Using Novell Directory Services


NDS automatically installs on your server whenever you install any of the NetWare products that provide it, which are intraNetWare, NetWare 4.x, and NetWare 5.x. That means that you have no additional installation procedures specifically for NDS. However, you can configure NDS, which means that you also are configuring your network. Now that the principles of the NDS structure have been covered, it's time to configure NDS so that it best suits your organization. You can accomplish your administrative tasks through NWADMN32 and NDS Manager. If you are running NetWare 5.x, you will run these utilities as snap-ins through the ConsoleOne Management framework.

Novell has designed several products so that NDS will work with third-party products. The following are some examples of these products:

  • Novell NDS Corporate Edition works with Microsoft's Windows 2000 Active Directory. This product replaces NDS for NT, which worked with Microsoft's NT File System (NTFS) to provide network security.

  • NDS eDirectory allows NetWare's NDS to work in a mixed Unix-NT environment.

  • MacNDS allows Macintosh (Apple) computers to work with the NDS Directory structure.

  • NetWare NFS allows Unix NFS to work with NDS.

Using NWADMN32

The NWADMN32 utility merges all the network administrative functions into a single, intuitive interface. With it, you can see the availability and location of network resources. If you have NetWare releases prior to NetWare 5, the network administration utility is NWAdmin. The NWADMN32 utility is the management console for the entire network, through which you can do the following:

  • Create and delete NDS objects

  • Move and rename NDS objects

  • Assign rights and permissions in the NDS tree and in the NetWare file system

  • Set up print services

  • Set up licensing services

You can browse the directory tree through NWADMN32, and then double-click a selected object to see all the information and properties associated with that resource. You also can set property values for multiple objects simultaneously. With drag-and-drop functions, you can assign access rights to any NDS object and move objects within the directory tree. In addition, NWADMN32 has a configurable toolbar that has shortcuts to menu options and a configurable status bar. With it, you can hide and sort property pages for individual NDS objects. NWADMN32 also has other network administration tools through which you can manage directory trees, subtrees, and containers.

Because NWADMN32 is the location from which you will make most of your network changes, start NWADMN32 by following these steps:

  1. Log on to the network as the administrator by typing admin or by typing admin.dept.company, depending on whether you have set up the network for contextless login. You should be sure that you are running the current client software and that you have an administrator account for the network.

  2. Normally, when you log in, the operating system automatically provides you with a path to the SYS:PUBLIC directory, after which you should go to the \WIN32 subdirectory. If NetWare did not automatically send you to the SYS:PUBLIC directory, you need to map a drive to it. To do this, open the NetWare administration program, which is loaded into the SYS:PUBLIC\WIN32 directory on the NetWare server.

  3. Next, use the RUN command to execute NWADMN32.

Tip

After you access NWADMN32, the easiest way to use this application is to create a shortcut on your desktop, although you can always continue to use the RUN command to execute it.

As soon as you log in as the network administrator, the operating system will display the NetWare Administrator window, as Figure 33.5 shows. The NetWare Administrator window shows you the entire network directory.

Figure 33.5. You will see the NetWare Administrator window when you log in as the administrator.


Creating and Deleting Objects

If you need to create a new object, you should determine what kind of object you want to create (object classes were discussed earlier in this chapter). After that, follow these steps:

  1. At the NetWare Administrator window, highlight the container where you want to place the new object. If you will be deleting an object, be sure you open the container where the object is located, and then highlight the object. (Don't worry, NDS will not let you delete a container unless you first delete everything in that container.)

  2. From the toolbar, click Object to display the Object menu.

  3. If you are going to delete an object, select Delete. If you are going to add an object, select Create to display the New Object screen.

  4. Choose the type of object you want to create, and click OK. The next window you will see depends on the type of object you are creating. Regardless of the type of window you see, you will need to fill in some specific properties for the object type you have chosen.

  5. When you have filled in the necessary information, click Create.

Context and Naming

To understand where an object fits in the NDS structure, you must understand how the NDS naming system works. The context of an object implies its position in the NDS tree. Specify the context as a list of containers separated by periods, between the specified object and the [Root]. Normally, NDS automatically assigns a new object a context based on where you put it in the directory tree. The context can be represented as described here:

  • The complete name, also called the distinguished name, of an object is its object name with the context appended. An example would be username.departmentname.divisionname.companyname. A complete name does not have a leading period. A complete name can be either typeful or typeless.

  • A fully distinguished name is a complete name with a leading period, so that the name appears as such: .username.departmentname.divisionname.companyname. The leading period means that NDS will resolve the name from the root, regardless of the current context. A fully distinguished name also can be either typeful or typeless.

  • You also might see the typeful name displayed in some NDS utilities. In creating a typeful name, NDS uses the type abbreviation, an equal sign, and then the name of the object. You can use typeful names interchangeably with typeless names in NDS utilities. A typeless name is essentially a typeful name without an object type. Typeful names include the object type abbreviations shown in Table 33.3.

    Table 33.3. Typeful Name Abbreviations

    Object Class/Type              Abbreviation
    All leaf object/Common Name    CN
    Organization                   O
    Organizational Unit            OU
    Country                        C

  • Name resolution is the process that NDS uses to find the location of an object within the directory tree. When you use object names in NDS utilities, NDS resolves the names relative to either the current context or the [Root].

  • Current (workstation) context is set when the networking software runs, and it's key to understanding the use of leading periods, relative naming, and trailing periods.

  • Leading periods resolve the name from [Root], no matter where the current context was previously set.

  • Relative naming means that NDS resolves names relative to the workstation's current context, rather than [Root]. Relative naming never involves a leading period because a leading period indicates resolution from [Root]. For example, if the workstation's current context is accounting.yourcompany and the user's relative name is joeuser.accounting, NDS reads the name as joeuser in accounting in the current context.

  • Trailing periods can be used only in relative naming, and you cannot use both leading periods and trailing periods. A trailing period changes the container from which NDS has resolved the name. Each trailing period changes the resolution point one container toward the [Root].
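The resolution rules above (leading periods, relative naming, trailing periods, typeful and typeless forms) can be expressed as a small resolver. This is an added example, not Novell code and not part of the original chapter; the function names are hypothetical, the sample names are constructed, and the case-insensitive comparison in same_object is an assumption of this sketch.

```python
# Added example: NDS name resolution rules from this section (not Novell code).
TYPE_ABBREVIATIONS = {"CN", "O", "OU", "C"}  # abbreviations from Table 33.3


def strip_type(component):
    """Drop a typeful prefix: 'OU=accounting' -> 'accounting'."""
    prefix, sep, value = component.partition("=")
    if not sep:
        return component.strip()  # already typeless
    if prefix.strip().upper() not in TYPE_ABBREVIATIONS:
        raise ValueError(f"unknown type abbreviation: {prefix!r}")
    return value.strip()


def split_name(text):
    """Split a period-separated name into typeless components."""
    parts = [strip_type(p) for p in text.split(".")] if text else []
    if any(not p for p in parts):
        raise ValueError(f"empty component in {text!r}")
    return parts


def resolve(name, current_context):
    """Return the fully distinguished, typeless name the rules above produce."""
    name = name.strip()
    leading = name.startswith(".")
    trailing = len(name) - len(name.rstrip("."))
    if leading and trailing:
        raise ValueError("leading and trailing periods cannot be combined")
    body = name[1:] if leading else name[:len(name) - trailing]
    parts = split_name(body)
    if not parts:
        raise ValueError("name has no object component")
    if leading:
        # Leading period: resolve from [Root]; the current context is ignored.
        return "." + ".".join(parts)
    context = split_name(current_context.strip().strip("."))
    if trailing > len(context):
        raise ValueError("more trailing periods than containers in the context")
    # Each trailing period moves the resolution point one container toward [Root].
    return "." + ".".join(parts + context[trailing:])


def same_object(name_a, name_b, current_context):
    """True when two spellings resolve to the same object.

    Assumption of this sketch: names are compared case-insensitively.
    """
    return (resolve(name_a, current_context).casefold()
            == resolve(name_b, current_context).casefold())


if __name__ == "__main__":
    ctx = "accounting.yourcompany"  # constructed workstation context
    for sample in ("joeuser", "joeuser.sales.", ".joeuser.sales.yourcompany"):
        print(f"{sample!r:32} -> {resolve(sample, ctx)}")
```

Resolving every name to one canonical form before comparing it against a trustee list avoids treating two spellings of the same object as different principals.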

The NetWare 5 catalog services and simplified login make it easy for you to create NDS-enabled applications, improve directory access performance, and allow users to log on from any computer in any location without requiring directory knowledge. You can customize directory information that is stored in catalog or index format to enable you to search, sort, and report against the directory entries. Distribution and replication of these indexes allows administrators to quickly access a "snapshot" of the complete network directory as opposed to performing a query across the entire network. NetWare 5 has contextless login, which leverages the NDS catalog to enable users to authenticate from any point on the network by typing their login names and passwords. This type of login removes the need for the user to specify his exact user object location in the NDS tree.

Moving and Renaming Objects

The capability to move and rename objects comes in handy for things such as interdepartmental transfers. To move a Leaf object from one container to another, follow these steps:

  1. At the NetWare Administrator window, browse to the Leaf object you want to move, and click it.

  2. From the Object menu, click Move to display the Move dialog box.

  3. Browse to the destination container object and click OK.

The procedure for renaming an object is simple: Follow step 1, but click Rename at the Object menu. Type in the new name for the object, and click OK.

Assigning Rights and Setting Permissions

When you create an NDS tree, the default rights assignments give your network and its objects generalized access and security. Some of the default assignments are as shown here:

  • User Admin has Supervisor rights to [Root] for complete control over the entire directory. Admin also has Supervisor rights to the NetWare Server object for complete control over the volumes on that server. [Public] retains the Browse right to [Root] so that any user can view any objects in the NDS tree.

  • Objects created through an upgrade process or migration receive NDS trustee assignments appropriate for most situations.

NDS security controls access to directory objects such as users, groups, printers, and organizations. You can control a user's ability to modify or add objects and to view or modify their properties. When you understand NDS security, you can assign users the necessary directory and object rights while you maintain a secure network. However, before setting rights and privileges, reviewing some basic principles that relate to NDS security is in order.

Trustees

NDS security assigns rights to objects by using object trustees. The Access Control List (ACL) for each object contains the list of trustees for that object. An object trustee is any user (or other object) to whom you have assigned rights to the object. These object types often have trustee rights such as these:

  • The [Root] object

  • Organization objects

  • Organizational Unit objects

  • Organizational Role and Group objects

  • User objects

  • The [Public] trustee

To view the trustees of an object, follow these steps:

  1. At the NetWare Administrator window, highlight File System Object, then click Object, and then click Details to display the Details window for that object.

  2. Click the Trustees of This File System button to display the list of trustees for the object.

  3. If you want to see the other objects for which a certain trustee has rights, click on the trustee's name. If you want to remove a trustee, highlight the trustee's name and click the Delete Trustee button.

  4. To add a trustee, click Add Trustee to display the Select Object dialog box. In this dialog box, you can select a user, a group, or another object.

  5. After you add the trustee, you can assign rights by clicking the desired check boxes. By default, NDS assigns the Read and File Scan rights.

  6. Click OK to save your changes.

To view the objects for which a specific trustee has rights, follow these steps:

  1. At the NWADMN32 window, browse to the desired object (or user), highlight the object name, and then click Object, and click Details to display the Details window for that object.

  2. Click Rights to Files and Directories.

  3. Click the Find button to find the volumes you want to display, and then click the volumes you want to see. NWADMN32 shows you all the directories and files to which the user has rights.

  4. If you want to add rights for that user/object to another file or directory, click the Add button.

  5. In the Select Object box, browse to the desired object and highlight it, and click OK to add the user to the list of trustees for that object. You can specify which rights the user/object has, for which Read and File Scan are the defaults.

Access Control List (ACL)

The Access Control List is an attribute of NDS objects, and every object in the NDS tree has an ACL attribute. The ACL contains information such as which trustees have access to the object (entry rights), which trustees have access to the object properties, and which users or groups are denied access to that object. This information is stored as the following:

  • The trustee name

  • The affected attribute: [Entry Rights], [All Attributes Rights], or specific attributes

  • The privileges

The base schema defines a default ACL template that provides minimum access security for new objects. Because the Top object class defines the properties for a default ACL template, all object classes will inherit a default ACL template. This gives objects that create other objects the right to supervise the created object, which ensures that every new NDS object has a supervisor. When you create an object in an NDS tree, the creation process can set the object's ACLs to any value, including one that changes a value that comes from a default ACL template.

Object Rights

Object rights are the tasks that a trustee can perform on an object. When a trustee receives rights for an object, any child objects of that container inherit those rights. Subsequently, the trustee receives rights for these child objects also, unless the rights are blocked. There are five types of object rights:

  • Supervisor: The trustee receives all rights of the object, which are Browse, Create, Delete, and Rename. Unlike the Supervisor right in the file system, you can block the NDS Supervisor right through the Inherited Rights Filter (IRF).

  • Browse: The trustee can see the object in the directory tree. If an object/user does not have the Browse right, NDS will not show the object in the list.

  • Create: The trustee can create child objects under the object. This right is available only for Container objects.

  • Delete: The trustee can delete the object from the directory. To delete an object, you also must have the Write right for All Properties of the object.

  • Rename: The trustee can change the name of the object.

Property Rights

Property rights are the tasks that a trustee can perform on an object's properties. This enables the trustee to read or modify the property values. Trustees can inherit property rights in the same manner as object rights, except that they can inherit only those rights given with the All Properties option. If a trustee receives rights to selected properties of an object, child objects cannot inherit those rights because each of the types of objects, such as Users and Organizational Units, has a different list of properties. Note that although some property rights have the same name as the object rights, the two sets of values are not the same. There are five types of property rights, as listed here:

  • Supervisor: The trustee receives all property rights, which are Compare, Read, Write, and Add Self. Again, the IRF can block this right. Trustees with Supervisor object rights automatically receive Supervisor rights to All Properties of the object.

  • Compare: The trustee can compare the property's values to a given value. This enables the trustee to search for a certain value but not to look at the value itself.

  • Read: The trustee can read the values of the property. Any trustee who has the Read property right automatically receives the Compare right.

  • Write: The trustee can modify, add, or remove values of the property.

  • Add Self: The trustee object can add or remove itself as a value of the property. For example, a user who has the Add Self right for a group could add himself to the group. The Write right is automatically granted to a trustee who is granted the Add Self property.

Inherited Rights

When an object trustee receives rights to a Container object, that same trustee also receives the same rights for all children of the object. Inheritance affects both object rights and property rights. When a trustee receives rights to a Container object, those rights flow down the directory tree until they are blocked. You can block inherited rights in two ways: with a new (explicit) trustee assignment or with the Inherited Rights Filter (IRF). Figure 33.6 shows you how inherited rights work within the NDS structure and how NDS can block those rights.

Figure 33.6. Inherited rights can allow rights or block them.


Through the Inherited Rights Filter, you can control which trustee rights an object can inherit from its parent object. You cannot use the IRF to grant rights, but can only block or permit rights that the object receives from a parent directory. If the IRF includes a right, the child objects can inherit that right. If the IRF omits a right, no trustee can inherit that right for that object.

Each NDS object has an IRF for object rights, and each object has an IRF for property rights. As with the rights themselves, you can set the IRF for All Properties or Selected Properties. You also can set an IRF for all properties, and then set different IRFs for certain selected properties.

Through explicit assignments, you can block the rights that a trustee can inherit for a particular object by giving the trustee new explicit assignments to the object. You can use new trustee assignments to block inherited rights or to add rights. The new trustee assignment replaces the rights that an object would have otherwise inherited. Because explicit assignment blocks inherited rights, you do not need to consider inherited rights if you are granting an explicit assignment.

To set the IRF, follow these steps:

  1. From the NWADMN32 window, browse through the directory tree to find the desired object. Highlight the object, click Object, and then select Trustees of This Object.

  2. Click the Inherited Rights Filter button to display the Inherited Rights Filter window.

  3. You can block/allow both object rights and property rights. Check the boxes to permit inheritance of that right, or uncheck them to block that right. In addition, you can set the IRF for selected properties of that object or for all properties.

  4. When you have specified all the desired rights, click OK to apply the rights filter.

Security Equivalence

Under some conditions, a trustee can automatically receive all the rights that you or NDS has assigned to another trustee. This practice is called security equivalence, of which there are two types: implied security equivalence and explicit security equivalence. Security equivalence also includes instances in which you assign rights to a container object, and all other objects within the container will receive the same rights. If one of these objects is also a container object, the objects in that second-level container will receive the same rights of the first-level container. This is referred to as implied security equivalence or container security equivalence.

Although this process might seem very much like inheritance, it is different. With inheritance, any trustee rights you assign to a container object also will be given to the objects composing the container object. To further define the difference, remember that an object inherits the trustees assigned to its parent object, and the IRF can block these rights. On the other hand, a trustee is security equivalent to its parent objects, and the IRF cannot block those rights.

The other kind of security equivalence that an object can have is explicit security equivalence. The user's Security Equal To property lists all explicit security equivalences. You specifically assign explicit security equivalence to a user by any of these three means:

  • Through the Security Equal To property that each user has. You can add users or other objects to this list, and the user receives the rights given to those objects.

  • If you assign a user to the membership list of a Group object, the user becomes security equivalent to the Group object, and the Security Equal To property will reflect that equivalence.

  • If a user is an occupant of the Organizational Role object, the user becomes security equivalent to the Organizational Unit object, which also is reflected in the Security Equal To property.

Effective Rights

Many factors affect a user's rights to Directory objects, such as the following:

  • Rights given directly to the object/user

  • The object's inherited rights from parent objects

  • Limitations specified by the Inherited Rights Filter or an explicit assignment

  • Rights received from containers in which the user resides through implied security equivalence

  • Security equivalences to Group or Organizational Role objects

So how can you determine what users can do and what they cannot? First, you could calculate them manually, which is not a very attractive option. On the other hand, you can take advantage of the nifty little tool that NWADMN32 provides to automatically calculate the user's actual rights. The rights that a user can perform on an object are their effective rights. You can go to either the Trustees of This Object or the Rights to Other Objects properties and see the Effective Rights button. The Effective Rights window shows the current effective rights. Rights that you have granted to the user appear darkened, but those rights that the user does not have are muted. If you have made changes to the trustee rights, you must save the changes before Effective Rights will reflect those changes.
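To make the manual calculation concrete, the following added example models how the factors listed above combine for object rights. It is a simplified sketch written for this section, not Novell's algorithm or code: property rights are left out, the tree, trustees, and IRF values are constructed, and the function names are hypothetical.

```python
# Added example: simplified model of NDS effective object rights (not Novell code).
ALL = frozenset({"Supervisor", "Browse", "Create", "Delete", "Rename"})

# Constructed sample tree: object -> parent container.
PARENT = {
    "yourcompany": "[Root]",
    "admin.yourcompany": "yourcompany",
    "auditors.yourcompany": "yourcompany",            # a Group object
    "accounting.yourcompany": "yourcompany",
    "joeuser.accounting.yourcompany": "accounting.yourcompany",
    "payadmin.accounting.yourcompany": "accounting.yourcompany",
    "payroll.accounting.yourcompany": "accounting.yourcompany",
}

# Constructed ACLs: object -> {trustee: explicit object rights}.
ACL = {
    "[Root]": {"admin.yourcompany": {"Supervisor"}, "[Public]": {"Browse"}},
    "yourcompany": {"auditors.yourcompany": {"Browse", "Rename"}},
    "accounting.yourcompany": {"auditors.yourcompany": {"Browse"}},
    "payroll.accounting.yourcompany": {
        "payadmin.accounting.yourcompany": {"Supervisor"},
        "accounting.yourcompany": {"Create"},
    },
}

# Inherited Rights Filters: rights allowed to flow in (default: all of them).
IRF = {"payroll.accounting.yourcompany": frozenset({"Browse"})}

# Explicit security equivalence (Security Equal To), e.g. group membership.
SECURITY_EQUAL_TO = {"joeuser.accounting.yourcompany": {"auditors.yourcompany"}}


def path_from_root(obj):
    """Objects from [Root] down to obj, inclusive."""
    chain = [obj]
    while chain[-1] != "[Root]":
        chain.append(PARENT[chain[-1]])
    return chain[::-1]


def equivalents(subject):
    """The subject, its containers (implied equivalence), [Public], and
    everything on its Security Equal To list (explicit equivalence)."""
    return (set(path_from_root(subject)) | {"[Public]"}
            | SECURITY_EQUAL_TO.get(subject, set()))


def trustee_rights(trustee, target):
    """Rights one trustee holds at target: inherited rights pass through each
    IRF on the way down; an explicit assignment replaces what was inherited."""
    rights = frozenset()
    for obj in path_from_root(target):
        rights &= IRF.get(obj, ALL)
        explicit = ACL.get(obj, {}).get(trustee)
        if explicit is not None:
            rights = frozenset(explicit)
    return rights


def effective_rights(subject, target):
    """Union of the rights of every trustee the subject is equivalent to."""
    rights = set()
    for trustee in equivalents(subject):
        rights |= trustee_rights(trustee, target)
    return ALL if "Supervisor" in rights else frozenset(rights)


def objects_without_supervisor(admins):
    """Audit check: objects on which none of the given admins is Supervisor."""
    objects = ["[Root]"] + list(PARENT)
    return sorted(o for o in objects
                  if not any("Supervisor" in effective_rights(a, o) for a in admins))


if __name__ == "__main__":
    for who in ("admin.yourcompany", "joeuser.accounting.yourcompany"):
        for what in ("accounting.yourcompany", "payroll.accounting.yourcompany"):
            print(who, "->", what, sorted(effective_rights(who, what)))
```

In this constructed tree the IRF on payroll removes Admin's inherited Supervisor right, while joeuser still receives Create there through the explicit assignment to his container, which the IRF does not filter.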

Login Security

Because users log in to a global directory, you don't need to manage multiple server or domain accounts for each user. It also means that you don't need to manage trust relationships or pass-through authentication among domains. Although a workstation connects to the network, the user has virtually no access to the network resources until they successfully log in. Before a user logs in, the administrator must create a User object in the directory for that user. The User object has a name and password, as well as other properties.

When the user logs in, he or she enters a username and password. NetWare does not send the password across the network for authentication; this would be a security risk. Instead, network login security encrypts the username, password, workstation, and other vital details to form a unique user code. The login security performs the same process at the authenticating server, and if the codes match, the user receives network access.

Through NWADMN32, you can define several types of user access and login restrictions, as listed here:

  • Login restrictions enable you to disable the account entirely, make it expire on a certain date, or limit the number of concurrent logins for the user.

  • Password restrictions include various options dealing with passwords. You can specify whether the user can change passwords, how often the user will be required to change the password, and how many grace logins are allowed with the old password after a change is required.

  • Login Time restrictions control the times and days the user is allowed access to the network.

  • Network Address restrictions enable you to create a list of workstation addresses from which the user can access the network. This lets you limit the user to a single workstation or a particular group of workstations.

In addition to these login security types, you can define intruder detection so that you can specify a number of login attempts that the system will allow before it locks the account. You also can specify a reset interval, which unlocks the account after a certain time elapses following intruder detection. If the system locks a user's account and does not reset automatically, you can unlock it from the Intruder Lockout property of the User object.

Default Rights for a New NetWare Server

When you install a new NetWare Server object into an NDS tree, Novell has designed the operating system so that it will make the NDS trustee assignments outlined in Table 33.4 by default.

Table 33.4. Default Rights for New Servers (each default trustee, followed by its default rights)

  • Admin (first NDS server in the tree): Supervisor object right to [Root].

  • [Public] (first NDS server in the tree): Browse object right to [Root].

  • NetWare Server: Admin has the Supervisor object right to the NetWare Server object, which means that Admin also has the Supervisor right to the root directory of the file system of any NetWare volumes on the server.

  • Volumes (if created): [Root] has Read property right to the Host Server Name and Host Resource properties on all Volume objects. This gives all objects access to the physical volume name and physical server name. Admin has the Supervisor right to the root directory of the file systems on the volume. For volume SYS, the container object has Read and File Scan rights to the \PUBLIC directory of the volume. This allows User objects under the container to access NetWare utilities in \PUBLIC.

  • User: If you set the system to automatically create home directories for users, they have the Supervisor right to those directories.

Delegated Administration

NDS enables you to delegate your administration rights over an NDS tree branch and, in doing so, revoke your own management rights to that branch. This capability is useful if special security requirements require a different administrator to take over your responsibilities with complete control over that branch. You can delegate administration either by granting the Supervisor object right to a container or by creating an IRF at the container that filters the Supervisor and any other rights you want blocked.

Network Printing

NDS represents print servers, print queues, and printers as individual NDS objects that you can create and manage independently. NDS users can easily locate and capture printers and queues.

The PCONSOLE bindery utility has a Quick Setup option that makes it easy to define and link printers, print servers, and print queues. However, because you will find PCONSOLE only on bindery systems, you will most likely not have an occasion to use this utility.

NWADMN32 integrates the Print management utilities and gives you a graphical view of NDS resources to make it easy for you to administer network print services. In addition, a layout page shows all the printers attached to the print server, the queues serviced by those printers, and the print jobs in the queue.

Using NDS Manager

The NDS Manager is an NDS database administrative tool that lets you manage partitions and replicas. The Schema Manager utility of the NDS Manager enables you to manage and modify the NDS schema and distribute updated NDS versions to NetWare servers. Execute SYS:PUBLIC\WIN32\NDSMGR32.EXE to display the NDS Manager window (see Figure 33.7).

Figure 33.7. The NDS Manager window lets you manage partitions and replicas.


Partitioning

A partition is a logical division of the NDS directory database that forms a distinct unit of data in the NDS tree to store directory information. Each partition contains a set of container objects, the objects in the container, and the object properties. Keep in mind that NDS partitions contain only NDS directory information, and not any information about the file system, where your data is stored.

The NetWare default is to keep the entire directory in one partition. That being the case, how do you know whether you should partition your NDS directory? If you have in excess of 1,000 objects in your NDS tree, your server might be overwhelmed and access to NDS could be slow. A new partition allows you to divide the NDS directory and move the objects in the specified branch to a different server.

A slow WAN link is another indication that partitioning might be for you. You can make NDS perform faster and more reliably if the directory is divided into two partitions. If you left your NDS structure with only one partition, NetWare will do one of two things. It will either keep the replicas of the single partition at one site (discussed in the next section), or distribute the single partition between the servers on either side of the WAN link.

You have the option of partitioning the NDS or leaving it as one big database. The deciding factor should be slow NDS response. The two major factors that affect NDS response are size and network speed.

The problems that might arise from the first scenario are that users at the other side of the WAN link experience login and resource accessing delays. In addition, if the WAN link fails, those users cannot log in or access resources at all.

The second scenario, too, has problems: If NDS distributes the replica of the single partition between the two sites on either side of the WAN link, users can access the directory locally. However, the WAN link is the conduit for the server-to-server synchronization of replicas. This means that if the WAN link is unreliable, there might be NDS errors, not to mention that directory changes are slow to reproduce across the WAN link.

So now that you understand the benefits of partitions, let's get to the business of actually creating a partition. At the NDSMGR window, highlight the container object that will be the root of the new partition, click Object, and then click Create Partition to display the Create Partition dialog box. If you are certain that you have chosen the correct object, click the Yes button to initiate the new partition. Repeat these steps as many times as needed. Before you start creating partitions, however, you should think about why you want to create each partition, and what benefit it will serve on the network. Reasons for creating partitions include, as mentioned earlier, putting that part of the database in close proximity to the users. Another good reason to create partitions would be to divide up the workload among several other servers in a network where the directory is frequently accessed.

Creating Replicas

Replicas, as previously indicated, allow for the creation of a distributed database system within NDS. Here are a few more details so that you will know how to institute them on your NetWare network. If your network consists of at least three NDS servers, you can create replicas of the NDS directory. Replicas provide a measure of fault tolerance if a server or network link fails, which means that you will not lose your directory structure and the information about your NDS objects.

Replicas are simply a copy of the entire directory, or a copy of a partition of the directory. Each replica contains the same directory information as other replicas for that partition or the entire directory, depending on whether you use partitions. Changes to the directory or partition are replicated to the other replicas.

However, NDS replication does not provide fault tolerance for the file system (that means your data). You can establish fault tolerance for file systems through any of the most commonly used fault tolerance methods, such as disk mirroring and disk duplexing (RAID Level 1), Stripe sets with Parity (RAID 5), or Novell Replication Services (NRS). If your network provides bindery services, you must create a master or read/write replica of the directory structure.

Replication also decreases access time for users who access NDS information across a LAN or WAN link. To reduce access time, you can place a replica of the needed information on a local server (that is, on the other side of the WAN or LAN link). You can create four types of replicas, as shown here:

  • Master replica: By default, the first NDS server on your network holds the master replica. There is only one master replica for each partition at a time. If you create other replicas, they will be read/write replicas by default. If you plan to bring down the server that holds a master replica, you can promote one of the read/write replicas to the master. Then, the original master replica automatically becomes read/write. A master replica must be available on the network for NDS to perform operations such as creating a new replica or creating a new partition.

  • Read/write replica: NDS can access and change object information in the master and any read/write replicas. Any changes you make automatically replicate to all the other replicas. If NDS responds slowly to users because of delays in the network infrastructure (such as slow WAN links or busy routers), you can create a read/write replica closer to the users who need it. You can have as many read/write replicas as you have servers to hold them, although more replicas cause more traffic to keep them synchronized with each other.

  • Read-only replica: Novell created this type of replica in anticipation of capabilities that future implementations of NDS might offer. Read-only replicas receive synchronization updates from master and read/write replicas but don't receive changes directly from clients.

  • Subordinate reference replica: Subordinate reference replicas are special, system-generated replicas that don't contain all the object data of a master or a read/write replica, and therefore do not provide fault tolerance. They contain only enough information for NDS to resolve names across partition boundaries. You cannot delete a subordinate reference replica because NDS deletes it automatically when it no longer is needed. NDS creates subordinate reference replicas only on servers that hold a replica of a parent partition but that have no replicas of its child partitions. If NDS copies a replica of the child partition to a server holding the replica of the parent, the subordinate reference replica is deleted automatically.
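The replica rules above can be checked against a planned placement before you build it. The following Python sketch is an added example, not part of the original text or any Novell tool; the server names, partition names, and placements are constructed. It derives where subordinate references would appear and flags partitions without exactly one master or with fewer than two full replicas.

```python
# Constructed sample data: server names, partition names and placements are hypothetical.
PARENT = {"[Root]": None, "OU=Sales": "[Root]", "OU=Eng": "[Root]"}  # child -> parent partition

# (server, partition) -> type of the full replica an administrator placed there
REPLICAS = {
    ("FS1", "[Root]"): "master",
    ("FS2", "[Root]"): "read/write",
    ("FS2", "OU=Sales"): "master",
    ("FS3", "OU=Sales"): "read/write",
    ("FS3", "OU=Eng"): "read/write",   # no master anywhere for OU=Eng
}

def holders(replicas, partition, types=None):
    """Servers holding a replica of `partition`, optionally limited to some replica types."""
    return {s for (s, p), t in replicas.items()
            if p == partition and (types is None or t in types)}

def subordinate_references(parent, replicas):
    """(server, child partition) pairs where the rule in the text yields a subordinate
    reference: the server holds the parent partition but no replica of the child."""
    return {(server, child)
            for child, par in parent.items() if par is not None
            for server in holders(replicas, par) - holders(replicas, child)}

def audit(parent, replicas):
    """Return findings for partitions that break the replica rules described above."""
    findings = []
    for partition in parent:
        masters = holders(replicas, partition, {"master"})
        if len(masters) != 1:
            findings.append((partition, f"expected 1 master replica, found {len(masters)}"))
        if len(holders(replicas, partition)) < 2:
            findings.append((partition, "fewer than two full replicas, so no fault tolerance"))
    return findings

if __name__ == "__main__":
    for server, child in sorted(subordinate_references(PARENT, REPLICAS)):
        print(f"{server}: subordinate reference to {child}")
    for partition, problem in audit(PARENT, REPLICAS):
        print(f"{partition}: {problem}")
```

Subordinate references are derived here rather than stored, which mirrors the point that they are system-generated and do not count toward fault tolerance.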

Synchronizing Servers

When multiple servers in the network hold replicas of the same partition, those servers create a replica ring. NDS automatically keeps those servers synchronized, so the object data is consistent on all replicas. By default, the synchronization process, sometimes referred to as NDS heartbeat or skulking, takes place every 30 minutes for NetWare 4, or every 60 minutes for NetWare 5. The following NDS processes work to synchronize the servers in the replica ring:

  • Replica synchronization

  • Replica Purger

  • Schema synchronization

  • Limber

  • Janitor

  • Flat Cleaner

  • Database Initialization

  • Backlinker

In a single-server environment, the server's internal clock can maintain a common and consistent time source for the network. However, for multiserver networks, NDS requires that all the servers agree on time. Time synchronization does these things for your network:

  • Applications that run on your server provide accurate timestamps to events. Messaging and collaboration applications and databases all benefit from synchronized time.

  • You can configure workstations to get their time from the servers, taking synchronized time benefits to locally run applications.

  • NDS applies correct timestamps to NDS events.

Whenever you make changes to NDS objects, you can specify that the operating system make those changes to different replicas on different servers, and these changes must be applied in the order in which they were requested. NDS records the time of each event with a timestamp. The timestamp ensures that when NDS actually modifies the database, events appear on the replicas in the time and order in which they happened. NDS also uses timestamps to record time values for the network and set expiration dates.
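To see why timestamp ordering depends on synchronized clocks, the following Python sketch (an added example, not from the original text and not NDS's actual algorithm) models replicas that apply changes strictly in timestamp order. The server names, the "Login Disabled" attribute, and the five-minute skew are constructed for illustration.

```python
from collections import namedtuple

# real_time is seconds on a true reference clock; the servers never see it directly.
Change = namedtuple("Change", "real_time server attr value")

# Constructed sample: an account is enabled on FS1, then disabled one minute later on FS2.
CHANGES = [
    Change(100, "FS1", "Login Disabled", False),
    Change(160, "FS2", "Login Disabled", True),
]

def stamp(changes, clock_offset):
    """Each server stamps a change with its own clock: real time plus that server's offset."""
    return [(c.real_time + clock_offset.get(c.server, 0), c.server, c) for c in changes]

def converge(stamped):
    """Apply changes in timestamp order; for each attribute the latest stamp wins."""
    state = {}
    for _, _, change in sorted(stamped, key=lambda s: (s[0], s[1])):
        state[change.attr] = change.value
    return state

def misordered(stamped):
    """Pairs of changes whose timestamp order contradicts the order they really happened in."""
    by_stamp = sorted(stamped, key=lambda s: (s[0], s[1]))
    return [(a[2], b[2])
            for i, a in enumerate(by_stamp)
            for b in by_stamp[i + 1:]
            if a[2].real_time > b[2].real_time]

if __name__ == "__main__":
    in_sync = stamp(CHANGES, {})             # all servers agree on time
    skewed = stamp(CHANGES, {"FS2": -300})   # FS2's clock runs five minutes slow
    print("synchronized:", converge(in_sync))
    print("FS2 skewed:  ", converge(skewed))
    for later, earlier in misordered(skewed):
        print(f"{later.server} change sorted before {earlier.server} change it followed")
```

With the skewed clock, every replica converges on the account being enabled even though the disable happened last, which is the kind of silent misordering time synchronization is there to prevent.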

Setting Up Bindery Services

You still might find applications, such as print servers and backup software, that were written for NetWare 2.x and 3.x. These applications used the NetWare bindery instead of NDS for network access and object manipulation. As discussed before, the bindery is a flat database of objects such as users, groups, and volumes known to a given server. The bindery is server-specific and server-centric.

In addition, older NetWare client software used a bindery login procedure in which a user logged in to a specific server only. Access to multiple servers required multiple logins using multiple user accounts.

NDS allows applications written for a bindery to function using bindery services. Bindery services enable you to set a context or several contexts as a server's virtual bindery. The context you set for the server is the server's bindery context. Whenever you institute bindery services, you should keep the following in mind:

  • To use bindery services, you must set a bindery context for the server.

  • Not all NDS objects map to bindery objects. Many NDS objects, such as Alias objects, do not have a bindery equivalent.

  • Most bindery applications have been upgraded to work with NDS. Check with your application vendor to get the newest version.

  • Each server (before NetWare 5) with a bindery context must hold a master or read/write replica of the partition that includes the bindery context.



Upgrading and Repairing Networks (5th Edition)
ISBN: 078973530X
EAN: 2147483647
Year: 2003
Pages: 434
