Post on 06-Jan-2018
Integrating Active Directory with eDirectory™ Using Novell Account Manager
Reid Oakes, Technical Team Manager, Novell, Inc., roakes@novell.com
Richard Moore, Consultant, Novell, Inc., RiMoore@novell.com
Scott McCallum, Consultant, Novell, Inc., rmccallum@novell.com
Introduction
• Novell vision
• Introduction to NAM for Active Directory (AD)
• NAM components
• Designing a NAM infrastructure
• Managing AD domains using NAM
• NAM DirXML™ components
• Customer case studies
• Question and answer
Vision: one Net
A world where networks of all types—corporate and public, intranets, extranets, and the Internet—work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries.

Mission
To solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world.
Introduction to NAM for AD
• Point technology that synchronizes Active Directory to eDirectory™ using DirXML
• Includes pre-configured DirXML stylesheets for simple installation
• Adds functionality to synchronize passwords bi-directionally
• Provides synchronization of user accounts
• Provides management of both AD and eDirectory groups (not synchronization)
NAM for AD Components
• DirXML
• Active Directory DirXML Driver
• Account Management Setup Wizard
• ConsoleOne® Snap-in
• Password Synchronization Service
• Password Filter
NAM for AD Components: DirXML
• Meta-directory solution for eDirectory
• Based on DirXML 1.0
• Provides the user account synchronization
• Automatically creates eDirectory accounts for newly created AD accounts
• Bi-directionally synchronizes associated user objects
NAM for AD Components: AD DirXML Driver
• Win32 service that uses ADSI and LDAP to synchronize changes to and from AD
• Runs on a Windows 2000 Member Server or Domain Controller
NAM for AD Components: Setup Wizard
• Installs preconfigured DirXML components to sync AD to/from eDirectory
• Allows initial import of AD users to eDirectory
  • Currently can’t be run a subsequent time
• Allows initial import of AD domain structure into eDirectory Domains OUs
NAM for AD Components: ConsoleOne Snap-in
• Allows management of both eDirectory and AD users and groups
• Allows configuration of synchronization rules for each AD container
• Allows for password management
• Allows for configuration of DirXML components
NAM for AD Components: Password Synchronization Service
• Responsible for keeping AD and eDirectory passwords synchronized
• Runs on Windows 2000 Member Servers or DCs
• Must have at least one per Active Directory domain
• Recommend multiple for fault tolerance
NAM for AD Components: Password Synchronization Filter
• Intercepts AD password changes and synchronizes them to eDirectory by connecting to a Password Synchronization Service
• NWPwdFilt.DLL
• Must be installed on ALL domain controllers
• Control Panel applet allows configuration and installation of additional filters
• Information on Microsoft password filters: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/password_filters_start_page.asp
Designing a NAM Infrastructure
• DirXML driver requirements
• Password Synchronization Service placement
• Minimum patch requirements
• Password filter considerations
Designing a NAM Infrastructure: DirXML Driver Requirements
• Driver must be installed on a W2K Member Server (or DC) with eDirectory installed
• eDirectory must contain a replica of all partitions with users you wish to synchronize
  • May be a filtered replica
  • Must be a master to support user moves
Designing a NAM Infrastructure: Password Synchronization Placement
• Driver must be installed on a W2K Member Server (or DC) with eDirectory installed
• eDirectory must contain a replica of all partitions with users you wish to synchronize
  • May be a filtered replica
  • Must be a master to support user moves
• Upgrade to latest version
Designing a NAM Infrastructure: Password Filter Considerations
• Must be installed on ALL domain controllers
• Upgrade to latest version
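Both the Password Synchronization Filter slide and this one require NWPwdFilt.DLL on every domain controller. The following PowerShell audit is an added example, not part of the original deck or of the NAM product: it lists the DCs, reads each DC's LSA "Notification Packages" registry value (where Windows registers password filter DLLs, without the .dll suffix), and reports any DC missing the NAM filter or carrying a filter outside an expected baseline. The baseline list, the RSAT ActiveDirectory module and WinRM access to the DCs are assumptions.

```powershell
# Added example (not from the Novell deck): audit the LSA "Notification
# Packages" value on every domain controller to confirm the NAM password
# filter is registered everywhere and to flag any filter that is not on
# the expected list. Assumes a domain-joined admin host with the RSAT
# ActiveDirectory module and WinRM access to each DC (assumption).
Import-Module ActiveDirectory

# Filter DLLs are listed in Notification Packages without the .dll suffix,
# so NWPwdFilt.DLL from the deck appears as "NWPwdFilt".
$NamFilter = 'NWPwdFilt'
# Packages expected on a DC; adjust to your own build baseline (assumption).
$Expected  = @('scecli', 'rassfm', 'kdcsvc', $NamFilter)

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Read the value remotely on each DC; a DC that does not answer is simply absent.
$perDc = Invoke-Command -ComputerName $dcs -ErrorAction Continue -ScriptBlock {
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $pkgs = (Get-ItemProperty -Path $lsa -Name 'Notification Packages').'Notification Packages'
    [pscustomobject]@{
        DC       = $env:COMPUTERNAME
        Packages = @($pkgs)
    }
}

# -contains / -notcontains are case-insensitive, matching how LSA treats names.
$report = foreach ($dc in $perDc) {
    [pscustomobject]@{
        DC           = $dc.DC
        HasNamFilter = $dc.Packages -contains $NamFilter
        Unexpected   = ($dc.Packages | Where-Object { $Expected -notcontains $_ }) -join ','
    }
}

# DCs that never answered are missing from $perDc; name them explicitly.
$answered = $perDc | ForEach-Object { $_.DC }
$silent   = $dcs | Where-Object { ($_ -split '\.')[0] -notin $answered }

$report | Sort-Object DC | Format-Table -AutoSize
if ($silent) { Write-Warning ('No response from: ' + ($silent -join ', ')) }
$missing = $report | Where-Object { -not $_.HasNamFilter }
if ($missing) { Write-Warning ('NWPwdFilt not registered on: ' + ($missing.DC -join ', ')) }
```

A non-empty Unexpected column is worth investigating before assuming it is benign, since any DLL in that value receives every password change on the DC.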
Designing a NAM Infrastructure: Minimum Patch Requirements
• Check the product support pages for NAM 2.1
• Windows 2000—Service Pack 2
• eDirectory 85.23 Patch—edir8523.exe
• eDirectory on Win32 Patch—eDirW32.exe
• NAM for AD/W2k Patch—AMW2ksp1.exe
• If running NAM for AD on Win32 with eDir 8.6.1: DirXML 1.0 Engine patch—dxntp1.exe
Managing AD Domains Using NAM
• User Object
• AD Forest Object
• AD OU Object
  • Configure eDirectory OU to synchronize also
• Keep in mind
  • New AD users—automatically created in eDirectory
  • New eDirectory users—manually assigned to AD
• eDirectory treats AD domains like a group object
• You may assign the same eDirectory user to multiple AD domains
NAM DirXML Components
• DirXML Filtered Replica
  • Filtered replicas contain a filtered set of objects or object classes along with a filtered set of attributes and values for those objects
  • A filtered replica can construct a view of eDirectory data onto a single server
  • The descriptions of the server’s scope and data filters are stored in eDirectory and can be managed through the Server object in ConsoleOne
NAM DirXML Components
• DirXML Filtered Replica
  • Reduce synchronization traffic to the server by reducing the amount of data that must be replicated from other servers
  • Reduce the number of events that must be filtered by DirXML
  • Reduce the size of the directory database
NAM DirXML Components
• DirXML Driver
  • Represents an application being integrated with eDirectory—these are the components and configuration information found on the driver object
• DirXML Stylesheets
  • Used to control workflow—changes to attributes can be used to trigger other events
  • Can use existing attributes
  • Can extend the schema to add a new “trigger” attribute
NAM DirXML Components
• NAM Default Stylesheet: ADPublisherPlacementStylesheet
  • Creates eDirectory user account using sAMAccountName
  • Places new object in eDirectory hierarchy based on the nadDefaultCreateContainer attribute
Improving Performance with Indexes
• Indexing speeds response times on attribute lookups
• Added through ConsoleOne
• Three types
  • Value
  • Substring
  • Presence
NAM for AD Case Study: Customer #1 Environment
• Approximately 1500 users
• Globally deployed Windows platform
• Native Windows 2000 AD and Exchange 2000
• Solaris 2.7 and 8 deployed for applications
NAM for AD Case Study: Customer #1 Business Requirements
• Password synchronization (one password to log in for Active Directory and Solaris)
• Easy to administer
• Reduce costs
  • Utilize existing hardware and software
  • Utilize existing personnel for administration
NAM for AD Case Study: Project #1 Overview
• Engaged Novell Consulting to deploy NAM for AD
• Integrated Solaris platform using NAM for Solaris
• Single password authentication for AD and Solaris
• Further plans to integrate total user provisioning
• Success
NAM for AD Case Study: Customer #2 Environment
• Approximately 800 users
• Mixture of NetWare, Windows NT, and Solaris
• Moving to Windows 2000 and Active Directory
NAM for AD Case Study: Customer #2 Business Requirements
• Password synchronization (one password to log in for Active Directory and eDirectory)
• Easy to administer
• Expand usage of eDirectory
• Reduce costs
  • Utilize existing hardware and software
  • Utilize existing personnel for administration
NAM for AD Case Study: Project #2 Overview
• Partner engaged to upgrade NT 4 servers to Windows 2000 and install Active Directory
• eDirectory installation on Windows 2000 Server
• Novell Clients updated
• Novell Account Management 2.1 installation
• Success