So you have finally decided to move away from Novell eDirectory to Microsoft Active Directory. If you are still not sure, you may want to read “Migrating from E-directory to active directory” first. If you are committed to making the move, you are reading the correct article. It provides detailed information, links to other resources and a template for migrating from Novell eDirectory to Microsoft Active Directory using the least expensive method for a smooth migration.
A traditional Novell network may have a few OES, GroupWise, DSfW (Domain Services for Windows), ZENworks and NetWare servers. If you don’t know what DSfW is, learn about it before you migrate, because it significantly affects the options you have for your migration. Before setting up new servers it is important to consider how many users there are in your eDirectory environment. Every migration project has some impact on the helpdesk, so plan for that too to ensure a smooth migration.
Our migration strategy has four components and seven steps:
- Create and test new Active Directory environment
- Create and migrate user accounts and security groups
- Migrate file servers
- Migrate emails from GroupWise to Exchange
Important: if your environment has more than one thousand users and complex security groups, you may want to consider migration software such as Dell Quest.
2.0 Create & test new Active Directory environment
You need a plan, and it must cover the number of virtual servers, storage, DNS, routing, switching, DHCP and print services. I assume you are using virtualisation; if not, don’t buy new servers. Stop and learn how virtualisation can help you.
In a typical setup of 200 to 500 users I install at least two Active Directory servers, install the DNS service on both domain controllers and avoid installing any other services on the domain controllers. However, your design depends on the type of organisation: are most of your staff located on the same site or on different sites, and so on.
Once you have set up the Active Directory and DNS servers, think about how you are going to assign IP addresses to the end machines. If you were using Novell DHCP, it is time for it to go as well. You will need to set up at least one server running a DHCP scope. I prefer to use a new subnet: ask your network engineer to create a new VLAN across the organisation for the new IP range and make sure the necessary routes are in place.
You need to set up a print server; you can do that on the same server as your DHCP server or on a different one. You will need to add all of your printers to this new Windows print server.
Next, you need a couple of test machines running a client OS, preferably VMs so you can take snapshots. Join them to the newly created Active Directory domain and test your domain, DHCP and print services. At this point you are ready to copy your users and security groups over to Active Directory. You may also want to set up additional services such as NTP, WSUS and Windows Activation Services.
When migrating you have two choices:
- Migrate users, connect devices to the domain and migrate all files from the file servers at the same time. This is possible and a good option for a small environment.
- Use a staged approach: first migrate users, second connect devices to the domain and run a hybrid environment for end users for the duration of the project, and finally migrate the file servers.
You have a decision to make: do you need to redesign some or most of your directory structure? If yes, do it now; otherwise you can simply clone the structure from your existing infrastructure. In my experience, most Novell directory structures are old and contain many directory objects that were left behind for no good reason. I prefer to do a clean setup, but it is up to you.
Create an Organisational Unit (OU) for computer objects; it is smart to build the OU structure for computer objects by location. You may also want to change the default container for new computer objects.
Create OUs for users; the best practice is to design the structure around your organisational structure, and likewise redirect the default Users container to the newly created OU.
Time to import users
Import users. The best way to do this is to get an LDAP dump from Novell eDirectory. Divide the information according to your new OU structure in Active Directory, then clean up the fields and update the information where necessary. You can download the CSV template that I have created with the schema fields and fill in the information within this template. Once you have prepared the user information in the CSV you can use a PowerShell command to import all of these users; you don’t need to create each user account by hand. If you have not learnt PowerShell yet, start googling it. You can find the command to import with a temporary password here; you need to create a temporary password for the users, and you can enable or disable the accounts at creation time using PowerShell.
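The bulk import described above, as an added example. This is not the author’s template or command; the CSV column names, the file paths and the OU distinguished names are assumptions you would adapt to your own template. Accounts are created enabled with the shared temporary password and forced to change it at first logon, which is the hand-over the article relies on later when users set their eDirectory password on the AD side.

```powershell
# Added example (not the article's script): bulk-create AD users from a CSV that was
# prepared from the eDirectory LDAP dump. Column names below are ASSUMED:
#   SamAccountName,GivenName,Surname,DisplayName,UserPrincipalName,OU,Description
# where OU is the distinguished name of the target OU, e.g. "OU=Finance,OU=Users,DC=corp,DC=example".
Import-Module ActiveDirectory

$CsvPath      = 'C:\Migration\users.csv'          # assumed path to the filled-in template
$LogPath      = 'C:\Migration\user-import.log'    # one line per row: OK / SKIP / FAIL
$TempPassword = Read-Host -AsSecureString -Prompt 'Temporary password for all imported users'

Import-Csv -Path $CsvPath | ForEach-Object {
    $sam = $_.SamAccountName.Trim()

    # The AD account name must match the eDirectory name exactly (needed later for CIFS access),
    # so a collision is something to investigate, not silently overwrite.
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        "SKIP  $sam already exists" | Tee-Object -FilePath $LogPath -Append
        return   # inside ForEach-Object this moves on to the next row
    }

    # Splatting keeps the call readable and lets us flip Enabled to $false for pre-staged accounts.
    $params = @{
        Name                  = $_.DisplayName
        SamAccountName        = $sam
        GivenName             = $_.GivenName
        Surname               = $_.Surname
        DisplayName           = $_.DisplayName
        UserPrincipalName     = $_.UserPrincipalName
        Description           = $_.Description
        Path                  = $_.OU
        AccountPassword       = $TempPassword
        ChangePasswordAtLogon = $true    # user replaces the temp password with their eDirectory one
        Enabled               = $true    # set to $false to create the accounts disabled
        ErrorAction           = 'Stop'
    }

    try {
        New-ADUser @params
        "OK    $sam created in $($_.OU)" | Tee-Object -FilePath $LogPath -Append
    }
    catch {
        # Typical causes: OU does not exist, UPN already in use, password fails the domain policy.
        "FAIL  $sam : $($_.Exception.Message)" | Tee-Object -FilePath $LogPath -Append
    }
}
```

Run it once against a handful of rows first and read the log; a FAIL on every row usually means the OU distinguished names in the CSV do not match what you actually created.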
Group Policy Objects
The heart of the Windows operating system is the power of GPOs. Group Policy Objects allow you to control user accounts and end devices. I am not going to explain how GPOs or profile redirection work or how to set them up, because that is not the aim of this article. You can find an excellent article on profile redirection by clicking here. I would like to share a PowerShell command that can assist you in mapping users to the correct security groups without having to purchase a tool or going through the pain of mapping each user separately. You should create the security groups in a separate Organisational Unit structure.
You can map printers to the end devices using GPOs; you can also list printers as network printers and install them manually on particular devices. Here is the link that provides more information about printers; all you need to do is create an empty GPO for printer management and follow the article.
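The group mapping mentioned above, as an added example rather than the author’s own command. It assumes a CSV with a SamAccountName column and a Groups column holding the user’s group names separated by semicolons, and a dedicated OU for security groups; both are assumptions. It builds the membership list first so that each group gets a single Add-ADGroupMember call, and it creates any group referenced in the dump that does not exist yet.

```powershell
# Added example (not the article's command): assign imported users to security groups from a CSV.
# ASSUMED CSV header:  SamAccountName,Groups
#   e.g.               jsmith,"GRP-Finance-RW;GRP-AllStaff"
Import-Module ActiveDirectory

$CsvPath = 'C:\Migration\group-membership.csv'             # assumed path
$GroupOU = 'OU=Security Groups,DC=corp,DC=example'         # assumed: separate OU for groups

# Invert the CSV: group name -> list of members. One Add-ADGroupMember per group is far faster
# than one call per user when you have hundreds of rows.
$membership = @{}
foreach ($row in Import-Csv -Path $CsvPath) {
    $groups = $row.Groups -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($group in $groups) {
        if (-not $membership.ContainsKey($group)) {
            $membership[$group] = New-Object 'System.Collections.Generic.List[string]'
        }
        $membership[$group].Add($row.SamAccountName.Trim())
    }
}

foreach ($group in $membership.Keys) {
    # Create the group in the groups OU if the eDirectory dump referenced one that AD does not have yet.
    if (-not (Get-ADGroup -Filter "Name -eq '$group'" -SearchBase $GroupOU)) {
        New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $GroupOU
        Write-Host "Created security group $group in $GroupOU"
    }

    # Only add accounts that exist; report the rest so the CSV can be fixed instead of aborting the run.
    $existing = @()
    $missing  = @()
    foreach ($sam in $membership[$group]) {
        if (Get-ADUser -Filter "SamAccountName -eq '$sam'") { $existing += $sam } else { $missing += $sam }
    }
    if ($existing.Count -gt 0) {
        Add-ADGroupMember -Identity $group -Members $existing
    }

    $note = if ($missing.Count -gt 0) { ' (' + ($missing -join ', ') + ')' } else { '' }
    Write-Host ("{0}: added {1} user(s), {2} not found in AD{3}" -f $group, $existing.Count, $missing.Count, $note)
}
```

Because membership is aggregated per group, re-running the script is safe: Add-ADGroupMember ignores members that are already present.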
Hybrid environment and file access
The most important step, if your environment is medium to large and you chose to do a two-stage migration, is to ensure that your Active Directory users are able to access files on the Novell file server during the migration. You need to ensure:
- The user name in Active Directory is exactly the same as the user name in Novell eDirectory. You can have a different domain name, but the account name must be the same.
- You need to set up a DSfW server and enable CIFS for all Novell file shares. CIFS allows your users to browse the file shares using the IP address, without the Novell client on the end machine. You can use the net use command in a login script deployed via GPO to map the CIFS shares for your users in Active Directory. The file rights stay the same as in the Novell environment.
Some people may not need this if they are planning a cut-and-shut migration, but for most environments with more than 100 users you can use the CIFS shares to avoid downtime. Especially if you need to re-image your end devices or replace them with new hardware, this can take weeks, and during that time you can run a hybrid environment without any downtime. All you need to do is map a drive to the CIFS share using its UNC path.
Connecting end devices to the domain
You are ready to move to the new system. The best practice is to implement one department at a time; you can simply re-image the machine or follow these steps:
- Remove Novell Client
- Make sure the PC is on the new VLAN to pick up the IP configuration from Windows DHCP
- Join the PC to the domain
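The three steps above as one pre-flight-and-join script, added here as an example and not taken from the article. It runs locally on the PC as an administrator, refuses to continue while the Novell client is still present or the PC has not picked up a lease from the new VLAN, checks that the new domain resolves (a PC still pointed at Novell DNS cannot join), and then joins the machine straight into a location-based computer OU. The domain name, OU path, VLAN range and the assumption that the Novell client registers an uninstall entry containing “Novell Client” are all placeholders.

```powershell
# Added example (not the article's procedure): pre-flight checks, then domain join, for one PC.
# Run elevated on the workstation. All values below are ASSUMED placeholders.
$DomainName  = 'corp.example'
$ComputerOU  = 'OU=Workstations,OU=HeadOffice,DC=corp,DC=example'   # location-based OU, as the article suggests
$NewVlanCidr = '10.50.0.0/16'                                        # the new VLAN served by Windows DHCP

function Test-NovellClientInstalled {
    # ASSUMPTION: the Novell client's uninstall entry has a DisplayName containing "Novell Client".
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    [bool](Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like '*Novell Client*' })
}

function ConvertTo-UInt32([string]$Ip) {
    # Dotted quad -> unsigned 32-bit integer (network byte order is big-endian, BitConverter is little-endian).
    $bytes = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    [Array]::Reverse($bytes)
    [System.BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPInCidr([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr -split '/'
    $mask = (0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF
    ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}

# Step 1: Novell client must already be removed (the article removes it before the VLAN move).
if (Test-NovellClientInstalled) {
    throw 'Novell Client is still installed; uninstall it and reboot before joining the domain.'
}

# Step 2: the PC must hold a DHCP-assigned address inside the new VLAN, i.e. the switch port was moved
# and Windows DHCP, not Novell DHCP, answered.
$lease = Get-NetIPAddress -AddressFamily IPv4 -PrefixOrigin Dhcp |
         Where-Object { Test-IPInCidr -Ip $_.IPAddress -Cidr $NewVlanCidr } |
         Select-Object -First 1
if (-not $lease) {
    throw "No DHCP lease from $NewVlanCidr; check the port's VLAN and run ipconfig /renew."
}

# The join needs the new DNS: if the domain name does not resolve, the client is still using Novell DNS.
if (-not (Resolve-DnsName -Name $DomainName -Type A -ErrorAction SilentlyContinue)) {
    throw "Cannot resolve $DomainName; verify the DNS servers handed out by the new DHCP scope."
}

Write-Host "Pre-flight OK: $($lease.IPAddress) via DHCP, Novell client absent, $DomainName resolves."

# Step 3: join directly into the right OU so location-based GPOs apply at first boot.
$cred = Get-Credential -Message "Account permitted to join computers to $DomainName"
Add-Computer -DomainName $DomainName -OUPath $ComputerOU -Credential $cred -Restart
```

Using a dedicated join account with rights delegated only on the workstation OUs, rather than a domain admin, keeps the credential typed on dozens of desks low-value.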
Because we are not using expensive migration software you need to sync the passwords manually. If your migration is going to take a long time you may need to modify the password policy on both sides to ensure user passwords don’t expire. If the user name and password are not the same in eDirectory and Active Directory during the migration, end users on AD will not be able to access files on the Novell file server using CIFS.
Ask the user to log in using the temporary password and then change it to exactly the same password they have in eDirectory.
At this point you also need to ensure that, if you have other services such as Citrix, you map the new drives in Citrix and change the authentication source from the DSfW domain to the Active Directory domain. I say DSfW domain because it is not possible to have Citrix with Novell without DSfW unless you are running version 5 or below.
The critical question is when to point your Citrix infrastructure to Active Directory, because if you move it on the first day then most of your users who are not yet migrated will lose access to Citrix; this is your call. Alternatively, you can ask each of your users to log in to Citrix with their user name and temporary AD password and then, using Citrix itself, change it to the same password as in eDirectory at the same time. This means you will migrate all of your users before you migrate their machines. If a user logs in to Citrix before their computer is connected to the domain, then you don’t need to ask the user to change the password or use a temporary password at the time of migrating their machine.
I found it very confusing to communicate this sort of detail to the users in a larger environment; depending on your needs you may inform the users that Citrix is not available for either the users on the old system or those on the new system until a certain date, to simplify the process. However, this depends on the needs of your organisation. Another approach could be to set up a separate Citrix infrastructure using a trial licence and then migrate the licence over once everyone is migrated, to ensure Citrix is available for all users at all times.
5.0 Set up file servers
Once all of your computers and users have been migrated to Active Directory, the next step is to migrate your file server to Windows file servers. To set up Windows file servers I recommend at least two file servers with the same capacity. You need to install FSRM to be able to manage quotas etc., and ideally you should create a DFS namespace and replication. DFS replication ensures that both file servers hold the same copy of the files, so if you need to update or restart a server you do not need to do it after hours and you avoid downtime.
Important: make sure the user profile share is not part of DFS replication; this will cause problems for you. Use Offline Files instead, especially if you have portable devices.
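The two-server build described above, as an added example and not the author’s build script. It installs the file server, FSRM, DFS namespace and DFS replication roles on both servers, creates a quota template and auto-quota for per-user folders, publishes the shared data in a domain-based namespace with both servers as targets, and replicates only the Shared folder; the Profiles share is created on each server but deliberately left out of the replication group, as the warning above requires. Server names, paths, the domain and the group names are constructed placeholders.

```powershell
# Added example (not the article's script): two file servers with FSRM, a DFS namespace and
# DFS-R for shared data. Profiles is shared on both servers but NOT replicated.
# Run from a management host with the DFSN, DFSR and ServerManager tools installed.
$Servers = 'FS01', 'FS02'            # constructed server names
$Domain  = 'corp.example'            # constructed AD DNS name
$NetBios = 'CORP'                    # constructed NetBIOS domain name

# 1. Roles, folders and shares on both servers. Tighten the share ACLs to your own security groups.
Invoke-Command -ComputerName $Servers -ScriptBlock {
    Install-WindowsFeature FS-FileServer, FS-Resource-Manager, FS-DFS-Namespace, FS-DFS-Replication `
                           -IncludeManagementTools | Out-Null

    New-Item -ItemType Directory -Force -Path 'D:\DFSRoots\dfs', 'D:\Shares\Shared\Users', 'D:\Shares\Profiles' | Out-Null

    # Namespace root share: read-only for everyone, it only holds DFS link folders.
    New-SmbShare -Name 'dfs'    -Path 'D:\DFSRoots\dfs'  -ReadAccess 'Everyone' | Out-Null
    New-SmbShare -Name 'Shared' -Path 'D:\Shares\Shared' -FullAccess "$using:NetBios\Domain Admins" `
                 -ChangeAccess "$using:NetBios\Domain Users" | Out-Null
    # Profiles: access-based enumeration on, clients use Offline Files for caching, no DFS-R.
    New-SmbShare -Name 'Profiles$' -Path 'D:\Shares\Profiles' -FullAccess "$using:NetBios\Domain Admins" `
                 -ChangeAccess "$using:NetBios\Domain Users" -FolderEnumerationMode AccessBased | Out-Null

    # FSRM: a 5 GB hard quota template applied automatically to every folder created under Shared\Users.
    New-FsrmQuotaTemplate -Name 'Users 5GB' -Size 5GB | Out-Null
    New-FsrmAutoQuota -Path 'D:\Shares\Shared\Users' -Template 'Users 5GB' | Out-Null
}

# 2. Domain-based namespace \\corp.example\dfs with the Shared folder targeting both servers,
#    so the UNC path in login scripts never names a single server.
New-DfsnRoot       -Path "\\$Domain\dfs"        -TargetPath '\\FS01\dfs' -Type DomainV2 | Out-Null
New-DfsnRootTarget -Path "\\$Domain\dfs"        -TargetPath '\\FS02\dfs'                | Out-Null
New-DfsnFolder       -Path "\\$Domain\dfs\Shared" -TargetPath '\\FS01\Shared' | Out-Null
New-DfsnFolderTarget -Path "\\$Domain\dfs\Shared" -TargetPath '\\FS02\Shared' | Out-Null

# 3. Replicate Shared between the servers (Add-DfsrConnection is bidirectional by default).
#    Profiles is intentionally absent from this group.
New-DfsReplicationGroup -GroupName 'RG-Shared' | New-DfsReplicatedFolder -FolderName 'Shared' | Out-Null
Add-DfsrMember     -GroupName 'RG-Shared' -ComputerName $Servers | Out-Null
Add-DfsrConnection -GroupName 'RG-Shared' -SourceComputerName 'FS01' -DestinationComputerName 'FS02' | Out-Null
Set-DfsrMembership -GroupName 'RG-Shared' -FolderName 'Shared' -ComputerName 'FS01' `
                   -ContentPath 'D:\Shares\Shared' -PrimaryMember $true -Force | Out-Null
Set-DfsrMembership -GroupName 'RG-Shared' -FolderName 'Shared' -ComputerName 'FS02' `
                   -ContentPath 'D:\Shares\Shared' -Force | Out-Null

Write-Host "Namespace \\$Domain\dfs\Shared is live; DFS-R group RG-Shared will seed from FS01."
```

Marking FS01 as the primary member matters for the initial sync: its copy wins any conflicts, so seed the data onto FS01 only and let DFS-R populate FS02.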
Once your file shares are set up and you have assigned the correct security groups to each file share or sub-folder, I suggest creating a couple of test users, assigning them to the relevant security groups and testing their access level to each share to ensure everything is the way it should be.
A few things I would like to highlight here are the concepts of offline file access, encryption and access-based enumeration. Offline access lets users reach their files while your server is down, but it increases the storage needs on the end computer and creates a security risk: if you have confidentiality requirements, be careful with offline file access, although you can secure offline files using encryption. Encryption provides extra protection, but increases the processing overhead.
The best way to understand access-based enumeration is with an example. Say you share a folder with two different users, A and B, and within that folder you have two sub-folders, 1 and 2. If you would like user A to see folder 1 but not folder 2, then access-based enumeration is your answer. While access-based enumeration is helpful for hiding folders that users don’t have access to, you need to make sure that users have the Read Attributes and Read Extended Attributes rights inherited across all your shared folders. If you do not grant these rights, some of your users will not be able to edit files or access the share location when you use the DFS namespace in the UNC path. It may work fine if you use the IP address, and you may think there is a DNS issue, but this particular problem is related to rights.
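An added example that covers both the access test suggested two paragraphs up and the rights problem described here; it is not code from the article. It enables access-based enumeration on a share and then audits the folder tree for exactly the two things that produce the “works by IP, fails by name” symptom: an identity that has been granted some access to a folder but not Read Attributes and Read Extended Attributes, and folders where inheritance has been disabled so rights set at the share root never reach them. Share name and path are constructed.

```powershell
# Added example (not from the article): enable ABE on a share, then audit every folder beneath it.
$ShareName = 'Shared'                 # constructed
$SharePath = 'D:\Shares\Shared'       # constructed

# Hide folders the caller has no rights to: user A sees folder 1 but not folder 2.
Set-SmbShare -Name $ShareName -FolderEnumerationMode AccessBased -Force

$Required = [int]([System.Security.AccessControl.FileSystemRights]::ReadAttributes -bor
                  [System.Security.AccessControl.FileSystemRights]::ReadExtendedAttributes)
$FullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl

function Get-AbeRightsProblems([string]$Root) {
    $folders = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Directory -Recurse)
    foreach ($folder in $folders) {
        $acl = Get-Acl -Path $folder.FullName

        if ($acl.AreAccessRulesProtected) {
            [pscustomobject]@{ Folder = $folder.FullName; Identity = '(all)'
                               Problem = 'Inheritance disabled: rights granted at the share root stop here' }
        }

        # Aggregate Allow rights per identity for this folder itself.
        $allowed = @{}
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Inherit-only entries (e.g. CREATOR OWNER) do not apply to this folder, only to children.
            if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }

            $rights = [int]$ace.FileSystemRights
            # Generic rights (GENERIC_ALL and friends) set the top bits; treat them as Full Control.
            if ($rights -band 0xF0000000) { $rights = $FullControl }

            $id = $ace.IdentityReference.Value
            $allowed[$id] = ([int]$allowed[$id]) -bor $rights
        }

        # Anyone with access to the folder but without RA + REA is the problem the article describes.
        foreach ($id in $allowed.Keys) {
            if (($allowed[$id] -band $Required) -ne $Required) {
                [pscustomobject]@{ Folder = $folder.FullName; Identity = $id
                                   Problem = 'Has access but lacks Read Attributes / Read Extended Attributes' }
            }
        }
    }
}

$problems = @(Get-AbeRightsProblems -Root $SharePath)
if ($problems.Count -eq 0) {
    Write-Host "No rights problems found under $SharePath"
} else {
    $problems | Sort-Object Folder, Identity | Format-Table -AutoSize
}
```

Fix the findings at the highest folder where the group is granted access, with “This folder, subfolders and files” inheritance, rather than patching individual sub-folders; a folder listed with inheritance disabled needs the rights added explicitly there.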
Once you have completed creating and testing your shares, the next step is to copy all of your files from the Linux shares to Windows. My approach is to purchase a licence for Allway Sync, which costs less than 20 dollars. Install this software on a machine that is a member of the new Active Directory domain. Map all the CIFS shares and Windows shares on that PC. Use Allway Sync to create jobs and copy the data during business hours with no impact on production. Once everything is copied across, aim for a short downtime window in which you do the following:
Re-sync the changes for each share using Allway Sync and then disable the CIFS share on that folder, meaning your users will no longer be able to access the Novell share from the new system. This should be a quick process, as most of the data was already copied during the day and Allway Sync only copies the changes.
Perform this step for each share and then update your login script: use net use /delete to make sure the old mapped network drives are removed, and use net use in the next statement to map the Windows share.
Advise your users to log out and log back in the next morning to run the new mapping script. You have completed the file migration and it is time for the clean-up.
Create a checklist to ensure that none of your application servers etc. rely on Novell eDirectory, DNS, NTP, file server or DHCP. At this point you may want to shut down some or all of your Novell servers, except DNS and eDirectory if you have GroupWise in your environment.
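The GPO login script that both the hybrid stage and the cutover rely on, as an added example (not the author’s script). During the hybrid stage a drive points at the Novell CIFS share by IP address, so no Novell client is needed; at cutover you change that one entry to the Windows share or DFS namespace path. Each logon first removes whatever is mapped on the letter, so the old CIFS mapping disappears without a separate clean-up step. Drive letters, IP addresses, share names and the namespace path are constructed.

```powershell
# Added example (not the article's script): logon script deployed via GPO. Edit the table as shares
# are cut over; everything below it is generic. All paths and addresses are CONSTRUCTED examples.
$Mappings = @(
    @{ Letter = 'S'; Path = '\\corp.example\dfs\Shared' }           # cut over: Windows DFS namespace
    @{ Letter = 'F'; Path = '\\corp.example\dfs\Finance' }          # cut over: Windows DFS namespace
    @{ Letter = 'H'; Path = "\\10.20.30.40\USERS\$env:USERNAME" }   # still Novell CIFS, reached by IP
)

foreach ($m in $Mappings) {
    $drive = "$($m.Letter):"

    # Drop any existing mapping on this letter (a stale CIFS path, a user's manual mapping).
    # /y answers the open-files prompt; errors are ignored because the letter may not be mapped yet.
    net use $drive /delete /y 2>$null | Out-Null

    # Map non-persistently: this script runs at every logon, and remembered mappings would otherwise
    # resurrect the old Novell path after cutover. The CIFS mapping only succeeds while the user's
    # AD account name and password match their eDirectory account, as the article requires.
    net use $drive $m.Path /persistent:no | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not map $drive to $($m.Path) (net use exit code $LASTEXITCODE)"
    }
}
```

Because the old mapping is deleted before the new one is made, the same script works unchanged for the cutover: only the Path values in the table move from the Novell IP to the Windows namespace.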
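The decommissioning checklist above as a script, added here as an example rather than the author’s checklist. It asks every Windows server whether it still points at the old Novell servers for DNS or time, still holds a DHCP-assigned address (a server should be static, and a lease would have come from Novell DHCP or the new scope), and still runs any service whose display name mentions Novell. The old host list and the assumption that Novell services carry “Novell” in their display names are placeholders.

```powershell
# Added example (not the article's checklist): find remaining dependencies on the Novell
# infrastructure before it is powered off. Old addresses below are CONSTRUCTED placeholders.
Import-Module ActiveDirectory
$OldNovellHosts = '10.20.30.40', '10.20.30.41', 'oes1', 'nw-fs1'   # old Novell DNS/NTP/file server IPs and names
$Servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*" -and Enabled -eq $true' |
           Select-Object -ExpandProperty Name

$report = Invoke-Command -ComputerName $Servers -ErrorAction SilentlyContinue -ScriptBlock {
    $old = $using:OldNovellHosts

    # DNS client still configured with a Novell DNS server?
    $dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
           ForEach-Object { $_.ServerAddresses } | Where-Object { $_ -in $old }

    # Any address obtained from DHCP rather than configured statically?
    $dhcp = Get-NetIPAddress -AddressFamily IPv4 -PrefixOrigin Dhcp | Select-Object -ExpandProperty IPAddress

    # Time source: domain members should show a domain controller, not a Novell NTP server.
    $ntp = (w32tm /query /source 2>$null | Out-String).Trim()

    # ASSUMPTION: Novell client/agent services have "Novell" in their display name.
    $svc = Get-Service | Where-Object { $_.DisplayName -like '*Novell*' } | Select-Object -ExpandProperty DisplayName

    [pscustomobject]@{
        Server         = $env:COMPUTERNAME
        OldDnsServers  = ($dns  -join ', ')
        DhcpAddresses  = ($dhcp -join ', ')
        TimeSource     = $ntp
        NovellServices = ($svc  -join ', ')
    }
}

$pattern = ($OldNovellHosts | ForEach-Object { [regex]::Escape($_) }) -join '|'
$blocking = $report | Where-Object {
    $_.OldDnsServers -or $_.DhcpAddresses -or $_.NovellServices -or ($_.TimeSource -match $pattern)
}

if ($blocking) {
    Write-Warning 'These servers still depend on the Novell environment:'
    $blocking | Format-Table Server, OldDnsServers, DhcpAddresses, TimeSource, NovellServices -AutoSize
} else {
    Write-Host "None of $($report.Count) reachable servers reference the old Novell hosts."
}

# Servers that did not answer WinRM need a manual check; list them so nothing is assumed clean.
$unreached = $Servers | Where-Object { $_ -notin $report.PSComputerName }
if ($unreached) { Write-Warning "Not reachable, check by hand: $($unreached -join ', ')" }
```

Application-level dependencies (an LDAP bind to eDirectory configured inside an application, for instance) will not show up in this sweep; those still belong on the written checklist.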
I will discuss the GroupWise to Exchange migration process in a separate article.