Migrate from Novell to Windows Server 2003

Posted on 2004-11-17
Last Modified: 2013-11-29
Has anyone migrated from Novell to windows server 2003. How difficult is it?
Question by:whiwex
    LVL 34

    Expert Comment

    Well, my general advice is: DON'T DO IT.

    If you're looking for some objective reasons why, try the Gartner Group Case Study that shows that Windows costs 2x to 3x MORE than NetWare to own. Do you want to spend 2x to 3x MORE to deliver the same (or lesser) services? The URL is
    You can also find some good information at

    As to some technical reasons why you shouldn't switch, let's look at a number of them:

    0) Windoze is historically unreliable. DLL Hell, Blue Screen of Death, and security holes out the ying-yang ( Yeah, NetWare has its security issues, but they pale in comparison.

    1) There's nothing that you can do with W2K that you can't do with NetWare, aside from run the world's least-secure webserver, IIS. Yet W2K consistently costs more - higher hardware costs, more admins per server on average, more downtime, lower reliability.

    2) Microsoft LIES. They lie about their own products - what they can do and how much they cost. They especially lie about their competitor's products. Do you really want your business to depend on a company that has built an empire out of lying (for example, claiming that NT Server was C2-compliant...and now they say it too broken to fix, after they've spent 6 years selling that lie)?

    3) If you want to repair Active Directory, you must shut down the AD server and boot it up in special "Directory Repair" mode, using a separately administrated password. With NDS, you can run a directory repair without downing the server or even disturbing people already logged in. No such luck with AD.

    4) AD doesn't do time synchronization. Despite M$ claims that time synch is not important, try logging in as Admin into AD and then changing the workstation's time. Then try to administrate AD.

    5) If you have multiple DCs, it is possible for changes made on one DC to overwrite changes made on another DC. Ever heard of that happening in NDS? This is a consequence not only of AD's design and replication, but also its lack of time sync.

    6) AD has no partitioning ability.

    7) The only security principals in AD are Groups and Users. You cannot make an OU a security principal. For example, in NDS, you can grant directory service and/or filesystem rights to user objects based on what OU, or container, they are in (as well as a variety of other ways, such as NAL objects, Org Roles, etc). This means you can leverage eDirectory, make it work for you, and reduce your administration overhead. No such luck in AD.

    8) When AD replicates changes to objects with multi-valued attributes, then ENTIRE list of attributes is replicated, not just the changes. NDS only deals in the deltas, hence NDS is significantly more efficient (in terms of bandwidth consumed by network administration overhead). This flaw in AD also contributes to the aforementioned problem with changes made on one DC overwriting changes on another.

    9) AD uses static inheritance, whereas NDS is dynamic. If you have 50k objects and want to make a change that affects all of them, the ACL for EVERY object has to be modified. This can lead to a HEAVY server load for an extended period of time. NDS makes the changes at the partition boundary and ACLs are dynamically calculated as access requests arrive.

    10) Once an AD user logs in, their rights/access permissions can't be modified without them logging back out and then back in. So if Jane needs access to \\server\drive\directory and you grant it to her, Jane has to log out and log back in to get that access. Since NDS is dynamic, she starts seeing it immediately (as soon as any needed replication occurs).


    Redmond's drones will try to tell you that Novell is going away or NetWare is dead or just about anything to try to keep you from finding out accurate info about non-M$ products. Its FUD. A hint: Micro$oft LIES. More than most companies. They lie about their products and how much they cost. They especially lie about their competitor's products. They pay people to lie for them (whether its paid flacks in Internet chat rooms or newsgroups/forums talking up their products, or outright lies in their paid advertising, such as "Server Crunch").

    When a 16-year-old twerp in Germany can bring Windoze boxes, servers and clients alike, to their knees worldwide, what does that tell you about the lack of security in Windoze? And the argument that Windoze is most-hacked because its most widely installed is specious. If that were true, Apache would be the most-hacked webserver, since (according to NetCraft) it runs THREE TIMES many sites as IIS. Guess which one is most hacked?

