SolutionBase: Synchronizing Exchange Server 2003 with Novell's eDirectory

Exchange Server 2003 relies on Active Directory in order to figure out who to deliver mail to in your organization. This becomes problematic if you rely on Novell's eDirectory as the directory service for your organization. Here's how you make Exchange Server 2003 and eDirectory play nice together.

Imagine for a moment that you are a network administrator for a medium-sized company. The network is based solely on Microsoft server products and always will be if you have anything to say about it. One day, however, your boss calls you into the office and drops a huge bombshell. The company that you work for has just bought out a competing company. You are going to be in charge of managing that company's network too. The catch is that the newly acquired company is using Novell NetWare. Furthermore, you can't switch them to Windows because they are using a proprietary database application that will only run on NetWare servers.

As you take the whole idea in, your boss goes on to tell you that your first assignment regarding the new company will be to give each of the employees at that company a mailbox on your Exchange Server so that they can have an E-mail address. Of course, the employees at the new company must be able to continue to authenticate through the NetWare server as they are doing right now. What do you do?

This is actually a pretty big challenge if you stop and think about it. After all, the normal way to create an Exchange mailbox is to create a user account and then tell Exchange to create a mailbox for the newly created user. Exchange is completely dependent on Active Directory. Active Directory contains things like the global address list and the list of which accounts have permission to access which mailboxes. Even if you were able to create Exchange mailboxes without creating user accounts, the NetWare users would not be able to access the mailboxes, because there would be no Active Directory identity to grant the access to. So what do you do? First, read this article.

What's eDirectory?

NetWare uses something called eDirectory (formerly Novell Directory Services, or NDS, which is the name you will still see in the MSDSS wizard). eDirectory is similar to Active Directory, but is not directly compatible with it. Therefore, you can't just create a trust relationship between the Windows network and the Novell network and then start granting the NetWare users access to Exchange mailboxes. It just doesn't work that way.

There are a couple of different ways that you could handle this particular problem. One method involves using Microsoft Identity Integration Server. The other method involves using the Microsoft Directory Synchronization Service (a subcomponent of Services For NetWare). Either technique will work, but for the purposes of this article, I will focus my discussion on using the Microsoft Directory Synchronization Service (MSDSS).

Author's Note

In case you are wondering why I chose to go with MSDSS rather than Microsoft Identity Integration Server (MIIS), there are a couple of reasons. First, MSDSS is a subcomponent of Services For NetWare, which is available as a Windows Server 2003 feature pack that you download from Microsoft at no additional cost. MIIS, on the other hand, comes in two different flavors: the feature pack and the Enterprise Edition. To synchronize Active Directory with eDirectory, you would need the Enterprise Edition, which costs $24,000 per processor and also requires a Windows Server 2003 license and a SQL Server license.

Aside from saving you about twenty-five thousand dollars, the other reason I am writing about MSDSS is that it is much easier to configure than MIIS.

The MSDSS architecture

As I mentioned earlier, MSDSS is a part of Services For NetWare, which is available as a feature pack for Windows Server 2003. MSDSS can synchronize Active Directory with all versions of NetWare, but there are a few restrictions. If your NetWare servers are running NetWare 3.x or earlier, then you will only be able to do a one-way synchronization (from NetWare to Active Directory). This is because Windows does not support exporting Active Directory information to the NetWare bindery. Even so, this one-way synchronization is useful if you should want to migrate from NetWare to Windows. If, on the other hand, you are running NetWare 4.x or higher, then you will be able to perform two-way synchronization. Changes made to Active Directory data can be written to eDirectory and vice versa.

Aside from helping you to link NetWare users to an Exchange mailbox, there are some other benefits to using MSDSS as well. One of the main benefits is that you will be able to create a single sign-on environment. MSDSS can synchronize passwords between Windows and NetWare. This means that whichever environment the users log into, they will only have one password to remember. If a user changes their password in Windows, the NetWare password is also changed. Before you promise users a single password, test the reverse case (a password changed from a NetWare client) in a lab: Microsoft's documentation describes password synchronization as flowing from Active Directory to NDS, and a change that propagates in only one direction leaves users with two passwords again.

Before I show you how to install MSDSS, there is one more thing that you need to know about it. Although MSDSS is a part of Services For NetWare, it is completely separate from File And Print Services For NetWare. The two are separate because they play different roles: File And Print Services For NetWare allows NetWare clients to access resources stored on Windows servers, while MSDSS synchronizes the directory information between the two networks.

Typically, File And Print Services For NetWare would be installed on multiple Windows servers (every server that NetWare users need to access resources from), while MSDSS only gets installed on a single server. Furthermore, MSDSS must be installed onto a domain controller in order for it to function properly. Keep in mind what that implies: a domain controller will be running a third-party NetWare client and holding the NetWare credentials that the synchronization sessions use, so patch that server promptly and protect those credentials as carefully as you protect your domain administrator accounts.

Installing MSDSS

The first thing that you should do prior to installing MSDSS is to make a system state backup (better yet, a full backup) of your domain controllers. The reason for this is that MSDSS extends the Active Directory schema, and a schema extension cannot be undone. If there were to be a power failure or a software glitch during the installation process, your Active Directory could get trashed as a result. You need a good backup to fall back on just in case.

I also recommend that you perform the installation late at night if possible. The schema extension replicates to every domain controller in the forest as soon as the installation completes, and once you configure a synchronization session, all of the information that MSDSS imports from Novell eDirectory replicates as well, including to every global catalog server on your Windows network. Depending on how large your NetWare network is and how many global catalog servers you have, this replication could have a major impact on the network's performance until the replication cycle completes.

The installation process itself is simple, but it's a little bit different from the way that you would install other Windows Server 2003 services. Although MSDSS is technically a Windows component, it is only available as a part of Services For NetWare, which is a downloadable feature pack, available from Microsoft's Web site.

Prior to installing MSDSS, you must download and install Novell's Client32 for NetWare on the domain controller that will run MSDSS. Get the latest NetWare client directly from Novell's Web site rather than from a third-party mirror, since you are about to run it on a domain controller.

After downloading and extracting Services For NetWare, you can install MSDSS by double clicking the MSDSS.MSI file (MSDSS must be installed onto a domain controller). When you do, Windows will launch the MSDSS installation program. Click Next to bypass the Welcome screen and you will be prompted to accept the end user license agreement. After accepting the license agreement, click Next. You will now see a screen that asks which components you want to install. Select the Microsoft Directory Synchronization Services option and click Next. Setup will now prompt you to enter your name and the name of your organization.

After entering this information, click Next and then tell Setup that you want to perform a typical installation. Click Next two more times, and Setup will begin copying the necessary files. When the file copy process completes, Setup will inform you that it needs to update the Active Directory schema. Because this is a schema extension, the account you are logged on with must be a member of the Schema Admins group, and the domain controller holding the schema master role must be reachable; otherwise this step fails. Click OK to acknowledge this message and to perform the schema update. When the operation completes, click Finish. You will now be prompted to reboot your server.

Performing the directory synchronization

Now that MSDSS has been installed, it is time to begin the directory synchronization. To do so, begin by opening the MSDSS console. You can find it on the domain controller's Administrative Tools menu, listed as Directory Synchronization. After launching the tool, right click the MSDSS node and select the New Session command from the resulting shortcut menu. This will cause Windows to launch the New Session Wizard.

Click Next to bypass the wizard's Welcome screen and you will be taken to the wizard's Synchronization and Migration Task screen. At this point, you will be prompted as to whether you need to synchronize with a NetWare Directory Service or a NetWare bindery. You will have to select the bindery option if your NetWare servers are running NetWare 3.x or an earlier version, or if your NetWare Servers are running in bindery emulation mode. Otherwise, you should choose the NDS option. Click Next to continue.

At this point, the wizard will ask you what type of synchronization you want to perform. I recommend using the two-way synchronization option (this option is not available if you are using a NetWare bindery). The reason why I recommend using this option is because it will keep your NetWare accounts and your Active Directory accounts perfectly synchronized. This is ideal for easing the administrative burden associated with running multiple network operating systems. Remember, though, that two-way synchronization also means that a mistake (or a compromised administrator account) in either directory propagates to the other, so keep both containers scoped as narrowly as the job allows.

The next screen that you will see asks for an Active Directory container and for the name of a domain controller. This is one of those important screens that you need to stop and think about rather than giving a quick answer. Whatever container you specify is the one that objects from the NetWare directory will be copied into. On the flip side, any objects that presently exist in the container will also be synchronized into the NetWare directory (assuming that you are performing a two-way synchronization). When choosing a container, you need to think about whether you want to bring the NetWare users into a separate OU from the "normal" Windows user accounts or if you would prefer to lump all of the accounts together.

As I mentioned, this screen also asks you to enter the name of one of your network's domain controllers. The domain controller that you enter will be used to perform the actual synchronization. Since keeping the directories in sync is an ongoing task, I recommend choosing a domain controller that usually has a pretty light workload.

Click Next and you will see a screen prompting you for an NDS container and a set of authentication credentials. This screen works similarly to the last one. You must enter the container that contains the objects that you want to import into Active Directory. The authentication credentials that you enter must have NetWare Supervisor rights to the container that you have specified. Since MSDSS keeps using these credentials for every subsequent synchronization run, create a dedicated NetWare account for the purpose with Supervisor rights to that container only, rather than entering the credentials of an administrator who has rights to the whole tree. Click Next to continue.

The next screen that you will see prompts you for the password that should initially be used for all of the synchronized accounts. You can choose to use a blank password, a password that matches the user name, an organizational default password, or a random value. The first three options create accounts whose passwords anyone who knows the naming convention can guess, and these accounts are about to be given mailboxes; choose the random value, and make sure the accounts are set to require a password change at the next logon (check the user accounts after the first synchronization, since the initial password and the flags on the synchronized accounts are what an attacker will try first). Click Next, followed by Finish, to initiate the migration process.

Once the synchronization process completes, users should be able to log into both the NetWare and the Windows networks. Keep in mind, though, that in order to do so, the client machines must be able to communicate with both systems. If TCP/IP isn't used on both systems, then clients will require multiple protocols. For example, if the Windows network is running NetBEUI and the NetWare network is running IPX/SPX, then client machines would need both protocols. Depending on your network configuration, workstations may also need clients for both NetWare and Windows.
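The wizard's initial-password screen and the two-way synchronization it sets up leave the synchronized accounts in whatever state the wizard chose, so the first thing to do after the first synchronization run is to audit the target OU. The following script is an added example and is not part of the original article or of MSDSS itself. It uses the .NET System.DirectoryServices classes (available on a Windows Server 2003 domain controller once PowerShell is installed) to list every user in the synchronized OU whose account permits a blank password, whose password never expires, or whose password change at next logon is still pending, and it can optionally clear the risky flags and force a password change. The OU distinguished name is a hypothetical placeholder; the userAccountControl bit values are the ones documented in the Active Directory schema.

```powershell
# Added example, not code from the original article: audit the OU that MSDSS
# populated and optionally put every synchronized account into a safe initial
# state. Run it first with $remediate = $false and review the output.
# Assumption (hypothetical name): the target OU chosen in the New Session
# Wizard is "OU=NetWare Users,DC=corp,DC=example". Run as a domain admin.

$ouPath    = "LDAP://OU=NetWare Users,DC=corp,DC=example"   # assumed target OU
$remediate = $false   # set to $true to actually modify accounts

# userAccountControl bits (values from the Active Directory schema documentation)
$ACCOUNTDISABLE     = 0x0002
$PASSWD_NOTREQD     = 0x0020    # account is allowed to have a blank password
$DONT_EXPIRE_PASSWD = 0x10000   # password never expires

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($ouPath)
$searcher.Filter = "(&(objectCategory=person)(objectClass=user))"
$searcher.PageSize = 500        # paged search so large OUs come back completely
[void]$searcher.PropertiesToLoad.Add("sAMAccountName")
[void]$searcher.PropertiesToLoad.Add("userAccountControl")
[void]$searcher.PropertiesToLoad.Add("pwdLastSet")

foreach ($result in $searcher.FindAll()) {
    $name = $result.Properties["samaccountname"][0]
    $uac  = [int]$result.Properties["useraccountcontrol"][0]

    # pwdLastSet is a large integer; 0 means "must change password at next logon"
    $pwdLastSet = -1
    if ($result.Properties.Contains("pwdlastset")) {
        $pwdLastSet = [long]$result.Properties["pwdlastset"][0]
    }

    $findings = @()
    if ($uac -band $PASSWD_NOTREQD)     { $findings += "blank password permitted" }
    if ($uac -band $DONT_EXPIRE_PASSWD) { $findings += "password never expires" }
    if ($pwdLastSet -eq 0)              { $findings += "password change at next logon still pending" }

    if ($findings.Count -gt 0) {
        Write-Host ("{0}: {1}" -f $name, [string]::Join("; ", $findings))
    }

    # Leave disabled accounts alone; fix the rest when remediation is enabled.
    if ($remediate -and -not ($uac -band $ACCOUNTDISABLE)) {
        $user = $result.GetDirectoryEntry()
        # Clear the two dangerous flags and force a password change at next logon.
        $newUac = $uac -band (-bnot ($PASSWD_NOTREQD -bor $DONT_EXPIRE_PASSWD))
        $user.Put("userAccountControl", $newUac)
        $user.Put("pwdLastSet", 0)
        $user.SetInfo()
        Write-Host ("{0}: flags cleared, password change forced" -f $name)
    }
}
```

Because the session is two-way, the forced password change that each user performs in Windows is what pushes a user-chosen password into eDirectory; running this once after the first synchronization, and again after any bulk import, keeps the wizard's default password from lingering on either side.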

Creating Exchange mailboxes

The next task is to create Exchange mailboxes for the NetWare users. Pick a domain controller in the domain that the NetWare accounts have been synchronized to and install the Exchange System Manager onto it. The reason for this step is that the Active Directory Users and Computers console must be Exchange-aware before it will allow you to create Exchange mailboxes. The way to make the console Exchange-aware is to install the Exchange System Manager.

Now it's time to create an Exchange mailbox for each user. In the past, this process had to be done manually for each user account. Keep in mind, though, that the Windows Server 2003 version of the Active Directory Users and Computers console allows you to select multiple user accounts by holding down the CTRL key as you select users. This allows you to create mailboxes for all of the accounts in a single action.

Once you have selected the desired accounts, right click on them and select the Exchange Tasks command from the resulting shortcut menu. This will cause Windows to launch the Exchange Tasks wizard. Click Next to bypass the wizard's Welcome screen. The following screen asks you what type of task you want to perform. Select the Create Mailbox option and click Next. You will now be prompted to select the Exchange Server and the store that you want to create the mailbox on. Make your selection and click Next. The mailboxes will now be created. Click Finish when the mailbox creation process completes.
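The wizard reports success for the selection you made, but not for the accounts you did not select, and a multi-select in a large OU is easy to get wrong. Exchange 2003 records the distinguished name of a user's mailbox store in the user's homeMDB attribute, so the synchronized OU can be checked directly. The following script is an added example, not code from the original article: it lists the synchronized users that still have no mailbox and counts the existing mailboxes per store, so you can confirm that everyone landed in the store you chose in the wizard. The OU distinguished name is a hypothetical placeholder.

```powershell
# Added example, not code from the original article: verify mailbox coverage
# after the Exchange Tasks wizard has run. Exchange 2003 sets homeMDB on a
# user object when it creates a mailbox, so a user without homeMDB has none.
# Assumption (hypothetical name): the synchronized accounts live in
# "OU=NetWare Users,DC=corp,DC=example".

$ouPath = "LDAP://OU=NetWare Users,DC=corp,DC=example"   # assumed OU

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($ouPath)
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.Add("sAMAccountName")
[void]$searcher.PropertiesToLoad.Add("homeMDB")

# Synchronized users that have not received a mailbox yet (no homeMDB value).
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(!(homeMDB=*)))"
$noMailbox = @()
foreach ($r in $searcher.FindAll()) {
    $noMailbox += $r.Properties["samaccountname"][0]
}

# Users with a mailbox, counted per store, so a mailbox created on the wrong
# store (or on the wrong server) stands out.
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(homeMDB=*))"
$perStore = @{}
foreach ($r in $searcher.FindAll()) {
    $store = $r.Properties["homemdb"][0]
    if ($perStore.ContainsKey($store)) { $perStore[$store] += 1 } else { $perStore[$store] = 1 }
}

Write-Host ("Accounts still without a mailbox: {0}" -f $noMailbox.Count)
foreach ($n in $noMailbox) { Write-Host ("  " + $n) }
Write-Host "Mailboxes per store:"
foreach ($store in $perStore.Keys) {
    Write-Host ("  {0}: {1}" -f $store, $perStore[$store])
}
```

Run it once right after the wizard finishes and again after the next synchronization cycle: a user account that eDirectory adds later is synchronized into the OU without a mailbox, and this check is the quickest way to notice it.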