Synchronizing Exchange Server 2003 with Novell eDirectory


Novell eDirectory and NDS environments are commonplace in business environments, and there is an increasing need to integrate them into deployed Exchange infrastructures. Several tools exist that can make this a reality, including the MIIS 2003 tools already discussed. In addition, tools in the Microsoft-supplied Services for NetWare can be used to synchronize directory information between the two directory systems.

Understanding Novell eDirectory

Novell eDirectory is a distributed, hierarchical database of network information that is used to create a relationship between users and resources. It simplifies network management because network administrators can administer global networks from one location (or many) and manage all network resources as part of the eDirectory tree.

User administration is simplified because the users dynamically inherit access to network resources from their placement in the eDirectory tree. For example, eDirectory enables a user to dynamically inherit access to departmental resources, such as applications and printers, when that user is placed in the department's eDirectory container.

eDirectory information is typically stored on several servers, which are often at different locations. This enables information to be stored near the users who need it and provides efficient operation even if the users are geographically dispersed. Names are organized in a top-down hierarchy or tree structure. This helps users find resources in a structured manner. It also enables an administrator to administer a large network by delegating portions of the tree to local administrators.

The entries in an eDirectory database represent the resources available on the network and are referred to as objects. An object holds the information that identifies, characterizes, and locates the resource it represents. eDirectory uses a single naming system that encompasses all servers, services, and users in an internetwork. In the past, names were administered separately on each server. Now, eDirectory enables information entered once to be accessible everywhere and lets a user log in once to access diverse, geographically separated resources.

An eDirectory database can be divided into logical partitions according to business needs, network use, geographical location, access time, and other factors. These partitions can be distributed to any server represented in the directory. When an eDirectory database is distributed to multiple servers, eDirectory keeps the replicas of each partition consistent by replicating object changes to the servers that hold them.

Deploying MIIS 2003 for Identity Management with eDirectory

MIIS 2003 can be an effective tool for managing identities between Novell eDirectory environments and Active Directory. Identity information could include names, email and physical addresses, titles, department affiliations, and much more. Generally speaking, identity information is the type of data commonly found in corporate phone books or intranets. To use MIIS 2003 for identity management between Active Directory and Novell eDirectory, follow these high-level steps:

  1. Install MIIS 2003.

  2. Create a management agent for each of the directories, including an Active Directory management agent and a Novell eDirectory management agent.

  3. Configure the management agents to import directory object types into their respective connector namespaces.

  4. Configure one of the management agents (for example, the Active Directory MA) to project the connector space directory objects and directory hierarchy into the metaverse namespace.

  5. Within each management agent, configure the attribute flow rules. Attribute flow defines which attributes of each directory's objects are projected into the corresponding metaverse objects, and which metaverse attributes flow back out to each connected directory.

  6. Configure the account-joining properties for directory objects. This is the most crucial step because it determines how the objects in each directory are related to one another within the metaverse namespace. The join can be based on criteria such as employee ID or a first name and last name combination. The key is to choose the most unique combination available so that two objects with similar names are not joined to each other (for example, when two users named Tom Jones exist in Active Directory); a unique identifier such as employee ID is far safer than a name, because a wrong join writes one person's attributes into another person's account.

  7. After completely configuring the MAs and account joins, configure management agent run profiles to tell each management agent what operations to perform against the connected directory and connector namespace, for example, a full import or export of data. The first time the MA is run, the connected directory information is imported to create the initial connector namespace.

  8. After running the MAs once, you can run them a second time to propagate the authoritative metaverse data to the respective connector namespaces and out to the connected directories.

These steps outline the most common use of MIIS 2003; they can be used to simplify account maintenance tasks when several directories need to be managed simultaneously. When more sophisticated functionality using MIIS 2003 is needed, such as the automatic creation and deletion of directory entries, extensive scripting and customization of MIIS 2003 can be done to create a more complete enterprise account provisioning system.
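The projection, join, attribute-flow, and export steps above can be seen concretely in the following simulation. It is an added illustration with constructed sample data, not MIIS code or anything shipped by Microsoft: the metaverse is reduced to an in-memory dictionary, and the DNs, the company.example domain, the MA names, and the rule names are hypothetical. It mimics what the management agents do in steps 4 through 8 and shows why step 6 matters: an employee ID joins the right Tom Jones, a name-only join that matches both Tom Jones accounts is refused as ambiguous rather than guessed, an entry with no match stays a disconnector, and only joined objects receive the authoritative attributes on export.

```python
"""Simulated MIIS-style projection, join, attribute flow and export.
Added illustration with constructed sample data, not MIIS code: the
metaverse is an in-memory dictionary and all DNs are hypothetical.
"""
import copy
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class CsObject:
    """Connector-space object: one directory entry as imported by an MA."""
    dn: str
    attrs: Dict[str, str]

@dataclass
class MvObject:
    """Metaverse object: the merged, authoritative identity."""
    mv_id: str
    attrs: Dict[str, str] = field(default_factory=dict)
    connectors: Dict[str, str] = field(default_factory=dict)  # MA name -> joined dn

# Join rules, tried in priority order. Each maps attributes to a key or
# returns None when the attributes it needs are missing.
def by_employee_id(a: Dict[str, str]) -> Optional[Tuple[str, ...]]:
    return (a["employeeID"],) if a.get("employeeID") else None

def by_name(a: Dict[str, str]) -> Optional[Tuple[str, ...]]:
    if a.get("givenName") and a.get("sn"):
        return (a["givenName"].lower(), a["sn"].lower())
    return None

JOIN_RULES = [("employeeID", by_employee_id),   # unique: safe to join on
              ("givenName+sn", by_name)]        # weak: can match several people

# Attribute flow: what the projecting (authoritative) MA imports into the
# metaverse, and what flows back out to the other connected directory.
IMPORT_FLOW = ["employeeID", "givenName", "sn", "mail", "department"]
EXPORT_FLOW = ["mail", "department"]

def project(ma: str, objs: List[CsObject]) -> Dict[str, MvObject]:
    """Step 4: the projecting MA creates one metaverse object per entry."""
    mv: Dict[str, MvObject] = {}
    for i, o in enumerate(objs):
        m = MvObject(f"mv-{i:03d}", {k: o.attrs[k] for k in IMPORT_FLOW if k in o.attrs})
        m.connectors[ma] = o.dn
        mv[m.mv_id] = m
    return mv

def join(ma: str, objs: List[CsObject], mv: Dict[str, MvObject]):
    """Step 6: join each entry to exactly one metaverse object, or refuse.
    A rule that matches several metaverse objects stops evaluation: falling
    through to a weaker rule or picking a candidate would risk writing one
    person's attributes into another person's account.
    """
    joined: Dict[str, str] = {}
    ambiguous: Dict[str, Tuple[str, List[str]]] = {}
    disconnectors: List[str] = []
    for o in objs:
        match = None
        for rule_name, rule in JOIN_RULES:
            key = rule(o.attrs)
            if key is None:
                continue
            candidates = [m for m in mv.values()
                          if rule(m.attrs) == key and ma not in m.connectors]
            if len(candidates) == 1:
                match = candidates[0]
                break
            if len(candidates) > 1:
                ambiguous[o.dn] = (rule_name, [m.mv_id for m in candidates])
                break
        if match is not None:
            match.connectors[ma] = o.dn
            joined[o.dn] = match.mv_id
        elif o.dn not in ambiguous:
            disconnectors.append(o.dn)   # no match at all: stays a disconnector
    return joined, ambiguous, disconnectors

def export(ma: str, objs: List[CsObject], mv: Dict[str, MvObject]) -> Dict[str, Dict[str, str]]:
    """Step 8: push authoritative metaverse attributes to joined entries only."""
    by_dn = {o.dn: o for o in objs}
    changes: Dict[str, Dict[str, str]] = {}
    for m in mv.values():
        dn = m.connectors.get(ma)
        if dn is None:
            continue
        delta = {k: m.attrs[k] for k in EXPORT_FLOW
                 if k in m.attrs and by_dn[dn].attrs.get(k) != m.attrs[k]}
        if delta:
            by_dn[dn].attrs.update(delta)
            changes[dn] = delta
    return changes

# Constructed sample data: two Tom Jones accounts in AD, hypothetical DNs.
AD_CS = [
    CsObject("CN=Tom Jones,OU=Sales,DC=company,DC=example",
             {"employeeID": "1001", "givenName": "Tom", "sn": "Jones",
              "mail": "tjones@company.example", "department": "Sales"}),
    CsObject("CN=Tom Jones,OU=Finance,DC=company,DC=example",
             {"employeeID": "1002", "givenName": "Tom", "sn": "Jones",
              "mail": "tjones2@company.example", "department": "Finance"}),
    CsObject("CN=Ann Lee,OU=IT,DC=company,DC=example",
             {"employeeID": "1003", "givenName": "Ann", "sn": "Lee",
              "mail": "alee@company.example", "department": "IT"}),
]
EDIR_CS = [
    CsObject("cn=tjones2.ou=finance.o=company", {"givenName": "Tom", "sn": "Jones"}),  # no employeeID
    CsObject("cn=tjones.ou=sales.o=company",
             {"employeeID": "1001", "givenName": "Tom", "sn": "Jones"}),
    CsObject("cn=alee.ou=it.o=company", {"givenName": "Ann", "sn": "Lee"}),
    CsObject("cn=bsmith.ou=it.o=company", {"givenName": "Bob", "sn": "Smith"}),  # eDirectory only
]

def run_sync():
    """Run projection, join and export once on copies of the sample data."""
    ad, edir = copy.deepcopy(AD_CS), copy.deepcopy(EDIR_CS)
    mv = project("AD", ad)
    joined, ambiguous, disconnectors = join("eDirectory", edir, mv)
    return joined, ambiguous, disconnectors, export("eDirectory", edir, mv)

if __name__ == "__main__":
    for label, result in zip(("joined", "ambiguous", "disconnectors", "exported"), run_sync()):
        print(f"{label}: {result}")
```

The ambiguous entry is the case to watch for in a real deployment: the name-only eDirectory account for the second Tom Jones is left unjoined and reported, so an operator can either add a unique identifier to that entry or join it by hand, rather than letting the weaker rule pick a winner.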

Using Microsoft Directory Synchronization Service to Integrate Directories

Microsoft Directory Synchronization Services (MSDSS), part of the Services for NetWare Toolkit, is a tool used for synchronization of directory information stored in the Active Directory and NDS. MSDSS synchronizes directory information stored in Active Directory with all versions of NetWare; MSDSS supports a two-way synchronization with NDS and a one-way synchronization with Novell 3.x bindery services.

Because Active Directory does not support a container comparable to an NDS root organization and because Active Directory security differs from Novell's, MSDSS, in migration mode only, creates a corresponding domain local security group in Active Directory for each NDS organizational unit (OU) and organization. MSDSS then maps each Novell OU or organization to the corresponding Active Directory domain local security group.

MSDSS provides a single point of administration: with one-way synchronization, changes made in Active Directory are propagated to NDS during synchronization, so changes to object attributes, such as a user's middle name or address, flow from Active Directory to NDS. In two-way synchronization mode, a change made in NDS requires a full synchronization of the object to Active Directory (all attributes of the user object), not just the changed attribute.

One of the key benefits to MSDSS is password synchronization. Passwords can be administered in Active Directory and the changes propagated over to NDS during synchronization. Password synchronization allows users access to Windows Server 2003 and Novell NDS resources with the same logon credentials.

The MSDSS architecture is made up of the following three components. These components manage, map, read, and write changes that occur in Active Directory, NDS, and NetWare bindery services:

  • The configuration of the synchronization parameters is handled by the session manager.

  • An object mapper relates the objects to each other (class and attributes), namespace, rights, and permissions between the source and target directories.

  • Changes to each directory are handled by a DirSync (read/write) provider. LDAP is used for Active Directory calls and NetWare NCP calls for NDS and NetWare binderies.

In addition to the core components of MSDSS, the session configuration settings (session database) are securely stored in Active Directory. Specific scenarios for MSDSS include the following:

  • A company is migrating directly from Novell to a Windows Server 2003 network. All network services, such as DNS, DHCP, and IIS, are running on a single server. MSDSS can be used to migrate all users and files over to Windows Server 2003 after all services have been migrated.

  • A company is gradually migrating from Novell to a Windows Server 2003 network. The network services, such as DNS, DHCP, and IIS, are installed on multiple servers and sites. MSDSS can be used to migrate and synchronize the AD and NDS directories during the migration.

Installation of the Microsoft Directory Synchronization Service

The MSDSS installation is separate from the installation of File and Print Services for NetWare (FPNW); it is not installed along with the rest of the Services for NetWare tools. An organization may install FPNW on several servers, whereas MSDSS will likely be installed on only a single server, because it alone performs the synchronization between Active Directory and Novell NDS or eDirectory. MSDSS must be installed on a Windows domain controller to synchronize directory information between the two environments.

To install MSDSS on a Windows 2003 domain controller, follow these steps:

  1. On the domain controller computer on which the MSDSS will be installed, insert the CD into the CD-ROM drive.

  2. Go to the MSDSS directory on the CD-ROM (such as d:\msdss) and run the msdss.msi Windows Installer package. This launches the installation wizard.

  3. Choose to install the Microsoft Directory Synchronization Service.

NOTE

Installing MSDSS extends the schema of the Active Directory forest. As with any schema update, back up Active Directory first (see Chapter 31, "Backing Up the Exchange Server 2003 Environment," for details on a full backup of Active Directory); schema extensions cannot be undone, and the account running the installation must be a member of the Schema Admins group. Because the schema change replicates to every domain controller in the forest, not only the global catalogs, schedule the installation for a time when that replication can complete without affecting the production environment.


Synchronizing eDirectory/NDS with Active Directory Using Services for NetWare

For organizations that have both a Windows Active Directory and a Novell eDirectory (or NDS) environment, there are two primary methods of performing directory synchronization between the two directories. One method is using the Novell DirXML product, and the other method is using the MSDSS utility. With regard to synchronization of user accounts and passwords, both tools do the same job, and for the purpose of this book, the Microsoft solution will be the focus of this section. To set up directory synchronization with MSDSS, do the following:

  1. Launch the MSDSS utility by selecting Start, Programs, Administrative Tools, Directory Synchronization.

  2. Right-click on the MSDSS tool option and select New Session.

  3. Click Next at the New Session Welcome screen.

  4. At the synchronization and migration tasks screen, choose either NDS or Bindery for the type of service.

    NOTE

    Use the NDS option if Novell NetWare 4.x or higher running NDS or eDirectory is used. Use the Bindery option if Novell NetWare 3.2 or lower bindery mode is running on the Novell network.

  5. Dependent on the synchronization option, choose either a one way (from Active Directory to NDS/Bindery), a two-way (AD to NDS/Bindery and back), or a migration from NDS/Bindery to Active Directory. Click Next.

  6. For the Active Directory container and domain controller, choose the AD container to which objects will be synchronized, as well as the name of the domain controller that will be used to extract and synchronize information, similar to the settings shown in Figure 6.2. Click Next.

    Figure 6.2. Setting server synchronization information settings.

    graphics/06fig02.gif

  7. For the NDS Container and Password, select the NDS container to and/or from which AD information will be synchronized. Enter a logon name and password for a supervisor account on Novell to access the Novell directory. Click Next.

  8. On the initial reverse synchronization screen, select the password option: passwords can be set blank, set to the same value as the username, set to a random value (which is written to the log file), or set to an organizational default. Outside a test lab, avoid blank and username-derived passwords, and because random passwords are recorded in the log file, restrict access to that file and delete it once users have been issued their credentials. Click OK after making the password selection, and then click Next to continue.

  9. Click Finish to begin the synchronization/migration process.

Implementing MSDSS

MSDSS is a Windows service that runs on a Windows 2000 or Windows 2003 domain controller and replicates user account and password information between Active Directory and a Novell eDirectory or NDS environment. The following are best practices determined in the implementation of MSDSS in an enterprise environment:

  • Ensure that the MSDSS server (a Windows Active Directory domain controller) and the Novell directory server are on the same network segment or have as few hops between them as possible.

  • Because directory synchronization reads and writes information directly to the network directory, test the replication process between mirrored domain and directory services in a test lab environment before implementing MSDSS for the first time in a production environment.

  • Monitor directory and password synchronization processing times to confirm that transactions complete quickly enough for users to access network resources. If users receive authentication errors because a password change has not yet propagated, consider upgrading the MSDSS server to a faster system.

  • Password characteristic policies (required upper- and lowercase letters, numbers, or extended characters, and password change intervals) should match on both the Microsoft and Novell sides. A password accepted by one directory but rejected by the other cannot be synchronized and leaves the two accounts out of step.
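The last best practice can be checked mechanically. The following is an added example, not part of the original text or of MSDSS: it models each side's password restrictions as a small policy object, reports which side would reject a candidate password, and derives the strictest combination, which is the policy to enforce on the authoritative (Active Directory) side so that every password accepted there is also accepted by NDS. The two policies, their limits, and the sample passwords are constructed for illustration; take the real values from the domain password policy and the eDirectory/NDS password restrictions. The NDS side is modeled as case-insensitive, as legacy NDS passwords were, which is why a mixed-case requirement on that side buys nothing.

```python
"""Compare a candidate password against both directories' policies.
Added example with constructed policies, not MSDSS code.
"""
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    max_length: int
    min_categories: int         # of: lowercase, uppercase, digit, other
    require_digit: bool = False
    ascii_only: bool = False
    case_sensitive: bool = True  # False: upper and lower count as one category

def categories(pw: str, case_sensitive: bool) -> int:
    """Number of distinct character categories present in pw."""
    lower = any(c.islower() for c in pw)
    upper = any(c.isupper() for c in pw)
    digit = any(c.isdigit() for c in pw)
    other = any(not c.isalnum() for c in pw)
    letters = [lower, upper] if case_sensitive else [lower or upper]
    return sum(letters) + digit + other

def violations(pw: str, p: PasswordPolicy) -> List[str]:
    """Every reason policy p would reject pw (an empty list means accepted)."""
    v: List[str] = []
    if len(pw) < p.min_length:
        v.append(f"shorter than {p.min_length}")
    if len(pw) > p.max_length:
        v.append(f"longer than {p.max_length}")
    if categories(pw, p.case_sensitive) < p.min_categories:
        v.append(f"fewer than {p.min_categories} character categories")
    if p.require_digit and not any(c.isdigit() for c in pw):
        v.append("no digit")
    if p.ascii_only and not pw.isascii():
        v.append("non-ASCII character")
    return v

def strictest(a: PasswordPolicy, b: PasswordPolicy) -> PasswordPolicy:
    """The policy to enforce on the authoritative side: anything it accepts
    is accepted by both a and b, so synchronization never half-succeeds."""
    return PasswordPolicy(
        f"{a.name}+{b.name}",
        max(a.min_length, b.min_length), min(a.max_length, b.max_length),
        max(a.min_categories, b.min_categories),
        a.require_digit or b.require_digit, a.ascii_only or b.ascii_only,
        a.case_sensitive and b.case_sensitive)

# Constructed policies for illustration; use the real settings in practice.
AD_POLICY = PasswordPolicy("Active Directory", 7, 127, 3)
NDS_POLICY = PasswordPolicy("eDirectory", 8, 40, 3, require_digit=True,
                            ascii_only=True, case_sensitive=False)
COMBINED = strictest(AD_POLICY, NDS_POLICY)

def sync_report(pw: str) -> Dict[str, List[str]]:
    """Which side rejects pw. A password rejected on one side only is the
    case that leaves the two accounts out of step after synchronization."""
    return {p.name: violations(pw, p) for p in (AD_POLICY, NDS_POLICY)}

if __name__ == "__main__":
    for candidate in ("Passw0rd!", "Sunshine1", "Pa$$w0r", "Grüß-2024X"):
        print(candidate, sync_report(candidate), "combined:", violations(candidate, COMBINED))
```

"Sunshine1" is the instructive case: it satisfies the Active Directory rule (three categories, counting upper and lower case separately) but not the case-insensitive NDS rule, so the AD side would accept the change and the NDS side would reject it during synchronization. Enforcing COMBINED on the authoritative side prevents that split.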

Identifying Limitations on Directory Synchronization with MSDSS

Although directory synchronization can provide common logon names and passwords, MSDSS does not provide dual client support or any application-level linkage between multiple platform configurations. This means that if a Novell server is running IPX as a communication protocol and Windows is running TCP/IP, MSDSS does not do protocol conversion. Likewise, if an application is running on a Novell server requiring the Service Advertising Protocol (SAP), because Windows servers commonly use NetBIOS for device advertising, a dual client protocol stack must be enabled to provide common communications.

MSDSS merely links the logon names and passwords between multiple environments. The following are areas that need to be considered separate from the logon and password synchronization process:

  • Protocols, such as TCP/IP and IPX/SPX, must be supported by both servers and clients.

  • Applications that require communication standards for logon authentication may require a client component to be installed on the workstations or servers in the mixed environment.

  • Applications that were written for Novell servers (such as NetWare Loadable Modules [NLMs] or Btrieve databases) should be converted to support Windows.

  • Login scripts, drive mappings, or other access systems compatible with one networking environment may not work across multiple environments, so those components should be tested for full compatibility.

  • Backup utilities, antivirus applications, network management components, or system monitoring tools that work on one system should be purchased or relicensed to support another network operating configuration.

Backing Up and Restoring MSDSS Information

MSDSS configuration, tables, and system configurations are critical to the operations of the MSDSS synchronization tool. Microsoft provides a backup and restore utility that enables the storage and recovery of MSDSS information. To back up MSDSS, do the following:

  1. Select Start, Programs, Administrative Tools, MSDSS Backup & Restore Utility. A screen similar to the one shown in Figure 6.3 should appear.

    Figure 6.3. Backing up MSDSS information.

    graphics/06fig03.gif

  2. Either click on Backup Now to back up the MSDSS session directory, or change the default time when the MSDSS information should be backed up.

  3. If the session directory information is to be backed up, a prompt will indicate that the MSDSS service must be stopped. Choose Yes to continue.

  4. Upon completion of the backup, there will be a prompt that the MSDSS service will need to be restarted. Choose Yes to restart the MSDSS service.

At any time, if the MSDSS session directory information gets corrupt or behaves erratically, the MSDSS information can be restored. To restore MSDSS, do the following:

  1. Select Start, Programs, Administrative Tools, MSDSS Backup & Restore Utility.

  2. Click on Restore Now to restore the MSDSS session directory.

  3. When notified that the MSDSS service will need to be stopped, choose Yes to continue.

  4. Upon completion of the restore, a final prompt will appear to signify that the MSDSS service will need to be restarted. Choose Yes to restart the MSDSS service.



Microsoft Exchange Server 2003 Unleashed (2nd Edition)
ISBN: 0672328070
Year: 2003
Pages: 393
Authors: Rand Morimoto