Accessing Novell server files from a Windows 2000 Domain

GeekDrew

I just started working for one of our local highschools, and I was assigned a very daunting task.

Our existing network is completely Novell Netware based, and all staff and students have accounts, internet access, and their own personal folders on the network. We have a new classroom that is required to run on a Windows 2000 domain environment. Only about 50 people can have accounts on the Windows 2000 domain, but the Novell server hosts hundreds of accounts. The network based on Novell's products is also running BorderManager for internet access control. Here's what has to be done:

Everyone has to be able to access their personal folders from the Novell NetWare server at all times.

The passwords for the accounts on both networks have to be the same. (Since there are so few people, I can force them to keep the same password on both networks manually, if absolutely required)

We need the ability to control internet access from the Windows 2000 domain controller.

We need the ability to "disconnect" the domain from the Novell network (occasionally, the students will be encouraged to "hack" their way in - but we don't want them hacking into the Novell network). We can do this by physically unplugging the cable between the two networks if required.

We need to be able to host our own website, FTP server, and Exchange mail server, accessible from the internet.

The Windows 2000 domain admins cannot control settings on the Novell network (I might be able to change that if need be).

This seems enormous and nearly impossible. I haven't even started building the domain yet. I have done that many times, though, and already have the basic active directory schema in my mind, and that won't take me long to set up. I could do everything inside of a day if it were only MS domains, but I have to deal with the Novell network, and I have never tried using Novell before.

All this, and I have to have it all up and working by Tuesday, August 27!!!

Can anyone help me? If I get it done on time, I'll look into giving a few dollars to the people that help.

Thanks a ton! This means SO much to me.

Andrew
 

GeekDrew

The only problem with that is then we have to be connected to the Novell network all the time (unless they use local login).

Also, I created a Windows 2000 domain on the Novell network, and no clients could connect to it. They simply could not see it when they tried to join a domain. I was able to use terminal services to connect to the domain controller, though.

I really don't think that installing the software on the client systems is going to be possible. Isn't there any way to do it on the server end?

Thanks!

Andrew
 

Tallgeese

Originally posted by: shrinertech
> Our existing network is completely Novell Netware based, and all staff and students have accounts, internet access, and their own personal folders on the network. We have a new classroom that is required to run on a Windows 2000 domain environment. Only about 50 people can have accounts on the Windows 2000 domain, but the Novell server hosts hundreds of accounts. The network based on Novell's products is also running BorderManager for internet access control. Here's what has to be done:
>
> Everyone has to be able to access their personal folders from the Novell NetWare server at all times.

Give W2K users accounts on the Novell servers. Install the Microsoft Client Service for Netware (on workstations) or the Gateway Service for Netware (on server).

> The passwords for the accounts on both networks have to be the same. (Since there are so few people, I can force them to keep the same password on both networks manually, if absolutely required)

Unless you wanna spring the big $$$ for NDS on W2K, I'd stick with the manual route. It will still be a MAJOR pain, tho.

> We need the ability to control internet access from the Windows 2000 domain controller.

NO idea what you mean by this item. Please explain in more detail.

> We need the ability to "disconnect" the domain from the Novell network (occasionally, the students will be encouraged to "hack" their way in - but we don't want them hacking into the Novell network). We can do this by physically unplugging the cable between the two networks if required.

I'd use a managed switch, and shut off the proper port(s) to isolate this, rather than physically unplugging. How often will this happen? Also, will the W2K network still need access to the Internet even when disconnected from the Novell side?

> We need to be able to host our own website, FTP server, and Exchange mail server, accessible from the internet.

See previous answer. However, mapping ports through the BorderManager box is doable. KIM that the BM Mail Proxy absolutely STINKS, and is the primary reason we dumped it.

> The Windows 2000 domain admins cannot control settings on the Novell network.

Don't give the W2K admins any supervisory or access control rights on Novell.

Not sure whether any other services need to be shared, like: DHCP, DNS, print sharing, etc.
 

GeekDrew

Is it possible to have users from more than one context if I use gateway services on the server side? If I were to install MS client for netware on the client PCs, doesn't that require a direct connection to the netware network? This network will not be on the same subnet mask, IP range, etc. We will be using a completely separate network, and I planned on just having two nics in the server that would act as a gateway to the netware network (one for each network). Is this possible?

I'll suggest a managed switch instead of physically playing with the cables to my boss. Hopefully we can do it your way. :)

When I said that we needed to be able to control internet access with the 2000 domain controller, I meant that we have to be able to enable/disable internet access on an account-by-account basis. This is more of a software proxy/firewall issue on the 2000 servers.

No, when disconnected from the Novell side, the MS network will not be needing to access the internet.

DHCP, DNS, etc services are not going to be shared - as far as I know. Although it's not of utmost importance, it would be nice if NetWare clients could print to printers on the 2000 network and 2000 clients print to printers on the NetWare network. I can live without that, though. I probably won't bother with that until after I'm sure that everything else is working correctly.

Thanks man, you're a lifesaver!

Andrew
 

GeekDrew

I've been reading in the KB about "Gateway (and client) services for NetWare" for about an hour now :)

Fun reading...

Andrew
 

Tallgeese

Originally posted by: shrinertech
> Is it possible to have users from more than one context if I use gateway services on the server side? If I were to install MS client for netware on the client PCs, doesn't that require a direct connection to the netware network? This network will not be on the same subnet mask, IP range, etc. We will be using a completely separate network, and I planned on just having two nics in the server that would act as a gateway to the netware network (one for each network). Is this possible?

This clears up a LOT about what you guys are planning to do. You specifically need to read MS KnowledgeBase Article Q151236 - CSNW/GSNW Will Only Show Servers on One Network Segment

> I'll suggest a managed switch instead of physically playing with the cables to my boss.

Will still need to place it such that you can disable the entire MS side with one port. After understanding a bit more what you are thinking from your earlier statement, you might want to do it a different (maybe cheaper, maybe not) way:

Option 1: Using W2K server as gateway, just disable the Novell side NIC via Terminal Services, when needed.
Option 2: Use a router (instead of a dual-homed server) with access-lists for traffic control.
Option 3: Use a 3rd NIC in your BM box, have it filter/control traffic

> When I said that we needed to be able to control internet access with the 2000 domain controller, I meant that we have to be able to enable/disable internet access on an account-by-account basis. This is more of a software proxy/firewall issue on the 2000 servers.

So you want Internet access for the W2K users to be controlled using W2K (AD, I assume). That makes me ask, will the BM box be between the W2K network and the Internet? If so, it will be more suited for doin the access control thing. Of course, you're then up against that "No Novell Privileges for W2K Admins" rule. This could potentially be the biggest headache, unless you used a W2K based proxy, like ISA, to manage access, and then let BM send it on through.

> No, when disconnected from the Novell side, the MS network will not be needing to access the internet.

OK

> DHCP, DNS, etc services are not going to be shared - as far as I know. Although it's not of utmost importance, it would be nice if NetWare clients could print to printers on the 2000 network and 2000 clients print to printers on the NetWare network. I can live without that, though. I probably won't bother with that until after I'm sure that everything else is working correctly.

Good idea, and I was kinda figuring that a deep separation between networks was the big goal. Best to keep the printing worlds separate at least initially. DNS and DHCP just need to be configured to take into account the other side as well. Make sure stuff is in harmony (thinkin more about DNS internal root servers and secondary servers more than anything).

> Thanks man, you're a lifesaver!

Always thought of myself more like a Cert (mmmmmmmm....Retsyn!), but you're welcome!

Good luck. Interesting project, and certainly a LOT to get planned/done before the 27th.
 

GeekDrew

> * Using W2K server as gateway, just disable the Novell side NIC via Terminal Services, when needed.

This makes the most sense since the gateway does have the ability to completely stop sharing.

> will the BM box be between the W2K network and the Internet?

Yes, one of our NetWare admins is taking care of that end of everything; our server will be assigned an external IP & I plan on using that for our domain internet access.

> you're then up against that "No Novell Privileges for W2K Admins" rule.

I checked, no 2k admins can have novell privs. I'll have to find a 2k based proxy to use.

> I was kinda figuring that a deep separation between networks was the big goal.

Precisely

> DNS and DHCP just need to be configured to take into account the other side as well. Make sure stuff is in harmony (thinkin more about DNS internal root servers and secondary servers more than anything).

Yeah, I need to verify that too.

> certainly a LOT to get planned/done before the 27th.

No kidding...

From what I've gathered I will have to install Novell's NetWare client on all of the clients, but also install gateway services, eventually, for printer sharing.

I'm sure that I'm going to come up with a lot more questions in the very near future.

Thanks for your help!

Andrew
 

GeekDrew

I think that I have the basic idea of what all has to be done now. I know that this will be time consuming, but if I'm understanding things correctly, it won't be that difficult.

See if I have this right.
I will be able to create our domain, and then add a member server, which I'll probably call GCSNW (unique, isn't it?), which will be the gateway between the networks. I will install gateway and client services on that box, and then the gateway should be active.
I will build a client box, join it to the domain, and then install Novell NetWare client.

From there, will the gateway server automatically forward the requests to the NetWare network?
Will the clients be able to access their personal files on the NetWare server directly?

I'm still a bit confused as to how I'm going to get internet connectivity to the client box. I know that it will be handled through the gateway, but I don't know how. e.x. BM is set to 10.130.131.3 on the NetWare network. How will I tell the gateway to pass off internet requests to BM?

Thanks!

Andrew
 

xfactordomine

Hmm.. I work with netware and nt domains as well, and it seems like you're doing a helluva lotta work for something that worked really simple for me :p
Here's how my network is set up basically:

Netware 5.11 Servers: e.g. IP: 10.230.0.2 - 6 : (Master Servers) pretty much handles everything, Pserver, DHCP (with a few reserved IP's), Groupwise, File server, Internet gateway, etc..
NT 4 Enterprise PDC: e.g. IP: 10.230.0.7 : handles some files, using roaming profiles so no need to create hundreds of local accounts on every workstation, also a print server
NT 4 Enterprise BDC: e.g. IP: 10.230.0.8 : just a BDC :)
Various Linux boxes as webservers - blah blah

Every workstation we have as part of the domain only needed the Novell Client to be installed and everything worked fine.. (as long as you run the script
Only difference (maybe I didn't read what you wrote right) is the Netware Servers are outside of the NT Domain, but with the Netware Client installed, it doesn't matter..

Your Win2k admins should be able to administer the Netware servers fine, as long as they have supervisor rights, via nwadmn32
Passwords can be the same across both logins by checking that little option in Win2k login (forget the exact wording - Match passwords or something)

I might be a bit unclear on what you're talking about.. but hopefully this may help :p

-X
 

Santa

I second xfactordomine's confusion. We too do the same thing. Novell doesn't actually work with Windows Domain model. It adds a separate type of authentication.

So if you want to use the Client for Microsoft Network along with Novell Client that is fine.

You would select how you want to log into the network whether Domain first or NDS first. As xfactordomine pointed out there is a checkmark box to make sure to synchronize passwords.

The gateway seems way too complicated and perhaps is more used for when you are on disparate networks.

As long as you are able to communicate via IPX/SPX to your Novell boxes and TCP/IP and UDP to your Windows boxes you are fine.

You don't need a separate machine, separate NICS yadda yadda..

Since you may disconnect from the Novell network you may want to make sure you log into the Microsoft Domain first that way you should be able to cancel through the Novell login.
 

Tallgeese

Both xfactor and Santa are correct in pointing out a complexity that is really unnecessary in this project.
Based on the offline chat shriner and I had last night tho, there are a couple of "political" issues that are dictating this complexity, primarily:

* That the W2K machines be on their own unique subnet, so the Novell side and the MS side ARE disparate networks.
* That the gateway to the W2K subnet be a server, rather than a router or firewall.
* That Internet access for the W2K side be managed by a W2K box, and not by the existing BorderManager proxy.

Personally, I think the pissing contests make this project MUCH more expensive and difficult than it needs to be (and don't they always!),
but sometimes you just gotta do what you gotta do.
 

GeekDrew

I talked to several of the NW admins today. Now they're saying that client internet access must be routed through BorderManager, but that the FTP, IIS, and Exchange servers are to be controlled and routed by the Windows 2000 domain.

This is soo freaking frustrating...

Luckily, I'm going to be building the domain tomorrow, which the NW admins aren't around, so I'll just see what works and worry about company policy on Monday. After I get client connectivity up and working, then I can worry about orders.

But yes, the networks have to be completely separate. There are way too many people involved in this who have no idea what would be the best way to do all of this. :disgust:

Thanks, everyone.

Andrew
 

xfactordomine

Hey shiner :)

My network IS on 2 different subnets .. the Netware is 255.255.254.0 while the Windows is 255.255.255.0. Make sure that the Windows subnet is under the "umbrella" of the Netware subnet or filesharing between the two networks will not work properly. To clarify my "not work properly" statement, I'll tell you what happened in my case.
Formerly the Windows network's IP and subnet was 10.0.0.1-4: 255.255.0.0 and the Netware was (and still is) 10.230.0.2- x Subnet: 255.255.254.0
Basically people were having problems logging in/staying logged in/ and sharing files due to NetBIOS over TCP/IP protocol statistics (nbtstat) on the Windows servers not flushing and refreshing properly due to the "separate" networks, thus the servers would NOT communicate with each other correctly. It remained that way until the Windows Domain's IP address and subnet were changed to 10.230.0.x and 255.255.255.x; then everything worked properly.

I have to be honest, I feel your pain and would be just as frustrated as you, because what "they" want for you to do is going to be a HUGE PAIN IN THE A$$. To me, it seems kind of silly that they insist on keeping the NW Supervisors and Win2k Admins separate, since one person (you for instance) should be able to handle the whole thing. From what you've written.. it seems like your Netware Admins are kinda clueless, making your job even more difficult.

Good Luck :)

-X

P.S. You know.. you could always propose to get rid of the Netware servers altogether.. Windows can handle all that stuff, and you'll be infinitely happier :) The files are easy to port across and you might be able to transfer the NDS user objects using RADIUS (correct me if I'm wrong?)... if not... Users are easy to make with a template.. and in Windows it's even easier.. just copy :)
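The "umbrella" arrangement in the post above is a subnet containment check. This is an added example, not code from the thread: it takes the two layouts xfactordomine quotes (the old 10.0.0.x/255.255.0.0 Windows side and the later 10.230.0.x/255.255.255.0 one, against NetWare's 10.230.0.x/255.255.254.0) and reports whether the Windows subnet sits inside, contains, or is disjoint from the NetWare subnet, so the layout can be verified before addresses are handed out.

```python
# Added example (not from the thread): classify how a Windows subnet sits
# relative to a NetWare subnet, using the addresses quoted in the post above.
import ipaddress

IPv4Net = ipaddress.IPv4Network


def subnet_from(host_ip: str, mask: str) -> IPv4Net:
    """Return the network a host address belongs to, given a dotted-decimal mask."""
    # strict=False lets us pass a host address rather than the network address.
    return ipaddress.ip_network(f"{host_ip}/{mask}", strict=False)


def relation(windows: IPv4Net, netware: IPv4Net) -> str:
    """Describe where the Windows subnet lies relative to the NetWare subnet."""
    if windows == netware:
        return "same"
    if windows.subnet_of(netware):
        return "inside"      # the 'umbrella' layout the post describes
    if netware.subnet_of(windows):
        return "contains"    # Windows mask is wider than NetWare's
    # Two aligned IPv4 networks either nest or do not touch at all.
    return "disjoint"


def describe(win_ip: str, win_mask: str, nw_ip: str, nw_mask: str) -> tuple:
    """Return (windows_net, netware_net, relation) as strings for reporting."""
    win = subnet_from(win_ip, win_mask)
    nw = subnet_from(nw_ip, nw_mask)
    return (str(win), str(nw), relation(win, nw))


# Constructed from the two layouts in the post: the one that broke NetBIOS
# name handling and the one that worked.
OLD_LAYOUT = ("10.0.0.1", "255.255.0.0", "10.230.0.2", "255.255.254.0")
NEW_LAYOUT = ("10.230.0.7", "255.255.255.0", "10.230.0.2", "255.255.254.0")

if __name__ == "__main__":
    for label, layout in (("old", OLD_LAYOUT), ("new", NEW_LAYOUT)):
        print(label, describe(*layout))
```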
 

GeekDrew

Well, right now the NetWare IP specs are 10.130.x.x using 255.255.255.0
Which ones should I use? 255.255.254.0?

I have proposed that everything be changed to 2K. Unfortunately, the "powers that be" are not allowing that this year. It will be converted next summer, though, if all goes according to plan. Those same people are denying me NWAdmin access. I act as an admin, and just have an admin unlock it whenever I need to do anything. It's a bunch of B.S. All of our district admins and techs want to move to 2k. The director is the only person that wants to stay with Novell. I'd personally like to run him over for that one. (I have to point out that I'm exaggerating on that, just in case anyone I know reads that)

I'm going in to work tomorrow (yes, on a weekend), and I'm going to set up the domain. I'm going to install 2K ADV server on all of the server boxes. I'll have one domain controller and many member servers until everything is working, and then I'll start promoting the member servers. Hopefully I'll get a lot done tomorrow.

Andrew
 

mobogasm

you should try letting your "superior" know that migrating everything to win2k now will save a lot of time and money than trying to do it next summer. also, you might want to get used to working on weekends as a network admin hehe :).
 

Santa

Realistically if this is something for a school or for even a small to medium sized business it's too late to think about it this late in the game. There hasn't been enough planning because of the "powers that be" pushing it back.

I would hold tight for next year and just plan till your fingers bleed.

I don't see why they insist on a gateway server either. A router and/or firewall would do the job much more efficiently. I don't see why even if you are on disparate networks why it shouldn't work? All you would have to do is just make sure that your broadcast data is passing from one network to the other but xfactordomine has a weird fix for that by having the Win2K machines be a small subnet inside the bigger subnet. I have never tried this but apparently it works or he wouldn't be recommending it.

If they want to do such a task I would make them set up the Win2K machine as the gateway that way they don't have any excuses later about "well you messed up the gateway box that's why it doesn't work" It appears they want you to do extra work for no reason. Are the netware people also the router people? If not then buddy up to the routing people and make it happen behind their back and they won't know the difference.
 

xfactordomine

Originally posted by: Santa
> xfactordomine has a weird fix for that by having the Win2K machines be a small subnet inside the bigger subnet. I have never tried this but I apparently it works or he wouldn't be recommending it.

A weird fix for a weird situation. I still don't exactly know what the problem was, but the fix worked so I ain't complaining. heh

Hope everything went ok Shrinertech

-X
 

GeekDrew

A) Yes, I've been working long hours recently.

B) The NetWare people are the router people also.

After working all day Saturday, with no good results, nor progress made, I was frustrated and put the clients back on the NetWare network for now. I'll go in on weekends until I get the domain running.

On Saturday, I wasn't able to log in to the NetWare network from the room I was working on. I hadn't tried before I started working on the domain. Afterwards, I tried, to no avail. I couldn't get the gateway, nor the clients, to see the NetWare tree. I couldn't figure out what in the world was going on. I shut down the 2K servers and left. After going in today, I discover that nobody in the room can see the NetWare tree. After banging my head against a brick wall for about an hour, I deduced that one of the switches or the NetWare server is rejecting everything from the IP range/subnet mask that I was assigned to use. The NetWare people gave me the IP addy and subnet mask to use on their side (assigning it to the NIC that their network is connected to). From there, I was to keep increasing the IP one by one for all of the equipment needed. I found it odd that today, I could get a few computers to log in to NetWare, but most would not. I finally figured out that I have to enable DHCP client services on the clients. I was told by the NetWare people to disable DHCP and manually set the IPs, but they blocked me then. I enabled DHCP, rebooted, and then the clients could function properly on the NetWare network.

I'm going to raise hell at work tomorrow. I didn't know that I would be blocked if I used those IPs. They were assigned to me. That's the reason I wasn't able to see the NetWare network on Saturday, I think. Someone please correct me ASAP if I'm wrong.

I'm going to work on that network as much as I can tomorrow (which probably won't be much, since I also have classes starting).

Thanks all,

Andrew
 

GeekDrew

Latest update :disgust:

Here's what I've done so far.

I created the domain (FairfieldCST) on a 2000 Advanced Server. I named it masterdc.
I built a server that is to be the gateway between FairfieldCST and FCC. I named it GCSNW.
I have two NICs in GCSNW. One to FairfieldCST, one to FCC. FCC is running on DHCP, FairfieldCST is manually assigned to 10.0.150.5.
I placed both servers and a client on a switch by themselves. GCSNW and the client are members of FairfieldCST.
I installed "Gateway (and Client) Services for NetWare" on GCSNW.
I installed "Gateway (and Client) Services for NetWare" on masterdc.
I installed "Client services for NetWare" on the client, workstation1.

From here, I'm not sure what to do. I can log on to the NetWare network from GCSNW, but not from anywhere else.
What should I do? I'm absolutely clueless and very frustrated.

Andrew
 

Tallgeese

If your clients are requiring total Novell support, then your gateway server will have to route IPX for them.
If it does this, then the gateway server does NOT need GWSN loaded on it at all.
Neither will the DC.

The workstations will require a Netware client, either Microsoft- or Novell-supplied.

Here are some KnowledgeBase articles you might want to check:
Q222059 - Windows 2000 GSNW and CSNW Do Not Support NetWare 5 IP
Q203051 - Description of Microsoft NWLINK IPX/SPX-Compatible Transport
Q316019 - HOW TO: Install and Configure the NWLink IPX/SPX/NetBIOS-Compatible Transport Protocol in Windows 2000 Server
Q235225 - GSNW and CSNW Only Support the IPX/SPX Protocol
Q150546 - NWLink IPX/SPX: Network Number vs. Internal Network Number
Q254113 - Cannot Communicate with Some Computers on Network When Using Autodetect to Configure IPX Frame Type
 

xfactordomine

By the way.. what version of Netware are you guys running? 6.0 doesn't require IPX at all. It's pure TCP/IP. Nor does it require a Netware Client, you can use NFAP (Native File Access Protocol). So, if 6.0, might it be a problem with network architecture?

If Netware 5.11, the info Tallgeese gave you is great, and should work.

Good Luck,

-X

P.S: If that didn't make sense.. don't mind me.. I'm tired :p
 

GeekDrew

I know that it's not 6. I believe that it is 5.11, but I'm not sure.

Yes, that made sense.

TTYL

Andrew
 

GeekDrew

So if I eliminate gateway, and install routing, will my clients be able to access servers by IP address on the remote network?
For example, one of my clients might be using IP addy 10.0.150.75, but it will have to access the internet through BorderManager, which is running on a server at 10.130.131.3:8080.
Is this possible?
Thanks!
Andrew
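The question above, whether a client on 10.0.150.x can reach a server on the NetWare side once the gateway routes instead of proxying, comes down to which route the dual-homed box picks for each destination. This is an added example, not code from the thread or from either network: it models a gateway like GCSNW with one NIC per network, does the longest-prefix lookup a router performs, and shows what remains reachable after the NetWare-side NIC is disabled (Tallgeese's option 1 for the "disconnect" requirement). The routing table, interface names and the default next hop are constructed assumptions; only the 10.0.150.x and 10.130.131.3 addresses come from the thread.

```python
# Added example (not from the thread): longest-prefix route selection on a
# dual-homed gateway, with the table reduced when one NIC is disabled.
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str, Optional[str]]  # (destination prefix, interface, next hop)

# Constructed routing table. Interface names and next hops are assumptions;
# the NetWare side is shown as a single /16 only because the real masks
# were not given in the thread.
ROUTES: List[Route] = [
    ("10.0.150.0/24", "nic_fairfieldcst", None),   # directly connected, W2K side
    ("10.130.0.0/16", "nic_fcc", None),            # directly connected, NetWare side (assumed)
    ("0.0.0.0/0", "nic_fcc", "10.130.0.1"),        # default route, placeholder next hop
]


def lookup(dst: str, routes: List[Route] = ROUTES) -> Optional[Tuple[str, str, Optional[str]]]:
    """Return the most specific matching route for dst, or None if unroutable."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, via in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, via)
    if best is None:
        return None
    return (str(best[0]), best[1], best[2])


def without_interface(iface: str, routes: List[Route] = ROUTES) -> List[Route]:
    """Routing table after an interface is disabled: its routes simply vanish."""
    return [r for r in routes if r[1] != iface]


if __name__ == "__main__":
    # A W2K client asking for BorderManager's address (port 8080 is a TCP detail
    # the router does not look at; only the destination address matters here).
    print("normal:   ", lookup("10.130.131.3"))
    print("same side:", lookup("10.0.150.75"))
    print("internet: ", lookup("198.51.100.1"))
    isolated = without_interface("nic_fcc")
    print("isolated: ", lookup("10.130.131.3", isolated))
```

Once the NetWare-side NIC is gone, the default route goes with it, which matches the thread's statement that the W2K side needs no Internet access while disconnected.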