|
A key purpose of implementing a network directory is to make the operation of the network more efficient and easy to use. Unfortunately, this means that the directory cannot be rolled out without any consideration for the environment into which it is being installed. There are a few basic rules that should be followed when designing an eDirectory tree:
Each of these issues is addressed in the sections that follow. Top of the Tree Reflects Physical LayoutThe top one or two levels of an eDirectory tree form the foundation for everything that comes later. If these levels are not configured properly, the whole tree suffers. Similar to the construction of a house, the eDirectory tree foundation needs to be stable and not prone to changes in structure. The stable part of an organization tends to be its capital assets (buildings and equipment). Organizational structure might change and merge, but it still generally uses the same physical facilities. Make use of this stability by designing the foundation of the eDirectory tree around physical locations. There are four main points to address when designing the top levels of the eDirectory tree:
When you name your eDirectory tree, you are naming the [Root] object. Make the name descriptive and unique. It should also be different from other Container objects. Many use the following tree name convention: Organization Name_TREE. Next you have to decide how to create the first level in your eDirectory tree. This involves determining whether you are going to incorporate the use of a Country \ or a Locality (L) object into your eDirectory tree design, as shown in Figure 7.4. Figure 7.4. eDirectory Country and Locality objects.Country and Locality object use is optional and may not make sense depending on your directory structure. However, if it is important to comply with X.500 naming syntax in order to interact with external X.500 directories, these objects can be used. Other than that, it is probably easier to start with the Organization (O) object and define geographical regions under the organization as Organizational Unit (OU) objects, as shown in Figure 7.5. Figure 7.5. Sample eDirectory tree.Next you must determine the name of your Organization object. Every eDirectory tree must have at least one Organization container. Normally, this is the first level of the tree, so using the organization name is a good way to go. Finally, define subsequent levels of the tree around the physical network infrastructure currently employed (or planned) by the organization. Regional sites are usually defined as level 2 organizational units. A third level may also be appropriate for larger organizations to designate branch offices. Usually, three levels dedicated to the geographical structure of the organization will accommodate even the largest organizations. The opposite is true for smaller companies. In some cases where the company is located at a single site, the physical levels can be eliminated altogether, if desired. However, this strategy is not recommended if there is any chance the company will grow into multiple sites in the future because the lack of containers based on physical sites will make it more difficult to expand the eDirectory structure as the organization grows. Bottom of the Tree Reflects Organizational StructureThe bottom portion of the tree is where all the action is. Unlike the top of the tree, we fully expect adaptation and evolution to occur over time at the lower levels of the tree. This means we need to design flexibility into the system. For this reason, the lower levels of the eDirectory tree will grow based not on physical locations, but on organizational structure, as shown in Figure 7.6. The best way to visualize the eDirectory tree at this point is to look at a current copy of your company's organizational chart. You will need to understand the divisions and/or departments that operate at each physical site in order to create the lower levels of the eDirectory tree. Figure 7.6. The lower levels of an eDirectory tree mirror the organizational structure.The reason that Organizational Unit containers are so useful at this level is that they allow you to group resources together. You can put the users in the Marketing department together with their printers, servers, and applications. Then those users and resources can be managed together. As you will see in the next section, this grouping also allows you to minimize the overhead associated with maintaining replica integrity and currency. Organize Objects to Facilitate Access and AdministrationNow that you have the general tree design and containers created, the next point to consider becomes how to organize the Leaf objects that will populate the eDirectory tree. The two primary considerations for this are
In most cases, you will be able to place resources such as servers, printers, and departmental applications in the same container with the users who will need access to those resources. However, if users in multiple containers will share resources, place those resources one level above the user containers. This makes the resource much easier to locate. Furthermore, if you group users based on common needs, you can manage things like access controls, login scripts, and policies from the container level, rather than managing each user individually. Only the exceptions to the general container rules need to be specifically managed. Management by exception is tremendously powerful as a tool for reducing complexity and increasing efficiency. Partition and Replicate for Scalability and Fault ToleranceAs a distributed database, eDirectory requires a mechanism for dividing the entire database into discrete chunks that can be installed on different servers across the organization. This is done through a process of partitioning and replicating the database. PARTITIONSeDirectory allows the creation of partitions in order to distribute the directory database across the network. A copy of a given eDirectory partition is known as a replica. By creating multiple replicas of a given partition, you build fault tolerance into the directory architecture. If a server holding a partition replica fails, the partition is still available from other replica servers. Locating those portions of the eDirectory database close to those users who make use of them dramatically increases eDirectory performance. It also greatly reduces network traffic associated with directory queries. This is particularly important when multiple sites are connected by costly WAN links. The last thing you want to do is use a WAN link bandwidth for background operations like searching for a server or printer. When the first eDirectory server is installed, a [Root] partition is automatically created and a replica of that partition is stored on the eDirectory server. When [Root] exists, the rest of the directory can be built by adding the necessary Container and Leaf objects. As other eDirectory servers are installed, replicas of [Root] should be created to provide fault tolerance. If you maintain a small network at a single site, the [Root] partition might be all you need. Replicate it to two or three servers for fault tolerance and you are done. However, if your network environment is more complex, more work should be done to create an efficient eDirectory environment. Planning your eDirectory partition strategy is similar to planning the top levels of the eDirectory tree. Partition creation should follow the physical network infrastructure. WAN links should always be considered boundaries between partitions. This eliminates the need for eDirectory to pass background traffic across these links. Refer to Figure 7.3 for a view of partitioning along geographical lines. Each child partition should then be replicated to multiple servers at the site that partition is serving. When partitions have been created based on the physical boundaries, it is not usually necessary to partition the bottom layers of a tree. However, there are two possible exceptions to this:
The goal of your partitioning strategy should be a small [Root] partition and a child partition for every physical site in the network. The [Root] partition should end up containing only [Root] and the Organization object. The reason for this is explained in the next section. REPLICASA replica is a physical copy of an eDirectory partition. By default, the first replica created is designated as the Master replica. Each partition will have one, and only one, Master replica. Other replicas will be designated as Read/Write, Read-Only, and Subordinate references. There are five types of eDirectory replicas:
The eDirectory replication strategy is a balancing act between the need to provide consistency across the directory and the limitations of network hardware and bandwidth. You should follow three rules when creating your replication strategy:
TIP Novell now offers some advanced services that are helping to redefine directory design and usage in today's modern networks. For example, Nterprise Branch Office helps greatly reduce the cost and complexity of eDirectory replication at satellite offices. Identity Manager is redefining eDirectory as a world-leading meta-directory that allows data to be transparently synchronized across many potential repositories. More information on Identity Manager is available in Chapter 10, "Identity Manager Bundle Edition." For information regarding a Linux-based Nterprise Branch office, watch Novell's website! |
|