Solved

migrating from Novell to Active directory

Posted on 2006-10-27
Last Modified: 2013-11-29
I would like to know if there is any link that would serve as a guide for migration from Novell to Microsoft Active Directory.

Thanks
Question by:jskfan

Accepted Solution

by:
jasonr0025 earned 125 total points
ID: 17823943
Here is a link to several more links that will guide you in the right direction.
http://www.microsoft.com/technet/interopmigration/prodtech/interop/netware/default.mspx
Hope this helps,
Jason

Assisted Solution

by:PsiCop
PsiCop earned 125 total points
ID: 17829561
Several facts-of-life from migrations I've seen:

0) Be prepared to use 2x to 3x as much hardware. For example, you can perform repairs to Novell's eDirectory on-the-fly. With AD, you'll probably be rebooting the DC into the special "Directory Services Repair" mode, along with its machine-specific password (not administered in AD, naturally). So while there's no issue with a NetWare or OES server hosting an eDirectory replica (or replicas) and also hosting other user-facing services, you don't want to do that in AD. That means more hardware, more licenses (because Novell's products are licensed per-user, the # of servers is not relevant; but with Redmond, you'll pay for every box), more patching, and more costs. Hope your IT budget has plenty of money to spare.

1) You know how standards-based time synchronization (NTP) is important in eDirectory? There is no meaningful time synch in AD. Potentially, changes to multi-valued attributes of an object made between replication cycles on different DCs can result in one change overwriting another. Time synch and transactional timestamps in eDirectory prevent this, but you no longer have that protection in AD. The way to compensate is to set up a "focus" DC, where all admin tools make all changes. Of course, not all software allows you to force a "focus DC", and it makes AD the "Master-slave" environment rather than the "multi-Master" it claims to be (and is).

2) eDirectory is an actual, 3-D hierarchical database, based on X.500 standards. AD is really just the flat, 2-D NT 4 Domains, with transitive-trust and an extensible schema bolted on the side. Don't let the management tools fool you - they show AD as a 3-D environment, but it is a flat namespace. Start looking for name collisions.

3) eDirectory allows you to use almost any object in the Directory as a security principal. If you've been smart and leveraged this to make life easier, then your life in AD will be much harder. The *only* security principals in AD are Users and Groups. So if you assigned DS rights to an OU, or filesystem rights to a Profile, or used an Application Object to give certain rights during certain hours, you're hosed. Forget "migration", you'll need to sit down and rethink both your Directory Service and filesystem rights assignments from scratch, because all you have available is a crude subset of what eDirectory and NSS give you.

4) If you've taken advantage of the included Cluster Services licenses in modern OES or NetWare, then don't forget clustering is extra in Windoze - extra for the clustering software licenses, and usually extra to cluster-enable whatever product you want to cluster. More $$$$.

5) Remember that unlike eDirectory, AD lacks any reliable data integrity mechanisms. In eDirectory, you have Distributed Reference Links (aka Backlinks). All you have in AD is "tombstones", which are fairly lame. If you have business processes/cycles that extend outside the default 60-day tombstone lifespan, better look at jacking it up and dealing with the resultant clutter.

6) ConsoleOne and iManager offer you pretty comprehensive and *integrated* management environments; and iManager is browser-agnostic. MMC is nothing but a shell that calls 35+ separate little programs, so there is little in the way of integrated management. And what few web-based tools are available deliberately lock you into using IE only. Like Firefox? Oh, well.

7) If you rely on the eDirectory LDAP interface for anything, remember that it's LDAP v3-compliant. AD's is not. Make sure whatever external tool/program is using the LDAP interface can deal with that.

8) With eDirectory, you can add and remove Partition replicas from servers pretty much at will. You have to completely re-install to make a Member Server a DC, or a DC into a Member Server. Another reason to make sure all DCs serve no other purpose, and another reason you'll be spending so much more on hardware and licenses and all the "secondary" costs that entails (hardware maintenance, staff time for firmware updates, staff time for OS patching, per-server licensing charges, etc).

9) eDirectory runs on several flavors of Linux, Solaris, AIX, Windoze and NetWare. AD locks you into Windoze only. If you have any other platforms, have fun.

10) If your migration is being driven by a single app, perhaps co-existence is a better route. You can use eDirectory as a meta-directory and synch AD to it. Take a look at Identity Manager --> http://www.novell.com/idm
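
An added example, not part of the original answers: a pre-migration audit for points 2) and 3) above, run over a constructed inventory. The tuple layout, the sample DNs and the assumption that the leftmost RDN value becomes the AD logon name are illustrative and are not an eDirectory export format.

```python
from collections import defaultdict

# Constructed sample inventory (not real export data): (DN, object class).
OBJECTS = [
    ("cn=jsmith,ou=sales,o=acme", "User"),
    ("cn=JSmith,ou=eng,o=acme", "User"),
    ("cn=mlee,ou=eng,o=acme", "User"),
    ("cn=admins,ou=eng,o=acme", "Group"),
    ("ou=sales,o=acme", "Organizational Unit"),
    ("cn=nightshift,ou=sales,o=acme", "Profile"),
]
# Constructed rights assignments: (trustee DN, protected resource).
TRUSTEES = [
    ("cn=admins,ou=eng,o=acme", "VOL1:/eng"),
    ("ou=sales,o=acme", "VOL1:/sales"),
    ("cn=nightshift,ou=sales,o=acme", "VOL1:/reports"),
    ("cn=ghost,ou=eng,o=acme", "VOL1:/old"),
]
# Classes that can carry rights after migration, per point 3) of the answer.
AD_PRINCIPAL_CLASSES = {"user", "group"}

def leaf_name(dn):
    """Leftmost RDN value, lower-cased. Escaped commas are not handled."""
    first_rdn = dn.split(",", 1)[0]
    return first_rdn.split("=", 1)[1].strip().lower()

def name_collisions(objects):
    """Map each leaf name shared by 2+ User/Group objects to their DNs."""
    by_name = defaultdict(list)
    for dn, cls in objects:
        if cls.lower() in AD_PRINCIPAL_CLASSES:
            by_name[leaf_name(dn)].append(dn)
    return {n: dns for n, dns in by_name.items() if len(dns) > 1}

def unmappable_trustees(objects, trustees):
    """Assignments whose trustee is not a User or Group, or is not in the inventory."""
    cls_of = {dn.lower(): cls for dn, cls in objects}
    findings = []
    for trustee, resource in trustees:
        cls = cls_of.get(trustee.lower(), "UNKNOWN")
        if cls.lower() not in AD_PRINCIPAL_CLASSES:
            findings.append((trustee, cls, resource))
    return findings

if __name__ == "__main__":
    for name, dns in name_collisions(OBJECTS).items():
        print(f"collision on '{name}': {dns}")
    for trustee, cls, res in unmappable_trustees(OBJECTS, TRUSTEES):
        print(f"rework needed: {trustee} ({cls}) holds rights on {res}")
```

Each finding from the second check is a rights assignment that has to be redesigned around a User or Group before cut-over; an `UNKNOWN` trustee points at a dangling assignment worth removing rather than migrating.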

Expert Comment

by:PsiCop
ID: 17845422
Typo in 1) above:

I wrote: "makes AD the "Master-slave" environment rather than the "multi-Master" it claims to be (and is)"

I meant: "makes AD the "Master-slave" environment rather than the "multi-Master" it claims to be (and is NOT)"