
NDS Delivers Single-Point User Administration
Novell's NDS could provide the single-point administration solution for organizations that have made a commitment to NetWare. NDS for Windows NT 2.0 is shipping and Novell promises support for additional platforms, including Solaris. NDS offers powerful unified administration of users, groups and servers, all from a single console.
By migrating your Windows NT Servers to NDS, you will gain unified management, eliminate the possibility of some SAM (Security Accounts Manager) hacks and simplify user administration--particularly across multiple domains. You can even manage Windows NT shares from NetWare Administration. Though most enterprise security features are not extended by the move to NDS, they are unified by your existing NetWare and NDS infrastructure, reducing the number of security problems that are caused by administrator error.
We installed NDS for Windows NT 2.0 Beta 2 on a Windows NT 4.0 Service Pack 3 server and added the machine to our NDS infrastructure in a matter of minutes. The installation migrates all of Windows NT's existing SAM information into the NDS tree and then replaces the SAM server library (SAMSRV.DLL) with a module that hooks into NDS.
NDS for Windows NT 1.0 allowed integration of a Windows NT server into the NDS structure. But with version 2.0, Windows NT servers can actually host NDS partition replicas, manage Windows NT shares and keep user passwords synchronized. Adding a read/write replica to your network's Windows NT server increases fault tolerance against incidents of disrupted network access to other NDS servers. In addition, Microsoft Exchange mailboxes can be migrated into the NDS directory and managed from the standard NWAdmin utility.
User accounts in NDS can be added to the domain using the NWAdmin utility (to add new or existing users) or via NT User Manager for Domains. That couldn't be much simpler. But be careful: We were shocked to find that when we added an existing NDS user to a domain, we couldn't migrate the user's NDS password into the NT Domain--which means the user could log in with no password at all until we found and corrected the problem. This is because NDS must store the user's password as both an RSA hash (for NetWare) and an MD4 hash (for Windows NT). Then, because you cannot extract the existing password and "re-hash" it, the entry ends up with no password for the NT Domain.
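The dual-hash gap described above can be modeled and audited as follows. This is an added example, not Novell's code or anything from the original article: the Entry type, the function names and the sample users are hypothetical, and SHA-256 stands in for the RSA-based and MD4 hashes the article names.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Stand-ins (assumption): two unrelated one-way functions. Neither output can
# be turned into the other without the cleartext password.
def netware_verifier(password: str) -> bytes:
    return hashlib.sha256(b"netware|" + password.encode("utf-8")).digest()

def nt_verifier(password: str) -> bytes:
    return hashlib.sha256(b"nt|" + password.encode("utf-16-le")).digest()

@dataclass
class Entry:
    name: str
    netware: Optional[bytes] = None   # verifier used for NetWare logins
    nt: Optional[bytes] = None        # verifier used for NT Domain logins
    in_nt_domain: bool = False

def add_to_domain(entry: Entry) -> Entry:
    # Only the NetWare verifier is on hand; the cleartext is not, so the NT
    # verifier cannot be computed and stays empty.
    entry.in_nt_domain = True
    return entry

def set_password(entry: Entry, password: str) -> None:
    # A password change supplies the cleartext, so both verifiers are written.
    entry.netware = netware_verifier(password)
    entry.nt = nt_verifier(password)

def audit_blank_nt(entries) -> list:
    # Domain members with no NT verifier: the accounts to reset after migration.
    return sorted(e.name for e in entries if e.in_nt_domain and e.nt is None)

def nt_login_fail_closed(entry: Entry, password: str) -> bool:
    # Hardened policy: a missing verifier means "cannot log in", never "blank".
    if not entry.in_nt_domain or entry.nt is None:
        return False
    return hmac.compare_digest(entry.nt, nt_verifier(password))

def build_sample():
    # Constructed sample directory.
    alice = Entry("alice", in_nt_domain=True)
    set_password(alice, "Correct-Horse-7")             # created with both hashes
    bsmith = Entry("bsmith", netware=netware_verifier("Old-NDS-pw"))
    add_to_domain(bsmith)                              # existing NDS user added later
    return [alice, bsmith]

if __name__ == "__main__":
    print("needs password reset:", audit_blank_nt(build_sample()))
```

Running the audit immediately after adding existing NDS users to a domain lists the accounts that need a forced password change before they are left enabled.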
NDS for Windows NT can spare a mixed Novell-Windows NT shop many hours of work. Probably one of the biggest headaches with Windows NT is establishing users with accounts in multiple domains; NDS for Windows NT makes this easy.
In the NT Domain world, you have two options for users on multiple domains--you can create multiple accounts for the single user, or you can permit trust relationships between the domains. Multiple accounts are an administrative nightmare, and trust relationships not only allow every user to access the other domain, but become difficult to manage as the number of relationships grows.
With NDS for Windows NT, you can give a single user access to multiple domains, while keeping a single store for security and passwords.
Windows NT Server (and Workstation) shares can be managed from within NWAdmin as well, but only when using a Windows NT machine to administer them. By integrating some of Windows NT's native tools into NWAdmin, shares can be completely managed from within the NDS utility. In addition, Novell has added a share and printer wizard that will ease the configuration of NT resources.
--Robert J. Kohlhepp