View NT domains and NDS structures from one interface

Migrating to Windows 2000 (Win2K) means dealing with Active Directory (AD), which will cause migraines for administrators running Novell Directory Services (NDS) as they try to make the two directory services work together. Entevo's DirectManage is a suite of products that helps you manage a mixed network environment. This product lets administrators manage Windows NT domains and NDS trees from one interface, and version 2.0 includes support for AD.

The suite includes DirectAdmin, which is the basic management interface to DirectManage; DirectAdmin Exchange Plus Pack, which lets you comanage NT and Microsoft Exchange Server; DirectAdmin NDS Plus Pack, which lets you comanage NT domains and NDS; DirectMigrate for NDS, which is a dedicated migration tool that lets you quickly move large NDS structures into NT; and DirectMigrate 2000, which is a prereleased component that supports Win2K. The suite also includes Password Synch, which eases the administration of separate NT and Novell NetWare password lists, and DirectScript, which lets administrators create macro-type scripts to automate repetitive management tasks. These scripts can even take the form of Web pages. We tested DirectAdmin with DirectAdmin NDS Plus Pack.

We tested the product in a switched 100Base-T network consisting of a NetWare 5 server (also running NDS), an NT 4.0 server acting as the PDC, and four NT workstations (two attached to each server). Installation was smooth even though DirectManage is a complex enterprise-class product.

The software is split into server and console portions. DirectManage installs software on the server to make changes in NT domains or NDS directories, but you manage these changes from a central workstation (i.e., the console). One server on the network is the core DirectManage Server (DMS), and network managers can designate additional servers as Backup DirectManage Servers (BDMSs). We strongly recommend that you employ the backup-server option. BDMSs can't make direct management changes, but they automatically receive changes that you make on the DMS. We installed the software on a 266MHz Pentium II server with 64MB of RAM.

Our first complaint is about the online-only documentation. The CD-ROMs have the documentation as Adobe Acrobat documents; you can print them, but one document is about 280 pages. Considering this application's depth and power, printed manuals are necessary.

Our second complaint is about the documentation's accuracy. The documentation's inconsistencies caused some installation problems. The product requires you to download Microsoft's Active Directory Service Interfaces (ADSI), regardless of whether you're running AD. And although the documentation says the software requires Service Pack 3 (SP3), the software requires SP4. Worse, the product makes you install SP4, ADSI, and the intraNetWare Client 2.6 in a specific order on the console and the server. So we spent a few hours reinstalling software.

You access DirectManage via the DirectAdmin Windows Explorer view that shows both NT domain and NDS structures in a hierarchical tree. Similar to NDS, DirectManage lets administrators store management information in organizational units (OUs). The DMS ensures that DirectManage users have proper authentication, and to keep the larger structure secure, DMS lets higher-level administrators assign specific management tasks to lesser administrators. You can assign trustees with specific tasks and specific OUs within the combined NT and NDS network.

When DirectAdmin establishes connectivity between NT and NDS, the software lets you assign roles to trustees from a series of predefined or user-defined roles. To view these functions, you can select specific menu choices or right-click a role or OU and select Properties—a nice touch. You can set predefined roles for department administrators (you can assign them control over select OUs), global administrators, server administrators, and Help-desk technicians. DirectManage lets you have 10 predefined roles that contain more than 60 tasks. To extend functions, you can use user-defined roles and tasks. For example, you can create a sales department administrator with permission to add or delete directory accounts within the Sales OU.

The DMS controls the permissions and functions, which is why you need to maintain at least one BDMS on your network. The DMS builds a Virtual Active Directory Service (VADS) using ADSI. When you consider that DirectManage's purpose is to map NDS objects to NT domains, the reason for the VADS database becomes clear: to provide an NDS equivalent to NT. Including VADS in the product will make NDS-to-AD migration simple because the NT and NDS organizational structures are in an AD-compliant format. Woe to the administrator who loses a VADS database (e.g., in a system crash). In this case, VADS is AD, and you must treat VADS servers with the same respect you'd accord AD.

A side benefit of VADS is that you can perform global network searches. If you're familiar with NDS, you know that you can search for any mixture of users, groups, domains, or other network resources. Now, you can search simultaneously in NT domains and NDS trees. Interactive reports display the results and let you access these users and resources directly from the report to make changes.

To enable comanagement, we installed DMS and the console portion, then ran the DirectAdmin Configuration utility, which examined the network and picked out all available NT domains and NDS trees. DirectAdmin examined the NT domains and moved them into the DirectAdmin Explorer view. Next, we used the NDS Plus Pack, which let us move our NDS tree into the same view. (Our NDS tree popped up next to our NT domain as another series of OU objects.) The NDS Plus Pack also lets you assign new roles and trustees to both NDS and NT views simultaneously. Screen 1, page 133, shows how the product makes migrating NDS directories into NT domains a wizard-driven snap.

DirectManage lets you comanage NT and NDS. The product maps NT OU objects to corresponding NDS OU objects, which lets you make global changes to both structures. For existing objects in either structure, you simply create a corresponding object in the other structure and map the two objects together. DirectManage has a series of wizards that make this process a point-and-click operation. Although we could map NT-domain and NetWare-structure objects to each other for OUs, groups, and users, we couldn't access shared network resources (e.g., printers).

For new OUs that you create after you install DirectManage, the system asks you whether you want to create a corresponding object in either NT or NDS, then the system automatically completes this task if you want it to do so. Although this feature initially impressed us, we quickly had the rug pulled out from under us.

Entevo's product literature says that when you map objects, changes on one side (NT or NDS) are automatically mirrored on the other, but this isn't so. We had limited success with this feature. We used DirectManage's user administration tools to create a user under our Production OU in the NT domain. We created the user within DirectManage, not NT or NetWare. When we created a user within DirectManage, the change automatically appeared in our NDS tree. However, when we used Novell NWAdmin to create a new user under the Production OU in NDS, the change didn't show up in NT. Similarly, when we used the server's User Manager for Domains to create a new NT user, the change didn't show up in NDS. For these changes to work, you need to import them separately into DirectManage. So, to use this product effectively, you lose the ability to use native NT or NetWare management tools. And uninstalling the product can have serious repercussions if NT or NetWare can't recognize new changes without DirectManage hooks.

On the upside, DMS lets you demote an NT domain to non-DMS status, which means you can't access the domain or make changes via DirectAdmin. According to Entevo, this demotion removes all OU changes and settings from DirectManage's VADS database and makes the system autonomous again. When we removed our test NT domain in this fashion, the removal worked fine, and all the changes that we made while the domain was a DirectAdmin OU remained. When we considered a similar operation in an enterprise-sized network, we got the willies. We advise that you use extreme care during the organizational process to keep this demotion and promotion process to a minimum.

DirectManage won't ease the migration hassles of Win2K, but the product simplifies managing NT and NDS structures. You pay for the product per account—which can add up quickly—but DirectManage is a solid value for administrators who require a smooth transition to AD.

DirectManage
Contact: Entevo, 703-524-1900
Web: http://www.entevo.com
Price: $19 per managed account for DirectManage; prices for optional components vary
System Requirements: 100MHz Pentium II processor or better, Windows NT Workstation 4.0 with Service Pack 4, 32MB of RAM, 20MB of hard disk space, plus data cache requirements