NDS for NT 2.0: The Easy Way to Manage Windows NT Servers
Articles and Tips:
01 Apr 1999
If your company's network includes both NetWare and Windows NT servers, you have undoubtedly noticed a slight difference in the manageability of the two platforms. Let's face it, Novell Directory Service (NDS) is a network administrator's dream. With NDS, you can manage the entire network from a single point, with no complex domains or trust relationships to worry about.
Users also benefit from NDS because they can enter a single login name and password to access authorized resources across the entire network. In addition, your boss may be wondering why it takes only one person to manage a group of NetWare servers and a team of people to manage the Windows NT servers. Thanks to Novell's NDS for NT 2.0, managing those Windows NT servers just got easier.
NDS FOR NT 2.0 TO THE RESCUE
NDS for NT 2.0 is Novell's solution for managing Windows NT servers and applications on a heterogeneous network that includes both NetWare 4.x or NetWare 5.x servers and Windows NT servers. When you install NDS for NT 2.0 on your company's Windows NT servers, the network becomes easier to manage, easier to access, and more fault tolerant.
Making Windows NT Servers Easier to Manage
Because NDS for NT 2.0 integrates Windows NT servers and domains with NDS, you can manage all aspects of your company's Windows NT domains through NDS. In addition to having a single point of management for your NetWare environment, you now have a single point of management for the Windows NT environment.
With NDS for NT 2.0, you can use Novell's NetWare Administrator (NWADMIN) utility to manage Windows NT users and groups. The NWADMIN utility provides a global view of the entire network--including multiple domains--and enables you to manage that network from a single location. You can also use Microsoft's User Manager utility to create Windows NT users. In this case, NDS for NT 2.0 redirects the requests to NDS.
Because NDS for NT 2.0 allows you to manage Windows NT file shares through NDS, you save significant time and reduce the costs normally incurred when managing Windows NT file shares. Using the NWADMIN utility, you can set up and manage users' access rights to the file systems on both NetWare servers and Windows NT servers.
Making It Easier for Users to Access the Network
NDS for NT 2.0 also makes it easier for users to access your company's mixed network. When you install NDS for NT 2.0 on Windows NT servers, each user has a single global identity for the entire network. As a result, each user enters a single username and password to access both platforms.
This single global identity also saves management time and costs. For example, you create and manage only one user ID for each user. Without NDS for NT 2.0, you must create and manage one user ID for each user on each platform--essentially doubling your workload. In addition, with NDS for NT 2.0, you will probably spend less time changing forgotten passwords because users have to remember only one login name and password for both platforms.
Providing More Fault Tolerance
NDS for NT 2.0 also allows you to store NDS replicas on Windows NT servers. This capability can provide additional fault tolerance for your company's network and conserve network resources. For example, you can use NDS for NT 2.0 in branch offices that have only a Windows NT server. The replica on the local Windows NT server can service NDS requests made by the users at the branch office. As a result, requests to access NDS data do not have to cross your company's WAN link to a NetWare server that contains an NDS replica.
HOW NDS FOR NT WORKS
After you install NDS for NT 2.0 on your company's Windows NT servers, any user or application requests made to the Windows NT domain name base are redirected to NDS. NDS for NT 2.0 automatically redirects these requests. You do not have to modify the client software or application.
In fact, with NDS for NT 2.0, applications continue to function as if a domain is still present. However, NDS for NT 2.0 only creates the appearance of a domain. To understand how NDS for NT 2.0 works, you must understand how Windows NT authenticates users.
Validating Security in a Windows NT Domain
Both Windows NT workstations and servers have a security database called the Security Accounts Manager (SAM) database. The SAM database is stored in a secure area of the Windows NT registry. You can access the data in the SAM database in only two ways:
Using the Windows NT Application Programming Interfaces (APIs) to read and write to the SAM database
Copying the registry files as some backup software packages do
When an application uses the Windows NT APIs to read and write to the SAM database, two library DLLs are used--SAMSRV.DLL and SAMLIB.DLL. The application and the SAM database communicate in the following way:
The application makes an API call to create, change, delete, or update a user, group, server, or workstation in the SAM database. Windows NT internally calls the SAMLIB.DLL to complete the request.
