Services for Netware 5.0 Schema question


Andy S

Hello, wondering if anyone can help with this query?

We have a new AD infrastructure, which is controlled by our head
office (we are not Enterprise Admins of the forest, but are Domain
Admins for our subsidiary).

Our query concerns migration from our old NT4.0/Netware 3.12
environment (we use DSMN 4.0 to allow synchronisation of passwords for
users between the NT SAM and the various Netware binderies). In the
absence of DSMN, password sync would be a pain to manage.

We would like to replicate this functionality in the AD domain (unless
anyone knows a way that we can make the Microsoft Client for Netware
ignore the Netware password?).

Firstly, will Services for Netware 5.0 actually provide this password
sync functionality for AD -> NW3.12 Bindery (or is it just for AD ->
NDS)?

Secondly, our Enterprise Admins at head office will not install SFN
for us without knowing what schema modifications SFN will make to the
AD. Is this documented anywhere, and are the schema extensions
reversible after our 2000 Server migration is complete and we remove
our Netware servers completely?

I have a concern that the schema extension will add Netware specific
options to all users in the forest (so would appear in all users
worldwide, when only our subsidiary have Netware servers to migrate
from).

The other option open to us is to migrate our Netware environment to
an interim NT environment within our existing NT 4.0 domain.

Either way, a lot of work, but would appreciate if you can shed any
light on this!

Thanks in advance,
Andy
 
Hi Andy,

I too have been looking into how FPNW works and whether it makes any
changes to the Schema.

My conclusions are that it doesn't, as I was successfully able to
install and use it without Enterprise or Schema Admin rights. I have
also searched the Schema extensively looking for any objects /
attributes that may have something to do with it and can find none.

This causes me a problem as I have over 4000 users in AD and I need to
tick the 'maintain NW compatible login box' in the user properties on
every one of them. I was hoping to script this, but as I can find no
mention of this attribute anywhere in AD I'm not sure how I'm going to
approach this.

Any ideas?

Cheers

Matt Bradshaw
 
SFN 5.0 is two products - FPNW and MSDSS.

MSDSS is NDS only - so I doubt it will be of use to you. Also - it does modify
the schema extensively.

Schema changes are almost always NOT reversible.

I suspect FPNW must also modify the schema as it adds user attributes.

Couple of thoughts:

What's stopping you leaving DSMN running on an NT4 box? It should work OK in a
mixed-mode w2k domain.

Why is password sync such an issue? DSMN can only change passwords when you
change them manually - any client will allow you to change passwords at the
same time - just as you can with DSMN

Mike Crabtree MVP

MS Services for NetWare - http://www.microsoft.com/windows2000/sfn/
 
I agree with you on not being able to find any schema attributes for FPNW.

However - I don't understand how it can add the Netware Compatible attributes
to each user WITHOUT modifying the schema....

Any chance you or someone else had already run FPNW against your forest?
Schema mods only happen the once...

Mike Crabtree MVP

MS Services for NetWare - http://www.microsoft.com/windows2000/sfn/
 
> MSDSS is NDS only - so I doubt it will be of use to you. Also - it does modify
> the schema extensively.
> Schema changes are almost always NOT reversible.
> I suspect FPNW must also modify the schema as it adds user attributes.
>
> Couple of thoughts:
> What's stopping you leaving DSMN running on an NT4 box? It should work OK in a
> mixed-mode w2k domain.
>
> Why is password sync such an issue? DSMN can only change passwords when you
> change them manually - any client will allow you to change passwords at the
> same time - just as you can with DSMN

Hi Mike, thanks for the feedback. Sorry, I am not quite following your
last piece. Basically, we will need to run an interim environment for
around 6-9 months where our user accounts will be migrated to Active
Directory but they will not be running fully (apps etc) from Windows
servers. So we will have existing NT 4.0 Workstations and XP Laptops
which will need to authenticate to the AD and ALSO connect to existing
NT4.0 domain member servers PLUS our old Netware 3.12 servers to
deliver the applications.
We have a two-way trust in place between our AD and our NT domain, so
Windows authentication isn't a problem. However, we use the Microsoft
Client for Netware, so it is not clever enough to pass through
seamlessly onto the Netware server's bindery. We have used DSMN 4.0
for a few years now purely to manage the password sync between the NT
4.0 domain and Netware (thereby avoiding any authentication issues for
end users). We'd like to replicate this in the environment described,
so (we speculated) that existing NT 4.0 desktop which is a member of
our NT domain can log on instead to our 2000 AD via the trust, but
STILL get the seamless authentication to Netware.
I think I am perhaps missing something, but I can't see how we could
have the desktop authenticate against the AD, but still use DSMN 4.0
on our NT PDC to handle the Netware pass sync (unless there is some AD
to NT password sync available?)

However, your first point about MSDSS being NDS only appears to nail
it for us.

The whole angle we are coming from is to allow relatively seamless
migration to our interim desktop environment without requiring all our
apps on the Netware servers to be migrated to an interim NT 4.0
solution (we can't migrate them straight to 2000 servers yet, because
we are way behind on MSI packaging).

Any further insight would be greatly appreciated.

Regards,
Andy
 