NDS automatically installs on your server whenever you install any of the NetWare products that provide it, which are intraNetWare, NetWare 4.x, and NetWare 5.x. That means that you have no additional installation procedures specifically for NDS. However, you can configure NDS, which means that you also are configuring your network. Now that the principles of the NDS structure have been covered, it's time to configure NDS so that it best suits your organization. You can accomplish your administrative tasks through the NWADMN32 and NDS Manager. If you are running NetWare 5.x, you will run these utilities as snap-ins through the ConsoleOne Management framework. Novell has designed several products so that NDS will work with third-party products. The following are some examples of these products:
Using NWADMN32

The NWADMN32 utility merges all the network administrative functions into a single, intuitive interface. With it, you can see the availability and location of network resources. In NetWare releases prior to NetWare 5, the corresponding utility is NWAdmin. The NWADMN32 utility is the management console for the entire network, through which you can do the following:
You can browse the directory tree through NWADMN32, and then double-click a selected object to see all the information and properties associated with that resource. You also can set property values for multiple objects simultaneously. With drag-and-drop functions, you can assign access rights to any NDS object and move objects within the directory tree. In addition, NWADMN32 has a configurable toolbar that has shortcuts to menu options and a configurable status bar. With it, you can hide and sort property pages for individual NDS objects. NWADMN32 also has other network administration tools through which you can manage directory trees, subtrees, and containers. Because NWADMN32 is the location from which you will make most of your network changes, start NWADMN32 by following these steps:
As soon as you log in as the network administrator, the operating system will display the NetWare Administrator window, as Figure 33.5 shows. The NetWare Administrator window shows you the entire network directory.

Figure 33.5. You will see the NetWare Administrator window when you log in as the administrator.
Creating and Deleting Objects

If you need to create a new object, you should determine what kind of object you want to create (object classes were discussed earlier in this chapter). After that, follow these steps:
Context and Naming

To understand where an object fits in the NDS structure, you must understand how the NDS naming system works. The context of an object implies its position in the NDS tree. Specify the context as a list of containers separated by periods, between the specified object and the [Root]. Normally, NDS automatically assigns a new object a context based on where you put it in the directory tree. The context can be represented as described here:
The NetWare 5 catalog services and simplified login make it easy for you to create NDS-enabled applications, improve directory access performance, and allow users to log on from any computer in any location without requiring directory knowledge. You can customize directory information that is stored in catalog or index format to enable you to search, sort, and report against the directory entries. Distribution and replication of these indexes allows administrators to quickly access a "snapshot" of the complete network directory as opposed to performing a query across the entire network. NetWare 5 has contextless login, which leverages the NDS catalog to enable users to authenticate from any point on the network by typing their login names and passwords. This type of login removes the need for the user to specify his exact user object location in the NDS tree.

Moving and Renaming Objects

The capability to move and rename objects comes in handy for things such as interdepartmental transfers. To move a Leaf object from one container to another, follow these steps:
The procedure for renaming an object is simple: Follow step 1, but click Rename at the Object menu. Type in the new name for the object, and click OK.

Assigning Rights and Setting Permissions

When you create an NDS tree, the default rights assignments give your network and its objects generalized access and security. Some of the default assignments are as shown here:
NDS security controls access to directory objects such as users, groups, printers, and organizations. You can control a user's ability to modify or add objects and to view or modify their properties. When you understand NDS security, you can assign users the necessary directory and object rights while you maintain a secure network. However, before setting rights and privileges, reviewing some basic principles that relate to NDS security is in order.

Trustees

NDS security assigns rights to objects by using object trustees. The Access Control List (ACL) for each object contains the list of trustees for that object. An object trustee is any user (or other object) to whom you have assigned rights to the object. These object types often have trustee rights such as these:
To view the trustees of an object, follow these steps:
To view the objects for which a specific trustee has rights, follow these steps:
Access Control List (ACL)

The Access Control List is an attribute of NDS objects, and every object in the NDS tree has an ACL attribute. The ACL contains information such as which trustees have access to the object (entry rights), which trustees have access to the object properties, and which users or groups are denied access to that object. This information is stored as the following:
The base schema defines a default ACL template that provides minimum access security for new objects. Because the Top object class defines the properties for a default ACL template, all object classes will inherit a default ACL template. This gives objects that create other objects the right to supervise the created object, which ensures that every new NDS object has a supervisor. When you create an object in an NDS tree, the creation process can set the object's ACLs to any value, including one that changes a value that comes from a default ACL template.

Object Rights

Object rights are the tasks that a trustee can perform on an object. When a trustee receives rights for a container object, the child objects of that container inherit those rights. Consequently, the trustee receives rights for these child objects also, unless the rights are blocked. There are five types of object rights:
Property Rights

Property rights are the tasks that a trustee can perform on an object's properties. This enables the trustee to read or modify the property values. Trustees can inherit property rights in the same manner as object rights, except that they can inherit only those rights given with the All Properties option. If a trustee receives rights to selected properties of an object, child objects cannot inherit those rights because each of the types of objects, such as Users and Organizational Units, has a different list of properties. Note that although some property rights have the same name as the object rights, the two sets of values are not the same. There are five types of property rights, as listed here:
Inherited Rights

When an object trustee receives rights to a Container object, that same trustee also receives the same rights for all children of the object. Inheritance affects both object rights and property rights. When a trustee receives rights to a Container object, those rights flow down the directory tree until they are blocked. You can block inherited rights in two ways: with a new (explicit) trustee assignment or with the Inherited Rights Filter (IRF). Figure 33.6 shows you how inherited rights work within the NDS structure and how NDS can block those rights.

Figure 33.6. Inherited rights can allow rights or block them.
Through the Inherited Rights Filter, you can control which trustee rights an object can inherit from its parent object. You cannot use the IRF to grant rights; it can only block or permit rights that the object receives from its parent. If the IRF includes a right, the child objects can inherit that right. If the IRF omits a right, no trustee can inherit that right for that object. Each NDS object has an IRF for object rights, and each object has an IRF for property rights. As with the rights themselves, you can set the IRF for All Properties or Selected Properties. You also can set an IRF for all properties, and then set different IRFs for certain selected properties. Through explicit assignments, you can block the rights that a trustee would inherit for a particular object by giving the trustee a new explicit assignment to the object. You can use new trustee assignments to block inherited rights or to add rights. The new trustee assignment replaces the rights that the trustee would otherwise have inherited for that object. Because an explicit assignment blocks inherited rights, you do not need to consider inherited rights when you are granting an explicit assignment. To set the IRF, follow these steps:
Security Equivalence

Under some conditions, a trustee can automatically receive all the rights that you or NDS has assigned to another trustee. This practice is called security equivalence, of which there are two types: implied security equivalence and explicit security equivalence. Security equivalence also covers the case in which you assign rights to a container object, and all other objects within the container receive the same rights. If one of these objects is also a container object, the objects in that second-level container receive the same rights as the first-level container. This is referred to as implied security equivalence or container security equivalence. Although this process might seem very much like inheritance, it is different. With inheritance, any trustee rights you assign to a container object also will be given to the objects composing the container object. To further define the difference, remember that an object inherits the trustees assigned to its parent object, and the IRF can block these rights. On the other hand, a trustee is security equivalent to its parent objects, and the IRF cannot block those rights. The other kind of security equivalence that an object can have is explicit security equivalence. The user's Security Equal To property lists all explicit security equivalences. You specifically assign explicit security equivalence to a user by any of these three means:
Effective Rights

Many factors affect a user's rights to Directory objects, such as the following:
So how can you determine what users can do and what they cannot? First, you could calculate them manually, which is not a very attractive option. On the other hand, you can take advantage of the nifty little tool that NWADMN32 provides to automatically calculate the user's actual rights. The rights that a user can exercise on an object are their effective rights. You can go to either the Trustees of This Object or the Rights to Other Objects properties and see the Effective Rights button. The Effective Rights window shows the current effective rights. Rights that you have granted to the user appear darkened, but those rights that the user does not have are muted. If you have made changes to the trustee rights, you must save the changes before Effective Rights will reflect those changes.

Login Security

Because users log in to a global directory, you don't need to manage multiple server or domain accounts for each user. It also means that you don't need to manage trust relationships or pass-through authentication among domains. Although a workstation can connect to the network, the user has virtually no access to the network resources until they successfully log in. Before a user logs in, the administrator must create a User object in the directory for that user. The User object has a name and password, as well as other properties. When the user logs in, he or she enters a username and password. NetWare does not send the password across the network for authentication; this would be a security risk. Instead, network login security encrypts the username, password, workstation, and other vital details to form a unique user code. The login security performs the same process at the authenticating server, and if the codes match, the user receives network access. Through NWADMN32, you can define several types of user access and login restrictions, as listed here:
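The calculation behind the Effective Rights button can be followed by hand with a small model that combines the mechanisms described above: explicit trustee assignments, inheritance down the tree, the IRF, and security equivalence. The following Python is an added illustration, not Novell's code. It assumes typeless names in the period-separated context form, the five NDS object rights (Supervisor, Browse, Create, Delete, Rename), that an explicit assignment replaces inherited rights, that an object's IRF filters only rights arriving from its parent, and that a user is security equivalent to its containers and to its Security Equal To entries; the tree, trustees and names (Acme, Sales, Kim, SalesAdmin, SalesPrinter) are constructed.

```python
# Toy model of NDS effective object rights. Added illustration, not Novell code.
# Object rights: S=Supervisor, B=Browse, C=Create, D=Delete, R=Rename.
ALL_RIGHTS = frozenset("SBCDR")


def ancestors(name):
    """Chain from [Root] down to a typeless name such as 'Kim.Sales.Acme':
    ['[Root]', 'Acme', 'Sales.Acme', 'Kim.Sales.Acme']."""
    if name == "[Root]":
        return ["[Root]"]
    parts = name.split(".")
    chain = ["[Root]"]
    for i in range(len(parts) - 1, -1, -1):
        chain.append(".".join(parts[i:]))
    return chain


def rights_for_identity(identity, target, assignments, irf):
    """Walk from [Root] to `target`: rights flow down, each object's IRF masks
    what arrives from the parent, and an explicit assignment replaces it."""
    rights = frozenset()
    for obj in ancestors(target):
        if obj != "[Root]":
            rights &= irf.get(obj, ALL_RIGHTS)   # IRF defaults to all rights
        explicit = assignments.get((identity, obj))
        if explicit is not None:
            rights = frozenset(explicit)         # explicit replaces inherited
    return rights


def effective_rights(user, target, assignments, irf, security_equal_to=None):
    """Union of the rights of every identity the user is equivalent to: the
    user itself, its containers (implied equivalence, which no IRF removes)
    and its explicit Security Equal To entries. Supervisor implies all."""
    identities = set(ancestors(user))
    identities.update((security_equal_to or {}).get(user, ()))
    rights = set()
    for ident in identities:
        rights |= rights_for_identity(ident, target, assignments, irf)
    return ALL_RIGHTS if "S" in rights else frozenset(rights)


# Constructed scenario: Admin holds all rights at [Root]; the Sales branch is
# delegated to SalesAdmin by filtering everything but Browse at its IRF; the
# Sales container itself is a trustee of its printer, so every object in
# Sales can browse and rename the printer through container equivalence.
SAMPLE_ASSIGNMENTS = {
    ("Admin.Acme", "[Root]"): "SBCDR",
    ("SalesAdmin.Sales.Acme", "Sales.Acme"): "S",
    ("Sales.Acme", "SalesPrinter.Sales.Acme"): "BR",
}
SAMPLE_IRF = {"Sales.Acme": frozenset("B")}
SAMPLE_EQUIVALENCE = {"Kim.Sales.Acme": ["SalesAdmin.Sales.Acme"]}

if __name__ == "__main__":
    for user in ("Admin.Acme", "SalesAdmin.Sales.Acme", "Kim.Sales.Acme"):
        got = effective_rights(user, "SalesPrinter.Sales.Acme",
                               SAMPLE_ASSIGNMENTS, SAMPLE_IRF)
        print(user, "->", "".join(sorted(got)) or "(none)")
```

Note that Admin ends up with Browse only inside the delegated branch: the IRF on Sales.Acme filters Supervisor, which is exactly how the Delegated Administration section describes handing a branch to another administrator.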
In addition to these login security types, you can define intruder detection so that you can specify the number of login attempts that the system will allow before it locks the account. You also can specify a reset interval, which unlocks the account after a certain time elapses following intruder detection. If the system locks a user's account and does not reset it automatically, you can unlock it from the Intruder Lockout property of the User object.

Default Rights for a New NetWare Server

When you install a new NetWare Server object into an NDS tree, Novell has designed the operating system so that it will make the NDS trustee assignments outlined in Table 33.4 by default.

Table 33.4. Default Rights for New Servers
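The intruder detection behaviour described above (a permitted number of bad logins, a reset interval that clears the lock, and a manual unlock when no reset interval is set) can be replayed against a timeline of login events. The following Python is an added illustration, not Novell's code; the `IntruderLockout` class, its parameter names, and the event timeline are constructed, with times as plain integers in seconds.

```python
# Toy model of NDS intruder detection for one User object. Added illustration,
# not Novell code. `attempts` bad logins lock the account; `reset_interval`
# (seconds) is how long the lock lasts before it clears itself, and None means
# the lock stays until an administrator clears the Intruder Lockout property.
class IntruderLockout:
    def __init__(self, attempts, reset_interval):
        self.attempts = attempts
        self.reset_interval = reset_interval
        self.bad_logins = 0
        self.locked_at = None

    def is_locked(self, now):
        """Locked at time `now`? Clears the lock once the interval has elapsed."""
        if self.locked_at is None:
            return False
        if (self.reset_interval is not None
                and now - self.locked_at >= self.reset_interval):
            self.admin_unlock()          # reset interval elapsed: auto-unlock
            return False
        return True

    def login(self, now, password_ok):
        """Return True when the login at time `now` is accepted."""
        if self.is_locked(now):
            return False                 # a locked account refuses even a good password
        if password_ok:
            self.bad_logins = 0          # a good login clears the bad-login count
            return True
        self.bad_logins += 1
        if self.bad_logins >= self.attempts:
            self.locked_at = now         # intruder detected: lock the account
        return False

    def admin_unlock(self):
        """What clearing Intruder Lockout on the User object does."""
        self.bad_logins = 0
        self.locked_at = None


def replay(events, attempts, reset_interval):
    """Run a (time, password_ok) timeline and return the accept/refuse outcomes."""
    acct = IntruderLockout(attempts, reset_interval)
    return [acct.login(t, ok) for t, ok in events]


# Constructed timeline: three wrong passwords, a correct one while locked,
# and a correct one after more than ten minutes.
SAMPLE_EVENTS = [(0, False), (10, False), (20, False), (30, True), (700, True)]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS, attempts=3, reset_interval=600))
    print(replay(SAMPLE_EVENTS, attempts=3, reset_interval=None))
```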
Delegated Administration

NDS enables you to delegate your administration rights over an NDS tree branch, and thus revoke your own management rights to that branch. This capability is useful when special security requirements call for a different administrator to take over your responsibilities with complete control over that branch. You can delegate administration either by granting the Supervisor object right to a container or by creating an IRF at the container that filters the Supervisor right and any other rights you want blocked.

Network Printing

NDS represents print servers, print queues, and printers as individual NDS objects that you can create and manage independently. NDS users can easily locate and capture printers and queues. The PCONSOLE bindery utility has a Quick Setup option that makes it easy to define and link printers, print servers, and print queues. However, because you will find PCONSOLE only on bindery systems, you will most likely not have an occasion to use this utility. NWADMN32 integrates the print management utilities and gives you a graphical view of NDS resources to make it easy for you to administer network print services. In addition, a layout page shows all the printers attached to the print server, the queues serviced by those printers, and the print jobs in the queue.

Using NDS Manager

The NDS Manager is an NDS database administrative tool that lets you manage partitions and replicas. The Schema Manager utility of the NDS Manager enables you to manage and modify the NDS schema and distribute updated NDS versions to NetWare servers. Execute SYS:PUBLIC\WIN32\NDSMGR32.EXE to display the NDS Manager window (see Figure 33.7).

Figure 33.7. The NDS Manager window lets you manage partitions and replicas.
Partitioning

A partition is a logical division of the NDS directory database that forms a distinct unit of data in the NDS tree to store directory information. Each partition contains a set of container objects, the objects in those containers, and the object properties. Keep in mind that NDS partitions contain only NDS directory information, not information about the file system, where your data is stored.

The NetWare default is to keep the entire directory in one partition. That being the case, how do you know whether you should partition your NDS directory? You have the option of partitioning NDS or leaving it as one big database, and the deciding factor should be slow NDS response. The two major factors that affect NDS response are size and network speed. If you have in excess of 1,000 objects in your NDS tree, your server might be overwhelmed and access to NDS could be slow. A new partition allows you to divide the NDS directory and move the objects in the specified branch to a different server. A slow WAN link is another indication that partitioning might be for you: you can make NDS perform faster and more reliably if the directory is divided into two partitions.

If you leave your NDS structure with only one partition, NetWare will do one of two things. It will either keep the replicas of the single partition at one site (replicas are discussed in the next section), or distribute the replicas of the single partition between the servers on either side of the WAN link. The problem with the first scenario is that users on the other side of the WAN link experience delays when logging in and accessing resources. In addition, if the WAN link fails, those users cannot log in or access resources at all. The second scenario, too, has problems: if NDS distributes the replicas of the single partition between the two sites on either side of the WAN link, users can access the directory locally, but the WAN link becomes the conduit for the server-to-server synchronization of replicas.
This means that if the WAN link is unreliable, there might be NDS errors, not to mention that directory changes are slow to propagate across the WAN link. So now that you understand the benefits of partitions, let's get to the business of actually creating a partition. At the NDSMGR window, highlight the container object that will be the root of the new partition, click Object, and then click Create Partition to display the Create Partition dialog box. If you are certain that you have chosen the correct object, click the Yes button to initiate the new partition. Repeat these steps as many times as needed. Before you start creating partitions, however, you should think about why you want to create each partition, and what benefit it will serve on the network. Reasons for creating partitions include, as mentioned earlier, putting that part of the database in close proximity to the users. Another good reason to create partitions would be to divide up the workload among several other servers in a network where the directory is frequently accessed.

Creating Replicas

Replicas, as previously indicated, allow for the creation of a distributed database system within NDS. Here are a few more details so that you will know how to institute them on your NetWare network. If your network consists of at least three NDS servers, you can create replicas of the NDS directory. Replicas provide a measure of fault tolerance if a server or network link fails, which means that you will not lose your directory structure and the information about your NDS objects. Replicas are simply a copy of the entire directory, or a copy of a partition of the directory. Each replica contains the same directory information as the other replicas of that partition or of the entire directory, depending on whether you use partitions. Changes to the directory or partition are replicated to the other replicas. However, NDS replication does not provide fault tolerance for the file system (that means your data).
You can establish fault tolerance for file systems through any of the most commonly used fault tolerance methods, such as disk mirroring and disk duplexing (RAID Level 1), stripe sets with parity (RAID 5), or Novell Replication Services (NRS). If your network provides bindery services, you must create a master or read/write replica of the directory structure. Replication also decreases access time for users who access NDS information across a LAN or WAN link. To reduce access time, you can place a replica of the needed information on a local server (that is, on the users' side of the WAN or LAN link). You can create four types of replicas, as shown here:
Synchronizing Servers

When multiple servers in the network hold replicas of the same partition, those servers create a replica ring. NDS automatically keeps those servers synchronized, so the object data is consistent on all replicas. By default, the synchronization process, sometimes referred to as NDS heartbeat or skulking, takes place every 30 minutes for NetWare 4, or every 60 minutes for NetWare 5. The following NDS processes work to synchronize the servers in the replica ring:
In a single-server environment, the server's internal clock can maintain a common and consistent time source for the network. However, for multiserver networks, NDS requires that all the servers agree on time. Time synchronization does these things for your network:
Whenever you make changes to NDS objects, you can specify that the operating system make those changes to different replicas on different servers, and these changes must be enacted in the order in which they were requested. NDS records the time of each event with a timestamp. The timestamp ensures that when NDS actually modifies the database, events appear on the replicas in the time and order in which they happened. NDS also uses timestamps to record time values for the network and set expiration dates.

Setting Up Bindery Services

You still might find applications, such as print servers and backup software, that were written for NetWare 2.x and 3.x. These applications used the NetWare bindery instead of NDS for network access and object manipulation. As discussed before, the bindery is a flat database of objects such as users, groups, and volumes known to a given server. The bindery is server-specific and server-centric. In addition, older NetWare client software used a bindery login procedure in which a user logged in to a specific server only. Access to multiple servers required multiple logins using multiple user accounts. NDS allows applications written for a bindery to function using bindery services. Bindery services enable you to set a context or several contexts as a server's virtual bindery. The context you set for the server is the server's bindery context. Whenever you institute bindery services, you should keep the following in mind: