Solved

Migrating from Novell to Active Directory

Posted on 2006-10-27
Last Modified: 2013-11-29
I would like to know if there is any link that would serve as a guide for migration from Novell to Microsoft Active Directory.

Thanks
Question by:jskfan
Accepted Solution

by:
jasonr0025 earned 125 total points
ID: 17823943
Here is a link to several more links that will guide you in the right direction.
http://www.microsoft.com/technet/interopmigration/prodtech/interop/netware/default.mspx
Hope this helps,
Jason
Assisted Solution

by:PsiCop
PsiCop earned 125 total points
ID: 17829561
Several facts-of-life from migrations I've seen:

0) Be prepared to use 2x to 3x as much hardware. For example, you can perform repairs to Novell's eDirectory on-the-fly. With AD, you'll probably be rebooting the DC into the special "Directory Services Repair" mode, along with its machine-specific password (not administered in AD, naturally). So while there's no issue with a NetWare or OES server hosting an eDirectory replica (or replicas) and also hosting other user-facing services, you don't want to do that in AD. That means more hardware, more licenses (because Novell's products are licensed per-user, the # of servers is not relevant; but with Redmond, you'll pay for every box), more patching, and more costs. Hope your IT budget has plenty of money to spare.

1) You know how standards-based time synchronization (NTP) is important in eDirectory? There is no meaningful time synch in AD. Potentially, changes to multi-valued attributes of an object made between replication cycles on different DCs can result in one change overwriting another. Time synch and transactional timestamps in eDirectory prevent this, but you no longer have that protection in AD. The way to compensate is to set up a "focus" DC, where all admin tools make all changes. Of course, not all software allows you to force a "focus DC", and it makes AD the "Master-slave" environment rather than the "multi-Master" it claims to be (and is).

2) eDirectory is an actual, 3-D hierarchical database, based on X.500 standards. AD is really just the flat, 2-D NT 4 Domains, with transitive-trust and an extensible schema bolted on the side. Don't let the management tools fool you - they show AD as a 3-D environment, but it is a flat namespace. Start looking for name collisions.

3) eDirectory allows you to use almost any object in the Directory as a security principal. If you've been smart and leveraged this to make life easier, then your life in AD will be much harder. The *only* security principals in AD are Users and Groups. So if you assigned DS rights to an OU, or filesystem rights to a Profile, or used an Application Object to give certain rights during certain hours, you're hosed. Forget "migration", you'll need to sit down and rethink both your Directory Service and filesystem rights assignments from scratch, because all you have available is a crude subset of what eDirectory and NSS give you.

4) If you've taken advantage of the included Cluster Services licenses in modern OES or NetWare, then don't forget clustering is extra in Windoze - extra for the clustering software licenses, and usually extra to cluster-enable whatever product you want to cluster. More $$$$.

5) Remember that unlike eDirectory, AD lacks any reliable data integrity mechanisms. In eDirectory, you have Distributed Reference Links (aka Backlinks). All you have in AD is "tombstones", which are fairly lame. If you have business processes/cycles that extend outside the default 60-day tombstone lifespan, better look at jacking it up and dealing with the resultant clutter.

6) ConsoleOne and iManager offer you pretty comprehensive and *integrated* management environments; and iManager is browser-agnostic. MMC is nothing but a shell that calls 35+ separate little programs, so there is little in the way of integrated management. And what few web-based tools are available deliberately lock you into using IE only. Like Firefox? Oh, well.

7) If you rely on the eDirectory LDAP interface for anything, remember that it's LDAP v3-compliant. AD's is not. Make sure whatever external tool/program is using the LDAP interface can deal with that.

8) With eDirectory, you can add and remove Partition replicas from servers pretty much at will. You have to completely re-install to make a Member Server a DC, or a DC into a Member Server. Another reason to make sure all DCs serve no other purpose, and another reason you'll be spending so much more on hardware and licenses and all the "secondary" costs that entails (hardware maintenance, staff time for firmware updates, staff time for OS patching, per-server licensing charges, etc).

9) eDirectory runs on several flavors of Linux, Solaris, AIX, Windoze and NetWare. AD locks you into Windoze only. If you have any other platforms, have fun.

10) If your migration is being driven by a single app, perhaps co-existence is a better route. You can use eDirectory as a meta-directory and synch AD to it. Take a look at Identity Manager --> http://www.novell.com/idm
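
The name-collision check suggested in point 2 can be run against a directory export before any objects are moved. This is an added example, not part of the original post: it scans eDirectory DNs in LDAP notation for leaf names that would collide as a domain-wide sAMAccountName. The sample DNs, the CN-to-sAMAccountName mapping and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: DNs as they might appear in an LDIF export of an
# eDirectory tree (LDAP notation). Not taken from the original thread.
SAMPLE_DNS = [
    "cn=jsmith,ou=Sales,o=ACME",
    "cn=JSmith,ou=Engineering,o=ACME",
    "cn=printer-admin,ou=Sales,o=ACME",
    "cn=Smith\\, John,ou=HR,o=ACME",
    "cn=warehouse-inventory-clerk-east,ou=Ops,o=ACME",
    "cn=warehouse-inventory-clerk-west,ou=Ops,o=ACME",
]

SAM_MAX = 20  # length limit of a user's sAMAccountName in AD

def split_dn(dn):
    """Split a DN on commas that are not backslash-escaped."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]

def leaf_name(dn):
    """Return the value of the leftmost RDN with escapes removed."""
    rdn = split_dn(dn)[0]
    _, _, value = rdn.partition("=")
    return re.sub(r"\\(.)", r"\1", value)

def candidate_sam(dn):
    """Assumed mapping: leaf CN, lower-cased, cut to SAM_MAX characters."""
    return leaf_name(dn).lower()[:SAM_MAX]

def find_collisions(dns):
    """Map each candidate logon name to the DNs that would claim it."""
    claims = defaultdict(list)
    for dn in dns:
        claims[candidate_sam(dn)].append(dn)
    return {name: owners for name, owners in claims.items() if len(owners) > 1}

if __name__ == "__main__":
    for name, owners in sorted(find_collisions(SAMPLE_DNS).items()):
        print(f"{name!r} claimed by:")
        for dn in owners:
            print(f"    {dn}")
```

Names that are unique within their own containers collide once compared case-insensitively across the whole tree, and long names can also collide after truncation to 20 characters.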
Expert Comment

by:PsiCop
ID: 17845422
Typo in 1) above:

I wrote: "makes AD the "Master-slave" environment rather than the "multi-Master" it claims to be (and is)"

I meant: "makes AD the "Master-slave" environment rather than the "multi-Master" it claims to be (and is NOT)"