Integration with NetWare Directory Services

Windows NT Server included several tools for integrating with a Novell NetWare environment, including Gateway Services for NetWare (GSNW), File and Print for NetWare (FPNW), and NetWare Convert. Of these three utilities, NetWare Convert was the only tool designed to actually integrate and migrate directory information between a NetWare directory and a Windows NT 4.0 directory. Windows 2000 Server includes a new version of NetWare Convert. The tool is now called the Directory Services Migration Tool (DSMT). In addition to DSMT, there is an important tool for integrating NDS, as well as other directories, and Active Directory for long-term coexistence. This tool is called the DirSync Server. This is an add-on tool to Windows 2000.

The Active Directory DirSync Server is a Windows 2000 service that runs on a Windows 2000 DC. DirSync Server is actually a collection of components that integrate to provide directory synchronization (see Figure 3.7). These components are

  • DirSync session manager— The session manager manages the sessions between disparate directories. Each session includes a pair of directories and a set of parameters for synchronizing the two directories.

  • Directory providers— Each directory has a directory provider that reads changes incrementally or writes changes incrementally to the directory that the provider supports. There is a directory provider for NetWare directory services.

  • Object mappers— Object mappers provide a mapping of objects in the directory schema, access rights and permissions, and namespace for each directory.

Figure 3.7. The DirSync server architecture provides an integrated environment for synchronizing NDS and Active Directory.


Session Manager and Sessions

The session manager coordinates the synchronization process between directories. The session manager provides logging, error handling, recovery, and performance counters.

Sessions are defined by a set of session parameters. A sample of the most common session parameters follows:

  • Session owner— The session owner is the identification of the DC on which DirSync is running. Only one DirSync process can run on a DC computer.

  • Session ID— The session ID is a unique identifier for the session on the DC that owns it.

  • Session name— The session name is a friendly name provided by the administrator for the session.

  • Session flags— The session flags specify if two-way synchronization is enabled and if the session is enabled or disabled. Disabled sessions are not started automatically.

  • Source directory— The source directory identifies the source directory type, server location, and logon credentials.

  • Target directory— The target directory identifies the target directory type, server location, and logon credentials.

  • Schedule— The schedule specifies when sessions are to be executed.

  • Log level— The log level specifies the level of logging needed for each session.

Challenges

Implementing a synchronization architecture between NDS and Active Directory has several challenges. Both NDS and Active Directory are based on the X.500 directory standard. Consequently, there can be some confusion between the semantics used to describe a directory structure in NDS versus a directory structure in Active Directory. For example, containers in NDS are equivalent to OUs in Active Directory.

The first step in developing a plan for integrating NDS and Active Directory is to map the NDS directory hierarchy that exists and to map the Active Directory hierarchy that either already exists or is in development. This includes mapping all objects and attributes, as well as security and access rights on each container in the directory. After the directories have been mapped, the next step is to identify the master/slave relationships between objects in each directory.

There are limitations to the services that the DirSync Server can provide. These limitations include

  • There is support for only one-to-one mapping of object IDs. It is not possible to map a one-to-many relationship between an object in an NDS directory and Active Directory.

  • Synchronization takes place on a container level, not on an object level. This means that all objects in a container and all child containers are synchronized between the two directory environments. It is not possible to synchronize a single object in a container.
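
The following Python check is an added example, not code from the book or from DirSync Server. It reviews a planned set of sessions against the two limitations above and the rule that a session ID is unique on its owning DC; the dictionary field names, the sample plan, and the use of comma-separated DN notation for both directories are assumptions made for illustration.

```python
from collections import defaultdict

def rdns(dn):
    """Split a DN into lower-cased RDNs, leaf first (assumes no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]

def is_under(child, parent):
    """True if container DN `child` equals or lies beneath container DN `parent`."""
    c, p = rdns(child), rdns(parent)
    return len(c) >= len(p) and c[len(c) - len(p):] == p

def check_plan(sessions):
    """Return sorted findings for a planned set of synchronization sessions."""
    findings = set()
    # A session ID must be unique on the DC that owns the session.
    by_id = defaultdict(list)
    for s in sessions:
        by_id[(s["owner"].lower(), s["id"])].append(s["name"])
    for (owner, sid), names in by_id.items():
        if len(names) > 1:
            findings.add(f"duplicate session ID {sid} on {owner}: {sorted(names)}")
    # Synchronization covers a container and all its child containers, so two
    # sessions whose containers are equal or nested would map the same objects
    # twice, which breaks the one-to-one mapping requirement.
    for i, a in enumerate(sessions):
        for b in sessions[i + 1:]:
            for side in ("source", "target"):
                if is_under(a[side], b[side]) or is_under(b[side], a[side]):
                    findings.add(f"{side} overlap: {a['name']} / {b['name']}")
    return sorted(findings)

# Constructed sample plan; owners, names and DNs are illustrative only.
PLAN = [
    {"owner": "DC1", "id": 1, "name": "sales",
     "source": "ou=Sales,o=Acme", "target": "ou=Sales,dc=acme,dc=example"},
    {"owner": "DC1", "id": 2, "name": "sales-emea",
     "source": "ou=EMEA,ou=Sales,o=Acme", "target": "ou=EMEA,dc=acme,dc=example"},
    {"owner": "DC1", "id": 2, "name": "hr",
     "source": "ou=HR,o=Acme", "target": "ou=HR,dc=acme,dc=example"},
]

if __name__ == "__main__":
    for finding in check_plan(PLAN):
        print(finding)
```
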
