A utility to help get the red out of Novell Directory Services

When Microsoft released Windows NT 4.0, it included the NWConvert utility to help organizations migrate NetWare bindery-based servers to NT. NWConvert was an effective tool that performed well for shops that didn't use Novell Directory Services (NDS). Now, as Microsoft's server market share continues to increase, the company has redrawn the battle lines in its competition with Novell. No longer focused solely on increasing its NT Server sales, Microsoft is fighting for control of the enterprise directory namespace.

Active Directory (AD) is Microsoft's foremost weapon in the fight for directory dominance. Microsoft has positioned AD to be a robust, enterprisewide directory. And NT 5.0 includes Directory Service Migration Tool, a new utility that lets you migrate all or part of an NDS or bindery-based directory to AD. The utility migrates NetWare users, groups, files, rights, and container structures to their counterparts in AD. Directory Service Migration Tool lets you divide migrations into projects, so you can migrate sections of an NDS directory one at a time and make a large migration manageable.

When you run the utility, NT queries selected parts of your NDS tree, obtains necessary data, and writes the data to a local database. You can view and manipulate your NDS data in the Directory Service Migration Tool database before entering the data in AD, and the changes don't affect your production NetWare environment. This ability to manipulate your NDS information before writing it to AD is great because it lets you work at your own pace during a migration. In addition, because this utility transfers your directory data across the network, you don't risk damage to your NDS structure during the migration.

You must decide for yourself whether to migrate your NDS directory to AD. (For more information about NDS and NetWare-to-NT migrations, see "Related Articles in Windows NT Magazine," page 164.) If you decide to make the transition, this utility makes the process less difficult.

Installation
Before you can use Directory Service Migration Tool, you need to install two things on your NT 5.0 server: an appropriate protocol for connecting to your NetWare servers, and the Gateway Services for NetWare (GSNW) client. Then, select the Add/Remove Programs applet in Control Panel, and choose the Windows NT Setup tab. Double-click Networking Options and select Directory Service Migration Tool. The utility installs as a Microsoft Management Console (MMC) snap-in.

Next, you need to add the snap-in to an MMC file. Run mmc.exe to launch MMC, then select Add/Remove Snap-in from the File menu and select Add, Directory Service Migration Tool, as Screen 1 shows. Save this MMC configuration for easy future access: Select Console, Save As to save the configuration as an MMC (.msc) file. By default, MMC saves the .msc file in the My Administrative Tools directory for the user account you used to log on. If you save the configuration in this directory, MMC puts the utility on your Start menu.

Migrating NDS to AD
After you add the utility to an MMC file, you can start creating projects. The utility lets you add new projects as you work through different phases of your NDS migration. For example, you might create a separate project for each of your company's servers or offices. This feature is important because an enterprise directory migration is a large task. You need to plan, check, and double-check your work every step of the way, and you need to make sure you have reliable backups. To create a new project, right-click Directory Service Migration Tool in MMC and select New, Project.

To start importing NDS information from NetWare, right-click the project you defined and select New, View from NetWare to start Directory Service Migration Tool's Discover Wizard. The wizard prompts you for the information it needs to begin the import process. During step 2, which Screen 2 depicts, the wizard asks you to select one or more contexts (organizations or organizational units, or OUs) to import into your project. Select the contexts you want to import, click Add Context to add them to the Selected Contexts pane of the Discover Wizard window, and then click Next. The wizard will finish, and Directory Service Migration Tool will start importing your NDS information into the database.

Screen 2 shows a project in which I asked Directory Service Migration Tool to import the CONSTELLATION organization object, which resides within the CONSTELLATION NDS tree on the ORION intraNetWare server. The organization object consists of a few users and other NDS objects, as Screen 3 shows.

When the Directory Service Migration Tool discovery process finishes, the utility lets you know whether it generated any error messages or warnings during the discovery process. You need to look into any problems the utility reports. Click Log Viewer to look through an Event Viewer-type log to investigate problems that the utility encountered while importing your NDS directory. Directory Service Migration Tool logged two errors and four warning events during my migration of CONSTELLATION. One warning event reported that Directory Service Migration Tool didn't support the NDS object for the queue LASERJET, so the utility couldn't import LASERJET. Screen 4 shows this warning.

After you import your NDS data into Directory Service Migration Tool, you can evaluate and manipulate the data, if necessary. At this step in the migration process, you'll really appreciate the utility. For example, suppose your NDS structure uses the letters NW (for NetWare) in some object names. Such a naming scheme might be misleading in an NT directory structure, so you need to find all occurrences of NW in your directory object names and replace the NW with NT. Directory Service Migration Tool can perform this global find-and-replace task automatically and commit the changes to its copy of your NDS data.

You can also tell Directory Service Migration Tool to globally apply a certain type of password to each user account it imports. It can apply random passwords to user accounts, apply a password you choose to every account, remove passwords from accounts, or use a user's logon name as the password.

If you change your mind about alterations you make to the directory data, just delete the project you're manipulating, create a new project with the same NDS data, and start your changes over on the new copy of the data. When you're satisfied with Directory Service Migration Tool's copy of your NDS data, you're ready to write that directory information to AD. Make sure you know where in your AD structure you want to place the NDS data. You might want to import the NDS data into new OUs within AD so that you can keep it separate from your existing AD structure until you're sure Directory Service Migration Tool migrated all the NDS data correctly. When you're confident that all your data migrated correctly, you can move the new objects within AD to place them in the proper OUs. I created an OU called NDS to import my NDS data into, then moved the data to its final location when I was confident that my migration was successful.

Microsoft gave the AD-import function the not-so-intuitive name Configure Objects to NTDS. To open the function, right-click an object within your project and select Task, Configure Objects to NTDS, as Screen 5 shows. The Configure Objects to NTDS window will open. This window lets you select a destination container in AD to import the NDS directory data into, as Screen 6, page 164, shows. After you select a destination container, Directory Service Migration Tool writes directory information to AD. Screen 7 shows the outcome of my sample migration: Directory Service Migration Tool successfully migrated my OUs and user objects from NDS to AD.

Almost Ready
Directory Service Migration Tool is a powerful feature of NT 5.0, but the version that came with NT 5.0 beta 1 isn't complete. For example, I added user attributes including a telephone number, account expiration date, and title to the NDS record for DougT. However, the utility didn't migrate my telephone number or account expiration information. I'm not sure where the NDS Title field should have appeared in my AD user record, but that property didn't survive the migration either. Losing such important information in a migration is a problem, but I'm confident that this failure is a result of the beta 1 Directory Service Migration Tool's incompleteness.

The beta 1 version of the utility is also light on documentation, but because of the complexity of NDS and AD, I expect Microsoft to have thorough documentation for this utility by the time the company releases NT 5.0. I hope that the documentation will include a translation table that shows which NDS objects and properties Directory Service Migration Tool can migrate, which objects and properties it can't migrate, and which AD field NDS properties (such as the Title property) end up in. No large-scale enterprise migration plan can be complete if administrators can't access such a table.
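Until such a table exists, you can check for the attribute loss described above yourself. The following is an added example, not code from the article or from Microsoft's tool: it compares user attributes exported from NDS before the migration with the attributes present in AD afterward. The attribute-name pairings in ATTRIBUTE_MAP, the dictionary layout of the exports, and the sample records are assumptions constructed for illustration.

```python
# Added example: report NDS attributes that did not arrive in AD.
# ATTRIBUTE_MAP is an assumed translation table; confirm each pairing
# against vendor documentation before relying on it.
ATTRIBUTE_MAP = {
    "Surname": "sn",
    "Telephone Number": "telephoneNumber",
    "Login Expiration Time": "accountExpires",
    "Title": "title",
}
# Losing these changes the security posture of the account, not just its
# descriptive data (an expiring account silently becomes non-expiring).
SECURITY_RELEVANT = {"Login Expiration Time"}


def find_dropped(nds_users, ad_users):
    """Return sorted (user, nds_attr, ad_attr, security_relevant) tuples for
    every populated source attribute that is unmapped or empty in AD."""
    findings = []
    for user, attrs in nds_users.items():
        migrated = ad_users.get(user)
        if migrated is None:
            # The whole object is missing from the destination directory.
            findings.append((user, "<object>", None, True))
            continue
        for nds_attr, value in attrs.items():
            if not value:
                continue  # empty in the source, so nothing to lose
            ad_attr = ATTRIBUTE_MAP.get(nds_attr)
            if ad_attr is None or not migrated.get(ad_attr):
                findings.append(
                    (user, nds_attr, ad_attr, nds_attr in SECURITY_RELEVANT))
    return sorted(findings, key=lambda f: (f[0], f[1]))


# Constructed sample data (placeholder values, not real directory exports).
NDS_EXPORT = {
    "DougT": {"Surname": "Example", "Telephone Number": "555-0100",
              "Login Expiration Time": "1998-12-31", "Title": "Administrator"},
    "SampleUser": {"Surname": "User", "Title": ""},
}
AD_EXPORT = {
    "DougT": {"sn": "Example"},
    "SampleUser": {"sn": "User"},
}

if __name__ == "__main__":
    for user, nds_attr, ad_attr, sec in find_dropped(NDS_EXPORT, AD_EXPORT):
        level = "SECURITY" if sec else "info"
        print(f"[{level}] {user}: {nds_attr} -> {ad_attr or 'no mapping'} missing in AD")
```

Run a comparison like this while the migrated objects are still in a staging OU, so that a dropped expiration date is caught before the accounts go into production use.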

Finally, the beta 1 version is missing a feature that will benefit administrators. No migration to NT is complete without data migration, so Directory Service Migration Tool (like its predecessor, NWConvert) lets you migrate all your files. Unlike NWConvert, the new tool migrates file permissions and security, so it keeps your security configuration intact when it migrates your data from NDS to AD. This functionality isn't in the beta 1 version of the utility, but documentation in beta 1 states that it will be in the final NT 5.0 release.

Directory Service Migration Tool is useful. You can migrate entire branches of your NDS directory to NT with just a few mouse clicks and keystrokes. The final version's inclusion of a security configuration migration feature will make migrations fast and easy. File permission structures on large enterprise networks are usually complex, and when Directory Service Migration Tool makes migrating security information as easy as migrating user accounts, the utility will save administrators a lot of time.