amount of RAM for each Windows 2000 server, Exchange server, and ADC server. If any of these items could impede replication, you should consider additional connection agreements.
  • Network bandwidth. If network bandwidth impedes replication, you should consider additional connection agreements.
  • Number of Exchange Server mailboxes and Active Directory users, number of Exchange Server mail recipients and Active Directory contacts, and number of Exchange Server distribution lists, Active Directory groups, and Active Directory servers. If there are more than 500 of any of these objects, you should divide them among several connection agreements.

Configuring Connection Agreements

For each connection agreement you must specify the direction of replication, the schedule of replication, the authentication method, the attributes to be replicated, and the manner in which deleted objects will be handled.

To specify the direction of replication, you must determine how your organization manages the information that's being synchronized. You can manage information on security accounts, directory identity, and messaging from Active Directory. However, you can administer mail recipient objects from Exchange Server, Active Directory, or both directory services. The directory service that manages object identity is determined by the direction of replication you set in a connection agreement.

To specify the replication schedule, you must consider the number of users or mailboxes to be replicated, the frequency of the changes, and the replication schedules for other connection agreements.

The authentication method is the type of authentication the connection agreement uses to make a connection, either not encrypted or with SSL encryption. SSL encryption should be used when replicating to a server in another location. Each connection agreement requires you to set up an account that has permission to read from Exchange Server and Active Directory and permission to write to the target directory.

Each connection agreement allows you to specify the attributes to be replicated, which was discussed earlier in the "Defining Directory Objects to Be Synchronized" section.

Each connection agreement allows you to specify how deleted objects will be handled. If the connection agreement is replicating from Active Directory to Exchange Server, you can select one of the following options for handling deleted objects:

  • Delete The Exchange Mailboxes, Custom Recipients And Distribution Lists. If a user account is removed from Active Directory, the user's Exchange Server mailbox is deleted and the user is deleted from mail recipient and distribution lists.
  • Keep The Exchange Deleted Items And Store The Deletion List In The Temporary .CSV File. The list of deleted objects is placed in a comma separated values (CSV) log file. Information is appended to this file as replication occurs. The log file is located in %SystemRoot%\MSADC\Connection Agreement Name\ex55.csv.

If the connection agreement is replicating from Exchange Server to Active Directory, you can select one of the following options for handling deleted objects:

  • Delete The Windows Users, Contacts And Groups. Deletes from Active Directory any mailbox that was deleted in the Exchange Server directory.
  • Keep The Windows Deleted Items And Store The Deletion List In The Temporary .LDF File. Removes any mail attributes on each object in Active Directory whose corresponding mailbox was deleted in the Exchange Server directory. The list of deleted objects is then stored in an LDF file. Information is appended to this file as replication occurs. The log file is located in %SystemRoot%\MSADC\Connection Agreement Name\win2000.ldf.
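The planning rules in this section (SSL when replicating to another location, dividing agreements that carry more than 500 objects of any class, a single primary connection agreement, an explicit deleted-object policy) can be checked before any agreement is created. The following is an added illustration written for this lesson, not an ADC tool from Microsoft; its data model, rule codes and sample agreements are constructed assumptions.

```python
"""Plan-time checks for ADC connection agreements.

Illustration written for this lesson, not a Microsoft tool. It encodes the
planning rules the text states: SSL authentication when replicating to a
server in another location, no more than 500 objects of any class per
agreement, a single primary connection agreement, and an explicit
deleted-object policy. Field names, rule codes and the sample agreements
below are this example's own (constructed) choices.
"""
from dataclasses import dataclass, field, replace
from math import ceil
from typing import Dict, List, Tuple

MAX_OBJECTS_PER_AGREEMENT = 500   # above this, divide among several agreements
DIRECTIONS = {"two-way", "exchange-to-windows", "windows-to-exchange"}
DELETION_POLICIES = {"delete", "log"}  # delete in target, or keep and log to .csv/.ldf


@dataclass
class ConnectionAgreement:
    name: str
    direction: str
    remote_target: bool     # target server is in another location (across the WAN)
    ssl: bool               # connection authenticates with SSL encryption
    primary: bool           # may create new objects in the destination directory
    deletion_policy: str
    object_counts: Dict[str, int] = field(default_factory=dict)


Finding = Tuple[str, str]   # (agreement name, rule code)


def check_agreement(ca: ConnectionAgreement) -> List[Finding]:
    """Apply the per-agreement rules from the lesson to one agreement."""
    findings: List[Finding] = []
    if ca.direction not in DIRECTIONS:
        findings.append((ca.name, "BAD_DIRECTION"))
    if ca.deletion_policy not in DELETION_POLICIES:
        findings.append((ca.name, "BAD_DELETION_POLICY"))
    if ca.remote_target and not ca.ssl:
        # Replication to another location should use SSL encryption.
        findings.append((ca.name, "NO_SSL_TO_REMOTE_SITE"))
    if any(n > MAX_OBJECTS_PER_AGREEMENT for n in ca.object_counts.values()):
        findings.append((ca.name, "TOO_MANY_OBJECTS"))
    return findings


def check_plan(agreements: List[ConnectionAgreement]) -> List[Finding]:
    """Per-agreement rules plus the plan-wide single-primary rule."""
    findings: List[Finding] = []
    for ca in agreements:
        findings.extend(check_agreement(ca))
    primaries = [ca.name for ca in agreements if ca.primary]
    if len(primaries) > 1:
        # Two primaries can each create the same object in the destination.
        findings.extend((name, "MULTIPLE_PRIMARY") for name in primaries)
    return findings


def split_agreement(ca: ConnectionAgreement) -> List[ConnectionAgreement]:
    """Divide an oversized agreement into parts within the 500-object threshold.

    Only the first part keeps the primary flag, so splitting does not itself
    produce several primary agreements (this example's own convention).
    """
    largest = max(ca.object_counts.values(), default=0)
    parts = max(1, ceil(largest / MAX_OBJECTS_PER_AGREEMENT))
    result: List[ConnectionAgreement] = []
    for i in range(parts):
        counts = {}
        for cls, n in ca.object_counts.items():
            base, extra = divmod(n, parts)       # spread the remainder over the first parts
            counts[cls] = base + (1 if i < extra else 0)
        result.append(replace(ca, name=f"{ca.name}-{i + 1}",
                              primary=ca.primary and i == 0,
                              object_counts=counts))
    return result


# Constructed sample plan; not the lesson's City Power and Light case study.
SAMPLE_PLAN = [
    ConnectionAgreement("HQ", "two-way", remote_target=False, ssl=True, primary=True,
                        deletion_policy="log",
                        object_counts={"mailboxes": 1200, "distribution lists": 40}),
    ConnectionAgreement("Branch", "exchange-to-windows", remote_target=True, ssl=False,
                        primary=False, deletion_policy="delete",
                        object_counts={"mailboxes": 300}),
    ConnectionAgreement("Training", "windows-to-exchange", remote_target=True, ssl=True,
                        primary=True, deletion_policy="log",
                        object_counts={"mailboxes": 80}),
]

if __name__ == "__main__":
    for name, code in check_plan(SAMPLE_PLAN):
        print(f"{name}: {code}")
    for part in split_agreement(SAMPLE_PLAN[0]):
        print(part.name, part.primary, part.object_counts)
```

Running the sample flags the HQ agreement for exceeding 500 mailboxes, the Branch agreement for unencrypted replication across the WAN, and both HQ and Training for being primary; splitting HQ yields three agreements of 400 mailboxes each with only the first left primary.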

Design Step: Planning Novell NetWare Bindery or NDS Synchronization with Active Directory

To plan Novell NetWare Bindery or NDS synchronization with Active Directory, you must complete the following tasks:

  1. Analyze the current Novell network.
  2. Choose one- or two-way synchronization.
  3. Identify the objects to synchronize and plan synchronization sessions.
  4. Determine administrative responsibilities.
  5. Plan pilot testing and user education.

Analyzing the Current Novell Network

To analyze the current Novell network, you should

  • Identify information stored on the Novell network and determine its owners, users, and locations. Identify all types of information stored on your NetWare network, the location in which the information is stored, the persons responsible for the information, the users who have access to the information, and the security requirements for the information.
  • Identify all hardware and software in the Novell network, indicating software that runs only on NDS. Diagram the network and all components. Identify file, print, Internet, mail, database, and any other servers. Determine whether NDS-dependent software can be replaced.
  • Obtain the hardware and software needed for future requirements. Determine the hardware and software your organization will require in the future to obtain its desired functionality. Purchase server hardware. Purchase Windows 2000 Server (which includes Client Service for NetWare) and Services for NetWare version 5 (which includes MSDSS). Purchase any Active Directory-compliant software required to replace NDS-dependent software. Obtain the latest version of Novell Client Access from the Novell Web site.
  • Diagram the current Novell namespace. Determine whether the new Active Directory namespace should be identical to or different from the existing Novell namespace.
  • Modify the current Novell or Active Directory namespace. If necessary, use NetWare administrative tools to update NDS containers, and use the Windows 2000 Active Directory Users And Computers administrative tool to create Active Directory OUs.
  • Determine how objects will map.
  • Determine whether to use direct or remote administration. Determine where you will install MSDSS and Novell Client Access and whether you will remotely administer MSDSS sessions. If you choose remote administration, install MSDSS and Novell Client Access on a computer (a non-domain controller server) running Windows 2000 Server or Windows 2000 Professional.

Choosing One- or Two-Way Synchronization

To determine which type of synchronization to use, consider the following factors:

  • Reasons to choose one-way synchronization:
    • To centralize directory administration from Active Directory
    • If your network is Windows-based or if your network is currently NDS-based but you plan to reduce the number of directories over time
    • To administer and update NDS user account passwords to support a single set of logon credentials that let users log on to both a Windows-based and a Novell-based network
    • If you are preparing to migrate your NDS-based directory environment to Active Directory
  • Reasons to choose two-way synchronization:
    • If Active Directory and NDS are each administered by a different set of network administrators
    • If your network environment contains NDS as your primary directory and you have no plans to consolidate the number of directory platforms
    • If you are planning to maintain and actively administer both directory environments for an extended period of time

Identifying Objects to Synchronize and Planning Synchronization Sessions

To define the objects to synchronize and plan the synchronization sessions required, you should

  • Identify objects to synchronize. Identify the containers you want to synchronize. Identify the Active Directory and NDS or Bindery servers between which you wish to establish a synchronization relationship.
  • Determine the number of synchronization sessions. Calculate the number of sessions needed to synchronize the desired NDS or Bindery objects. You can specify only one NDS container or Bindery server per session. All objects within that OU or Bindery server will be synchronized. In general, Microsoft advises customers to configure sessions for containers that hold up to (but not more than) 10,000 total objects. You can have up to 50 simultaneous sessions running on one domain controller, and each session can point to a different NDS or Bindery server source.
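The session constraints above (one NDS container or Bindery server per session, two-way synchronization for NDS only, at most 10,000 objects per container, up to 50 sessions per domain controller) together with the object mapping described earlier in this lesson can be applied to an inventory of Novell containers before sessions are created. The following is an added illustration written for this lesson, not part of MSDSS or Services for NetWare; its field names, finding codes and sample sources are constructed assumptions.

```python
"""Session planning for Microsoft Directory Synchronization Services (MSDSS).

Illustration written for this lesson, not part of Services for NetWare. It
applies the constraints the text states: one NDS container or Bindery server
per session, two-way synchronization for NDS only, at most 10,000 objects in
a session's container, at most 50 sessions per domain controller, and the
default object mapping (users, groups and distribution lists for both
directories; OUs and organizations for NDS only). Field names, finding codes
and the sample sources are this example's own constructions.
"""
from dataclasses import dataclass, field
from math import ceil
from typing import Dict, List, Tuple

MAX_OBJECTS_PER_SESSION = 10_000
MAX_SESSIONS_PER_DC = 50
# Object classes MSDSS maps by default, per source directory type (from the lesson).
MAPPED_CLASSES = {
    "nds": {"user", "group", "distribution list", "ou", "organization"},
    "bindery": {"user", "group", "distribution list"},
}


@dataclass
class SyncSource:
    name: str            # one NDS container or one Bindery server
    directory: str       # "nds" or "bindery"
    direction: str       # "one-way" (managed from Active Directory) or "two-way"
    object_counts: Dict[str, int] = field(default_factory=dict)


Finding = Tuple[str, str]   # (source name, finding code)


def check_source(src: SyncSource) -> List[Finding]:
    """Apply the per-session constraints to one source container or server."""
    if src.directory not in MAPPED_CLASSES:
        return [(src.name, "UNKNOWN_DIRECTORY_TYPE")]
    findings: List[Finding] = []
    if src.direction == "two-way" and src.directory != "nds":
        findings.append((src.name, "TWO_WAY_REQUIRES_NDS"))
    if sum(src.object_counts.values()) > MAX_OBJECTS_PER_SESSION:
        # Advice in the lesson: split such a container across several sessions.
        findings.append((src.name, "CONTAINER_TOO_LARGE"))
    for cls in sorted(src.object_counts):
        if cls not in MAPPED_CLASSES[src.directory]:
            # Needs custom object mapping (NDS only) or manual handling.
            findings.append((src.name, f"UNMAPPED_CLASS:{cls}"))
    return findings


def plan_sessions(sources: List[SyncSource]) -> Tuple[int, int, List[Finding]]:
    """Return (sessions, domain controllers needed, findings); one session per source."""
    findings: List[Finding] = []
    for src in sources:
        findings.extend(check_source(src))
    sessions = len(sources)
    controllers = ceil(sessions / MAX_SESSIONS_PER_DC)
    return sessions, controllers, findings


# Constructed sample sources (names and counts are invented).
SAMPLE_SOURCES = [
    SyncSource("ou=hq.o=corp", "nds", "two-way",
               {"user": 9_000, "group": 2_500, "ou": 12}),
    SyncSource("ou=lab.o=corp", "nds", "one-way", {"user": 40, "printer": 3}),
    SyncSource("FS1", "bindery", "two-way", {"user": 120, "group": 8}),
]

if __name__ == "__main__":
    sessions, controllers, findings = plan_sessions(SAMPLE_SOURCES)
    print(f"{sessions} sessions on {controllers} domain controller(s)")
    for name, code in findings:
        print(f"{name}: {code}")
```

On the sample inventory the HQ container exceeds 10,000 objects, the lab container holds a printer class outside the default mapping, and the Bindery server cannot be synchronized two-way; three sessions fit on one domain controller.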

Determining Administrative Responsibilities

To determine administrative responsibilities, you should

  • Obtain administrator permissions. If you will use one-way synchronization, confirm that you have the required permissions to extend the Active Directory schema. Although MSDSS does this automatically, you must have schema-extending administrative authority. If you will use two-way synchronization, confirm that you have the necessary permissions to extend the NDS schema.

IMPORTANT


To set up a two-way synchronization session, you must have full administrator privileges for the entire NDS container in which you are creating the synchronization session. These privileges must be maintained for the duration of the session, or objects may be deleted from either the NDS directory or Active Directory.

  • Decide delegation. When you install MSDSS, a special security group called the MSDSS Admins group is created. The MSDSS Admins group is a domain local security group that is unique to each domain, enabling you to use this group to delegate administrative control to specific users. To decide delegation, you must determine the members of the MSDSS Admins group and to whom MSDSS administrative tasks will be delegated.

Planning Pilot Testing and User Education

To plan pilot testing and user education, you should

  • Recruit a pilot group. Recruit and train a group of technically oriented users willing to help test a pilot synchronization and to support other users.
  • Educate users. Keep your organization's users informed. Be sure they know what to expect and schedule any necessary training. Explain logon procedures and how passwords will be handled. Because the preferred method for password management is to administer passwords from Active Directory only, clients will be required to log on to Active Directory. Password control can be provided from Active Directory in both one-way and two-way synchronization.

Design Step Example: Planning Directory Service Integration with Active Directory

The design step example for planning directory service synchronization with Active Directory has been divided into two areas:

  • Microsoft Exchange Server 5.5 synchronization with Active Directory
  • Novell NetWare Bindery or NDS synchronization with Active Directory

Design Step Example: Planning Microsoft Exchange Server 5.5 Synchronization with Active Directory

City Power and Light is headquartered in Indianapolis, with two branch offices, located in Gary and Ft. Wayne, and a training facility, located in Evansville. The Indianapolis and Evansville locations are administered by the main IT management department in Indianapolis. The Gary and Ft. Wayne offices each have their own small IT management departments.

The utility is currently running Windows 2000, with a server at each location running Exchange Server 5.5 (Service Pack 1 applied). The branch offices and training facility are connected to Indianapolis by WAN connections, and e-mail is routed there for connectivity to the Internet. The client workstations in Indianapolis are running Windows 2000 Professional, and the branch offices and training facility are running Windows 98-based workstations. The branch offices will continue to use Windows 98 until a decision can be made on whether to upgrade to Windows 2000 Professional or Windows ME. Budget constraints have ruled out the possibility of upgrading to Exchange 2000 Server, so the administrators will use ADC to synchronize Exchange Server directory with Active Directory.

The administrators collectively decided that the Gary and Ft. Wayne branch offices would replicate from their Exchange Server computers to Active Directory so the administration of user accounts could still be handled at the branch offices. In the Indianapolis office and at the Evansville training office, replication would occur from Active Directory to Exchange Server to simplify the administration of user accounts at headquarters.

The administrators performed the following steps to synchronize Exchange Server 5.5 with Active Directory:

  1. ADC was installed on one of the Windows 2000 domain controllers.
  2. The Exchange Server structure was changed so that its sites and containers could be mapped to Active Directory domains and OUs.
  3. Four connection agreements were defined, one between each Exchange Server site and Active Directory.
  4. Connection agreements were configured in the following manner:
    • Connections 1 and 4: One-way connection from Active Directory to Exchange Server, replicating user account information, replicating once per day at night, authenticating with SSL encryption, and set as a primary connection agreement to allow new user accounts added to Active Directory to be replicated to Exchange Server automatically.
    • Connections 2 and 3: Two-way connections between Active Directory and Exchange Server, replicating user account information, replicating on a per-event basis, authenticating with SSL encryption.

Figure 7.8 depicts how City Power and Light set up Exchange Server 5.5 synchronization with Active Directory.


Figure 7.8 Exchange Server 5.5 synchronization with Active Directory

Design Step Example: Planning Novell NetWare Bindery or NDS Synchronization with Active Directory

The following examples outline two ways of synchronizing Novell NetWare Bindery or NDS with Active Directory.

Synchronizing NDS and Active Directory

Company A would like to keep its existing NDS directory and add Active Directory until it is ready to retire NDS. The administrators analyze the Novell network and assess the readiness of the directory for synchronization. They make the necessary adjustments to prepare for synchronization. The one-way directory synchronization option is selected, and the administrators perform an initial reverse synchronization for the entire NDS directory. They determine the information to be synchronized and schedule a forward synchronization session to run from Active Directory to NDS every fifteen minutes. Pilot tests are run to determine whether the system is working correctly. Users are trained to handle the changes. At this point administrators can use Active Directory to manage network objects.

Synchronizing Specific NDS Directory Information with Active Directory

Company B would like to keep only the information stored in its NDS-based human resources application synchronized with Active Directory. No other information will be synchronized. The administrators analyze the Novell network and assess the readiness of the directory for synchronization. They make the necessary adjustments to prepare for synchronization. The two-way directory synchronization option is selected, and the administrators perform an initial reverse synchronization. They specify the objects (Novell container and Active Directory OU) between which to establish a one-to-one relationship. Pilot tests are run to determine whether the system is working correctly. Users are trained to handle the changes. The administrator then configures forward and reverse synchronization sessions for the human resources directory data.

Lesson Summary

In this lesson you learned how to plan Active Directory synchronization with Microsoft Exchange Server 5.5 directory service, Novell NetWare Bindery or NDS, and other LDAP-compliant directory services. To plan Exchange Server 5.5 synchronization with Active Directory, you learned that you must analyze the current Windows 2000 domain structure and Exchange Server site topology, determine which directory service will manage object identity, define objects to be synchronized, map Exchange Server sites and containers to Active Directory domains and OUs, map Exchange Server attributes to Active Directory attributes, determine the location of Active Directory Connectors, define the connection agreements needed to synchronize directories, and configure connection agreements. To plan Novell NetWare Bindery or NDS synchronization with Active Directory, you learned that you must analyze the current Novell network, choose one- or two-way synchronization, identify the objects to synchronize and plan synchronization sessions, determine administrative responsibilities, and plan pilot testing and user education.



MCSE Training Kit Exam 70-219(c) Designing a Microsoft Windows 2000 Directory Services Infrastructure
MCSE Designing a Microsoft Windows 2000 Directory Services Infrastructure Readiness Review; Exam 70-219 (Pro-Certification)
ISBN: 0735613648
Year: 2001
Pages: 76
