IT Baseline Protection Manual S 2.151 Design of an NDS concept
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: IT Security Management, Administrators
One of the most important new features in Novell Netware 4.x is the Novell Directory Services (NDS). NDS is used to manage the logical structure of a network and all the resources contained therein, such as users, groups, printers and Netware servers.
NDS technology replaces the bindery which was used in Netware 2.x and Netware 3.x. The bindery contains a one-dimensional list of all users, groups etc. However, if several Netware 3.x servers are in use, the administrator faces the "problem" of having to manually perform every modification (for example, the addition of a user) on every Netware 3.x server, that is to say on all servers for which a user is to be granted access rights.
In contrast, the Novell directory services are independent of any particular server and based exclusively on the underlying network. This means that administrative activities, such as configuration of a user account, are performed by the Novell directory services on all affected servers, without the need for manual intervention by the administrator.
The resources are managed in a database using a tree structure; this structure is thus also termed NDS tree. In this tree, all users, groups, printers, Netware servers etc. are managed as objects of an NDS directory database. A distinction is made between two types of objects here: container objects and leaf objects. Whereas a leaf object is located at the end of a branch and does not contain any further objects, a container object can contain additional containers or leaf objects.
The following container objects exist, among others:
Root
This is the root of the NDS directory tree. It is created during installation and can subsequently be neither renamed nor deleted; every NDS directory tree contains exactly one such object.
Country
The country object allows a geographical partitioning of the entire structure of the NDS directory tree, i.e. a division of the network by country. However, this object is optional and is therefore not created by default during installation of the NDS.
Organisation
The organisation object is intended for a hierarchical arrangement of other objects in the NDS directory tree. No fixed rules apply here; for example, an enterprise can name the organisation after itself or after its various offices. Every NDS directory tree must contain at least one organisation.
Organisational unit
An organisational unit can only be created within an organisation and is intended for further partitioning of the NDS. For example, offices, departments and project groups can be divided into organisational units. The organisational unit is an optional item used to improve structuring in accordance with the number of leaf objects involved.
Leaf objects include, for example, users, groups, printers, servers and data volumes. It is not possible to create additional objects under leaf objects. The following leaf objects are used most frequently:
Netware server
This object represents a Netware server; every network must contain at least one such server. The object is referred to by many other objects which use the services provided by the server, and is created by the installation program.
Printer
This object represents a printer present in the network, and is always accompanied by the printer queue and print server objects.
Users
This object is intended to manage and store information on network users, particularly their rights to access network resources.
Groups
Although several users can be assigned to a group, it represents a leaf object, not a container object. It is intended to simplify administration, as the rights of a group can be transferred to its members.
Volume
This object represents a physical volume for storing data. As a rule, volume objects are created by the installation program.
A detailed description of the remaining leaf objects is provided in Netware manuals. There are no restrictions on the number of objects, as objects can be added or deleted by applications.
As already mentioned, the directory objects and their attributes are managed in a database which constitutes an essential element of the NDS. In networks possessing WAN links, it is advisable to partition this database into logical segments which are then copied to various Netware servers. When planning the replications, it is important to take slow WAN links into account.
This logical segmentation is termed partitioning. The process of copying logical segments to Netware servers is termed replication.
Every partition consists of at least one container object and any additional objects contained therein. A partition can have several read-only or read/write copies (replicas), but only one master.
The physical partitioning of the NDS is transparent for users, i.e. internal Netware mechanisms ensure that this partitioning is not noticed by the users.
In principle, the design of an NDS directory tree is not subject to any restrictions, so that any form and degree of complexity is possible. However, careful and thorough planning in compliance with the following basic guidelines is required:
A clearly configured NDS should have a maximum depth of between 4 and 8 levels.
An organisation or organisational unit should contain no more than 1500 objects.
Several small departments should be grouped into one organisational unit, in order to reduce numbers and improve clarity.
Descriptive yet reasonably short names should be used (e.g. "R&D" instead of "Research and Development"), as the total path length in an NDS tree must not exceed 255 characters. This restriction is only enforced indirectly, as the DOS command line does not accept longer commands. This path is termed the context.
In addition to the master replica, each partition should have two read/write replicas. This results in redundancy, which makes a loss of NDS information highly unlikely. However, backing up the NDS remains obligatory.
The same version of the Directory Services Netware Loadable Module (DS.NLM) should be used on all servers within an NDS tree that run the same Netware version; otherwise, synchronisation problems may arise. In an NDS tree in which, for example, servers with Netware versions 4.10, 4.11 and 5.0 are installed, the DS.NLM versions necessarily differ between the Netware versions; what matters is that all servers of the same Netware version (all 4.10 servers, all 4.11 servers and all 5.0 servers respectively) run the same DS.NLM version, to avoid unnecessary problems. Although a combination of Netware versions is possible, experience shows that the most stable and easily manageable environments are those in which only one of the Netware versions 4.10, 4.11 or 5.0 is used.
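To make these guidelines checkable before a tree is built, the following script (an added example, not code from the IT Baseline Protection Manual or from Novell) walks a proposed NDS design and reports violations of the depth, object-count, context-length and replica guidelines above. The tree, the server names and the typed-name format ("OU=R&D.O=ACME") are assumptions; the limits are the ones stated in the text.

```python
# Added example (not from the IT Baseline Protection Manual or Novell). Tree, server
# names and typed-name format are constructed assumptions; limits are from the text.
from dataclasses import dataclass, field

MIN_DEPTH, MAX_DEPTH, MAX_OBJECTS, MAX_CONTEXT, WANTED_RW = 4, 8, 1500, 255, 2

@dataclass
class Container:
    name: str
    kind: str                                     # "O" or "OU"
    children: list = field(default_factory=list)  # sub-containers
    leaves: int = 0                               # leaf objects directly inside
    replicas: dict = field(default_factory=dict)  # partition root: server -> "master"/"rw"/"ro"

def context_of(path):
    # typed NDS name, leaf-most container first, e.g. "OU=R&D.O=ACME" (assumed format)
    return ".".join(f"{c.kind}={c.name}" for c in reversed(path))

def check_tree(root):
    findings = []                                 # guideline violations, empty when the design passes
    def walk(node, path):
        path = path + [node]
        ctx = context_of(path)
        if len(ctx) > MAX_CONTEXT:                # total path (context) length limit
            findings.append(f"{ctx[:30]}...: context is {len(ctx)} chars, limit {MAX_CONTEXT}")
        objects = node.leaves + len(node.children)  # direct objects only (assumption)
        if objects > MAX_OBJECTS:
            findings.append(f"{ctx}: {objects} objects, limit {MAX_OBJECTS}")
        if node.replicas:                         # container is a partition root
            masters = sum(r == "master" for r in node.replicas.values())
            rw = sum(r == "rw" for r in node.replicas.values())
            if masters != 1:
                findings.append(f"{ctx}: {masters} master replicas, expected exactly 1")
            if rw < WANTED_RW:
                findings.append(f"{ctx}: {rw} read/write replicas, guideline wants {WANTED_RW}")
        return max([len(path)] + [walk(c, path) for c in node.children])  # deepest level
    deepest = walk(root, [])
    if not MIN_DEPTH <= deepest <= MAX_DEPTH:
        findings.append(f"tree depth {deepest} is outside {MIN_DEPTH}..{MAX_DEPTH} levels")
    return findings

def sample_tree():
    # constructed design: Berlin R&D follows the guidelines, Hamburg Sales breaks two
    rnd = Container("R&D", "OU", [Container("Projects", "OU", leaves=40)], leaves=120,
                    replicas={"SRV-BER1": "master", "SRV-BER2": "rw", "SRV-HAM1": "rw"})
    sales = Container("Sales", "OU", leaves=1700,
                      replicas={"SRV-HAM1": "master", "SRV-HAM2": "rw"})
    return Container("ACME", "O", [Container("Berlin", "OU", [rnd], leaves=30),
                                   Container("Hamburg", "OU", [sales], leaves=10)], leaves=5)
```

Running check_tree(sample_tree()) reports the oversized Sales unit and its missing second read/write replica; the object count treats only a container's direct members as its objects, which is this example's reading of the 1500-object guideline.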
Planning of the NDS is decisively influenced not by the size of the network, but by the characteristics of the environment, such as the hardware, communications links, LAN/WAN topology and organisational structure. For example, a small network with several WAN links requires more planning than a large network without any WAN links, since each type of WAN architecture has its own physical characteristics. At least the following items should be covered during planning:
Specification of a standard for naming objects (in particular, naming conventions for user IDs and printer IDs)
Structuring of the NDS tree
Determination of the location of network resources (e.g. printers and servers) within the directory tree or container, in order to provide users and administrators with a clear overview of the network
The NDS tree should reflect the organisational structure of the company
Standard and co-ordinated positioning of network resources at various locations in order to minimise the training period for users who frequently change locations
Determination of the partition and replication strategy, which is, amongst other things, highly dependent on the WAN links.
For more information on NDS planning, refer to Novell's Manual on Netware 4 networks, which provides a detailed description of the implementation of a Netware 4.x network.
Additional controls:
Is regular co-ordination performed between the administrators of the individual locations?
Have all planning guidelines been observed?
Are the NDS planning guidelines and the decisions of the administrators documented?