MCSE SQL Server 7 Administration Study Guide
Syngress, Inc.
 $49.99  007-211-90-47


Chapter 1

Introduction to intraNetWare

Certification Objectives

Welcome to an adventure in learning! The Certified Novell Engineer (CNE) is one of the most widely known and respected professional credentials in the information systems industry today. This is a learning adventure because CNEs must have historical knowledge of computing and be familiar with the most recent innovations. Therefore, this book covers a wide variety of subjects, but the central theme of each topic is networking.

Networking is Novell’s core business and it leads the market in server network operating system (NOS) software. Novell’s NetWare servers are the core of networks around the world. NetWare 5 is Novell’s latest network server product. With all the changes and added functionality to this product, even an experienced administrator or engineer will need to brush up. Some of these product additions will change administration methods. What will not change is the need for competent network management and end-user support.

Administrator Responsibilities

Back in the early days of networking, the administrator’s primary responsibility was simply to keep the server up and running. The job has evolved over the years to include many more tasks and responsibilities.

A network used to be a single server and a bunch of workstations. While some workstations were attached to the network and could use server resources, many were standalone. As needs arose for server resources and different functions that the network could provide, enterprise networks included many servers and many workstations, not necessarily all running the same operating system. Now, the administrator adds workstation maintenance to the list of duties, and responsibility for increased numbers and types of servers.

Another change to networking was added distance. Many local area networks (LANs) became wide area networks (WANs). Distribution of network resources required distribution of the administration. Enterprise networks grew and administration needs grew with them. Hierarchical network management is fairly common in large, complex networks. Each administrator handles only a portion of the administration tasks, while other administrators handle the rest. Administrative tasks can be divided into two categories:

Reactive Administration

Reactive administration is the collection of tasks that fix problems as they arise. It is "reactive" to the situation at hand. The types of tasks that fall under this heading include:

Reactive administration includes many more tasks than this, and makes up the bulk of the administrative tasks for a network. In general, when something is not right on the network, and it needs to be corrected, then it is a reactive administrative task.

Proactive Administration

Proactive administration is the collection of tasks that attempts to prevent errors and avoid problems on the network. Proactive administration results in less-reactive administration. Some examples of proactive administration include:

On the Job: Many times, a company will not do proactive administration on a consistent basis, and sometimes not at all. Administrators get caught up in the day-to-day business needs of end users (that is, doing reactive administration) and put off proactive tasks. The result is that reactive administration tasks increase, and end users become dissatisfied. Finally, management throws up its hands and calls in a consultant. A good consultant performs a network analysis and makes recommendations for the network that might have surfaced from proactive network administration. I like to call this preventative computing. The comparison is that in preventative dentistry, the dentist asks you to floss only the teeth that you want to keep. In preventative computing, you need to perform proactive tasks on only the network components you want to keep online.

Some enterprises have recognized the need for proactive administration and provide separate administrators to handle these tasks. The proactive administrators are not besieged by end-user requests and can concentrate on preventing serious errors from occurring on the network.

Note that proactive and reactive administrative tasks may affect the same issue. For instance, proactive security planning may set a policy that passwords will be changed every 30 days, and that the account will be locked out if the wrong password is entered more than three times. A reactive task for security is resetting a password when the user is locked out from his account because he entered it incorrectly several times at the login screen.

Network Resources and Services

Sharing resources and services is a powerful method to enhance productivity. The terms resources and services tend to be used interchangeably. However, there is a distinction. A resource is an entity that exists on the network. A service provides access to the resource. For example, a printer is a resource on the network. The program or function that makes it possible for people to print documents on that printer is the printing service. In NetWare 5, the printing service is provided by Novell Distributed Printing Services (NDPS). In order to print on a network, both components are required. Usually both a resource and a service must be up and running in order for the resource to be used.

Table 1-1 lists some common resources and their associated services.

Resource | Service
---------|--------
Printer | Printing service
Server | Shared disk space; file service
Modem | NetWare Connect shared modem service, or third-party FAX service
HTML (Hypertext Markup Language) document | Web server service
IP address | DHCP service (Dynamic Host Configuration Protocol, used to distribute IP addresses dynamically)
CD-ROM drive | CD-ROM volume-sharing service
Database | Database service

Table 1-1: Network Resources and Their Associated Services

There are many other services and resources than the ones listed in Table 1-1. NetWare typically provides services through NetWare Loadable Modules (NLMs) on the NetWare server. NLMs are applications that run on a NetWare server.

From the Classroom

What Is NDS?

Novell Directory Services (NDS) is a hierarchical database that contains information about all of the "entities" that make up a NetWare 4.x or 5 network. The key word is database; every object below the [Root] is represented in the Directory database by a record that contains the object’s name and properties. If you think of the record identifier as the object name and the field names as the object’s properties (or details), you will have made a major step in understanding the nature of NDS.

For those of you who are not familiar with database structures, take a look at your driver’s license. It has your name (object name), and information about you (details/properties), such as what you look like, what type of vehicles you are authorized to operate (object rights), where you reside, and which state issued the license (context), etc. In the case of a driver’s license, it looks just like a User object in the NDS tree.

By Dan Cheung, CNI, MCNE, MCT

Introduction to Novell Directory Services

Novell Directory Services (NDS) is the service used by NetWare to organize resources throughout an entire network. It is a database of user IDs and network resources such as printers, print queues, servers, and volumes, in which objects may be granted access to other objects for security purposes. Because all network resources are organized in NDS, this is the most efficient place to manage security among network resources, users, groups, and other objects.

NDS allows users a single login authentication. In older versions of NetWare, resources were organized on an individual server basis. This created the need for multiple login IDs—one for each server to which a user was granted access. NetWare 4 introduced NDS, which combines all resources in one directory so that each user’s login checks a single directory for access information; in other words, one login ID is all that is needed for authentication to any resource on the enterprise network.

NDS enables the following:

NDS Structure

NDS stores network resources in a tree structure that is similar to a directory tree. There are two types of objects within the tree:

A container object in NDS is like a directory (or folder) in a directory tree. It can contain leaf objects or other container objects. Container objects are used to organize the tree structure. Table 1-2 defines the [Root] and container objects.

Object | Abbreviation | Description
-------|--------------|------------
[Root] | | The top of the NDS tree. There is only one root object. It is created during the first server installation into the NDS tree. The [Root] can contain only Country objects or the Organization object. It does not contain any leaf objects other than Alias objects, if the Alias represents a Country or an Organization.
Country | C | Special container object for country locations. Country objects can be placed only in the root. Country objects are optional.
Organization | O | A high-level container object placed directly in the root or under country units. This object usually represents the company.
Organizational Unit | OU | Container objects placed below the Organization-level unit. This creates a subgroup within the tree in order to organize the network resources.

Table 1-2: The [Root] and Container Objects

Leaf objects represent resources in the NDS tree. A leaf object does not contain any other objects. A leaf object is analogous to a file in a directory tree, since it cannot contain any other files or folders. Some developers have created NDS-aware programs that add leaf objects (for example, resources) to the NDS tree.

Exam Watch: Container objects can contain other container objects, as well as leaf objects. Leaf objects are end points in the NDS tree and cannot contain any objects whatsoever.

Leaf Objects

Directory leaf objects are objects that do not contain any other objects. These represent actual network entities such as users, servers, printers, and computers. Table 1-3 describes the different types of leaf objects available in NDS.

Leaf Object | Description
------------|------------
Alias | The Alias object is essentially a pointer to another leaf object in the tree. An alias is used to ease access to network resources, since it makes the leaf object that the alias represents appear as though it exists in the context of the Alias object.
Application | This object is not part of the base schema, but is added when using the NetWare Application Launcher (NAL). It represents an executable application that the end user must be granted rights to before it appears in the NAL window on the end user’s workstation.
Bindery | The Bindery object is provided for backward compatibility with older versions of NetWare. It is commonly created during migrations and upgrades of existing NetWare 2.x and 3.x servers, or placed there by bindery-based programs.
Bindery Queue | The Bindery Queue is a print queue that was migrated from a NetWare 2.x or 3.x server. This object is for backward compatibility.
Computer | This object is a computer on the network that is not a server, such as a workstation or router.
Directory Map | An object that represents a directory path in the file system on a volume. Directory Maps ease file administration: files can be moved to another volume transparently to end users, because only the path stored in the Directory Map changes, not the Directory Map name. When mapping drives within a login script, using a Directory Map name allows the physical location of the files to change without editing the login script later.
Group | The Group object represents a list of multiple User objects that can be located in any context within the NDS tree. Group objects are convenient for assigning the same rights to an entire list of individuals, and are useful in login scripts.
NetWare Server | The NetWare Server object denotes a server running the NetWare operating system on the network. This object is automatically created when a server is installed into the NDS tree. It is useful for storing information about the server, such as physical location and provided services. Other objects, such as Volume and Directory Map, point to their associated NetWare Server object.
Organizational Role | The Organizational Role object enables the definition of a position that is person-independent. When a person is placed in that position, the User object is associated with the Organizational Role object and automatically receives the Organizational Role object’s rights. If there is a position that is filled by constantly changing personnel, the creation of this object can facilitate the management of the rights needed for it.
Print Server | The Print Server object represents a network print server.
Printer | The Printer object represents a network printer.
Print Queue | The Print Queue object signifies a network print queue.
Profile | The Profile object is a login script object that can be assigned to a user property. The script contained in the Profile object is executed when any assigned user logs into the network, after the system login script and before the user login script. The Profile object is useful for a group of users that need a common login script function.
Unknown | The Unknown object is exactly that: an object that NDS cannot validate or identify as belonging to the object classes defined within the schema.
User | The User object must be created for each individual login ID required on the network. This object represents a person who logs in to the network and allows network security to be granted for resources.
Volume | The Volume object is a volume on a network server. When a NetWare Server is installed, the installation process automatically creates a Volume object for each volume built at installation. Information about the volume’s files and directories is available from within the NetWare Administrator program by examining the properties of this object.

Table 1-3: Leaf Objects Available in NDS

Exam Watch: An object’s context is a description of the location of that object in the NDS tree.

The NDS schema is the structure of objects that can be stored within the directory tree, as illustrated in Figure 1-1. The schema defines the following information about objects:

Figure 1-1: NDS tree structure

Object classes contain the above information within the schema. An object class is the type of object that can be within the tree, such as a User object or an Organizational Unit object. For example, a User object has the following elements:

On the Job: The NDS schema is expandable. Some NDS-aware applications will change the schema to suit their own purposes—adding object classes to the schema and then the objects to the tree for use. This does not harm existing servers in the directory nor does it affect servers installed into the tree after the schema has changed. However, when merging two NDS trees, the schemas must be identical. This can be a problem if a program was installed and changed the schema of one tree, but was never installed into the other tree. When NDS was new, there were no tools to manage the schema, maintain the directory, or even merge trees. Now there are DSREPAIR and DSMERGE utilities to handle tree and schema issues.

Object Properties and Values

The attribute information of NDS objects is a collection of properties. The data contained within each property is its value. This information is stored within the NDS tree and can be viewed for each object through the NetWare administrator in the form of dialog boxes, as shown in Figure 1-2.

Figure 1-2: Dialog box showing values of an object’s properties

Each NDS object consists of various properties that have corresponding values. Some values must be input into NDS upon object creation. Other values are optional. The properties for an object always exist and can be modified in the future. One benefit of NDS is the maintenance of an inventory of all network resources and users. Since NDS allows searching of its database, an administrator can easily locate all User objects that have a specific value for a property. This is convenient if, for example, the administrator is managing a building move for a group of users, and the inventory is readily available. Some User properties and values are given in Table 1-4.

Property | Value | Editable? | Required at Object Creation?
---------|-------|-----------|-----------------------------
Login name | Eng1.ENG.PHX.MA | No | Yes
Given name | Engineer One | Yes | No
Last name | Engineer | Yes | Yes
Full name | E.O. Smith | Yes | No
Generational qualifier | III | Yes | No
Middle initial | | Yes | No
Other name | | Yes | No
Title | Sr. Systems Engineer | Yes | No
Description | | Yes | No
Location | MicroAge | Yes | No
Department | Professional Services | Yes | No
Telephone | | Yes | No
Fax number | | Yes | No

Table 1-4: Example of Some User Properties and Values from Figure 1-2

The NDS Database

NDS is actually a database that contains objects, their properties and values, and their organization in the tree structure. The NDS database is in a file format, just like any other database. These files can be found in the SYS volume under the _NETWARE directory. You can access this directory and view file sizes:

  1. Launch NetWare Administrator.
  2. Click the Tools menu.
  3. Select Remote Console.
  4. Select the Server from the Available Servers window. If the server does not appear, make sure that the REMOTE.NLM and RSPX.NLM have been loaded on the server.
  5. Press Alt-F1.
  6. Select Directory Scan.
  7. Type SYS:\_NETWARE in the space provided. The files in that directory will appear in a blue dialog box, as shown in Figure 1-3.

Figure 1-3: NDS Database file scan

An important concept to understand is that the NDS database can be distributed across multiple servers. Not only can it be split into parts, but also each part can be copied. This is beneficial because when one server with a part of the NDS database (called a replica) on it goes down, the resources in that replica can still be accessed. For example, users may still log in, and printers can print. The process of dividing the database into multiple parts is called partitioning.

Introduction to a Tree Structure

Figure 1-4 illustrates an NDS tree structure viewed from within the NetWare Administrator. Throughout this book, various tree structures will be depicted in order to demonstrate different NDS-related concepts. They all share a common hierarchical structure, but can be set up in different ways to suit the enterprise environment that they represent.

Figure 1-4: Example of an NDS tree structure

How the Directory Tree Affects Resource Access

Resources are stored within the directory tree in the form of objects. Because all resources are included in that tree, the most efficient method of associating access rights to an object is by handling it within the tree. NDS enables an administrator to grant access to network resources by adjusting properties of the NDS objects.

Rights Within NDS

Rights is the term used for security access to various network resources. The following rights are available in NetWare:

File system directory and file rights are much the same as they were in older bindery-based NetWare systems. Users and groups can be granted the rights to perform various actions on files and directories, such as to browse the directory or file in their Explorer, or modify or delete the file. These rights are examined in greater detail in Chapter 6.

NDS is a hierarchical tree. Any NDS rights assigned will flow down through the tree. This should be carefully considered when designing an NDS tree.

A trustee is any object within NDS that is granted rights to another object. Most often, the trustee is a User or Group object, which makes it easier to understand. However, a trustee can also be any NDS object. Rights can be granted to NetWare Server objects and container objects just as easily as to users and groups.

Object rights enable a trustee to perform actions on an NDS object. The object rights are Browse, Create, Delete, Rename, and Supervisor. Except for the Supervisor rights, these object rights allow a trustee to browse, create, delete, and rename any object, but not edit the properties of the object. The Supervisor rights allow a trustee to edit properties as well as perform all other object actions.

Exam Watch: The [Public] trustee is not an object, but is a way to assign rights to users who have not yet logged into the NetWare network.

Property rights allow a trustee to access the values of the property information stored within NDS. The property rights are Compare, Read, Write, Add or Delete Self, and Supervisor. If some information about an object is confidential, such as a user’s home telephone number, then users can be prevented from seeing that property by denying all Read rights to it. At the same time, other information, such as the user’s business telephone number, can be allowed.

Inherited Rights Filter (IRF) is the system used to prevent rights from flowing down the tree from a parent container object. The IRF lists those rights that should not be inherited.

Security Equivalence is the ability to grant an object all the rights that another object has, simply by making them equivalent. The practice of making an object equivalent to the root of the tree grants that object all administrative and supervisory rights to every object in the tree, although this is not considered good practice.

Effective rights are the actual rights that an object has, which include rights that have been inherited, rights that have been filtered, and rights that have been directly granted to the object or granted through Security Equivalence.
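The rules in the preceding paragraphs (rights flowing down the tree, the Inherited Rights Filter, Security Equivalence, and effective rights) can be worked through with a small model. The Python below is an added example written for this edition; it is not code from the book or from Novell. The `NDSTree` and `NDSObject` classes, the tree names and the trustee assignments are constructed for illustration, and the model deliberately simplifies real NDS: all five object rights are treated alike by the IRF, and the implied security equivalence every object has to its own containers and to [Public] is left out, so only explicit equivalences count.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# The five NDS object rights named in the text.
ALL_RIGHTS: frozenset[str] = frozenset({"Browse", "Create", "Delete", "Rename", "Supervisor"})


@dataclass
class NDSObject:
    """One entry in the tree (container or leaf), keyed by its dotted name."""
    name: str
    parent: str | None = None
    # Trustee assignments held in this object's ACL: trustee name -> rights granted here.
    trustees: dict[str, frozenset[str]] = field(default_factory=dict)
    # Inherited Rights Filter: the rights that MAY flow into this object from above.
    irf: frozenset[str] = ALL_RIGHTS
    # Explicit security equivalences (this object receives those objects' rights).
    equivalent_to: frozenset[str] = frozenset()


class NDSTree:
    def __init__(self) -> None:
        self.objects: dict[str, NDSObject] = {}

    def add(self, obj: NDSObject) -> NDSObject:
        if obj.parent is not None and obj.parent not in self.objects:
            raise ValueError(f"parent {obj.parent!r} must be added before {obj.name!r}")
        self.objects[obj.name] = obj
        return obj

    def chain(self, name: str) -> list[NDSObject]:
        """The object itself, then each container above it, ending at [Root]."""
        out: list[NDSObject] = []
        cur: str | None = name
        while cur is not None:
            obj = self.objects[cur]
            out.append(obj)
            cur = obj.parent
        return out

    def inherited_rights(self, trustee: str, target: str) -> frozenset[str]:
        """Rights one trustee holds on target: the nearest explicit assignment on the
        target or one of its ancestors, filtered by the IRF of every object the rights
        pass through on the way down (the target's own IRF included, the IRF of the
        object carrying the assignment excluded)."""
        chain = self.chain(target)
        for depth, obj in enumerate(chain):
            if trustee in obj.trustees:
                rights = obj.trustees[trustee]
                for below in chain[:depth]:  # objects between the assignment and the target
                    rights &= below.irf
                return rights
        return frozenset()  # no assignment anywhere above: no rights

    def effective_rights(self, trustee: str, target: str) -> frozenset[str]:
        """Union of the trustee's own rights and the rights of every object it is
        explicitly security equivalent to."""
        sources = {trustee}
        if trustee in self.objects:
            sources |= self.objects[trustee].equivalent_to
        result: frozenset[str] = frozenset()
        for src in sources:
            result |= self.inherited_rights(src, target)
        return result


def build_sample_tree() -> NDSTree:
    """Constructed sample tree (assumed names, not from the book)."""
    t = NDSTree()
    t.add(NDSObject("[Root]", trustees={"Admin.MA": ALL_RIGHTS}))
    t.add(NDSObject("MA", "[Root]"))                       # Organization
    t.add(NDSObject("Admin.MA", "MA"))                      # administrative User
    t.add(NDSObject("PHX.MA", "MA", trustees={              # Organizational Unit
        "Helpdesk.PHX.MA": frozenset({"Browse", "Create", "Delete", "Rename"})}))
    t.add(NDSObject("Helpdesk.PHX.MA", "PHX.MA"))           # Organizational Role
    # ENG's IRF lets only Browse flow in from the containers above it.
    t.add(NDSObject("ENG.PHX.MA", "PHX.MA", irf=frozenset({"Browse"})))
    t.add(NDSObject("HHarris.ENG.PHX.MA", "ENG.PHX.MA",
                    equivalent_to=frozenset({"Helpdesk.PHX.MA"})))
    t.add(NDSObject("Eng1.ENG.PHX.MA", "ENG.PHX.MA",
                    trustees={"HHarris.ENG.PHX.MA": frozenset({"Rename"})}))
    return t


if __name__ == "__main__":
    tree = build_sample_tree()
    for trustee, target in [("HHarris.ENG.PHX.MA", "Eng1.ENG.PHX.MA"),
                            ("HHarris.ENG.PHX.MA", "PHX.MA"),
                            ("Admin.MA", "Eng1.ENG.PHX.MA")]:
        print(f"{trustee} on {target}: {sorted(tree.effective_rights(trustee, target))}")
```

Running the script shows the three effects side by side: HHarris holds Rename on Eng1 directly, gains Browse on Eng1 only through equivalence to the Helpdesk role (the role's Create, Delete and Rename are stopped by ENG's IRF), and holds the role's full four rights one level up on PHX, which the IRF does not touch. Admin's Supervisor assignment at [Root] is likewise cut down to Browse below ENG in this model, which is why an IRF that filters Supervisor deserves a careful check before it is set.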

An Access Control List (ACL) is the information about who has rights to access the NDS object information. It is stored as a property within the object and contains both trustee assignments and the Inherited Rights Filter. To change the trustees of an object, simply edit the ACL property of the object as indicated in Exercise 1-1:

Exercise 1-1 Viewing the Access Control List

  1. Right-click an object in the NDS tree within the NetWare Administrator program.
  2. Select Trustees of this Object.
  3. The dialog box in Figure 1-5 will appear. Note that you may view both the Effective rights and the Inherited Rights Filter by clicking the designated buttons.
  4. To add or remove an object from the ACL, click the Add Trustee or Delete Trustee buttons.
  5. In order to change the property rights, such as removing the Read property rights for the Telephone number property, click the Selected Properties radio button, and then select the Telephone property. After the property is selected, click the Read check box so that it is unchecked.
  6. Click OK when changes to the ACL are complete.

Figure 1-5: Access Control List (ACL) dialog box showing properties list

Certification Summary

A network administrator’s many responsibilities fall into two categories: reactive administration and proactive administration. Reactive duties address problems as they occur. Proactive duties plan changes to the network in order to avoid problems. Examples of reactive administration are

Examples of proactive administration are

A network resource is an entity on the network, such as an HTML web page or a printer. A network service is the way that this resource can be accessed, often in the form of a server application, such as a web server program, or the Novell Distributed Printing Services (NDPS).

Novell Directory Services (NDS) is the database of all network resources, users, and other network objects. It is organized in a hierarchical tree structure. There are three types of objects: [Root], container, and leaf objects. The [Root] is a placeholder that delineates the top of the NDS tree. Container objects are used to organize the network resources into the tree structure. They can contain leaf objects and other container objects. Leaf objects are end points in the tree and cannot contain any other object. Some container objects are Organization, Organizational Unit, and Country. Some of the most common leaf objects are User, Group, NetWare Server, Volume, Directory Map, and Profile.

There are other types of leaf objects that can exist in a directory tree, as well. The list of the container and leaf object types, plus their associated properties, in an NDS database is called the schema. The schema can change, since developers may create other NDS objects for application use.

The attribute types for each object are called properties. The information for a property is called the property’s value. For example, a property of a User object is a First Name. For a User object HHarris (representing a network user named Heather Harris), the value of the First Name property would be Heather.

NDS allows objects to be granted access to other objects within the tree. The object rights grant an object the ability to perform actions such as creating, browsing, or deleting the object. The property rights grant an object the ability to edit or browse property values. To view the Access Control List of an object, right-click the object inside the NetWare Administrator program and select Trustees of this Object.

Two-Minute Drill

Self Test

The following Self-Test questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully, as there may be more than one correct answer. Choose all correct answers for each question.

  1. What is not a proactive responsibility of a network administrator?
     A. Planning for a new storage system
     B. Resetting a user’s password because he forgot it
     C. Installing a new server into the tree
     D. Monitoring server performance
  2. Joel has a new job as Desk-side Support Administrator in an enterprise network of over 5,000 users. He has the responsibility of being dispatched to help end users with computer problems that the help desk cannot resolve over the phone. There are two other administrative groups: Server Support and Network Planning. Mary, a Phoenix end user, has approached Joel about redesigning the Novell Directory Services tree so that she can be in the same Organizational Unit as her New York counterpart and have instant access to the same resources. Joel has the administrative ability to make the change. What should he do? (Select the best answer.)
     A. Make the change; he has the ability.
     B. Do not make the change; he doesn’t believe it is good for the tree design.
     C. Hand it to the Server Support group, since Mary needs server resource access.
     D. Hand it to the Network Planning group, since it will make a change to the NDS design at the Organizational Unit level.
  3. Which of the following is a network resource?
     A. Novell Storage Services
     B. Printer attached to the server
     C. Novell Distributed Printing Services
     D. Netscape Web Server program
  4. What is needed in order to gain access to an IDE CD-ROM on a NetWare server from another network station?
     A. One thing: the CD-ROM hardware must be installed and working on the server.
     B. One thing: the CD-ROM sharing program must be loaded on the server.
     C. Two things: both the CD-ROM hardware and the sharing program must be installed on the server.
     D. Nothing. It cannot be done.
  5. What is NDS?
     A. Novell Distributed Storage—a new service to distribute files transparently between servers and mainframes
     B. NetWare Database Security—a C2-level secured database
     C. Novell Directory Services—the distributed database used to store user IDs, printers, servers, and other objects, and organize them for security on an enterprise network
     D. New Directory Storage—a technology to store directories of network resources on workstations
  6. Which of the following network resources cannot be organized in NDS?
     A. Files and directories
     B. Printers
     C. Applications
     D. Workstation computers
     E. None of the above
     F. All of the above
  7. Gene is a user on a NetWare network. Because of the network setup, the administrator gave Gene four user IDs in order to access four separate servers, all on the same Ethernet network segment. Is Gene using NDS on a NetWare 5 network to gain network access?
     A. Yes. However, the four separate servers are in four separate NDS trees.
     B. No. He is using a NetWare 2.x or 3.x network for at least three of the servers.
     C. No. He may be using NetWare 5 servers, but he must be using a bindery-based login to require a separate ID per server.
     D. Any of the above.
     E. None of the above.
  8. The root object is a special _____________ object in NDS. It cannot contain any ___________ objects other than an Alias object, but can contain either a __________ or ______________ object.
     A. Container-like, leaf, country, organization
     B. Leaf, container, user, NetWare Server
     C. Container, leaf, organization, organizational unit
     D. Container, container, user, group
  9. Jan is adding a new business unit to her NDS tree. It will receive its own Organizational Unit and a new NetWare Server. In this business unit, there are several students who share an auditing position for the server training files on a rotating basis. How should Jan plan for the constantly changing access needs?
     A. Jan should create a Directory Map object to give the students a shortcut to the training files.
     B. Jan should create an Organizational Role object to have the auditing access, and assign the students to the role whenever their turn comes up.
     C. Jan should create a Group and grant them all the same access.
     D. Jan should create two Groups and change the members of both groups as the auditing role changes.
  10. Patti is an end user who created her own login script within her User object in the NDS tree. She showed her boss, Ed, the way the script automated various functions for her and he has asked you, the network administrator, to make sure that twelve other people in his department are given the same script. It is possible that he may add more users in the future with this requirement. How should you manage this request?
     A. Speak with Patti about her script so that you can rewrite it in each of the users’ objects.
     B. Create an Organizational Role and add to it the users who need the script.
     C. Create a Profile object. Open up Patti’s User object, open the Login Script property, highlight the script and press Ctrl-C to copy it, then open the Profile object and press Ctrl-V to paste the script. Open each of the designated end users’ User objects and assign the Profile to the user.
     D. Compile the script. Create an Application object that points at the compiled script. Grant each of the designated users access rights to the Application object by right-clicking it, selecting Trustees of this Object, and then clicking the Add Trustee button.
  11. What is a schema?
     A. A new kind of printer
     B. A special Directory Map object
     C. A template for a profile script
     D. The structure of NDS objects
  12. A _______ represents a network resource. A ______ is a field available in the object to store information. The ______ is the information stored in the _______.
     A. Object, property, value, property
     B. Property, object, value, object
     C. Value, property, object, value
     D. Object, value, property, container
  13. What are rights?
     A. Correct network procedures
     B. Security access that can be granted in NDS
     C. Schema control factors
     D. User object trustees
  14. What rights are available to be granted to objects in NDS?
     A. Property rights and file system rights
     B. File and directory rights
     C. NDS object rights and NDS property rights
     D. NDS object rights, NDS property rights, file, and directory rights
  15. Jack is a network administrator. He has been notified by Human Resources (HR) of a new policy that all home telephone numbers stored in the Novell Directory are no longer allowed to be seen by any users other than HR and the network administrator. How will Jack enable the correct security?
     A. He will edit the object rights of the User objects.
     B. He will create an Inherited Rights Filter.
     C. He will edit the property rights of the Telephone property of the User objects.
     D. It cannot be done.