Novell’s Directory Services for Windows: NDS for NT
Hands On Review
While Microsoft Corp. keeps plugging along with Windows 2000’s Active Directory, Novell Inc. is moving forward with a rival product, Novell Directory Services (NDS) for NT. Novell is shipping a second version of the product.
In our review of NDS for NT 2.0 we found a relatively stable product that simplifies administrative tasks, such as managing multiple domains. But for all its positives, NDS for NT 2.0 has some minor flaws.
To host the server software, we used a pair of IBM Netfinity 5500s, each with a single 400-MHz Pentium II processor, 128 MB of RAM and three 9-GB drives in a RAID 5 array. One server ran NetWare 5.0. The other ran Windows NT Server 4.0 with Service Pack 3 and Microsoft Exchange Server 5.5. NDS for NT was installed on the Windows NT Server, which was configured as a Primary Domain Controller.
Also residing on the test network were HP Kayak and Dell 2200 workstations. These were configured for TCP/IP protocol, while the servers supported both TCP/IP and IPX/SPX.
The first and simplest thing NDS for NT does is insert itself into the process through which applications on a Windows NT server access and use directory data. This technique, called redirection, replaces a single dynamic link library -- SAMSRV.DLL -- on the Primary Domain Controller and all Backup Domain Controllers for each Windows NT domain involved.
During installation, all of the user and group information for the Windows NT domain is copied to the NetWare server running NDS. Once that is accomplished, the replaced DLL takes any system call asking for information from the Windows NT domain database and directs that call to NDS.
Once the information about the Windows NT domain or domains is migrated into NDS, the administrator can see a more integrated view of the combined network. The administrator can use the newly installed administration utilities to manipulate the domain.
At this point, a major difference between the two systems becomes apparent: In NetWare, almost all system information for the overall network is handled through the directory. In Windows NT, only user and group information is handled at the domain level. As a result, only user and group information for the Windows NT domain can be handled through Novell’s admin utilities. The administrator may now abandon Windows NT’s User Manager For Domains utility, but is still forced to use Windows Explorer for directory privileges and "My Computer/Printers" to manage printers, for example.
Novell bundled some tools to address these problems, but had only limited success. The File and Folder Sharing Wizard helps the administrator set up new Windows NT shares on any server in the domain, but only three levels of access can be granted: Administrator has full control; Everyone has full control; or Administrator has full control and Everyone has read-only. If any other set of rights is needed on the share, the administrator must use Explorer or Server Manager. This was especially surprising in light of the degree of flexibility with which access rights can be defined in NetWare.
Another add-in is a tool for managing Exchange Server mailboxes. This worked well. We defined the mailbox characteristics for each user from the NetWare admin utility. We found, though, that the utility is geared to Exchange 5.0, rather than 5.5. Thus, it lacks some of the configuration options for newer aspects, such as mail protocols.
A more serious flaw, in our opinion, was that configuring mailbox information through the Exchange pages in the NetWare admin tool does not carry over to the directory entry for that user’s e-mail address in the NDS directory.
NDS on NT
During the installation, the administrator is given the option to create a replica of the NDS directory on the Windows NT server. If this option is selected, the directory is replicated to the Windows NT server, and a new service is activated under Windows NT. The additional service permits Windows NT server to answer NDS queries without having to pass them back to the master NetWare server.
This is where we hit our only major difficulty in working with NDS for NT. In three separate attempts, we were unable to successfully complete an NDS replica on our NT server. Working with Novell’s engineers, we traced the cause to an earlier installation of a beta copy of the product. Reinstalling the NDS service on our NetWare server corrected the problem, and we were able to install the NDS replica on our Windows NT server.
Creating the local replica took a few minutes. A simple wizard program detected that there was not a local replica and offered to create one. We specified a local directory for the files, and our work was finished. The two servers, however, spent about 20 minutes synchronizing the initial databases. Once this was accomplished, we noted no functional difference in our systems -- exactly what we hoped for. The local NDS replica on Windows NT began answering queries for the domain, cutting our network traffic between Windows NT and NetWare to a minimum.
