Integrating NT and NDS User Accounts
NAdminNT's integration utility (igrate.exe) is an NT program that lets
you transfer object information from one directory service to the other. The
program displays twin directory browsers, with NDS on the left and NT on the
right, as you see in Screen 3. Before you manipulate individual accounts, you
must select the NT domain to assimilate into NDS and click the Update NT
Objects button to copy all domain user and group account information to the
corresponding objects in the NDS database.
Outside the integration utility, account information can move between the
directory services in one direction only. Changes you make to domain user and
group object properties in the NDS tree automatically propagate to the NT SAM,
but not the reverse. The fundamental purpose of NAdminNT is to let you manage
all your user accounts with the NetWare Administrator utility. If you modify
domain accounts with NT's User Manager, NAdminNT doesn't propagate the changes
to NDS unless you manually update NT objects again with igrate.exe. If you have
large domains, this process can be lengthy.
After you assimilate your NT objects into NDS, you see a domain container
object in the NDS tree including all domain users and groups, as shown in
Screen 4.
A right-facing icon represents users who exist only in the domain; other
icons stand for the NT domain (a server box), the domain group (PC with two
users), hybrid users (left-facing icon), NT system (a PC), and an NDS user. You
can manage all the standard domain properties for your NT users and groups from
the details dialog box in the NetWare Administrator, as you see in
Screen 5.
When you add domain users to the NDS tree, NAdminNT matches the NT usernames
against the user names that already exist in the NDS context and creates hybrid
users for the matches. You can also synchronize accounts manually by selecting
an NDS user and a domain user on the integration utility screen and clicking
Synchronize.
When you create a hybrid user, NAdminNT combines the properties of the NDS
and NT accounts (the NDS information takes precedence over the equivalent NT
account properties). NAdminNT changes the NT username to that of the NDS user
(if necessary) and establishes a link between the NDS user object and the domain
user.
The details dialog box for a hybrid user object, as you see in
Screen 6,
page 156, is different from that of a nonsynchronized NT user. Only properties
exclusively involved with NT logons and access restrictions, such as NT group
memberships and user profile locations, remain in the domain user object. You
must configure properties that duplicate functions in NDS user objects, such as
logon time restrictions and account expiration dates, in the NDS user's dialog
box.
Creating New Users
You can use igrate.exe to manually integrate NT domain users into NDS and
NDS users into an NT domain, thus granting a user of one network rights to the
other. Igrate.exe creates a hybrid user in the NDS domain container and
transfers the original object's properties (except the password) to the new
object.
Passwords are not transmitted across the link between NetWare and NT. In the
integration utility's User Properties options, you can specify a password that
every new account receives or leave the password field empty. By default,
NAdminNT creates new accounts with no password but requires the user to set one
at the next logon.
Although useful, hybrid users are not an essential element of NAdminNT's
functionality. You can choose to maintain separate user accounts for your
NetWare and NT networks and just take advantage of the ability to manage all
your users and groups with one utility.
If you deintegrate a hybrid user with igrate.exe, the utility separates the
domain user and NDS user accounts, and you can specify different values for the
equivalent properties in each one. You can also create new users and groups in
an NT domain with the NetWare Administrator utility just as you'd create any
other object in the NDS tree.
To create a new account that consists of a standard NDS user object and a
hybrid user in an NT domain, you don't need to create two objects and integrate
them. Instead, you can use an NDS user template to create a fully functional
user account providing access to both networks. A user template is a collection
of properties that an administrator uses to create multiple new accounts with
the same capabilities.
The schema extensions in NAdminNT add an Application Server screen to every
user object in the NDS tree. An NT domain object on this screen signifies that a
hybrid user object exists in that domain. Manually adding a domain object to a
user template's Application Server screen automatically creates a hybrid user in
the domain when you create a user object with the template.
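Added example, not NAdminNT code and not something the article supplies: a small Python model of the rules stated in the preceding sections (hybrid-user creation with NDS precedence, one-way NDS-to-SAM propagation until Update NT Objects is run, the password handling for new accounts, deintegration, and template-driven hybrid creation). It talks to neither NDS nor the NT SAM. The class and property names, the constructed domain name EXAMPLE_DOM, and the conflict behaviour of the Update NT Objects step are assumptions made for the model.

```python
"""Toy model of the NAdminNT synchronization rules the article describes.

Constructed illustration only: this is not NAdminNT code and it touches
neither NDS nor the NT SAM.  Names such as Directory, Account and the
property keys are assumptions made for the model.  Rules encoded:
  * making a hybrid user merges the two accounts, NDS values winning;
  * the NT username becomes the NDS username and the two are linked;
  * passwords never cross the link; a new account gets the configured
    default password, or none plus a must-change-at-next-logon flag;
  * property edits flow from NDS to the SAM only, never the reverse,
    until Update NT Objects is run again;
  * deintegrating a hybrid leaves two independent accounts;
  * a template whose Application Server list names the domain yields a
    hybrid user at creation time.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, Optional

DOMAIN = "EXAMPLE_DOM"   # constructed domain name, not from the article


@dataclass
class Account:
    name: str
    props: Dict[str, Any] = field(default_factory=dict)
    password: Optional[str] = None
    must_change_password: bool = False
    link: Optional[str] = None      # partner account name when hybrid


class Directory:
    """The NDS context and the NT domain SAM, side by side."""

    def __init__(self, default_password: Optional[str] = None) -> None:
        self.nds: Dict[str, Account] = {}
        self.sam: Dict[str, Account] = {}
        # igrate.exe User Properties: password given to every new account
        self.default_password = default_password

    def _new_nt_account(self, nds: Account) -> Account:
        # everything but the password is copied from the NDS object
        nt = Account(name=nds.name, props=dict(nds.props),
                     password=self.default_password,
                     must_change_password=self.default_password is None,
                     link=nds.name)
        nds.link = nt.name
        self.sam[nt.name] = nt
        return nt

    def integrate_nds_user(self, nds_name: str) -> Account:
        """Give an existing NDS user a hybrid account in the domain."""
        return self._new_nt_account(self.nds[nds_name])

    def create_from_template(self, name: str, template: Dict[str, Any]) -> Account:
        """Create an NDS user from a template; a domain on its Application
        Server screen means a hybrid user is created as well."""
        props = {k: v for k, v in template.items() if k != "application_servers"}
        nds = self.nds[name] = Account(name, props)
        if DOMAIN in template.get("application_servers", ()):
            self._new_nt_account(nds)
        return nds

    def synchronize(self, nds_name: str, nt_name: str) -> Account:
        """Merge an NDS user and a domain user into one hybrid user."""
        nds, nt = self.nds[nds_name], self.sam.pop(nt_name)
        merged = {**nt.props, **nds.props}          # NDS wins on conflicts
        nds.props, nt.props = merged, dict(merged)  # passwords untouched
        nt.name = nds.name                          # rename to the NDS name
        self.sam[nt.name] = nt
        nds.link, nt.link = nt.name, nds.name
        return nds

    def set_in_nds(self, name: str, key: str, value: Any) -> None:
        """An edit in NetWare Administrator propagates to the linked SAM entry."""
        nds = self.nds[name]
        nds.props[key] = value
        if nds.link:
            self.sam[nds.link].props[key] = value

    def set_in_user_manager(self, name: str, key: str, value: Any) -> None:
        """An edit in NT User Manager stays in the SAM; NDS is not told."""
        self.sam[name].props[key] = value

    def update_nt_objects(self) -> None:
        """igrate.exe Update NT Objects: re-copy SAM properties into NDS.
        Simplification (assumption): the article does not say how conflicts
        resolve here, so this model lets the NT value through."""
        for nt in self.sam.values():
            if nt.link:
                self.nds[nt.link].props.update(nt.props)

    def deintegrate(self, nds_name: str) -> None:
        """Split a hybrid back into independent NDS and NT accounts."""
        nds = self.nds[nds_name]
        if nds.link:
            self.sam[nds.link].link = None
            nds.link = None
```

Running the model makes two consequences of the article's rules visible: an account integrated with no default password sits in the SAM with an empty password until that first logon, and anything changed in User Manager stays invisible to NDS until the next Update NT Objects run, which is why the text recommends managing all accounts from NetWare Administrator.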
What's Next?
Novell's campaign to bring NDS's functionality to NT has concentrated on
heterogeneous networks running both operating systems. The next step is to
address NT networks exclusively. Novell has ported NDS to UNIX operating systems
such as HP/UX and SCO, and an NT version of NDS should soon be available. NDS
for NT will run natively on NT networks, eliminating the need for NetWare
servers.
With Microsoft's Active Directory on the horizon, Novell's push to assert
the viability of its own directory service, which has had four years of
debugging and is installed at 20 million sites, comes as no surprise. NAdminNT
is a preemptive strike against Active Directory; it won't work with Microsoft's
directory service. If NDS can prove itself on NT, its chances of continuing to
be the directory service of choice are excellent, especially when compared with
a fledgling product that will require lengthy evaluation.