The SAMLIB.DLL sends Remote Procedure Calls (RPCs) to the SAMSRV.DLL.
The SAMSRV.DLL communicates with the SAM database to make the requested changes or lookups.
During this process, only the SAMSRV.DLL reads and writes to the SAM database. In a domain configuration, the domain's SAMSRV.DLL is located on the Primary Domain Controller (PDC) and the Backup Domain Controllers (BDCs).
The Role of SAMSRV.DLL
When you set up a domain, the Windows NT operating system on each workstation and server in the domain has both the SAMSRV.DLL and the SAMLIB.DLL. However, only the SAMSRV.DLL on the PDC and the BDCs is used to authenticate users to the Windows NT domain. When a user logs in to the domain, the user's client authenticates to the domain by sending an RPC to the SAMSRV.DLL on the PDC or on a BDC. However, if you are attempting to manage the domain, the SAMLIB.DLL must be able to contact a PDC, or you will be unable to manage the domain in any way.
NDS for NT 2.0 and the SAMSRV.DLL
Now that you understand the role of the SAMSRV.DLL, understanding NDS for NT 2.0 is simple. Essentially, NDS for NT 2.0 enables Windows NT domains to use a different database. Since the only software that communicates with the SAM database is the SAMSRV.DLL, Novell changed the SAMSRV.DLL to use NDS. With a different SAMSRV.DLL that uses NDS instead of the SAM database, all authentication and management requests are redirected to NDS. Figure 1 illustrates how NDS for NT 2.0 replaces the SAMSRV.DLL.
Figure 1: NDS for NT 2.0 provides such seamless integration between Windows NT domains and NDS that your applications and client software do not need to be modified.
HOW NDS FOR NT 2.0 HANDLES PASSWORDS
When NDS for NT 2.0 uses NDS as the database for domain information, you create only one User object for each user. This object enables the user to access both the Windows NT and NetWare environments. However, two passwords are required: one password for Windows NT user authentication and one password for NDS. If you think about how passwords are handled in both the Windows NT and NDS environments, you will understand why two passwords are required. Of course, NDS for NT 2.0 has a solution to this problem.
Passwords and Windows NT
When a Windows NT server (such as the PDC for the domain) authenticates a user, it runs the user's password through a hash algorithm at the client before sending the result to the server. The server receives the hashed password and compares it to the hashed password stored on the server. If the two match, the user is logged on to the Windows NT server. If they do not match, the user is not authenticated and can't log on to the Windows NT server.
The Windows NT server cannot reverse the hash to recover the password. The server merely compares one hash to another to verify that the user entered the correct password.
Passwords and NDS
Of course, a user also enters a password to authenticate to NDS. However, NDS handles passwords differently than Windows NT servers and domains do. NDS uses a hashed version of the password to verify the user's identity and then downloads the user's private key to the user's client. After the private key is downloaded, NDS completes the login process by creating a set of credentials. (These credentials are based on factors that are specific to the session and guarantee the uniqueness of the credentials.)
NDS then uses these credentials to transparently log the user in to additional servers as he or she needs access to these servers. As a result, the user does not have to enter a username and password each time he or she needs to access another server.
NDS uses the Rivest-Shamir-Adleman (RSA) algorithm for authentication. RSA uses a private-public key pair to create a set of credentials. Before these credentials can be created, NDS must download the private key to the client. The password hash verifies the user's identity before NDS downloads the private key to the user's workstation.
HANDLING BOTH PASSWORD TYPES
Since Windows NT and NDS passwords use different hash algorithms, NDS for NT 2.0 must handle each password separately. If a user needs to log in to both NDS and a Windows NT domain, NDS for NT 2.0 stores two passwords--one for NDS and one for the Windows NT domain--in the user's NDS User object.
