Getting NAM to Work with AD Upgrade
Articles and Tips: qna
01 Jun 2002
Q.
I am currently trying to get Novell Account Manager (NAM) to work with my Windows NT servers, which I recently upgraded to Windows 2000, but with no luck. Any chance you know the steps to make this work?
Frustrated in Fontana
A.
Dear Frustrated: Michael Subasic, a Senior Technology Account Manager at Novell, Inc., recently worked through a lab exercise on this very subject. While his notes address a "Microsoft NT 4 with NAM upgrade to Windows 2000 AD with DirXML" question, they should contain pertinent information for your situation as well. Here's his report:
"I'm in a lab this week working on NAM with Active Directory, and you must first uninstall NAM, then upgrade to Windows 2000 AD, and only then install NAM for Windows 2000 (NAMw2k). To get the workstations moved over to AD, there should be a utility in the Windows 2000 Resource Kit, but I haven't had a chance to look at it yet. In the lab I've been doing it the manual way for the five workstations we are dealing with.
Some notes from the trenches....
Install Active Directory and get it working properly with DNS sites and DHCP if you are running it for SLP. Install Service Pack 2 or better on the Windows 2000 servers and Novell's Client 4.83.
Also create the various OUs in AD that you'll use to synchronize users into various parts of NDS. In my case, I've created OUs in AD called ADlondon, ADcalgary, etc. These will later be tied to eDirectory with corresponding geographic OUs called london, calgary, etc.
Install eDirectory 8.6.1 (there was no way to install 8.6.2 directly--you have to upgrade to it).
Now upgrade to eDirectory 8.6.2 and install ConsoleOne v1.3.3.
Download the DirXML patch file called DXNTP1.exe which you can get from http://support.novell.com/cgi-bin/search/searchtid.cgi?/2961207.htm.
In NDS services, run install, and only install the schema file in the DirXML Schema directory (if you don't, you'll get an error starting up XML, and you'll have to do it then!)
Now you can install NAMw2k. You can get the Novell Account Management for Windows 2000 v1.1 Update and install patch from the following location: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10068147.htm.
Plan your tree design before you do the installation; otherwise you'll end up with more partitions and replicas than you know what to do with. Keep in mind that any user that you want "synchronized" must be in a partition that must be on the Windows 2000 machine. This can make for some really interesting replicas in a large network.
You'll also need to install NICI 1.5.7 right after you do the NAM install or else your XML service won't start, and it doesn't give you a reason as to why....but NICI is the reason. You can download the NICI Crypto Upgrade Version 1.5.7 - Domestic file from http://support.novell.com/cgi-bin/search/searchtid.cgi?/2959570.htm and the International version from http://support.novell.com/cgi-bin/search/searchtid.cgi?/2959571.htm.
During the installation of NAM, it will offer to perform the user creations and associations. You can opt not to do it here and perform this later. If that's the case, you can run the entire installation again, or you can just run the DIRLINK.EXE utility from the /WINNT/SYSTEM32 directory.
Install password synchronization on one server at a time. If you blow this, you'll have to clean the registry as per the information found in the following TID: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10064788.htm.
You will then need to refer to the readme from the patch (amw2ksp1), which will point you deep within the directory structure to a SETUP.EXE that you run with /pwdsync as an option. This will trigger the password sync installer.
Now head over to your driverset in ConsoleOne, and set the synchronization interval to 0 so you can watch the sync process in real time.
Note: In a multi-site AD environment, the minimum synchronization interval is 15 minutes (this is not the default). Check all of your AD site to site connections to make sure they have been tuned down (at least for testing).
Only one Windows 2000 AD server should be a bridgehead server for each end of a link. This will reduce AD traffic significantly by only allowing the two servers to handle replication over the link instead of every DC in AD. Think of it as a Z4S proxy server.
This would also be a good time to increase your XML trace information that you'll want to see in DSTRACE. You can get this information from a Cool Solution tip found at http://www.novell.com/coolsolutions/dirxml/features/tips/t_dstrace_dirxml.html.
If you made it this far, everything should be working. You'll have an AD object representing the Active Directory "domain" in Novell eDirectory.
Now in ConsoleOne, go into the properties of each of the AD OUs you've created earlier and associate that context with a corresponding eDirectory OU. This tells the XML driver to place your AD-created users in the proper eDirectory OUs.
Now you can go to one of your eDirectory contexts, like calgary or london, and create eDirectory users. You'll be prompted to create them in the AD domain, and you'll have to select which OU to create them in every time (I haven't found a way to automate or template this, although I'm sure it's possible). If you choose to define additional properties, you can make the user a member of the various Active Directory groups they need membership in.
And if you create a user in AD via MMC in any of the "linked" OUs, they will appear where they are supposed to.
One final comment: eDirectory 8.6.2 rules! I've been partitioning, merging partitions into parents, as well as performing tons of eDirectory and partition activity. eDirectory 8.6.2 is fast, stable and robust. It's very impressive. All directory activity completes in mere minutes, even over a 64kb WAN link.
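Two of the notes above interact: every user you want synchronized must sit in an eDirectory partition that has a replica on the Windows 2000 server running NAM/DirXML, and each AD OU is linked to one eDirectory OU. Before touching the tree, it pays to check the planned OU links against the existing partition and replica layout. The following script is an added planning aid, not a Novell utility or anything from the report; the tree (o=acme), the partition roots, the server names (W2K1, NDS1, NDS-LON, NDS-CGY) and the OU links are all constructed for illustration. It resolves each linked eDirectory OU to the deepest partition root that contains it and reports the partitions that still need a replica on the NAM server.

```python
"""Added planning check (not a Novell tool): for each AD OU that will be
linked to an eDirectory OU, find the eDirectory partition holding that OU
and report the partitions that still need a replica on the Windows 2000
server running NAM/DirXML.  Tree, server and OU names are constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Partition:
    root: str                  # DN of the partition root container
    replica_hosts: frozenset   # servers that hold a replica of this partition


def dn_components(dn: str) -> list[str]:
    """Split a comma-separated DN into normalised components, leaf first."""
    return [part.strip().lower() for part in dn.split(",")]


def is_within(container: str, root: str) -> bool:
    """True if container is root itself or lies in the subtree below root
    (root's components must be a suffix of container's components)."""
    c, r = dn_components(container), dn_components(root)
    return len(c) >= len(r) and c[-len(r):] == r


def partition_for(container: str, partitions: list[Partition]) -> Partition:
    """The partition a container belongs to: the deepest partition root that
    contains it (a child partition boundary wins over its parent)."""
    holders = [p for p in partitions if is_within(container, p.root)]
    if not holders:
        raise ValueError(f"{container} is not under any known partition root")
    return max(holders, key=lambda p: len(dn_components(p.root)))


def missing_replicas(ou_links: dict[str, str], partitions: list[Partition],
                     nam_server: str) -> dict[str, str]:
    """Map each AD OU whose linked eDirectory OU lives in a partition with no
    replica on nam_server to that partition's root DN.  An empty dict means
    the replica layout already satisfies the NAM requirement."""
    needed: dict[str, str] = {}
    for ad_ou, edir_ou in ou_links.items():
        part = partition_for(edir_ou, partitions)
        if nam_server.lower() not in {h.lower() for h in part.replica_hosts}:
            needed[ad_ou] = part.root
    return needed


# Constructed sample tree: three partitions, replicas spread over four servers.
PARTITIONS = [
    Partition("o=acme", frozenset({"NDS1", "W2K1"})),
    Partition("ou=london,o=acme", frozenset({"NDS-LON"})),
    Partition("ou=calgary,o=acme", frozenset({"NDS-CGY", "W2K1"})),
]

# Constructed AD OU -> eDirectory OU links, following the ADlondon/london pattern.
OU_LINKS = {
    "ADlondon": "ou=london,o=acme",
    "ADcalgary": "ou=calgary,o=acme",
    "ADhq": "ou=hq,o=acme",       # not a partition root; falls under o=acme
}

NAM_SERVER = "W2K1"   # constructed name of the Windows 2000 server running NAM


if __name__ == "__main__":
    for ad_ou, root in missing_replicas(OU_LINKS, PARTITIONS, NAM_SERVER).items():
        print(f"{ad_ou}: add a replica of partition {root} to {NAM_SERVER}")
```

With the constructed layout, only the london link is flagged: ou=london,o=acme is its own partition and is replicated only on NDS-LON, so W2K1 would need a replica of it before users in that OU could synchronize. The calgary partition already has a replica on W2K1, and ou=hq falls into the o=acme root partition, which does too. Running the same check against every candidate NAM server before installation is the cheap way to avoid the "more partitions and replicas than you know what to do with" situation the report warns about.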
* Originally published in Novell AppNotes
Disclaimer
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.