How to Manage Active Directory with Novell's eDirectory
Office of the CTO
01 Dec 2000
This AppNote addresses Novell's solutions for managing Active Directory.
Today's heterogeneous networks include applications, platforms, and services from a multitude of vendors. Rarely does one encounter a single-vendor or single-platform network. While these multi-vendor networks combine the best-of-breed applications and systems to deliver a robust solution, generally they are difficult or expensive to manage because simple tasks, such as creating or managing a user, require managing each system individually.
In general, there are two solutions to this problem. The first solution requires moving to a single vendor solution, whereby all pieces of the solution are provided by a single vendor. While this may simplify the user management problem, the solution is limited to the products and services provided by the single vendor. In addition, these single-vendor solutions often require discarding all existing systems and starting anew, requiring new investments in hardware, software, and training.
The second solution ties multi-vendor, best-of-breed networks together with a directory service, such as Novell's eDirectory. Novell's eDirectory enables customers to keep their existing investments in applications and platforms, but leverage the directory to simplify management. Many platforms and systems are already eDirectory-enabled, either through native NDS APIs or through the LDAP protocol.
Novell has a rich history of supporting Microsoft operating systems and applications. For example, Novell's NDS for NT greatly reduces Windows NT domain management for Windows NT Server 3.51 and Windows NT Server 4.0 networks. With the advent of Windows 2000 and Active Directory, Novell has delivered a comprehensive solution for integrating the Windows 2000 server platform into the larger eDirectory-enabled enterprise.
Novell Solutions for Windows 2000
Windows 2000 includes many new features in both the desktop and server operating system. For example, the Windows 2000 desktop includes new management features similar to Novell's ZENworks solution, while the Windows 2000 server includes Active Directory, a domain-based directory service. For each of these platforms, Novell delivers several different solutions, which may be used individually or together, depending upon needs.
ZENworks 3-- Novell's ZENworks for Desktops 3 eDirectory-enables many new Windows 2000 desktop features. For example, ZFD3 enables Windows 2000 desktops to use eDirectory for storing and retrieving Windows 2000 Group Policy Objects (GPOs). GPOs are useful for deploying desktop applications and restricting desktop access; by leveraging Novell's eDirectory, Windows 2000 GPOs can be used without deploying Windows 2000 servers and Active Directory.
Novell's eDirectory -- Novell's eDirectory provides a highly-scalable, replicated, fault-tolerant, and standards-based directory service for the Windows 2000 server platform. Novell's eDirectory for Windows 2000 allows NDS-enabled services (such as ZENworks) and LDAP services to leverage eDirectory in a Windows 2000 environment.
Novell Account Management for Windows 2000 (AM) -- Novell Account Management (AM) enables bi-directional user, group, and directory container management between Novell's eDirectory and Windows 2000 Active Directory. AM also includes bi-directional password synchronization capabilities and Active Directory management capabilities from the Novell management console. Novell Account Management enables deployment of Windows 2000 servers while minimizing management overhead.
These solutions enable Windows 2000 desktops and servers to participate within a larger, multi-vendor network while reducing management and administrative costs.
Novell Account Management for Active Directory
Prior to Windows 2000, eDirectory and domain integration was accomplished by Novell's NDS for NT product. NDS for NT was based on a domain redirector, which redirected any domain operations (create/delete/modify) to an NDS object. In this domain-redirector solution, objects, such as users and groups, were not stored in the NT domain system; rather, these objects were located in NDS.
Novell AM for Windows 2000 integrates eDirectory and Active Directory users, groups, and organizational units (OUs) through a directory synchronization approach. Unlike a redirector-based solution, where objects just exist in a single directory, the directory synchronization solution synchronizes objects in eDirectory with corresponding objects in Active Directory. Novell's ultimate goal in the first release of User Account Management for Windows 2000 was to provide all of the features found in NDS for NT for Windows 2000 and Active Directory.
Novell AM for Windows 2000 isn't just a DirXML directory synchronization agent; rather, it's a complete solution for bi-directional management of eDirectory and Active Directory.
There are six basic components of AM:
Novell's DirXML--DirXML is Novell's meta-directory solution for eDirectory. DirXML provides the synchronization engine and rules system for managing objects between eDirectory and Active Directory. DirXML maintains synchronization rules and information in eDirectory, and then bi-directionally synchronizes this information with other systems, such as Active Directory, through DirXML connectors.
Active Directory DirXML connector--The AD DirXML connector is a small Win32 service that uses ADSI and LDAP to communicate changes to and from Active Directory. The AD DirXML connector is installed on at least one Active Directory server per synchronized domain.
AM Setup Wizard--The AM setup wizard transparently installs and configures DirXML and the Active Directory DirXML connector after asking a few configuration questions. The AM Wizard also selects users and OUs for synchronization.
ConsoleOne Snap-ins-- Novell AM for Windows 2000 includes a set of ConsoleOne snap-ins for viewing and managing the Active Directory attributes of synchronized users.
Password Synchronization Service-- The password synchronization service keeps eDirectory and Active Directory user passwords synchronized whenever a password is changed from within Active Directory management utilities or at the Windows desktops. Each managed domain has one Windows 2000 server running the password synchronization service.
Password Filter -- The password filter resides on all Active Directory domain controllers for every managed domain. The password filter intercepts any Active Directory password change and forwards this information to the Windows 2000 server running the password synchronization service, which in turn updates eDirectory with the new password. A wizard automatically deploys and configures the Password Synchronization Agent on the Active Directory domain controllers.
When evaluating Novell AM for Windows 2000, there are a few important issues that one must understand:
Novell AM for Windows 2000 is for managing users, groups, and OUs. This release does not support managing other common objects found in both systems (like workstations and printers) nor does it manage Windows 2000 file system rights.
Novell AM for Windows 2000 synchronizes users and organizational units (OUs) between eDirectory and Active Directory, including attributes such as account names, telephone numbers, descriptions, etc. This release of Novell AM does not synchronize group objects between eDirectory and Active Directory, although it does provide basic group management capabilities (create, delete, modify the group, add or delete group members) within Novell's ConsoleOne management utility.
This release of Novell AM for Windows 2000 does not synchronize directory access controls and permissions. Synchronization of access controls is a very complex issue that is not addressed by this release of AM for Windows 2000.
This release of Novell AM for Windows 2000 doesn't automatically synchronize schema and schema extensions, although it is possible through minor modifications in the DirXML drivers and style sheets to synchronize new schema extensions.
Novell AM for Windows 2000 does not eliminate the need to design and deploy Active Directory domains or components of Active Directory, such as the Active Directory global catalog server.
By deploying Novell AM for Windows 2000, mixed eDirectory and Windows 2000 server environments will benefit from reduced day-to-day management costs. Directory administrators can manage their users, groups, and OUs from just one management utility, and these changes will automatically synchronize to all systems. Users will have a single password for both systems, and when they change their password, Novell AM for Windows 2000 will automatically update both eDirectory and Active Directory. In addition, since Novell AM for Windows 2000 is based on the DirXML meta-directory synchronization engine, customers who deploy AM for Windows 2000 can easily integrate their systems with other DirXML- and eDirectory-enabled applications and platforms.
Active Directory: A Primer
Before we can dive into the details on installing and configuring Novell AM for Windows 2000, a few Active Directory terms and concepts should be defined.
The domain is the basic building block of an Active Directory system. The domain is the administrative, security, and replication boundary. As the administrative and security boundary, all permissions (such as object or attribute rights) flow down only to objects within the domain and never to other domains. As the replication boundary, the entire domain is replicated to all other domain controllers for the domain. Domains are defined by their DNS name (like provo.novell.com).
Organizational Units (OUs) are used to create a hierarchy within a domain. Active Directory domain OUs allow grouping of domain objects around a common theme, such as a department, division, or projects. By creating a hierarchy of Active Directory domain OUs, it's possible to simplify management by applying rights at higher level OUs which then flow down to subordinate objects.
Domains can be linked together with trust relationships to form a tree of domains or domain tree. Domains within the domain tree all must adhere to the same DNS naming structure. For example, if the highest domain in the domain tree was acme.com, all child domains must have a DNS suffix of acme.com, such as engineering.acme.com or sales.acme.com.
Multiple domain trees can be linked together with trust relationships to form an Active Directory forest. An Active Directory forest simply links domain trees together.
Figure 1: An Active Directory forest.
Before installing Novell AM for Windows 2000, you'll need a Windows 2000 Server with Active Directory and eDirectory v8.5.
Both NDS eDirectory and Active Directory provide LDAP services. When eDirectory is installed on a Windows 2000 server, eDirectory and Active Directory try to service the default LDAP ports (port 389 for LDAP and 636 for LDAP over SSL). Active Directory doesn't support changing the default LDAP ports, so you must set the eDirectory default LDAP and SSL ports to something other than 389 and 636. The eDirectory ports can be set during installation of eDirectory (see Figure 2) or from within ConsoleOne by editing the LDAP server object (see Figure 3 and 4).
Figure 2: Set the eDirectory LDAP ports so they don't conflict with Active Directory.
Figure 3: Change the eDirectory LDAP port so it doesn't conflict with Active Directory.
Figure 4: Change the LDAP SSL port so it doesn't conflict with Active Directory.
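The port plan above is easy to get wrong once and hard to spot afterwards, because both services answer LDAP. The following added example (not from the AppNote or from Novell) turns it into two checks: a validator for the eDirectory port choice against the ports Active Directory owns, and a plain TCP-connect probe you can point at the server after installation to confirm each port answers. The sample ports 1389 and 1636 in the usage are constructed values; only 389 and 636 come from the text.

```python
import socket
import threading

# Ports Active Directory always claims on a domain controller; AD cannot be moved off them.
AD_FIXED_PORTS = {389: "Active Directory LDAP", 636: "Active Directory LDAP over SSL"}


def check_edirectory_ldap_ports(ldap_port, ssl_port, reserved=AD_FIXED_PORTS):
    """Return a list of problems with the eDirectory LDAP port plan (empty list = OK).

    Checks that neither eDirectory port collides with a port Active Directory
    owns, that the two eDirectory ports differ, and that both are valid TCP ports.
    """
    problems = []
    for name, port in (("LDAP", ldap_port), ("LDAP/SSL", ssl_port)):
        if not 1 <= port <= 65535:
            problems.append(f"eDirectory {name} port {port} is not a valid TCP port")
        elif port in reserved:
            problems.append(f"eDirectory {name} port {port} conflicts with {reserved[port]}")
    if ldap_port == ssl_port:
        problems.append("eDirectory LDAP and LDAP/SSL ports must differ")
    return problems


def port_accepts_connections(host, port, timeout=1.0):
    """TCP-connect probe: True if something is listening on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def demo_probe():
    """Offline demonstration of the probe against a throw-away local listener.

    Returns (probe result while the listener is open, probe result after it is closed).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0 lets the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    # Accept the one probe connection in the background so it completes cleanly.
    acceptor = threading.Thread(target=lambda: listener.accept()[0].close(), daemon=True)
    acceptor.start()
    while_open = port_accepts_connections("127.0.0.1", port)
    acceptor.join(timeout=2)
    listener.close()
    after_close = port_accepts_connections("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    # Constructed sample plan: eDirectory moved to 1389/1636, AD left on 389/636.
    print(check_edirectory_ldap_ports(389, 636))    # the default conflict the text warns about
    print(check_edirectory_ldap_ports(1389, 1636))  # clean plan
    print(demo_probe())
```

Run the probe from a second machine against the domain controller's address on all four ports once eDirectory is up; a port that refuses connections tells you which service lost the race for it.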
Installing and Configuring AM for Windows 2000
Installing AM for Windows 2000 is a relatively simple process. Basically, there are five steps:
Install the Novell Client for Windows 2000 to enable eDirectory communication.
Install and configure the DirXML driver set.
Search eDirectory and Active Directory for users, and synchronize these users if certain criteria are met.
Install and configure password synchronization services.
Install the Active Directory management snap-ins for ConsoleOne.
Fortunately, all of these steps have been integrated into the Installation Wizard. By answering a series of questions, the Installation Wizard automatically installs and configures all components of Novell AM for Windows 2000. After installing Novell AM for Windows 2000, all configuration changes can be made from within ConsoleOne.
Select the eDirectory tree and Windows 2000 domain that will be synchronized (see Figure 5).
Figure 5: Select the Active Directory domain and NDS tree to synchronize.
If you haven't installed AM for Windows 2000 on any of your Active Directory servers, choose "First domain in the Active Directory forest". If this Windows 2000 server is part of a forest that is already represented in eDirectory, choose "No, there are other domains in the forest". The installation wizard will attempt to locate the forest object (see Figure 6).
Figure 6: Choose whether or not this is the first domain in the forest to be synchronized.
Next, choose a location and name for the DirXML driver set. There is a 1:1 mapping between each eDirectory/DirXML server and the DirXML driver set, although each driver set can contain multiple drivers (i.e., one driver for Active Directory, one driver for Lotus Notes, etc.).
Figure 7: Choose an existing DirXML driver set for the Active Directory connector, or create a new driver set.
When AM detects changes in Active Directory, it must update the corresponding object(s) within eDirectory. To do this, AM must have sufficient administrative rights in eDirectory. This is accomplished through the DirXML Security Equivalence setting (see Figure 8). Be sure to select an eDirectory administrative account with sufficient rights to modify synchronized users and OUs.
Figure 8: Select an NDS account with sufficient administrative rights.
Novell AM for Windows 2000 creates the Active Directory domain tree and forest hierarchy within eDirectory. This enables management tools, such as ConsoleOne, to properly represent the Active Directory forest hierarchy within NDS. Choose an NDS context where the Active Directory forest object should be created (see Figure 9).
Figure 9: Choose an NDS context to represent the Active Directory forest and domain hierarchy.
When new users are created in Active Directory, a corresponding eDirectory account is also created. Choose the default eDirectory context for new Active Directory users (see Figure 10). This is just a default selection - it's very easy to change this location, or select multiple locations based on additional logic, by editing Active Directory forest within eDirectory (discussed later).
Figure 10: Choose a default NDS context for Active Directory users.
At this point in the installation, most of the DirXML driver synchronization parameters are configured. The next step is to search eDirectory and Active Directory for common users and create associations between the users in the different directories (Figure 11). This is beneficial for existing eDirectory and Active Directory installations that have already defined the user accounts in both systems. If this is a new Active Directory installation, there are very few (if any) existing Active Directory accounts that need to be associated with a corresponding eDirectory account.
Figure 11: The wizard enables synchronization of users that currently exist in both directories.
Depending on the naming structure adopted in eDirectory and Active Directory, user accounts may have a different name structure. For example, a user could be "ghein" in eDirectory and "GaryH" in Active Directory. Novell AM for Windows 2000 enables association based on different attributes. At this point in the installation, it's possible to choose the attributes that define an associated user.
Figure 12: Select the best attribute for associating existing users between the two directories.
At this point, the wizard will display a list of any possible matches between eDirectory and Active Directory users. It's possible at this point in time (or after installation) to create or remove any additional associations (see Figure 13).
Figure 13: Unassociated Active Directory objects can be manually assigned to a corresponding NDS object if desired.
The majority of this installation is complete. Up to this point the DirXML driver set parameters and Active Directory components have been configured, and the synchronized user accounts have been defined. All that is left is the installation of the password synchronization agents and the ConsoleOne snap-ins.
Setting up Password Synchronization
Bi-directional password synchronization is one significant distinguishing feature between Novell AM for Windows 2000 and other directory synchronization solutions. Other solutions are a bit more cumbersome. For example, some require users to use special utilities or web pages to properly synchronize passwords between the systems. One mistake, such as changing a password from the workstation desktop instead of the special password utility, will result in password inconsistencies between the directories. Only Novell AM for Windows 2000 provides bi-directional password synchronization between eDirectory and Active Directory without any special user intervention.
Password synchronization consists of three components: an NDS Password Synchronization container, a Win32 service "Novell Password Synchronization Service", and a Windows 2000 password filter. Together, these components keep passwords synchronized between eDirectory and Active Directory, whether the password is changed from a Windows desktop or from an Active Directory management utility.
How it Works
When a user password is changed in Active Directory, the password is sent to the domain controller in a reversible format. The Active Directory domain controller decrypts the new user password and hands the password to any password filters. Novell's password filter (installed on every domain controller within the Active Directory domain) takes this new user password, encrypts the password using the RSA public keys stored in the NDS Password Synchronization container, and passes this encrypted blob to the NDS Password Synchronization Service (running on just one Windows 2000 server). The NDS Password Synchronization Service decrypts the password using its private key, encrypts the password in NDS format, and updates the corresponding object in NDS. The password never travels across the wire in either clear text or in an unsecured format (see Figure 14).
Figure 14: Flow of this process.
Passwords that are changed from within Novell management utilities or from the Novell Client utilize Active Directory encryption functions built into the Novell client libraries. These are the same encryption functions utilized by Novell's earlier Windows NT management solution, NDS for NT. Therefore, any Novell client released within the past two years contains the necessary functions to properly encrypt passwords for Active Directory.
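The filter-to-service leg described above is a small public-key protocol: the filter on each domain controller only ever holds the public key published in the Password Synchronization container, and only the one server running the service holds the private key. The example below is added here to make that exchange concrete; it is not Novell's code and does not reproduce the product's key or record formats. It assumes the `cryptography` package (RSA with OAEP padding), and the salted PBKDF2 record in `to_nds_format` is a stand-in for whatever "NDS format" the product actually writes.

```python
import hashlib
import hmac
import os

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# OAEP is the padding a practitioner would use today; the AppNote only says "RSA public keys".
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def create_sync_container():
    """Model of the NDS Password Synchronization container (hypothetical layout).

    Returns (private_key, container). The private key stays on the server that
    runs the service; only the public key is published for the filters to read.
    """
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_pem = private_key.public_key().public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    return private_key, {"publicKey": public_pem}


def filter_encrypt(password, container):
    """Password filter side (every domain controller): seal the new password."""
    public_key = serialization.load_pem_public_key(container["publicKey"])
    return public_key.encrypt(password.encode("utf-8"), OAEP)


def service_decrypt(blob, private_key):
    """Password Synchronization Service side: unseal with the private key."""
    return private_key.decrypt(blob, OAEP).decode("utf-8")


def to_nds_format(password, salt=None):
    """Stand-in for 'encrypts the password in NDS format': salted PBKDF2 record."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt + digest


def verify_nds(password, record):
    """Check a candidate password against a stored record (constant-time compare)."""
    salt, digest = record[:16], record[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return hmac.compare_digest(candidate, digest)


def handle_password_change(user_dn, new_password, container, private_key, nds_store):
    """End-to-end flow of Figure 14; returns the blob that crossed the wire."""
    blob = filter_encrypt(new_password, container)   # leaves the domain controller
    recovered = service_decrypt(blob, private_key)   # arrives at the sync service
    nds_store[user_dn] = to_nds_format(recovered)    # written to the NDS object
    return blob


if __name__ == "__main__":
    # Constructed sample: one user, one password change.
    priv, container = create_sync_container()
    store = {}
    blob = handle_password_change("ghein.provo.novell", "Tr0ub4dor&3", container, priv, store)
    print(len(blob), verify_nds("Tr0ub4dor&3", store["ghein.provo.novell"]))
```

Two properties worth checking in a real deployment follow from the shape of this exchange: the plaintext must not be recoverable from the blob by anyone who only has the public key, and a blob must not be replayable as a "password change" by something that is not a filter, so the service should also authenticate where blobs come from. The example shows the first property only; the AppNote does not describe how the product handles the second.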
Configuring password synchronization with Novell AM for Windows 2000 is a straightforward process.
First, an eDirectory container is created to hold the key material for encryption/decryption of Active Directory passwords (see Figure 15).
Figure 15: The Installation Wizard creates a container for the password synchronization objects.
Next, the Password Synchronization Server is installed and automatically starts every time Windows 2000 is restarted (see Figure 16).
Figure 16: The Password synchronization service receives encrypted passwords from domain controllers, encrypts the passwords in NDS format, and updates the appropriate synchronized object in NDS.
A password filter is installed on every domain controller (see Figure 17).
Figure 17: Password filters intercept passwords from Active Directory and send the encrypted password to the Novell Password Synchronization Service.
The final installation step copies the ConsoleOne snap-in (ADLink.jar) to the default ConsoleOne directory. This Active Directory management snap-in properly displays the Active Directory forest within the NDS hierarchy and allows Active Directory user, group, and Container management from within ConsoleOne.
Congratulations! Novell AM for Windows 2000 is now configured and is synchronizing users and data between eDirectory and Active Directory. Based on the choices made during the installation, eDirectory now looks like this (see Figure 18).
Figure 18: After installing Novell AM for Windows 2000, eDirectory contains objects for Active Directory, DirXML, and the password synchronization services.
Common Management Tasks
Novell AM for Windows 2000 selects the best set of defaults based on customer needs. By using the Installation Wizard, Novell AM for Windows 2000 is very easy to configure and provides basic synchronization services in less than 15 minutes.
While these defaults will suffice for the majority of customers, others may wish to customize synchronization rules and conditions. Basic customization, such as mapping an eDirectory organizational unit to an Active Directory organizational unit, is a straightforward process provided by the ConsoleOne Active Directory management snap-in. Since Novell AM for Windows 2000 is based upon the DirXML meta-directory synchronization engine, further customization is possible, but is generally recommended only for administrators and consultants familiar with DirXML meta-directory services.
For more information regarding DirXML, including a detailed description of each component, please visit the Novell Developer web site at http://developer.novell.com. In particular, please see http://developer.novell.com/ndk/dirxml.htm.
Managing Active Directory Objects within ConsoleOne
Novell AM for Windows 2000 populates eDirectory with the Active Directory forest, including all domains and organizational units. This portion of the eDirectory tree is reserved for Active Directory objects; in other words, while it is part of the normal eDirectory tree, only Active Directory domain objects are allowed within its hierarchy. Representing the Active Directory forest within eDirectory is what enables managing Active Directory directly from ConsoleOne. Common tasks may include:
Creating or deleting Active Directory organizational units
Adding existing eDirectory users to Active Directory
Creating, deleting, or managing Active Directory groups
Creating associations between eDirectory and Active Directory organizational units
Managing password synchronization service information
Modifying the Synchronization Interval
Since Novell AM for Windows 2000 is based on DirXML, it is automatically notified when events, such as a user being created, deleted, or modified, occur in the directory. DirXML acts as an event system, notifying other systems when events occur in eDirectory. Changes made in eDirectory generally synchronize to Active Directory in a very short period of time, usually within seconds.
Active Directory, unfortunately, doesn't provide an event system for external directories. Therefore, directory synchronization systems (including Microsoft's solution) must poll or periodically scan the Active Directory system for changes. By default, Novell AM for Windows 2000 uses a 15-minute polling interval. Changes in Active Directory may take upwards of 15 minutes before appearing in eDirectory. By selecting the properties on the DirXML driver, it's possible to either increase or decrease this polling interval (see Figure 19).
Note: If this parameter is decreased, synchronization occurs more frequently. Setting this value to 0 will force immediate synchronization. This is not a recommended setting, as it will create high server utilization for the Active Directory server, especially for Active Directory servers with more than a few thousand synchronized users.
Figure 19: Decrease the polling interval for more frequent synchronization.
Creating New Associations
During installation, a single eDirectory context was configured as the default container for any new users that were created within Active Directory (see Figure 10). Thus, new users in Active Directory are automatically placed into this eDirectory container.
In larger installations, it may be desirable to map organizational units between the two directories. For example, it might be necessary to map users from provo.novell.com in eDirectory to provo.novell.com in Active Directory.
To accomplish this task:
Create the organizational units in both eDirectory and Active Directory. The organizational unit names need not be identical.
Using ConsoleOne, browse into the Active Directory forest, into the proper Active Directory domain, and select the new organizational unit (provo.novell.com in this example).
From the properties page (see Figure 20), enter the default eDirectory user creation context (provo.novell in this example).
Figure 20: Selecting the properties of the Active Directory organizational unit in eDirectory.
By selecting the properties of the Active Directory organizational unit in eDirectory, it's possible to set a default context for new users of the Active Directory OU.
Now, whenever new users are created in the provo.novell.com organizational unit in Active Directory, they are automatically added to the provo.novell eDirectory organizational unit.
Novell AM for Windows 2000 uses the following rules for associations:
Associations only apply to new users. Changing a container association between Active Directory and NDS does not affect existing users in that container.
If no association is set on an Active Directory container, it defaults to the context set during installation. This default context can be modified with ConsoleOne by selecting the properties of the domain object within eDirectory.
Child containers inherit their parent's association. For example, if provo.novell.com in Active Directory was associated to provo.novell in eDirectory, creating a child container in Active Directory called engineering.provo.novell.com would create an eDirectory container called engineering.provo.novell. The container engineering.provo.novell.com in Active Directory would be associated to the eDirectory container engineering.provo.novell.
Adding eDirectory users to Active Directory
There are three options for adding eDirectory users to Active Directory. All of these options require the Active Directory management snap-in for ConsoleOne.
When a new eDirectory user is created, ConsoleOne offers the option of adding the new eDirectory user to an Active Directory domain.
ConsoleOne offers a new "Domain" property page on users objects, which enables adding an existing eDirectory user to an Active Directory domain.
For multiple users, or for very large eDirectory trees, ConsoleOne provides the ability to search eDirectory and import a large batch of eDirectory users into Active Directory.
The first two options are self-explanatory; however, the third option is very useful for adding multiple eDirectory users to Active Directory. To use this feature, use ConsoleOne to browse into the Active Directory forest, down into the desired domain:
Select the Active Directory OU where the eDirectory users should be added.
Choose Properties, and select the Add Users button. ConsoleOne then enables a browse window, complete with searching capabilities, for selecting existing eDirectory users (see Figure 21).
Figure 21: From within the Active Directory organization unit in eDirectory, it's possible to add multiple users from eDirectory to Active Directory.
While the goal of any directory synchronization solution is to synchronize users between different directories, at times it is desirable to exclude users from synchronization. Sensitive accounts, such as administrative accounts or other accounts with broad access rights, may need to be excluded from synchronization between Active Directory and eDirectory.
To accomplish this task, simply use ConsoleOne to browse into the DirXML driver set:
Select the Active Directory driver (NOVELL-Driver in Figure 18).
Select the properties of the driver.
Under the DirXML tab, select the Excluded Users sub menu.
From this browse window, select eDirectory users that should NOT be synchronized to Active Directory (see Figure 22).
Figure 22: From the properties tab of the DirXML driver set, select users that should not be synchronized between eDirectory and Active Directory.
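The three association rules above (explicit association wins, children inherit their parent's association, otherwise the installation default applies, and none of it touches existing users) and the Excluded Users list just described both decide where, or whether, an event is written in the other directory. The following is an added example, not Novell's or DirXML's code, that implements those decisions so they can be tested against sample events before touching either directory. It follows the AppNote's notation (AD containers written DNS-style, eDirectory contexts dotted); the `SyncConfig` and `DirectoryEvent` classes, the stable `object_id`, and the sample names are all constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class SyncConfig:
    default_context: str                                # chosen during installation (Figure 10)
    associations: dict = field(default_factory=dict)    # AD container -> eDirectory context
    excluded_users: set = field(default_factory=set)    # eDirectory DNs never sent to AD


@dataclass
class DirectoryEvent:
    direction: str   # "ad->edir" (publisher channel) or "edir->ad" (subscriber channel)
    kind: str        # "add" or "modify"
    object_id: str   # stable id AM keeps for the object (stand-in for the real association key)
    cn: str          # user's common name
    container: str   # AD container for ad->edir events, eDirectory context for edir->ad events


def resolve_edir_context(ad_container, config):
    """Where a *new* user created in ad_container lands in eDirectory.

    An explicit association wins; otherwise the nearest associated ancestor is
    used and the container names below it are carried over
    (engineering.provo.novell.com -> engineering.provo.novell); with no
    associated ancestor at all, the installation default applies.
    """
    parts = ad_container.split(".")
    for i in range(len(parts)):
        ancestor = ".".join(parts[i:])
        mapped = config.associations.get(ancestor)
        if mapped is not None:
            return ".".join(parts[:i] + [mapped])
    return config.default_context


def apply_event(event, config, edir_store, ad_store):
    """Apply one synchronization event; returns the DN written, or None if dropped."""
    if event.direction == "ad->edir":
        if event.kind == "add":
            dn = f"{event.cn}.{resolve_edir_context(event.container, config)}"
            edir_store[event.object_id] = dn
            return dn
        # Associations apply only to new users: a modify reuses the existing DN,
        # even if the container's association changed after the user was created.
        return edir_store.get(event.object_id)
    dn = f"{event.cn}.{event.container}"
    if dn in config.excluded_users:   # Excluded Users list on the AD driver (Figure 22)
        return None
    ad_store[event.object_id] = dn
    return dn


if __name__ == "__main__":
    # Constructed sample configuration and events.
    cfg = SyncConfig(default_context="users.novell",
                     associations={"provo.novell.com": "provo.novell"},
                     excluded_users={"admin.novell"})
    edir, ad = {}, {}
    for ev in [
        DirectoryEvent("ad->edir", "add", "id-1", "GaryH", "engineering.provo.novell.com"),
        DirectoryEvent("ad->edir", "add", "id-2", "jdoe", "sales.novell.com"),
        DirectoryEvent("edir->ad", "add", "id-3", "admin", "novell"),
    ]:
        print(ev.direction, ev.cn, "->", apply_event(ev, cfg, edir, ad))
```

The exclusion check is deliberately on the subscriber side only, matching the text: the list keeps eDirectory users out of Active Directory, and the page does not describe a symmetric list for the other direction.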
Frequently Asked Questions
Q. Does Novell AM for W2K require a NetWare Server?
A. No. Novell AM for Windows 2000 does not require a NetWare server. The only requirement is eDirectory v8.5 for Windows 2000.
Q. Will Active Directory or eDirectory lose directory changes if either system is unavailable?
A. No. The DirXML component of Novell AM for Windows 2000 queues both Active Directory and eDirectory changes when either directory is unavailable. Once both directories become available, synchronization will resume and any queued changes will be exchanged between the two directories.
Q. Does Novell AM for Windows 2000 support renaming users?
A. Yes. AM keeps unique object IDs in both eDirectory and Active Directory, allowing it to synchronize any object renames.
Q. Does Novell AM for Windows 2000 support moving objects within each directory system?
A. Yes. Objects can be moved with either eDirectory or Active Directory tools. AM maintains synchronization for any moved object.
Q. Is it possible to manually edit the DirXML publisher and subscriber rules?
A. Yes. However, Novell recommends that only experienced individuals directly modify the DirXML publisher and subscriber rules. While modification allows greater customization, it may increase troubleshooting complexity for Novell's front-line support engineers.
Q. Does Novell AM for Windows 2000 manage Windows 2000 file system access?
A. No, not in the initial release. Future releases may address this issue.
Q. Does Novell AM for Windows 2000 modify any Windows 2000 system files?
A. No. AM is based on standard Windows 2000 APIs such as LDAP and ADSI.
Novell AM for Windows 2000 delivers a robust, scalable, and highly functional solution for managing Windows 2000 and Active Directory. While Novell AM for Windows 2000 provides many of the features found in Novell's NDS for NT product, it is a significant first step towards Novell's strategic vision of integrating Active Directory into larger, heterogeneous environments. Deploying Novell AM for Windows 2000 not only enables synchronization and management of Active Directory from within eDirectory, but it provides the foundation to deploy additional eDirectory- and DirXML-based solutions.
* Originally published in Novell AppNotes
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.