To eliminate the hassle of entering two passwords, Novell provides two solutions:
With NDS for NT 2.0, you can use the NWADMIN utility to change and synchronize a user's NDS and Windows NT passwords.
When a user changes his or her password on a workstation that is running both the Novell Client for Windows NT and the Microsoft client, NDS for NT can synchronize the passwords.
NDS for NT 2.0 also allows a user to have one Windows NT password, no matter how many domains the user belongs to. If a user is a member of 10, 20, or 1,000 Windows NT domains, he or she needs only one Windows NT password to access all of these domains. No matter how many domains a user belongs to, the user has only one account in NDS.
NDS for NT 2.0 and Security IDs
Windows NT security uses a Security ID (SID) and a Resource ID (RID) to identify users and resources that need to access the network. NDS for NT 2.0 fully supports Windows NT SIDs and RIDs.
When an object is given rights to a service (such as files) in a Windows NT environment, the Windows NT server or domain uses the SID and RID to identify the object. These security IDs also provide authorization to use network services.
For example, when a user accesses a Microsoft BackOffice service that is running on a Windows NT server, this service contacts the domain to find out if the user has previously been authenticated to the domain. The service uses a set of APIs called the Security Support Provider Interface (SSPI) to contact the domain for this information. If the user has been authenticated properly, the domain sends a token to the service. The service then checks its own authorizations to determine what specific services the user can successfully request.
Because the SAM database is no longer used on Windows NT servers running NDS for NT 2.0, the SIDs and RIDs for the domains that are maintained by NDS are stored in NDS. When a service makes a request to verify that a user has been authenticated to a domain, NDS looks up the user's SID and generates a token that the service can then use to check against its own security tables. By storing the SIDs and RIDs in NDS, NDS for NT 2.0 seamlessly integrates into an environment that includes BackOffice and other Windows NT services.
BEFORE YOU INSTALL NDS FOR NT 2.0
Before you install NDS for NT 2.0, you should make sure your company's network meets the following minimum requirements:
NDS for NT 2.0 supports Windows NT Server 4.0 with Service Pack 3 or above and Windows NT Server 3.51 with Service Pack 5.
The Windows NT server must be running on an NT File System (NTFS).
If the Windows NT server will hold an NDS replica, this server should have a minimum of 32 MB of RAM. (Novell recommends 64 MB of RAM.)
NDS for NT 2.0 requires 90 MB of available disk space on the Windows NT server. If the server will host an NDS replica, you will need 150 MB of disk space for every 1,000 users in each replica.
To install NDS for NT 2.0, you must have administrative rights to the Windows NT server and the NDS tree.
If your company's network includes NetWare 4.11 servers, these servers must be running NetWare Support Pack 6 and NDS 5.99a or above. (To download these support packs, visit Novell's Support Connection web site at http://support.novell.com/misc/patlst.htm#nw411.)
If your company's network includes NetWare 5 servers, these servers must be running NDS 7.02 or above. (The earlier versions of NDS that shipped with the NetWare 5 betas do not work with NDS for NT 2.0.)
If your company uses Microsoft Exchange, you must install Service Pack 1.0 or above to run Mailbox Manager for Exchange.
You should install NDS for NT 2.0 on the PDC and, ideally, on each BDC.
You should install NDS for NT 2.0 on the PDC first and then install NDS for NT 2.0 on the BDCs.
INSTALLING NDS FOR NT 2.0
Installing NDS for NT 2.0 is a straightforward process. In fact, the installation consists of three main steps:
Install NDS for NT 2.0 on the Windows NT server.
Run the Domain Object Wizard.
Install the NDS for NT 2.0 management utilities.
Installing Files on the Server
To install NDS for NT 2.0 on a Windows NT server, you must log in to the server as Administrator or a user with administrative rights. Then, insert the NDS for NT 2.0 CD into the server's CD-ROM drive. The NDS for NT installation process should start automatically. (If the installation doesn't begin, run the WINSETUP.EXE file from the root directory of the CD.) Select the NDS for NT option from the NDS for NT Installation menu. Then select Continue, and the installation program begins copying files.
