In a perfectly networked world, you’d never have to deal with more than one network operating system at a time. Unfortunately, that’s not usually the case. Your network can consist of Windows 2000 and Windows NT as well as other operating systems such as UNIX and NetWare.
As the network administrator, it’s your job to get them to all play together nicely. If you’re in a mixed Windows 2000/NetWare environment, Microsoft has included Gateway Services For NetWare to help make the job easier. In this Daily Drill Down, I’ll show you how it works.
Gateway Services For NetWare connects users through the Windows 2000 server
Gateway Services For Netware can bridge your NetWare and Windows 2000 networks to make them appear as one unit to your users. Users can log in to your Windows 2000 server and connect to NetWare volumes through shares created on your Windows 2000 server.
Your users would never actually connect to the NetWare server. Instead, the Windows 2000 server connects to the NetWare server. You create shares on the Windows 2000 server that reflect shared volumes on the NetWare server. Users then map drives to the reflected shares, thereby accessing files that live on the NetWare server.
Microsoft has included Gateway Services For NetWare since Windows NT 4.0. Microsoft’s main goal for Gateway Services was to make it easier for network administrators to migrate away from NetWare. With Gateway Services, your users connect to your Windows server, and you slowly move the data off your NetWare server, ultimately negating the need for it entirely.
Although you may never retire your NetWare servers, using Gateway Services For NetWare can make your job much easier. First, you eliminate the need to run multiple clients on your workstations. Using Gateway Services for NetWare, you don’t need to run Microsoft’s Client For NetWare Networks or Novell’s Client on your workstations. All the client workstations need is the traditional Microsoft Client For Microsoft Networks.
Because users have only one client running and the Windows server is connected directly to the NetWare server, your users have to log in only once. They won't have to log in multiple times or remember multiple passwords.
Additionally, when you’re using Gateway Services, you don’t have to administer multiple user accounts for the same user. Rather than maintaining a user ID for each user in both Active Directory and NDS, you can simply create the user ID in Active Directory. In NDS, you need only a single account to manage access to the NetWare server. Your Windows 2000 server uses this account to connect to the NetWare server.
Finally, if you still use IPX as the primary transport on your NetWare servers, you can use Gateway Services For NetWare to eliminate IPX entirely. Your users can connect to the Windows 2000 server using TCP/IP, and then your Windows 2000 server can connect to the NetWare server using IPX. This eliminates duplicate protocol traffic on your network, and it can improve response times.
Gateway Services For NetWare is by no means a perfect solution. It has drawbacks as well as benefits. One of the main drawbacks is the fact that you’re funneling access to one server through another server. Your users won’t have the same response rates from the NetWare server that they were used to because the traffic must first go through the Windows 2000 server.
The performance problem can be exacerbated if you have only one Windows 2000 server acting as a gateway to multiple NetWare servers. Your Windows 2000 server might become overburdened if it's serving as a gateway while also doing other duties such as sharing its own files or acting as a Web server.
Preparing your NetWare server
Gateway Services will work with NetWare 3.x’s bindery as well as NetWare 4.x, 5.x, and 6.0’s NDS. For our purposes, I’ll focus on making the connection to a NetWare server running NDS.
You don’t need to do much to prepare your NetWare server to communicate with Gateway Services. To allow Gateway Services to access the NetWare server, you’ll need to create one user ID and one group.
The NTGATEWAY group is mandatory, so we’ll focus on it first. This group must exist on your NetWare server, and the user ID that your Windows 2000 server uses to access NetWare must be a member of this group. If neither of these two conditions exists, you can’t use Gateway Services For NetWare.
To create a group in NDS, you can use NetWare Administrator or ConsoleOne. We’ll focus on using NetWare Administrator. Select a container in your NDS tree to store the group object in. Select Create from the Object menu. When the New Object window appears, select Group and click OK.
You’ll then see the Create Group window appear. Enter the NTGATEWAY in the Group Name field. Click the Define Additional Properties For The User checkbox and click OK.