    And no, I don't work for Novell, or even a VAR. I just hate to see liars get away with it.
    LVL 34

    Expert Comment

    Some more info. Filesystem security in the Windoze environment is a crude subset of the fine, granular security that the NetWare environment affords you. If you migrate, forget about trying to map permissions from one to the other. You are going to have to sit down and re-think your filesystem security from scratch, because the Windoze environment is so clumsy.

    For example, you cannot grant a user the ability to give other users permissions in a directory without giving the first user "Full Access". So if you have some directory, say \\SERVER1\SOME\PLACE and you want to let Bob User give other people rights to that directory, but you don't want anyone having more than Read-Only rights, you can't do that in Windoze. In NetWare, you cna give Bob Read, Filescan and Access Control, and now Bob can give other people the Read and Filescan (those two are equivalent to Windoze Read-Only) rights, but nothing else, nor can he escalate his own privledges.

    Similarly, let's say you have \\SERVER1\STUFF and \\SERVER1\STUFF\SECURE. In the Windoze environment, the moment you give Bob any access in \\SERVER1\STUFF, he can see \\SERVER1\STUFF\SECURE, even if he doesn't have any permissions in it. In the NetWare environment, if someone doesn't have permissions in a subdir, they don't get to even SEE the subdir.

    Directory Service security suffers similarly in the AD environment. You only have Groups and Users as security principals. You cannot, for example, assign rights to the SALES OU and have all the user objects in the OU receive those rights. You can do that in the eDirectory environment - almost any object can be a security principal - users, groups, OUs, Os, Profiles, Org Roles.

    So, again, if you've made any use at all of the flexibility of NDS/eDirectory, you can forget about migrating that. You will have to redesign your entire directory service structure and security from scratch, because you are losing all the flexibility and adaptability of NDS/eDirectory.

    With AD, your Tree structure is chained by the neck to DNS. Doesn't matter if that is what's best or even most logical for your organization, you don't have a choice. eDirectory gives you a choice.

    And, for that matter, calling AD a "directory service" is false advertising. Its still NT Domains, just with transitive trust and an extensible schema. The database is still a 2-D database, its just a 3-D view. eDirectory is an actual, ground-up, 3-D hierarchical database; no naming collisions, for example. You can have Bob.Sales.Company and Bob.Engineering.Company in the eDirectory environment. Can't do it in AD, if those OUs are in the same Tree, because its really a 2-D namespace.

    AD lacks basic data integrity mechanisms like backlinks (aka Distributed Reference Links), where Object A knows that other objects (say, Objects 1 2 and 3) point to it. The usefulness of this becomes apparent when you go to delete Object A. In eDirectory, because it has this basic data integrity mechanism, the directory service can go and update Objects 1, 2 and 3, so they no longer point to the deleted object. AD uses pathetic "tombstones" that disappear after 60 days; there's no way for Object A to know what other objects point to it, so no way to update those other objects.

    Well, that's all I can think of at this moment. I'm sure I'll think of more, and other Experts will chime in.
    LVL 3

    Expert Comment

    I work for a very large financial institution.    I have been supporting both the Windows & Novell Netware environments in our company for about 10 years, but Novell Netware is my primary area of responsibility.  I am used to seeing anywhere from 8 to 5,000 clients supported by a single Netware server, with 1,500 - 2,000 being the most common in our corporate sites.  

    We are currently in the process of merging with a MUCH larger financial institution.  I was amazed watching the presentations for the AD environment. As I was watching the extremely complicated design presentations I started to do the math on clients to server ratios.  It turns out that there is about an 18 to 1 client to server ratio for this HUGE worldwide AD environment.

    I had to check my math 4 times to be sure I was REALLY seeing this.  I still can hardly believe it is true.  What a waste of hardware!!

    LVL 3

    Expert Comment

    And that doesn't even go into the support costs, additional network equipment to support connectivity, maintenance contracts, etc....  What a waste period!!!!!!!!!!