During this step, NDS for NT 2.0 files (including the SAMSRV.DLL) are copied to the Windows NT server. In addition, the Novell Client for Windows NT is installed. This client enables the SAM redirection component to communicate with NDS.
After the NDS for NT 2.0 files are copied to the Windows NT server, a dialog box appears, indicating that the server must be rebooted to make the changes take effect.
Running the Domain Object Wizard
After you reboot the Windows NT server, log on to the Windows NT server as Administrator and log in to the NDS tree as the ADMIN user or another user with Write access to the [Root] of the NDS tree. (You need these rights to extend the NDS schema to support the NDS for NT objects). At this point, the Domain Object Wizard (SAMMIG.EXE) will automatically run.
The Domain Object Wizard enables you to do the following:
Move objects from your company's Windows NT domain to NDS
Install an NDS replica on the Windows NT server
You can also use the Domain Object Wizard to remove an NDS replica from the Windows NT server or to remove NDS for NT 2.0 from the Windows NT server.
After the NDS for NT 2.0 introduction screen appears, you are prompted to select the NDS tree to which you want to move the domain users, groups, and workstations. When you select the NDS tree, the Domain Object Wizard checks to see if the NDS schema has been extended to accommodate NDS for NT 2.0. If the NDS schema has not been extended, you are prompted to extend the schema before you can move the domain users, groups, and workstations to NDS. If the schema has already been extended, this prompt does not appear.
You are then prompted to specify the NDS context in which you want to create the Domain object and the NDS context in which you want to create the new NDS users. You can use the Browse button to select the NDS context. NDS users do not need to be created in the same context as the Domain object.
On this context screen, you should also check the Force password synch box if you want to synchronize NDS and Windows NT passwords. If this box is checked, users will be prompted to enter a new password when they log in after the migration is completed. If the users use the NWADMIN utility or another Windows-based utility to change their password, the Windows NT and NDS passwords will remain synchronized. However, if the users use a DOS utility or command such as SETPASS to change their password, the Windows NT and NDS passwords will not remain in sync.
Next, you are given the option to search the NDS tree for existing NDS User objects that have the same name as Windows NT users. You should skip this search only if you do not have any Windows NT users that correspond to existing NDS users.
If the Windows NT users who you are migrating already have NDS accounts, you can use this option to search for these users in NDS. You can then map the Windows NT users being moved with existing NDS User objects. If you are migrating multiple Windows NT domains to NDS, you can also map redundant domain user accounts into one NDS account.
The Domain Object Wizard then asks you what to do if the Windows NT domain users who are being migrated are not found in NDS. You can either choose to create new NDS User objects for these accounts or to not move the accounts.
If you chose to search the NDS tree for existing User objects with the same name, you will be asked to indicate the container object where you want to begin the search. When the search is completed, the Domain Object Wizard displays a summary of the information gathered. (See Figure 2.)
Figure 2: The Domain Object Wizard enables you to specify which Windows NT user accounts you want to move to NDS.
As Figure 2 shows, you can specify how the Domain Object Wizard handles each Windows NT object that is being moved to NDS. You use the following three buttons, which are located in the left-hand side of the screen, to specify how these objects should be handled:
Create As. You use this button to create an existing Windows NT user as a new NDS User object.
Associate With. You use this button to associate the Windows NT user account being moved with an existing NDS User object.
Don't Move. You use this button to specify that you don't want to move an existing Windows NT user account to NDS.
After the Windows NT objects have been moved, the move statistics appear, indicating how many objects were moved and if any errors occurred. If you chose not to move the Windows NT objects to NDS, a warning screen appears, indicating that the objects you do not move will not be able to access the domain after NDS for NT 2.0 is installed. You are given the option to move the users at this time or to bypass the move and continue with the installation.
The final screen that appears allows you to view the move log and to install an NDS replica on the Windows NT server. If you check the Install NDS Replica on This Server box, NDS checks to ensure you have the necessary rights to perform replica operations. If you do not have the necessary rights, you are prompted to enter the name, context, and password for the ADMIN user or a user with equivalent rights.