When the Properties notebook for the group appears, you can then select any additional properties you want to define for the group object. On the Identification tab, you may want to enter information about the Windows 2000 server’s location, for example.
Unfortunately NDS doesn’t allow nested groups, so you can’t grant the NTGATEWAY rights to files and directories by making it a member of preexisting groups. If there are special rights to files you want to grant to the NTGATEWAY group, you can set them by clicking the Rights To Files And Directories tab. On the Rights To Files And Directories screen, you can set file system rights to specific NetWare volumes, directories, and files. When you’re all done, click OK to save your changes.
You’ll then need a user ID that’s a member of the NTGATEWAY group. The user ID is any NetWare user ID used by the Windows 2000 server to access the NetWare server. To ensure that your Windows 2000 server has full access to resources on the NetWare server, you can use the Admin user or a preexisting user with administrator rights. However, from a security standpoint, it’s probably a better idea to create a user especially for the Windows 2000 server with only those rights you want to grant to users who will be using the gateway.
To create a user in NDS, you can use NetWare Administrator or ConsoleOne. Select a container in your NDS tree to store the user object in. Select Create from the Object menu. When the New Object window appears, select User and click OK.
You’ll then see the Create User window appear. Enter the login ID for your Windows 2000 server in the Login Name field. In the Last Name field, enter the name of the Windows 2000 server running Gateway Services. This will make it easy to identify which user object belongs to the Windows 2000 server. Don’t worry about creating a home directory for the user ID. Click the Define Additional Properties For The User checkbox and click OK.
When the Properties notebook for the user appears, you can select any additional properties you want to define for the user object. For example, on the Identification tab, you may want to enter information about the Windows 2000 server’s location.
One thing you definitely should do is click the Password Restrictions tab and enter a password for the Windows 2000 user object. When the Password Restrictions screen appears, select Require A Password. Click Change Password and enter a password for the User object. You should deselect the Allow User To Change Password checkbox to prevent anyone at the Windows 2000 server from changing the NetWare password of the object.
After you enter a password for the Windows 2000 user object, you should click the Group Membership tab. This will list the groups that the user object belongs to. At a minimum you should click Add and then add the NTGATEWAY group. This will make the Windows 2000 user object a member of the group that enables Gateway Services on the Windows 2000 server itself. You may also want to add group membership to any regular user groups you've defined on your server. This will ensure that the users connecting through Gateway Services will have proper rights.
If there are special rights to files you want to grant outside of a group membership, you can set them by clicking the Rights To Files And Directories tab. On the Rights To Files And Directories screen, you can set file system rights to specific NetWare volumes, directories, and files. When you’re all done, click OK to save your changes.
Configuring Gateway Service For NetWare on your Windows 2000 server
After you’ve added the user ID and group on your NetWare server, you can configure Gateway Services on your Windows 2000 server. Log in to your server as Administrator, right-click My Network Places, and select Properties. When the Network And Dialup Connections window appears, right-click Local Area Connection and select Properties again. If you have two network cards in your server, one going to your main network and one dedicated to connecting to your NetWare servers, select the connection to the NetWare servers.
When the Local Area Connection Properties window appears, click Install. You’ll then see the Select Network Component Type screen. Here, select Client and click Add. The Select Network Client screen will appear. You have only one choice on this screen, Gateway (And Client) Services For NetWare, so select it and click OK.
After Windows 2000 copies the Gateway Services files to your server, you’ll see the Select NetWare Logon screen shown in Figure A. As you can see, you can choose to log in to an individual server or to the NDS tree. Unless you’re connecting to a NetWare 3.x server, select Default Tree And Context. Enter the NDS tree information in the Tree and Context fields that point to your server’s user ID. If the password you logged in to your server differs from the password you use to connect to the NDS tree, Windows 2000 will prompt you to enter the correct password for the tree.
|Enter information necessary to connect to your NDS tree.|
At this point, Windows 2000 will prompt you to shut down and restart your server. You’ll need to do so to make the NetWare client you just added take effect. Your server will restart as normal, although it may again prompt you to enter a password for your NetWare server.
