Interoperability with NetWare
Because connectivity is a cross-platform issue, whether you choose to use Gateway Service for NetWare or Client Service for NetWare to establish and maintain connectivity between Windows 2000 and NetWare, it is necessary to configure both the Windows 2000–based network and the NetWare network.
For both Gateway Service for NetWare and Client Service for NetWare, it is necessary to create accounts and set up access rights on the NetWare network. You can use the NetWare Syscon utility or the NetWare NDS NWadmin utility to do so.
Important
Neither Gateway Service for NetWare nor Client Service for NetWare supports access to the NetWare NWAdmin utility. To use the NetWare NWAdmin utility, you need to log on to the NetWare NDS server through a client-based computer that has NetWare client software installed, such as Novell Client for Windows 2000.
The following sections explain which accounts you need to set up.
To establish connectivity to NetWare resources for a Windows 2000 Server–based computer running Gateway Service for NetWare, you need to create user and group accounts.
You must first create a unique user account on the NetWare network to serve as the NetWare interface for the Windows 2000 Server–based gateway computer running Gateway Service for NetWare. The password for the NetWare user account must be identical to the password used to enable the Windows 2000 Server gateway, described in "Configuring a Gateway on the Windows 2000 Server–Based Computer" later in this chapter.
You must also create a unique NetWare group account named NTGATEWAY. You must create this account on the NetWare network. The NTGATEWAY group account acts as a common access point to NetWare resources for all Windows 2000 Server gateway users; therefore, you must set appropriate trustee access rights on the NTGATEWAY group account for all the NetWare resources that the group must access.
Finally, make the NetWare user account that you created a member of the NTGATEWAY group account.
To establish connectivity to NetWare resources for a Windows 2000 Professional computer running Client Service for NetWare, you need to create a unique user account on the NetWare network and set the necessary rights for the user's resource needs. You or the user must also synchronize the passwords.
Once the NetWare user account is a member of the NetWare NTGATEWAY group account, and you have administrative permission to create a share on the local Windows 2000 Server–based computer, you can create a Windows 2000 Server gateway.
Caution
Before you install Windows 2000 Gateway Service for NetWare, you must remove any existing NetWare redirectors installed previously on your Windows NT–based server computer, such as Novell Client for Windows 2000. If prompted, restart your computer.
Install Gateway Service for NetWare on the Windows 2000 Server–based computer in order to use it as a gateway.
To install Gateway Service for NetWare
Click Gateway (and Client) Services for NetWare if you are installing a server gateway, and then click OK.
– Or –
Click the Default Tree and Context button and type the correct tree and context names, if you are running an NDS version of NetWare. Select the Run Login Script option if you are running a login script, and then click OK.
Note
Although Gateway Service for NetWare and Client Service for NetWare enable access to NetWare file, print, and directory services from Windows 2000, the correct user accounts, necessary rights for resources, appropriate group rights, and associated login scripts need to be configured on the NetWare servers. Contact your NetWare administrator or see your NetWare documentation for more information.
For more information about the preferred server, the default tree, and context and how to choose between them, see "Selecting the Default Tree and Context or the Preferred Server" later in this chapter.
After you have installed Gateway Service for NetWare, you can change your configuration from the Gateway Service for NetWare icon in Control Panel. The Gateway Service for NetWare dialog box, as shown in Figure 12.13, appears.
Figure 12.13 Gateway Service for NetWare Dialog Box
Within this dialog box, you can also specify print options. You can also select Run Login Script if you choose to execute a NetWare login script when you log on to the NetWare network through Gateway Service for NetWare.
To enable the Windows 2000 Server gateway, click Gateway on the Gateway Service for NetWare dialog box. The Configure Gateway dialog box, shown in Figure 12.14, is displayed. Select Enable Gateway in the Configure Gateway dialog box. Enter the gateway account name you wish to call this gateway connection and enter the password. The password must be identical to the password for the user account that you previously created on the NetWare server. You need to do this only once for each server that acts as a gateway.
Note
If your account is an NDS account, you must enter the full distinguished name for the user account. For example, you would need to add Jdoe.Sales.Milan.Eu.Reskit rather than Jdoe.
Figure 12.14 Configure Gateway Dialog Box
After you have installed Gateway Service for NetWare and configured the gateway, you can establish shares and permissions. To create a share, click Add in the Configure Gateway dialog box. In the appropriate text boxes, type the share name, network path, drive mapping, and the user limit for that particular share. To complete the configuration, set user permissions on the share for an appropriate access level to NetWare resources.
In the Configure Gateway dialog box you can set up multiple shares to accommodate user access needs. By setting appropriate shares and permissions on the Windows 2000–based gateway, you can control which directories, files, and print queues a user can access on the NetWare server.
When the appropriate user and group accounts are established, the necessary rights are set on the NetWare servers, and Gateway Service for NetWare is installed correctly on the Windows 2000–based server, you can configure and establish a connection to a NetWare-based printer through the Windows 2000 Server–based gateway. For more information about setting up a gateway printer share, click the Overview button on the Gateway Service for NetWare dialog box.
When you have set up the NetWare user account, you can install and configure Client Service for NetWare on the Windows 2000 Professional computer.
Caution
Before you install Windows 2000 Client Service for NetWare, you must remove any existing NetWare redirectors, such as Novell Client for Windows 2000, and then restart your computer.
Install Client Service for NetWare on the computer running Windows 2000 Professional.
To install Client Service for NetWare
– Or –
Click the Default Tree and Context button and type the correct tree and context names, if you are running an NDS version of NetWare. Select the Run Login Script option if you are running a login script, and then click OK.
Note
Although Gateway Service for NetWare and Client Service for NetWare enable access to NetWare file, print, and directory services from Windows 2000, the correct user accounts, necessary rights for resources, appropriate group rights, and associated login scripts need to be configured on the NetWare servers.
Contact your NetWare administrator or see your NetWare documentation for more information.
After you have installed Client Service for NetWare, you can change your configuration from the Client Service for NetWare icon in Control Panel. The Client Service for NetWare dialog box appears.
Within this dialog box, you can also specify print options. You can also select Run Login Script if you choose to execute a NetWare login script when the gateway service is initiated.
To access NetWare services through Gateway Service for NetWare or Client Service for NetWare, you must specify either the correct default tree and context for the user or workgroup or the correct preferred server.
If users need to connect to NDS resources, you should specify the tree and context.
– Or –
If users need to connect to bindery-based resources, you should specify a preferred server.
In Novell Directory Services (NDS), tree refers to the NDS hierarchical Directory structure, and context refers to the location of an object in the Directory tree. If there is only one tree in an organization, the tree is easy to select and specify. The context, on the other hand, is not so obvious. However, in order to locate the necessary network resources for the particular user object, you must define the context correctly when accessing NDS servers through Client Service for NetWare or Gateway Service for NetWare.
Note
When accessing an NDS environment, the most frequent problem with accessing files or services results from setting an incorrect context. If you set an incorrect context, you cannot authenticate.
As shown in Figure 12.15, for example, Reskit, located at the top of the NDS Directory tree, is the actual name of the root object.
You specify the context in the Client Service for NetWare or Gateway Service for NetWare dialog box. You can type in either the typefull name or typeless name formats.
Within the tree, the context in typefull name format for the user JDOE is ou=sales.ou=milan.ou=eu.o=reskit, and the context in the typeless name format is sales.milan.eu.reskit.
Both the typefull name and the typeless name formats are valid entries in the Client Service for NetWare or Gateway Service for NetWare dialog box.
Figure 12.15 NDS Directory Tree
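Because an incorrect context prevents authentication, it helps to check a name before typing it into the dialog box. The following Python sketch is an added example, not part of the original chapter: it converts between the typefull and typeless formats shown above and checks that a gateway account name is a full distinguished name. The function names, the label character set, and the default typing rule (rightmost component is O, leftmost is CN for a user, all others are OU) are assumptions that match the Reskit examples on this page.

```python
import re

TYPES = ("cn", "ou", "o", "c")           # c (country) accepted if typed explicitly
LABEL = re.compile(r"^[A-Za-z0-9_-]+$")  # assumed label charset for this sketch

def parse_nds_name(name, leaf_is_object=False):
    """Split a typefull or typeless NDS name into (type, value) pairs.
    Typeless parts get default types: leftmost CN when leaf_is_object is
    True, rightmost O, everything else OU."""
    comps = name.strip().split(".")
    if any(not c for c in comps):
        raise ValueError("empty component in %r" % name)
    typed = ["=" in c for c in comps]
    if any(typed) and not all(typed):
        raise ValueError("mixed typefull/typeless name %r" % name)
    pairs = []
    for i, comp in enumerate(comps):
        if typed[i]:
            kind, value = comp.split("=", 1)
            kind = kind.lower()
        elif i == 0 and leaf_is_object:
            kind, value = "cn", comp
        elif i == len(comps) - 1:
            kind, value = "o", comp
        else:
            kind, value = "ou", comp
        if kind not in TYPES or not LABEL.match(value):
            raise ValueError("bad component %r" % comp)
        pairs.append((kind, value))
    return pairs

def typefull(pairs):
    # Values are lower-cased so two spellings of one name compare equal.
    return ".".join("%s=%s" % (k, v.lower()) for k, v in pairs)

def typeless(pairs):
    return ".".join(v.lower() for _, v in pairs)

def gateway_account_problems(name):
    """Reasons a gateway account name is not a full distinguished name."""
    pairs = parse_nds_name(name, leaf_is_object=True)
    problems = []
    if len(pairs) < 2:
        problems.append("relative name: no context given")
    if pairs[0][0] != "cn":
        problems.append("leftmost component is not a CN")
    return problems
```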
In a NetWare bindery-based server environment, you must direct the Windows 2000–based computer running Gateway Service for NetWare or Client Service for NetWare to the NetWare server where the Windows 2000 user and group accounts with the appropriate rights are located. To direct the Windows 2000–based computer to the NetWare server, select the appropriate NetWare server as the preferred server. Your computer can then log on to the NetWare server. Once you are logged on to a bindery server, you can attach to another server.
If you do not want to set a preferred server in the Client Service for NetWare dialog box, click None. Your computer sends out a get nearest server request, and the first server that responds becomes a SAP agent. You are not authenticated to this server, but you can use it for browsing (viewing other servers attached on the network), as when you enter the NetWare slist command.
If you use Gateway Service for NetWare and you have a high volume of traffic, you can install multiple gateways, as shown in Figure 12.16, to balance the traffic load. However, the NTGATEWAY group account is still the only access point on the NetWare network. To administer each gateway account separately, you must create individual NetWare user accounts for each gateway, then make those user accounts members of the NetWare NTGATEWAY group account.
Figure 12.16 Multiple Windows 2000 Gateways
When you install Gateway Service for NetWare on a computer running Windows 2000 Server and connect it to the NetWare NTGATEWAY group account, you can control security for that connection at two different locations:
For simplest management, consider adding trustee rights on the NTGATEWAY group account. Because the NTGATEWAY group account is the single interface to the NetWare network, trustee rights set up on NTGATEWAY apply to all users using that account. Therefore, you must set up trustee rights that satisfy the access needs of all users going through that account. For additional security, you can then set all security restrictions by adjusting access permissions at the Windows 2000 gateway.
Suppose you have several different users who want to have home directories on the NetWare server, and each user wants to limit access for the home directory. The best way to provide separate security is to use a client such as Client Service for NetWare. However, you could provide separate security for a few users by creating a separate share for each user on the Windows 2000 gateway server, then assigning trustee rights for each share.
Keep in mind that each share uses one drive letter, as shown in Figure 12.14. Thus, each share you create uses at least one drive letter. To determine how many gateways you can create, determine the number of available drive letters.
For information about how to add trustee rights to the NetWare server, consult your NetWare documentation or contact Novell.
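The two control points described above combine as an intersection: the NetWare server sees only the gateway account, so a Windows user receives what the gateway share allows, capped by the trustee rights granted to NTGATEWAY. The following Python sketch is an added example, not part of the original chapter, that audits a gateway configuration on that model. The mapping from share permission levels to NetWare rights letters, the exact-path lookup with no inheritance, and all paths and names in the data structures are assumptions made for illustration.

```python
# NetWare trustee rights letters: Supervisor, Read, Write, Create, Erase,
# Modify, File scan, Access control.
ALL_RIGHTS = frozenset("SRWCEMFA")

# Assumed mapping from a Windows share permission level to the NetWare
# rights it needs (a simplification made for this sketch).
SHARE_LEVEL = {
    "Read": frozenset("RF"),
    "Change": frozenset("RWCEMF"),
    "Full Control": ALL_RIGHTS,
}

def effective_rights(ntgateway_rights, share_level):
    """Rights a gateway user actually gets on one shared NetWare path.
    Supervisor (S) on the NetWare side implies every other right."""
    if "S" in ntgateway_rights:
        granted = ALL_RIGHTS
    else:
        granted = frozenset(ntgateway_rights)
    return SHARE_LEVEL[share_level] & granted

def audit(trustees, shares):
    """Return (share, user, finding) tuples for a gateway configuration.
    trustees: {netware_path: rights letters granted to NTGATEWAY}
    shares:   {share_name: (netware_path, {user_or_group: level})}"""
    findings = []
    for share, (path, acl) in sorted(shares.items()):
        granted = trustees.get(path, "")
        for who, level in sorted(acl.items()):
            eff = effective_rights(granted, level)
            if not eff:
                findings.append((share, who, "no access: NTGATEWAY has no rights"))
            elif eff < SHARE_LEVEL[level]:
                findings.append((share, who, "share level capped by NTGATEWAY rights"))
            elif who == "Everyone" and level != "Read":
                # The share is the only per-user control, and it is wide open.
                findings.append((share, who, "share does not narrow NTGATEWAY rights"))
    return findings
```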