
NDS Enhancements In NetWare 5

Sandy Stevens

01 Dec 1998


Editor's Note: Does your company need Novell Directory Services (NDS)? If your company is using NDS already, is your company using NDS to its full potential? Over the next year, the Novell Certified Professional section will focus on NDS, explaining how you can use NDS today to better manage your company's network. The Novell Certified Professional section will feature NDS-enabled products, NDS enhancements, how-to articles, and tips and tricks.

NetWare 5 makes integrating your company's network with the Internet easier than ever before and helps you manage your company's network more efficiently. NetWare 5 even makes users more productive. As with NetWare 4, Novell Directory Services (NDS) plays a significant role in delivering these benefits in NetWare 5.

Novell has enhanced NDS to support the new features of NetWare 5 such as Zero Effort Networks (Z.E.N.works), Domain Name System (DNS)/Dynamic Host Configuration Protocol (DHCP) Services, Novell Distributed Print Services (NDPS), and Novell Storage Services (NSS). NetWare 5 also offers other NDS enhancements, including the following:

  • Protocol independence

  • Enhanced NDS synchronization

  • Improved performance

  • Better tracking of external references

  • Security enhancements

  • Catalog services

  • WAN traffic manager

PROTOCOL INDEPENDENCE

Probably the most significant change in NetWare 5 is protocol independence. In NetWare 5, Novell has made its core communications layer, NetWare Core Protocol (NCP), independent of IPX. As a result, you can configure your company's NetWare 5 servers to support IP only, IPX only, or both IPX and IP.

In NetWare 5, NDS is also protocol independent, supporting both IP and IPX. This protocol independence provides better interoperability, which makes it easier for you to connect your company's network to the Internet.

Novell also changed the way NDS advertises and discovers NDS tree names. In NetWare 4, NDS relies on Service Advertising Protocol (SAP) to help devices discover NDS trees and other service information on the network. NetWare 4 servers use SAP to broadcast NDS tree names and other service information on the network every 60 seconds. Broadcasting these services can generate a significant amount of network traffic.

If IP is enabled in NetWare 5, NDS can use Service Location Protocol (SLP) to discover NDS trees. SLP eliminates the periodic broadcasts, significantly reducing the amount of network traffic generated by advertising services. Rather than broadcasting service information every 60 seconds, each server registers its services with an SLP service agent, which answers requests for them. (In large networks, you can deploy directory agents, which collect registrations from many service agents and answer queries about multiple network services from one place.)

When an application needs a service, it asks the SLP user agent on the client to locate it. The user agent sends a service request naming the service type and attributes it needs, and the service agent (or directory agent) replies with the network address of a matching service. (For more information about SLP, see "Service Location Protocol: Discovering Services in a Pure IP Environment," NetWare Connection, July 1998, pp. 32-37. You can download this article from http://www.nwconnection.com/jul.98/slp78.)
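The request/reply exchange described above, as an added example in Python. This is not code from the article or from Novell; it builds and parses SLPv2 (RFC 2608) Service Request and Service Reply datagrams by hand, so you can see what a user agent sends and what it must check when a reply comes back. The service type "service:ndap.novell" and the URL form "service:ndap.novell:///TREENAME" are assumptions about how NetWare 5 advertises a tree; the tree name ACME_TREE and the transaction ID are constructed sample values. The parser deliberately rejects a reply whose XID does not match the outstanding request, whose declared length disagrees with the datagram, or that carries authentication blocks it cannot verify.

```python
import struct

SLP_VERSION = 2
FN_SRVRQST = 1   # Service Request
FN_SRVRPLY = 2   # Service Reply


def _slp_string(value: str) -> bytes:
    """SLPv2 length-prefixed string: 2-byte big-endian length, then UTF-8 bytes."""
    data = value.encode("utf-8")
    return struct.pack("!H", len(data)) + data


def _slp_message(function_id: int, body: bytes, xid: int, lang: str = "en") -> bytes:
    """Prepend the 14-byte fixed SLPv2 header plus the language tag to a message body."""
    lang_b = lang.encode("ascii")
    total = 14 + len(lang_b) + len(body)
    return (bytes([SLP_VERSION, function_id])
            + total.to_bytes(3, "big")          # message length (24-bit)
            + struct.pack("!H", 0)              # flags: no overflow/fresh/multicast bits
            + (0).to_bytes(3, "big")            # next extension offset (none)
            + struct.pack("!H", xid)            # transaction ID, echoed back in the reply
            + struct.pack("!H", len(lang_b)) + lang_b
            + body)


def build_srvrqst(service_type, scope="DEFAULT", predicate="", xid=1, prlist=""):
    """User agent -> service/directory agent: 'who offers this service type?'"""
    body = (_slp_string(prlist)          # previous responders, empty on first try
            + _slp_string(service_type)
            + _slp_string(scope)
            + _slp_string(predicate)     # LDAP-style attribute filter, empty here
            + _slp_string(""))           # empty SLP SPI: no authenticated reply requested
    return _slp_message(FN_SRVRQST, body, xid)


def build_srvrply(urls, xid=1, lifetime=3600, error_code=0):
    """Service/directory agent -> user agent: list of URL entries for the service."""
    body = struct.pack("!HH", error_code, len(urls))
    for url in urls:
        url_b = url.encode("utf-8")
        # URL entry: reserved(1) lifetime(2) url-length(2) url, then count of auth blocks (0)
        body += struct.pack("!BHH", 0, lifetime, len(url_b)) + url_b + b"\x00"
    return _slp_message(FN_SRVRPLY, body, xid)


def parse_header(pkt):
    """Validate the fixed header; return (function id, xid, body bytes)."""
    if len(pkt) < 14 or pkt[0] != SLP_VERSION:
        raise ValueError("not an SLPv2 message")
    if int.from_bytes(pkt[2:5], "big") != len(pkt):
        raise ValueError("declared length does not match datagram size")
    xid = struct.unpack("!H", pkt[10:12])[0]
    lang_len = struct.unpack("!H", pkt[12:14])[0]
    body_off = 14 + lang_len
    if body_off > len(pkt):
        raise ValueError("truncated header")
    return pkt[1], xid, pkt[body_off:]


def parse_srvrply(pkt, expected_xid):
    """Parse a SrvRply; return (error code, [(url, lifetime seconds), ...])."""
    fn, xid, body = parse_header(pkt)
    if fn != FN_SRVRPLY:
        raise ValueError("not a SrvRply")
    if xid != expected_xid:
        raise ValueError("XID mismatch: reply does not belong to our request")
    if len(body) < 4:
        raise ValueError("truncated SrvRply")
    error_code, count = struct.unpack("!HH", body[:4])
    off, urls = 4, []
    for _ in range(count):
        if len(body) < off + 5:
            raise ValueError("truncated URL entry")
        _reserved, lifetime, url_len = struct.unpack("!BHH", body[off:off + 5])
        off += 5
        if len(body) < off + url_len + 1:
            raise ValueError("truncated URL entry")
        url = body[off:off + url_len].decode("utf-8")
        off += url_len
        num_auths = body[off]
        off += 1
        if num_auths:
            raise ValueError("authentication blocks present but not verified here")
        urls.append((url, lifetime))
    return error_code, urls


def nds_tree_names(urls):
    """'service:ndap.novell:///ACME_TREE' -> 'ACME_TREE' (assumed URL form for NDS trees)."""
    prefix = "service:ndap.novell:///"
    return [url[len(prefix):] for url, _ in urls if url.startswith(prefix)]
```

Note that a plain SrvRply carries no authentication unless both sides use SLP authentication blocks, so a user agent that accepts any reply with a matching XID is trusting whatever answered first on the segment; the parser above at least refuses to silently accept auth blocks it has not checked.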

ENHANCED NDS SYNCHRONIZATION

In NetWare 5, Novell has also changed the NDS synchronization algorithms to transitive synchronization. Transitive synchronization provides the following benefits:

  • Allows servers in a mixed IPX and IP environment to synchronize NDS changes

  • Reduces NDS synchronization traffic

The NDS synchronization process in NetWare 4 requires each server in a replica list to communicate and synchronize with all of the other servers in that replica list. (A replica list includes all of the servers that hold a replica of the same partition.) For example, suppose you stored replicas of Partition A on three servers: SRV-1, SRV-2, and SRV-3. To synchronize partition changes, SRV-1 must synchronize with SRV-2 and SRV-3, SRV-2 must synchronize with SRV-1 and SRV-3, and SRV-3 must synchronize with SRV-1 and SRV-2.

In addition to generating excess network traffic, this method of synchronizing NDS replicas also creates a problem in a mixed IPX and IP environment. For example, suppose the servers in the previous example were NetWare 5 servers. Also suppose SRV-1 was running IPX only, SRV-3 was running IP only, and SRV-2 was running both IPX and IP. If NetWare 5 used the NetWare 4 method of NDS synchronization, the servers could not synchronize the replicas because SRV-1 and SRV-3 could not communicate directly with each other.

Transitive synchronization in NetWare 5 eliminates the need for each server in a replica list to communicate with all of the other servers in the replica list. Using transitive synchronization, NDS can synchronize changes made to one replica through intermediaries. For example, if SRV-1 synchronized with SRV-2 and SRV-2 synchronized with SRV-3, SRV-1 would not need to synchronize with SRV-3. Transitive synchronization allows servers in a mixed IPX and IP environment to synchronize NDS changes and reduces the amount of network traffic generated by the NDS synchronization process.
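The two synchronization models contrasted above, as an added example in Python (not code from the article or from NDS itself). It takes the article's three-server replica ring, with SRV-1 on IPX only, SRV-3 on IP only, and SRV-2 on both, and shows why the NetWare 4 rule (every replica contacts every other replica directly) fails while the transitive rule (a change only needs a chain of servers that can reach each other) succeeds. The ring definition and the hop counts are constructed for illustration; the simulation is a breadth-first flood, not Novell's actual transitive-vector algorithm.

```python
from collections import deque
from itertools import combinations

# Constructed replica ring for Partition A, mirroring the article's mixed-protocol example.
RING = {"SRV-1": {"IPX"}, "SRV-2": {"IPX", "IP"}, "SRV-3": {"IP"}}


def can_talk(ring, a, b):
    """Two servers can exchange NDS traffic only if they share at least one transport."""
    return bool(ring[a] & ring[b])


def netware4_sync_possible(ring):
    """NetWare 4 model: every replica must contact every other replica directly."""
    return all(can_talk(ring, a, b) for a, b in combinations(ring, 2))


def propagate(ring, origin):
    """Transitive model: flood a change from `origin` through any server it can reach.

    Returns {server: hop count}. A server missing from the result is unreachable and
    would never receive the change, which is the failure case to watch for.
    """
    hops = {origin: 0}
    queue = deque([origin])
    while queue:
        cur = queue.popleft()
        for peer in ring:
            if peer not in hops and can_talk(ring, cur, peer):
                hops[peer] = hops[cur] + 1
                queue.append(peer)
    return hops


def transitive_sync_possible(ring):
    """Enough that the direct-communication graph is connected: all replicas reachable."""
    first = next(iter(ring))
    return set(propagate(ring, first)) == set(ring)


def unreachable_replicas(ring, origin):
    """Servers that will silently fall out of sync with changes made at `origin`."""
    return sorted(set(ring) - set(propagate(ring, origin)))
```

Running propagate(RING, "SRV-1") shows the change reaching SRV-2 in one hop and SRV-3 in two, exactly the intermediary path the article describes; if SRV-2 lost its IP binding, unreachable_replicas would list SRV-3, which is the condition that leaves a replica stale under either model.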

To ensure backward compatibility with NetWare 4 servers, NetWare 5 servers automatically use the NetWare 4 NDS synchronization process with NetWare 4 servers. However, because NetWare 5 servers introduce changes to the NDS schema that previous versions of NDS do not understand, you should update the NDS versions running on NetWare 4 servers before you add NetWare 5 to the network. Novell recommends that you update NetWare 4.1 servers to DS 5.15 and all NetWare 4.11 servers to DS 6.00. (For more information, visit http://support.novell.com.)

IMPROVED PERFORMANCE

Novell has also improved the performance of NDS by providing additional NDS caching in NetWare 5. In NetWare 4, NDS cached only the Access Control List (ACL) information. In NetWare 5, Novell has added a change cache.

In NetWare 5, NDS records which objects have changed since the last synchronization. When synchronizing, a replica does not have to scan the entire partition; instead, it reads the change cache and sends only the objects listed there. Together with the existing ACL cache, the change cache removes a full-partition scan from the synchronization process, which improves NDS performance.

BETTER TRACKING OF EXTERNAL REFERENCES

NetWare 5 also includes distributed reference links, which change the way that NDS keeps track of external references. NDS creates an external reference on a server when you perform an operation that affects a particular object and the server does not hold a replica of the partition in which the object resides.

To keep track of all of the servers that contain external references to an object, NDS creates backlinks at the object level. When you change an object, for example by moving, renaming, or deleting it, NDS uses these backlinks to update every server that contains an external reference to that object. With backlinks, the server performing the update must contact each of those servers individually.

Distributed reference links in NetWare 5 store the distinguished name of the partition root rather than the names of all the servers that contain external references. With distributed reference links, a server can query any read-write replica of the partition to find out which servers have external references to the object, and the partition root then handles updating the external references for the servers within that partition.

To maintain compatibility with previous versions, NDS in NetWare 5 maintains both distributed reference links and backlinks. For example, suppose you stored replicas of Partition A on SRV-1 and SRV-2. Also suppose you then granted Bob, whose User object is in Partition A, file rights to a directory on server SRV-3. Because SRV-3 does not hold a replica of Partition A, NDS would create an external reference for the Bob User object on SRV-3. NDS would then create a distributed reference link and a backlink to SRV-3 in the Bob User object.

Now suppose that you moved the Bob User object from the .provo.novell container object to the .sandiego.novell container object. NDS would have to update all of the external references for the Bob User object to reflect its new location.

Using distributed reference links, the server performing the update could simply contact the partition root, which would then update the external references on servers within that partition. Using backlinks, the server performing the update would have to contact each server that contains an external reference.

Novell has also added temporary external references to NDS in NetWare 5. When a user authenticates through a server that does not contain a replica of the partition in which the User object resides, NDS creates a temporary external reference. NDS cleans up any unused temporary external references each time the NDS janitor process runs, reducing the number of external references on your network. (The NDS janitor background process periodically cleans up and optimizes the NDS database.)

SECURITY ENHANCEMENTS

NetWare 5 includes security enhancements that allow you to control which NDS object and property rights are inherited. In NetWare 4, subordinate objects automatically inherit the object rights and all properties rights that are granted to parent containers. When you grant object rights and all properties rights to a container object, these rights flow down the NDS tree to all objects below. (NetWare 4 groups property rights into two categories: all properties and selected properties. Despite the name, all properties rights are not all inclusive.)

Selected properties rights, on the other hand, are not inherited in NetWare 4: For example, when you grant rights to selected properties such as an address or telephone number property, objects below the container cannot inherit the rights.

NetWare 5 allows you to define which rights should be inherited by subordinate objects. You can do the following:

  • Define whether object rights granted at the container level can be inherited. As a result, you can block inheritance without creating an Inherited Rights Filter for each object that resides in a particular container object.

  • Allow specific properties to be inherited. As a result, you can grant certain users the rights to manage attributes of objects such as passwords, addresses, and telephone numbers.

To specify which rights are inherited, you use the new Inheritable right, which applies only to container objects. You can set the Inheritable right for object rights, all properties rights, or selected properties rights. (See Figure 1.)

Figure 1: In NetWare 5, you can specify which rights should be inherited by the objects that reside in a container object.

If you select the Inheritable right, the trustee assignment you make for a container object flows down to all of the objects below it. If you don't select the Inheritable right, the trustee assignment you make applies only to the container object. Any subordinate objects do not inherit the rights you have specified.

The Inheritable right is enabled by default for object rights and all properties rights (as indicated by the check mark in Figure 1). The Inheritable right is disabled by default for selected properties. These default settings provide compatibility with NetWare 4.

Since the release of NDS, customers have been asking Novell to provide an easy way to set up password administrators. Novell has provided this capability in NetWare 5 by allowing you to configure the inheritance of selected properties. To make setting up password administrators even easier, Novell has added a Password Management property to the NDS schema.

To set up a password administrator, you grant a user the Supervisor right to the Password Management property. You can assign this right to a User, Group, or container object. If you assign this right to a container object, you should also assign the Inheritable right so that the trustee assignment is inherited by the objects that reside in the container object.
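The inheritance rules described in this section, as an added example in Python that is not code from the article or from NDS. It models trustee assignments with the NetWare 5 Inheritable flag and its defaults (object rights and all-properties rights inherit unless you say otherwise; selected-properties rights do not inherit unless you turn Inheritable on), a per-object Inherited Rights Filter, and the NDS convention that an explicit assignment for the same trustee lower in the tree replaces what was inherited. The container names, the HelpDesk group, and the "Password Management" property name are taken from or built on the article's examples; the DN format "Bob.sandiego.novell" and the rule that a Supervisor object right implies all property rights are assumptions of this model.

```python
OBJECT_RIGHTS = {"S", "B", "C", "D", "R"}    # Supervisor, Browse, Create, Delete, Rename
PROPERTY_RIGHTS = {"S", "C", "R", "W", "A"}  # Supervisor, Compare, Read, Write, Add Self


def dn_path(dn):
    """'Bob.sandiego.novell' -> ['novell', 'sandiego.novell', 'Bob.sandiego.novell'] (root to leaf).

    Typeless dotted names are an assumption of this example, not the only NDS syntax.
    """
    parts = dn.strip(".").split(".")
    return [".".join(parts[i:]) for i in range(len(parts) - 1, -1, -1)]


class Tree:
    """Holds trustee assignments and Inherited Rights Filters; computes effective rights.

    kind is "object", "all_properties", or ("property", "<Property Name>").
    """

    def __init__(self):
        self.assignments = []  # (target dn, trustee, kind, rights, inheritable)
        self.irfs = {}         # (dn, kind) -> rights allowed to flow in from above

    def grant(self, target, trustee, kind, rights, inheritable=None):
        if inheritable is None:
            # NetWare 5 defaults from the article: object and all-properties assignments
            # are inheritable; selected-properties assignments are not.
            inheritable = kind in ("object", "all_properties")
        self.assignments.append((target, trustee, kind, set(rights), inheritable))

    def set_irf(self, dn, kind, allowed):
        self.irfs[(dn, kind)] = set(allowed)

    def _rights(self, trustee, obj_dn, kind):
        effective = set()
        for node in dn_path(obj_dn):
            # An IRF on this node filters only what arrives from above; an explicit
            # assignment made on the node itself (applied below) is not filtered.
            irf = self.irfs.get((node, kind))
            if irf is not None:
                effective &= irf
            for target, t, k, rights, inheritable in self.assignments:
                if target != node or t != trustee or k != kind:
                    continue
                if node == obj_dn or inheritable:
                    effective = set(rights)  # explicit assignment replaces inherited rights
        return effective

    def object_rights(self, trustee, obj_dn):
        return self._rights(trustee, obj_dn, "object")

    def property_rights(self, trustee, obj_dn, prop):
        if "S" in self.object_rights(trustee, obj_dn):
            return set(PROPERTY_RIGHTS)  # assumption: Supervisor object right covers all properties
        selected = self._rights(trustee, obj_dn, ("property", prop))
        if selected:
            return selected  # a selected-property assignment overrides all-properties rights
        all_props = self._rights(trustee, obj_dn, "all_properties")
        return set(PROPERTY_RIGHTS) if "S" in all_props else all_props


def password_admin_example():
    """The article's password-administrator setup, plus the cases that commonly surprise people."""
    t = Tree()
    # Password administrators: Supervisor on the Password Management property, granted at the
    # top container WITH Inheritable so it flows to every User object below.
    t.grant("novell", "HelpDesk", ("property", "Password Management"), {"S"}, inheritable=True)
    # Same group gets Read/Write on Telephone Number at a container, but Inheritable is left at
    # its selected-property default (off), so it applies to the container object only.
    t.grant("sandiego.novell", "HelpDesk", ("property", "Telephone Number"), {"R", "W"})
    # Browse for everyone at the top: object rights inherit by default.
    t.grant("novell", "Everyone", "object", {"B"})
    # Auditors may browse/rename the provo container itself but nothing beneath it.
    t.grant("provo.novell", "Auditors", "object", {"B", "R"}, inheritable=False)
    return t
```

Turning the Inheritable right off on a container assignment does what the article promises: the rights stop at the container without an IRF on every child. The IRF is still the tool when you need to block rights that were granted higher up with Inheritable on, and in this model, as in NDS, it can filter Supervisor as well.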

CATALOG SERVICES

Catalog services is another NetWare 5 enhancement to NDS. Catalog services allows you to create flat-file databases, called catalogs, of frequently accessed NDS objects. Catalogs provide faster access to information stored in the NDS database.

Without catalog services, a client or an application must "walk" the NDS tree to find an object. With catalog services, the client or the application simply searches the catalog for the object. Catalog services speeds up access to NDS objects, especially if the objects are located across a WAN link.

Catalog services includes the following components:

  • DSCAT.NLM. This NetWare Loadable Module (NLM) contains the catalog dredger that searches the NDS database for the objects and properties to include in a catalog. When you install NetWare 5 on a server, DSCAT.NLM is installed and loaded automatically.

  • DSCQRY16.DLL and DSCQRY32.DLL. These DLLs are the search engines that applications such as the NetWare Administrator (NWADMIN) utility use to query catalogs.

  • DSCATMGR.DLL. This DLL is a snap-in module for the NWADMIN utility. With this snap-in module, you can use the NWADMIN utility to create, modify, query, index, and delete catalog objects.

Creating a Catalog

You use the NWADMIN utility to create and manage catalogs. When you create a catalog, you specify the objects and properties that you want to include in the catalog. (See Figure 2.) For example, you can create a catalog of your company's employees and their telephone numbers.

Figure 2: In NetWare 5, you can create catalogs, which speed up access to information in the NDS database.

Sometimes applications create their own catalogs. For example, when you install Novell's LDAP Services for NDS, you can have it create a catalog of NDS User objects to speed up Lightweight Directory Access Protocol (LDAP) lookups.

You can create two types of catalogs in NDS: master catalogs and slave catalogs. A master catalog is the original copy of a catalog. You must create at least one master catalog for each catalog.

A slave catalog is a copy of the master catalog. You can create one or more slave catalogs for each catalog. When the master catalog receives information from the dredger, the master catalog automatically replicates that information to the slave catalogs.

Using master catalogs and slave catalogs provides two main benefits:

  • You can strategically place slave catalogs close to users who use the catalogs.

  • The catalog dredger only has to search the NDS database from one location. Searching from one location frees up network bandwidth since dredging the NDS database is a bandwidth-intensive process.

To create a catalog, you must have the following rights:

  • You must have the Supervisor right to the Server object that will host the catalog. This server will run DSCAT.NLM to build and update the catalog.

  • You must have the Write object right to the container object in which you will create the catalog.

  • You must have the Write property right to the Catalog List property of the Server object.

Contextless Login

Contextless login is an example of how catalog services can benefit your company. After creating a catalog of all User objects and their full names, you can enable the contextless login option on the NetWare 5 client software's Properties page. You must enable the option on each workstation that should use contextless login. (Tip: You can use the policies feature of the Z.E.N.works Starter Pack to enable the contextless login option on multiple workstations simultaneously.)

After you enable the contextless login, a user can simply press the Tab key at the username prompt when logging in to the network. The user is then presented with a dialog box that contains usernames, and the user can simply choose the appropriate username. (See Figure 3.)

Figure 3: NetWare 5 provides a contextless login, which allows users to log in to the network without knowing their NDS distinguished name.

You can also configure the NetWare 5 client software to support wildcards. For example, if Bob wanted to see only the usernames that begin with the letter B, he could enter B* in the username field and press the Tab key. NDS would then return only those usernames that matched the wildcard criteria.

WAN TRAFFIC MANAGER

NetWare 5 also includes the WAN traffic manager, which is a policy-based service that can reduce your company's communications costs. With the WAN traffic manager, you can control NDS traffic on your company's network.

NDS servers synchronize the NDS database regularly, and this synchronization can sometimes be intensive. If you use dial-up Integrated Services Digital Network (ISDN) or analog circuits for server-to-server communications, every time the NDS servers synchronize, the phone line comes up, and the charges start.

The WAN traffic manager lets you manage the cost of synchronizing NDS. Using the NWADMIN utility, you can control NDS communications based on the time, the type of traffic, the destination of traffic, and other settings. You create WAN traffic policies, which are rules that control the generation of NDS traffic. NDS stores these WAN traffic policies as attributes of Server objects or LAN Area objects. (A LAN Area object allows you to manage policies for a group of servers.)

When you load the WAN traffic manager (which is WANMAN.NLM), it reads the WAN traffic policies. When NetWare servers need to communicate, NDS calls the WAN traffic manager. The WAN traffic manager then analyzes its policies and controls server-to-server communication based on those policies.

You must load the WAN traffic manager on each server whose traffic you want to control. If a partition's replica ring includes servers on both sides of a WAN link, you should install the WAN traffic manager on all servers in that replica ring. Although Novell designed the WAN traffic manager to control traffic across WAN links, you can use it to control NDS traffic between any servers in the NDS tree.
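The kind of decision the WAN traffic manager makes, as an added example in Python. This is not WANMAN's own policy language and not code from the article; it is a small policy evaluator built around the inputs the article lists (time of day, type of traffic, destination server or LAN Area) so you can see how a rule set turns a synchronization request into an allow or deny, including the overnight window that crosses midnight, which is the case most easily got wrong. The server names, LAN Area names, time windows, and the "unmatched traffic is allowed" default are all constructed assumptions.

```python
from datetime import datetime, time

# Constructed LAN Area objects: a policy aimed at an area covers every server in it.
LAN_AREAS = {
    "SANDIEGO-AREA": {"SRV-3", "SRV-4"},
    "PROVO-AREA": {"SRV-1", "SRV-2"},
}

# Constructed policies, evaluated top to bottom; the first match wins.
POLICIES = [
    # Keep the metered ISDN link to San Diego down for routine sync during the day.
    {"traffic": "sync", "dest": "SANDIEGO-AREA", "window": ("07:00", "19:00"), "verdict": "deny"},
    # Overnight window that wraps past midnight: sync to San Diego is fine then.
    {"traffic": "sync", "dest": "SANDIEGO-AREA", "window": ("19:00", "07:00"), "verdict": "allow"},
    # Everything else (other traffic types, other destinations) is allowed.
    {"traffic": "*", "dest": "*", "window": None, "verdict": "allow"},
]


def in_window(window, clock):
    """clock is 'HH:MM'. A window whose end is earlier than its start wraps past midnight."""
    if window is None:
        return True
    start, end, now = (time.fromisoformat(x) for x in (*window, clock))
    if start <= end:
        return start <= now < end
    return now >= start or now < end  # e.g. 19:00-07:00 covers 23:30 and 06:59


def dest_matches(rule_dest, server):
    """A rule destination is '*', a server name, or a LAN Area containing the server."""
    return rule_dest == "*" or rule_dest == server or server in LAN_AREAS.get(rule_dest, ())


def decide(policies, traffic, dest_server, when):
    """when is 'YYYY-MM-DD HH:MM'. Returns (verdict, index of the matching rule or None)."""
    clock = datetime.fromisoformat(when).strftime("%H:%M")
    for i, rule in enumerate(policies):
        if (rule["traffic"] in (traffic, "*")
                and dest_matches(rule["dest"], dest_server)
                and in_window(rule["window"], clock)):
            return rule["verdict"], i
    return "allow", None  # assumption of this model: unmatched traffic is allowed
```

Because the first matching rule wins, order matters: a catch-all allow placed above the daytime deny would make the deny unreachable, so when you review a policy set, check the ordering as carefully as the individual rules.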

CONCLUSION

NetWare 5 provides many enhancements to NDS. Because NDS now supports both IP and IPX as core communications protocols, you can choose the protocol that best fits your company's environment. NDS in NetWare 5 also delivers better performance than previous versions of NDS due to changes in synchronization algorithms and new NDS caching.

In addition, NetWare 5 makes NDS security more flexible by letting you decide which trustee assignments subordinate objects should inherit. As a result, you can set up users who can manage only certain attributes such as passwords.

Catalog services allows you to create catalogs that make it easier and faster to find NDS information. Catalog services also provides the contextless login, which allows users to log in without knowing their full NDS distinguished name.

Finally, with the new WAN traffic manager, you can control and manage NDS synchronization traffic, reducing the costs of your company's WAN.

Sandy Stevens is a freelance writer based in Salt Lake City. She is coauthor of Novell's Guide to Integrating intraNetWare and NT, Novell's Guide to BorderManager, and Novell's Guide to NetWare Printing.

NetWare Connection, December 1998, pp. 32-35

* Originally published in Novell Connection Magazine


© Copyright Micro Focus or one of its affiliates