When Microsoft first shipped Windows 2000, one of the “new” features it touted was Active Directory. With the Windows Server 2003, Microsoft is again saying how wonderful Active Directory is for network administrators who want to run directory services for their network.
What Microsoft seems to be ignoring is that longtime NetWare administrators have enjoyed a full-featured directory service for years in NDS and NetWare. In recent years, Novell has expanded NDS’s horizon, allowing it to run on operating systems other than NetWare. Now, with eDirectory 8.7, you can run a directory service that’s years ahead of Active Directory on almost every operating system on your network, including your Windows 2000 servers.
Not just for NetWare anymore
The latest incarnation of eDirectory 8.7 runs on NetWare, Windows, Linux, AIX, Tru64 UNIX, and Solaris. Together, these operating systems comprise a very large percentage of the installed base. This article will focus on the Windows 2000 eDirectory offering. For the purposes of this article, I will be installing eDirectory 8.7 on a Windows 2000 SP 3 server that also acts as an Active Directory domain controller. I will be installing this server into an existing NetWare 6 NDS tree named NDS-LAB. The name of the NetWare 6 server is NW6-NEW.
Why do you need eDirectory when you already have Active Directory?
If you’re using Active Directory, you might be asking yourself why you would want to use eDirectory instead. While some of the limitations of Active Directory will be resolved with the release of Windows 2003 Server, at the current time, Active Directory is not as mature as eDirectory. For example, eDirectory can handle updates to the directory much more efficiently than Active Directory can. In one example, changing trustee assignments using eDirectory took only a few seconds for tens of thousands of folders, while it took hours under Active Directory, during which time the CPU was fully occupied.
In addition, Active Directory containers are not true subdivisions of the tree but are rather used mainly for administrative purposes. This means, among other things, that all users in the tree must have unique names whereas names in eDirectory only have to be unique in the container they are housed in. Keep in mind that a directory can be used for more than keeping track of the users in your organization. Users, visitors to your Web site, software packages, licensing information, and much more can be stored in the directory.
By itself, eDirectory 8.7 does not fully promote interoperability with Active Directory. By that, I mean that it simply provides an additional directory service for your Windows 2000 server. Active Directory and eDirectory are still separate entities with their own administrative tools. eDirectory does not provide the synchronization services between the two databases. Other products, such as DirXML, handle directory synchronization.
Installing eDirectory 8.7 on Windows 2000
Novell is currently offering eDirectory 8.7 as a free download for all platforms. This free version supports up to 250,000 users. In addition, the offer includes 25,000 users for DirXML to aid in directory synchronization. To take advantage of this offer from Novell, go to its Web site.
eDirectory 8.7 requires a Windows 2000 server running at least Service Pack 2 and available space on an NTFS partition. To install eDirectory, either insert the eDirectory 8.7 CD or browse to the download location and run Setup from the NT directory. The first screen asks you to select which component you would like to install. For the purposes of this article, I’ll first install eDirectory and later on, the SLP Directory Agent and ConsoleOne. The first step of the installation process installs the Novell Client For Windows if it is not already installed on your server.
The second step of the installer begins the installation of eDirectory. The first thing that it looks for is a valid license, as shown in Figure A. If you purchased eDirectory, you should have a license disk. If you opted to take advantage of Novell’s free version of this product, you should have followed the step in the process to request license files. If you did so, your license files will show up in an e-mail message from Novell and must be copied to a directory named License on a floppy disk.
Figure A: You must first provide your license for eDirectory.
Once you get past the licensing screens and accept the license agreement, NICI (Novell International Cryptographic Infrastructure, the cryptography modules) will be installed. After the NICI install, you must reboot your server. When the server restarts, you will need to log on to the Windows server using a Novell administrator account. The installation of eDirectory will automatically resume.
The first choice to make is that of language. The version of eDirectory that I downloaded gives options of English or French. I chose the English option.
The next option, shown in Figure B, asks for a location in which to install eDirectory. The default location is C:\Novell\NDS. If you’re running low on space on your system volume, I would recommend installing eDirectory to a different drive.
Next, you’re asked if you wish to install eDirectory into an existing tree or if you would like to create a new tree. If you’re already running NDS on your network, whether it’s on a NetWare server or another Windows 2000 server, choose Install eDirectory Into Your Existing NDS Tree, as shown in Figure C. If you’ve never used NDS on your network before, choose Create A New eDirectory Tree. For the purposes of this article, I’ll connect to an existing NDS tree.
Since I chose to integrate my Windows 2000 server WIN2KSVR into an existing tree, the installer now asks for information about that tree as well as logon information. If you don’t know the name of your NDS tree, click the tree button to the right of the eDirectory Information window and browse the NDS tree. In Figure D below, you can see that I have chosen to install my new server into the NDS-LAB tree.
By default, Setup automatically names your server by taking its Windows name and appending -NDS to the end of it. So, for this example, Setup assigns a name of WIN2KSVR-NDS to Windows server named WIN2KSVR. You can change this default assignment by typing a new name in the New Server Object field.
Before continuing, you must provide a location for the server object to reside in NDS. I have chosen the Lab 1 organizational unit. Be sure to use fully qualified names on this screen. The installer is quite picky about domain naming, and it will not go on if you don’t enter it correctly. If you’re not 100-percent sure about the context, click the tree button and browse to the proper context in your NDS tree.
After verifying the NDS tree information, the installer asks you for two ports: one to use for clear text and one to use for SSL communication. By default, the installer wants to use ports 80 and 443 for these options. Unfortunately, if you’re also running a Web server on this machine, this is not an option. As such, I have changed these ports to 3080 and 3443, as seen in Figure E.
For certificate information, the next step, choose all of the defaults that allow the server to create its own certificate. You’ll then see the LDAP Ports screen shown in Figure F. As with the previous port selection, LDAP ports need to be chosen. As this is an Active Directory domain controller, the default ports of 389 for clear text and 636 for SSL/TLS are already in use by that service. Instead, I have chosen 3389 and 3636 for these services, respectively.
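As an added check (example code, not from the article or from Novell), the Python snippet below reads the output of `netstat -an` from the domain controller and flags planned eDirectory ports that collide with listeners already bound on the host or with the default ports of other Windows services. The netstat output and the well-known-port table are constructed assumptions; run against the port plan above, it flags 3389, which is also the default Terminal Services (RDP) port, so that choice only works where Terminal Services is not listening.

```python
"""Validate a planned eDirectory port assignment on a Windows 2000 DC.
Added example; the netstat text and port table below are constructed."""
import re

# Assumption: ports a typical Windows 2000 DC or common Windows services own.
WELL_KNOWN = {
    80: "IIS HTTP", 443: "IIS HTTPS", 389: "Active Directory LDAP",
    636: "Active Directory LDAPS", 3268: "Global Catalog LDAP",
    3269: "Global Catalog LDAPS", 3389: "Terminal Services (RDP)",
    88: "Kerberos", 53: "DNS",
}

# Constructed `netstat -an` output, as it would look on the DC in this article.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.108:139      192.168.1.50:1045      ESTABLISHED
"""

# Matches only TCP sockets in LISTENING state; captures the local port.
_LISTEN = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.M)

def listening_tcp_ports(netstat_text):
    """Return the set of TCP ports reported as LISTENING."""
    return {int(p) for p in _LISTEN.findall(netstat_text)}

def check_port_plan(plan, netstat_text):
    """plan maps a role (http, https, ldap, ldaps) to a port.
    Returns {role: [reasons]} for every role whose port is a problem."""
    bound = listening_tcp_ports(netstat_text)
    problems, seen = {}, {}
    for role, port in plan.items():
        reasons = []
        if port in bound:
            reasons.append("already listening on this host")
        if port in WELL_KNOWN:
            reasons.append("default port of " + WELL_KNOWN[port])
        if port in seen:  # same port used twice inside the plan itself
            reasons.append("also assigned to " + seen[port])
        seen[port] = role
        if reasons:
            problems[role] = reasons
    return problems

# The port plan chosen in the article (Figures E and F).
ARTICLE_PLAN = {"http": 3080, "https": 3443, "ldap": 3389, "ldaps": 3636}
```

Calling `check_port_plan(ARTICLE_PLAN, SAMPLE_NETSTAT)` reports only the `ldap` role, because 3389 is both bound and a well-known port; the other three ports pass.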
The next step, as shown in Figure G, asks for a selection of logon method. You’ve got several choices here, including:
- CertMutual method: Uses SASL (Simple Authentication and Security Layer) EXTERNAL with LDAP for logon.
- Digest-MD5: Uses the SASL DIGEST-MD5 mechanism, an MD5-based challenge/response, with LDAP for logon.
- NDS: Uses the typical NDS process for logon to eDirectory. This is a secure password challenge/response process.
- Simple password: A simple password is stored with the user object as a secret object. It is more flexible but less secure than the NDS method.
- X.509 certificate: Uses an X.509 certificate for logon.
I will accept the default on this screen, which installs all of the logon methods. In a normal production environment, it would be best to remove those methods that are less secure or not used. However, since I plan to install eDirectory for Linux and other LDAP clients later on, I want the flexibility that all of the methods offer.
Finally, you’re presented with a summary screen indicating what options will be installed. The installer will use these options and install the appropriate files at this point. You will also see messages on NetWare servers in the tree indicating that communication has been established with the new server.
After eDirectory is finished installing, the ConsoleOne installer kicks off, assuming that you selected it at the beginning of the process. If you didn’t, don’t panic. Just rerun Setup and choose ConsoleOne. The defaults are preferred for this utility.
Running ConsoleOne and opening up the .lab1.nds-lab organization where my servers are installed yields a final result of my Windows server being made a part of the NDS tree, as shown in Figure H.
Figure H: The Windows server lives with NetWare servers now.
During the installation of eDirectory 8.7, you’re asked to provide the product with a TCP port to use. This port is used by the Novell iMonitor 2.0 application. For my installation, I used port 3080 for clear text and 3443 for SSL.
iMonitor provides cross-platform monitoring of your eDirectory services. Besides reporting to you about the current health of your directory, it includes the following services:
- DS trace
- Object and schema browsing
To access the iMonitor services, browse to the /nds path on the eDirectory server using HTTPS on the SSL port that you specified during installation. For my installation, the address that I will use is https://192.168.1.108:3443/nds. Figure I shows the results.
Figure I: You can administer eDirectory from any Web browser using iMonitor.
Like any database, NDS can become corrupt and need repairing. On NetWare servers, this is done via DSRepair. On an eDirectory/Windows server, it is done via the iMonitor application by clicking the Repair button on the menu bar. It’s the one with the picture of the wrench.
The repair process can be run one time or scheduled to run at intervals by selecting the Advanced button on the Repair screen. To run a One Time Repair, just click the wrench icon, select Run In Unattended Mode and then click Start Repair, as shown in Figure J. The page will automatically refresh until the repair is complete at which time the repaired items will be shown. If you have used DSRepair before, this information will look very familiar.
Figure J: Repairing NDS is just as easy using iMonitor as it is using DSRepair from your server’s command prompt.
Go cross platform with eDirectory
Simple, elegant, and free—these are three words that can easily describe eDirectory 8.7 on Windows 2000. With the hordes of Microsoft administrators available, organizations can make use of eDirectory without the need for a NetWare server in their enterprise. With its mature, scalable architecture and support for a wide variety of operating systems, eDirectory 8.7 is an excellent directory choice.