Certification Objectives
Welcome to an adventure in learning! The Certified Novell Engineer (CNE) is one of the most widely known and respected professional credentials in the information systems industry today. This is a learning adventure because CNEs must have historical knowledge of computing and be familiar with the most recent innovations. Therefore, this book covers a wide variety of subjects, but the central theme of each topic is networking.
Networking is Novell’s core business and it leads the market in server network operating system (NOS) software. Novell’s NetWare servers are the core of networks around the world. NetWare 5 is Novell’s latest network server product. With all the changes and added functionality to this product, even an experienced administrator or engineer will need to brush up. Some of these product additions will change administration methods. What will not change is the need for competent network management and end-user support.
Administrator Responsibilities
Back in the early days of networking, the administrator’s primary responsibility was simply to keep the server up and running. The job has evolved over the years to include many more tasks and responsibilities.
A network used to be a single server and a bunch of workstations. While some workstations were attached to the network and could use server resources, many were standalone. As needs arose for server resources and different functions that the network could provide, enterprise networks included many servers and many workstations, not necessarily all running the same operating system. Now, the administrator adds workstation maintenance to the list of duties, and responsibility for increased numbers and types of servers.
Another change to networking was added distance. Many local area networks (LANs) became wide area networks (WANs). Distribution of network resources required distribution of the administration. Enterprise networks grew and administration needs grew with them. Hierarchical network management is fairly common in large, complex networks. Each administrator handles only a portion of the administration tasks, while other administrators handle the rest. Administrative tasks can be divided into two categories:
Reactive Administration
Reactive administration is the collection of tasks that fix problems as they arise. It is "reactive" to the situation at hand. The types of tasks that fall under this heading include:
Reactive administration includes many more tasks than this, and makes up the bulk of the administrative tasks for a network. In general, when something is not right on the network, and it needs to be corrected, then it is a reactive administrative task.
Proactive Administration
Proactive administration is the collection of tasks that attempts to prevent errors and avoid problems on the network. Proactive administration results in less-reactive administration. Some examples of proactive administration include:
On the Job: Many times, a company will not do proactive administration on a consistent basis, and sometimes not at all. Administrators get caught up in the day-to-day business needs of end users (that is, doing reactive administration) and put off proactive tasks. The result is that reactive administration tasks increase, and end users become dissatisfied. Finally, management throws up its hands and calls in a consultant. A good consultant performs a network analysis and makes recommendations for the network that might have surfaced from proactive network administration. I like to call this preventative computing. The comparison is that in preventative dentistry, the dentist asks you to floss only the teeth that you want to keep. In preventative computing, you need to perform proactive tasks on only the network components you want to keep online.
Some enterprises have recognized the need for proactive administration and provide separate administrators to handle these tasks. The proactive administrators are not besieged by end-user requests and can concentrate on preventing serious errors from occurring on the network.
Note that proactive and reactive administrative tasks may affect the same issue. For instance, proactive security planning may set a policy that passwords will be changed every 30 days, and that the account will be locked out if the wrong password is entered more than three times. A reactive task for security is resetting a password when the user is locked out from his account because he entered it incorrectly several times at the login screen.
Network Resources and Services
Sharing resources and services is a powerful method to enhance productivity. The terms resources and services tend to be used interchangeably. However, there is a distinction. A resource is an entity that exists on the network. A service provides access to the resource. For example, a printer is a resource on the network. The program or function that makes it possible for people to print documents on that printer is the printing service. In NetWare 5, the printing service is provided by Novell Distributed Printing Services (NDPS). In order to print on a network, both components are required. Usually both a resource and a service must be up and running in order for the resource to be used.
Table 1-1 lists some common resources and their associated services.
Resource | Service
Printer | Printing service
Server | Shared disk space; file service
Modem | NetWare Connect shared modem service, or third-party FAX service
HTML (Hypertext Markup Language) document | Web server service
IP address | DHCP service (Dynamic Host Configuration Protocol, used to distribute IP addresses dynamically)
CD-ROM drive | CD-ROM volume-sharing service
Database | Database service
Table 1: Network Resources and Their Associated Services
There are many other services and resources than the ones listed in Table 1-1. NetWare typically provides services through NetWare Loadable Modules (NLMs) on the NetWare server. NLMs are applications that run on a NetWare server.
From the Classroom
What Is NDS?
Novell Directory Services (NDS) is a hierarchical database that contains information about all of the "entities" that make up a NetWare 4.x or 5 network. The key word is database; every object below the [Root] is represented in the Directory database by a record that contains the object’s name and properties. If you think of the record identifier as the object name and the field names as the object’s properties (or details), you will have made a major step in understanding the nature of NDS.
For those of you who are not familiar with database structures, take a look at your driver’s license. It has your name (object name), and information about you (details/properties), such as what you look like, what type of vehicles you are authorized to operate (object rights), where you reside, and which state issued the license (context), etc. In the case of a driver’s license, it looks just like a User object in the NDS tree.
—By Dan Cheung, CNI, MCNE, MCT
Introduction to Novell Directory Services
Novell Directory Services (NDS) is the service used by NetWare to organize resources throughout an entire network. It is a database that contains user IDs and network resources such as printers, print queues, servers, and volumes where objects may be granted access to other objects for security purposes. Because all network resources are organized in NDS, this is the most efficient place to manage security among network resources, users, groups, and other objects.
NDS allows users a single login authentication. In older versions of NetWare, resources were organized on an individual server basis. This created the need for multiple login IDs, one for each server to which a user was granted access. NetWare 4 includes NDS, which combines all resources in one directory and enables each user’s login to check one directory for access information; for example, a single login ID is all that is needed for authentication to any resource on the enterprise network.
NDS enables the following:
NDS Structure
NDS stores network resources in a tree structure that is similar to a directory tree. There are two types of objects within the tree:
A container object in NDS is like a directory (or folder) in a directory tree. It can contain leaf objects or other container objects. Container objects are used to organize the tree structure. Table 1-2 defines the [Root] and container objects.
Object | Abbreviation | Description
[Root] | | The top of the NDS tree. There is only one root object. It is created during the first server installation into the NDS tree. The [Root] can contain only Country objects or the Organization object. It does not contain any leaf objects other than Alias objects, if the Alias represents a Country or an Organization.
Country | C | Special container object for country locations. Country objects can be placed only in the root. Country objects are optional.
Organization | O | A high-level container object placed directly in the root or under country units. This object usually represents the company.
Organizational Unit | OU | Container objects placed below the Organization-level unit. This creates a subgroup within the tree in order to organize the network resources.
Table 2: The [Root] and Container Objects
Leaf objects represent resources in the NDS tree. A leaf object does not contain any other objects. A leaf object is analogous to a file in a directory tree, since it cannot contain any other files or folders. Some developers have created NDS-aware programs that add leaf objects (for example, resources) to the NDS tree.
Exam Watch: Container objects can contain other container objects, as well as leaf objects. Leaf objects are end points in the NDS tree and cannot contain any objects whatsoever.
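As an added example (not from the book), the following Python models the container placement rules of Table 1-2 for typed NDS names such as CN=Eng1.OU=ENG.OU=PHX.O=MA, returning an object’s context and listing any rule an object breaks. The rule that a Country holds only Organization objects is this example’s own assumption, since the table does not state what a Country may contain.

```python
"""Added example (not from the book): parse an NDS typed name such as
'CN=Eng1.OU=ENG.OU=PHX.O=MA', give back the object's context, and check each
object against the placement rules of Table 1-2. One rule is this example's own
assumption: a Country (C) is taken to hold only Organization (O) objects, since
the table does not say what a Country may contain.
"""
# Object type -> the container types it may be placed directly in.
# Table 1-2: C only under [Root]; O under [Root] or a C; OU under an O or OU.
# Leaf objects (given here as CN) sit in an O or OU and contain nothing.
ALLOWED_PARENT = {
    "C": {"[Root]"},
    "O": {"[Root]", "C"},
    "OU": {"O", "OU"},
    "CN": {"O", "OU"},
}


def parse_typed_name(name):
    """'CN=Eng1.OU=ENG.O=MA' -> [('CN', 'Eng1'), ('OU', 'ENG'), ('O', 'MA')].

    The leaf comes first, the [Root]-side component last. A leading period,
    which marks a name as complete (relative to [Root]), is accepted."""
    parts = []
    for component in name.strip().lstrip(".").split("."):
        obj_type, sep, value = component.partition("=")
        obj_type = obj_type.upper()
        if not sep or not value or obj_type not in ALLOWED_PARENT:
            raise ValueError(f"bad name component {component!r}")
        parts.append((obj_type, value))
    return parts


def context_of(name):
    """The context is the object's location: every component after the first."""
    return ".".join(f"{t}={v}" for t, v in parse_typed_name(name)[1:])


def placement_errors(name):
    """Table 1-2 rules each object in the name breaks; empty when well placed."""
    errors = []
    parent_type = "[Root]"
    # Walk from the [Root] end down to the named object, checking each parent.
    for obj_type, value in reversed(parse_typed_name(name)):
        if parent_type == "CN":
            errors.append(f"leaf object cannot contain {obj_type}={value}")
        elif parent_type not in ALLOWED_PARENT[obj_type]:
            errors.append(f"{obj_type}={value} may not be placed under {parent_type}")
        parent_type = obj_type
    return errors
```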
Leaf Objects
Directory leaf objects are objects that do not contain any other objects. These represent actual network entities such as users, servers, printers, and computers. Table 1-3 describes the different types of leaf objects available in NDS.
Leaf Object | Description
Alias | The Alias object is essentially a pointer to another leaf object in the tree. An alias is used to ease access to network resources since it makes the leaf object that the alias represents appear as though it exists in the context of the Alias object.
Application | This object is not part of the base schema, but is added when using the NetWare Application Launcher (NAL). It represents an executable application that the end user must be granted rights to before it appears in the NAL window on the end user’s workstation.
Bindery | The Bindery object is provided for backward compatibility to older versions of NetWare. It is commonly created during migrations and upgrades of existing NetWare 2.x and 3.x servers, or placed there by bindery-based programs.
Bindery Queue | The Bindery Queue is a print queue that was migrated from a NetWare 2.x or 3.x server. This object is for backward compatibility.
Computer | This object is a computer on the network that is not a server, such as a workstation or router.
Directory Map | An object that represents a directory path in the file system on a volume. Directory Maps can ease administration of files, since files can be moved to other volumes and the move would be transparent to end users since the Directory Map name would not need to be changed. When mapping drives within a login script, using a Directory Map name allows the physical location of the files to change without editing the login script later.
Group | The Group object represents a list of multiple User objects that can be located in any context within the NDS tree. Group objects are convenient for assigning the same rights to an entire list of individuals, and are useful in login scripts.
NetWare Server | The NetWare Server object denotes a server running the NetWare operating system on the network. This object is automatically created when a server is installed into the NDS tree. It is useful for storing information about the server, such as physical location and provided services. Other objects, such as Volume and Directory Map, point to their associated NetWare Server object.
Organizational Role | The Organizational Role object enables the definition of a position that is person-independent. When a person is placed in that position, the User object is associated with the Organizational Role object and automatically receives the Organizational Role object rights. If there is a position that is filled by consistently changing personnel, the creation of this object can facilitate the management of the rights needed for it.
Print Server | The Print Server object represents a network print server.
Printer | The Printer object represents a network printer.
Print Queue | The Print Queue object signifies a network print queue.
Profile | The Profile object is a login script object that can be assigned to a user property. The script contained in the Profile object is executed when any assigned user logs into the network after the system login script and before the user login script. The Profile object is useful for a group of users that need a common login script function.
Unknown | The Unknown object is exactly that: an object that NDS cannot validate or identify as belonging to the object classes defined within the schema.
User | The User object must be created for each individual login ID required on the network. This object represents a person who logs in to the network and allows network security to be granted for resources.
Volume | The Volume object is a volume on a network server. When a NetWare Server is installed, the installation process automatically creates a Volume object for each volume built at installation. Information about the volume’s files and directories is available from within the NetWare administrator program by examining the properties of this object.
Table 3: Leaf Objects Available in NDS
Exam Watch: An object’s context is a description of the location of that object in the NDS tree.
The NDS schema is the structure of objects that can be stored within the directory tree, as illustrated in Figure 1-1. The schema defines the following information about objects:
Figure 1: NDS tree structure
Object classes contain the above information within the schema. An object class is the type of object that can be within the tree, such as a User object or an Organizational Unit object. For example, a User object has the following elements:
On the Job: The NDS schema is expandable. Some NDS-aware applications will change the schema to suit their own purposes—adding object classes to the schema and then the objects to the tree for use. This does not harm existing servers in the directory nor does it affect servers installed into the tree after the schema has changed. However, when merging two NDS trees, the schemas must be identical. This can be a problem if a program was installed and changed the schema of one tree, but was never installed into the other tree. When NDS was new, there were no tools to manage the schema, maintain the directory, or even merge trees. Now there are DSREPAIR and DSMERGE utilities to handle tree and schema issues.
Object Properties and Values
The attribute information of NDS objects is a collection of properties. The data contained within each property is its value. This information is stored within the NDS tree and can be viewed for each object through the NetWare administrator in the form of dialog boxes, as shown in Figure 1-2.
Figure 2: Dialog box showing values of an object’s properties
Each NDS object consists of various properties that have corresponding values. Some values must be input into NDS upon object creation. Other values are optional. The properties for an object always exist and can be modified in the future. One benefit of NDS is the maintenance of an inventory of all network resources and users. Since NDS allows searching of its database, an administrator can easily locate all User objects that have a specific value for a property. This is convenient if, for example, the administrator is managing a building move for a group of users, and the inventory is readily available. Some User properties and values are given in Table 1-4.
Property | Value | Editable? | Required at Object Creation?
Login name | Eng1.ENG.PHX.MA | No | Yes
Given name | Engineer One | Yes | No
Last name | Engineer | Yes | Yes
Full name | E.O. Smith | Yes | No
Generational qualifier | III | Yes | No
Middle initial | | Yes | No
Other name | | Yes | No
Title | Sr. Systems Engineer | Yes | No
Description | | Yes | No
Location | MicroAge | Yes | No
Department | Professional Services | Yes | No
Telephone | | Yes | No
Fax number | | Yes | No
Table 4: Example of Some User Properties and Values from Figure 1-2
The NDS Database
NDS is actually a database that contains objects, their properties and values, and their organization in the tree structure. The NDS database is in a file format, just like any other database. These files can be found in the SYS volume under the _NETWARE directory. You can access this directory and view file sizes:
Figure 3: NDS Database file scan
An important concept to understand is that the NDS database can be distributed across multiple servers. Not only can it be split into parts, but also each part can be copied. This is beneficial because when one server with a part of the NDS database (called a replica) on it goes down, the resources in that replica can still be accessed. For example, users may still log in, and printers can print. The process of dividing the database into multiple parts is called partitioning.
Introduction to a Tree Structure
Figure 1-4 illustrates an NDS tree structure viewed from within the NetWare Administrator. Throughout this book, various tree structures will be depicted in order to demonstrate different NDS-related concepts. They all share a common hierarchical structure, but can be set up in different ways to suit the enterprise environment that they represent.
Figure 4: Example of an NDS tree structure
How the Directory Tree Affects Resource Access
Resources are stored within the directory tree in the form of objects. Because all resources are included in that tree, the most efficient method of associating access rights to an object is by handling it within the tree. NDS enables an administrator to grant access to network resources by adjusting properties of the NDS objects.
Rights Within NDS
Rights is the term used for security access to various network resources. The following rights are available in NetWare:
File system directory and file rights are much the same as they were in older bindery-based NetWare systems. Users and groups can be granted the rights to perform various actions on files and directories, such as to browse the directory or file in their Explorer, or modify or delete the file. These rights are examined in greater detail in Chapter 6.
NDS is a hierarchical tree. Any NDS rights assigned will flow down through the tree. This should be carefully considered when designing an NDS tree.
A trustee is any object within NDS that is granted rights to another object. Most often, the trustee is a User or Group object, which makes it easier to understand. However, a trustee can also be any NDS object. Rights can be granted to NetWare Server objects and container objects just as easily as to users and groups.
Object rights enable a trustee to perform actions on an NDS object. The object rights are Browse, Create, Delete, Rename, and Supervisor. Except for the Supervisor rights, these object rights allow a trustee to browse, create, delete, and rename any object, but not edit the properties of the object. The Supervisor rights allow a trustee to edit properties as well as perform all other object actions.
Exam Watch: The [Public] trustee is not an object, but is a way to assign rights to users who have not yet logged into the NetWare network.
Property rights allow a trustee to access the values of the property information stored within NDS. The property rights are Compare, Read, Write, Add or Delete Self, and Supervisor. If some information about an object is confidential, such as a user’s home telephone number, then users can be prevented from seeing that property by denying all Read rights to it. At the same time, other information, such as the user’s business telephone number, can be allowed.
Inherited Rights Filter (IRF) is the system used to prevent rights from flowing down the tree from a parent container object. The IRF lists those rights that should not be inherited.
Security Equivalence is the ability to grant an object all the rights that another object has, simply by making them equivalent. The practice of making an object equivalent to the root of the tree grants that object all administrative and supervisory rights to every object in the tree, although this is not considered good practice.
Effective rights are the actual rights that an object has, which include rights that have been inherited, rights that have been filtered, and rights that have been directly granted to the object or granted through Security Equivalence.
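The following Python is an added example (not from the book) that works the rights model of this section through on a constructed tree: inheritance down the tree, an IRF that blocks rights on one object, security equivalence, and the resulting effective object rights. The tree, trustee names, assignments and filter are all constructed for the example.

```python
"""Added example (not from the book): a small model of how NDS object rights
reach a trustee. The tree, trustees, assignments and filters are constructed.

It follows the text: rights granted on a container flow down to every object
beneath it; an Inherited Rights Filter (IRF) on an object lists the rights that
may NOT be inherited there (an explicit assignment on that same object is not
touched); a new explicit assignment replaces what the trustee inherited at that
point; a trustee also receives the rights of every object it is security
equivalent to; and Supervisor implies all other object rights.
"""
OBJECT_RIGHTS = frozenset({"Browse", "Create", "Delete", "Rename", "Supervisor"})

# Constructed tree, child -> parent; None marks the top, the [Root].
PARENT = {
    "[Root]": None,
    "O=MA": "[Root]",
    "OU=PHX.O=MA": "O=MA",
    "OU=ENG.OU=PHX.O=MA": "OU=PHX.O=MA",
    "CN=Eng1.OU=ENG.OU=PHX.O=MA": "OU=ENG.OU=PHX.O=MA",
    "CN=HR_Server.OU=PHX.O=MA": "OU=PHX.O=MA",
}

# Trustee assignments (the ACL property): object -> {trustee: rights}.
ACL = {
    "O=MA": {
        "CN=Admin.O=MA": {"Supervisor"},
        "[Public]": {"Browse"},  # rights for users who have not logged in yet
    },
    "OU=PHX.O=MA": {
        "CN=PhxAdmin.OU=PHX.O=MA": {"Browse", "Create", "Delete", "Rename"},
    },
}

# IRF: object -> rights blocked from flowing in from the parent container.
# In NDS the Supervisor object right can be filtered like any other.
IRF = {
    "CN=HR_Server.OU=PHX.O=MA": {"Create", "Delete", "Rename", "Supervisor"},
}

# Security equivalence: trustee -> objects whose rights it also receives.
EQUIVALENT_TO = {
    "CN=Eng1.OU=ENG.OU=PHX.O=MA": {"CN=PhxAdmin.OU=PHX.O=MA"},
}


def path_from_root(obj):
    """[Root], ..., obj: the containers an inherited right must flow through."""
    path = []
    while obj is not None:
        path.append(obj)
        obj = PARENT[obj]
    return path[::-1]


def assigned_or_inherited(trustee, obj):
    """Rights one trustee holds on obj from its own assignments and inheritance."""
    rights = set()
    for node in path_from_root(obj):
        rights -= IRF.get(node, set())  # filter what flows in from above
        granted = ACL.get(node, {}).get(trustee)
        if granted is not None:  # an explicit assignment replaces what
            rights = set(granted)  # was inherited at this point
    return rights


def effective_rights(trustee, obj):
    """Own rights, plus those of each security equivalent, plus [Public]
    (every object is treated as security equivalent to [Public])."""
    rights = assigned_or_inherited(trustee, obj)
    for equivalent in EQUIVALENT_TO.get(trustee, ()):
        rights |= assigned_or_inherited(equivalent, obj)
    if trustee != "[Public]":
        rights |= assigned_or_inherited("[Public]", obj)
    return set(OBJECT_RIGHTS) if "Supervisor" in rights else rights


if __name__ == "__main__":
    for who in ("CN=Admin.O=MA", "CN=Eng1.OU=ENG.OU=PHX.O=MA"):
        for target in ("CN=Eng1.OU=ENG.OU=PHX.O=MA", "CN=HR_Server.OU=PHX.O=MA"):
            print(who, "on", target, "->", sorted(effective_rights(who, target)))
```

Note that the IRF on the HR server leaves even the Supervisor trustee from O=MA with only the Browse right that [Public] carries, which is why an explicit trustee should be assigned on an object before its IRF is tightened.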
An Access Control List (ACL) is the information about who has rights to access the NDS object information. It is stored as a property within the object and contains both trustee assignments and the Inherited Rights Filter. To change the trustees of an object, simply edit the ACL property of the object as indicated in Exercise 1-1:
Exercise 1-1 Viewing the Access Control List
Figure 5: Access Control List (ACL) dialog box showing properties list
Certification Summary
A network administrator’s many responsibilities fall into two categories: reactive administration and proactive administration. Reactive duties address problems as they occur. Proactive duties plan changes to the network in order to avoid problems. Examples of reactive administration are
Examples of proactive administration are
A network resource is an entity on the network, such as an HTML web page or a printer. A network service is the way that this resource can be accessed, often in the form of a server application, such as a web server program, or the Novell Distributed Printing Services (NDPS).
Novell Directory Services (NDS) is the database of all network resources, users, and other network objects. It is organized in a hierarchical tree structure. There are three types of objects: [Root], container, and leaf objects. The [Root] is a placeholder that delineates the top of the NDS tree. Container objects are used to organize the network resources into the tree structure. They can contain leaf objects and other container objects. Leaf objects are end points in the tree and cannot contain any other object. Some container objects are Organization, Organizational Unit, and Country. Some of the most common leaf objects are User, Group, NetWare Server, Volume, Directory Map, and Profile.
There are other types of leaf objects that can exist in a directory tree, as well. The list of the container and leaf object types, plus their associated properties, in an NDS database is called the schema. The schema can change, since developers may create other NDS objects for application use.
The attribute types for each object are called properties. The information for a property is called the property’s value. For example, a property of a User object is a First Name. For a User object HHarris (representing a network user named Heather Harris), the value of the First Name property would be Heather.
NDS allows objects to be granted access to other objects within the tree. The object rights grant an object the ability to perform actions such as creating, browsing, or deleting the object. The property rights grant an object the ability to edit or browse property values. To view the Access Control List of an object, right-click the object inside the NetWare Administrator program and select Trustees of this Object.
Two-Minute Drill
Self Test
The following Self-Test questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully, as there may be more than one correct answer. Choose all correct answers for each question.
Compile the script. Create an Application object that points at the compiled script. Grant each of the designated users access rights to the Application object by right-clicking it, selecting Trustees of this Object, and then clicking the Add Trustee button.