When the server restarts, you must configure the Gateway service. Even though you just added the Gateway And Client service, Windows only enables the client portion. You must manually configure the Gateway service.
To do so, click Start | Settings | Control Panel | GSNW. You’ll then see the Gateway Service For NetWare window appear as shown in Figure B. As you can see, this screen is very similar to the client screen in Figure A. It shows the current tree and context you’re logged in to along with print and login script options.
|You must configure the Gateway Service from Control Panel.|
To start the gateway, click Gateway. You’ll then see the Configure Gateway screen shown in Figure C. On this screen you’ll enter the information necessary to create the gateway shares and to access the NetWare server.
|Click Enable Gateway to turn on the gateway.|
Begin by clicking Enable Gateway. In the Gateway Account field, enter the name of the user account you created in the previous section. Enter the password for the gateway account in the Password field. This account can be entirely different from the account you used to start your server. The gateway account only accesses the NetWare server.
Next, you’ll need to create a share that points to the volumes on the NetWare server you want to access. This share is what your users will connect to from their workstations. It lives on your server just like any other share you would create to reflect files and directories that exist on the server.
To do so, click Add. You’ll see the New Share window appear as shown in Figure D. Enter the name of the share that your users will see in the Share Name field. To make it easy, you may want to create a share name that reflects the name of the NetWare volume you’re mapping to.
|You must create a Windows 2000 share that points to the NetWare volume you want users to access.|
In the Network Path field, enter the directory path that points to the directory you want to share on the NetWare server in the form \\server\volume\directory, where server is the name of your server, volume is the volume where the directory resides, and directory is the name of the directory the share is pointing to. If you want the share to reflect an entire volume rather than a specific directory, just omit \directory. For the share to work properly, your gateway account must have rights to the specified NetWare volume and directory.
You can use the Comment field to enter further information about the share. This field is purely optional.
Select a drive letter from the Use Drive drop-down list box. This drive will appear in My Computer on your server and is a placeholder for the share. You can use any available drive letter, but if you’re migrating users from NetWare, you may want to mirror the original NetWare drive mappings to these folders. This will keep you from becoming confused when you ultimately map drives for users.
The User Limit box controls how many users can simultaneously access the share. The default value is Unlimited, which means theoretically you can exceed the number of licensed connections on your NetWare server by pumping users through the gateway. Where NetWare limits connections based on the number of licenses you purchase, Windows 2000 won’t. Because users are going through the Windows 2000 machine, the NetWare server thinks that only one user is connected, even if 1,000 users are actually attached using the gateway. To avoid violating your NetWare license, you should click the Allow radio button and set the Users value equal to your NetWare server’s connection limit.
When you’re done, click OK. The share will then appear in the Share Name box at the bottom of the Configure Gateway screen. You can then add additional shares that point to other NetWare servers, volumes, and directories. Each share will appear separately when you’re done.
By default, Windows 2000 gives complete permissions to the shares for everyone on the network. Chances are you’ll want to more heavily secure your gateway shares just as you would regular shares. To do so, select the NetWare share you want to secure and click Permissions. You’ll then see the Access Through Share Permissions screen shown in Figure E.
|Don’t forget to secure your gateway shares.|
Start by selecting Everyone and clicking Remove. This denies access to all users. Then click Add and add back any specific users or groups you want to assign rights to. At this point, granting permissions for the gateway shares works like any other shares you’ve ever created.
Share and share alike
When you’re all done creating and securing shares, click OK on the Configure Gateway screen. You can then close Control Panel and open My Computer. You’ll see the drive letter you chose along with the name of the share reflecting your NetWare volume. Users can also view and access the shares through My Network Places or Network Neighborhood just like regular shares.