    LVL 6

    Expert Comment

    It is a snap, I done many times now.

    1. you just copy the data from the netware server too windows server.

    2. Windows a program called Servics for netware (around a $100) this can copy users and groups to windows 2003.  Novell has a program called dirxml, It can also move your file rights, but it is hard to install and use (It's not cheep ).  

    As as foe security I have been windows servers for 2 years no sercuity porblems what so ever,  but don't run IIS - I run Apache and keep on patches.

    As for Cost  I am running both windows and netware side by side so far windows 2003 cost is far far less than that of Netware.

    As netware can do ever thing that windows can do "not".  Netware has no faxserver, no Dialup no 64 bit support. Netware is very poor at VPN, firewall, remote access, web servering, Dual CPU suport, support for new hardware  

    LVL 8

    Expert Comment

    Sorry, I rarely rant, but this thread is just calling me out...
    Having to use both NetWare and Windows frequently, here are my thoughts:

    If you HAVE to switch, it is not difficult, although your support costs on the back-end will go up significantly. I am lucky enough to go the other way: consolidating Windows servers and AD farms into consolidated NetWare servers and unified eDirectory trees.

    The _ONLY_ Total Cost of Ownership comparisons that have even come close to putting Windows as cost effective as NetWare are the ones that are paid for by MS; don't believe the hype, do your own research.

    Some facts to help you realize the advantages fo NetWare over Windows:

    * NetWare charges by the user, not by the server: One user account can access as many NetWare servers as he/she/it needs
    * I have patched my NetWare servers twice this year, taking a grand total of 3 hours for 64 servers <This is what TCO is all about>
    * eDirectory is the #1 directory service in the world for a reason
    * I migrated a 180 server, 2700 employee Windows server -based company to 64 NetWare file/print/web/app/email servers with ZERO hardware upgrades for a total cost savings of $670,000 is the FIRST year alone. Total staff requirements dropped by 33% the following fiscal year.

    Some facts to help you realize the advantages of Windows over NetWare:

    * Some apps are written for Windows only. Don't know why with web-based standards these days, but it is true.
    * Buying bigger and badder hardware is fun, and you'll get to do it often
    * MS reps drive nicer cars
    * It's always easy to find an MCSE that knows nothing to be a scapegoat when needed

    To take some of G's comments (forgive my 'Netware' quotes, they are sic):

    "Netware has no faxserver" -- True, although utterly meaningless

    "Netware has no Dialup" -- With portal services available, why would anybody use dial-up? Direct dial into my file & print server is a security concern

    "Netware is very poor at VPN" -- So is Windows, neither are designed as a VPN

    "Netware is very poor at firewall" -- Laugh Windows for a firewall? How do you explain the incessant patching downtime to your CIO? hardware firewalls are where it's at, any true admin wouldn't consider a software firewall to begin with. BorderManager (additional product) is a VERY capable firewall product, though most that bash it have spent 5 minutes working with it and get confounded by the myriad of options it provides.

    "Netware is very poor at remote access" -- Don't know what version of NW you use, but Virtual Office, iDrive, and iFolder are unbelievably good at remote access, with buiilt-in end-to-end SSL and better yet, they are included with NetWare.

    "Netware is very poor at web servering" -- NetWare runs Apache (just like you state) like a scalded banshee, again, I don't know what versions you are running but my NW/Apache webservers set the standard for availabity, performance, and up-time. This and I don't have to worry about my OS being exploited every 10 minutes.

    "Netware is poor at Dual CPU suport" -- I can't speak for everyone but all of my dual and quad processor NetWare servers run great. Now if you don't understand multi-processort support platform support under NetWare, I can see where you would miscontrue this as poor performance.

    "Netware is poor at support for new hardware" -- My USB-installed HP blade servers running iSCSI say otherwise.

    Just my $0.02
    LVL 35

    Expert Comment

    I don't know where G gets this stuff.

