AD with Novell

Peter

We are running Novell as NOS. However, there is a Windows
2000 Server that we want to set up a domain. According to
newsgroup, Novell NDS should be compatible with AD.

We would like to know how to change the 2000 Server from a
standalone server to a Domain Controller. Besides, we
would like to know what other services (like DNS ...) have
to be installed on the Server so that it will be a DC?

Thanks
 
Cary Shultz [A.D. MVP]

Peter,

Welcome to Microsoft's Active Directory. I would suggest that you get
yourself a book on Active Directory. Please do not misunderstand me but if
you are asking this question then I will have to operate under the
assumption that you are a Novell person with not much experience with
Microsoft's Active Directory. WIN2000 / WIN2003 Active Directory is a big
beast that takes time to learn.

You can always buy one of the Sybex books that will prepare you for the
MCSA/MCSE certification ( yes, even if you are not preparing for the exams).
This would give you a good starting point. Not trying to promote one
publisher over another. I just happen to like the Sybex books. There are a
lot of other publishers out there. Go to http://www.bookpool.com or
http://www.amazon.com and do a search for Active Directory. The choices
will be a bit overwhelming. There is also a really good book from O'Reilly
that is a bit more involved and there is always 'Inside Active Directory' -
which is very involved. It is a rather thick book. Might be a bit too much
right now. Naturally, Mastering Windows 2000 and now Mastering Windows 2003
( from Mark Minasi and Sybex ) need to be on everyone's bookshelf.

I would also suggest that you get yourself a separate book on Group Policy -
which is a big part of Active Directory. The Windows 2000 Group Policy,
Profiles and IntelliMirror by Jeremy Moskowitz is a really nice book ( and
Sybex just released the WIN2003 version ).

Anyway, you would want to open up Start | Run and enter 'dcpromo' - without
the quotes - on the WIN2000 member server. This will initiate the process
to make it a Domain Controller. Do you have any local user accounts on it?
IIRC, this process will make them domain user account objects. You will
have to create all of your users ( er, those that exist on your Novell
server ) from scratch. Well, I am sure that this is not accurate. I would
like to think that there would be a tool that would 'connect' the two
databases so that they synch up. I would have to look this up.

DNS is all important with WIN2000 and WIN2003. The dcpromo process will
give you the option to install DNS on the Domain Controller. You need to
have DNS that understands SRV records and that understands Dynamic Updates.
Please believe me when I tell you that if DNS is not absolutely correct that
you will have a lot of weird problems ( I know, not a very technical
sentence! ). And please refrain from using a single-label domain name.
What is this? Well, when you have a dns name of nkdsolutions instead of the
required nkdsolutions.com ( or .local or .org or .ad or whatever ). You
must have the "dot whatever" in there.....

Remember, you are going to have two directories, the Novell and the
Microsoft.

HTH,

Cary
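
The two DNS points in the reply above (no single-label domain name, and a zone that holds the domain controller's SRV records) can be checked before and after running dcpromo. The following is an added example, not part of the original thread: the zone listing, the host name dc1 and the function names are constructed, and the SRV names checked are a subset of what a domain controller registers.

```python
"""Pre-dcpromo DNS checks: domain name shape and SRV records in a zone listing."""
import re

# SRV owner names a domain controller registers, with the expected port.
# A subset chosen for this example; {d} is the AD DNS domain name.
REQUIRED_SRV = {
    "_ldap._tcp.{d}": 389,
    "_kerberos._tcp.{d}": 88,
    "_kpasswd._tcp.{d}": 464,
    "_ldap._tcp.dc._msdcs.{d}": 389,
    "_kerberos._tcp.dc._msdcs.{d}": 88,
}
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")
# Zone-file style line: owner [ttl] [IN] SRV priority weight port target
SRV_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$",
    re.IGNORECASE,
)

# Constructed sample zone listing for the thread's example name
# nkdsolutions.com; the host dc1 and its address are made up.
SAMPLE_ZONE = """\
; zone listing (constructed)
dc1.nkdsolutions.com.                   3600 IN A   192.0.2.10
_ldap._tcp.nkdsolutions.com.            600  IN SRV 0 100 389 dc1.nkdsolutions.com.
_kerberos._tcp.nkdsolutions.com.        600  IN SRV 0 100 88  dc1.nkdsolutions.com.
_ldap._tcp.dc._msdcs.nkdsolutions.com.  600  IN SRV 0 100 389 dc1.nkdsolutions.com.
"""


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def domain_name_problems(name):
    """Return reasons the name is unsuitable as an AD DNS domain name."""
    n = normalize(name)
    labels = n.split(".") if n else []
    problems = []
    if len(labels) < 2:
        problems.append("single-label name: add a suffix such as .com or .local")
    if len(n) > 253:
        problems.append("name longer than 253 characters")
    problems += ["invalid label: %r" % l for l in labels if not LABEL_RE.match(l)]
    return problems


def parse_srv(zone_text):
    """Map owner name -> list of (priority, weight, port, target)."""
    records = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        m = SRV_RE.match(line)
        if m:
            rec = (int(m["prio"]), int(m["weight"]), int(m["port"]),
                   normalize(m["target"]))
            records.setdefault(normalize(m["owner"]), []).append(rec)
    return records


def srv_findings(domain, zone_text):
    """Return (owner, problem) pairs for missing or mis-ported SRV records."""
    present = parse_srv(zone_text)
    d = normalize(domain)
    findings = []
    for template, port in REQUIRED_SRV.items():
        owner = template.format(d=d)
        if owner not in present:
            findings.append((owner, "missing"))
        elif all(rec[2] != port for rec in present[owner]):
            findings.append((owner, "no record on port %d" % port))
    return findings


if __name__ == "__main__":
    for name in ("nkdsolutions", "nkdsolutions.com"):
        print(name, "->", domain_name_problems(name) or "ok")
    for owner, problem in srv_findings("nkdsolutions.com", SAMPLE_ZONE):
        print(owner, "->", problem)
```

Whether the zone accepts dynamic updates is a DNS server setting and cannot be read from a zone listing, so it is not covered here.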
 
Enkidu

We are running Novell as NOS. However, there is a Windows
2000 Server that we want to set up a domain. According to
newsgroup, Novell NDS should be compatible with AD.

We would like to know how to change the 2000 Server from a
standalone server to a Domain Controller. Besides, we
would like to know what other services (like DNS ...) have
to be installed on the Server so that it will be a DC?

What Cary says.

1) You need a book or to do research

2) You need to ensure your DNS setup is 100%

3) The upgrade process installs all necessary services.

4) Active Directory is NOT Novell NDS.

Expect there to be things that you'd do in NDS that are done
differently in AD to what they are done in NDS. An exact replication
of facilities is not achievable. I believe that the same would be
true, going from AD to NDS, but you don't hear of many people doing
that.

There may be things that NDS hides from users that are exposed in AD.
There may be things in AD that you would like to expose to the users
that AD won't reveal.

Don't sweat the differences! Your install will go much better....

Cheers,

Cliff
 
In Disguise

Peter,

Novell NetWare 6.5 can be used as a Domain Controller, if that is what
you want to do. The documentation for this is:
http://www.novell.com/documentation...=/documentation/nw65/native/data/bqls7eg.html

Another good link:
http://www.iwantnetware.com/

The best bet is to put eDirectory on Windows. eDirectory - unlike
Active Directory - can be installed on multiple platforms, such as
Windows, NetWare, Linux, AS/400, etc. You can also manage the entire
Directory from any web browser, from any computer. This includes DNS,
DHCP, etc. Clients can be DOS, Windows 3.x, OS/2, Win9x, Linux, etc.
Unlike the latest version of AD, eDirectory is not client-dependent, so
you don't have to upgrade all of your workstations, if you don't want to.

For a good comparison between the two, check out
http://www.iwantnetware.com/edir-vs-ad.pdf.

There's just no comparison, really. With eDirectory, you can partition
and replicate all or parts of the Directory. No need for Global
Catalogs, Backup Domain Controllers, Site Servers, etc.

When Novell teaches eDirectory, students have single-server environments
that have billion-object trees, with over 100 million objects per
container. All this on a single-processor, single-server environment.
Active Directory can't touch that.

The MCSE Windows Server 2003 Active Directory and Network Infrastructure
Design (Chapter 8 in the book) states that, "It is recommended that if
there are 500 or more users within a site, the domain controller that is
authenticating them should have at least dual 899 MHz processors."

It also states, "The formula that is used to determine the approximate
amount of drive space that the directory database will consume is
(number of users / 1000) * .4GB." An example given is that 72,000
users require a minimum of 28.8 GB of disk space. That's just for
Active Directory alone.

Should you decide to keep Active Directory and eDirectory, you may want
to use Identity Management 2 (IDM2) www.novell.com/identitymanager.

This lets you synchronize AD, eDirectory, PeopleSoft, Exchange,
GroupWise, SQL, and any other data store all together. This way,
someone leaves the organization, you only have one click to disable or
delete all of their accounts, whether it resides on MS-based, Linux,
Unix, AS/400, NetWare, etc.
 
Enkidu

Peter,

Novell NetWare 6.5 can be used as a Domain Controller, if that is what
you want to do. The documentation for this is:
http://www.novell.com/documentation...=/documentation/nw65/native/data/bqls7eg.html

That's only for NT type Primary Domain Controllers, and there are
a dwindling number of those around.
In spite of the bleat and moan on the above site, let's face it,
Novell's NDS, always a second runner, is on the way out.

NDS is one of those things in computing that are loved by the IT
department but hated by the users. And don't get me started on
Groupwise!

Cheers,

Cliff
 
Andrew Mitchell

In spite of the bleat and moan on the above site, let's face it,
Novell's NDS, always a second runner,

So what does that make AD? (which wasn't available for a full 7 years after
NDS appeared)

is on the way out.

Maybe because Novell replaced it with eDirectory........

NDS is one of those things in computing that are loved by the IT
department but hated by the users.

What do you base that on? The directory service is transparent to the end
user.
 
In Disguise

Showing your ignorance, and I am embarrassed for you. When you get a
chance, check out this article:
http://www.novell.com/coolsolutions/nds/features/a_insideout_ad_edir.html

An excerpt:

"To start to understand why Active Directory pales to other industry
directory offerings - particularly Novell eDirectory - one must remember
why Active Directory was created. Windows NT 4 Server and prior releases
had major scaling and management limitations as a result of Microsoft
carrying forward its legacy LanManager account management system into
Windows NT Domain Services. However, rather than scrapping the old and
building anew, Microsoft built a directory on many of the premises,
protocols and limitations of Windows NT Domain Services. The result
today is Active Directory, a retrofitting of Windows domains into a
quasi-directory hierarchy."

BTW, eDirectory has over one billion licensed connections world-wide.
How about AD? Every Fortune 1000 company uses it. eDirectory is
continually being developed to expand upon their dominance.

Active Directory has been out since when? Windows 2000 introduced it,
and now it is in Windows 2003. Hmmm....

NT started at version 3.1, then 3.5, 3.51, 4.0, then Windows 2000.
NetWare has gone through revisions of ELS, ELS2, NetWare 2.1, 2.11,
2.12, 3.0, 3.10, 3.11, 3.12, 3.2, 4.0, 4.01, 4.02, 4.1, 4.11, 4.2, 5.0,
5.1, 6.0, and then 6.5. eDirectory / NDS was introduced in v4.0. It
has years of development and deployment ahead of AD, yet AD - with all
of M$ cash machine and millionaire programmers behind it - is still
nowhere close to eDirectory in terms of reliability, scalability,
deployment, and functionality.

Can you use MS-provided tools to manage the Directory and OS via web
browser? Can with NetWare / eDirectory - and the browser can be any
browser, not IE.

Everything that I have posted are facts, not opinions. All you can post
in return are more M$ FUD. Typical.

Regarding GroupWise, it is virtually virus and exploit-free. The
"ILoveYou" virus didn't hit GroupWise. Same with Melissa, et al. It is
inherently more secure, which is why the US Government and Military use
GroupWise exclusively. WebAccess to your email has been a standard for
GroupWise for years now. I hear Exchange is just now picking up on it.
It can run on Linux, NetWare, or Windows. Exchange, like all other
M$-based products, will only run on Windows, so you are tied to a
particular OS.
 
Enkidu

So what does that make AD? (which wasn't available for a full 7 years after
NDS appeared)


Maybe because Novell replaced it with eDirectory........



What do you base that on? The directory service is transparent to the end
user.

I just realised that I started a flame war. Sorry, my frustration and
irritation at Novell's NDS based on *five years* as an end-user still
rankles after a few years away. Yes, I do know the users hated it, and
yes, I do know that IT loved it.

Cheers,

Cliff
 
Enkidu

Showing your ignorance, and I am embarrassed for you. When you get a
chance, check out this article:
http://www.novell.com/coolsolutions/nds/features/a_insideout_ad_edir.html

An excerpt:

"To start to understand why Active Directory pales to other industry
directory offerings - particularly Novell eDirectory - one must remember
why Active Directory was created. Windows NT 4 Server and prior releases
had major scaling and management limitations as a result of Microsoft
carrying forward its legacy LanManager account management system into
Windows NT Domain Services. However, rather than scrapping the old and
building anew, Microsoft built a directory on many of the premises,
protocols and limitations of Windows NT Domain Services. The result
today is Active Directory, a retrofitting of Windows domains into a
quasi-directory hierarchy."

You post opinion as fact? Oh well.

NT started at version 3.1, then 3.5, 3.51, 4.0, then Windows 2000.
NetWare has gone through revisions of ELS, ELS2, NetWare 2.1, 2.11,
2.12, 3.0, 3.10, 3.11, 3.12, 3.2, 4.0, 4.01, 4.02, 4.1, 4.11, 4.2, 5.0,
5.1, 6.0, and then 6.5. eDirectory / NDS was introduced in v4.0. It
has years of development and deployment ahead of AD, yet AD - with all
of M$ cash machine and millionaire programmers behind it - is still
nowhere close to eDirectory in terms of reliability, scalability,
deployment, and functionality.

What you don't point out is that *every* major version upgrade has
been traumatic for the end users. There are still Netware 3.11
machines out there, not because they are stable (which they mostly
are), but because no one *dares* to upgrade them.

This is personal experience, not some waffly opinion piece. I've been
on the receiving end and the picture I have is not pleasant.

Can you use MS-provided tools to manage the Directory and OS via web
browser? Can with NetWare / eDirectory - and the browser can be any
browser, not IE.

Having the tools available via a web browser is nice operationally.
It's not a big deal. It does add another layer of security risk.

Everything that I have posted are facts, not opinions. All you can post
in return are more M$ FUD. Typical.

Regarding GroupWise, it is virtually virus and exploit-free. The
"ILoveYou" virus didn't hit GroupWise. Same with Melissa, et al. It is
inherently more secure, which is why the US Government and Military use
GroupWise exclusively. WebAccess to your email has been a standard for
GroupWise for years now. I hear Exchange is just now picking up on it.
It can run on Linux, NetWare, or Windows. Exchange, like all other
M$-based products, will only run on Windows, so you are tied to a
particular OS.

Here's some of the things that I have personally had happen with
Groupwise:

1) Someone else's mail appears among my mail.
2) Open Groupwise and get a completely different mailbox.
3) Unable to update address book.
4) Corrupted corporate address book. (One time it had 1000s of
identical entries).
5) Unable to send emails.
6) Emails going to a group of people instead of one person.
7) Corrupted emails - some words readable and otherwise junk
characters.

Let's not go near scheduling meetings and so on...

I got a call from a Groupwise user once. His groupwise system had
decided to send all emails to everyone in his address book, so he was
ringing around to try to limit the damage. And no it wasn't a virus.

Cheers,

Cliff
 
In Disguise

Enkidu said:
You post opinion as fact? Oh well.


What you don't point out is that *every* major version upgrade has
been traumatic for the end users. There are still Netware 3.11
machines out there, not because they are stable (which they mostly
are), but because no one *dares* to upgrade them.

No, it has not - you must be thinking of Windows. There are still
NetWare 3.1x servers out there because they just work. If the customer
does not need to upgrade, then they don't have to. These stay up for
years. Here's proof:
http://www.novell.com/coolsolutions/netware/features/a_uptime_winners_nw.html

Why upgrade if what you have does what you need? There's a Microsoft
mentality that says you *must* upgrade every time a new OS is released,
whether you need any of the new features or not. Novellians aren't like
that.

This is personal experience, not some waffly opinion piece. I've been
on the receiving end and the picture I have is not pleasant.

Then those who performed the upgrade were not the right people to do it.

Having the tools available via a web browser is nice operationally.
It's not a big deal. It does add another layer of security risk.

When using IE, it does. The web interface is built into the management
of the OS and Directory - it's called "iManager" and has been out for a
few years now. Check it out - you'll like it.

Here's some of the things that I have personally had happen with
Groupwise:

1) Someone else's mail appears among my mail.
2) Open Groupwise and get a completely different mailbox.
3) Unable to update address book.
4) Corrupted corporate address book. (One time it had 1000s of
identical entries).
5) Unable to send emails.
6) Emails going to a group of people instead of one person.
7) Corrupted emails - some words readable and otherwise junk
characters.

Let's not go near scheduling meetings and so on...

I got a call from a Groupwise user once. His groupwise system had
decided to send all emails to everyone in his address book, so he was
ringing around to try to limit the damage. And no it wasn't a virus.

Then you've got the wrong person managing that GroupWise system. A
garden will only grow as long as it's handled properly. Whether
GroupWise, Notes, or Exchange, if you don't know what you're doing with
it, it will be a disaster. I know of a GroupWise system of 13,500
users that has one administrator. Passwords were synchronized to
eDirectory, so there were never any "I Forgot My Password" calls to the
HelpDesk. Nearly all calls were along the line of, "How do I....?"

This isn't to say that GW is perfect - whatever humans design or build
will have its flaws, but GW is light years ahead of Exchange, IMO.

You can put GroupWise on Linux, Windows, and NetWare. You can access
GroupWise from any browser, on any platform, anywhere in the world as a
part of the standard package.

You can only put Exchange on Windows.

No vendor lock-in there, eh?
 
In Disguise

Enkidu,

Yeah, a flame war is always good once in a while.

Like the Godfather says, "We need one every 5 or 10 years. Helps thin
out the blood." (Or something close to that <g>)
 
Enkidu

Then you've got the wrong person managing that GroupWise system. A
garden will only grow as long as it's handled properly. Whether
GroupWise, Notes, or Exchange, if you don't know what you're doing with
it, it will be a disaster. I know of a GroupWise system of 13,500
users that has one administrator. Passwords were synchronized to
eDirectory, so there were never any "I Forgot My Password" calls to the
HelpDesk. Nearly all calls were along the line of, "How do I....?"

We switched to Lotus Notes and had no more problems. Not that I would
advocate Lotus Notes.

This isn't to say that GW is perfect - whatever humans design or build
will have its flaws, but GW is light years ahead of Exchange, IMO.

You can put GroupWise on Linux, Windows, and NetWare. You can access
GroupWise from any browser, on any platform, anywhere in the world as a
part of the standard package.

But why would you want to?

You can only put Exchange on Windows.

So you can, and organisations are doing it all the time.

Cheers,

Cliff
 
Andrew Mitchell

I just realised that I started a flame war. Sorry, my frustration and
irritation at Novell's NDS based on *five years* as an end-user still
rankles after a few years away.

I wasn't trying to flame, just curious as to what your problem was with it.
As an end user, the directory service should be transparent.
If you are talking about NetWare as a whole, there are some things about it
that are worse than Windows (the setup for one, and trying to find decent
compilers for writing NLMs), but there are also things that IMHO were done
much better in NetWare (like a directory not even appearing in explorer if a
user didn't have the correct permissions)

Yes, I do know the users hated it,

Still curious as to why????

and
yes, I do know that IT loved it.

Having worked on Windows and NetWare (in both admin and development roles)
there are pros and cons to both. They are simply tools to achieve a goal
and neither really stands out against the other, no matter what both camps
say in their marketing blurbs.
 
Enkidu

Having worked on Windows and NetWare (in both admin and
development roles) there are pros and cons to both. They are
simply tools to achieve a goal and neither really stands out
against the other, no matter what both camps say in their
marketing blurbs.

I think we had best leave it at that, don't you? Maybe I was scarred
by a particularly bad experience. I could give you details, but I'd
say that the response would be that it doesn't *have* to be that way.
I'm not trying to dodge the questions - well in a way I am, because I
*know* that I had a very bad experience, and I have only anecdotal
evidence that at least some others feel the same way. Novell fans would
say that that was very unusual, no doubt! No worries!

And we are straying way off topic!

Cheers,

Cliff
 
SysEng

In Disguise said:
Peter,

Novell NetWare 6.5 can be used as a Domain Controller, if that is what
you want to do. The documentation for this is:
http://www.novell.com/documentation...=/documentation/nw65/native/data/bqls7eg.html

Another good link:
http://www.iwantnetware.com/

The best bet is to put eDirectory on Windows. eDirectory - unlike
Active Directory - can be installed on multiple platforms, such as
Windows, NetWare, Linux, AS/400, etc. You can also manage the entire
Directory from any web browser, from any computer. This includes DNS,
DHCP, etc. Clients can be DOS, Windows 3.x, OS/2, Win9x, Linux, etc.
Unlike the latest version of AD, eDirectory is not client-dependent, so
you don't have to upgrade all of your workstations, if you don't want to.

For a good comparison between the two, check out
http://www.iwantnetware.com/edir-vs-ad.pdf.

You mean a biased comparison right?

There's just no comparison, really. With eDirectory, you can partition
and replicate all or parts of the Directory. No need for Global
Catalogs, Backup Domain Controllers, Site Servers, etc.

Can't partition in AD? Why do you suppose there are GCs in the first
place? BDC? Site Server? Are you sure you're talking about AD? From
your lack of understanding of the basic AD terminology I'm guessing there
hasn't been a whole lot of real-world experience here.

When Novell teaches eDirectory, students have single-server environments
that have billion-object trees, with over 100 million objects per
container. All this on a single-processor, single-server environment.
Active Directory can't touch that.

Why don't we try comparing apples to apples here. The reason why AD has
a larger footprint than eDirectory is largely in part due to its
extensible nature. A good example would be eDirectory's lack of native
Kerb support. After installing NMAS and enabling Kerb auth for all
those millions of eDirectory principals, honey you just blew up the
kid.

Is the schema a little top heavy in AD? Possibly, but if you want to
compare eDirectory with any MS product try AD/AM. It's better suited
for a competitive scrap against eDirectory anyway. Any application
that requires an LDAP directory to maintain a billion objects likely
isn't going to need all the added benefits of the full featured AD.

The MCSE Windows Server 2003 Active Directory and Network Infrastructure
Design (Chapter 8 in the book) states that, "It is recommended that if
there are 500 or more users within a site, the domain controller that is
authenticating them should have at least dual 899 MHz processors."

It also states, "The formula that is used to determine the approximate
amount of drive space that the directory database will consume is
(number of users / 1000) * .4GB." An example given is that 72,000
users require a minimum of 28.8 GB of disk space. That's just for
Active Directory alone.

Should you decide to keep Active Directory and eDirectory, you may want
to use Identity Management 2 (IDM2) www.novell.com/identitymanager.

This lets you synchronize AD, eDirectory, PeopleSoft, Exchange,
GroupWise, SQL, and any other data store all together. This way,
someone leaves the organization, you only have one click to disable or
delete all of their accounts, whether it resides on MS-based, Linux,
Unix, AS/400, NetWare, etc.

Sounds like they're attempting to catch up with MIIS.
 
SysEng

In Disguise said:
Showing your ignorance, and I am embarrassed for you. When you get a
chance, check out this article:
http://www.novell.com/coolsolutions/nds/features/a_insideout_ad_edir.html

Oh great. Another biased misdirect.

An excerpt:

"To start to understand why Active Directory pales to other industry
directory offerings - particularly Novell eDirectory - one must remember
why Active Directory was created. Windows NT 4 Server and prior releases
had major scaling and management limitations as a result of Microsoft
carrying forward its legacy LanManager account management system into
Windows NT Domain Services. However, rather than scrapping the old and
building anew, Microsoft built a directory on many of the premises,
protocols and limitations of Windows NT Domain Services. The result
today is Active Directory, a retrofitting of Windows domains into a
quasi-directory hierarchy."

Actually, AD wasn't based on the old NT SAM technology at all. It
evolved from the Exchange directory service dating back to an initial
release of Exchange 4.0 in 1996.

BTW, eDirectory has over one billion licensed connections world-wide.
How about AD? Every Fortune 1000 company uses it. eDirectory is
continually being developed to expand upon their dominance.

Active Directory has been out since when? Windows 2000 introduced it,
and now it is in Windows 2003. Hmmm....

Again, if you want to get specific...

ExchDS/AD initial release date: 1996
NDS/eDirectory release date: 1993

Wow. 3 year headstart negated by all the poor business decisions
Novell has made over the past decade.

NT started at version 3.1, then 3.5, 3.51, 4.0, then Windows 2000.
NetWare has gone through revisions of ELS, ELS2, NetWare 2.1, 2.11,
2.12, 3.0, 3.10, 3.11, 3.12, 3.2, 4.0, 4.01, 4.02, 4.1, 4.11, 4.2, 5.0,
5.1, 6.0, and then 6.5. eDirectory / NDS was introduced in v4.0. It
has years of development and deployment ahead of AD, yet AD - with all
of M$ cash machine and millionaire programmers behind it - is still
nowhere close to eDirectory in terms of reliability, scalability,
deployment, and functionality.

Once more, a 3 year headstart dating back to a decade ago does not
constitute a whole lot of value. That would be like saying Ford must
be lightyears ahead of Toyota because they've been manufacturing cars
for 4 decades longer.

I suppose that all four branches of the US Dept of Defense have all
made the wrong decisions to go with AD and Exchange across the board?
The countless millions they've spent on evaluating solutions, choosing
AD over every other directory, including eDirectory, and they're still
wrong?

Can you use MS-provided tools to manage the Directory and OS via web
browser? Can with NetWare / eDirectory - and the browser can be any
browser, not IE.

Yes, there are web-based admin tools built-in. Just hit it with a
browser that supports WebDAV and you're set. Is it MS's fault that
every other browser was slow to adopt innovative web standards?

Everything that I have posted are facts, not opinions. All you can post
in return are more M$ FUD. Typical.

Regarding GroupWise, it is virtually virus and exploit-free. The
"ILoveYou" virus didn't hit GroupWise. Same with Melissa, et al. It is
inherently more secure, which is why the US Government and Military use
GroupWise exclusively.

Yeah, maybe it wasn't the smartest thing to do when MS allowed VB
scripts to be included as attachments and ran directly from within
Outlook. However, anything post Outlook 2000 SR1 (2001) shored up the
vulnerability, yet it's continually harped upon as if the problem
still exists. You don't hear folks still ragging on Netware because
you used to be able to crack the Supervisor password with a simple DOS
util in less than 10 seconds.

And for the record, the US Gov't and DoD DO NOT use GroupWise
exclusively. Not even remotely close! In fact Exchange holds about a
91% marketshare in the Public Sector.

WebAccess to your email has been a standard for
GroupWise for years now. I hear Exchange is just now picking up on it.

Just picking it up?! Outlook Web Access has been around since March
1997. I'm told constantly by customers that OWA is miles beyond any
other web-based mail client. Who's spreading the FUD now?

It can run on Linux, NetWare, or Windows. Exchange, like all other
M$-based products, will only run on Windows, so you are tied to a
particular OS.

Yep, tied. By Novell's own admission at Brainshare last year, they
recommend running GW on Netware due to the instabilities encountered
running on anything else. They simply can't give enough attention to
every version. They had the same advice for eDirectory coincidentally.
 
