NDS for NT Q & A
Articles and Tips: article
01 Apr 1999
NDS for NT Q & A
Q. What is NDS for NT?
A. NDS for NT 2.0 is software that centralizes the administration of Windows NT and NetWare networks and reduces the complexity of managing Windows NT domains. NDS for NT 2.0 also eliminates the need to establish and maintain complicated trust relationships. You can add users to one or more domains without having to delete and recreate them.
NDS for NT 2.0 includes NWAdmin, a utility you can use to manage your entire mixed network. NWAdmin also provides flexibility: you can integrate familiar NT utilities, such as User Manager, Server Manager, and File Sharing Wizard, with NWAdmin.
With NDS for NT 2.0 users only need to log in once to reach all the resources they need on both your NetWare and Windows NT servers. NDS for NT 2.0 does not change the domain architecture, so it is completely compatible with existing Windows NT applications. And you can still use familiar Windows NT tools to manage your NT domains. NDS for NT 2.0 is Year 2000 Ready.
NDS for NT 2.0 integrates your Windows NT servers (3.51 and above) with your NetWare servers (4.2 and above).
Q. How does a domain fit into NDS?
A. Users are created as NDS User objects. The domain is created as a special NDS Container, holding the domain groups and workstations. Resources from both environments can now be managed in NDS using NWAdmin.
Q. Can I install NDS replicas on remote domain controllers?
A. Yes, you can place replicas of NDS partitions on redirected NT domain controllers at remote locations. This powerful feature provides remote users with the ability to authenticate locally rather than across the WAN, improving system access and productivity. NDS information at remote sites is kept current and consistent with the network hub through replication.
Additionally, the Replica Advisor details page of the Domain Object provides network administrators with the information necessary to determine which replicas should be placed at the remote location.
NDS database management functions are provided by the NDS Manager utility (ndsmgr32.exe). These functions, such as managing partitions and replicas, are performed at the domain controller for partitions that contain domains.
Q. Do I have to install new software on the workstations?
A. NDS for NT is installed on the NT Domain Controllers. No workstation components or workstation configuration is required. From the perspective of the Microsoft clients or applications using that domain, nothing has changed. All workstations and applications will continue to function as they did before NDS for NT was installed.
Q. Can I still use User Manager?
A. Yes, the administrator can use Microsoft User Manager for Domains to create the user. As such, User Manager becomes an NDS administration tool (specific for the Domain object). Alternatively, if an administrator needs to add a new user with access to an NT Domain, the administrator can use NWAdmin to add the user in NDS and grant the user rights to the NT Domain.
User Manager for Domains sends requests to the NT domain controller to create the user in the domain and NDS for NT directs those requests to NDS. The user is created in NDS with the same properties and access rights or restrictions that are available from the domain itself.
Any subsequent modifications made to that user with User Manager or any other domain administration utility is serviced in the same way. While Microsoft User Manager for Domains can be used to create and modify users in NDS, NWAdmin offers all the same administration features, as well as significantly more configuration options.
Q. Does the Domain Object Wizard convert NT domain trust relationships into NDS object relationships?
A. Yes, trust relationships are preserved by NDS for NT. You will be able to view the NT domain trust relationships via Microsoft's administrative tools. Trust relationships are supported in NDS for NT but are not necessary. If a user in Domain A needs to use resources in Domain B, simply make the NDS User object a member of the NDS object Domain B.
Q. Does the Domain Object Wizard move more than one NT domain at a time?
A. No, the Domain Object Wizard only moves one NT domain over to NDS at a time. You will need to run the NDS for NT installation for each Primary Domain Controller (PDC) and each Backup Domain Controller (BDC) you want to move to NDS.
NDS for NT moves the information from a PDC to NDS, redirects requests for SAM to NDS, and allows an NDS replica to reside on the PDC. Installing NDS for NT on a BDC does not move domain objects to NDS, but it redirects requests for SAM to NDS and allows the BDC to hold a replica of the NDS database.
Q. Can I go back to an NT-Only solution after using NDS for NT?
A. Yes, you can return to an NT-only solution by simply restarting the Domain Object Wizard (sammig.exe) and following the screen prompts. The uninstall will:
return your NT domain to your original NT domain state. Objects are, moved out of NDS back to the domain and the original samsrv.dll, if restored.
or, if you choose,
update the original NT domain with changes made since the original migration to NDS. Changes made to the original objects are copied to the domain, and any new user objects are created in the domain.
Because Windows NT frequently updates passwords, password information is always updated during the uninstall.
Q. How does NDS for NT preserve password security?
A. Windows NT uses an MD4 password encryption algorithm. NDS, however, uses the public/private key RSA encryption. When user passwords are created, they are encrypted by the respective algorithms; then these encrypted values are stored on the respective servers.
When a user logs in, the password is passed through the RSA encryption algorithm at the workstation and the encrypted value is sent to NDS for verification. If the encrypted value of the entered password matches that stored in NDS, the user is authenticated to NDS.
At the same time, the password is also encrypted with the MD4 algorithm and sent to the Windows NT domain controller. This encrypted value is compared to that stored in the domain User object. If they match, the user is authenticated to the NT Server. This authentication process is secure because the encryption process that is performed on each password is irreversible.
With NDS for NT, both passwords are checked by the respective environments. Both passwords, however, are stored in NDS. The authentication process is equally secure, since the encryption process that is performed on each password is still irreversible.
* Originally published in Novell AppNotes
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.