TEST CENTER ANALYSIS

New Twist For Network Upgrades
With Windows 2000 Looming, Migration Issues Are Critical For VARs, Users
By John Yacono

    Novell Inc. and Microsoft Corp. would have resellers believe that one network operating system (NOS) fits all, but technically speaking, Windows 2000 and NetWare 5 take different approaches to solving enterprise challenges. Which techniques are better depends on the application and the company in question.

    The legacy NOS also matters, since customers are unlikely to switch NOSes. That raises the question: How does upgrading a NOS compare with crossing platforms?

    UPGRADING NETWARE
    Networks that have not migrated all servers to NetWare 5 will be unable to use important improvements included in Novell Directory Services (NDS) 8. Without full NDS 8 support, sections of the NDS namespace need to be partitioned for best performance. Additional partitions require additional management, increasing maintenance costs.

    Since NDS partitions cannot see one another, catalogs must be established between partitions to expose network objects. Unfortunately, catalogs are not incrementally updated; they are recreated from scratch at each replication interval, wasting CPU time. Also, the default replication interval is so long it can lead to inconsistencies between a catalog and its partition.

    Surprisingly, objects in catalogs do not carry the access restrictions they have in their native partition. Instead, they inherit the restrictions placed on the catalog.

    That complicates management. Consider a partition that contains objects with a salary attribute that only a human-resources user group is allowed to see from within the partition. Anyone with access to a catalog that contains those objects can view salary attributes, unless the catalog has restrictions placed on it. The duplication of effort is compounded when multiple catalogs must be established to offer different groups varying levels of access.

    Another issue affecting mixed NetWare networks is that legacy NDS servers do not handle Lightweight Directory Access Protocol (LDAP) requests natively. In earlier versions of NDS, LDAP calls had to be converted to and from NDS format by an LDAP-server software layer. The translation slows data access.

    The weaknesses of older versions of NDS and NetWare's inability to use the improvements in NDS 8 in heterogeneous environments make a strong case for upgrading. The choice between NetWare 5 and Windows 2000 depends on whether a company can delay implementation and on how well its needs match the NOS' features.

    UPGRADING WINDOWS
    By contrast, since Active Directory Service (ADS) is new, there are no legacy-namespace concerns.

    One major problem with upgrading Windows NT systems to Windows 2000 is the lack of compatibility between the naming conventions of Windows NT Domains and Domain Name Service (DNS). Domains traditionally have allowed underscores and other characters not supported by standard DNS conventions. While the DNS server in Windows 2000 will not have problems with the additional characters, legacy DNS servers will.
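As an added illustration of the naming clash described above (not code from the article or from Microsoft), the following Python checker flags the labels of a proposed Windows 2000 DNS name that a legacy DNS server following the RFC 952/1123 hostname rules would reject, and proposes a cleaned-up spelling. The domain names used are constructed.

```python
import re

# Legacy DNS servers accept only the RFC 952/1123 hostname alphabet in each label:
# letters, digits and hyphens, no leading or trailing hyphen, at most 63 octets per
# label and 253 for the whole name. Windows NT domain names could contain underscores
# and other characters, so a proposed Windows 2000 DNS name derived from an NT domain
# should be vetted against these rules before Active Directory is installed.
LEGACY_NAME_LIMIT = 253

def label_problems(label):
    """Return the reasons a single DNS label would be rejected by a legacy DNS server."""
    if not label:
        return ["empty label"]
    problems = []
    if len(label) > 63:
        problems.append("label longer than 63 octets")
    bad = sorted({c for c in label if not (c.isascii() and (c.isalnum() or c == "-"))})
    if bad:
        problems.append("illegal characters: " + "".join(bad))
    if label[0] == "-" or label[-1] == "-":
        problems.append("label starts or ends with a hyphen")
    return problems

def check_domain_name(name):
    """Check a proposed DNS domain name; returns {'ok': bool, 'problems': {label: [reasons]}}."""
    problems = {}
    if len(name) > LEGACY_NAME_LIMIT:
        problems["<whole name>"] = ["name longer than %d octets" % LEGACY_NAME_LIMIT]
    for label in name.rstrip(".").split("."):
        reasons = label_problems(label)
        if reasons:
            problems[label] = reasons
    return {"ok": not problems, "problems": problems}

def suggest_dns_name(name):
    """Heuristic rewrite: map each disallowed character to a hyphen and trim label edges.
    The real rename still has to be agreed with the business before migration."""
    labels = []
    for label in name.rstrip(".").split("."):
        cleaned = re.sub(r"[^A-Za-z0-9-]", "-", label).strip("-")[:63]
        if cleaned:
            labels.append(cleaned)
    return ".".join(labels)

if __name__ == "__main__":
    for candidate in ("ACME_CORP.example.com", "acme-corp.example.com"):  # constructed
        print(candidate, check_domain_name(candidate), suggest_dns_name(candidate))
```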

    Also, mixed domains that contain both Windows NT 4.0 and Windows 2000 Server systems lack features supported by a pure Windows 2000 network. The most important improvement that cannot be used in heterogeneous environments is group nesting: the ability to arrange users and groups in a hierarchy.

    That drawback is particularly notable when comparing ADS to NDS because group nesting is the only method that allows ADS users and groups to inherit rights and privileges from a hierarchy. In NDS, users and groups can be arranged in a hierarchy composed of Organizational Units (OUs), which have rights and privileges that can be inherited by the users, groups and child OUs they contain. Windows 2000 Server also has hierarchical OUs, but they are used for the delegation of network administration and user policies.

    The NDS method is suitable for companies where user rights map to the business-management hierarchy. Companies where access to data increases with an employee's position would be an example.

    The ADS scheme works better when companies must spread administrative responsibilities across a hierarchy. That is especially true when the delegation hierarchy does not match the hierarchy needed for the assignment of user and group rights, with campus-based schools and businesses being one example.

    MULTIPLATFORM SUPPORT
    In a network, it is common to find not only different NOS version numbers but entirely different NOSes as well. A robust directory service must integrate well into such cross-platform environments for ease of management.

    According to Microsoft, Windows 2000 Server will use connectors, a variant of DirSync and other tools to share information between directory services. Microsoft published API standards for the ADS namespace years ago to muster ISV support.

    To date, Microsoft has not supplied the CRN Test Center with synchronization technology despite being far enough into the NOS' development to issue a second release candidate.

    After acquiring Zoomit Technology, Microsoft said it would repackage Zoomit's Via meta-directory software to allow single-point administration of multiple directory types. However, the meta-directory software will not be made available until at least the middle of next year. That is cold comfort for resellers who must wait at least six more months for single-point administration of heterogeneous networks.

    Novell's approach is to build versions of NDS for each NOS. In addition to NetWare, there are flavors of NDS for Windows NT and Unix. Deploying NDS across platforms eliminates directory compatibility issues. On the downside, if NDS must replace an existing directory service in the name of uniformity, the applications that used the old directory service must either be NDS-friendly or be reinstalled or replaced.

    Novell promised to release a tool for XML-based synchronization of differing directories. However, although XML is supported by Lotus Notes, SAP and PeopleSoft, the technology is in early stages of adoption.

    NDS has broader client support to date. NDS supports DOS, Windows 3.x, Windows 95 and 98, Windows NT Workstation 3.51, Windows NT Workstation 4.0, Windows 2000 Professional, IBM OS/2, Apple MacOS and Caldera Linux. ADS clients include Windows 3.x, Windows 95 and 98, Windows NT Workstation 3.51, Windows NT Workstation 4.0 and Windows 2000 Professional.

    Again, the choice between the NOSes depends on the legacy environment and on whether the customer can wait for a particular technology.

    INHERITANCE
    The plumbing used to calculate user privileges is very different in NDS and ADS, although both allow objects such as users, computers and OUs to inherit properties from the OUs they occupy.

    For NDS, inheritance is dynamic: A server walks through every OU along the NDS tree between the user and the root, adding the effect of restrictions at each level to calculate the user's ability to perform an operation. The process is repeated every time a resource is accessed. On the downside, that consumes CPU time and slows every object access. On the other hand, if an administrator makes a security change at some level in the hierarchy, it is effective the next time an object is accessed.

    ADS inheritance is static: The sum effect of all the rules of inheritance has been calculated and stored during the object's creation or the last time it was administered. When a user logs on, he or she is granted a token based on all the groups to which he or she belongs. When a user accesses a network object, the token is compared to the security information stored for that object to determine the user's privileges. No tree walking is required because the calculations are done in advance and the result stored.

    Since computations are performed in advance, access is quicker. Also, since objects are accessed more often than they are created or administered, CPU utilization is lower than that needed for servicing the same number of end users through dynamic inheritance.

    One drawback is that more disk space is required to hold complete inheritance information for each object. Another is that security changes will not affect a currently logged-in user until they log off and log back on, because they already have been issued a token at last logon that grants them a certain level of access. Windows 2000 features a command-line program called SecEdit to force users to receive new tokens, but it does not operate automatically.

    Dynamic inheritance is useful in high-security environments in which quick execution of lockdowns is more important than the money that could otherwise be saved by using slower or fewer CPUs. Static inheritance is useful when immediate lockdown is less of a concern than the need to use inexpensive disk space in place of expensive CPU time.
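The difference between the two strategies, as an added toy model written for this analysis (not Novell's or Microsoft's code): a directory tree whose OUs grant or deny privileges, evaluated dynamically on each access and statically into a logon token, showing that a lockdown applied after logon is seen by the static model only once a new token is issued. OU and user names are constructed.

```python
# Toy model of the two inheritance strategies above (constructed for this article, not
# Novell's or Microsoft's code). OUs form a tree and grant or deny privileges. Dynamic
# evaluation walks to the root on every access; static evaluation computes once at
# "logon" into a token, so a later lockdown is invisible until the token is reissued.
ROOT = "root"

class Directory:
    def __init__(self):
        self.parent = {}        # OU -> parent OU
        self.grants = {}        # OU -> privileges granted at that level
        self.denies = {}        # OU -> privileges explicitly denied at that level
        self.container_of = {}  # user -> OU holding the user object

    def add_ou(self, ou, parent=ROOT, grant=(), deny=()):
        self.parent[ou], self.grants[ou], self.denies[ou] = parent, set(grant), set(deny)

    def add_user(self, user, ou):
        self.container_of[user] = ou

    def effective_rights(self, user):
        """Dynamic (NDS-style): walk from the user's OU to the root now; deny wins."""
        granted, denied, ou = set(), set(), self.container_of[user]
        while ou != ROOT:
            granted |= self.grants[ou]
            denied |= self.denies[ou]
            ou = self.parent[ou]
        return granted - denied

    def logon(self, user):
        """Static (ADS-style): evaluate once and hand the result back as a token."""
        return frozenset(self.effective_rights(user))

def dynamic_check(directory, user, privilege):
    return privilege in directory.effective_rights(user)   # recomputed every access

def static_check(token, privilege):
    return privilege in token                              # no tree walk at all

def lockdown_demo():
    """Deny 'payroll' after logon: dynamic sees it at once, the stale token does not."""
    d = Directory()
    d.add_ou("corp", grant={"read", "payroll"})
    d.add_ou("finance", parent="corp", grant={"approve"})
    d.add_user("alice", "finance")
    token = d.logon("alice")
    before = (dynamic_check(d, "alice", "payroll"), static_check(token, "payroll"))
    d.denies["corp"].add("payroll")   # administrator locks payroll down at the corp OU
    after = (dynamic_check(d, "alice", "payroll"), static_check(token, "payroll"))
    relogon = static_check(d.logon("alice"), "payroll")   # new token after re-logon
    return {"before": before, "after": after, "after_relogon": relogon}
```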

    Administrative inheritance across partitions also distinguishes NDS from ADS. Administrative privileges in ADS cannot be inherited across domain boundaries. That creates security boundaries but limits multidomain administration of Web farms.

    For more on Windows 2000, go to: www.crn.com/thisweek


    Copyright 1999 CMP Media Inc. All rights reserved. Do not duplicate or redistribute in any form.