When you install an NDS replica on a Windows NT server, an NDS NT Server object is created in the same context in which the Windows NT domain was migrated. The Domain Object Wizard automatically assigns a name to this Server object but gives you the option to rename the object. You are also given the option to specify the Windows NT server directory in which you want to store NDS files.
After the Domain Object Wizard installs the NDS replica on the Windows NT server, you must reboot the Windows NT server to make the changes take effect.
Installing the Administration Utilities
To complete the NDS for NT 2.0 installation, you must install the NDS for NT Administration utilities:
Domain Object Wizard. You can use this utility to add or remove NDS replicas from the Windows NT server. You can also use this utility to remove NDS for NT 2.0 from the Windows NT server.
NDS Manager. You can use this utility to manage NDS partitions and replicas from the Windows NT server.
NetWare Administrator for Windows NT. You can use this utility to manage the NDS tree, including all aspects of the Windows NT domains that have been moved to NDS.
Novell Login. You can use this utility to log in to the NDS tree and the Windows NT server with a single username and password (if you have synchronized passwords).
Novell Send Messages. You can use this utility to send messages to users who are logged in to the NDS tree.
To install the administration utilities, simply insert the NDS for NT 2.0 CD into the CD-ROM drive on the Windows NT server. The installation menu reappears. (If this menu does not appear, run the ADMNSETUP.EXE file from the I386 directory of the NDS for NT 2.0 CD.) Select Admin Utilities from the Installation menu, and then follow the prompts to install these utilities.
MANAGING A MIXED NETWORK
NDS for NT 2.0 simplifies the management of your company's network. When Windows NT servers use NDS as their name base, all of your company's network directories are consolidated into one directory. Managing a network with one common directory is a much easier task than dealing with multiple directories.
As mentioned earlier, NDS for NT 2.0 also makes managing User and Group objects easier because each user has only one user account for both Windows NT and NDS. You will also spend less time changing forgotten passwords because users only have to remember one password (if the passwords are synchronized) for both environments.
After NDS for NT 2.0 is installed on your company's Windows NT servers and all of the Windows NT domains are moved to NDS, you can begin managing your company's mixed environment. Although you can still use standard Windows NT tools (such as User Manager and Explorer) to manage your company's domains, you can manage both NDS and Windows NT users through the same utility--the NWADMIN utility.
Managing Domain Users With the NWADMIN Utility
If you are using the NWADMIN utility to add a user to a Windows NT domain, you first create a standard NDS User object. You can create this User object anywhere in the NDS tree; the User object does not have to reside in the same context as the Domain object.
You can use one of the following approaches to manage domain users with the NWADMIN utility:
When using the domain-centric approach, you select the Domain object to which the User object should belong and choose Details. Then choose Domain Members from the Details page, and click the Add button. (See Figure 3.) Finally, add the User object to the Domain object.
Figure 3: NDS for NT makes it easy to add multiple users to a Windows NT domain.
You can then run the Windows NT User Manager utility and see if the user has been added to the domain. (If this utility is already running, you may need to press the F5 key to refresh the view.)
Using the domain-centric management approach is useful when you need to add multiple users to a domain at one time. To do this, complete the steps outlined above. When you choose the Add button, hold down the Ctrl key and select as many users as you like.
If you want to use the NWADMIN utility to delete a user, simply choose the Members list of the appropriate Domain object, highlight the User object, and select the Delete button. You can then run the Windows NT User Manager utility to see if the user has been deleted. (Remember, when NDS for NT 2.0 is installed on the Windows NT server, utilities such as the User Manager utility think they are looking at the domain but are really being redirected to NDS.)
When you delete an NDS User object, you effectively remove that User object from all domain memberships and groups. For example, suppose the User object was an Exchange user, an SQL Server user, and a member of 5,000 Windows NT domains. Also, suppose the User object has access to file and print shares as well as NetWare resources. Deleting this User object effectively removes the User object from the entire system. You no longer have to remove the User object multiple times--from the Windows NT domain, the applications, and then NDS. You simply remove the User object once from NDS.
