Upgrading and Repairing Networks (5th Edition)
Microsoft's Services for NetWare Version 5.0 (SFN)
Besides the client and gateway services (and the NWLink-compatible transport protocols) that come with Windows 2000, you can purchase an additional product called Services for NetWare Version 5.0 (SFN). The CSNW and GSNW products enable your Windows clients to connect to and use resources that reside on NetWare servers. SFN does the opposite: it lets NetWare clients access resources that reside on Windows NT/2000 servers. When you first start to introduce Windows clients into your NetWare environment, CSNW and GSNW make replacing desktop systems for your users an easy task. When it comes time to begin migrating files and other services from NetWare servers to Windows servers, SFN gives you the capability to do this. You can use SFN to grant access to NetWare clients to newly created services in the Windows domain, and you can finish off the migration by using the File Migration Utility to move any files that remain on NetWare servers to Windows 2000 servers. SFN gives you the following features:
Of these, the first two are intended mainly for use with Windows NT 4, whereas the last three are exclusively for use on Windows 2000/2003. Version 5 of SFU contains the earlier versions of FPNW and the Directory Services Manager for NetWare so that you don't have to buy both versions 4 and 5 of this product. It's all on the 5.0 CD.
Comparison of Windows 2000/2003 and NetWare File Permission Rights
When using FPNW 5.0, trustee rights for directories for NetWare clients can be mapped to those used on Windows 2000/2003 systems, as shown in Table 60.1. Table 60.2 shows the same thing in reverse, or how FPNW5 translates Windows 2000/2003 permissions for directories to NetWare directory rights.
Table 60.1. Mapping NetWare Trustee Rights to Windows 2000/2003 Permissions in FPNW5 for Directories
Table 60.2. Mapping Windows 2000/2003 Permissions to NetWare Trustee Rights in FPNW 4.0 for Directories
For files, Table 60.3 shows the mapping done by FPNW from Windows 2000/2003 to NetWare, and Table 60.4 shows the mapping done from NetWare to Windows 2000/2003. Note that Windows 2000/2003 Server uses directory permissions to grant the Create and File Scan equivalent rights that NetWare uses as file rights.
Table 60.3. Mapping NetWare File Trustee Rights to Windows 2000/2003 Server File Permissions
Table 60.4. Mapping Windows 2000/2003 Server File Permissions to NetWare File Trustee Rights
Besides having to translate between the rights and permissions used on each system, FPNW5 also translates between the different kinds of file attributes that both systems use at the file level. Table 60.5 shows the translation mapping that FPNW performs.
Table 60.5. Mapping File Attributes Between Windows 2000/2003 and NetWare
However, FPNW 5.0 does not provide support for the following NetWare attributes:
The Shareable attribute can be set only on a per-server or global basis when using FPNW 5, and cannot be set on an individual file.
You should carefully examine how security is currently enforced for clients on the existing NetWare network before beginning to decide how to offer file shares from a Windows NT Server. Understanding the mapping between the two systems can prevent unexpected access violations or errors from compromising security on the network.
Installing File and Print Services for NetWare Version 5.0 (FPNW 5.0)
To install FPNW 5.0 on a Windows 2000 server, follow these steps:
You'll find an icon in the Control Panel titled FPNW that can be used to manage the service. In Figure 60.12, you can see the File and Print Services for NetWare dialog box used in version 5.
Figure 60.12. The FPNW dialog box, accessed from the FPNW Control Panel icon, enables you to manage the FPNW service.
Statistical information is displayed in the File Server Information section, showing data about the current connections, open files, and so on. You also can use the fields under this section to set up a print queue, a home directory path, or a description for the service on this server. Three buttons at the bottom allow you to view more information about users, volumes, and files:
Microsoft Directory Synchronization Services (MSDSS)
This utility improves on Directory Service Manager for NetWare (DSMN) but is for use with the Active Directory instead of the Windows NT 4.0 SAM database. MSDSS provides for a one-way synchronization with NetWare 3.x binderies and the Active Directory (AD). MSDSS also gives you the capability for either one- or two-way support for synchronization between NDS and AD. Finally, MSDSS allows you to create a file that can be used by the File Migration Utility (FMU), discussed later in this chapter, so that NetWare trustee rights and ACLs are propagated to Windows 2000 servers when you decide to move files from NetWare servers to complete the migration to Windows 2000. However, to use MSDSS there are a few prerequisites:
Novell has released several versions of its client for Windows NT/2000. Because differences exist from one version to another, read the release notes supplied with the file you download from Novell and follow the instructions for installing the client. For the most part, you simply need to extract the files to a temporary directory and run a setup program that takes only a few minutes, after which you'll need to reboot the server.
When the server reboots, you are presented with the Novell logon box instead of the familiar Windows logon box.
When using MSDSS to perform synchronization between NDS and AD, you create sessions that specify the NDS and corresponding AD objects that will be kept in sync. You can create a one-way session in which changes made to the Active Directory object will be propagated to the NDS object. However, one-way synchronization does not work in reverse. That is, with a one-way synchronization, changes made to an NDS object do not get copied back to AD. In this type of setup, you should use the Active Directory administrative tools and utilities to perform directory management. From a migration standpoint, this allows you to keep NDS on the network while you gradually educate your network administrators on using the AD tools. After your staff is comfortable using AD, you can use MSDSS to migrate all the required NDS information to AD, and then decommission the NDS servers.
Installing MSDSS
To install MSDSS after you've installed the NetWare client from Novell, follow these steps:
After you've installed MSDSS, you'll find that the Active Directory server now has a new program in the Administrative Tools folder called Directory Synchronization.
Creating One-Way Synchronization Sessions
You create sessions that define the synchronization between NDS and AD objects. The objects must be container objects, such as organizational units (OUs), and not individual leaf objects, such as a single user in the AD. Before you start the New Session Wizard, you should decide which NDS and AD container objects you want to synchronize. The wizard does not create these objects for you. For example, suppose you have an existing NDS object that contains user accounts for the manufacturing department of your business that you want to eventually migrate to AD. You should create a new OU and give it a meaningful name before you start the New Session Wizard. Or you can simply choose to use a container object that already exists in your AD database.
To create a one-way synchronization session, follow these steps:
The remaining dialog boxes for the New Session Wizard prompt you to do several things. First, the Initial Reverse Synchronization dialog box can be used if you want to import NDS objects into the Active Directory (a reverse synchronization) after the wizard finishes. Using this dialog box, you first can import NDS information so that you do not have to enter it manually into AD. Because we're just setting up a one-way synchronization, this initial reverse synchronization can be used to populate your AD database with NDS objects that then will be managed using AD administrative tools and utilities. Because NDS passwords cannot be imported into AD during a reverse synchronization, you can select one of the following methods to set user passwords for user accounts that are initially added to AD during a reverse synchronization:
The default is to set all the user account passwords imported into AD to the user account's username.
Another dialog box can be used to create specific mappings between AD and NDS objects. This can be useful when the child objects of an AD container object are not organized under the parent object in the same order as they are in the AD object. You can create an object mapping table that stores these relationships. The New Session Wizard finally asks you to enter a name for this session, which you can use later to manage the session, or make changes to it. After you enter a name to use for the session, click the Finish button.
Creating Two-Way Synchronization Sessions
In the preceding section, you learned how to create a one-way synchronization that could be used to import NDS objects into the Active Directory. From that point forward, you should use the AD administrative tools to manage the objects. However, you also can use the New Session Wizard to set up a two-way synchronization process. To do so, use the same Directory Synchronization utility found in the Administrative Tools folder, and start the New Session Wizard. When the Synchronization and Migration Tasks dialog box pops up (refer to Figure 60.14), select two-way synchronization (from Active Directory to NDS and back) instead of the one-way synchronization. You will have to supply similar information for the AD and NDS containers, as well as access information, just like you did for a one-way synchronization. You also can choose to perform an initial reverse synchronization, or you can elect to do this later.
One-Time Migration
Using a one- or two-way synchronization enables you to import NDS objects into AD so that you can manage your network resources (users, printers, and so on) using the administrative tools designed to work with the Active Directory. After you no longer have any need to keep NDS servers on your network, you can use the one-time migration option to simply import the data from NDS (or from bindery servers). The process is just about the same as a one-way synchronization, but after you have imported the data, changes made to objects in the Active Directory will not be propagated back to the NDS or bindery servers. Using the synchronization method, you can gradually migrate your network from NDS to AD. Using the one-time migration option, you can complete the process and turn off your NDS servers.
Again, you use the MMC MSDSS snap-in Directory Synchronization that is found in the Administrative Tools folder to begin a one-time migration. Use the New Session Wizard, as described earlier, to start the process. However, when the Synchronization and Migration Tasks dialog box appears (refer to Figure 60.14), select the Migration (from NDS or Bindery to Active Directory) radio button. You'll have to supply the same type of access information for the AD and NDS objects that will be migrated, and you can select an additional option: Migrate files from the NDS or Bindery servers to Windows 2000 servers. The check box for this function, also shown in Figure 60.14, does not actually perform the file migration, but instead creates a file that is used by the File Migration Utility, which we'll get to next. When you've decided it's time to get rid of those NDS servers, use this option to create the file, and then invoke the File Migration Utility.
File Migration Utility (FMU)
This is the second tool that Services for NetWare 5.0 provides that you can use only on Windows 2000 Server. FMU is used to migrate files and directories from NetWare volumes to Windows 2000 disks, while keeping intact security permissions. You can use this tool with both the IPX/SPX and TCP/IP protocols. When you migrate files from NDS to Windows 2000, the MSDSS utility discussed in the preceding sections can be used to create a file that FMU uses to maintain user and group relationships and rights associated with files and directories. Before using FMU, be sure to read these sections! MSDSS maps organizational units (OUs) and organizations from NDS to the Active Directory by creating local security groups for every NDS OU and organization.
FMU is installed when you install MSDSS. To start the actual file migration process, click Start, Programs, Administrative Tools, and then File Migration Utility. The File Migration Utility Wizard, shown in Figure 60.16, pops up and performs some preliminary functions. When it has finished, the Next button becomes available. Click Next and you'll see a large property sheet that has tabs (see Figure 60.17), each of which can be used to perform a step in the migration process.
Figure 60.16. The File Migration Utility performs a few preliminary functions before you begin the migration process.
Figure 60.17. The File Migration Utility steps you through the migration process.
In the Step 1 tab, you must enter the full path for the migration log that you created using MSDSS. You can use the Browse button to locate the file if you don't recall where it was created. After you locate the file, click the Load Data button to read in the file. Note that at the bottom of the screen you'll see a display called Steps Completed, with boxes numbered 1 through 5. If you do not have time to complete the entire migration process in one session, or if you have to stop and rethink the process, you can look here to see what you've done so far. You can use the Allow Step Completion in Any Order check box if you want to perform steps out of order. Each time you click the Next button you move to another step. Using this check box, you can bring up any of the steps. The View Maps and Access Rights buttons enable you to view how access rights are mapped between Windows 2000 and NetWare access rights. This might be necessary, for example, if you have a file that has the NDS Modify right associated with it. By default, this maps to the Windows Read right. You can change this to the Write right if you want to by using the Access Rights button. Click the Next button to continue.
The Step 2 tab shows you the Active Directory account that you used to log in to the Windows 2000 server (see Figure 60.18). Use the NetWare Connections button to show any current connections you have made to NetWare resources. If you have yet to log on to NDS or a bindery server, use the Log On to Novell button to do so at this time. Enter the required NDS or bindery account name and password, and click Next.
Figure 60.18. In Step 2 you review your Windows logon and can log on to the Novell network if you have not yet done so.
Step 3 enables you to select the source and target of the migration task (see Figure 60.19). Use this step to select the NDS or bindery volume or directories that you want to migrate to the Windows 2000 server. Under Target, select the Windows 2000 file shares or directories that will be used as the location for the files to be migrated. When you've finished making selections, click on Map and then, of course, click the Next button.
Figure 60.19. In Step 3 you select the source and target for the files and directories you want to migrate.
Step 4 enables you to create a log file and select options for generating the log file that will be created during the migration process (see Figure 60.20). Use the check box labeled Enable Logs, and then you can fill in the remaining fields shown in this figure.
Figure 60.20. You can configure how the log file will be generated during the migration using Step 4.
If the migration will involve a lot of files, you can help reduce the size of the log file by using the Enable Compression (NTFS only) check box. If you want to append a date and timestamp in the log file to determine when a file was actually migrated, use the next check box. The Stop Migration If Disk Reaches Capacity check box does just what it says! You also can set a maximum size for the log file in the Maximum File Size field, or leave it at the default of zero to allow the file to grow to any size. If you set a value for this field, the check box underneath it, Overwrite Log File When Maximum Size Is Reached, should be used so that the process will continue if the log file exceeds the size you set. The radio buttons under New Log Entries enable you to elect to either append new entries or overwrite existing entries when you use the same log file to perform migrations at different times. The Log Detail Level drop-down menu enables you to select the amount of information that is logged for each file. When you've finished configuring the log file, click Next to proceed to the next step.
Step 5 is used to scan the volumes and directories you selected as sources from NDS or NetWare for the migration (see Figure 60.21). Click the Scan button and the program counts the directories and the files within them, and checks that the correct access rights are associated with each volume (or directory/file).
Figure 60.21. Step 5 allows you to perform a scan to check for errors before you do the actual migration.
If any errors occur, you can choose to continue and simply use a manual method for copying the files or directories. However, if a large number of errors is encountered, the FMU utility will stop and you'll need to rethink your migration. Go back to the previous steps in the process to see whether you've entered any incorrect information or ignored access rights required to access the NDS or bindery data. Another thing that can cause errors during the migration process is opened or locked files on the NetWare server. You might want to perform Steps 1 through 5 and save the actual migration (Step 6) until a time when you can obtain downtime for your NetWare servers to ensure that all files and directories that are to be migrated are accessible. For example, to perform the migration, you must be logged on to the Windows 2000 server with an account that is a member of the Domain Admins group.
Finally, when you are ready to perform the actual data transfer, Step 6 enables you to start the process. On the Step 6 tab (see Figure 60.22), click the Migrate button. Depending on how much data is to be transferred from NetWare to Windows 2000, the process can take just a few minutes or many hours.
Figure 60.22. Use Step 6 to perform the actual file migration.
After you've migrated your files to Windows 2000 servers, you should perform testing to be sure that your clients can connect to the Windows 2000 servers and that the files and directories are set up as you planned. After everything checks out, consider the migration a success and decommission those NDS servers!
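One more post-migration check, added here as an example and not part of the original text or of Microsoft's tooling: because the reverse synchronization described earlier sets each imported account's password to its username by default, this script flags enabled accounts whose password has not changed since the account was created. It assumes a CSV export of the target OU carrying the AD attributes sAMAccountName, whenCreated, pwdLastSet and userAccountControl; the column layout and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_ACCOUNTDISABLE = 0x0002  # userAccountControl bit: account is disabled

# Constructed sample export (not real data); the column layout is an assumption.
SAMPLE_EXPORT = """\
sAMAccountName,whenCreated,pwdLastSet,userAccountControl
jsmith,20030115093000.0Z,126870966020000000,512
mjones,20030115093000.0Z,126885744000000000,512
akhan,20030115093000.0Z,0,512
oldsvc,20030115093000.0Z,126870966010000000,514
"""


def filetime_to_datetime(value):
    """Convert an AD large-integer timestamp (100 ns ticks since 1601) to UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)


def parse_generalized_time(text):
    """Parse an LDAP generalized-time value such as 20030115093000.0Z."""
    return datetime.strptime(text[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def accounts_with_import_password(export_text, tolerance=timedelta(minutes=5)):
    """Return enabled accounts whose password was last set at creation time.

    Assumption: the import sets the password when it creates the account, so
    pwdLastSet within `tolerance` of whenCreated means it was never changed.
    """
    flagged = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if int(row["userAccountControl"]) & UF_ACCOUNTDISABLE:
            continue  # disabled accounts cannot log on
        pwd_raw = int(row["pwdLastSet"])
        if pwd_raw == 0:
            continue  # 0 means the user must change the password at next logon
        created = parse_generalized_time(row["whenCreated"])
        if abs(filetime_to_datetime(pwd_raw) - created) <= tolerance:
            flagged.append(row["sAMAccountName"])
    return flagged


if __name__ == "__main__":
    for name in accounts_with_import_password(SAMPLE_EXPORT):
        print(f"{name}: password unchanged since import, force a reset")
```

Accounts it reports should be given a new password or set to require a change at next logon before the imported OU goes into production use.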