DOCUMENT:Q183684  09-AUG-2001  [winnt]
TITLE   :Directory Service Manager for NetWare (DSMN) - An Overview
PRODUCT :Microsoft Windows NT
PROD/VER:winnt:3.51,4.0
OPER/SYS:
KEYWORDS:

======================================================================
-------------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Windows NT Server versions 3.51, 4.0
 - Microsoft Windows NT Server, Enterprise Edition version 4.0
-------------------------------------------------------------------------------

SUMMARY
=======

This article discusses how to use the Microsoft Directory Service Manager for NetWare (DSMN) to synchronize user accounts between your Windows NT server and one or more Novell NetWare servers.

With NetWare 2.x and 3.x servers, any changes made to user and/or group accounts must be made at each individual server. If there are multiple NetWare servers, changes must be made manually for each of these servers. DSMN allows changes made to domain user accounts to be replicated automatically to all NetWare servers being managed by your Windows NT server.

MORE INFORMATION
================

DSMN extends the Windows NT Server directory service features for user and group account management to NetWare servers. With DSMN, you may centrally manage user and group accounts that have access to servers running Windows NT Server and Novell NetWare servers. Each user has a single password to access multiple servers running either Novell or Windows NT. This password stays synchronized for all servers.

With DSMN, you can add NetWare servers to be managed with Windows NT Server domains. A domain is a group of several servers that share a single set of user and group accounts.

NOTE: DSMN does not require you to install any new software on your NetWare servers or NetWare clients.

Adding a NetWare Server for Management
--------------------------------------

To add a NetWare server to be managed, use these steps:

1. Click Start, point to Programs, point to Administrative Tools, and then click Directory Service Manager for NetWare.

2. Select NetWare Server from the list at the top of the dialog box, and then select Add Server to Manage from the dropdown menu.

   NOTE: The Select NetWare Server dialog box will then appear containing a list of all NetWare servers available.

3. Select a NetWare server to add to the domain.

   NOTE: You must provide a username and password that has NetWare Supervisor or Supervisor Equivalency to log on to the NetWare server.

4. Select the user and group accounts for the domain to manage. Any or all user and group accounts may be selected.

   NOTE: When a NetWare server is added to a domain for management, the NetWare user and group accounts are moved to the Windows NT domain. If only some of the users and groups are moved to the domain, choose whether to delete or retain the remaining users and groups on the NetWare server. If these accounts are retained, you will need to administer these accounts using NetWare administrative tools.

To prevent accounts managed by DSMN from becoming unsynchronized with the accounts in the domain, do not use NetWare administrative tools, such as Syscon, on those accounts.

You may propagate up to 2,000 accounts to the NetWare server. It is suggested that you choose only the group containing users that actually need access to the NetWare server. Groups containing users who only use Windows NT server do not need to be copied. You may modify the list of groups that the Windows NT server domain propagates to the NetWare server any time after adding the NetWare server to the domain.

The next time the primary domain controller (PDC) updates its backup domain controller (BDC), the accounts of all the users and groups copied to the domain from the NetWare server are replicated to the BDC.

Administering NetWare Servers as Part of a Domain
-------------------------------------------------

After the NetWare server(s) are added for management with a domain and you have specified NetWare accounts to be maintained by the domain, use User Manager for Domains to administer those accounts. Changes you make are copied automatically to the NetWare server(s).

If the NetWare tools are used to modify one of those accounts directly on the NetWare server, the account will become unsynchronized with the Windows NT domain. To make the account identical to the version on the PDC, always use User Manager for Domains to modify the domain account, causing it to be propagated to the NetWare server(s).

Similarly, to add a new user account to access the NetWare server(s), add it directly to the domain using User Manager for Domains. You must be certain that the account is NetWare-enabled. A NetWare-enabled account is an account that can be propagated from the Windows NT domain to the NetWare server(s) and can log on from the NetWare client computers. To make an account NetWare-enabled, select the Maintain NetWare Compatible Login checkbox in the user account properties.

After an account is propagated to the NetWare server, all subsequent changes to the account are automatically copied to the NetWare server(s).

A NetWare client user must use the Chgpass.exe utility included with DSMN to change his/her password. The Chgpass.exe utility implements the new password on all NetWare servers to which the account is propagated, as well as on all Windows NT domains. Using a NetWare utility to change a password changes it only on the NetWare servers to which the user is currently attached and the password becomes unsynchronized with the user's password on the other server(s).

To add NetWare server(s) to domains, specify which Windows NT server group to propagate to NetWare server(s), and perform all other tasks to administer the association of NetWare server(s) and Windows NT domains, use the DSMN Synchronization Manager tool.

NOTE: After adding a NetWare server to a domain, you still use NetWare administrative tools to manage functions on the NetWare server other than user account management. This includes shared volumes, file permissions, trustee rights, accounting, and printing.

A NetWare server can participate in only one Windows NT domain. Once a NetWare server has been added for management with a domain, you cannot add it to another domain without removing it from the first domain.

Adding Multiple NetWare Servers to a Domain
-------------------------------------------

Multiple NetWare servers can be added to a single Windows NT domain. To ensure good performance, it is recommended that no more than 32 NetWare servers be added to any one Windows NT domain.

For performance reasons, if you have more than 32 NetWare servers to add to domains, divide the NetWare servers into smaller groups and add each group to a different domain. When dividing NetWare servers into groups, consider what servers need to be used by the same people. It is best if all the servers used by a particular group of users are in the same domain. Then you can put that group of servers and users into a single domain.

When each NetWare server is added, you specify which NetWare users and groups to transfer from that server to the domain. The security accounts manager (SAM) for the domain then contains a sum of all the users and groups that you copied from each NetWare server, plus the users and groups created directly in the Windows NT domain.

The list of users and groups being propagated may differ for each NetWare server participating in the domain.

If a NetWare user needs access only to specific NetWare server(s), then you can propagate the user's account to only those server(s). This enables you to minimize network traffic, making DSMN more efficient.

For example, suppose that members of the ACCNT group need access to NetWare servers NW1 and NW3, while members of SALES need access only to NW1. When you specify which group to propagate to NW1, you select both ACCNT and SALES. When you specify the users to propagate to NW3, you select only ACCNT.

How to Handle Identical User Names
----------------------------------

If you add multiple NetWare servers to be managed by the same domain, and each of those servers has a user or group account with identical names, the accounts are merged into the same account in the domain.

For example, suppose that there is a JOHND account on both the NetWare servers NW1 and NW3. When NW1 is added for management with the domain, a JOHND account is created in the Windows NT domain. Further, that Windows NT account is given all rights and permissions on NW1 that the JOHND NetWare account had. Then, when NW3 is added to the domain, DSMN recognizes that JOHND already has an account in the domain, and gives the account the rights and permissions of the NW3 JOHND account. The domain's JOHND account then has all rights and permissions that were previously assigned to both the NW1 and NW3 JOHND accounts.

DSMN can also merge user accounts on multiple NetWare servers into a single account in the domain, with all the rights previously held by both accounts. For example, if JOHND also has an account on another server with a user name of JOHNDOE, you can merge this account into the domain's JOHND account, which would then have all rights previously held by both JOHND and JOHNDOE.
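
An added example, not part of the original article and not DSMN code: because same-name accounts are merged and the domain account accumulates the rights from every server, this Python sketch previews the resulting merges from a constructed inventory so they can be reviewed before the servers are added. It also covers the cases the article describes of a planned JOHNDOE-to-JOHND merge and of a NetWare name matching an existing domain account; the inventory layout, the right strings, and the names NW5, MARYS and ADMIN2 are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed inventory (not real data): server -> account -> rights held there.
NETWARE = {
    "NW1": {"JOHND": {"SYS:PAYROLL"}, "MARYS": {"SYS:SALES"}},
    "NW3": {"JOHND": {"VOL1:ENG"}, "ADMIN2": {"SUPERVISOR"}},
    "NW5": {"JOHNDOE": {"SYS:HR"}},
}
# Constructed domain state: existing account -> is it NetWare-enabled?
DOMAIN = {"MARYS": True, "ADMIN2": False}
# Explicit merges the administrator plans: (server, NetWare name) -> domain name.
ALIASES = {("NW5", "JOHNDOE"): "JOHND"}


def plan_merge(netware, aliases):
    """Return domain account -> list of (server, netware_name, rights) sources."""
    plan = defaultdict(list)
    for server in sorted(netware):
        for name, rights in sorted(netware[server].items()):
            target = aliases.get((server, name), name)
            plan[target].append((server, name, frozenset(rights)))
    return dict(plan)


def review_items(plan, domain):
    """List merges an administrator should confirm before adding the servers."""
    items = []
    for account, sources in sorted(plan.items()):
        reasons = []
        if len(sources) > 1:
            reasons.append(f"merges {len(sources)} NetWare accounts")
        if account in domain:
            reasons.append("joins existing domain account")
            if domain[account]:
                # Per the article, a NetWare-enabled account gets a new password.
                reasons.append("NetWare-enabled: new password assigned")
        if reasons:
            rights = sorted(f"{s}/{r}" for s, _, rs in sources for r in rs)
            items.append((account, reasons, rights))
    return items


if __name__ == "__main__":
    for account, reasons, rights in review_items(plan_merge(NETWARE, ALIASES), DOMAIN):
        print(account, "|", "; ".join(reasons), "|", ", ".join(rights))
```

Each flagged row is a point where one domain credential ends up holding rights that belonged to separately created accounts, so confirm that the source accounts belong to the same person before adding the server.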

NOTE: If there is an account on a NetWare server that has the same name as an account already existing in the Windows NT domain, the rights and permissions of the NetWare account are given to the existing Windows NT server account. If the existing Windows NT server account is NetWare-enabled, the account is given a new password to enable it to be propagated to NetWare servers.

How NetWare Servers are Kept Synchronized
-----------------------------------------

When DSMN is installed in a domain, an account synchronization database is created on the PDC. This database stores the following pieces of information:

 - The users and groups being propagated to each NetWare server in the domain.

 - The update status of all user and group accounts on each NetWare server. The update status of an account states which account modifications made to the account have been copied to the appropriate NetWare server(s). If the account is copied to more than one server, the update status may be different on each server.

Whenever an account on the Windows NT domain is modified, DSMN detects the change, updates the account synchronization database, and attempts to send the change to all NetWare servers to which this account is propagated. This attempt will succeed for all NetWare servers that are currently running. If a NetWare server is not running, it will be updated later. The account synchronization database keeps track of what account updates are still needed at each NetWare server.

When the account is updated on a NetWare server, only the changed information is sent over the network to minimize network traffic.

Using DSMN in an Enterprise
---------------------------

If you have a trusted domain structure using the master domain model and you have 32 or fewer NetWare servers to add to domains, consider adding all servers to the master domain. The accounts from the NetWare servers will be in the same domain as your other accounts, simplifying account management.

DSMN does not operate across domains. A user can be propagated only to NetWare servers that have been added to the domain that contains the user's account.

For additional information, please see the following article in the Microsoft Knowledge Base:

   ARTICLE-ID: Q145589
   TITLE     : How to Add NetWare 4.x Servers to Windows NT Domain

Additional query words:

======================================================================
Keywords          :
Technology        : kbWinNTsearch kbWinNT351search kbWinNT400search kbWinNTSsearch kbWinNTSEntSearch kbWinNTSEnt400 kbWinNTS400search kbWinNTS400 kbWinNTS351 kbWinNTS351search
Version           : winnt:3.51,4.0
Issue type        : kbinfo
=============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Copyright Microsoft Corporation 2001.