www.novell.com

Integrating Active Directory with eDirectory™ Using Novell Account Manager

Reid OakesTechnical Team ManagerNovell, Inc.roakes@novell.com

Richard MooreConsultantNovell, Inc.RiMoore@novell.com

Scott McCallumConsultantNovell, Inc.rmccallum@novell.com

Introduction• Novell vision• Introduction to NAM for Active Directory (AD)• NAM components• Designing a NAM infrastructure• Managing AD domains using NAM • NAM DirXML™ components• Customer case studies• Question and answer

Vision…one NetA world where networks of all types—corporate and public, intranets, extranets, and the Internet—work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries

MissionTo solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world

Introduction to NAM for AD• Point technology which synchronizes Active

Directory to eDirectory™ using DirXML • Includes pre-configured DirXML stylesheets

for simple installation• Adds functionality to synchronize passwords

bi-directionally• Provides synchronization of user accounts• Provides Management of both AD and

eDirectory groups (not synchronization)

NAM for AD Components

• DirXML• Active Directory DirXML Driver• Account Management Setup Wizard• ConsoleOne® Snap-in• Password Synchronization Service• Password Filter

NAM for AD ComponentsDirXML

• Meta-directory solution for eDirectory • Based on DirXML 1.0• Provides the User Account Synchronization• Automatically creates eDirectory accounts

for newly created AD accounts• Bi-directionally synchronizes associated user

objects

NAM for AD ComponentsAD DirXML Driver

• Win32 services which uses ADSI and LDAP to synchronize changes to and from AD

• Runs on Windows 2000 Member Server or Domain Controller

NAM for AD ComponentsSetup Wizard

• Installs preconfigured DirXML components to sync AD to/from eDirectory

• Allows initial import of AD users to eDirectory

Currently can’t be run a subsequent time• Allows initial import of AD Domain structure

into eDirectory Domains OUs

NAM for AD ComponentsConsoleOne Snap-in

• Allows management of both eDirectory and AD users and groups

• Allows configuration of synchronization rules for each AD container

• Allows for password management• Allows for configuration of DirXML

components

NAM for AD ComponentsPassword Synchronization Service

• Responsible for keeping AD and eDirectory passwords synchronized

• Runs on Windows 2000 Member Servers or DCs

• Must have at least one per Active Directory domain

• Recommend multiple for fault tolerance

NAM for AD ComponentsPassword Synchronization Filter

• Intercepts AD password changes, and synchronizes them to eDirectory by connecting to a password synchronization service

• NWPwdFilt.DLL• Must be installed on ALL domain controllers• Control Panel Applet allows configuration and

installation of additional filters• Information on Microsoft Password filters—

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/password_filters_start_page.asp

Designing a NAM Infrastructure

• DirXML driver requirements• Password Synchronization Service

placement• Minimum patch requirements• Password filter considerations

Designing a NAM Infrastructure DirXML Driver Requirements

• Driver must be installed on W2K Member Server (or DC) with eDirectory installed

• eDirectory must contain a replica of all partitions with users you wish to synchronize

May be a filtered replica Must be a master to support user moves

Designing a NAM Infrastructure Password Synchronization Placement

• Driver must be installed on W2K Member Server (or DC) with eDirectory installed

• eDirectory must contain a replica of all partitions with users you wish to synchronize

May be a filtered replica Must be a master to support user moves

• Upgrade to latest version

Designing a NAM InfrastructurePassword Filter Considerations

• Must be installed on ALL domain controllers• Upgrade to latest version

Designing a NAM Infrastructure Minimum Patch Requirements

• Check the product support pages for NAM 2.1• Windows 2000—Service Pack 2• eDirectory 85.23 Patch—edir8523.exe• eDirectory on Win32 Patch—eDirW32.exe• NAM for AD/W2k Patch—AMW2ksp1.exe

• If running NAM for AD on Win32 with eDir 8.6.1DirXML 1.0 Engine patch—dxntp1.exe

Managing AD Domains Using NAM• User Object• AD Forest Object• AD OU Object

Configure eDirectory OU to synchronize also• Keep in mind

New AD users—Automatically created in eDirectory New eDirectory Users—Manually assigned to AD

• eDirectory treats AD domains like a group object • You may assign same eDirectory user to multiple AD

domains

NAM DirXML Components

• DirXML Filtered Replica Filtered replicas contain a filtered set of objects

or object classes along with a filtered set of attributes and values for those objects

A filtered replica can construct a view of eDirectory data onto a single server

The descriptions of the server’s scope and data filters are stored in eDirectory and can be managed through the Server object in ConsoleOne

NAM DirXML Components

• DirXML Filtered Replica Reduce synchronization traffic to the server by

reducing the amount of data that must be replicated from other servers

Reduce the number of events that must be filtered by DirXML

Reduce the size of the directory database

NAM DirXML Components• DirXML Driver

Represents an application being integrated with eDirectory—these are the components and configuration information found on the driver object

• DirXML Stylesheets Used to control workflow—changes to attributes can

be used to trigger other events Can use existing attributes Can extend the schema to add a new “trigger”

attribute

NAM DirXML Components

• NAM Default Stylesheet

ADPublisherPlacementStylesheet• Creates eDirectory user account using

sAMAccountName

• Places new object in eDirectory hierarchy based on the nadDefaultCreateContainer attribute

Improving Performance with Indexes

• Indexing speeds response times on attribute lookups

• Added through ConsoleOne• Three types

Value Substring Presence

NAM for AD Case StudyCustomer #1 Environment• Approximately 1500 users

• Globally deployed Windows platform

• Native Windows 2000 AD and Exchange 2000

• Solaris 2.7 and 8 deployed for applications

NAM for AD Case Study

Customer #1 Business Requirements• Password synchronization (one password to

log in for Active Directory and Solaris)• Easy to administer• Reduce costs

Utilize existing hardware and software Utilize existing personnel for administration

NAM for AD Case StudyProject #1 Overview• Engaged Novell Consulting to deploy NAM for AD• Integrated Solaris Platform using NAM for Solaris• Single password authentication for AD and

Solaris• Further plans to integrate total user provisioning• Success

NAM for AD Case Study

Customer #2 Environment• Approximately 800 users

• Mixture of NetWare, Windows NT, and Solaris

• Moving to Windows 2000 and Active Directory

NAM for AD Case Study

Customer #2 Business Requirements• Password synchronization (one password to

log in for Active Directory and eDirectory)• Easy to administer• Expand usage of eDirectory• Reduce costs

Utilize existing hardware and software Utilize existing personnel for administration

NAM for AD Case Study

Project #2 Overview• Partner engaged to upgrade NT 4 servers to

Windows 2000 and install Active Directory• eDirectory installation on Windows 2000

Server• Novell Clients updated• Novell Account Management 2.1 installation• Success