    How about what NetWare does that Windows cannot?  

    NetWare file system security is much more granular and robust than Windows
    NetWare can serve more data to more users faster on less hardware than Windows
    NetWare can stay up and running for over a year (just ask DSPoole) with zero downtime.
    NetWare can act as a multiprotocol router better than Windows
    NetWare, with BorderManager 3.8, is actually a MUCH superior VPN and firewall to Windows RRAS/ICS
    NetWare runs rings around Windows in MP support - it hits the "law of diminishing returns" somewhere between 6 and 8 processors, while Windows hits that limit between 4 and 6 processors - and NetWare's throughput beats Windows' by a ton through the whole spectrum.
    You can cluster 2 NetWare servers without paying for extra server licensing, and you don't have to have identical hardware on the clustered servers.
    NetWare supports more IETF/IEEE standards, and its LDAP server is LDAP v3 compliant.
    NetWare supports native client access to more platforms out of the box.  Windows needs third-party software.
    eDirectory can run on more than one platform.  AD 2003 can only run on Windows 2003 server - it can't even run on Windows 2000 server, which uses release 1 of AD.
    eDirectory can be repaired without taking any servers offline or otherwise adversely affecting the users.

    As far as 64-bit, in a few months, when OES (formerly known as NetWare 7) is released, it will be run on more than one kernel - and the SuSE Enterprise 9 kernel (one of the options) runs quite nicely on 64-bit platforms.

    That's all I have at the moment - it's quittin' time and I gotta go.  More later.
    LVL 34

    Expert Comment

    Wow. This thread got a rant from waybadmojo. I'm impressed.

    whiwex, I can't add too much to what hendrixl, waybadmojo and ShineOn have put in on this topic. I've had similar experiences to theirs, and I'm not going to repeat what they've stated so well.

    gjohnson99, unfortunately, seems to have not investigated any version of NetWare after v3.2, and has only read the M$-financed TCO studies. It's sad to see the Redmond FUD promulgated here.
    LVL 2

    Expert Comment

    The Redmond marketing engine is strong. With some of their M$ moneys, maybe Novell’s engine will kick in soon. I hope the EU understands and of course, Chris will be missed.

    LVL 3

    Accepted Solution


    We didn't mean to scare you away.  If you are convinced this is the direction you want to go I am sure there are Experts who would be happy to provide more information, although staying with Netware, judging by the opinions in the above thread from a group of first rate Experts and from personal experience, would be a much better option. :-)

    LVL 3

    Expert Comment


    This is just some friendly advice.

    I appreciate the points award, but as I did not really answer the question asked in your original post you really should have asked that the question be deleted or moved to the Microsoft TA to get input from those Experts.  I don't know if you are a premium services customer, but if you had to pay for those points I hate to think you only heard my opinion, based on much experience I might add :-), that it would be a serious mistake to move from a Novell to Microsoft platform for many reasons.

    If you were satisfied with the wealth of information you received in this thread a point split between the participating Experts would have been a much more equitable outcome for all.  You may find that Experts are reluctant to provide their time in the future to answer your questions if a decision on the "right" answer is completely arbitrary and not based on some measurable criteria.

    I really do appreciate the points, but I don't want you to find yourself desperately needing help with an issue and no help in sight...


    Featured Post

    Better Security Awareness With Threat Intelligence

    See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

    Join & Write a Comment

    #Citrix #Citrix Netscaler #HTTP Compression #Load Balance
    Don’t let your business fall victim to the coming apocalypse – use our Survival Guide for the Fax Apocalypse to identify the risks and signs of zombie fax activities at your business.
    Viewers will learn how to properly install and use Secure Shell (SSH) to work on projects or homework remotely. Download Secure Shell: Follow basic installation instructions: Open Secure Shell and use "Quick Connect" to enter credentials includi…
    In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor ( If you're interested in additional methods for monitoring bandwidt…

    728 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    18 Experts available now in Live!

    Get 1:1 Help Now