LETTERS TO THE EDITOR


High Praise for NetWare Connection

Thank you for Blaine Homer's informative article, "NDS for NT: Rounding Out Your Company's NDS Tree" (NetWare Connection, Dec. 1997/Jan. 1998, pp. 6-12). NetWare Connection is the only magazine that consistently offers superior product reviews and other excellent articles. Each issue focuses on providing practical solutions that network administrators can use in their jobs every day. Keep up the good work!

Jimmy Castro

NDS Tree Design for COMDEX

In the article "COMDEX Intranet--Novell Connecting Points: Mission Impossible?" (NetWare Connection, Dec. 1997/Jan. 1998, pp. 24-32), Linda Boyer outlines the design of the Novell Directory Services (NDS) tree created for COMDEX Intranet--Novell Connecting Points (NCP). The Organizational Units (OUs) in the NDS tree appear to be based on groups of network resources, such as servers, printers, and applications. This design contradicts published Novell guidelines to avoid resource OUs, relying instead on departmental OUs. Novell explains that OUs based on groups of network resources lead to several problems. For example, when you are using resource OUs, the flexibility of partitions and replicas is limited, and resource OUs do not benefit from inheriting rights. As a result, you must grant rights between OUs, complicating network management and generating external references that add overhead to NDS operations.

Because of these reasons, I would be hesitant to implement such a design, especially for 270,000 User objects. I am currently working for a customer who wants to implement this type of design, and I am advising against it.

Can you provide more detailed information about the design of the NDS tree at COMDEX Intranet--NCP? Please explain why this design was used, and indicate how the problems associated with the design were overcome. Thank you.

Audrius Dundzila

When designing your company's NDS tree, you must evaluate all aspects of the company, including the number of departments and users, the interaction between departments, and the job functions of each user. Typically, logical divisions occur at organizational levels within the company because users in different departments may require access to different network resources. For example, users in the Marketing department might require access to a different server, printer, and set of applications than users in the Engineering department. In addition, users in the Marketing department might require different file system rights than users in the Engineering department.

To accommodate these special needs, you should generally distribute network resources among the OUs that require the most frequent access to the resources. These guidelines prevent unnecessary tree walking and simplify network management.

Although the NDS tree for COMDEX Intranet--NCP seems to contradict the guidelines, a closer look at this tree shows that we did not abandon these guidelines; rather, we modified the guidelines to meet the needs of COMDEX users. At COMDEX, all users were created equal: These users accessed the same servers, printers, and applications and received the same file system rights. In essence, everyone was part of one logical organization, which is why we created one Organization object.

Because of the number of COMDEX users, we created OUs below the Organization object, and we created partitions based on these OUs to optimize performance, enable load balancing, and provide fault tolerance. We then granted rights at the Organization level and allowed these rights to flow down the NDS tree.

If we had placed the network resources for COMDEX Intranet--NCP into the same OU as the User objects, the external references would have been reduced only for that OU. Other OUs would have been forced to walk up the NDS tree to the parent partition and then walk back down. Aliasing network resources would have created additional administrative overhead. As a result, the same number of hops, but even more network management, would have been required to access network resources.

As you can see, we evaluated all aspects of COMDEX before designing the NDS tree. We then modified the guidelines to achieve our goals: allowing rights to flow down the NDS tree; partitioning this tree for performance, load balancing, and fault tolerance; using a maximum of three hops for authentication; and keeping network management simple.

Gary Norton, Novell Corporate Events systems architect
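To make the tree-walking and rights-inheritance argument in the reply above concrete, here is a small Python model added as an editorial illustration; it is not Novell's code or the real COMDEX tree, and the hop count (partition boundaries crossed), the tree layout, the object names and the rights are constructed assumptions.

```python
class NdsTree:
    """Simplified NDS model (constructed illustration, not Novell's code): a tree
    of containers, some being partition roots; a trustee assignment on a
    container flows down to everything beneath it (IRFs ignored)."""

    def __init__(self, root):
        self.parent = {root: None}
        self.partition_roots = {root}   # the top of the tree is always a partition
        self.grants = {}                # (container, trustee) -> set of rights

    def add(self, name, parent, partition_root=False):
        self.parent[name] = parent
        if partition_root:
            self.partition_roots.add(name)

    def grant(self, container, trustee, rights):
        self.grants.setdefault((container, trustee), set()).update(rights)

    def ancestors(self, obj):
        """obj itself, then each container up to the top of the tree."""
        chain = []
        while obj is not None:
            chain.append(obj)
            obj = self.parent[obj]
        return chain

    def effective_rights(self, user, target):
        """A user is security equivalent to every container above it, so
        collect grants made to any of those on target or its ancestors."""
        rights = set()
        for container in self.ancestors(target):
            for trustee in self.ancestors(user):
                rights |= self.grants.get((container, trustee), set())
        return rights

    def hops(self, user, target):
        """Partition boundaries crossed: up from the user's partition to the
        first partition shared with the target, then back down to it."""
        up = [c for c in self.ancestors(user) if c in self.partition_roots]
        down = [c for c in self.ancestors(target) if c in self.partition_roots]
        common = next(c for c in up if c in down)
        return up.index(common) + down.index(common)


def build_tree(resource_parent="O=COMDEX"):
    """Constructed COMDEX-like tree: one Organization, three user OUs that are
    each a partition, one server, rights granted once at the Organization."""
    t = NdsTree("O=COMDEX")
    for i in (1, 2, 3):
        t.add(f"OU=Users{i}", "O=COMDEX", partition_root=True)
        t.add(f"CN=user{i}", f"OU=Users{i}")
    t.add("CN=FS1", resource_parent)            # where the server lives
    t.grant("O=COMDEX", "O=COMDEX", {"Browse", "Read"})  # flows to every user
    return t
```

With the server in the Organization's own partition every user reaches it in one hop and inherits the Organization-level rights; moving it into OU=Users1 helps only that OU (zero hops) while users in the other OUs must walk up to the parent partition and back down (two hops).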

NetWare Connection, March 1998, p. 4