migrating from Novell to Active directory

Medium Priority
Last Modified: 2013-11-29
I would like to know if there is any link that would serve as a guide for migration from Novell to Microsoft Active Directory.


Here is a link to several more links that will guide you in the right direction.
Hope this helps,

Several facts-of-life from migrations I've seen:

0) Be prepared to use 2x to 3x as much hardware. For example, you can perform repairs to Novell's eDirectory on-the-fly. With AD, you'll probably be rebooting the DC into the special "Directory Services Repair" mode, along with its machine-specific password (not administered in AD, naturally). So while there's no issue with a NetWare or OES server hosting an eDirectory replica (or replicas) and also hosting other user-facing services, you don't want to do that in AD. That means more hardware, more licenses (because Novell's products are licensed per-user, the # of servers is not relevant; but with Redmond, you'll pay for every box), more patching, and more costs. Hope your IT budget has plenty of money to spare.

1) You know how standards-based time synchronization (NTP) is important in eDirectory? There is no meaningful time synch in AD. Potentially, changes to multi-valued attributes of an object made between replication cycles on different DCs can result in one change overwriting another. Time synch and transactional timestamps in eDirectory prevent this, but you no longer have that protection in AD. The way to compensate is to set up a "focus" DC, where all admin tools make all changes. Of course, not all software allows you to force a "focus DC", and it makes AD the "Master-slave" environment rather than the "multi-Master" it claims to be (and is).

2) eDirectory is an actual, 3-D hierarchical database, based on X.500 standards. AD is really just the flat, 2-D NT 4 Domains, with transitive-trust and an extensible schema bolted on the side. Don't let the management tools fool you - they show AD as a 3-D environment, but it is a flat namespace. Start looking for name collisions.

3) eDirectory allows you to use almost any object in the Directory as a security principal. If you've been smart and leveraged this to make life easier, then your life in AD will be much harder. The *only* security principals in AD are Users and Groups. So if you assigned DS rights to an OU, or filesystem rights to a Profile, or used an Application Object to give certain rights during certain hours, you're hosed. Forget "migration", you'll need to sit down and rethink both your Directory Service and filesystem rights assignments from scratch, because all you have available is a crude subset of what eDirectory and NSS give you.

4) If you've taken advantage of the included Cluster Services licenses in modern OES or NetWare, then don't forget clustering is extra in Windoze - extra for the clustering software licenses, and usually extra to cluster-enable whatever product you want to cluster. More $$$$.

5) Remember that unlike eDirectory, AD lacks any reliable data integrity mechanisms. In eDirectory, you have Distributed Reference Links (aka Backlinks). All you have in AD is "tombstones", which are fairly lame. If you have business processes/cycles that extend outside the default 60-day tombstone lifespan, better look at jacking it up and dealing with the resultant clutter.

6) ConsoleOne and iManager offer you pretty comprehensive and *integrated* management environments; and iManager is browser-agnostic. MMC is nothing but a shell that calls 35+ separate little programs, so there is little in the way of integrated management. And what few web-based tools are available deliberately lock you into using IE only. Like Firefox? Oh, well.

7) If you rely on the eDirectory LDAP interface for anything, remember that it's LDAP v3-compliant. AD's is not. Make sure whatever external tool/program is using the LDAP interface can deal with that.

8) With eDirectory, you can add and remove Partition replicas from servers pretty much at will. You have to completely re-install to make a Member Server a DC, or a DC into a Member Server. Another reason to make sure all DCs serve no other purpose, and another reason you'll be spending so much more on hardware and licenses and all the "secondary" costs that entails (hardware maintenance, staff time for firmware updates, staff time for OS patching, per-server licensing charges, etc).

9) eDirectory runs on several flavors of Linux, Solaris, AIX, Windoze and NetWare. AD locks you into Windoze only. If you have any other platforms, have fun.

10) If your migration is being driven by a single app, perhaps co-existence is a better route. You can use eDirectory as a meta-directory and synch AD to it. Take a look at Identity Manager --> http://www.novell.com/idm
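Two of the points above are checkable on a real forest: the "focus DC" idea from item 1 (pin every read and write to one DC so admin tools never race each other across replication partners) and the tombstone lifetime from item 5 (make sure it outlasts your longest business cycle before deleted objects become unrecoverable). The script below is an added example, not part of the answer above; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, that the caller has rights to the forest's Configuration partition, and that the DC name and cycle length are placeholders you replace with your own.

```powershell
# Added example (not from the original answer). Assumes the ActiveDirectory
# module is available and the caller can read/write the Configuration NC.
param(
    [string]$FocusDC = 'dc01.example.local',   # assumed name of your "focus DC"
    [int]$LongestCycleDays = 90,               # assumed longest business process, in days
    [switch]$Apply                             # without -Apply the script only reports
)

Import-Module ActiveDirectory

# Every cmdlet below passes -Server so all reads and any write land on the
# same DC; that is the practical form of the "focus DC" from item 1.
$rootDse = Get-ADRootDSE -Server $FocusDC
$dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"

# tombstoneLifetime lives on the forest-wide Directory Service object.
$ds = Get-ADObject -Server $FocusDC -Identity $dsPath -Properties tombstoneLifetime

if ($ds.tombstoneLifetime) {
    $current = [int]$ds.tombstoneLifetime
    Write-Host "tombstoneLifetime is explicitly set to $current days (read from $FocusDC)."
} else {
    # Attribute absent means the built-in default applies. The answer above
    # cites 60 days; the actual default depends on the OS version the forest
    # was first created with, so confirm it for your forest.
    $current = 60
    Write-Warning "tombstoneLifetime is not set; assuming the 60-day default quoted above."
}

if ($current -lt $LongestCycleDays) {
    Write-Warning ("Longest business cycle ({0} days) exceeds tombstone lifetime ({1} days); " +
                   "objects deleted early in a cycle would be gone before it ends.") -f $LongestCycleDays, $current
    if ($Apply) {
        # Write goes to the focus DC only; normal replication carries it to the others.
        Set-ADObject -Server $FocusDC -Identity $dsPath -Replace @{ tombstoneLifetime = $LongestCycleDays }
        Write-Host "tombstoneLifetime raised to $LongestCycleDays days via $FocusDC."
    } else {
        Write-Host "Re-run with -Apply to raise tombstoneLifetime to $LongestCycleDays days."
    }
} else {
    Write-Host "Tombstone lifetime covers the longest business cycle; no change needed."
}
```

Run it once without `-Apply` to see what the forest currently has; raising the value is a forest-wide change that also keeps deleted objects (and their clutter, as item 5 warns) around longer, so agree the number with whoever owns the backup and restore process first.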

Typo in 1) above:

I wrote: "makes AD the "Master-slave" environment rather than the "multi-Master" it claims to be (and is)"

I meant: "makes AD the "Master-slave" environment rather than the "multi-Master" it claims to be (and is NOT)"