
NDS 8: Rev Up Your Directory Tree


Sandy Stevens

01 Apr 1999


Do you want to save your company thousands of dollars in network management costs? This is not a rhetorical question. You can actually save your company thousands of dollars by consolidating your network databases into a single directory--Novell Directory Services (NDS).

Over the years, Novell has evolved NDS into a solution that enables you to manage your entire enterprise network--including users, groups, printers, applications, workstations, proxy servers, firewalls, bridges, routers, and more--from a central location. The next generation of NDS, called NDS 8, provides a highly scalable, standards-based solution that makes NDS the only directory you need for enterprise networks, extranets, and the Internet. NDS 8 for the NetWare platform, which is currently in beta testing, is available for downloading from http://support.novell.com/beta/public. (NDS 8 cross-platform support will be available in the near future.)

WHAT IS NDS 8?

NDS 8 delivers the reliability, manageability, and security of earlier versions of NDS and provides the following additional benefits:

  • Unlimited scalability

  • Standards-based, native Lightweight Directory Access Protocol (LDAP) 3

  • Directory importing and exporting capabilities based on LDAP Data Interchange Format (LDIF) 1

  • New and improved ConsoleOne management tool

  • Internet-ready security

Unlimited Scalability

NDS 8 incorporates an underlying database that greatly improves the performance and scalability of NDS, enabling you to store at least one billion (possibly more) objects in one directory tree. As a result, NDS 8 supports millions more objects than competing directories do.

As Novell demonstrated at BrainShare '99 in Salt Lake City, NDS 8 provides scalable performance, regardless of how many objects the directory tree contains and how quickly objects are added to the directory tree. During a BrainShare '99 general session, millions of network objects were added to a directory tree until the tree contained one billion users. As the objects were being added to the directory tree, NDS 8 performed search queries with consistent speed. With other directories, the time it takes to perform search queries increases in direct proportion to the number of objects stored in the directory tree.

One billion objects in a single directory tree may seem unreal or even unnecessary. However, current business trends show that an increasing number of companies are using the Internet to connect their employees to customers, partners, suppliers, and so on. To connect these virtual business communities, known as extranets, companies require a massively scalable directory such as NDS 8. Because NDS 8 supports a virtually unlimited number of objects, NDS 8 is also a viable directory for Internet service providers (ISPs), telephone companies, and other large enterprises that support thousands or even millions of customers.

Native LDAP 3

Because NDS 8 includes native LDAP 3, NDS 8 can interoperate with LDAP-based directories and applications. Although earlier versions of NDS supported LDAP, this support was provided via an LDAP gateway that you had to install separately. Because LDAP is native in NDS 8, you do not have to separately install an LDAP gateway.

NDS 8 also supports auxiliary classes as defined by the LDAP specification. Auxiliary classes enable you to extend the attributes, or properties, of a single object without having to extend the base class from which the object was derived. For example, suppose that you want to add a new attribute to the Debi User object. To add the new attribute in earlier versions of NDS, you would have to add the attribute to the base class for User objects. You would then add the attribute to all User objects in the directory tree.

With auxiliary class support in NDS 8, however, you can add an attribute to only the Debi User object. You do not have to change the base class for User objects. Auxiliary classes in NDS 8 are dynamic: You can associate auxiliary classes with objects, or you can remove the attributes on the fly.

NDS 8 also supports additional naming attributes for User objects, which are defined in the LDAP 3 specification. In addition to the standard NDS cn= naming attribute, NDS 8 supports the following:

  • Unique Identifier (UID) naming

  • DNS naming support, dc=

These attributes for User objects increase the interoperability between NDS and LDAP-based directories. For example, these attributes enable the NDS tree structure to resemble the structure of other LDAP-accessible directories and enable you to perform LDAP queries on these attributes.

Directory Importing and Exporting Capabilities

To help you build directory trees that contain millions or even billions of objects, NDS 8 supports LDIF 1, an emerging Internet standard that is currently in draft form before the Internet Engineering Task Force (IETF). LDIF 1 describes a file format for importing and exporting directory information between LDAP-based directory servers.

NDS 8 includes the BULKLOAD utility, which enables you to use LDIF files to add, delete, or modify objects in your directory tree. You can create LDIF files in the following ways:

  • Manually create an ASCII file in LDIF format.

  • Use an LDIF-generation utility to generate an LDIF file.

  • Export directory information from an LDAP-based directory.
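
An added example, not from the original article or from Novell: a small Python generator for LDIF change records of the three kinds the article says BULKLOAD handles (add, modify, delete), including a modify record that attaches an auxiliary class to the Debi User object alone. The DNs, the exampleBadgeHolder class and its exampleBadgeNumber attribute are hypothetical; values that are not plain safe ASCII are base64-encoded so that a line break in exported data cannot be read as the start of another attribute line.

```python
import base64
import re

# Attribute descriptions: a letter, then letters/digits/hyphens, plus ";option"s.
_ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*")

def needs_base64(raw: bytes) -> bool:
    """True when a value is not an LDIF SAFE-STRING and must be base64-encoded."""
    if not raw:
        return False
    if raw[:1] in (b" ", b":", b"<") or raw[-1:] == b" ":
        return True
    return any(b > 127 or b in (0, 10, 13) for b in raw)

def fold(line: str, width: int = 76) -> str:
    """Fold a long line; each continuation line begins with a single space."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)

def attr_line(name: str, value: str) -> str:
    """Render 'name: value', switching to 'name:: base64' when required."""
    if not _ATTR_NAME.fullmatch(name):
        raise ValueError(f"illegal attribute name: {name!r}")
    raw = value.encode("utf-8")
    if needs_base64(raw):
        return fold(f"{name}:: {base64.b64encode(raw).decode('ascii')}")
    return fold(f"{name}: {value}")

def add_record(dn, attrs):
    """changetype: add -- create an entry from (name, value) pairs."""
    body = [attr_line("dn", dn), "changetype: add"]
    body += [attr_line(n, v) for n, v in attrs]
    return "\n".join(body) + "\n"

def modify_add_record(dn, additions):
    """changetype: modify -- add values to one existing entry only."""
    body = [attr_line("dn", dn), "changetype: modify"]
    for name, value in additions:
        body += [f"add: {name}", attr_line(name, value), "-"]
    return "\n".join(body) + "\n"

def delete_record(dn):
    """changetype: delete -- remove one entry."""
    return "\n".join([attr_line("dn", dn), "changetype: delete"]) + "\n"

def build_ldif(records):
    """LDIF 1 file: version line, then records separated by blank lines."""
    return "version: 1\n\n" + "\n".join(records)

def sample_ldif():
    # Constructed sample data; the tree layout and names are made up.
    debi = "cn=Debi,ou=Sales,o=ExampleCorp"
    return build_ldif([
        add_record(debi, [
            ("objectClass", "inetOrgPerson"),
            ("cn", "Debi"),
            ("sn", "Núñez"),                            # non-ASCII -> base64
            ("uid", "debi"),
            ("description", "Sales lead\nBuilding 4"),  # line break -> base64
        ]),
        # Hypothetical auxiliary class and attribute, attached to Debi alone.
        modify_add_record(debi, [
            ("objectClass", "exampleBadgeHolder"),
            ("exampleBadgeNumber", "004217"),
        ]),
        delete_record("cn=Temp01,ou=Sales,o=ExampleCorp"),
    ])

if __name__ == "__main__":
    print(sample_ldif(), end="")
```

Review the generated file before loading it; whether a given import utility accepts every LDIF construct used here is an assumption to check against that utility's documentation.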

New and Improved ConsoleOne

Now that your company's directory tree contains millions of objects, how do you manage it? NDS 8 includes ConsoleOne 1.2, an entirely new and significantly improved client-side management tool. If you have used ConsoleOne in NetWare 5, the first thing you will notice about the new version of ConsoleOne is that its performance has been improved significantly. In addition, the features provided by ConsoleOne 1.2 are on par with the features provided by the NetWare Administrator (NWADMIN) utility.

Although you can still use the NWADMIN utility to manage an NDS 8 tree, Novell recommends that you use ConsoleOne 1.2. Novell makes this recommendation because ConsoleOne 1.2 can effectively gather and display the contents of large container objects. When you browse a container object that contains thousands of objects, ConsoleOne 1.2 retrieves and displays the contents of the object one page at a time. The NWADMIN utility, on the other hand, gathers all of the contents of the container object before displaying the information. As a result, using the NWADMIN utility to browse large directory trees can be quite cumbersome.

You should also consider using ConsoleOne 1.2 because Novell has announced that ConsoleOne is its management strategy for the future. In addition, ConsoleOne 1.2 supports a snap-in architecture that enables new features and functionality to be added to the management console. As your company's network expands and you need to manage diverse hardware and software or third-party network components and systems, new capabilities can be added to ConsoleOne 1.2, enabling you to manage the components.

As a pure Java application, ConsoleOne is a cross-platform solution and is easily extensible to the web. In fact, Novell has indicated that the next release of ConsoleOne will snap into the web.

If these reasons don't convince you to use ConsoleOne 1.2, the new feature set will. These features include the following:

  • Enhanced Search Capabilities. ConsoleOne 1.2 allows you to use complex search queries. For example, you can search for objects that have Supervisor rights to the [Root] of the directory tree.

  • Manage All NDS Objects. ConsoleOne 1.2 provides all of the object management capabilities found in the NWADMIN utility. You can create, move, rename, delete, and modify all objects in the tree. You can also modify attributes of multiple objects simultaneously.

  • Simplified Rights Management. ConsoleOne 1.2 enables you to manage all object and property rights as well as file system rights and attributes.

  • Schema Extension Capabilities. You can use ConsoleOne 1.2 to extend the NDS schema to accommodate new types of objects and properties in the directory tree.

  • LDAP Management. You can use ConsoleOne 1.2 to configure LDAP services, to manage LDAP mappings, and to control LDAP access to the directory tree.

Internet-Ready Security

When you create an extranet, you must connect outside, authorized individuals--such as customers, partners, and suppliers--to resources on your company's protected network. The directory that you use to connect these users must provide a high level of security and access control. Can you think of a directory that provides better security and access control than NDS? Probably not.

NDS has always offered authentication services that are highly secure. NDS 8 offers additional security features that help ensure a secure environment as your private network extends to support e-commerce, extranets, and the Internet. These features include the following:

  • Full integration of Secure Sockets Layer (SSL) to provide secure Internet access

  • Enhanced support for public key infrastructures (PKI) and cryptography

  • Support for X.509v3 certificates and smart cards

COMPATIBILITY IS NOT AN ISSUE

If you have installed NDS updates before, I am happy to tell you that compatibility is not an issue with NDS 8. The NDS versions that are required to run a mixed NetWare 4 and NetWare 5 tree (NDS 5.17 or higher) are the same versions required for NDS 8. If your directory tree is NetWare 5 compatible, you can install NDS 8, and it will perform seamlessly.

However, you should be aware of a few caveats: First, if a replica ring includes multiple versions of NDS, the features offered will be limited to the lowest common denominator in the replica ring. (A replica ring includes all of the servers that hold copies of a given partition.)

For example, if some servers in a replica ring are running NDS 5.17 or 6.02 and you add a server that is running NDS 8, the replica ring will be bound by the limitations of the earlier versions of NDS. In short, if you want to fully leverage the enhancements in NDS 8, all of the servers in a replica ring should be running NDS 8.

Second, if some servers in the directory tree will continue to run a previous version of NDS, you must run an updated version of the DSREPAIR utility on one of these servers to ensure schema compatibility with NDS 8.

INSTALLING NDS 8 STEP-BY-STEP

To install NDS 8, you must complete the following steps:

  1. Download the current release of NDS 8, NetWare Support Pack 2, the updated DSREPAIR utility, and Novell International Cryptography Infrastructure (NICI) 1.2 for NetWare 5.

  2. To ensure schema compatibility in the directory tree, run the updated DSREPAIR utility on servers that you will not upgrade to NDS 8.

  3. Install NetWare 5 Support Pack 2.

  4. Install NICI 1.2 if you plan to use this security cryptography service.

  5. Install NDS 8.

  6. Install ConsoleOne 1.2.

Downloading the Files You Need

Before installing NDS 8, you will need to download the following:

  • NDS 8. NDS 8 includes DS.NLM, DSLOADER.NLM, DSI.NLM, NLDAP.NLM, ConsoleOne 1.2, and the NWADMIN utility. As this article goes to press, NDS 8 is in open beta. You can download NDS 8 from Novell's Beta Program web site (http://support.novell.com/beta/public). After the beta testing is completed, you will be able to download the final version of NDS 8 from Novell's Software Downloads web site (http://www.novell.com/download).

  • Updated DSREPAIR Utility. You can download the updated DSREPAIR utility from Novell's Beta Program web site (http://support.novell.com/beta/public). After the beta testing is completed, you will be able to download the final version of the DSREPAIR utility from Novell's Software Downloads web site (http://www.novell.com/download). Updated versions of the DSREPAIR utility are provided for NetWare 4.10, NetWare 4.11, and NetWare 5. If some servers in the directory tree will continue to run previous versions of NDS, you must run the DSREPAIR utility on one of these servers to extend the schema.

  • NetWare 5 Support Pack 2. You must install this support pack on NetWare 5 servers that will run NDS 8. As this article goes to press, NetWare 5 Support Pack 2 is also in open beta. You can download this support pack from Novell's Beta Program web site (http://support.novell.com/beta/public). After the beta testing is completed, you can download the support pack from Novell's Support Connection web site (http://support.novell.com/misc/patlst.htm).

  • NICI 1.2 for NetWare 5. If you plan to use NICI, you must install NICI 1.2, which contains updates that make NICI compatible with NDS 8. You can download NICI 1.2 from http://www.novell.com/products/cryptography.

Installing and Running the DSREPAIR Utility

If the directory tree contains NetWare 4.10, NetWare 4.11, or NetWare 5 servers that will not be upgraded to NDS 8, you must run the DSREPAIR utility on one of the servers that contains a replica of the [Root] partition. For example, if a replica of the [Root] partition is stored on a NetWare 4 server and a NetWare 5 server, you should run the DSREPAIR utility on one server or on the other, but not on both.

The server on which you run the DSREPAIR utility will then propagate the schema changes to all of the other servers in the directory tree. You must complete this step before installing NDS 8.

To ensure that the servers running previous versions of NDS are compatible with NDS 8, complete the following steps:

  1. Double-click the 4X5XREP.EXE file in Windows or type the filename at a DOS prompt. After the file is expanded, you will see a NetWare 4.x and a NetWare 5 DSREPAIR directory.

  2. Copy the appropriate DSREPAIR.NLM to a server that contains a replica of the [Root] partition of the directory tree. For example, if you will be running the DSREPAIR utility on a NetWare 5 server that contains a replica of the [Root] partition, use the DSREPAIR NLM in the NetWare 5 directory.

  3. Load the DSREPAIR NLM at the server console.

  4. Select the Advanced Options menu.

  5. Select the Global Schema Operations option.

  6. You are prompted to authenticate to the directory tree. Enter the login name and password for ADMIN or a user with equivalent rights.

  7. Select Post NetWare 5 Schema Update. The NDS schema is then updated.

Installing NetWare 5 Support Pack 2

NetWare 5 Support Pack 2 provides updates to services included with NetWare 5, related protocols, and the NetWare 5 operating system itself. When you install the support pack, the installation program checks the version and the date of each file copied to the server. Newer files are not overwritten.

You must complete the following steps before installing NetWare 5 Support Pack 2 on the NetWare 5 server:

  1. Unload the JAVA.NLM and all Java applications on the NetWare 5 server. The JAVA.NLM and the Java class libraries can then be updated.

  2. If you are running an IP-only environment, load IPXSPX.NLM. This NLM is required to successfully install NetWare 5 Support Pack 2.

  3. Record current SET parameter values on the NetWare 5 server. NetWare 5 Support Pack 2 resolves a problem with the registry. This fix resets all SET parameters to the NetWare 5 default values. To record modified SET parameters, complete the following steps at the server console:

    a. Load the CONLOG NLM.

    b. Type Display Modified Environment. The information displayed on the screen is saved in the SYS:\ETC\CONSOLE.LOG file. You can use this file to reset the SET parameters after NetWare 5 Support Pack 2 is installed.

    c. Unload the CONLOG NLM.

After you have completed these steps, you can install NetWare 5 Support Pack 2 by completing the following steps:

  1. Double-click the NW5SP2.EXE file in Windows or type the filename at a DOS prompt.

    Note: Because the NW5SP2.EXE file contains directory path names that exceed the DOS 8.3 limits, you should extract this file in a root-level directory on your workstation hard drive or on a NetWare volume that accepts longer path names.

  2. Load NWCONFIG at the server console.

  3. Select Product Options.

  4. Select the Install a Product Not Listed option.

  5. Press the F3 key. Specify the directory path in which you expanded the files, and press the Enter key.

  6. Indicate the file groups you want to install. If you want to uninstall NetWare 5 Support Pack 2 at a later time, you should also select the option to back up files. The old files are then copied to SYS:\SYSTEM\BACKKSP2.

  7. Press the F10 key to accept the marked options. The installation program begins to copy files.

  8. After the files are copied, you should review the .NCF files for accuracy.

Restart the server by typing the following command at the server console:

RESTART SERVER

Installing NICI Updates

The NICI updates provide enhancements to the NICI Modules such as Novell PKI and Novell SSL. (For more information about NICI, see "With NICI It's All Holes Barred," NetWare Connection, Dec. 1998, pp. 8-20. You can download this article from http://www.nwconnection.com/dec.98/nicid8.) To install the NICI updates on the NetWare 5 server on which you plan to use NICI and LDAP, complete the following steps:

  1. Double-click the NICI-UO.EXE file in Windows or type the filename at a DOS prompt.

  2. Load NWCONFIG at the server console.

  3. Select Product Options.

  4. Select the Install a Product Not Listed option.

  5. Press the F3 key, and specify the directory path in which you expanded the files. If you expanded the files to a floppy diskette, press the Enter key.

  6. The Software License screen appears. Accept the License Agreement. The installation program begins to copy files.

  7. When the installation is completed, press the Enter key.

  8. Restart the server by typing the following command at the server console:

    RESTART SERVER
    

Installing NDS 8

After you have downloaded NDS 8, you must complete the following steps before installing it on a NetWare 5 server:

  1. Run the DSREPAIR utility as described in the "Installing and Running the DSREPAIR Utility" section.

  2. Close ConsoleOne and the DSREPAIR utility so that the files are properly updated.

  3. Mount all volumes. NDS 8 updates all trustee rights. If a volume is not mounted when NDS 8 is installed, the trustee assignments for that volume will be lost.

After you complete the above steps, install NDS 8 on a NetWare 5 server by completing the following steps:

  1. Double-click the NDS 8 file in Windows or type the filename at a DOS prompt.

  2. Load NWCONFIG at the server console.

  3. Select Product Options.

  4. Select the Install a Product Not Listed option.

  5. Press the F3 key. Specify the directory path in which you expanded the files, and press the Enter key.

  6. If you have not installed the updated NICI files, you are prompted to exit the installation program and install these files if you require ephemeral key support for SSL connections. If you do not require this support, press the Enter key to continue the installation.

  7. The Novell License Agreement page appears. Press Escape to continue. Then select the Accept License Agreement option.

  8. The NDS 8 README file is displayed. After reading the file, press the Escape key to continue. The installation program begins to copy the NDS 8 files.

  9. After the files are copied, the NetWare 5 server automatically reboots. The NDS 8 installation then automatically continues by updating the NDS schema.

  10. After the NDS schema has been updated, a message appears, telling you to ensure that all volumes are mounted so that the trustee assignments for those volumes are properly updated. If you have not already mounted all volumes, do so before continuing.

  11. Press the Enter key to continue. The installation program updates the trustee assignments.

  12. You are then prompted to authenticate to the directory tree with supervisory rights to the directory tree. Enter the login name and password for the ADMIN user or a user with equivalent rights.

  13. After the installation is completed, the installation log file is displayed. After you read the log file, press the Escape key to continue.

  14. When you are prompted to restart the server, select Yes.

After the installation is completed, you must complete the following tasks:

  1. Install the NWADMIN snap-in modules for Catalog Services and WAN Traffic Manager. Although the NDS 8 installation program copies updated versions of DSCAT.NLM and WTM.NLM, the installation program does not install the NWADMIN snap-in modules for managing these services. You must run the NetWare 5 installation program to install these snap-in modules. During the installation process, select No when you are prompted to overwrite the newer NLM files. Selecting Yes installs the old files over the newly installed files.

  2. Run the NDS Backlinker by typing the following command at the server console:

    SET DSTRACE=*b
    

The NDS 8 installation program changes the internal NDS identifiers. To ensure consistency, the backlinker process has to update backlinked objects. This process will run automatically after 50 minutes. Entering this SET command forces the backlinker process to run immediately and prevents inconsistent state objects.

Installing ConsoleOne 1.2

The ConsoleOne 1.2 installation program simply installs a few necessary .DLL files to your workstation and adds the ConsoleOne program icon to your Windows desktop. The 1.2 release of ConsoleOne is designed to run the ConsoleOne program files from a server directory. You cannot install the program files on your workstation.

At the time this article was written, you could not run ConsoleOne 1.2 at the server. According to Novell, however, Java 1.1.7, which is necessary to run ConsoleOne 1.2 at the server, will be available in the near future.

The NDS 8 installation process copies a new version of ConsoleOne to the NetWare 5 server. Before installing the ConsoleOne 1.2 .DLL files and program icon to your workstation, ensure that the workstation meets the following requirements:

  • A minimum of 64 MB of RAM and 64 MB of virtual memory swapper space

  • 200 MHz or greater processor

  • Windows NT, 98, or 95

  • The latest NetWare 5 client software

To install the ConsoleOne 1.2 .DLL files and program icon on a workstation, complete the following steps:

  1. Map a network drive to the SYS:PUBLIC\MGMT\CONSOLEONE\1.2\INSTALL directory.

  2. Run the SETUP.EXE file.

  3. Continue past the Welcome and License Agreement screens.

  4. Specify the program folder in which you want to add the ConsoleOne 1.2 icons.

  5. Verify the current installation settings and click Continue.

  6. When the installation is completed, restart the workstation.

Running ConsoleOne 1.2 for the first time can be a bit tricky. Although the installation program installed a program group and a shortcut on your desktop, the group and shortcut are not functional yet. Before running ConsoleOne 1.2, you must first map a drive to the ConsoleOne program on the server. ConsoleOne is located in the SYS:\PUBLIC\MGMT\CONSOLEONE\1.2\BIN directory. You must use the same drive letter that you used to map a drive during the installation process. For example, suppose that you created the following drive mapping during the installation of ConsoleOne 1.2:

G:=SYS:PUBLIC\MGMT\CONSOLEONE\1.2\INSTALL

You must then create the following drive mapping before you can run ConsoleOne 1.2:

G:=SYS:PUBLIC\MGMT\CONSOLEONE\1.2\BIN

After creating this drive mapping, you should be able to refresh your screen, and the ConsoleOne icon should appear in the shortcut on your desktop. You can then launch ConsoleOne by double-clicking the icon.

CONCLUSION

NDS 8 is a giant leap for Novell, making its enterprise directory an ideal solution for the Internet and e-commerce. By providing massive scalability, NDS 8 takes Novell's directory into new markets such as huge global organizations, ISPs, and telcos.

But even if your organization doesn't fall into one of these categories, NDS 8 will benefit your company. In addition to providing more scalability and faster search queries, NDS 8 can give your company a competitive edge. Because the Internet is changing how we do business, it's hard to foresee what the future of e-commerce will hold. With NDS 8, however, you can build a directory today that is scalable enough to meet the future needs of your company as it extends to the Internet.

Sandy Stevens is a freelance writer based in Salt Lake City, Utah. She is coauthor of Novell's Guide to Integrating NetWare and NT, Novell's Guide to BorderManager, and Novell's Guide to NetWare Printing, available from Novell Press.

* Originally published in Novell Connection Magazine