When using the user-centric approach to managing Windows NT domain users, you first select or create the User object you want to add to a domain. Next, choose Details and then the Domain Access tab. A list of the current Domain memberships (if any) appears. You can then choose Add and browse the NDS tree for the appropriate Domain object.
The ability to view all of a user's domain memberships (and group memberships) is a unique benefit of NDS for NT 2.0. The Windows NT User Manager utility does not provide this capability. With the User Manager utility, you must view each domain separately. NDS for NT 2.0 also allows you to add a User object to multiple domains in a single operation. If you use the User Manager utility to add a User object to multiple domains, you must access each domain separately and add the user.
After you add a user to a domain, you can grant the user membership to other groups that are supported by the domain. To do this, select the appropriate Domain object in the user's Domain Access list, and choose Add. The NWADMIN utility displays the groups available for the Domain object you selected. You can then choose the appropriate group and select OK.
To delete a User object from a Domain object (and also delete all domain group memberships), select the domain in the User object's Domain Access list, and choose Delete. To delete a user from a domain group, select the group name in the user's Domain Access list, and press the Delete key.
Moving Users Between Domains
In the Windows NT world, domain administrators often complain about the difficulty of moving users from one domain to another. There really isn't a simple way to move a user from one domain to another. To move a user between domains, you usually have to perform several steps:
Find out all the file and print shares the user has access to.
Document which groups the user belongs to.
Delete the user's account from the old domain.
Create a new account for the user in the new domain.
Assign the user a new password.
Add the user to the groups that he or she needs membership to.
Reassign the file and print shares that the user needs.
After NDS for NT 2.0 is installed and the user information is stored in NDS, this process becomes much simpler. To use the NWADMIN utility to move a user between domains, you complete the following steps:
Select the user's Domain Access list, delete the old domain from the list, and add the new domain.
Drag-and-drop the NDS User object from the old NDS container object to the new container object.
Grant the User object rights to any new resources the user requires.
When you use the NWADMIN utility to move a User object between domains, you do not have to document anything. You merely perform the move, and all of the user's information is moved to the new location. This feature alone can save you hundreds of hours in management time, since user moves are common occurrences.
Windows NT Tools
Another time-saving feature NDS for NT 2.0 provides is the NT Tools property page. The NT Tools property page allows you to use Windows NT management tools (such as the Server Manager, User Manager, and Event Viewer utilities) directly within the NWADMIN utility.
NDS for NT 2.0 automatically sets up several Windows NT tools and their corresponding Help files. In addition, you can add other executable programs to this page. To add an executable program, select the Add button, and specify the directory path to the program. You can remove or edit the icons on this page by using the Delete or Properties button.
Managing Windows NT File Shares
NDS for NT 2.0 also includes the File and Folder Sharing Wizard (SHRPUBW.EXE), which is part of the NT Tools property page. This wizard allows you to manage Windows NT file shares from within the NWADMIN utility.
To manage Windows NT file shares, double-click the File and Folder Sharing Wizard icon in the NT Tools property page of the Domain object. You can then specify whether you would like to manage file shares on your workstation or on a different computer, and you can specify the drive and directory for which you want to manage file and folder access. You can then set the Windows NT permissions as desired.
With NDS for NT 2.0, Novell has created a solution that allows you to use a single directory service--NDS--to seamlessly manage both NetWare and Windows NT. With NDS for NT 2.0, you can create one user account for each user. This user account provides access to both NetWare and Windows NT services (such as file, print, and BackOffice services). If your company's network includes both NetWare and Windows NT servers, NDS for NT 2.0 will save you significant time in managing this mixed environment and reduce your company's network management costs.
Sandy Stevens is a freelance writer based in Salt Lake City, Utah. She is coauthor of Novell's Guide to Integrating NetWare and NT, Novell's Guide to BorderManager, and Novell's Guide to NetWare Printing, available from Novell Press.
* Originally published in Novell Connection Magazine
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.