One obvious environment where NDS for NT can be useful is a network with both NetWare and Windows NT servers. NDS for NT provides the simple but important advantage of a single login for both environments, which keeps the security and authentication information for a user consistent between Windows NT and NetWare. This, with the ability to manage user and group information from a single administrative utility, will make NDS for NT attractive to seasoned NetWare administrators.
NDS for NT also has potential in an environment with multiple Windows NT domains. But for the Windows NT administrator who is not familiar with NetWare concepts, that potential may be hidden at first. For example, NDS for NT will come as welcome relief to anyone who has struggled with setting up trust relationships among Windows NT domains in a large organization.
The reason for this is simple: In a Windows NT multidomain environment, when a user in Domain A needs access to a resource in Domain B, that access must be granted by the administrator in Domain B. For the administrator to do so, a trust relationship must exist between the two domains. As the number of domains increases, the number of trusts needed increases as well.
In the NDS for NT environment, each Windows NT domain has a trust relationship with the overriding NDS tree. Users may be moved from one domain to another or may be granted rights to cross the lines between domains because everyone is looking to the NDS directory for final approval.
NDS for NT vs. AD
Windows NT 4.0 environments rely on separate directories for a variety of information types. The User Manager application manipulates information about users and their characteristics, while the Windows Explorer and Disk Administrator utilities manage disk resources. Separate applications, such as Microsoft Exchange Server, may maintain separate directories of information, though that information is redundant. Even when information is stored in the same repository, there is not a consistent means of ensuring that both sets of data are in sync.
By contrast, in NetWare environments NDS provides a single repository with consistent means of manipulation for information on a wide variety of network resources, including users, hardware, applications and storage devices.
Looking to the future, the puzzling issue is whether to adopt NDS for NT now or wait for the release of Active Directory. This assumes that NDS for NT and Active Directory do the same things. Although it is possible to draw comparisons between native NDS as it exists and Active Directory as it may exist in Windows 2000, NDS for NT is altogether something different. It is a method for bringing some of the benefits of the NDS environment to the Windows NT 4.0 environment.
Active Directory -- if delivered as promised by Microsoft Corp. -- will provide directory services for Windows 2000 far more effectively than NDS for NT does for Windows NT 4.0. This, however, is a reflection on the state of Windows NT, not the model and plan of NDS for NT. Windows NT 4.0 and the common applications used with it simply were not developed with comprehensive directory services in mind.
Novell announced its commitment to release an update to NDS for NT that will connect information in Active Directory into NDS in much the same way the current product does for Windows NT 4.0 domains. Novell has not announced a timeline for this release, but said it will follow shortly after the release of Active Directory.
It is likely that networks that combine Windows NT and NetWare will continue to grow for the foreseeable future. As Windows NT moves to become Windows 2000 and Active Directory replaces the existing Windows NT domain directory, interest in directory-based applications will increase. But Active Directory is not here, and though there has been talk of Microsoft repositioning it as a meta-directory, it cannot be expected to include cross-environment management between Windows and NetWare environments.
It is even less likely that Microsoft will fold operating systems such as Solaris into a heterogeneous environment, which is what Novell has done with NDS. NDS for NT 2.0 looks to be a viable path for beginning such integration.
NDS for NT 2.0
Price: NDS for NT 2.0 has two licensing components: a server license and a per-user connection license.
The licenses can be purchased for $26 per user and $695 per Windows NT replica/server. A server license is required to place an NDS replica on an NT server.
Customers using NDS for NT 2.0 to redirect Windows NT domains to NDS on NetWare servers do not require a server license.
User licenses are always required.
+ Management of user and group information from single administrative utility
+ Eases setup of trust relationships among several Windows NT domains
- Supports Exchange 5.0, but not 5.5. Thus it lacks configuration options for 5.5
- Mailbox configurations through Exchange pages in NetWare admin tool do not carry over to NDS directory