Novell eDirectory and NDS environments are commonplace in business environments, and there is an increasing need to integrate them into deployed Exchange infrastructures. Several tools exist that can make this a reality, including the MIIS 2003 tools discussed. In addition, tools in the Microsoft-supplied Services for NetWare can be used to synchronize directory information between the two directory systems.

Understanding Novell eDirectory

Novell eDirectory is a distributed, hierarchical database of network information that is used to create a relationship between users and resources. It simplifies network management because network administrators can administer global networks from one location (or many) and manage all network resources as part of the eDirectory tree. User administration is simplified because the users dynamically inherit access to network resources from their placement in the eDirectory tree. For example, eDirectory enables a user to dynamically inherit access to departmental resources, such as applications and printers, when that user is placed in the department's eDirectory container.

eDirectory information is typically stored on several servers, which are often at different locations. This enables information to be stored near the users who need it and provides efficient operation even if the users are geographically dispersed. Names are organized in a top-down hierarchy or tree structure. This helps users find resources in a structured manner. It also enables an administrator to administer a large network by delegating portions of the tree to local administrators.

The entries in an eDirectory database represent network resources available on the network and are referred to as objects. An object contains information that identifies, characterizes, and locates information pertaining to the resource it represents. eDirectory uses a single naming system that encompasses all servers, services, and users in an internetwork.
In the past, names were administered separately on each server. Now, eDirectory enables information entered once to be accessible everywhere and lets a user log in once to access diverse, geographically separated resources. An eDirectory database can be divided into logical partitions according to business needs, network use, geographical location, access time, and other factors. These partitions can be distributed to any server represented in the directory. When an eDirectory database is distributed to multiple servers, eDirectory maintains the equality of the distributed logical partitions by distributing object information changes to the appropriate servers.

Deploying MIIS 2003 for Identity Management with eDirectory

MIIS 2003 can be an effective tool for managing identities between Novell eDirectory environments and Active Directory. Identity information could include names, email and physical addresses, titles, department affiliations, and much more. Generally speaking, identity information is the type of data commonly found in corporate phone books or intranets. To use MIIS 2003 for identity management between Active Directory and Novell eDirectory, follow these high-level steps:
These steps outline the most common use of MIIS 2003; these steps can be used to simplify account maintenance tasks when several directories need to be managed simultaneously. When more sophisticated functionality using MIIS 2003 is needed, such as the automatic creation and deletion of directory entries, extensive scripting and customization of MIIS 2003 can be done to create a more complete enterprise account provisioning system.

Using Microsoft Directory Synchronization Service to Integrate Directories

Microsoft Directory Synchronization Services (MSDSS), part of the Services for NetWare Toolkit, is a tool used for synchronization of directory information stored in the Active Directory and NDS. MSDSS synchronizes directory information stored in Active Directory with all versions of NetWare; MSDSS supports a two-way synchronization with NDS and a one-way synchronization with Novell 3.x bindery services. Because Active Directory does not support a container comparable to an NDS root organization and because Active Directory security differs from Novell, MSDSS, in migration mode only, creates a corresponding domain local security group in Active Directory for each NDS organizational unit (OU) and organization. MSDSS then maps each Novell OU or organization to the corresponding Active Directory domain local security group.

MSDSS provides a single point of administration; with a one-way synchronization, changes made to Active Directory will be propagated over to NDS during synchronization. Synchronization from Active Directory to NDS allows changes to object attributes, such as a user's middle name or address, to be propagated. In two-way synchronization mode, changes from NDS to Active Directory require a full synchronization of the object (all attributes of the user object). One of the key benefits to MSDSS is password synchronization. Passwords can be administered in Active Directory and the changes propagated over to NDS during synchronization.
Password synchronization allows users access to Windows Server 2003 and Novell NDS resources with the same logon credentials. The MSDSS architecture is made up of the following three components. These components manage, map, read, and write changes that occur in Active Directory, NDS, and NetWare bindery services:
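The following PowerShell script is an added example, not code from the book and not part of MIIS 2003 or MSDSS. It models two things the preceding sections describe: the kind of identity attributes (name, email, title, department, phone) that are mapped between eDirectory and Active Directory, and the difference between the one-way Active Directory-to-NDS mode, which propagates only the attributes that changed, and the two-way NDS-to-Active Directory mode, which rewrites the whole user object. The attribute mapping table and both user records are constructed for illustration; the attribute names are standard LDAP and Active Directory names, but the mapping itself is an assumption, not the product's own.

```powershell
# Added example (not from the book, MIIS 2003 or MSDSS): models attribute mapping
# and the two MSDSS propagation modes on constructed data. Nothing here touches a
# real directory; passwords are deliberately excluded, since MSDSS propagates them
# through its own mechanism rather than as a readable attribute.

# Active Directory attribute -> eDirectory attribute (assumed mapping for illustration)
$AdToEdir = @{
    'givenName'       = 'givenName'
    'sn'              = 'sn'
    'mail'            = 'mail'
    'title'           = 'title'
    'department'      = 'ou'
    'telephoneNumber' = 'telephoneNumber'
}

# Constructed eDirectory entry, as an LDAP read of the user might return it
$edirUser = @{
    'cn'              = 'jsmith'
    'givenName'       = 'Jane'
    'sn'              = 'Smith'
    'mail'            = 'jsmith@example.com'
    'title'           = 'Engineer'
    'ou'              = 'Engineering'
    'telephoneNumber' = '+1 555 0100'
}

# Constructed Active Directory copy of the same user, already synchronized once
$adUser = @{
    'sAMAccountName'  = 'jsmith'
    'givenName'       = 'Jane'
    'sn'              = 'Smith'
    'mail'            = 'jsmith@example.com'
    'title'           = 'Engineer'
    'department'      = 'Engineering'
    'telephoneNumber' = '+1 555 0100'
}

function Get-OneWayDelta {
    # Forward (AD -> NDS) mode: compare attribute by attribute and return only the
    # eDirectory attributes that actually need to be written.
    param([hashtable]$AdUser, [hashtable]$EdirUser, [hashtable]$Map)
    $delta = @{}
    foreach ($adAttr in $Map.Keys) {
        $edirAttr = $Map[$adAttr]
        if ($AdUser[$adAttr] -ne $EdirUser[$edirAttr]) {
            $delta[$edirAttr] = $AdUser[$adAttr]
        }
    }
    return $delta
}

function Get-TwoWayFullObject {
    # Reverse (NDS -> AD) mode: the whole user object is resynchronized, so every
    # mapped attribute is emitted whether or not its value changed.
    param([hashtable]$EdirUser, [hashtable]$Map)
    $full = @{}
    foreach ($adAttr in $Map.Keys) {
        $full[$adAttr] = $EdirUser[$Map[$adAttr]]
    }
    return $full
}

# Simulate an administrator changing the user's title in Active Directory
$adUser['title'] = 'Senior Engineer'
$forward = Get-OneWayDelta -AdUser $adUser -EdirUser $edirUser -Map $AdToEdir
"Forward sync writes $($forward.Count) attribute(s) to eDirectory:"
$forward.GetEnumerator() | ForEach-Object { "  $($_.Key) = $($_.Value)" }

# Simulate a change made on the eDirectory side instead
$edirUser['telephoneNumber'] = '+1 555 0199'
$reverse = Get-TwoWayFullObject -EdirUser $edirUser -Map $AdToEdir
"Reverse sync writes $($reverse.Count) attribute(s) to Active Directory (full object):"
$reverse.GetEnumerator() | Sort-Object Key | ForEach-Object { "  $($_.Key) = $($_.Value)" }
```

Run as-is, the forward pass reports a single attribute (title) while the reverse pass reports all six mapped attributes even though only the telephone number changed. The practical consequence is that reverse synchronization generates far more directory writes and audit events per change, which matters when sizing synchronization windows and when reviewing Active Directory change logs.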
In addition to the core components of MSDSS, the session configuration settings (session database) are securely stored in Active Directory. Specific scenarios for MSDSS include the following:
Installation of the Microsoft Directory Synchronization Service

Separate from the installation of the File and Print Services for NetWare (FPNW) is the installation of the MSDSS. This tool is not installed with the rest of the File and Print Services for NetWare tools; an organization may install FPNW on one server, whereas MSDSS will likely be installed only on a single server. Effectively, MSDSS does the synchronization between Active Directory and Novell NDS and eDirectory. MSDSS needs to be installed on a Windows domain controller to properly synchronize directory information between the two different network environments. To install MSDSS on a Windows 2003 domain controller, follow these steps:
NOTE: Installing MSDSS initiates an extension of the schema of the Active Directory forest. As with any schema update, the Active Directory should be backed up (see Chapter 31, "Backing Up the Exchange Server 2003 Environment," for details on doing a full backup of the Active Directory). Also with a schema update, because the update will replicate directory changes to all global catalogs throughout the organization, the replication should be done at a time when a Global Catalog synchronization can take place without impact on the normal production environment.

Synchronizing eDirectory/NDS with Active Directory Using Services for NetWare

For organizations that have both a Windows Active Directory and a Novell eDirectory (or NDS) environment, there are two primary methods of performing directory synchronization between the two directories. One method is using the Novell DirXML product, and the other method is using the MSDSS utility. With regard to synchronization of user accounts and passwords, both tools do the same job, and for the purpose of this book, the Microsoft solution will be the focus of this section. To set up directory synchronization with MSDSS, do the following:
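The note above calls for a backup before the MSDSS schema extension and for scheduling the change so that forest-wide replication does not disrupt production. The following PowerShell script is an added example, not from the book and not part of MSDSS or Services for NetWare, that performs the pre-flight checks an administrator would want before any schema extension and provides a function to confirm afterwards that the new schema version has replicated to every domain controller. It assumes the Active Directory PowerShell module (from RSAT or a domain controller running Windows Server 2008 R2 or later) is available and that the session is running as the account that will perform the installation; the `wbadmin` check applies only where Windows Server Backup is installed. The script reads directory state only and changes nothing.

```powershell
# Added example (not from the book, MSDSS or Services for NetWare): read-only
# pre-flight checks before a forest schema extension, plus a post-change
# replication check. Assumes the ActiveDirectory PowerShell module is available.

Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$forest  = Get-ADForest

# 1. Schema extensions are applied on the schema master; record which DC holds it.
"Schema master FSMO role holder : $($forest.SchemaMaster)"

# 2. Record the schema partition's objectVersion before the change so the
#    extension can be confirmed afterwards.
$schema = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion
"Schema objectVersion (before)  : $($schema.objectVersion)"

# 3. Schema changes require Schema Admins membership (a forest-root group);
#    query it on the schema master so this works from a child domain too.
$schemaAdmins = Get-ADGroupMember -Identity 'Schema Admins' -Recursive -Server $forest.SchemaMaster |
    Select-Object -ExpandProperty SamAccountName
"Current user ($env:USERNAME) in Schema Admins: $($schemaAdmins -contains $env:USERNAME)"

# 4. A schema change replicates to every DC and global catalog; do not start it
#    while replication failures are outstanding anywhere in the forest.
$failures = @(Get-ADReplicationFailure -Target $forest.Name -Scope Forest)
"Outstanding replication failures: $($failures.Count)"
$failures | Select-Object Server, Partner, FailureCount, LastError | Format-Table -AutoSize

# 5. Confirm a recent system state backup exists (Windows Server Backup only).
if (Get-Command wbadmin -ErrorAction SilentlyContinue) {
    wbadmin get versions | Select-String 'Backup time'
} else {
    "wbadmin not present: verify the Active Directory backup with your backup tool before proceeding."
}

function Get-SchemaVersionPerDC {
    # Read the schema partition's objectVersion from every DC in the forest.
    # After the MSDSS schema extension, all values should match once the change
    # has replicated; any DC still reporting the old value has not converged.
    param([string]$SchemaNC)
    foreach ($domain in $forest.Domains) {
        foreach ($dc in (Get-ADDomainController -Filter * -Server $domain)) {
            $v = (Get-ADObject -Server $dc.HostName -Identity $SchemaNC -Properties objectVersion).objectVersion
            [pscustomobject]@{ DomainController = $dc.HostName; Domain = $domain; SchemaVersion = $v }
        }
    }
}

# Usage after installation: every row should show the same SchemaVersion.
Get-SchemaVersionPerDC -SchemaNC $rootDse.schemaNamingContext | Format-Table -AutoSize
```

Run the script once before installing MSDSS and keep the output; after the installation, rerun only the last line and compare. Until every domain controller reports the same schema version, the global catalogs are still replicating the change, which is exactly the window the note says should fall outside normal production hours.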
Implementing MSDSS

MSDSS runs on a Windows 2000 or Windows 2003 domain controller and replicates user account and password information between the Active Directory environment and a Novell eDirectory or NDS environment. MSDSS is a Windows service that synchronizes user account information between Active Directory and NetWare. The following are best practices determined in the implementation of MSDSS in an enterprise environment:
Identifying Limitations on Directory Synchronization with MSDSS

Although directory synchronization can provide common logon names and passwords, MSDSS does not provide dual client support or any application-level linkage between multiple platform configurations. This means that if a Novell server is running IPX as a communication protocol and Windows is running TCP/IP, MSDSS does not do protocol conversion. Likewise, if an application is running on a Novell server requiring the Service Advertising Protocol (SAP), because Windows servers commonly use NetBIOS for device advertising, a dual client protocol stack must be enabled to provide common communications. MSDSS merely links the logon names and passwords between multiple environments. The following are areas that need to be considered separate from the logon and password synchronization process:
Backing Up and Restoring MSDSS Information

MSDSS configuration, tables, and system configurations are critical to the operations of the MSDSS synchronization tool. Microsoft provides a backup and restore utility that enables the storage and recovery of MSDSS information. To back up MSDSS, do the following:
At any time, if the MSDSS session directory information gets corrupt or behaves erratically, the MSDSS information can be restored. To restore MSDSS, do the following: