Implementing NDS-Enabled Solutions at Clemson University
LAN Systems Manager
PAMELA J. BOWEN
Consultant and Trainer, Computer Training
Systems Programmer I
Systems Programmer II
01 Jul 1998
Find out how a team of network administrators, trainers, and programmers at one of America's top universities is using NDS to create a campus-wide collaborative learning environment for students, faculty, and visitors.
The Division of Computing and Information Technology (DCIT) at Clemson University in Clemson, South Carolina, has developed a campus computing network that is both technically strong and functionally rich. Designed to take advantage of the power of Novell Directory Services (NDS), the Clemson network provides computing support to students, faculty, and staff in a comprehensive manner, including single login and authentication for all services and work spaces. The services provided by this network are automatically made available to all members of the campus community.
Clemson's strong network provides the foundation for the new campus-wide Collaborative Learning Environment (CLE) being installed this semester. The CLE is a collection of tools and services that facilitate the use of information technology in teaching and research. The CLE also provides a forum for collaboration among students and faculty. Integrated with the student registration system, it provides class work space, time-stamped electronic submission of papers, team and group class projects, and access to library reserve materials and class assignments. Faculty and student access is through Web applications as well as Novell Application Launcher (NAL) services. All students, faculty members, and classes are automatically provided these services.
The purpose of this series of AppNotes is to show how Clemson has provided a rich set of solutions by leveraging the power of NDS and by making NDS the centerpiece of security, fault tolerance, and authentication. This first AppNote covers the hardware configuration, the NDS tree design, and the development of the Collaborative Learning Environment. A follow-up AppNote will cover such topics as virtual laptops, NLM development at Clemson, e-mail, intranet services, and authentication.
Overview of the Clemson University Network
In designing the new network at Clemson, a team of system administrators, trainers, and programmers began by examining the underlying reasons students need their own personal computers. They concluded that, in essence, students need applications, documents, and data to be delivered wherever and whenever they may require them. This includes classrooms, computer labs, dormitory rooms, and off-campus locations. Furthermore, such services are best delivered in a secure and reliable environment with dependable backups. Finally, the support should be delivered at a low cost. This was the basis for the Clemson "virtual laptop," made possible by the network and its features.
Each individual entering Clemson as a student, faculty member, or employee is automatically assigned a computer user identifier (userid) and work space on a server for storage of personal documents and data. Employing the virtual laptop concept, the network allows students to log in from any campus computer laboratory and immediately be presented with the look and feel of their own desktop. This includes settings and preferences used in software such as Microsoft Office, Netscape Navigator and Eudora electronic mail. A series of Clemson-developed NetWare Loadable Modules (NLMs) are used throughout the login and authentication process.
The concept of a standard lab environment has made it possible to provide identical desktops in central labs as well as departmental labs, doubling the number of public workstations to about 700. (A "lab" is a work area containing workstations available to any student.) Furthermore, the data and documents stored by users in other locations are immediately available.
A central server authenticates all student, faculty, and staff logins, and a single login provides access to a wide range of servers and applications. Access to network resources is controlled by Novell Directory Services. Once users are authenticated, they have access to all network resources defined for them and to their personal work spaces. NDS provides information about printers that they can use, building servers where application software resides, and the class and departmental groups to which they may belong. Users also have access to a campus-wide Post Office Protocol (POP) mail server for their mail. A sophisticated mail-list creation system allows faculty members to automatically create mail lists for their classes, with on-going class drops and adds integrated with the student registration system.
The Clemson network includes a mainframe, minicomputers, more than 100 servers, and an assortment of UNIX, Windows, and Macintosh workstations. Ethernet and Fast Ethernet are both used, with twisted-pair cable generally providing local connections to the backbone and FDDI connecting backbone components.
Basic Network Topology
Figure 1 shows the basic topology for the Clemson University network.
Figure 1: The Clemson FDDI backbone.
As shown in Figure 1, the campus backbone uses 100 Mbps fiber optic, FDDI (Fiber Distributed Data Interface) technology. The backbone is composed of a central ring and two smaller rings. One small ring serves the College of Engineering and Science buildings, and the other is essentially a point-to-point connection to Clemson Research Park. The Information Technology Center, the largest campus data center, is located in the Clemson Research Park.
Building networks connect to the backbone at one of eight locations. Each location is a fiber hub site, with a large Cisco router serving all the buildings in that area of campus. Only TCP/IP and IPX protocols are allowed to traverse the backbone. A parallel OC-12 ATM backbone is being constructed to support Internet2 networking requirements.
Clemson's data network is designed to minimize data leaving a building, so there is often a server located in the building to store commonly used applications and departmental data and to handle local printing. There are over fifty of these servers on the network. Large computer labs usually have their own server because of the high traffic levels. Because everyone in the building shares this server and because many of the applications are fairly large, the server is usually connected to the Ethernet switch by a 100 Mbps Fast Ethernet link. There is also a 10 Mbps or 100 Mbps switched Ethernet link leaving the building to connect to a backbone router.
The Ethernet switch also connects many 10BaseT hubs to the building network. In some locations, powerful workstations have their own switched Ethernet segment rather than sharing a segment within a 10BaseT hub. To prevent snooping, hubs are set to transmit network traffic only for the Medium Access Control address of the workstation attached to each port.
Large Computing Systems
We will begin by describing the large computing systems within Clemson University's network.
OS/390 Mainframe. The OS/390 Mainframe is a Hitachi Data Systems Pilot 25 Enterprise Server running the OS/390 operating system. Clemson's mainframe has always allowed users to connect directly, whether to TSO or an application like the Student Information System (SIS) or Library Users Information System (LUIS); however, it also provides some common server functions like FTP, NFS, and ODBC access. In the future, more server-style functions will be available, such as improved database access, a Web server, and perhaps some network-related services.
UNIX Systems. DCIT's general purpose UNIX computer called "hubcap" is a Sun Microsystems HPC 3000 with 1.5 GB of main memory, six 275 MHz processors, and a refrigerator-sized RAID disk subsystem containing more than 135 GB of disk storage. It runs the Solaris 2.6 (SunOS 5.6) operating system. User IDs are available for staff and students who apply.
The substantial resources of hubcap are also used by people who are developing and configuring jobs and simulations that they will eventually run on Clemson's new "super computer," a Sun 6000 with 4 GB of main memory, sixteen 275 MHz processors, and a RAID subsystem similar to hubcap's.
Users also have access to a campus-wide Post Office Protocol (POP) mail server for their mail. This server runs Solaris 2.6 and uses NDS for user authentication.
There are many additional UNIX servers and workstations spread throughout the university to provide additional capability to the campus community.
Clemson's server hardware is constantly changing. Initially we built our own servers from the same components used by server manufacturers. We are now upgrading to Dell servers for increased capability and reliability.
Personal Data Servers. These servers hold the home directories for all users on the LAN. The home directories for approximately 9,000 employees and miscellaneous users of Clemson's network are stored on two HP NetServer LX dual Pentium Pro servers containing a total of 1.5 GB of memory and 100 GB of RAID-5 disk storage. The home directories for approximately 28,000 students are stored on five Dell 4200 servers, each with 512 MB of memory and 50 GB of RAID-5 disk storage. These home directories also provide space for public and private user Web space.
NDS Root Servers. These servers are dedicated to running NDS at Clemson. All workstations (as well as other Novell servers) depend on these servers to be operational. Multiple root servers are placed strategically on the network to enhance performance and to offer fault tolerance. The three NDS root servers are currently Dell 2200 servers with single 300 MHz Pentium II processors, 384 MB of memory, and 4 GB of RAID-5 disk storage. Each server holds a complete copy of Clemson's NDS tree. There is one master and two read-write replicas; no other servers contain replicas.
To support a single user ID and password combination across all software systems, Clemson has developed authentication software to run on Novell servers and a variety of clients. These clients include the OS/390 enterprise server, the central mail server, and many Web servers. Clemson has developed a set of NLMs to accept requests from clients, and has also built hooks on various clients to redirect local user authentication and password changes to the NLM. The NLM runs on two of Clemson's NDS root servers for fault tolerance and is multithreaded to handle simultaneous requests from many client systems.
Student Lab Application Servers. These servers are all exact mirrors of one another and are, for all intents and purposes, read-only. They are placed strategically on the network, basically one per lab, and perform the task of serving up application software and data to the lab workstations. They are currently configured for dynamic fail-over: if one server goes down, the other servers pick up the load. The student lab servers are the application servers from which all labs conforming to the campus standard lab configuration run their desktop software.
Their base configuration is as follows:
SuperMicro P55STE system board
Cyrix P166+ processor
64 MB of RAM
One Micropolis 3391 9 GB hard disk
Intel Pro/100 network adapter
Faculty/Staff Group Servers. These servers are configured to hold collaborative data and applications for one or more departments or workgroups at Clemson. These servers are placed on the network to be close to the users, either within their buildings or within one router hop away. A group can also make use of this collaborative storage space to serve Web pages to the Internet without having to run a Web server locally. A faculty member may use these servers to do collaborative work with students in a class as well as accept secure file submissions from students.
Individual departments throughout the University often have their own application servers from which department employees may run software purchased by that specific department. These servers were originally home built, but are being converted to Dell 4200 servers as resources permit.
NT Application Servers. These servers are configured to run turnkey applications under Microsoft Windows NT Server. The only direct users of these systems are the people that administer the software systems on them. End-users access these applications through Web browsers. User logins or accesses rely on NDS for security.
Workstations are connected to the backbone by way of twisted-pair, 10BaseT, Ethernet cabling. The minimum configuration recommended for an Intel-based workstation is the following:
266 MHz Pentium II processor
64 MB of RAM
6.4 GB hard disk storage
3.5-inch diskette drive
32X CD-ROM drive
17-inch multi-scan monitor
10/100 Mbps Ethernet adapter
NDS Tree Design
The LAN infrastructure at Clemson is built upon Novell NetWare 4.1x and Novell's NDS. NetWare supports connectivity from DOS/Windows, Windows 95, Windows NT, OS/2, Mac OS, and UNIX systems. NDS is a distributed and replicated database that holds the object and security definitions about the network. NDS provides the users and the network administration staff with a logical view of the network that conceals the sometimes bewildering complexity of the actual physical topology and configuration.
NDS enables the network to appear as a single, cohesive entity to the user. No longer is the view file-server-centric. With NDS, users perform a single login to the network and are authenticated as necessary with respect to their accessible resources on the network.
Tree Design Considerations
In NDS, objects are arranged in an inverted tree hierarchy, starting with a single root object and branching downward from there. Beneath the root object is an Organization (O) object, which shares its name with the root. Under the O object are a number of Organizational Unit (OU) objects. OUs can themselves contain other OU objects.
O and OU objects are sometimes called "containers" since they may contain many types of objects such as users, servers, server volumes, groups, organizational roles, aliases, computers, printers, print queues, and user profiles. The NDS object database is collectively referred to as "the NDS tree."
One way of designing an NDS tree is to arrange the OUs to reflect the structure or function of the organization. Figure 2 shows an example of this in the Clemson tree. The root of the tree takes on the name of the O object, in this case CLEMSONU. Beneath that are several OU container objects representing organizational divisions at the university. The DCIT object has a number of OUs beneath it to represent subordinate departments.
Figure 2: Clemson's NDS tree reflects the organizational structure of the university.
The full names of objects in the tree follow a "dot" naming convention that conforms to the X.500 standard. For example, the full name of the ISD container in Figure 2 is ".isd.dcit.clemsonu".
Designing an NDS tree is a subjective process. You can use the organizational model as described above, or, if your organization is geographically dispersed, you can use a geographic model. In any case, the underlying objective in designing the tree is to make the resources in it easy to manage.
With over 36,000 User objects alone in our single tree, Clemson is one of the larger users of NDS in the world. Given that we want the maintenance of user IDs to be handled by the Automatic Userid System (AUS), we have taken a hybrid approach to tree design, with two distinct flavors that complement each other very well. The first is the traditional organizational model discussed above, and the second is a categorical model based on user type.
As shown in Figure 3, we use three organizational units just below the Organization level to hold User objects of three basic types: students, employee, and miscellaneous.
Figure 3: Three organizational units are used to group User objects by type.
The "students" container holds all user IDs for students. Similarly, the "employee" container holds all user IDs for employees. The "misc" container was created to hold special user IDs that are not expressly owned by a student or employee. Examples of these might be friends of the university, outside customers of DCIT, or other miscellaneous system or test user IDs.
The students, employee, and misc containers each contain 28 OUs: one for each letter of the alphabet, one for groups, and one for printers. The containers for each letter of the alphabet hold users whose user ID starts with that letter. For example, a user ID "arnie" that belongs to an employee would be placed in the ".a.employee.clemsonu" OU. This is also referred to as that user's context. The complete, or fully distinguished, name of the user is ".arnie.a.employee.clemsonu". User IDs that do not begin with an alphabetic character are placed in the "Z" container.
Because groups of users may have common management and/or security attributes, NDS provides the Group object. In the Clemson tree these objects are placed in the "groups" container. Many of the groups are automatically created and maintained within NDS. Other special groups may be created and maintained manually by Computer Resources. Users who need to make use of a group may either contact Computer Resources to have a group created and maintained for them, or a user may create and maintain the group himself in the organizational part of the tree. Users who choose to create and maintain groups themselves may obtain assistance from Computer Resources over the telephone or from Client Support. Additional groups, consisting of any set of users, may be requested by anyone to facilitate the sharing of resources.
The "printers" container holds print queues designated to be serviced by printers located physically throughout the organization. Most print queues are available to all users. Print servers and printers that are located centrally within the NDS tree service the print queues. The printers group is centralized for easy access by users and categorized by the physical location of the printer. Also, all printers defined to NDS may be made accessible from other systems across campus such as MVS or any UNIX host. Similarly, NDS print queues may be accessed by these other systems.
The server objects for the data servers discussed earlier are located under the Employee and Students containers, as shown in Figure 4. Named EMPLOYEDn and STUDENTDn (where n is an identifying number), these servers hold the home directories for all employees and students.
Figure 4: The data servers hold the home directories for all users.
While this is a departure from the traditional approach of users having home directories on the departmental (group) server, it is necessary since at this point a number of users do not have access to a group server. Other benefits of this departure are increased manageability and a high-speed backup/restore capability. As users move between departments and buildings, no data movement is required.
Students have a default home directory disk space limit of 20 MB per user. Employee and misc users receive a 100 MB limit by default. These limits may be increased on a per-user basis by contacting Computer Resources.
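The placement rule described earlier (first letter of the user ID, with non-alphabetic IDs going to the Z container) and the default home directory limits can be turned into a check that audits exported object names against their expected context. This is an added example, not Clemson's AUS code; the function names, the rejection of dots and whitespace in user IDs, and every sample name except "arnie" are assumptions made for illustration.

```python
import string
from dataclasses import dataclass

ORG = "clemsonu"                                   # O object named in the article
DEFAULT_QUOTA_MB = {"students": 20, "employee": 100, "misc": 100}  # per-type defaults
NON_USER_OUS = {"groups", "printers"}              # the two non-letter OUs per type


@dataclass(frozen=True)
class Placement:
    userid: str
    context: str      # container the User object lives in
    fdn: str          # fully distinguished name
    quota_mb: int     # default home directory limit


def letter_ou(userid: str) -> str:
    """OU for a user ID: its first letter, or 'z' when it is not alphabetic."""
    first = userid[0].lower()
    return first if first in string.ascii_lowercase else "z"


def place_user(userid: str, user_type: str) -> Placement:
    """Compute where a new User object belongs under the article's rules."""
    if user_type not in DEFAULT_QUOTA_MB:
        raise ValueError(f"unknown user type: {user_type!r}")
    # Assumption: a dot or whitespace in a user ID is rejected, since the dot
    # is the component separator in the names shown in the article.
    if not userid or "." in userid or any(c.isspace() for c in userid):
        raise ValueError(f"invalid user ID: {userid!r}")
    uid = userid.lower()                           # NDS names are case-insensitive
    context = f".{letter_ou(uid)}.{user_type}.{ORG}"
    return Placement(uid, context, f".{uid}{context}", DEFAULT_QUOTA_MB[user_type])


def audit_fdn(fdn: str):
    """Return None if the name sits where the rules put it, else a finding."""
    if not fdn.startswith("."):
        return f"{fdn}: not a leading-dot distinguished name"
    parts = fdn[1:].lower().split(".")
    if len(parts) != 4 or "" in parts:
        return f"{fdn}: not inside a letter, groups or printers OU"
    name, ou, user_type, org = parts
    if org != ORG or user_type not in DEFAULT_QUOTA_MB:
        return f"{fdn}: outside the three user-type containers"
    if ou in NON_USER_OUS:
        return None                                # group or print queue, not a user
    try:
        expected = place_user(name, user_type).fdn
    except ValueError as err:
        return f"{fdn}: {err}"
    return None if expected == fdn.lower() else f"{fdn}: expected {expected}"


# Constructed sample export; only "arnie" comes from the article.
SAMPLE_EXPORT = [
    ".arnie.a.employee.clemsonu",
    ".9lives.z.students.clemsonu",          # non-alphabetic ID, Z container
    ".bsmith.s.students.clemsonu",          # filed under the wrong letter
    ".chem101.groups.students.clemsonu",    # group object, skipped
    ".guest.misc.clemsonu",                 # directly under the type container
]


def audit(export):
    """Collect findings for every name that is not where the rules put it."""
    return [f for f in map(audit_fdn, export) if f is not None]


if __name__ == "__main__":
    print(place_user("arnie", "employee"))
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

Server objects such as the data servers sit directly under the type containers, so an export fed to this check should be limited to User, Group, and print queue objects.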
Student Application Servers
The students container is also home to the student application servers, which are named student0 through student11 (see Figure 5).
Figure 5: The student application servers are exact mirrors of each other.
These "read-only" servers are placed strategically on the network, basically one per lab, to serve up application software to the lab workstations. As a user logs in to the network, the lab workstation locates the nearest application server. The workstation attaches to it for the purpose of obtaining applications and also attaches to the appropriate data server to give the user connectivity to his/her personal data.
While the application server does provide applications to the workstation, the user's home directory contains the configuration files for Windows and other application software available in the lab. This allows the user to control his/her own Windows and other software setup.
Figure 6 shows the environment as seen by a lab workstation.
Figure 6: The lab workstation environment.
In the case where an employee or miscellaneous user is using a public access lab, these configuration files are automatically placed in a subdirectory under the user's home directory. The name of this subdirectory is "win95.lab". This name ensures that lab configuration files will not conflict with any other setup information that may be there for running software from some other configuration or location, such as the user's office.
Group servers are another integral part of Clemson's campus-wide strategy, as illustrated in Figure 7.
Figure 7: Group servers integrate into the campus-wide strategy.
As the employee or miscellaneous user performs the login and the profile login script executes, there are certain resources that the user is automatically connected to by way of drive mappings. Additional resources may be added, but these are the base standards that are expected to remain constant.
Drive U maps to the user's home directory. Drive U is "you." Individual users control this space and have the authority to permit any user or group to access it.
Drive Z is a search drive that maps to general network utilities provided by Novell. Although necessary, since this is a drive in the search path, users usually don't need to be concerned with it.
Drive P maps to a set of ready-to-run programs. Drive P is for "programs." These are applications that have been configured on users' behalf by DCIT to run from the server, requiring no installation. They are appropriately licensed, whether freeware or site license acquired.
Drive S maps to a general shared space (S is for "share"). Each directory under drive S has a unique purpose, as described below:
The EVERYONE subdirectory is wide open. All users have all rights. This is really intended as a big scratch pad for users and administrators. Files or directories may be put here and optionally protected as desired. The caveat concerning EVERYONE is that the data is susceptible to automatic scratch after 48 hours, or sooner if a substantial percentage of the total available space is used within the period.
The SOFTWARE subdirectory is a set of ready-to-install software maintained by Client Support. For example, if a user wants to install the latest 32-bit version of Eudora, this is where he or she can find the latest tested and supported copy of all free or site licensed software supported by DCIT. There are versions for each operating system where appropriate, as well as 16- and 32-bit versions of most Windows applications.
The SUPERUSR subdirectory is available only to users defined to the Technology Support Provider (TSP) group within NDS. It consists of information and tools provided by DCIT and others in the group to make the TSP group's job easier. TSP provides first-level technical support to the user community. In addition, there are a number of directories created at this level to hold shared data and applications for a group or set of groups. These are located here when there is no suitable group server available or one is not justified. Also, applications which are not site licensed, but are used on a wide scale for a particular group of users, are installed here; Microsoft Office is an example.
Collaborative Learning Environment
As part of an initiative to propel Clemson University into a national leadership position in the campus-wide integration of information technology into the curriculum, the university has developed the Clemson Collaborative Learning Environment (CLE). This is a collection of tools and services that facilitates the use of information technology in teaching and research and provides a forum for collaboration among students and faculty.
Current information technology support at Clemson has afforded us the opportunity to significantly advance our efforts in collaborative learning. The availability of unique features and programs has set the stage for the emergence of the Collaborative Learning Environment. Those features available include the fully automated registration and course management system, the single login system which assigns users rights to network services through a single userid and password, and the "virtual laptop" environment for students. Comprehensive training programs that introduce students to computing and assist faculty in the integration of computing into the curriculum have established an environment conducive to collaborative learning, active learning and educational technology.
The three major components of the CLE are:
Group Work Space. Like class e-mail lists, NDS groups are set up and maintained automatically based on the class enrollment. Access rights are granted through the single user ID and password which students use for access to the network. Group work space for each course section is set up for purposes such as class notes and syllabus, class discussion, time-stamped submission of papers by students to the instructor (drop box), class projects, and access to library reserve materials and class homework data sets.
Faculty Training. Faculty training plays a major role in the efforts to improve instruction through the use of technology. A faculty training group has been established in cooperation with Academic Computer Training to develop and coordinate the training curriculum according to faculty needs. Training resources also include faculty-led instruction, as well as visiting instructors with expertise in the desired areas of training. Training topics include how to use the CLE, creation of Web pages to access course material and syllabi, as well as other specialized classes that faculty deem necessary to enhance their teaching strategies. Incentives are offered to faculty to undergo training and implement technology in their classes.
Lab Facility. A lab in Clemson's Brackett Hall has been re-fitted as the primary training location. This lab provides the necessary media, hardware, and software to support faculty in their collaborative learning endeavors. Lab and training schedules accommodate faculty by including one-hour, one-day, and weekly seminars and week-long summer workshops, as well as one-on-one consulting, walk-in clinics, and open lab time for development work.
A faculty-led committee has been created to define the primary goals and objectives of the CLE and to address the major components and determine what resources and services are necessary to implement this environment for learning. With these resources and support, faculty have the opportunity to re-examine curriculum issues and instructional methods that allow them to focus on student-centered learning and adapt to the changing needs of students. The twelve faculty members on the committee represent the various colleges and schools at Clemson. DCIT has also established a project team to provide faculty with assistance and support as defined by the committee.
Integration Between Faculty and Students
Clemson's CLE supports approximately 5,000 class sections per semester, with faculty and students requiring the following capabilities:
Faculty members making data available to students
Students submitting work to faculty
Students collaborating on team projects with assistance from faculty members
Students and faculty collaborating on projects
Students and faculty publishing Web pages as a team or class
The Novell Application Launcher (NAL) is used as the CLE interface, allowing students to see a folder on their desktops for each class they are taking. In addition, collaborative storage allows for integration between faculty and students, as shown in Figure 8.
Figure 8: Collaborative storage for faculty and students.
One key aspect of CLE is the "smart classroom" initiative. The primary goal is to deliver multimedia presentation technology to selected classrooms. Within this overall goal, there are several subordinate objectives:
Standard presentation of technology to faculty
Ease of use of technology
Central technology point in classroom
Adequate work surface
Ease of maintenance
Security of equipment
Flexibility and expandability
Each lectern contains a 200 MHz Pentium PC, a VCR, an amplifier for a room PA system, network and CATV hookups, and external connections for "transient" devices (such as a laptop, video visualizer, tape player, or slide-to-video converter). The equipment in the lectern connects to an overhead projector. These are Epson 5000 units that provide true 800 x 600 SVGA resolution and also project standard broadcast video.
This AppNote has provided an introduction to the NDS-enabled network at Clemson University, including its hardware configuration, its NDS tree design, and the CLE (Collaborative Learning Environment).
The next AppNote in this series will cover the following topics:
Programs executed by virtual laptops
How Clemson employs NDS to provide authentication across the network
Clemson's e-mail strategy
* Originally published in Novell AppNotes