Synchronizing Exchange Server 2007 with Novell eDirectory

Written by Ruper Meredith; published April 2007.




Novell eDirectory and Novell Directory Services (NDS) environments are relatively commonplace in business, and there is often a need to integrate them with a deployed Exchange infrastructure. Several tools can make this a reality, including the MIIS 2003 tools discussed earlier. In addition, the Microsoft Directory Synchronization Services (MSDSS) tool supplied with Services for NetWare can be used to synchronize directory information between the two directory systems.

NOTE

Exchange 2000 Server and Exchange Server 2003 included a GroupWise connector component that automatically synchronized GroupWise address list information and calendaring data directly with Exchange. This connector is no longer supported in Exchange 2007, so the only effective ways to synchronize a Novell directory with Exchange 2007 are either a synchronization tool such as MIIS 2003 or Microsoft Directory Synchronization Services (MSDSS), or keeping an Exchange 2003 server with the connector installed within the organization.

Understanding Novell eDirectory

Novell eDirectory is a distributed, hierarchical database of network information that is used to create a relationship between users and resources. It simplifies network management because network administrators can administer global networks from one location (or many) and manage all network resources as part of the eDirectory tree.

User administration is simplified because the users dynamically inherit access to network resources from their placement in the eDirectory tree. For example, eDirectory enables a user to dynamically inherit access to departmental resources, such as applications and printers, when that user is placed in the department’s eDirectory container.

eDirectory information is typically stored on several servers, which are often at different locations. This enables information to be stored near the users who need it and provides efficient operation even if the users are geographically dispersed. Names are organized in a top-down hierarchy or tree structure. This helps users find resources in a structured manner. It also enables an administrator to administer a large network by delegating portions of the tree to local administrators.

The entries in an eDirectory database represent network resources available on the network and are referred to as objects. An object contains information that identifies, characterizes, and locates information pertaining to the resource it represents. eDirectory uses a single naming system that encompasses all servers, services, and users in an internetwork. In the past, names were administered separately on each server. Now, eDirectory enables information entered once to be accessible everywhere and lets a user log in once to access diverse, geographically separated resources.

An eDirectory database can be divided into logical partitions according to business needs, network use, geographical location, access time, and other factors. These partitions can be distributed to any server represented in the directory. When an eDirectory database is distributed to multiple servers, eDirectory maintains the equality of the distributed logical partitions by distributing object information changes to the appropriate servers.

Deploying MIIS 2003 for Identity Management with eDirectory

MIIS 2003 can be an effective tool for managing identities between Novell eDirectory environments and Active Directory. Identity information could include names, email and physical addresses, titles, department affiliations, and much more. Generally speaking, identity information is the type of data commonly found in corporate phone books or intranets. To use MIIS 2003 for identity management between Active Directory and Novell eDirectory, follow these high-level steps:

1. Install MIIS 2003 and the latest service packs and patches.

2. Create a management agent (MA) for each directory: an Active Directory MA and a Novell eDirectory MA.

3. Configure the MAs to import directory object types into their respective connector spaces.

4. Configure one of the MAs (for example, the Active Directory MA) to project the connector space objects and directory hierarchy into the metaverse namespace.

5. Configure the attribute flow rules for each MA. Attribute flow defines which attributes of each directory's objects are projected into the corresponding metaverse objects.

6. Configure the account-joining properties for directory objects. This is the most crucial step because it determines how the objects in each directory are related to one another within the metaverse namespace. The join can use criteria such as an employee ID or a first-name and last-name combination. Prefer an attribute that is unique and stable, such as an employee ID, over a name combination: two users named Tom Jones in Active Directory would both match a name-based rule, and a join that matches more than one object must be treated as an error and resolved by hand, because joining the wrong pair flows one person's attributes onto another person's account.

7. After completely configuring the MAs and account joins, configure MA run profiles to tell each MA what to perform against its connected directory and connector space, for example a full import or a full export. The first time an MA runs, the connected directory's information is imported to create the initial connector space.

8. After running the MAs once, run them a second time to propagate the authoritative metaverse data to the respective connector spaces and out to the connected directories.

These steps outline the most common use of MIIS 2003 and simplify account maintenance when several directories must be managed simultaneously. When more sophisticated functionality is needed, such as the automatic creation and deletion of directory entries, MIIS 2003 can be extended with extensive scripting and customization to create a more complete enterprise account provisioning system.
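The account-join rule in step 6 is the part of this procedure most worth testing before it touches production data. The following is an added example, not code from the article, from MIIS 2003, or from Microsoft: a small simulation of the join step over two constructed connector spaces (Active Directory and eDirectory), first on a first-name/last-name rule and then on an employee-ID rule. The records and the attribute names employeeID and workforceID are assumptions for illustration. The point it shows is that an ambiguous match must be refused rather than resolved arbitrarily, and that an unmatched object stays a disconnector for review.

```python
"""Added example (not code from the article, MIIS 2003, or Microsoft): a
small simulation of the MIIS account-join step, to show why the join
attribute must be unique. All records are constructed sample data, and
the attribute names employeeID/workforceID are assumptions."""
from collections import defaultdict

# Constructed Active Directory connector-space objects (sample data).
AD_CS = [
    {"dn": "CN=Tom Jones,OU=Sales,DC=corp,DC=local", "givenName": "Tom",
     "sn": "Jones", "employeeID": "10041"},
    {"dn": "CN=Tom Jones,OU=IT,DC=corp,DC=local", "givenName": "Tom",
     "sn": "Jones", "employeeID": "10077"},
    {"dn": "CN=Ana Silva,OU=Finance,DC=corp,DC=local", "givenName": "Ana",
     "sn": "Silva", "employeeID": "10102"},
]

# Constructed eDirectory connector-space objects (sample data). The last
# one has no Active Directory counterpart.
EDIR_CS = [
    {"dn": "cn=tjones,ou=sales,o=corp", "givenName": "Tom", "sn": "Jones",
     "workforceID": "10041"},
    {"dn": "cn=tjones2,ou=it,o=corp", "givenName": "Tom", "sn": "Jones",
     "workforceID": "10077"},
    {"dn": "cn=asilva,ou=finance,o=corp", "givenName": "Ana", "sn": "Silva",
     "workforceID": "10102"},
    {"dn": "cn=bwu,ou=hr,o=corp", "givenName": "Bo", "sn": "Wu",
     "workforceID": "10150"},
]


class AmbiguousJoin(Exception):
    """Raised when a join rule matches more than one metaverse object."""


def project(records, key_fn):
    """Project connector-space objects into a metaverse indexed by key_fn."""
    metaverse = defaultdict(list)
    for rec in records:
        metaverse[key_fn(rec)].append(rec)
    return metaverse


def join(ad_records, edir_records, ad_key, edir_key):
    """Join eDirectory objects to metaverse objects projected from AD.

    Returns (joined, disconnectors): joined maps AD DN -> eDirectory DN;
    disconnectors lists eDirectory DNs with no match, left for review.
    A key matching more than one metaverse object raises AmbiguousJoin
    instead of picking one, because a wrong join flows one person's
    attributes (and, with password sync, credentials) onto another's account.
    """
    metaverse = project(ad_records, ad_key)
    joined, disconnectors = {}, []
    for rec in edir_records:
        key = edir_key(rec)
        candidates = metaverse.get(key, [])
        if len(candidates) > 1:
            raise AmbiguousJoin(
                f"{rec['dn']}: {len(candidates)} metaverse objects match "
                f"{key!r}; refusing to join")
        if not candidates:
            disconnectors.append(rec["dn"])
            continue
        joined[candidates[0]["dn"]] = rec["dn"]
    return joined, disconnectors


def name_key(rec):
    """Join on first name + last name (case-insensitive): not unique."""
    return (rec["givenName"].lower(), rec["sn"].lower())


def employee_id_key_ad(rec):
    return rec["employeeID"]


def employee_id_key_edir(rec):
    return rec["workforceID"]


def try_join(ad_key, edir_key):
    """Run the join and return its result, or the error text if ambiguous."""
    try:
        return join(AD_CS, EDIR_CS, ad_key, edir_key)
    except AmbiguousJoin as err:
        return str(err)


if __name__ == "__main__":
    print("name join:       ", try_join(name_key, name_key))
    print("employee-ID join:", try_join(employee_id_key_ad, employee_id_key_edir))
```

Run as a script, the name-based join stops at the first Tom Jones with a refusal message, while the employee-ID join links all three shared accounts and reports cn=bwu as a disconnector. Real MIIS join rules are configured in the MA properties rather than in Python, but the decision logic to carry over is the same: never let a rule silently pick one of several candidates.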

Using Microsoft Directory Synchronization Services to Integrate Directories

Microsoft Directory Synchronization Services (MSDSS), part of the Services for NetWare toolkit, synchronizes directory information stored in Active Directory and NDS. MSDSS works with all versions of NetWare; it supports two-way synchronization with NDS and one-way synchronization with NetWare 3.x bindery services.

Because Active Directory has no container comparable to an NDS root organization, and because Active Directory security differs from Novell's, MSDSS (in migration mode only) creates a corresponding domain local security group in Active Directory for each NDS organizational unit (OU) and organization, and then maps each Novell OU or organization to that group.

MSDSS provides a single point of administration. With one-way synchronization, changes made in Active Directory are propagated to NDS during synchronization, including changes to object attributes such as a user's middle name or address. In two-way synchronization mode, a change made in NDS requires a full synchronization of the object (all attributes of the user object) to Active Directory.

One of the key benefits of MSDSS is password synchronization. Passwords can be administered in Active Directory and the changes propagated to NDS during synchronization, so users can access Windows Server 2003 and Novell NDS resources with the same logon credentials. Because MSDSS writes passwords into NDS, the domain controller it runs on and the Novell account it uses (see the setup steps later in this section) can set any synchronized user's Novell password; treat both as high-value targets and restrict who can administer them.

The MSDSS architecture is made up of the following three components, which manage, map, read, and write changes that occur in Active Directory, NDS, and NetWare bindery services:

. A session manager handles the configuration of the synchronization parameters.

. An object mapper relates objects (classes and attributes), namespaces, rights, and permissions between the source and target directories.

. A DirSync (read/write) provider handles changes to each directory, using LDAP for Active Directory calls and NetWare Core Protocol (NCP) calls for NDS and NetWare binderies.

In addition to the core components, the session configuration settings (the session database) are stored in Active Directory. Typical scenarios for MSDSS include the following:

. A company is migrating directly from Novell to a Windows Server 2003 network. All network services—such as domain name system (DNS), Dynamic Host Configuration Protocol (DHCP), and Internet Information Services (IIS)—are running on a single server. MSDSS can be used to migrate all users and files over to Windows Server 2003 after all services have been migrated.

. A company is gradually migrating from Novell to a Windows Server 2003 network. The network services—such as DNS, DHCP, and IIS—are installed on multiple servers and sites. MSDSS can be used to migrate and synchronize AD and NDS directories during the migration.

Installing the Microsoft Directory Synchronization Service

MSDSS needs to be installed on a Windows domain controller to properly synchronize directory information between the two different network environments. To install MSDSS on a Windows Server 2003 domain controller, follow these steps:

1.  On the domain controller computer on which MSDSS will be installed, insert the CD into the CD-ROM drive.

2.  Go into the MSDSS directory on the CD-ROM (such as d:\msdss) and run the msdss.msi Windows Installer package. This launches the Microsoft Directory Synchronization Service Installation Wizard.

3.  Choose to install the Microsoft Directory Synchronization Service.

NOTE

Installing MSDSS extends the schema of the Active Directory forest. As with any schema update, back up Active Directory first, and run the installation with an account that is a member of the Schema Admins group. Because the schema partition replicates to every domain controller in the forest, schedule the update for a time when that replication can complete without affecting the normal production environment.

Synchronizing eDirectory/NDS with Active Directory Using Services for NetWare

For organizations that have both a Windows Active Directory and a Novell eDirectory (or NDS) environment, two primary methods are available to perform directory synchronization between the two directories. One method is using the Novell DirXML product, and the other method is using the MSDSS utility. To set up directory synchronization with MSDSS, do the following:

1.  Launch the MSDSS utility by selecting Start, Programs, Administrative Tools, Directory Synchronization.

2.  Right-click on the MSDSS tool option, and select New Session.

3.  Click Next at the New Session Wizard welcome screen.

4.  At the Synchronization and Migration Tasks screen, choose either NDS or Bindery for the type of service.

NOTE

Use the NDS option if Novell NetWare 4.x or higher running NDS or eDirectory is used. Use the Bindery option if Novell NetWare 3.2 or lower bindery mode is running on the Novell network.

5.  Depending on the synchronization option, choose either a one-way (from AD to NDS/Bindery), a two-way (AD to NDS/Bindery and back), or a migration from NDS/Bindery to AD. Click Next.

6.  For the Active Directory container and domain controller, choose the AD container to which objects will be synchronized, as well as the name of the domain controller that will be used to extract and synchronize information. Click Next.

7.  For the NDS container and password, select the NDS container to and/or from which AD information will be synchronized. Enter the logon name and password of a Novell account with supervisor rights to that container. Use a dedicated service account for this rather than a personal administrator login, because MSDSS keeps these credentials for the life of the session and uses them to write user objects and passwords. Click Next.

8.  On the initial reverse synchronization screen, select the password option that defines how passwords are set for newly created accounts: blank, the same as the username, a random value (written to the log file so it can be viewed), or an organizational default. Blank and username-equal passwords leave the new accounts open to anyone who knows a login name; if the random option is used, the log file then holds every new password in clear text, so restrict access to it and delete it once the passwords have been distributed. Click OK after selecting the password option, and then click Next to continue.

9.  Click Finish to begin the synchronization/migration process.

Implementing MSDSS

MSDSS runs as a Windows service on a Windows 2000 Server or Windows Server 2003 domain controller and replicates user account and password information between Active Directory and a Novell eDirectory or NDS environment. The following best practices come from implementing MSDSS in enterprise environments:

. Ensure that the domain controller running MSDSS and the Novell directory server are on the same network segment or have only a few hops between them.

. Because directory synchronization reads and writes directly to the production directories, test the replication process between mirrored domain and directory services in a lab environment before implementing MSDSS in production for the first time.

. Monitor directory and password synchronization processing times to confirm that changes propagate fast enough for users to access network resources. Authentication errors reported by users shortly after a password change are a sign that synchronization is lagging; if the MSDSS server is the bottleneck, consider upgrading it to a faster system.

. Password policies (requirements for upper- and lowercase letters, numbers, or extended characters, and password change intervals) should match on both the Microsoft and Novell sides. Otherwise a password accepted on one side can be rejected by the other during synchronization, leaving the two accounts with different credentials.
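Two of the points above (the password option chosen on the initial reverse synchronization screen, and the requirement that the password policies match on both sides) can be checked before the wizard is run. The following is an added example, not code from the article or from MSDSS: it defines one policy for both directories, flags the blank and same-as-username choices as weak, and generates policy-compliant random initial passwords with a cryptographically secure generator. The policy values, the symbol set, and the sample usernames are assumptions for illustration and should be replaced with the real Active Directory and NDS settings.

```python
"""Added example (not code from the article or from MSDSS): checking and
generating the initial passwords that the reverse-synchronization step
assigns. The policy values, the symbol set, and the sample usernames are
assumptions for illustration."""
import secrets
import string

# Assumed policy, defined once so the same rule can be applied to both the
# Active Directory and the NDS/eDirectory side.
POLICY = {"min_length": 12, "upper": 1, "lower": 1, "digit": 1, "symbol": 1}
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"


def check_policy(password, policy=POLICY):
    """Return the list of policy rules the password violates (empty = OK)."""
    counts = {
        "upper": sum(c.isupper() for c in password),
        "lower": sum(c.islower() for c in password),
        "digit": sum(c.isdigit() for c in password),
        "symbol": sum(c in SYMBOLS for c in password),
    }
    problems = []
    if len(password) < policy["min_length"]:
        problems.append("min_length")
    for rule, have in counts.items():
        if have < policy[rule]:
            problems.append(rule)
    return problems


def initial_password_is_weak(username, password, policy=POLICY):
    """True for the wizard's blank and same-as-username options, and for any
    value that fails the shared policy; such accounts are guessable by
    anyone who knows a login name."""
    if not password or password.lower() == username.lower():
        return True
    return bool(check_policy(password, policy))


def random_initial_password(policy=POLICY):
    """Generate a policy-compliant password with a CSPRNG (the secrets
    module). The required number of characters from each class is placed
    first, the remainder is drawn from the whole alphabet, and the result
    is shuffled so the class characters are not at predictable positions."""
    classes = {
        "upper": string.ascii_uppercase,
        "lower": string.ascii_lowercase,
        "digit": string.digits,
        "symbol": SYMBOLS,
    }
    chars = []
    for rule, alphabet in classes.items():
        chars.extend(secrets.choice(alphabet) for _ in range(policy[rule]))
    full_alphabet = "".join(classes.values())
    while len(chars) < policy["min_length"]:
        chars.append(secrets.choice(full_alphabet))
    # Fisher-Yates shuffle driven by the CSPRNG.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def assign_initial_passwords(usernames, policy=POLICY):
    """Return {username: password} for a batch of new accounts. This mapping
    is the equivalent of the MSDSS log file: keep it access-restricted and
    destroy it once the passwords have been handed out."""
    return {name: random_initial_password(policy) for name in usernames}


if __name__ == "__main__":
    # Constructed sample usernames.
    for user, pw in assign_initial_passwords(["tjones", "asilva"]).items():
        status = "weak" if initial_password_is_weak(user, pw) else "ok"
        print(user, pw, status)
```

The generator is deliberately driven by the secrets module rather than random, since the passwords it produces are real credentials for the accounts MSDSS creates. check_policy is the part to keep in sync with the two directories: if either side rejects a password this function accepts, the policies are not actually aligned.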

Identifying Limitations on Directory Synchronization with MSDSS

Although directory synchronization can provide common logon names and passwords, MSDSS does not provide dual-client support or any application-level linkage between the platforms. If a Novell server uses IPX as its communication protocol and Windows uses TCP/IP, MSDSS does not perform protocol conversion. Likewise, if an application running on a Novell server requires SAP, whereas Windows servers commonly use NetBIOS for device advertising, a dual client protocol stack must be enabled to provide common communications.

MSDSS merely links the logon names and passwords between multiple environments. The following are areas that need to be considered separate from the logon and password synchronization process:

. Protocols, such as TCP/IP and IPX/SPX, should be supported by servers and clients.

. Applications that require communication standards for logon authentication might require a client component to be installed on the workstations or servers in the mixed environment.

. Applications that were written for Novell servers (such as NetWare Loadable Modules [NLMs] or Btrieve databases) should be converted to support Windows.

. Logon scripts, drive mappings, or other access systems compatible with one networking environment might not work across multiple environments, so those components should be tested for full compatibility.

. Backup utilities, antivirus applications, network management components, or system monitoring tools that work on one system should be purchased or relicensed to support another network operating configuration.

Backing Up and Restoring MSDSS Information

MSDSS configuration, tables, and system configurations are critical to the operations of the MSDSS synchronization tool. Microsoft provides a backup and restore utility that enables the storage and recovery of MSDSS information. To back up MSDSS, do the following:

1.  Select Start, Programs, Administrative Tools, MSDSS Backup & Restore Utility.

2.  Either click Backup Now to back up the MSDSS session directory, or change the default time when the MSDSS information should be backed up.

3.  If the session directory information is to be backed up, the utility notifies you that the MSDSS service must be stopped. Choose Yes to continue.

4.  Upon completion of the backup, there will be a prompt that the MSDSS service will need to be restarted. Choose Yes to restart the MSDSS service.

At any time, if the MSDSS session directory information becomes corrupt or behaves erratically, the MSDSS information can be restored. To restore MSDSS, do the following:

1.  Select Start, Programs, Administrative Tools, MSDSS Backup & Restore Utility.

2.  Click Restore Now to restore the MSDSS session directory.

3.  When notified that the MSDSS service will need to be stopped, choose Yes to continue.

4.  Upon completion of the restore, a final prompt will appear to signify that the MSDSS service will need to be restarted. Choose Yes to restart the MSDSS service.
