Migrating Novell NetWare to Windows Server 2003

Microsoft Corporation
Published: August 2003




Abstract
This document provides an overview of migrating from Novell NetWare to Microsoft® Windows Server™ 2003 as
well as detailed information about planning and implementing a migration. Using the utilities Microsoft developed
with the Microsoft Windows® Services for NetWare solution, you can facilitate directory management and
improve data availability by establishing directory interoperability. Best practices for planning and preparing for a
migration are discussed, and detailed step-by-step instructions for both staged and direct migrations are
provided.
                         Microsoft® Windows Server™ 2003 White Paper



The information contained in this document represents the current view of
Microsoft Corporation on the issues discussed as of the date of
publication. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any information
presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT
MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS
TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document
may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the
express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights,
or other intellectual property rights covering subject matter in this
document. Except as expressly provided in any written license agreement
from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual
property.
Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events
depicted herein are fictitious, and no association with any real company,
organization, product, domain name, email address, logo, person, place,
or event is intended or should be inferred.


© 2003 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Windows, Windows Server, and the Windows
logo are either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be
the trademarks of their respective owners.




Contents
Introduction
Overview of Migrating from NetWare to Windows Server 2003
   Network Systems and Services Migration
      NetWare 3.x Environments
      NetWare 4.x, 5.x, and 6.x Environments
   User and Group Object Migration
   File and File Access Rights Migration
Using MSDSS to Support Migration
   Synchronization
      One-Way Synchronization
      Initial Reverse Synchronization
      Regular Forward Synchronization
      Two-Way Synchronization
      Initial Reverse Synchronization Followed by Forward and Reverse Synchronizations
      One-Way vs. Two-Way Synchronization
   Staged (Phased) Migration Requires Synchronization
   Schema Extensions for Migration
      Active Directory Schema
   MSDSS Password Management
IT Infrastructure Analysis
   LAN and WAN Links
      Planning for Directory Synchronization Traffic
   Namespace Design Issues
      Working with Naming Conventions
      Using Partitions and WAN Links
   Understanding OUs, Groups, and Rights
      Establishing Synchronization Session at Any Container Level
      Custom Mapping Objects between Different Namespaces
   Workstations
      Novell NetWare Client for Windows
      Microsoft Client Services for NetWare
      Microsoft Client for Microsoft Networks
      Printing Considerations
      Novell Workstation Manager
      ZENworks
      BorderManager
   Servers
      Windows Server 2003 MSDSS Domain Controller
   Non-MSDSS Windows Server 2003 Servers
Mail Systems
   GroupWise Migration Wizard
NetWare Migration Preparation Details
   Planning Deployment Steps
   Before You Start
Outline of Migration Steps
   Direct Migration Steps
   Staged (Phased) Migration Steps
      Beginning a Staged Migration
      Completing a Staged Migration
Installing Novell Client for Windows on an Active Directory Domain Controller
Installing MSDSS on an Active Directory Domain Controller
   Installing MSDSS on Windows Server 2003
Directly Migrating NetWare 3.x Accounts and Groups
Directly Migrating NetWare 4.x, 5.x, or 6.x NDS
Migrating NetWare 3.x Files to Active Directory
Migrating NetWare 4.x, 5.x, or 6.x Files to Active Directory
NetWare to Windows Server 2003 Migration Checklist
Related Links




Introduction
This document is intended for network managers and technical staff. In this document, you will learn
about the principles and processes that are involved in deploying Microsoft® Windows Server™ 2003
and the Microsoft Active Directory® service in an existing NetWare environment. Additionally, the
migration of NetWare accounts, user files, and Novell Directory Service (NDS) objects to Active
Directory is discussed in detail.

This document assumes that the reader is familiar with both the Novell NetWare and the Windows
Server 2003 network operating systems. For links to in-depth information about Windows Server 2003
Active Directory, Novell NDS and Bindery, and other related topics, see the Related Links section at the
end of this document.








Overview of Migrating from NetWare to Windows Server 2003
When you introduce Windows Server 2003 and Active Directory into an existing Novell network, you
can facilitate directory management and improve data availability by establishing directory
interoperability. In some cases, you will want to immediately and quickly migrate your Novell NetWare
Bindery or NDS to Windows Server 2003 Active Directory. In other cases, you might find it more
convenient and cost-effective to introduce Active Directory while you continue to use your existing
directory investment, including both directory-specific applications and the Novell directory, for a short
period. In this case, you can first synchronize directories—that is, you can access and share
information in both operating system directories, and then migrate the entire network at another time.

To extend the built-in Windows Server 2003 support for interoperability between Windows and
NetWare, Microsoft developed Microsoft Directory Synchronization Services (MSDSS) and the
Microsoft File Migration Utility. These utilities, both included with the Microsoft Windows® Services for
NetWare product, enable you to implement either of the MSDSS migration strategies outlined in this
document: an immediate direct migration or a staged (also called a phased) migration.

Note: Services for NetWare contains three utilities: MSDSS, File Migration Utility, and File and Print
Services for NetWare.

You can choose to implement directory interoperability between Novell and Microsoft networks for long
periods of time. However, this document focuses on migrating NetWare 3.x, 4.x, 5.x, and 6.x networks
to Windows Server 2003 Active Directory as rapidly as is practical for your particular environment.

Planning is one of the most important functions you can fulfill as a technical professional. The first step
in planning how to use MSDSS with an NDS–based or Bindery–based network is to gain an
understanding of what migration is and how you can use MSDSS to implement it. The first sections of
this document provide an overview of MSDSS, list important MSDSS concepts, and describe common
scenarios in which MSDSS is useful. Later sections include step-by-step guides to installing Novell
Client for Windows and MSDSS, as well as migrating accounts, groups, files, and their associated
directories and permissions.

Network Systems and Services Migration
During the planning process, you can plan more effectively if you know which services can be easily
migrated from a given NetWare environment to Windows Server 2003 and which tools you can use to
perform a given migration task.

NetWare 3.x Environments

NetWare 3.x services typically include file, print, and limited Internet services. NetWare 3.x
environments use binderies to store user account and other resource information; a bindery is maintained
on each server in the network. However, replication of account information is not provided. Individual
implementations of bindery services normally include file and print services; however, older versions of
messaging, applications, and databases that rely on NetWare 3.x services might also be present.

Migration of Bindery environments is simpler than migration of other Novell environments, because only
a small number of services are subject to migration. Further, migration from NetWare Bindery to
Windows Server 2003 Active Directory is almost always desirable unless some specific application or
service prevents the migration. Such scenarios could occur when you migrate an application such as
Novell GroupWise. In this situation, some additional planning might be required.

If migration is not an option, you can implement interoperability easily at several levels. The Windows
Server 2003 operating system includes support for connecting to NetWare Bindery servers or for using
MSDSS to synchronize accounts with the Windows Server 2003 Active Directory.

NetWare 4.x, 5.x, and 6.x Environments

Migrating NDS, included with NetWare versions 4.x, 5.x, and 6.x, requires more planning than a
Bindery migration does. You can map the NDS hierarchical directory namespace to the namespace
used in Windows Server 2003 Active Directory. However, in most circumstances, the optimum Active
Directory namespace will not be the one used by NDS. This disjointed mapping is due to differences
between the basic methods of partitioning and replication.

NDS namespace mappings that are similar to an optimal Active Directory namespace might occur if a
geographic namespace model is used for Active Directory. It is common for NDS implementations to
follow this model to accommodate partitioning at the organizational unit (OU) level.

Active Directory and NDS provide a certain level of interoperability due to a common implementation of
standards. However, namespace management is not the only network standard that is handled
differently by NDS and Active Directory. Keep the following similarities and differences in mind when
you plan a migration:
   • Replication. NDS and Active Directory both provide replication services for the directory within each
     partition.

   • DNS. NDS provides support for basic DNS services while Windows Server 2003’s DNS provides
     enhanced DNS Services including dynamic updates. Windows Server 2003’s DNS offering is extremely
     robust and provides greater unification of name services and Microsoft Windows service offerings.

   • DHCP. The primary difference between NetWare and Windows Server 2003 DHCP relates to their
     integration with the DNS dynamic update protocol. However, both DNS services are capable of
     interoperating through standard zone transfers.

   • LDAP Services. Both NDS and Active Directory support LDAP version 3. With a few exceptions, the
     implementations are interoperable even though not all NDS services are made available through LDAP.

   • Internet Services. From a high level, both NetWare and Windows Server 2003 provide similar Internet
     services, such as Web services. The specific implementations vary significantly and you should take
     great care when you swap Web servers. NetWare assumes a Java-oriented platform, and Windows
     Server 2003 focuses on the .NET Framework.

   • Authentication. Both products use completely different methods and protocols for authenticating
     clients. Windows Server 2003 uses Kerberos authentication over IP only. NDS authenticates using
     NetWare Core Protocol over either IP (for NetWare 5.x and later versions) or more commonly IPX.

   • Network Security. From a high level, NetWare 5.x and later versions provide a set of network services
     that is similar to Active Directory. These include support for SSL, X.509 digital certificates, and security
     policies. If strategic interoperability is desired, you should focus on the use of secure sockets layer
     (SSL) and public key infrastructure (PKI) to ensure a good level of interoperability. Both platforms
     support many similar security policies such as account lockout, access control, password policies, etc.






With a few exceptions, do not attempt to make a direct correlation between NDS partitions (which are
disassociated from the namespace) and partitions in Active Directory that map to DNS domains and
namespace. There is an excellent white paper, Comparing Microsoft Active Directory to Novell NDS
Version 8 [1], which contrasts the concepts and mechanics of NDS and Windows 2000 Active Directory
and explains why a non-direct partition mapping is preferable. Although this paper was written primarily
for Windows 2000 environments, it is a highly useful resource.

With the help of the utilities included with Services for NetWare, you can migrate NDS to Active
Directory with little difficulty. However, some environments might benefit from using third-party utilities
to perform advanced migration tasks or migrating object types other than users, OUs, and groups.
These topics are addressed later in this document.

User and Group Object Migration
If you do not want to maintain multiple network operating system directories, the best choice is to use
MSDSS to help convert quickly to a Windows Server 2003 environment. MSDSS migration enables you
to move directory objects to the Windows Server 2003 platform.

If you have not deployed complex NDS-dependent applications, a quick, complete, one-time migration
is often the best choice. Immediate migration is also feasible if you are setting up a large number of
new desktops or you have an older Bindery or NDS network and need to move to a more sophisticated
operating system. For example, environments that only provide limited services such as account
information and file and print services are relatively simple migration projects.

If your organization has a complex hardware and software environment, choosing to make the transition
from Bindery or NDS to Active Directory could require a migration that proceeds in stages, running both
systems concurrently for an extended period. This option is described in the “Staged (Phased)
Migration Requires Synchronization” section of this document.

MSDSS is designed to migrate those directory objects that typically store the largest amount of
information and the most important information. An immediate, one-time migration moves these Bindery
or NDS objects to Active Directory, specifically: user accounts, groups, and distribution lists (for both
Bindery and NDS), and (for NDS only) OUs. Detailed instructions for migration steps are provided later
in this document. Keep in mind that object classes other than accounts, groups, OUs, files, and
directories must be manually migrated. Objects that must be manually migrated include: computer
accounts, printer objects, and application objects. You must also manually migrate security permissions
for objects that you manually migrate.

Note: Because Active Directory does not support a container equivalent to the NDS organization, this
document sometimes uses the term “container” to refer generally to NDS OUs and organizations.

You can use third-party utilities to migrate directory objects other than NetWare users, groups,
distribution lists, and OUs. These vendors deliver accessory products for migrating to Windows Server
2003 and Active Directory. For information regarding GroupWise migrations, see the “Mail Systems”
section of this document.




[1] See the Windows 2000 Server Web site at http://www.microsoft.com/windows2000/server/evaluation/compare/adndsv8.asp






MSDSS migration creates a structure of Active Directory objects that mirrors the migrated Bindery or
NDS objects. This enables you to retain existing Novell structures and use them immediately after you
migrate to Active Directory. MSDSS migration maps Novell user and group objects to Active Directory
user and group objects, and it maps Novell containers to Active Directory OUs.

However, because Active Directory does not support a container comparable to the NDS organization
and because Active Directory handles security differently than Novell does, MSDSS—in migration
mode only—creates a corresponding domain local security group in Active Directory for each NDS OU
and organization. MSDSS then maps each Novell OU or organization to the corresponding Active
Directory domain local security group. For more information about Active Directory OUs and security
groups, see the section “OUs, Groups, and Rights” in the paper MSDSS Deployment: Implementing
Synchronization and Migration [2], and see the paper Active Directory Users, Computers, and Groups [3].
Although both these papers were written with Windows 2000 in mind, they are highly useful resources
for understanding the base concepts of the products involved.

File and File Access Rights Migration
You can use the File Migration Utility, part of Services for NetWare, in conjunction with MSDSS to
migrate all or part of your NetWare folders and files to one or more Windows Server 2003-based file
servers. If you migrate files in groups rather than all files at once, File Migration Utility helps you track
the current status by providing an interim status report that shows which files have and have not been
migrated.

File Migration Utility maintains the NetWare structure and carries existing rights and permissions for
NetWare files into the Windows Server 2003 file system, NT File System (NTFS). To migrate
file-system permissions, you must migrate the users before you migrate the file system. That is, to be able
to migrate files with their access rights, you must first use MSDSS to migrate NDS directory or Bindery
objects to Active Directory and you must select the optional Migrate Files check box when you do so.
This creates a migration log that File Migration Utility can use. You then use File Migration Utility to
migrate the files and their access rights to a Windows Server 2003 NTFS share. Detailed instructions
for migrating the different versions of NetWare are provided later in this document.

The Windows Server 2003 NTFS file system governs which users and groups can access individual
files and directories, and it can provide varying levels of access for different users. This file-level
security is then enforced by the core operating system. File Migration Utility translates the NetWare file
system rights and permissions to the equivalent rights and permissions in the NTFS file system.

NetWare file security is similar to NTFS security in that both systems enable you to control the ability of
users and groups to access files by applying permissions to objects. For a table showing exactly how
Novell NDS or Bindery rights are converted to Windows Server 2003 NTFS permissions, in MSDSS
Help, see Understanding how rights are converted. The NDS Modify Right, which does not have an
equivalent NTFS right, is translated by default to Read, but during the migration process you have the
option to select the Write check box to allow Read/Write access. See the step-by-step installation
instructions in this document for more information.
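
A pre-migration review of the Modify decision described above, as an added example that is not part of the original white paper or of Services for NetWare. The CSV layout, volume names and trustee names are constructed for illustration; the script compares what each trustee could already do on NetWare with what the Modify translation would hand it on NTFS, with and without the Write check box.

```python
"""Review NetWare trustee assignments holding Modify before a file migration."""
import csv
import io

# NetWare file-system rights letters: Supervisor, Read, Write, Create,
# Erase, Modify, File scan, Access control.
NETWARE_RIGHTS = frozenset("SRWCEMFA")

# Constructed sample data. The CSV layout is an assumption of this example,
# not an export format of MSDSS or File Migration Utility.
SAMPLE_TRUSTEES = """\
path,trustee,rights
SYS:PUBLIC,.EVERYONE.ACME,RF
VOL1:FINANCE,.FinanceUsers.HQ.ACME,RWCEMF
VOL1:FINANCE/ARCHIVE,.Auditors.HQ.ACME,RMF
VOL1:HR,.jsmith.HQ.ACME,MF
VOL1:APPS,.AppAdmins.HQ.ACME,SRWCEMFA
"""


def parse_trustees(text):
    """Parse the CSV into (path, trustee, rights) tuples, rejecting bad letters."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rights = frozenset(rec["rights"].strip().upper())
        unknown = rights - NETWARE_RIGHTS
        if unknown:
            raise ValueError(
                f"unknown rights {sorted(unknown)} for {rec['trustee']} on {rec['path']}"
            )
        rows.append((rec["path"].strip(), rec["trustee"].strip(), rights))
    return rows


def review_modify(rows):
    """Report what each Modify holder would gain on NTFS under both settings.

    Per the white paper, Modify becomes Read by default and Read/Write when
    the Write check box is selected. A trustee with Supervisor already holds
    every right, so nothing is gained there.
    """
    findings = []
    for path, trustee, rights in rows:
        if "M" not in rights or "S" in rights:
            continue
        # Access the trustee did not hold on NetWare but would receive.
        gained_default = [] if "R" in rights else ["Read"]
        gained_with_write = list(gained_default)
        if "W" not in rights:
            gained_with_write.append("Write")
        if gained_with_write:
            findings.append({
                "path": path,
                "trustee": trustee,
                "netware_rights": "".join(sorted(rights)),
                "gained_default": gained_default,
                "gained_with_write": gained_with_write,
            })
    return findings


def main():
    for f in review_modify(parse_trustees(SAMPLE_TRUSTEES)):
        print(f"{f['path']}  {f['trustee']}  [{f['netware_rights']}]")
        print(f"  default (Modify -> Read):         gains {f['gained_default'] or 'nothing'}")
        print(f"  Write selected (Modify -> R/W):   gains {f['gained_with_write']}")


if __name__ == "__main__":
    main()
```

Trustees listed with a gain under the Write setting are the ones to review before selecting that check box, since they would receive access they did not hold on NetWare.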



[2] http://www.microsoft.com/WINDOWS2000/techinfo/interop/msdssimp.asp
[3] http://www.microsoft.com/technet/prodtechnol/ad/windows2000/maintain/adusers.asp







Note: You can also migrate files to a FAT file system on Windows Server 2003-based computers. However,
FAT does not support NTFS rights, and this process migrates only the directory structure and files, not the
associated rights.

You map individual NDS or Bindery directories to Windows Server 2003-based directories or shares
(“directories” here refers to file-system directories or folders, not to network directories such as NDS,
Bindery, or Active Directory). You can map multiple volumes to a single share or directory by creating
more than one mapping. Multiple mapping entries are used to create one-to-one, many-to-one, and
one-to-many relationships.

Typically, when you perform a migration in stages, there is a period during which clients have been
migrated to the Windows Server 2003 platform but some files that those clients might need to access
are still on NetWare servers. (For details, see the “Staged (Phased) Migration Requires
Synchronization” section of this document.) To help overcome this problem, you could migrate some of
the files to Windows Server 2003-based servers prior to user migration. However, this option is
generally not preferred for two reasons: first, this method does not migrate file-system permissions, and
second, some NetWare clients that need those files might not yet be migrated. File and Print Services
for NetWare (available on the same Services for NetWare CD-ROM that contains MSDSS and File
Migration Utility) enables NetWare clients to access a Windows Server 2003–based file and print
server. Gateway Service for NetWare (included in the Windows 2000 Server operating system) enables
Windows clients to access a NetWare file and print server. Gateway Service for NetWare is not offered
with Windows Server 2003.








Using MSDSS to Support Migration
When you have an existing Novell NetWare-based network, you can use the MSDSS directory
synchronization and object migration utility, and the related File Migration Utility, in several ways. You
can migrate a legacy NetWare environment to the Windows Server 2003 platform, replacing the NDS or
Bindery directory with the Windows Server 2003 Active Directory as well as migrating files and file
access permissions.

Alternatively, in larger or more complex network environments, you can (temporarily or for the long
term) maintain NDS or Bindery at the same time that you introduce and take advantage of Active
Directory functionality. Do this by using one-way (for either Bindery or NDS) or two-way (for NDS only)
directory synchronization to establish interoperability between the directory services. Both types of
synchronization enable you to continue to use existing directory-enabled services and applications. The
following bullets summarize these options:
   • Immediate (Direct) migration. You can use MSDSS to perform a quick, one-time migration of NDS or
     Bindery objects and files to Active Directory. See the “User and Group Object Migration” and “File and
     File Access Rights Migration” sections of this document for more information.

   • Synchronization. MSDSS provides a variety of options for managing synchronization as part of a
     migration strategy, including:

       ◦ One-way synchronization. This option enables you to manage objects in both directories from
         Active Directory.

       ◦ Two-way synchronization. This option enables you to manage shared data, such as user account
         information, from either directory.

       ◦ Staged (Phased) migration. You can use MSDSS to implement synchronization as a temporary
         strategy, which enables you to access either directory while you perform the full migration in
         convenient stages. By gradually moving from a Novell directory to an Active Directory-based
         network, you can minimize disruption to your users.

The “Synchronization” section of this document explains each of the synchronization options noted
earlier, but it primarily focuses on using synchronization to support full migrations. The strategy that you
choose depends on the size, complexity, current infrastructure, and goals of your organization.
Whichever migration or synchronization option you implement initially, you can easily change to a
different configuration to adapt to changing circumstances or goals.

Microsoft designed MSDSS to provide transparency for complicated tasks such as handling class
definitions that vary between different directories and handling the particular communication protocols
used by different directories. MSDSS uses Novell NetWare Client for Windows and supports all
protocols that it supports, including IPX/SPX and TCP/IP. File Migration Utility supports both the TCP/IP
and the IPX/SPX transport protocols.

MSDSS features differ depending on whether you are establishing directory interoperability between
Active Directory and NDS or between Active Directory and Bindery. For a table listing the differences,
see "Appendix A. MSDSS Features" of the MSDSS Deployment: Understanding Synchronization and
Migration paper [4]. Although this paper was written for Windows 2000 environments, it is a highly useful
resource for understanding MSDSS in Windows Server 2003 environments.

Synchronization
Microsoft designed Windows Server 2003 and Services for NetWare to support both ongoing mixed
deployments and a complete conversion to the new operating system. With Services for NetWare, you
can use MSDSS synchronization to establish a long-term or permanent coexistence between Active
Directory and a Novell directory. When you establish a mixed environment, you can take advantage of
many Active Directory features—such as its enhanced search functions, improved user management,
and delegation capability—without converting the entire network to Windows Server 2003. Using
directory synchronization thus enables you to protect existing investments in hardware, NDS-dependent
software, and organizational logistics.

If you are preparing to migrate to Active Directory and decommission NetWare, you can use
synchronization to implement a temporary mixed network environment. See the "Staged (Phased)
Migration Requires Synchronization" section of this document for more information.

By default, MSDSS synchronization duplicates the Bindery or NDS structure in Active Directory. Also
like migration, synchronization maps Novell user, group, and distribution list objects to Active Directory
user, group, and distribution list objects, and (for NDS only) it maps Novell OUs and organizations to
Active Directory OUs. In addition, MSDSS synchronization optionally provides custom object mapping
(for NDS only) that enables you to map objects in dissimilar directory structures to each other. For more
information, see the "User and Group Object Mapping" section of this document.

The following sections explain more about how MSDSS synchronizes the NetWare and Windows
Server 2003 directories.

For detailed information about synchronization, see MSDSS Deployment: Implementing
Synchronization and Migration [5]. Although this paper was written for Windows 2000 environments, it is a
highly useful resource for understanding MSDSS concepts.

One-Way Synchronization

As discussed earlier in this document, the easiest choice for some organizations is to preserve their
existing investment by implementing directory interoperability rather than migrating all systems to
Windows Server 2003. MSDSS synchronization enables directories to co-exist, which means that users
can share and access information in either directory and continue to use existing directory-enabled
services and applications.

However, directory coexistence comes at the cost of partially duplicated administration of separate
directories. MSDSS one-way synchronization enables you to retain an existing NDS tree or Bindery
while it helps simplify network management by enabling you to perform object administration solely
from Active Directory. In addition to helping you to eliminate most of the cost of managing two separate
directories, one-way synchronization is the best solution when the long-term goal is to migrate. (You
must still manage security administration and non-synchronized object administration, such as
computer account objects, from each directory separately.)

[4] http://www.microsoft.com/WINDOWS2000/techinfo/interop/msdssund.asp
[5] http://www.microsoft.com/windows2000/techinfo/interop/msdssimp.asp

Note: One-way synchronization should be used if the long-term goal is to migrate. Two-way synchronization
should be used if the long-term goal is to interoperate.

Initial Reverse Synchronization

To configure synchronization between Active Directory and NDS or Bindery, first you perform an initial
reverse synchronization, which is a one-time process that copies existing NDS or Bindery objects to the
Active Directory database. To perform an initial reverse synchronization, you create an MSDSS
session, specify the NDS container or Bindery server from which objects are copied, and then specify
the Active Directory OU into which these NDS or Bindery objects are copied. Before you can perform
this synchronization, you first must create a target Active Directory OU container.

Note: The name given to the target Active Directory OU does not have to be the same as the NetWare
source container.

Regular Forward Synchronization

After the initial reverse synchronization has taken place, you schedule MSDSS to perform forward
synchronizations (from Active Directory to NDS or Bindery) on a regular basis. Forward synchronization
queries Active Directory for any new objects or for changes to existing objects and ensures that these
changes are propagated to NDS or Bindery. By default, forward synchronization occurs every 15
minutes. Alternatively, you can schedule synchronization to occur at another specified interval. For
example, you can schedule a forward synchronization from the Accounting OU in Active Directory to the
Acct OU in the NDS tree to occur at 30-minute intervals. Note that the target container "Acct" in this
example has a different name than the source container "Accounting". Although the OUs being
synchronized could have the same name, the name given to the target OU does not have to be the
same as the source.

After you have established one-way synchronization, any future changes that you make to NDS or
Bindery will not be synchronized to Active Directory. Therefore, if you chose one-way synchronization,
you must make all future changes to user, group, distribution list, or OU objects in Active Directory, not
in NDS or Bindery. If you chose to perform a one-way synchronization where you copy only part of the
NDS tree or Bindery to Active Directory, then you must continue to use NetWare NDS or Bindery to
manage directory objects that exist only in the NetWare directory.

One-way synchronization from Active Directory to Bindery or NDS requires no Bindery modification or
schema changes to NDS.

Two-Way Synchronization

Some organizations that choose to implement directory interoperability need the ability to enter new
data or modify existing data in either directory and have that directory then update its partner directory.
For NDS-based networks, MSDSS two-way synchronization provides this functionality. Two-way
synchronization enables you to propagate changes made to objects in either Active Directory or NDS to
the other directory.








Note: Two-way synchronization is not available for Bindery-based implementations.

Initial Reverse Synchronization Followed by Forward and Reverse Synchronizations

You begin establishing two-way synchronization just as you would one-way synchronization: by using
MSDSS to perform an initial reverse synchronization that duplicates NDS objects in Active Directory.
You then establish a schedule for both forward synchronization from Active Directory to NDS and
reverse synchronization from NDS to Active Directory. Reverse synchronization copies new or changed
objects from NDS to Active Directory. Both forward and reverse synchronization are described in more
detail in the MSDSS Deployment: Understanding Synchronization and Migration paper [6].

Unlike one-way synchronization, two-way synchronization does require extending the NDS schema.
Extending the NDS schema is required to stamp a globally unique identifier (GUID) on those directory
objects that are involved in synchronization. In Windows Server 2003, Active Directory objects must
have a GUID, which is a unique 128-bit number assigned as an attribute of the object.

If your strategy is long-term directory interoperability and coexistence, you might find two-way
synchronization more convenient than one-way synchronization. However, the cost is that reverse
synchronization requires additional server and network traffic overhead as well as duplicated
administration.

One-Way vs. Two-Way Synchronization

Choose either one-way or two-way synchronization when you initially set up a synchronization session
for a pair of containers. When you evaluate which configuration is best for the given circumstances,
consider the following factors:

Reasons to choose one-way synchronization:

   • You want to centralize directory administration from Active Directory.
   • The network is predominantly Windows-based (with some NDS-based computers), or the network is
     currently NDS-based but you plan to reduce the number of directories over time.
   • You want to administer and update NDS user account passwords to support a single set of logon
     credentials that enable users to log on to both a Windows-based and a Novell-based network.
   • You are preparing to migrate an NDS-based directory environment to Active Directory.

Reasons to choose two-way synchronization:

   • You want to have both Active Directory and NDS administered by two sets of network
     administrators.
   • The network environment contains NDS as the primary directory and you have no plans to
     consolidate the number of directory platforms.
   • You are planning to maintain and actively administer both directory environments for an
     extended period of time.




[6] http://www.microsoft.com/windows2000/techinfo/interop/msdssund.asp



Staged (Phased) Migration Requires Synchronization
If your organization is complex and you want to migrate from a Bindery- or NDS-based network to a
Windows Server 2003 Active Directory-based network, a staged migration is typically the best choice. A
staged migration entails running the two systems in parallel for a period. During this time, you can
perform migration tasks that are independent of MSDSS object migration and File Migration Utility file
migration, such as replacing programs that are dependent on Novell services with Active Directory-
compatible programs.

Using MSDSS to synchronize the Windows and Novell directories during the changeover period makes
the transition easier for both administrators and users. A phased migration reduces risk because you
proceed in easily managed stages and can reverse the process easily if necessary. For many
organizations, this advantage of reduced risk outweighs the costs in administrative effort and additional
resources.

In a staged migration, you use MSDSS to copy all Bindery or NDS user accounts, groups, and
distribution lists, and (for NDS only) OUs and organizations to Active Directory, while you maintain
these objects—now synchronized with their Active Directory counterparts—in NDS or Bindery. Then,
while you gradually move resources to the Windows Server 2003-based environment, the
MSDSS-provided directory synchronization enables users to continue to access those resources that remain on
NetWare servers. As the changeover continues, users begin to access resources on Windows Server
2003-based servers.

If you plan to perform the migration within a relatively short time, one-way synchronization is the
preferred configuration. If your organization is complex and the migration will take several months or
longer, you might prefer two-way synchronization.

Note: One-way synchronization should be used if the long-term goal is to migrate. Two-way synchronization
should be used if the long-term goal is to interoperate.

When you establish directory synchronization over an extended period, you can reduce migration
impact costs. As the existing NetWare technologies age, you can replace them with the latest
comparable Microsoft technologies. Larger, more complex environments usually involve longer
transition periods than small environments require.

After you have moved all resources to Windows Server 2003, converted all Novell services and
applications to Active Directory-based counterparts, and moved object security permissions and objects
that MSDSS does not migrate (such as computer accounts, printer objects, and application objects),
synchronization of the two directory services is no longer necessary. This allows you to delete the
synchronization sessions and decommission remaining NetWare servers.

For a detailed discussion of factors that you need to consider when you determine whether a phased
migration or permanent mixed network synchronization is the appropriate strategy for your organization,
see the "IT Infrastructure Analysis" section of this document.

Schema Extensions for Migration
The directory schema provides a description of what can be placed in the directory—that is, a
description of its object classes (the various types of objects) and their associated attributes. For each
class of object, the schema defines the attributes that the object class must have, the additional
attributes that it might have, and the object class that can be its parent. Schema extensions are done
only once and are irreversible.

Migration, one-way synchronization, and two-way synchronization all require extensions to the Active
Directory schema. Two-way synchronization also requires extending NDS.

Active Directory Schema

MSDSS automatically updates the Active Directory schema during the setup process. The schema
update is required only once for each Active Directory forest. If the user who will be installing MSDSS
does not have the necessary permissions to extend the schema, the schema can be updated manually.
To manually update the schema, log on to the schema master in the Active Directory forest in which
MSDSS is to be installed with the appropriate schema credentials, then open a Command Prompt and
type:
msiexec /I Path\msdss.msi SCHEMAONLY=1

To support two-way synchronization, you must extend the NDS schema. If you are required to extend
the NDS schema when you create a new session, the wizard prompts you. Extending the NDS schema
requires the following:
   • Installation of Novell NetWare Client for Windows (also required by MSDSS)

   • Supervisor permission to access the root object of the NDS tree

   • Access to the server that holds the master replica of the root partition (this server propagates the
     changes to all the servers in the NDS tree)

You can also extend the NDS schema manually by using the MSDSS command-line NDS schema
extension tool NDSext.exe (available in the systemroot\System32\Directory Synchronization\Client
folder). Use the following syntax:
ndsext extend Treename Username.Context Password

This command enables you to extend the NDS schema of a specified tree.

MSDSS Password Management
Passwords are encrypted and stored in different formats in the Windows and Novell operating system
directories. Because MSDSS cannot retrieve the encrypted passwords that are stored in an NDS or
Bindery directory, MSDSS creates new passwords for each user who is migrated to Active Directory or
whose account will be synchronized between Active Directory and NetWare.

You must have administrator privileges to the NDS or Bindery directory to be able to specify the
password scheme that MSDSS uses. MSDSS handles the mapping of passwords between Active
Directory and NDS or Bindery without compromising security by providing several options for creating
new passwords. You can specify the following password options either when you create a new MSDSS
session or by modifying existing session properties:
   • Set passwords to blank. Clears all passwords so that users logging on to Active Directory for the first
     time do not need to specify a password.

   • Set passwords to the user name. Sets passwords to the user name after migration or initial reverse
     synchronization has taken place. This is the default option.

   • Set passwords to a random value. Creates random passwords for each user who will be migrated to
     or synchronized with Active Directory. The password assignments are listed in a log file. The default
     location of this log is in the %systemroot%\System32\Directory Synchronization\Session Logs folder. A
     text file with a .pwd extension is created for each session that uses this option.

   • Set all passwords to the following value. Provides an option to specify the password value for all
     users migrating to Active Directory or for all users whose accounts will be synchronized between Active
     Directory and NDS or Bindery.

For example, assume that you accept the default option: Set passwords to the user name. After users
are copied from NDS or Bindery to Active Directory through initial reverse synchronization, they are
each prompted to change their password the next time they log on. The new password is then
synchronized with the password attribute in NDS or Bindery during the next scheduled forward
synchronization—that is, the new password overwrites the existing NDS or Bindery password.

The preferred method is to control passwords from Active Directory (you can control passwords from
Active Directory in both one-way and two-way synchronization). This requires that clients log on to
Active Directory.
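
An added example (not part of the white paper and not MSDSS code): an audit over an LDIF export of the target OU that lists enabled user accounts still waiting for their first password change, that is, accounts that still carry the password the session assigned. It assumes the "must change password at next logon" state appears in the export as pwdLastSet: 0; the LDIF text, names and OUs are constructed sample data.

```python
"""Audit an LDIF export for migrated accounts that have not changed their password yet."""
import base64

ACCOUNTDISABLE = 0x0002  # userAccountControl bit: account is disabled

# Constructed sample export; names, OUs and timestamps are illustrative only.
SAMPLE_LDIF = """\
dn: CN=Jack,OU=Accounting,DC=example,DC=com
objectClass: user
sAMAccountName: Jack
userAccountControl: 512
pwdLastSet: 0

dn: CN=Mary,OU=Accounting,DC=example,DC=com
objectClass: user
sAMAccountName: Mary
userAccountControl: 512
pwdLastSet: 127987164000000000

dn: CN=Old Temp,OU=Accounting,DC=example,DC=com
objectClass: user
sAMAccountName: OldTemp
userAccountControl: 514
pwdLastSet: 0

dn: CN=Ann,OU=Sales,DC=example,DC=com
objectClass: user
sAMAccountName: Ann
userAccountControl: 512
pwdLastSet: 0
""" + "\n".join([
    "",
    # A DN with a non-ASCII character is exported in the base64 "dn::" form.
    "dn:: " + base64.b64encode(
        "CN=Zoë,OU=Accounting,DC=example,DC=com".encode("utf-8")).decode("ascii"),
    "objectClass: user",
    "sAMAccountName: Zoe",
    "userAccountControl: 512",
    "pwdLastSet: 0",
    "",
])


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute_lowercase: [values]} dicts."""
    # Unfold continuation lines (leading space) and drop comment lines.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:
        if not line.strip():                 # a blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def first(entry, attribute, default=""):
    """Return the first value of an attribute, or default if it is absent."""
    return entry.get(attribute, [default])[0]


def pending_initial_passwords(entries, target_ou):
    """Return logon names of enabled users under target_ou with pwdLastSet 0.

    Disabled accounts and computer objects are skipped; an entry without a
    pwdLastSet value is not reported because its state is unknown.
    """
    suffix = "," + target_ou.lower()
    pending = []
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "user" not in classes or "computer" in classes:
            continue
        if not first(entry, "dn").lower().endswith(suffix):
            continue
        if int(first(entry, "useraccountcontrol", "0")) & ACCOUNTDISABLE:
            continue
        if first(entry, "pwdlastset", None) == "0":
            pending.append(first(entry, "samaccountname"))
    return sorted(pending)


if __name__ == "__main__":
    target = "OU=Accounting,DC=example,DC=com"
    for name in pending_initial_passwords(parse_ldif(SAMPLE_LDIF), target):
        print("password change still pending:", name)
```

Accounts that stay on this list after the planned cutover window are candidates for a password reset or for disabling until the user first logs on.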








IT Infrastructure Analysis
When you plan how to implement a NetWare to Windows Server 2003 migration, in addition to
analyzing the organization from an information perspective, you must also analyze and document the
network infrastructure. Analyzing the full IT infrastructure will help you to choose between a direct
migration and a staged migration.

The IT infrastructure analysis assesses the current NetWare context, including details such as:
   • Local or wide area network links.

   • The existing namespace design, including how objects and files are organized and managed.

   • Existing hardware.

   • Applications that require Novell.

During this analysis, you must also determine the network design elements that you want to introduce
or modify along with the introduction of Windows Server 2003. These elements might include network
traffic optimization, a different namespace design, a Windows Server 2003 domain controller on which
to install MSDSS, a workstation from which to remotely administer MSDSS, and Active Directory-
enabled applications. The sections immediately below address the following IT infrastructure analysis
issues:
   • LAN and WAN links

   • Namespace design issues

   • Workstations

   • Servers

LAN and WAN Links
The first IT infrastructure issue that affects how you decide to use MSDSS is whether you have a local
area network (LAN) or wide area network (WAN). A small network typically consists of a LAN with no
WAN links, one or two NetWare servers, and usually not more than 200 users. Medium-sized networks
are characterized by the presence of WAN links. WAN links add complexity to the physical network.
Additionally, in an NDS environment, WAN links affect how the NDS database is partitioned. See
"Using Partitions and WAN Links" in the "Namespace Design Issues" section of this document for more
information. In medium-sized networks, the user base is also typically larger, which can lead to longer
migration times for the network.

The decision to use directory migration or coexistence can be influenced by many factors:
   • Migration. A LAN is easy to migrate from the server point of view because it can include only a few
     servers at one location. In a LAN environment, you can quickly install Windows XP on all the desktops
     using the Windows Server 2003 Remote Installation Services feature. In a WAN environment, when the
     goal is migration rather than ongoing coexistence, a period of temporary coexistence is probably
     required. MSDSS synchronization enables users to access both the new and the old systems while you
     perform the migration in stages. In a medium-sized organization, a period of coexistence of up to three
     months before a migration is complete is not uncommon. This is because you must allocate time for
     planning, training, implementation, and decommissioning NetWare.

   • Coexistence. Larger organizations might choose directory coexistence, rather than migration, as a
     long-term or permanent strategy. Even in a small network, the absence of WAN links and the small
     number of servers are not the only infrastructure issues to weigh. Migrating users, groups, and files is
     part of the equation. You must also take into account the necessity of maintaining user access to
     current services or, if necessary, replacing those services. For more information about this issue, see
     the "Workstations" section in this document.

Planning for Directory Synchronization Traffic

One factor to consider when you plan directory synchronization is how server locations affect network
traffic. If Active Directory and NetWare information exists on servers in the same location,
synchronization traffic will be inexpensive. If the Active Directory and Novell servers are physically
separated across a low bandwidth or non-persistent WAN connection, replication traffic will be more
expensive. In the latter case, consider locating both the MSDSS server and the NDS server within the
same site or NDS partition.

You must also plan for any additional network bandwidth requirements that might arise from the
introduction of periodic directory synchronization between Active Directory and NDS or Bindery.
Although each environment is unique, it is important to understand that the following factors affect
directory synchronization traffic:
   • Number of objects. The number of objects that are synchronized affects traffic.

   • Object size. The average object size affects traffic. The larger the object, the more information is
     transferred (particularly from NDS to Active Directory, which synchronizes whole objects, not just
     changed object attributes).

   • Number of changes. The average number of directory object and attribute additions, deletions, and
     modifications that occur between synchronization intervals affects traffic. The more changes that are
     made to each directory between synchronization sessions, the more synchronization traffic will occur.

   • Frequency of synchronization. By default, a session synchronizes Active Directory with NDS or
     Bindery every 15 minutes, and, if two-way synchronization is used, it synchronizes NDS with Active
     Directory every 24 hours. Frequency of synchronization does not have a large impact on forward
     synchronization (from Active Directory to NDS) regardless of how you set the synchronization interval.
     However, frequency of synchronization does increase bandwidth use for reverse synchronization (from
     NDS to Active Directory). In reverse synchronization, MSDSS reads all objects in the synchronized
     container (except those that are filtered), which increases traffic from the NDS computer to the MSDSS
     computer. After the object gets to the MSDSS machine, MSDSS checks it to see whether it has
     changed. If it has, then MSDSS writes it to Active Directory; if not, MSDSS just discards it.

   • One-way or two-way configuration. One-way configuration often results in substantially less
     synchronization traffic than two-way synchronization. This is because one-way synchronization (Active
     Directory to NDS or Bindery) is done at the attribute level—only those attribute values in Active
     Directory that have changed are synchronized with NDS. In two-way synchronization, the reverse
     synchronization process from NDS to Active Directory is done at the object level—the entire object is
     synchronized with Active Directory even if only a single NDS attribute has changed. (For more about
     attribute-level and object-level synchronization, see "MSDSS Sessions and the Session Database" in
     the MSDSS Deployment: Understanding Synchronization and Migration paper [7].)



Keeping these factors in mind, use the following equation to estimate the aggregate impact of forward
synchronization (Active Directory to NDS or Bindery) on network traffic:
            ADST = N × AOS × XO × XA, where
            ADST = average daily synchronization traffic
            N = number of objects in NDS container or Bindery server
            AOS = average size of objects in NDS container or Bindery server per day
            XO = percentage of objects changed per day
            XA = percentage of attributes changed per day

The amount of traffic for an individual forward synchronization session can be determined by using the
forward synchronization formula with a time interval equal to the synchronization interval for variables
XO and XA. For example, you could adjust the formula to reflect hourly traffic rather than daily traffic by
changing ADST to AHST (average hourly synchronization traffic) and changing AOS, XO, and XA from
"per day" to "per hour."

Use the following equation to estimate the aggregate impact of reverse synchronization (NDS to Active
Directory) on network traffic:
            ADST = N × AOS × f, where
            ADST = average daily synchronization traffic
            N = number of objects in NDS container
            AOS = average size of objects in NDS container per day
            f = frequency of reverse synchronization every day

The amount of traffic for a reverse synchronization session can be determined by using the reverse
synchronization formula for a time interval equal to the synchronization interval. You could, for example,
adjust the formula to measure hourly rather than daily traffic.

Namespace Design Issues
The second IT infrastructure issue that you need to consider is namespace design. This section refers
only to NDS, not Bindery. Because Bindery is a much simpler directory service than either NDS or
Active Directory, namespace design issues are not relevant for a Bindery network.

The primary difference between the NDS and Active Directory namespaces is that Active Directory
relies on the Domain Name System (DNS) for resource location. DNS is a hierarchical naming system
that is used for locating domain names on the Internet and on private TCP/IP networks. The DNS
service maps DNS domain names to IP addresses, and vice versa. However, NetWare uses its Service
Location Protocol (SLP) as its main locator. Unlike DNS, which is the worldwide standard for mapping
domain names to IP addresses, SLP is unique to Novell. Although the NDS and Active Directory
namespaces are thus quite different at a technical level, MSDSS can synchronize directory objects
between them.

You do not have to structure the Active Directory namespace identically to NDS in order for them to be
synchronized by MSDSS. You do, however, have to plan whether you want the two namespace
structures to differ, and if so, how.


[7] http://www.microsoft.com/windows2000/techinfo/interop/msdssund.asp



The sections below cover the following namespace-related topics:
   • Working with naming conventions.

   • Using partitions and WAN links.

   • Understanding OUs, groups, and rights.

   • Establishing a synchronization session at any container level.

   • Custom mapping objects between different namespaces.

A detailed discussion of NDS and Active Directory namespace design is beyond the scope of this
paper. See the "Designing and Deploying Directory and Security Services" section of the Windows
Server 2003 Deployment Guide [8] for more information. Also see the Novell Web Site [9] to find more
information about NDS namespace design.

Working with Naming Conventions

When you design a namespace, you must understand how a given system handles user names. Most
medium-sized organizations that use NDS use unique common names (CNs). This solves some tricky
e-mail setup problems. However, in NDS, it is the distinguished name and not the common name that
uniquely identifies the user. The common name for objects, including User objects, is the name that you
specify when you create them. An example of a common name is Jack. An NDS distinguished name is
a text string that uniquely identifies a directory object. An example of an NDS distinguished name is
Jack.Sales.Msft.

The fact that many NDS-based organizations use unique common names but that in NDS the
distinguished name uniquely identifies the user means that a user’s common name can appear in more
than one OU. For example, Jack.Sales.Msft and Jack.Marketing.Msft are two different people. In Active
Directory, the user’s account name must be unique per domain. Therefore, in Windows Server 2003,
you would have to create the two "Jacks" with different account names if they both belong to the same
domain.

If both example user objects are synchronized from NDS to the same Active Directory domain, MSDSS
will create the first user (Jack.Sales.Msft) as Jack and the second one (Jack.Marketing.Msft) as Jack0.
Notice the logon name (account name) change. You can ensure that the logon names stay the same in
two ways:
  • Change NDS logon names. Change all logon names to be unique before you use MSDSS to
    synchronize or migrate networks. The user will become familiar with the new name and will find
    migrating to Windows Server 2003 easier.

  • Use more than one Active Directory domain. Synchronize or migrate the NDS structure to different
    Active Directory domains. You might decide to have a marketing domain and a sales domain. Both
    "Jacks" can then exist in Active Directory as Jack.
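
The collision described above can be found before synchronization. The following Python sketch is an added example, not part of the Microsoft paper or of MSDSS: it groups typeless NDS names by target domain and common name and lists the users who would not keep their logon name. The sample users, the domain names, and the OU-to-domain map are constructed, and input order stands in for the order in which MSDSS processes the objects.

```python
"""Pre-migration audit: which NDS users share a logon name in one AD domain?"""
from collections import defaultdict

DEFAULT_DOMAIN = "corp.example.com"  # hypothetical single target domain

# Constructed sample input: typeless NDS distinguished names, leaf first.
NDS_USERS = [
    "Jack.Sales.Msft",
    "Jack.Marketing.Msft",
    "Cathy.Sales.Msft",
    "Tom.Sales.Msft",
    "tom.Engineering.Msft",
]


def split_dn(dn):
    """Return (common name, parent OU) for a name such as Jack.Sales.Msft."""
    parts = [p.strip() for p in dn.strip().strip(".").split(".")]
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"not a usable NDS distinguished name: {dn!r}")
    return parts[0], parts[1]


def find_collisions(dns, ou_to_domain=None, default_domain=DEFAULT_DOMAIN):
    """Map (domain, lower-cased CN) -> NDS names that compete for that logon name.

    ou_to_domain models the "more than one Active Directory domain" option:
    users whose parent OU is listed go to that domain, all others to the default.
    Names are compared case-insensitively, as account names are in a domain.
    """
    routing = {ou.lower(): dom for ou, dom in (ou_to_domain or {}).items()}
    buckets = defaultdict(list)
    for dn in dns:
        cn, ou = split_dn(dn)
        domain = routing.get(ou.lower(), default_domain)
        buckets[(domain, cn.lower())].append(dn)
    return {key: names for key, names in buckets.items() if len(names) > 1}


def report(collisions):
    """Render collisions as text lines; the first name listed keeps its logon name."""
    lines = []
    for (domain, cn), names in sorted(collisions.items()):
        lines.append(f"{domain}: logon name '{cn}' wanted by {len(names)} users")
        lines.append(f"  keeps logon name  : {names[0]}")
        lines.extend(f"  gets a new name   : {dn}" for dn in names[1:])
    return lines


if __name__ == "__main__":
    print("Single domain:")
    print("\n".join(report(find_collisions(NDS_USERS))) or "  no collisions")
    split = {"Sales": "sales.example.com", "Marketing": "marketing.example.com",
             "Engineering": "eng.example.com"}
    print("One domain per OU:")
    print("\n".join(report(find_collisions(NDS_USERS, split))) or "  no collisions")
```

Run against a real export, every "gets a new name" line is a user whose logon name changes unless one of the two options above is applied first.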




[8] http://www.microsoft.com/technet/prodtechnol/windowsserver2003/evaluate/cpp/reskit/adsec/default.asp
[9] http://www.novell.com/






Using Partitions and WAN Links

When you decide whether or not to create an Active Directory namespace that duplicates the NDS
namespace, it is important to understand differences in the number of partitions required by NDS as
compared with Active Directory. The more partitions you use, the higher the administrative costs. It is
highly likely that you will need far fewer Active Directory domains than NDS partitions. This is primarily
because Active Directory replicates data over WANs more efficiently than does NDS, which tends to
use partitions to reflect geographical divisions.

For example, for a U.S.-based organization, NDS typically requires a separate partition for the Los
Angeles site, the Chicago site, and the New York site because they use WAN connections to bridge
these sites. However, for the same organization, Active Directory would typically be deployed as a
single partition (Active Directory domain) with replicas of the same data in each city. This is because
Active Directory automatically compresses data that flows across a WAN, automatically uses
bridgehead servers to eliminate duplicate traffic, and supports traffic scheduling. NDS does not
compress data, requires complex manual configuration on each replica server to simulate bridge
heading, and does not enable scheduled replication. Therefore, although NDS administrators ordinarily
do not implement single partitions that span WAN connections, Active Directory administrators can do
this.

Because most NDS implementations follow a geographic model while Active Directory has no such
constraint, in most cases the optimal Active Directory namespace design will differ from the existing
NDS namespace design. Take this advantage of Active Directory into consideration when creating an
MSDSS plan.

Understanding OUs, Groups, and Rights
Both NDS and Active Directory use OUs, but they have important functional differences. One major
difference is the role that OUs play—or do not play—in security:
  • NDS OUs. In NDS, you use an OU for partitioning and for security. An NDS OU is a security principal
    that can be associated with a network resource (such as a file). A user who is a member of an NDS OU
    is automatically granted access rights to any resource that lists the OU as an entity permitted to have
    those rights. For example, everyone who is a member of the Marketing OU—from the group assistant
    to the product manager—can access a file that has the Marketing OU listed in its access control list
    (ACL).

  • Active Directory OUs and Security Groups. By contrast, you use Active Directory OUs for delegation
    of administration and for applying group policy, but they are not security principals. In the Windows
    Server 2003 operating system, Active Directory user and computer accounts and groups are security
    principals. The security group, not the OU, is the Active Directory mechanism for granting access rights
    to resources to a collection of users. When you use security groups, access to resources is always
    granted explicitly and is unaffected by users moving between OUs. The benefit of Active Directory
    group-based (rather than NDS OU-based) security is that Active Directory makes organizational
    restructuring easier—administrators do not have to reset security permissions every time changes are
    made to the organizational hierarchy.
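
The difference between the two models matters when ACLs are carried over. The following Python sketch is an added example, not part of the Microsoft paper or of MSDSS: it turns each OU that appears as a trustee into a proposed security group and then compares access under both models before and after a user changes OU. The users, resource names, ACLs, and the SG- group-naming scheme are constructed for illustration.

```python
"""Translate OU-as-trustee ACLs into security groups and compare both models."""

# Constructed sample: account name -> location in the NDS tree (typeless name).
USERS = {
    "ann": "Ann.Marketing.Msft",
    "bob": "Bob.Marketing.Msft",
    "carl": "Carl.Sales.Msft",
}

# Constructed ACLs: resource -> trustees, each ("ou", container) or ("user", account).
ACLS = {
    "marketing-plan": [("ou", "Marketing.Msft")],
    "sales-forecast": [("ou", "Sales.Msft"), ("user", "ann")],
}


def located_in(dn, container):
    """True when the object named dn sits in container or in a container below it."""
    obj, cont = dn.lower().split("."), container.lower().split(".")
    return len(obj) > len(cont) and obj[-len(cont):] == cont


def nds_allowed(account, users, trustees):
    """OU-based model: an OU trustee covers whoever is located in that OU now."""
    for kind, name in trustees:
        if kind == "user" and name == account:
            return True
        if kind == "ou" and located_in(users[account], name):
            return True
    return False


def plan_security_groups(users, acls):
    """Return (groups, ad_acls): one proposed group per OU trustee, with the
    users located in that OU at planning time as explicit members."""
    groups, ad_acls = {}, {}
    for resource, trustees in acls.items():
        principals = []
        for kind, name in trustees:
            if kind == "ou":
                group = "SG-" + name.replace(".", "-")  # hypothetical naming scheme
                groups.setdefault(
                    group, {a for a, dn in users.items() if located_in(dn, name)})
                principals.append(group)
            else:
                principals.append(name)  # user trustees carry over unchanged
        ad_acls[resource] = principals
    return groups, ad_acls


def ad_allowed(account, groups, principals):
    """Group-based model: access follows explicit membership, not location."""
    return any(p == account or account in groups.get(p, ()) for p in principals)


def move_user(users, account, new_container):
    """Return a copy of users with the account relocated to new_container."""
    moved = dict(users)
    moved[account] = users[account].split(".", 1)[0] + "." + new_container
    return moved


def compare(users, groups, acls, ad_acls):
    """Rows of (account, resource, OU-model result, group-model result)."""
    return [(a, r, nds_allowed(a, users, acls[r]), ad_allowed(a, groups, ad_acls[r]))
            for a in sorted(users) for r in sorted(acls)]


if __name__ == "__main__":
    groups, ad_acls = plan_security_groups(USERS, ACLS)
    print("proposed groups:", groups)
    after = move_user(USERS, "bob", "Sales.Msft")
    for row in compare(after, groups, ACLS, ad_acls):
        flag = "" if row[2] == row[3] else "  <- models differ after the move"
        print(row, flag)
```

After the move, the OU-based model shifts bob's access with his location, while the group-based model leaves it where it was until an administrator changes group membership.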

When you plan how to use MSDSS, consider how Active Directory namespace design features differ
from NDS namespace design capabilities. These differences can affect your decision whether to
duplicate the NDS namespace or to create a different Active Directory namespace. Often, when an
NDS namespace uses separate partitions, you can install Active Directory as a single domain with
multiple OUs to simplify administration. OUs in both directories group people together to ease
administration. It is therefore easy to map an object that is in one area of one directory to an object that
is in a differently named area of the other directory.

For a step-by-step demonstration of migrating an NDS container and its contents to an Active Directory
container, see the "Directly Migrating (Non-Staged) NetWare 4.x, 5.x, or 6.x NDS" section of this
document.

For more information about Active Directory OUs and security groups, see the "Related Links" section of
this document.

Establishing Synchronization Session at Any Container Level

When you configure a synchronization session, you can choose to root the synchronization session at
any container level in the directory hierarchy. For example, the tree structure might have one root
container with four sub-containers. You can choose to have a single session rooted at the root level, or
you can choose to have four sessions, one for each sub-container. When you decide what to do in a
particular environment, ask yourself if you want to apply the same set of synchronization parameters for
all objects and sub-containers. If yes, you should root the synchronization session at the highest level
possible in the tree, subject to the constraint described earlier. If no, synchronize at the container level
at which you want to apply a common set of synchronization parameters (such as frequency of
synchronization, one- or two-way synchronization, and objects that are filtered).

Custom Mapping Objects between Different Namespaces

If you perform a one-time migration from NDS or Bindery to Active Directory, MSDSS creates an Active
Directory namespace that duplicates and replaces the NDS or Bindery structure. However, with Active
Directory-to-NDS synchronization (either one-way or two-way), you have the option to use custom
object mapping to synchronize objects when the Active Directory namespace differs from the NDS
namespace. These options are:
  • Modify existing NDS namespace and/or create new Active Directory namespace. You cannot
    create Active Directory OUs and NDS containers while you are running the MSDSS Synchronization
    Wizard. Therefore, before you initiate synchronization, use NetWare administrative tools to create any
    new NDS containers you might want, and use the Windows Server 2003 Active Directory Users and
    Computers snap-in to create Windows Server 2003 Active Directory OUs.

  • Map relationship between specific objects. If you have created an Active Directory namespace that
    is not identical to the NDS namespace, you can use the MSDSS custom object-mapping feature to map
    objects between the two different namespaces. When the MSDSS Synchronization Wizard displays the
    Object Mapping Scheme page, specify the Active Directory and NDS objects between which you want
    to establish a one-to-one relationship independent of the object locations in either directory tree. For
    example, in NDS an OU called Sales contains five user accounts, as follows:

        OU=Sales
            CN=Joe
            CN=Tom
            CN=Jody
            CN=Mike
            CN=Cathy

    You want to move over only the first three users. Therefore, you custom object map Joe, Tom,
    and Jody, synchronizing these three objects with the corresponding objects in an Active Directory
    OU, which does not have to be named Sales.

Workstations
The third IT infrastructure issue that influences how you decide to implement MSDSS is how
workstations are set up. You obtain the fullest benefit of Active Directory for a workstation only when
you migrate it to the Windows XP Professional operating system. This is true for workstations running
earlier versions of Windows in a NetWare environment and for other Novell clients.

However, NetWare networks typically have networking components and application software running
on their workstations (including Microsoft Windows NT® 4.0 workstations incorporated into the NetWare
network) that are integrated with NDS (or, less often, with Bindery). Therefore, if a computer is running
a service that requires NDS (or Bindery), you must consider replacing that service. Replacing existing
directory-enabled services or applications with new Active Directory-enabled software is a project that
you should perform independently of the MSDSS migration of NetWare users, groups, distribution lists,
OUs, and organizations, and the File Migration Utility migration of files.

If you do choose to migrate all services, another factor is the size of your organization. The larger your
environment, the more complex the secondary migration projects will be, and the more time you will
need.

If you choose to retain the operating system software that is already in place on your workstations and
all or some of the NDS-integrated components on those workstations, you can use MSDSS to
synchronize the two directory services. MSDSS gives you the option of maintaining a mixed network in
which Active Directory and NDS co-exist.

When you decide which strategy is appropriate for your environment, consider the workstation-related
topics discussed in the following sections:
  • Novell NetWare Client for Windows (Client32)
  • Microsoft Client Services for NetWare
  • Microsoft Client for Microsoft Networks
  • Printing considerations
  • Novell Workstation Manager
  • ZENworks
  • BorderManager

Novell NetWare Client for Windows

In NetWare environments, most Windows-based workstations can use Novell NetWare Client for
Windows (also called Novell Client or Client32) to access NDS. (For software included with Windows
that can also provide NDS access, see the next section, "Microsoft Client Services for NetWare.")
Novell NetWare Client for Windows software enables Windows clients to use file, print, and other
services that are available on NetWare servers.







The following are important to keep in mind regarding Novell NetWare Client for Windows in relation to
MSDSS synchronization or migration:
  • Synchronization. In a synchronized environment where Active Directory forms the core directory, you
    might be able to restrict the use of Novell NetWare Client for Windows and use it on only a limited
    number of workstations. Novell NetWare Client for Windows software is required on workstations in a
    synchronized environment if any of the following are true:

      - You want to use the workstation to administer an MSDSS session from a remote computer.

      - You want to use the workstation to administer NDS partition and replication configurations with
        NDS Manager, or you want to perform any NWAdmin/Console1 operations.

      - You need to authenticate into an NDS network to access or use NDS-enabled applications.

  • Staged migration. If you choose to perform a staged migration from NetWare to Windows Server
    2003, you might want to have Novell NetWare Client for Windows deployed on clients during the
    migration period, and then remove it when the migration is completed. This enables clients to use both
    Windows Server 2003 Kerberos and NetWare Core Protocol (NCP) authentication.

Microsoft Client Services for NetWare

Windows workstations in NetWare environments can use Client Services for NetWare (CSNW), which
is included with Windows workstation operating systems, to gain access to NDS. CSNW is sometimes
used for this purpose as an alternative to Novell NetWare Client for Windows. CSNW provides access
to NetWare 5.x and earlier environments using the IPX/SPX protocol. After you complete a migration
and decommission NetWare, you can uninstall CSNW.

Microsoft Client for Microsoft Networks

Most Windows desktops in a NetWare environment already have the Microsoft Client for Microsoft
Networks installed. On these computers, when Windows installed the network card, it also installed and
configured Microsoft Client for Microsoft Networks, which is redirector software that intercepts client
(workstation) requests for files and printers and routes them to the appropriate remote device, such as
a network server, another workstation, a printer, or a directory share.

Note: Do not uninstall the Microsoft Client for Microsoft Networks software after a migration.

Printing Considerations

Larger NetWare environments typically use HP JetDirect print services or a similar product that enables
clients to print to the printer. Smaller environments often use NetWare’s queue-based print services. If
you have not migrated NetWare print servers, workstations can continue to use either of these print
services to access printers on NetWare servers, and, therefore, you should not uninstall them until you
do migrate NetWare print servers.

Novell Distributed Print Services (NDPS) combines printer, print queue, and print server functions and
is backward compatible with queue-based print services. It is important to understand that MSDSS
migrates or synchronizes user-related information, not services such as NDPS. If you use NDPS,
deciding whether you want to migrate the NDPS printing environment to Windows Server 2003 printing
or to retain NDPS can be a major factor in deciding between migration and long-term synchronization.






With NDPS, the client does not print to a local port that is then redirected to a print queue. Instead, the
client prints to a virtual printing port created on the workstation. This means that the workstation must
have Novell NetWare Client for Windows installed. All print jobs are then handled by the NDPS system
on the server. The recommended solution is to create a print queue on the server and to reconfigure
NDPS to service the queue. This enables you to use queue-based printing from the client with the
existing NDPS print server, which means that you can remove the NDPS drivers from the workstations.

Novell Workstation Manager

Novell Workstation Manager is a snap-in for Novell NetWare Administrator that you can use to
administer both NDS and Windows NT accounts from one administrative point. If you migrate to Active
Directory, or if you use one-way synchronization and use Active Directory to manage all user objects,
you should uninstall this component.

ZENworks

Older versions of the Novell desktop management suite, ZENworks, are integrated with NDS and require
Novell NetWare Client for Windows. Fully deployed ZENworks environments are uncommon. If an
organization does use ZENworks, you must decide between two options:
  • Migrate from ZENworks. A complete migration from NDS to Active Directory also requires moving to
    Microsoft desktop management services. Windows Server 2003 includes built-in desktop management
    features, such as remote operating-system installation, application distribution, data and settings
    mirroring, and industry-standard management instrumentation (WMI), each of which can be used by
    Windows Server 2003 management tools. If you want additional desktop management solutions (or
    solutions that can run on a mixed network), you can purchase Microsoft Systems Management Server
    2.0, which can manage Windows-based clients in a Windows NT 4.0, Windows 2000 Server, Windows
    Server 2003 or an NDS-based Novell NetWare environment, regardless of the directory service in use.
    Also note that there are third-party tools that can be used to migrate users from ZENworks. Windows
    Server 2003 Policies can also assist greatly in desktop management scenarios.

  • Keep ZENworks by synchronizing. If you choose to continue to use ZENworks, understand that
    because it is NDS-integrated and needs Novell NetWare Client for Windows, it places an additional
    resource requirement on the desktop.

If you do migrate from ZENworks to Microsoft desktop management, you can then also easily migrate
Dynamic Host Configuration Protocol (DHCP) services from NetWare to Windows Server 2003. In
NetWare, the DHCP networking protocol dynamically registers the client’s IP address in the NDS
database with the associated computer name. Similarly, in Windows Server 2003, DHCP provides
dynamic configuration of IP addresses for computers, ensuring that address conflicts do not occur.
Because Windows Server 2003 DHCP is integrated with the Windows Server 2003 implementation of
DNS (which is itself a central component of Active Directory), consider migrating both of these primary
network services.

For more information about migrating DNS and DHCP to Windows-based servers and a discussion of
client-services issues relevant to migrations from ZENworks, see the white paper NetWare to Windows
2000 Server Migration Planning Guide [10]. Although this paper was written with Windows 2000
environments in mind, it contains information that will be useful in a Windows Server 2003 scenario.

BorderManager

Novell BorderManager is another major NDS-integrated application to consider when you choose
between synchronization and migration. If your environment currently uses BorderManager to manage
and protect your intranet and Internet borders, it is likely that your long-term plan will include the
replacement of BorderManager with Microsoft Internet Security and Acceleration Server. If replacing
your proxy systems is not in your budget, implementing directory synchronization will enable you to use
BorderManager as your proxy server until such replacement is desired.

Servers
The fourth IT infrastructure issue that you need to consider when you decide how to use MSDSS is how
to handle servers. If you choose to implement MSDSS synchronization, you will need one or more
Windows Server 2003 servers in addition to the existing NetWare (or other) servers, depending on the
size and structure of your network. If you choose to perform a complete migration, after the migration
you will have replaced all NetWare servers with Windows Server 2003 servers. The following sections
describe what you need to know about servers when you plan to deploy MSDSS.

Windows Server 2003 MSDSS Domain Controller

To implement MSDSS, you must install the Windows Server 2003 operating system and the MSDSS
software on at least one server. When you install Active Directory on a Windows Server 2003 server, it
becomes a domain controller. You use this domain controller to configure Active Directory, to install
MSDSS, and then to import information from your existing NetWare environment.

The larger your environment, the more new servers you will need. If you are planning to have more
than one domain, you will need new hardware for the first domain controller in each domain.

Using MSDSS to import the NetWare information into Active Directory saves the administrative
overhead that you would otherwise expend in creating new users and groups on the new Windows
Server 2003 domain controller.

You must also install Novell NetWare Client for Windows software on the MSDSS server or servers.
MSDSS uses Novell NetWare Client for Windows to authenticate and to gain access to NDS. While
accessing NDS, MSDSS authenticates, but it does not use a license. MSDSS also uses Novell
NetWare Client for Windows to map one directory’s contents to another, accounting for the fact that the
object classes in Novell NDS or Bindery directories are different from Active Directory object classes.
Novell NetWare Client for Windows is also required to use File Migration Utility to migrate files.

You can install Novell NetWare Client for Windows in four modes: IP only, IPX only, IP and IPX
combined, and IP with IPX Compatibility Mode. For more information on Novell Compatibility Mode and
SLP, see "Appendix A. Configuring the Compatibility Mode" and "Appendix B. Service Location
Protocol" in MSDSS Deployment: Implementing Synchronization and Migration [11]. A significant number
of NetWare environments still use IPX today. MSDSS works in all these modes because it uses Novell
NetWare Client for Windows to access the lower layers.

[10] http://www.microsoft.com/windows2000/techinfo/planning/incremental/netmigrate.asp
[11] http://www.microsoft.com/windows2000/techinfo/interop/msdssimp.asp

If you are migrating NDS, you can import the user and group information from one NDS server to the
MSDSS server because you have one user database per tree. You can then migrate the file system.
Remember that each Novell server has its own file system, which is not replicated to other servers (this
contrasts with NDS, where the directory is replicated to other servers). After the files are migrated, you
can uninstall NDS from the server to free the hardware for the Windows Server 2003 operating system.
For more information, see "Appendix C. Maintaining Novell Directory Services" in MSDSS Deployment:
Implementing Synchronization and Migration [12].

Non-MSDSS Windows Server 2003 Servers
An Active Directory forest can have multiple trees with multiple servers. All the servers in one forest
belong to one directory and need only the standard Microsoft client portion of the Windows Server 2003
operating system. When you plan to implement MSDSS, keep the following points about non-MSDSS
Windows Server 2003 servers in mind:
  • Remote MSDSS administration. If you install MSDSS on a non-domain controller server or on a
    Windows workstation, only the MSDSS console is installed (installing MSDSS on a Windows Server
    2003 domain controller installs both MSDSS itself and the MSDSS console). You must also install
    Novell NetWare Client for Windows on this computer. The console enables you to view MSDSS
    sessions. Novell NetWare Client for Windows enables you to remotely access a domain controller
    running MSDSS and thus perform all MSDSS administration tasks.

  • File and Print Services for NetWare. During a staged migration, you can offer file and print services
    that are available on a Windows Server 2003 server to NetWare clients by installing File and Print
    Services for NetWare (FPNW) on the Windows Server 2003 server. FPNW is available on the same
    Services for NetWare CD-ROM that contains MSDSS and File Migration Utility.

  • NetWare servers. To complete a migration, the final task is to decommission the NetWare servers. If
    the hardware can be utilized as a server or workstation, install Windows Server 2003 or Windows XP
    Professional, respectively.




[12] http://www.microsoft.com/windows2000/techinfo/interop/msdssimp.asp







Mail Systems
When you consider whether to choose migration or synchronization, the size of existing services in your
network environment is a major factor. One of the most important large services for most organizations
is the mail system. The Novell GroupWise mail system and its GroupWare component (for scheduling,
document management, and so on) rely on NDS.

Migrating the mail system from NDS-dependent Novell GroupWise to Microsoft Exchange is a major
project that you must implement separately from the MSDSS migration of users, groups, containers,
and files. If you want to continue using GroupWise, then long-term directory synchronization is the
appropriate strategy.

If you do choose to migrate Novell GroupWise to Microsoft Exchange and use directory synchronization
during the transition period, you can continue to use GroupWise during the time that NDS is still
available. Windows clients use TCP/IP and will therefore find it easier to migrate if all post office agents
(POAs) are set up to use only TCP/IP. Setting up POAs to use only TCP/IP will enable users to retrieve
mail as before.

Keep in mind that on a Windows workstation in a mixed network, GroupWise uses the Messaging
Application Programming Interface (MAPI), a Microsoft API that supports messaging applications.
GroupWise also uses the Windows Messaging system, an electronic mail system that enables you to
share information with other people using online services. During a clean install of Windows XP
Professional, you must install MAPI and Windows Messaging on the workstation to enable GroupWise
to work.

GroupWise administration is done from NetWare Administrator 32 (Nwadmin32) and, up to version 5.5,
GroupWise does not use DNS directly. GroupWise maintains a separate directory and synchronizes
this directory with NDS. Therefore, when you want to remove NetWare from the network, you must also
perform a mail system migration.

For a competitive comparison of Exchange and GroupWise, see Perspectives on GroupWise 5.5 [13].

GroupWise Migration Wizard
Exchange Server includes the Migration Wizard, which migrates content from servers running Novell
GroupWise versions 4.1 through 5.5.

You can use the Migration Wizard to extract the following data:
  • Mailbox contents including e-mail, phone, and discussion messages, along with the mailbox folder
    structure and any associated attachments.

  • Calendar contents including any personal or group appointments, notes, or tasks.

  • Account directory information, such as phone number, office, company, or address.

For more information on Microsoft Exchange or the GroupWise Migration Wizard, see the Microsoft
Exchange Web site [14].



[13] http://www.microsoft.com/exchange/evaluation/compare/GroupWise.asp







NetWare Migration Preparation Details
Planning Deployment Steps
After you gain an understanding of the data and infrastructure analysis factors covered earlier, you
should assess those factors, determine which are relevant to your network environment and goals, and
decide which MSDSS migration strategy is best.

The information in this section provides additional detail for the steps included in the migration checklist
included later in this document. You can refer to the checklist for a quick guide to preparing and
performing a migration. Refer to this and the following sections for more information about checklist
items.

Use the checklist included in this document as a basis for developing your own list of tasks to be
performed, noting what is to be delivered and when. Identify the primary and secondary areas of
implementation, especially if you must meet a specific deadline. It is essential to understand the
implications of features that you plan to deploy in the future in order to develop a directory architecture
that will be able to incorporate these features with minimal or no redesign. It is important to understand
that your migration from NetWare to Active Directory might involve additional steps or requirements not
covered in this document. For that reason, it is important to carefully assess your needs and your
existing network before proceeding with a migration.

After you develop a list of tasks, sketch out the specific steps that you need to take to prepare for the
migration. The following section provides a general outline of those preparatory steps.

Before You Start
This section summarizes the MSDSS deployment preparation issues covered in this document and
translates them into a list of steps. This section also assumes that you are familiar with the information
presented in the paper MSDSS Deployment: Understanding Synchronization and Migration [15].

Before you implement an MSDSS migration, decide which tasks you can do concurrently and which you
must do sequentially (depending on your situation, the order in which you do these steps might or might
not correspond to this list). Refer to the "NetWare to Windows Server 2003 Migration Checklist" section
at the end of this document for a listing of the following items in a checklist format:
  • Diagram the network including hardware and software. Diagram the network and all its
    components. Identify which servers are file and print servers, Internet servers, mail servers, and
    database servers. Document servers thoroughly, including NetWare versions, transport protocols, and
    directory versions (Bindery or NDS).

  • Identify all types of information stored on the network, including its owners, users, locations,
    and its security. Identify all types of information stored on the NetWare network (not just NDS or
    Bindery information), where it is stored, who is responsible for which information, which subsets of
    users have access to which data, and what the associated security requirements are.



[14] http://www.microsoft.com/exchange
[15] http://www.microsoft.com/windows2000/techinfo/interop/msdssund.asp






   • Identify all Novell-dependent software. Before the migration begins, decide whether you will replace
     all Bindery-, NDS-, or NLM-dependent software (such as NDS-compliant DNS, DHCP, ZENworks, etc.)
     with Active Directory-compatible software (leading to a direct migration), or whether you want to
     continue to use some or all of the Bindery- or NDS-integrated services or applications (leading to a
     phased or staged migration). Be sure to include the e-mail system in this list. See the "Mail Systems"
     section of this document for more information on e-mail migration.

   • Determine the systems to be migrated. Determine which systems will be migrated or
     decommissioned. Determine the affected users, groups, objects, folders, files, databases, and e-mail
     systems (GroupWise or others).

   • Review WAN/LAN links, and their available bandwidth. Decide whether you can use fewer Active
     Directory domains than there are Novell partitions in the existing network.

   • Plan for future hardware, software, and network bandwidth needs. Research what additional
     functionality your organization plans to implement in the future. Factor these features into your
     migration planning (for example, when you plan namespace design, WAN links, application software
     needs, etc.).

   • Analyze the current and future namespace design. Familiarize yourself with the current Novell
     namespace design and with Active Directory namespace design principles.

   • Create a test lab for design and migration testing. Set up a test lab that includes a restored copy of
     the Bindery or NDS Server and a Windows Server 2003 domain controller with the Novell Client for
     Windows and the latest version of MSDSS.

       • Include examples of current and planned client workstations in the lab.

       • Install any Novell-dependent applications in the test lab and test their compatibility with your
         migration plans.

       • Perform a test migration of accounts, groups, and files.

       • Configure and test printing in the lab.

       • Review and adjust your migration plans as appropriate. It is expected that problems will arise in the
         test lab. The test lab will help to mitigate risks from the real migration to the live network.

       • Repeat a test migration to hone the process until you are comfortable with the results.

   • Modify namespace design if necessary. Decide whether you want the new Active Directory
     namespace to be identical to or different from the existing Novell namespace. If necessary, use
     NetWare administrative tools to update NDS containers and use Windows Server 2003 Active Directory
     Users and Computers to create Active Directory OUs. Evaluate your choices in the test lab.

   • Evaluate custom directory object mapping (optional). If you will be using the MSDSS custom
     object-mapping feature to synchronize objects between NDS and Active Directory namespaces that are
     structured differently, decide how you want the relationships mapped. Evaluate your choices in the test
     lab. Keep in mind that custom object mapping is not supported for Bindery.

   • Acquire new hardware and software. If necessary, acquire new server hardware. Buy Windows
     Server 2003 (which includes CSNW) and the latest version of Services for NetWare version 5.x (which
     includes MSDSS). Acquire any Active Directory-compliant software that will replace the Novell
     services-dependent software. Obtain the latest version of Novell NetWare Client for Windows from the
     Novell Web site.

   • Choose an installation location for MSDSS. Decide whether you will install MSDSS and Novell
     NetWare Client for Windows on one or more domain controllers, and whether you will remotely
     administer MSDSS sessions. If you choose remote administration, install MSDSS and Novell NetWare
     Client for Windows on a Windows Server 2003 (non-domain controller server) or a Windows XP
     Professional workstation. Evaluate your choice in the test lab.

   • Choose a direct or staged (phased) migration. Decide whether you will perform an immediate, one-
     time migration, or a staged migration over time (synchronizing Active Directory and your Novell
     directory during the transitional period). Evaluate your choice in the test lab. If you choose a staged
     (phased) migration:

       • List migration priorities. List the departments or other groupings, the software, and the hardware
         that you must migrate immediately, and which resources can be migrated over time. List the order
         in which you want to accomplish each stage.

       • Choose one- or two-way synchronization. Decide whether one-way synchronization (using
         Active Directory to manage objects in both directories) or two-way synchronization (using either
         Active Directory or NDS to manage shared data) is appropriate to the situation. Take network traffic
         into account. Decide the timetable for replacing any of the Bindery- or NDS-dependent software
         with Active Directory-enabled counterparts.

   • Identify containers and servers to migrate or synchronize. Identify the containers that you want to
     migrate or synchronize and the Active Directory and NDS or Bindery servers between which you wish
     to establish those relationships. Evaluate your choice in the test lab.

   • Calculate the required number of migration sessions and servers. Calculate the number of
     sessions needed to synchronize the desired NDS or Bindery objects. You can specify only one NDS
     container or Bindery server per session. All objects within that OU or Bindery server will be
     synchronized. You can have up to 50 simultaneous sessions running on one domain controller and
     each session can point to a different NDS or Bindery server source.

   • Identify and obtain administrator accounts with sufficient permissions to successfully complete
     the migration. If you will use synchronization, ensure that you have the required accounts with
     permissions to extend the Active Directory schema (even though MSDSS does this automatically, you
     must have schema-extending administrative authority). If you will use two-way synchronization, ensure
     that you have the necessary permissions to extend the NDS schema.

     Important When you set up a two-way synchronization session, you must have full administrator
     privileges to the entire NDS container in which you are creating the session. Ensure that these
     privileges are maintained for the life of the session. If these privileges are changed, objects may be
     deleted from one or both of the directories.

   • Choose the migration administrators. Decide who you will add as a member of the MSDSS Admins
     group that is created automatically when you install MSDSS. Choose the users to whom you will
     delegate specific MSDSS administrative tasks.







   • Recruit a pilot group. Unless your organization is small and you are sure you can implement migration
     or synchronization without help, recruit and train a group of technically oriented users willing to help test
     a pilot implementation and to support other users.

   • Educate users. Explain to the main body of users what to expect and schedule any necessary training.
     Ensure that they understand how passwords will be handled. The preferred method for password
     management is to administer passwords from Active Directory only. This requires that clients log on to
     Active Directory. You can control passwords from Active Directory in both one-way and two-way
     synchronization.

   • Back up and test restore the NetWare system and user data. Back up and then perform a test
     restore to ensure that the backup media will be functional if a system restore is required.

   • Install and configure a Windows Server 2003 domain controller. This will be the computer on which
     MSDSS is installed. After you install Windows Server 2003, apply the latest Service Packs and hot
     fixes.

   • Install the Novell Client for Windows. Install the client on the Windows Server 2003 Active Directory
     domain controller on which MSDSS will be installed. You can download the client from the Novell Web
     site. For detailed step-by-step installation instructions, including screen shots and screen-by-screen
     explanations for installation on the domain controller, see the "Installing Novell Client for Windows on
     an Active Directory Domain Controller" section of this document.

   • Install MSDSS. Install MSDSS on the same Windows Server 2003 domain controller on which Novell
     Client for Windows was installed. MSDSS can be found on the Services for NetWare version 5.x CD-
     ROM. For detailed step-by-step installation instructions including screen shots and screen-by-screen
     explanations, see the "Installing MSDSS on an Active Directory Domain Controller" section of this
     document.








Outline of Migration Steps
The next two sections provide detail on the steps for implementing MSDSS in a smaller (LAN-only) or
larger (WAN) network. You will need to adapt the guidelines to suit your environment and goals.

Direct Migration Steps
If your organization is small to medium-sized with a LAN-based and uncomplicated network, you are a
likely candidate for a quick, direct migration.

After you complete all the preparations described in the "NetWare Migration Preparation Details"
section of this document, perform these steps (adjusted, if necessary, to your situation):

1. Log on to the NDS tree or Bindery server with administrative credentials.

2. Log on to the appropriate Windows Server 2003 domain as a member of the Domain Admins
   group. Start MSDSS.

3. Depending on your version of NetWare, follow the step-by-step instructions in the
   "Direct (Non-Staged) NetWare 3.x Accounts and Groups Migration to Windows Server 2003 Active
   Directory" or the "Direct (Non-Staged) NetWare 4.x, 5.x, or 6.x NDS to Windows Server 2003 Active
   Directory Migration" section of this document. For additional information on the migration, on the
   MSDSS server, start MSDSS, open Help from the MSDSS console, and then print out the steps for
   the topics "To perform a one-time migration" and "To migrate files."

4. After the user accounts are migrated, you can migrate the file system (migrating the users before
   the files enables you to migrate file-system permissions). Follow the step-by-step instructions in the
   "NetWare 3.x File Migration to Windows Server 2003 Active Directory" or the "NetWare 4.x, 5.x, or
   6.x File Migration to Windows Server 2003 Active Directory" sections of this document. For
   additional information on the migration, on the MSDSS server, start MSDSS, open Help from the
   MSDSS console, and then print out the steps for the topic "To migrate files."

5. Manually migrate (or use third-party utilities to migrate) object security permissions and computer
   accounts, printer objects, application objects, and other objects that MSDSS does not migrate from
   Bindery or NDS to Active Directory. (MSDSS migrates NetWare user accounts, groups, and
   distribution lists for Bindery and NDS, and, for NDS only, MSDSS also migrates NDS OUs and
   organizations.)

6. Replace software that is dependent on Novell services with equivalent software compatible with
   Windows Server 2003 and Active Directory. Only fully tested, easy to migrate applications should
   be included in a direct migration. It is highly recommended that you confirm application functionality
   in a Windows Server 2003 Active Directory test lab before you begin the direct migration. If you
   require greater flexibility, a staged or phased migration is recommended.
7. On each Windows desktop in the NetWare network, uninstall Novell NetWare Client for Windows.
   (In a moment, you will configure the desktops to join the Windows Server 2003 domain.)

8. Optionally, upgrade NetWare clients (workstations) to the Windows XP Professional operating
   system.







9. Configure all client computers (both Windows and non-Windows) to join the Windows Server 2003
   domain. Be sure that the users know how to enter their password the first time that they log on.
   (For password options during migration, see the "MSDSS Password Management" section earlier in
   this document.)

10. Decommission your NetWare server(s).

Staged (Phased) Migration Steps
If your organization has multiple locations with WAN links, you will probably choose to synchronize the
mixed Novell/Windows Server 2003 network temporarily while you perform a staged (phased) migration
over time. If you plan a staged migration, one-way synchronization is often the appropriate choice.

Beginning a Staged Migration

After you complete all the preparations described in the "NetWare Migration Preparation Details"
section of this document, perform these steps (adjusted, if necessary, to your situation):

1. Log on to the NDS tree or Bindery server with administrative credentials.

2. Log on to the appropriate Windows Server 2003 domain as a member of the Domain Admins
   group.

3. For additional information on the migration, on the MSDSS server, start MSDSS, open Help from
   the MSDSS console, and then print out either of the topics "To perform a one-way synchronization"
   or "To perform a two-way synchronization." (The one-way and two-way synchronization steps are
   similar in nature to those in the "Direct Migration Steps" section of this document. You can use those
   screen shots as a guide, substituting the following steps on the appropriate screens.)

4. Start MSDSS and let the prompts guide you through the following tasks:

        a. Start the New Session Wizard. To open the New Session Wizard, in the MSDSS console
           tree right-click MSDSS (Your Active Directory Forest Name), and then click New Session
           on the shortcut menu. The Welcome to the New Session Wizard welcome screen
           appears. Click Next to continue.

        b. Click Novell Bindery or Novell Directory Services (NDS) for one-way synchronization –
           OR – click Novell Directory Services (NDS) for two-way synchronization.

        c. Click One-way synchronization (from Active Directory to NDS or Bindery) – OR – click
           Two-way synchronization (from Active Directory to NDS and back).

        d. In the Active Directory container box, specify the container into which you want to copy
           items.

        e. To accept the default domain controller in which to store the session database, click Next.

        f. In the NDS Container or Bindery Container box, specify the container from which to copy
           items.

        g. Under Novell administrative account, enter an appropriate user name and password.

        h. On the Initial Reverse Synchronization page, click Perform an initial reverse
           synchronization.

        i. Still on the Initial Reverse Synchronization page, under Password Options, select the
           appropriate check box (such as Set passwords to the user name).

        j. On the Object Mapping Scheme page, click Default (to accept the default mapping for
           each source and target directory pair) – OR – for NDS only, click Custom and then click
           Object Mapping Table (to specify objects for which you want to establish a one-to-one
           relationship, regardless of the object location in either directory tree). Keep in mind that
           MSDSS does not support custom object mapping for Bindery.

        k. On the Object Mapping Scheme page, if you want to configure a filter for this
           synchronization session, click Filters.

        l. On the Session Name page, accept the default session name or specify a new name.

        m. Click Finish.

5. If you chose one-way synchronization, you should now perform all user, group, and OU object
   management from Active Directory. If you chose two-way synchronization, you can now manage
   user, group, and OU objects from either Active Directory or NDS.
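
The Password Options in step 4 assign each account a value chosen by the administrator (the example given is Set passwords to the user name). The following PowerShell script is an added example, not part of the white paper, for reviewing the accounts in the target container afterwards and, with -Apply, requiring a password change at next logon. The container path is a hypothetical placeholder, and forcing the change is an assumption about local policy.

```powershell
# Added example, not from the white paper. Read-only unless -Apply is given.
# Written for PowerShell 2.0 and System.DirectoryServices; run it with an
# account that may modify users in the target container.
param(
    # Assumption: hypothetical OU chosen in the "Active Directory container" box.
    [string]$ContainerPath = 'LDAP://OU=Migrated NetWare Users,DC=example,DC=com',
    [switch]$Apply
)

$DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl flag

function Get-PasswordState {
    param([long]$PwdLastSet, [int]$UserAccountControl)
    # A never-expiring password cannot be flagged "must change"; report it.
    if ($UserAccountControl -band $DONT_EXPIRE_PASSWORD) { return 'NeverExpires' }
    # pwdLastSet = 0 means the user must change the password at next logon.
    if ($PwdLastSet -eq 0) { return 'MustChange' }
    return 'Set'
}

$root     = New-Object System.DirectoryServices.DirectoryEntry($ContainerPath)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
$searcher.PageSize = 500          # page through containers with many accounts
foreach ($attr in 'samaccountname', 'pwdlastset', 'useraccountcontrol') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$results = $searcher.FindAll()
foreach ($result in $results) {
    $p   = $result.Properties
    $sam = [string]$p['samaccountname'][0]
    $uac = [int]$p['useraccountcontrol'][0]
    $pls = 0
    if ($p['pwdlastset'].Count -gt 0) { $pls = [long]$p['pwdlastset'][0] }

    $state = Get-PasswordState -PwdLastSet $pls -UserAccountControl $uac

    if ($Apply -and $state -eq 'Set') {
        # Expire the assigned password so it cannot outlive the first logon.
        $entry = $result.GetDirectoryEntry()
        $entry.psbase.Properties['pwdLastSet'].Value = 0
        $entry.psbase.CommitChanges()
        $state = 'MustChange (applied)'
    }

    New-Object PSObject -Property @{ Account = $sam; PasswordState = $state }
}
$results.Dispose()
```

Accounts reported as NeverExpires are left unchanged and need a manual decision.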

Completing a Staged Migration

When you are ready to finish the migration from NetWare to Active Directory, perform the following
steps in the time frame that is convenient for you:

1. Install and configure File and Print Services for NetWare (to enable NetWare clients to access files
   and printers on Windows Server 2003 servers) and Client Services for NetWare on Windows clients
   (to enable Windows clients to log on to NetWare servers and access their resources).

2. Replace Novell-dependent software with equivalent Windows Server 2003 Active Directory-
   compatible software. Only fully tested applications should be included in the migration. It is highly
   recommended that you confirm application functionality in a test lab before you begin the migration.
   Implement large conversions (such as GroupWise to Exchange) as separate projects.

3. To migrate the pilot group of users and their files, adapt instructions of the migration steps provided
   in the appropriate direct migration section of this document. Get the pilot group’s feedback and, if
   necessary, update your process for this migration step according to feedback. Then set a schedule
   to migrate additional groups of users according to the priorities that you have established.

4. Migrate the rest of the users as appropriate (for example, if you migrate the set of applications they
   use, it is time to migrate them as well).

5. Decommission the NetWare servers.








Installing Novell Client for Windows on an Active Directory Domain Controller
To install Novell Client for Windows on a Windows Server 2003 Active Directory domain controller,
follow these steps:
1. To begin the Novell Client for Windows installation, insert the CD into the appropriate drive.

            If you do not have a CD with the software, you can download a copy of the Novell Client for
            Windows from the Novell Web site [16].
2. Execute SETUPNW.EXE.

3. The Software License Agreement dialog box appears. Read and then confirm the Novell software
   license to continue the installation.




4. On the first Network Client Installation page, click View Readme to read updated information that
   is not available in the product documentation.




[16] http://www.novell.com/download






5. After you review the Readme information, click Custom Installation, and then click Next.







6. The second Network Client Installation page appears. Because the Novell Client for Windows is a
   required component, the check box for it is selected by default. If you want to install any of the
   optional components, select the appropriate check box(es), then click Next.







7. On the Protocol Preference page, the default IP and IPX option is selected. Accept the default,
   and click Next.




   Installing both the IP and IPX protocols provides maximum flexibility. The Windows Server 2003
   servers will be able to use either IP or IPX communication protocols with the NetWare server(s) in
   the environment.







8. On the Login Authenticator page, you can select the NetWare server version that the client will
   connect to. Click either Bindery (NetWare 3.x) or NDS (NetWare 4.x or later) to configure the
   software for connectivity to your software environment. Click Next to continue.







9. The custom installation of Novell Client for Windows has completed. Click Finish to complete the
   installation.







10. After you finish the installation, you are prompted to reboot the server. You must reboot for the
    changes to take effect.




11. After you reboot, a Novell Ctrl-Alt-Del logon prompt appears on the server. The Novell login prompt
    enables you to enter a NetWare Server supervisor login ID and valid password. Enter the ID and
    password, log on to the system, and test connectivity.

    a. After you log on to the NetWare server, confirm functionality of the client installation by mapping
       a drive to the NetWare 4.x, 5.x, or 6.x Server or by running FCONSOLE from the Command
       Prompt to connect to a NetWare 3.x Server.

        Note If you click Workstation Only on the logon screen, you will only log on locally to the Windows
        Server 2003 and not the NetWare Server.

    b. Both the Windows Server 2003 and NetWare logon IDs and passwords need to be correct to
       connect to their respective servers. After credentials for both systems have been correctly
       entered, the new logon screen enables you to connect to both the Windows and NetWare
       networks simultaneously.








Installing MSDSS on an Active Directory Domain Controller
MSDSS is easy to install and use on a Windows Server 2003 Active Directory domain controller.
There are a few items to consider before installation:

   • To install MSDSS, you must be a member of both the Enterprise Administrators and the Schema
     Administrators Active Directory groups.

   • Quit all programs, including any antivirus software, before you install MSDSS.

   • If two-way synchronization between the Active Directory and NDS is desired, the NDS schema must
     also be extended. The account used to connect to NDS must have the right to extend the NDS schema.

       • See the "Schema Extensions for Migration" section of this document for more information about
         extending the schema for Windows Server 2003 Active Directory or NetWare NDS.

       • MSDSS requires the Novell client and cannot interoperate with solutions that use Gateway Service
         for NetWare (GSNW).

   • It is recommended that you install MSDSS on a Windows Server 2003 domain controller. If you install
     MSDSS on a computer that is not a domain controller and the computer is running Windows XP
     Professional or Windows Server 2003, only the MSDSS console is installed, not the Directory
     Synchronization service.

   • When you install MSDSS on a Windows Server 2003–based domain controller, Setup detects the
     domain controller and attempts to update the schema even if you are attempting to install only the
     MSDSS console. However, when you are installing MSDSS on a Windows XP Professional-based or
     Windows Server 2003-based computer that is not a domain controller, you do not need to update the
     schema as part of the installation process.

   • Active Directory OUs and NDS containers cannot be created by using this wizard. Use the Windows
     Server 2003 Active Directory Users and Computers snap-in to create OUs and use NetWare
     administrative tools to create NDS containers.

   • NDS and Bindery do not allow user passwords to be read. Therefore, you need to choose a password
     assignment scheme to specify how passwords will be assigned in Active Directory after they have been
     migrated from NDS or Bindery.

   • The wizard displays all NDS trees on the network, even if no common protocol is available between that
     tree and Windows Server 2003. For example, a computer that is running Windows Server 2003 with
     only TCP/IP displays IPX-only trees, but you cannot browse them.
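
Two of the considerations above can be checked before Setup is started: the installing account's group memberships and whether the computer is a domain controller. The following PowerShell script is an added example, not part of the white paper. It assumes PowerShell 2.0 is installed on the server and identifies the two groups by their well-known relative IDs (518 for Schema Admins, 519 for Enterprise Admins) rather than by display name.

```powershell
# Added example, not from the white paper: pre-install check for an MSDSS host.
# Uses only .NET and WMI calls available to PowerShell 2.0.

# Well-known relative IDs of the two forest-root groups required for setup.
$RequiredRids = @{ 518 = 'Schema Admins'; 519 = 'Enterprise Admins' }

function Get-MissingMsdssGroup {
    # Returns the names of required groups that are absent from the SID list.
    param([string[]]$GroupSids)
    $missing = @()
    foreach ($rid in $RequiredRids.Keys) {
        # Domain-relative SID: S-1-5-21-<three sub-authorities>-<RID>
        $pattern = '^S-1-5-21-\d+-\d+-\d+-' + $rid + '$'
        if (-not ($GroupSids | Where-Object { $_ -match $pattern })) {
            $missing += $RequiredRids[$rid]
        }
    }
    return ,$missing
}

function Test-IsDomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    param([int]$DomainRole)
    return ($DomainRole -ge 4)
}

# Group SIDs come from the current logon token, so nested memberships count.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sids     = @($identity.Groups | ForEach-Object { $_.Value })
$missing  = Get-MissingMsdssGroup -GroupSids $sids
$role     = [int](Get-WmiObject -Class Win32_ComputerSystem).DomainRole

if ($missing.Count -gt 0) {
    Write-Output ("FAIL  {0} is not a member of: {1}" -f $identity.Name, ($missing -join ', '))
} else {
    Write-Output ("OK    {0} holds both required group memberships" -f $identity.Name)
}

if (Test-IsDomainController -DomainRole $role) {
    Write-Output 'OK    This computer is a domain controller; Setup will update the schema'
} else {
    Write-Output 'WARN  Not a domain controller; only the MSDSS console will be installed'
}
```

Log off and on again after a group change before re-running the check, because the token is built at logon.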

Installing MSDSS on Windows Server 2003
To install MSDSS on Windows Server 2003:

1. Locate the CD-ROM drive or directory that contains the Services for NetWare version 5.x software,
   and then double-click the Msdss.msi file to start the installation.

    The Services for NetWare Setup Wizard starts.








2. On the Welcome page of the wizard, click Next.

3. On the End User License Agreement page, read the license agreement.
4. To continue the installation, click I accept the terms in the License Agreement, and then click
   Next.







5. On the Services for NetWare Product Selection page, click Microsoft Directory Synchronization
   Services, and then click Next.




6. On the Identification page, in the User Name box, type your name. In the Organization box, type
   the name of your organization. Click Next to continue the installation.







7. On the Setup Type page, click Typical, and then click Next to continue the installation.




8. On the Begin Installation page, click Next to continue the installation.







9. In the Microsoft Directory Synchronization Services Setup dialog box, click OK to update the
   Active Directory schema for Directory Synchronization.




10. On the Completing the Microsoft Directory Synchronization Services Setup Wizard page, click
    Open Readme. The latest information regarding the product appears.







11. After reviewing the Readme file, on the Completing the Microsoft Directory Synchronization
    Services Setup Wizard page, click Finish.
12. In the Microsoft Directory Synchronization Services Setup dialog box, click Yes to restart your
    server immediately, or No to delay rebooting the system.




    If you click No, the system must be rebooted prior to continuing the installation of a Services for
    NetWare Service Pack (if available) or the use of the MSDSS.

This completes the installation of MSDSS on your Windows Server 2003 Active Directory domain
controller-based computer.








Directly Migrating NetWare 3.x Accounts and Groups
To perform a direct (non-staged) Accounts and Groups migration from a Novell NetWare 3.x Server
Bindery to Windows Server 2003 Active Directory using MSDSS, follow these steps:
1. On a Windows Server 2003 computer with MSDSS installed, click Start, point to All Programs,
   point to Administrative Tools, and then click Directory Synchronization. MSDSS starts.

   The MSDSS Microsoft Management Console (MMC) snap-in appears, with your Active Directory
   Forest name in parentheses on the title bar.
2. To open the New Session Wizard, in the MSDSS console tree, right-click MSDSS (Your Active
   Directory Forest Name), and then click New Session on the shortcut menu. The New Session
   Wizard starts.







3. On the Welcome to the New Session Wizard page, click Next to continue with the accounts and
   groups migration.




4. On the Synchronization and Migration Tasks page, choose the following three settings:

   a. On the Synchronization and Migration Tasks page, click the Select NDS or Bindery arrow,
      and then click Novell Bindery.
   b. Under Select a task, click Migration (from NDS or Bindery to Active Directory).

   c. Under Select a task, select the Migrate Files check box. This will create the file migration log
      required by File Migration Utility.

   Note The third check box (Migrate Files) is selected. This setting does not force you to immediately
   migrate the files, but rather creates a text log file to be used later for the file migration when you are
   ready to migrate files. It is recommended that you select Migrate Files, even if the timeframe for file
   migration is not yet decided.







    Your screen should look like this:




5. If files will be migrated with directory objects, you must select the Migrate Files check box. In a
   default settings installation of Windows Server 2003 and MSDSS, the file migration logs will be
   placed in the systemroot\system32\Directory Synchronization\Session Logs folder. The file
   migration logs are sequentially named "1.txt; 2.txt; 3.txt," etc.

6. Record the Migrate Files log locations. When you use the File Migration Utility, you are prompted
   for the file names and their locations. You can also search for them later on the hard drive.







7. On the Active Directory Container and Domain Controller page, click Browse to select the
   Active Directory Container in which you want to place the migrated NetWare Users and Groups.







8. In the Select an Active Directory Container dialog box, browse to select the object container that will
   store the NetWare Users and Groups.




    Note You cannot use MSDSS to migrate the NetWare Users and Groups into the Active Directory
    Domain Users object. If you have not already created the object container that the NetWare Users and
    Groups will be placed into, you can do so now by opening the Active Directory Users and Computers
    MMC snap-in and creating it, and then re-opening the Select an Active Directory Container dialog
    box to select the new object container.







9. On the Active Directory Container and Domain Controller page, under Active Directory
   container, type the path to the Active Directory container to which you want to copy items, or click
   Browse to locate the container.




    Note All subcontainers of the selected containers will be copied.

10. Under Domain controller, accept the default domain controller in which you want to store the
    migration log, or click Find to locate a different domain controller to store the log, and then click
    Next.







11. On the Bindery Container and Password page, click Browse to select the NetWare Bindery
    Server that you want to migrate.







12. In the Browse for Bindery Server dialog box, browse to select the Bindery Server that you want to
    migrate, and then click OK.







13. After you select the Bindery Server, the Bindery Container and Password page fully reappears.




14. Under User name and Password, type the Novell Administrator account and password that you
    want to use for synchronization, and then click Next.







15. On the Initial Reverse Synchronization page, click Password Options.







16. In the Password Synchronization Options dialog box, click the appropriate option, and click OK.




   Note NDS and Bindery do not allow user passwords to be read. Therefore, you need to choose a
   password assignment scheme to specify how passwords will be assigned in Active Directory once they
   have been migrated from NDS or Bindery.

   For an extended description of the four password options, see the "MSDSS Password
   Management" section of this document.

17. On the Initial Reverse Synchronization page, click Next.







18. To complete the migration of NetWare Bindery User Accounts and Groups to Active Directory, on
    the Completing the New Server Wizard page, click Finish.







19. The Synchronize dialog box informs you when the migration is complete. For more information on
    the migration, click View Logs, or click OK to complete the migration.







20. To confirm the migration of accounts and groups, start Active Directory Users and Computers.




21. In Active Directory Users and Computers, click the Active Directory object into which the
    Accounts and Groups were migrated. Confirm their existence and their proper group memberships.
22. Close Active Directory Users and Computers.








Directly Migrating NetWare 4.x, 5.x, or 6.x NDS
The following procedure illustrates a direct, non-staged, step-by-step migration of a NetWare 5.x NDS
object container to Windows Server 2003 Active Directory. The NetWare 4.x and 6.x migrations are
similar. In this example procedure, an NDS object that contains user accounts and groups is migrated
into a similar OU structure in Active Directory. The user accounts and groups are migrated to Active
Directory by using MSDSS.

To perform an Accounts and Groups migration from a Novell NetWare 4.x, 5.x, or 6.x NDS Server to a
Windows Server 2003 Active Directory using MSDSS, follow these steps:
1. On the Windows Server 2003 Active Directory server with MSDSS installed, click Start, point to All
   Programs, point to Administrative Tools, and then click Directory Synchronization.

    The MSDSS management console appears, with your Active Directory Forest name in parentheses
    on the title bar.




2. To start the New Session Wizard, in the MSDSS console tree, right-click MSDSS (Your Active
   Directory Forest Name), and then click New Session on the shortcut menu.







3. To continue with the accounts and groups migration, on the Welcome to the New Session Wizard
   page, click Next.







4. On the Synchronization and Migration Tasks page, click Select NDS or Bindery, and click
   Novell Directory Services (NDS) in the list.




5. On the Synchronization and Migration Tasks page, under Select a task, click Migration (from
   NDS or Bindery to Active Directory).

6. On the Synchronization and Migration Tasks page, under Select a task, select the Migrate
   Files check box.

    Note When you select the Migrate Files check box, the file migration log that is required by File
    Migration Utility will be created. Creating the migration log does not force you to immediately migrate
    the files; the text log file is created for later use during the file migration. It is recommended that you
    select the Migrate Files check box, even if the timeframe for file migration is not yet decided. If you
    intend to migrate files with directory objects, then you must select the Migrate Files check box.

7. Record the Migrate Files log locations. When you use File Migration Utility, you will be prompted for
   the file names and their locations. You can also search for them later on the hard drive.

    Note In a default settings installation of Windows Server 2003 and MSDSS, the file migration logs will
    be placed in the system\system32\Directory Synchronization\Session Logs folder. The file migration
    logs are sequentially named "1.txt, 2.txt, 3.txt," etc.

8. On the Synchronization and Migration Tasks page, click Next.







9. On the Active Directory Container and Domain Controller page, select the Active Directory
   container in which you want to place the migrated NetWare Users and Groups by clicking Browse.







10. In the Select an Active Directory Container dialog box, select the Active Directory object that you
    created to contain the NetWare Users and Groups.




    Note The New Session Wizard does not permit you to migrate the NetWare Users and Groups into the
    Active Directory Domain Users object container. If you have not already created an object container into
    which you want to place the NetWare Users and Groups, you can do so without canceling the New
    Session Wizard by opening the Active Directory Users and Computers MMC snap-in and creating it,
    and then re-entering the Select an Active Directory Container screen to select the new object
    container.







11. On the Active Directory Container and Domain Controller page, click Browse to select the
    Active Directory container into which you want to copy items.




    Note All subcontainers of the selected containers will be copied.

12. Under Domain Controller, accept the default domain controller to store the migration log, or click
    Find to select a different domain controller to store the log, and then click Next.







13. On the NDS Container and Password page, click Browse to select the NDS container that you
    want to migrate.







14. In the Browse for NDS Container dialog box, select the NDS container that you want to migrate.
    Click OK.




   Note All subcontainers of a selected NDS container will be copied to the specified Active Directory OU.







15. On the NDS Container and Password page, in the User name box, type the Novell Administrator
    account name, and in the Password box, type the password that you want to use for
    synchronization. Click Next to proceed.




   Important The NDS administrative account must be typed using the NDS context. The account id
   syntax must be entered as follows:

   Where the account to be used is admin, the Container it is a member of is Sales, and the NDS Tree is
   CompanyTree:

   Enter admin.sales, not admin.sales.companytree.







16. On the Initial Reverse Synchronization page, click Password Options.







17. In the Password Synchronization Options box, click the appropriate password scheme. For an
    extended description of the four password synchronization options, see the "MSDSS Password
    Management" section of this document.




   Note NDS and Bindery do not allow user passwords to be read. Therefore, you need to choose a
   password assignment scheme to specify how passwords will be assigned in Active Directory once they
   have been migrated from NDS or Bindery.

18. After you have selected a password scheme, click OK, and then click Next.







19. On the Completing the New Session Wizard page, click Finish to complete the migration of
    Novell NDS User Accounts and Groups to Active Directory.







20. The Synchronize dialog box informs you that the migration is complete.




21. In the Synchronize dialog box, click View Logs for more information on the migration, or click OK
    to complete the migration.







22. To confirm the migration of accounts and groups, start Active Directory Users and Computers.




23. In Active Directory Users and Computers, click the Active Directory object into which the
    Accounts and Groups were migrated. Confirm their existence and their proper group memberships.
24. Close Active Directory Users and Computers.
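
The confirmation in the last steps of both account migration procedures (existence and proper group memberships) can also be scripted. The following is an added example, not part of the original white paper or of MSDSS: it compares a roster recorded on the NetWare side before migration with a `csvde` export of the target container. The roster, the OU and domain names, the sample export, and the assumption that migrated accounts keep their NetWare names as `sAMAccountName` are all constructed for illustration.

```python
import csv
import io
import re

# Constructed roster recorded on the NetWare side before migration:
# account name -> groups it belonged to (illustrative names).
EXPECTED = {
    "ANNEPA": {"SALES"},
    "DONHA": {"SALES", "ENGINEERING"},
    "FUKIKOOG": {"ENGINEERING"},
}

# Constructed sample in the shape csvde writes: DN first, then the requested
# attributes, multi-valued attributes separated by semicolons. Assumed export
# command (container DN is a placeholder):
#   csvde -f export.csv -d "OU=NetWareUsers,DC=example,DC=com"
#         -r "(&(objectCategory=person)(objectClass=user))"
#         -l "sAMAccountName,memberOf"
SAMPLE_EXPORT = '''DN,sAMAccountName,memberOf
"CN=ANNEPA,OU=NetWareUsers,DC=example,DC=com",ANNEPA,"CN=SALES,OU=NetWareUsers,DC=example,DC=com"
"CN=DONHA,OU=NetWareUsers,DC=example,DC=com",DONHA,"CN=SALES,OU=NetWareUsers,DC=example,DC=com;CN=Backup Operators,CN=Builtin,DC=example,DC=com"
"CN=TEMP1,OU=NetWareUsers,DC=example,DC=com",TEMP1,
'''

# First RDN of a DN, allowing backslash-escaped characters such as "\,".
_FIRST_RDN = re.compile(r"^CN=((?:\\.|[^,\\])+)", re.IGNORECASE)


def group_name(dn):
    """Return the upper-cased CN of a group DN (the raw DN if it has no CN)."""
    match = _FIRST_RDN.match(dn.strip())
    if not match:
        return dn.strip().upper()
    return re.sub(r"\\(.)", r"\1", match.group(1)).upper()


def parse_export(text):
    """Map each exported account name to the set of groups in its memberOf.

    memberOf never lists the primary group (Domain Users by default), so that
    group does not appear in the result.
    """
    actual = {}
    for row in csv.DictReader(io.StringIO(text)):
        name = (row.get("sAMAccountName") or "").strip().upper()
        if not name:
            continue
        raw = row.get("memberOf") or ""
        # Split on semicolons that are not backslash-escaped inside a DN.
        dns = [dn for dn in re.split(r"(?<!\\);", raw) if dn.strip()]
        actual[name] = {group_name(dn) for dn in dns}
    return actual


def compare(expected, actual):
    """Return (finding, account, group) tuples for every discrepancy."""
    expected = {u.upper(): {g.upper() for g in gs} for u, gs in expected.items()}
    findings = []
    for user in sorted(expected):
        if user not in actual:
            findings.append(("missing-account", user, ""))
            continue
        for group in sorted(expected[user] - actual[user]):
            findings.append(("missing-membership", user, group))
        # Memberships the roster does not explain deserve review: they may
        # grant rights the NetWare account never had.
        for group in sorted(actual[user] - expected[user]):
            findings.append(("unexpected-membership", user, group))
    for user in sorted(set(actual) - set(expected)):
        findings.append(("unexpected-account", user, ""))
    return findings


if __name__ == "__main__":
    for finding, user, group in compare(EXPECTED, parse_export(SAMPLE_EXPORT)):
        print(f"{finding:22} {user:10} {group}")
```

An empty result means every roster account exists in the container with exactly the recorded memberships; any `unexpected-*` finding should be explained before the file migration assigns permissions to those accounts.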








Migrating NetWare 3.x Files to Active Directory
To migrate NetWare 3.x files to Windows Server 2003 Active Directory, follow these steps:

1. Start File Migration Utility.

    The server performs an initial check for connectivity and logon ids.




2. Click Next to continue the file migration.







3. On the Migration Log Selection page, click Browse to select the migration log to use as the
   template for file migrations.




   Note The migration log is the log file generated during the previous migration of accounts and groups.

   In a default settings installation of Windows Server 2003 and MSDSS, the file migration logs should
   be located in the "system\system32\Directory Synchronization\Session Logs" folder. The file
   migration logs are sequentially named "1.txt, 2.txt, 3.txt," etc.







4. On the Migration Log Selection page, select the Validate Active Directory maps check box, and
   then click Load Data.




   This step confirms that the user mappings will work with the file migrations. See the following
   screen shot for more detail.







5. To display the Novell to Active Directory user mapping, click View Maps.







6. Confirm the mappings and then click the Close button.




7. To make adjustments to the Novell to Windows Active Directory permissions mapping, click
   Access Rights.







8. To increase the Modify permission mapping to include Read with Write, in the Access Rights
   dialog box, select the Write check box, and then click OK.




   Note Because Novell file permissions do not identically map to Windows Server 2003 file permissions,
   you have the option of changing the extent of rights that the Novell Modify file permission has.

   By default, the Windows Read permission is made equivalent to Novell Modify. The Novell Modify
   command can also be made equivalent to the Windows Read with Write permission combination.







9. To skip the Security Accounts for Migration (Optional) page, click Next.




   Note This optional page enables you to verify the NetWare Server you are attached to and change the
   NetWare supervisor account information you will use to attach to the server. It also displays the Active
   Directory user account with which you are logged on to the Windows domain, enables you to change
   Novell login script behavior, and enables you to attach to the system via dial-up connections.







10. On the Source and Target Volume Migration page, browse for and select the NDS or Bindery
    source object and the Active Directory target object.

    The following screen illustrates a partially expanded Novell Bindery to Windows Server 2003 Active
    Directory migration screen. The left side of the screen shows the Novell NetWare 3.x Server SYS
    volume view, partially expanded. On the right side is the Windows Server 2003 Active Directory
    Forest view, partially expanded.




    Note If the Bindery volume that you select in the source tree indicates Unavailable, then you are not
    currently logged on to that Bindery server. Log on, and then continue with the migration.

11. Identify and select the appropriate source and target locations for each user to be migrated. After
    you select each user’s source and target directory, you will click the Map button in the center of the
    page.

    In the following screen, the Novell Server and Windows Server 2003 Forest are expanded, and the
    sample user ANNEPA’s source directory in NetWare as well as the Windows Server 2003 Active
    Directory target directory are selected.







    The source directory is user ANNEPA’s home directory; the target directory was created in a
    shared folder on a Windows Server 2003 domain controller before or during the migration process.

    To the right of View computers of type, select the type of computer that the user’s files will be
    migrated to. In the figure shown, the selections made for View computers of type (Domain
    Controllers and Member Servers) affect the selections shown for Target (Active Directory).

    The following screen shows an example of a completed user mapping.







12. In the following screen, the source and target for the user ANNEPA have been selected and the
    Map button selected.




13. Under Migration order of maps, you can confirm the data mapping that has occurred.







14. Assume that after the user ANNEPA was mapped, two more sample users, DONHA and
    FUKIKOOG, have been mapped for migration by selecting both their unique source and target
    directories.

    As the users are mapped, their data mapping information is displayed at the bottom of the screen.
    The data mappings can be reordered or even deleted and remapped if necessary.




15. When all of the user mappings are complete, click Next to continue.







16. On the Log Settings (Optional) page, select the Enable logs check box.




    Note It is recommended that you enable logging for the migration. You can then select other options,
    such as the file naming attributes. The results from the logs can be reviewed at a later time if needed.

17. Click Next to continue with the migration.







18. On the scanning Source File and Target Verification page, click Scan to confirm that the system
    is ready to migrate the files.




    Note The system will verify that the target roots and source objects are valid, and that the target disks
    have enough space available. Although there is an option to bypass errors during a scan, it is not
    recommended that you use it on the first scan, if at all.

19. After the scan is complete and you have reviewed the results, click Next to proceed with the file
    migration.







20. On the Start Migration page, click Migrate to begin the file migration.

    The following screen shows the results of a completed migration.




21. Review the results, and then click Next to finish.







22. On the Completing Migration with File Migration Utility page, review the results of the file
    migration, and then click Finish to close the utility.








Migrating NetWare 4.x, 5.x, or 6.x Files to Active Directory
To migrate NetWare 4.x, 5.x, or 6.x files to Windows Server 2003 Active Directory, follow these steps:

1. Start the File Migration Utility.

    The Server performs an initial check for connectivity and logon ids.




2. Click Next to continue the file migration.







3. On the Migration Log Selection page, click Browse to select the migration log that will be used as
   the template for file migrations.




   Note The migration log is the log file generated during the previous migration of accounts and groups.

   In a default installation of Windows Server 2003 and MSDSS, the file migration logs are placed in
   the "system\system32\Directory Synchronization\Session Logs" directory. The file migration logs
   are sequentially named "1.txt, 2.txt, 3.txt," etc.







4. On the Migration Log Selection page, select the Validate Active Directory maps check box,
   and then click Load Data. This will confirm that the user mappings will work with the file
   migrations. See the next screen shot for more detail.







5. To display the Active Directory map information, click Load Data.




6. To display the Novell to Active Directory user mapping, click View Maps.

7. To adjust the Novell to Windows Server 2003 Active Directory permissions mapping, click Access
   Rights.







8. To display the NDS to Windows Server 2003 Active Directory Accounts Mappings, click View
   Maps.




9. Confirm the mappings and then click Close.







10. To increase the Modify permission mapping to include Read with Write, in the Access Rights
    dialog box, select the Write check box, and then click OK.




   Note Because Novell file permissions do not identically map to Windows Server 2003 file permissions,
   you have the option of changing the extent of rights that the Novell Modify file permission has.

   By default, the Windows Read permission is made equivalent to Novell Modify. The Novell Modify
   command can also be made equivalent to the Windows Read with Write permission combination.







11. The Security Accounts for Migration (Optional) page enables you to verify the NetWare Server
    to which you are attached and to change the NetWare supervisor account information that you will
    use to attach to the server.




    This page also displays the Windows Server 2003 Active Directory user name that you used to log
    on and it enables you to change Novell login script behavior and to attach to the system via dial-up
    connections.
12. Click Next to continue.







13. The Source and Target Volume Migration page appears. In the boxes, select the source(s) and
    target(s) of the files that you want to migrate from Novell to Windows Server 2003.
   As the following screen shows, in the Source (NDS/Bindery) box, you can see a partially
   expanded view of a Novell NetWare 5.x NDS tree. In the Target (Active Directory) box, you can
   see a partially expanded view of a Windows Server 2003 Active Directory forest.




   Note If the NDS volume you selected in the source tree indicates Unavailable, you are not currently
   logged on to that tree. Log on, and then continue the migration.







14. Identify and select the appropriate source and target locations for each user to be migrated. After
    you select each user’s source and target directory, you will click the Map button in the center of the
    page.

    The following screen shows the Novell NDS Tree and Windows Server 2003 Active Directory
    Forest expanded. The user Luisbo’s source directory is selected for migration to the Windows
    Server 2003 Active Directory target directory.




    The source directory is user Luisbo’s home directory; the target directory was created in a shared
    folder on a Windows Server 2003 domain controller before or during the migration process. To the
    right of View computers of type, select the type of computer that the user’s files will be migrated
    to. In the figure, the selections shown for View computers of type (Domain Controllers and
    Member Servers) affect the selections under Target (Active Directory).

    See the following screen for an example of a completed user mapping.







15. Assume that you selected the source and target directories for the user Luisbo and you clicked
    Map. Under Migration order of maps, you can see the actual data mapping that occurred.







16. As the following screen shows, after the user Luisbo’s directory is mapped, two more sample users,
    Mengph and Paulwe, are also mapped for migration by selecting both their unique source and
    target directories.




    As the users are mapped, their data mapping information is displayed at the bottom of the Source
    and Target Volume Migration page.

    The data mappings can be reordered or even deleted and remapped if necessary.
17. After all of the user mappings are complete, click Next to continue.







18. On the Log Settings (Optional) page, select the Enable logs check box.




    Note Although it is optional, it is recommended that you enable logging for the migration. You can then
    select other options that are available on the page, such as the file naming attributes. The results from
    the logs can be reviewed at a later time if needed.

19. Click Next to continue.







20. On the scanning Source Files and Target Verification page, click Scan to verify that the target
    roots and source objects are valid and that the target disks have enough space available. The
    following screen shows the results of a scan.




    Note Although there is an option to bypass errors while scanning, it is not recommended that you use it
    on the first scan, if at all.

21. After the scan is complete and you have reviewed the results, click Next to continue.







22. On the Start Migration page, click Migrate. The following screen shows the results of a completed
    migration.




23. Review the results, and then click Next to finish.







24. The results of a File Migration Utility migration are displayed as shown below. Review the results of
    the file migration, and then click Finish.








NetWare to Windows Server 2003 Migration Checklist
You can refer to this checklist for a quick guide to preparing and performing a migration. For details
about migration steps, see "NetWare Migration Preparation Details," "Outline of Migration Steps," and
the step-by-step sections earlier in this document.



                         Analyze and Evaluate Existing Environment Phase
Perform an IT infrastructure analysis of the following
    LAN and WAN links
    Namespace design issues
    Workstations
    Servers
Evaluate mail system migration strategy
    Plan mail system migration as separate project
Identify network components and systems to be migrated
    Diagram and identify all network components, including hardware and software
    Identify all types of information stored on the network, including its owners, users, locations, and
     associated security settings
    Identify all Novell services-dependent software
    Determine the systems and version(s) of NetWare to be migrated
    Review WAN/LAN links and their available bandwidth
    Plan for future hardware, software, and network bandwidth needs
    Analyze the current and future namespace design



                             Planning the Migration (Deployment) Phase
Create a migration plan and test lab
    Familiarize yourself with one-way and two-way synchronization
    Familiarize yourself with MSDSS functionality
    Create an overall migration plan that will be tested in the lab
    Determine tests to be performed
    Determine expected test results
    Determine tools used to perform tests
    Determine the success criteria for tests
    Create a test lab for design and migration testing
Perform a test migration
    Perform a test migration from NetWare to Windows Server 2003
    Document any additional notes
    Review and adjust migration plans as appropriate






    Repeat a test migration to hone the process if necessary
    Modify namespace design if necessary
    Evaluate custom directory object mapping (optional)
    Acquire new hardware and software (if necessary)
    Choose an installation location for MSDSS
    Choose a direct or staged (phased) migration
    Identify containers and servers to migrate or synchronize
    Calculate the required number of migration sessions and servers
Develop a recovery plan
    Determine steps needed to recover
    All team members review and sign off on the recovery plan



                                          Pre-Migration Phase
Pre-migration steps
    Identify and obtain administrator accounts with sufficient permissions to successfully complete the
     migration
    Decide who will be the migration administrators
    Recruit a pilot group (optional)
    Educate users
    Back up and test restore the NetWare system and user data
    Install and configure a Windows Server 2003 domain controller
    Install the Novell Client for Windows
    Install MSDSS
    Pre-migration steps are complete; continue to either the direct migration or the staged (phased)
     migration steps








                                         Direct Migration Steps
    Follow the step-by-step instructions to migrate user accounts
    Follow the step-by-step instructions to migrate the file system
    Manually migrate other objects
    Replace Novell-dependent software
    Uninstall Novell NetWare Client for Windows from workstations
    (Recommended) Upgrade NetWare workstations to Windows XP Professional
    Configure all client computers to join the Windows Server 2003 domain
    Decommission NetWare server(s)



                                   Staged (Phased) Migration Steps
Beginning a staged migration
    Log on to the NDS tree or Bindery server with administrative credentials
    Log on to the appropriate Windows Server 2003 domain
    Print out MSDSS help topics
    Re-familiarize yourself with directory synchronization methods
    Start MSDSS and configure one-way or two-way synchronization
Completing a staged migration
    Install and configure File and Print Services for NetWare (optional)
    Replace software dependent on Novell services
    Migrate the pilot group of users and their files (optional)
    Manually migrate other objects
    Migrate the rest of the user accounts and their files as appropriate
    Uninstall Novell NetWare Client for Windows from workstations
    (Recommended) Upgrade NetWare workstations to Windows XP Professional
    Configure all client computers to join the Windows Server 2003 domain
    Decommission the NetWare server(s)








Related Links
The following resources will help you in migrating NetWare to Windows Server 2003:
   For links to technical and how-to content for Windows Server 2003, see Windows Server 2003
    Resources, How-Tos and Communities for the IT Pro at
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/.

   For the latest information about Services for NetWare, see Services for NetWare on the Windows
    Server 2003 Web site at http://www.microsoft.com/windowsserver2002/technologies/sfn/default.mspx.
   For guidelines and recommended processes for designing and deploying Windows Server 2003 family
    technologies, see Microsoft Windows Server 2003 Deployment Kit at
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/datacenter/deployrk_overview.asp

   For a comparison of Windows 2000 and NetWare 6 network operating systems, see Comparing
    Windows 2000 Server to NetWare 6.0 at http://www.microsoft.com/windows2000/sfn/w2knw6.asp
   For information about Services for NetWare 5.0, see Services for NetWare 5.0 on the Windows 2000
    Web site at http://www.microsoft.com/windows2000/sfn/default.asp.



For the latest information about Windows Server 2003, see the Windows Server 2003 Web site at
http://www.microsoft.com/windowsserver2003.



