GroupWise Support for Active Directory

Q. CB wrote: When is GroupWise going to support Active Directory natively, and no longer require eDirectory and Console One to manage?

A. It is on our roadmap for the next version of GroupWise, codenamed “Windermere”. The release date for Windermere is fuzzy right now -- all we know is it will likely release 12-24 months after the shipping of “Ascot” later this year.


Comment List
  • That is a great shame that we will have to wait until 2013/14 as a lot of our customers are migrating away from GW. Even though EDIR does have a lot of great benefits with GW.
  • Well yes and no

    No ....
    1) eDir has better platform support - from memory SLES, Red Hat, Solaris, AIX, HP-UX, NetWare and even Windoze.
    2) eDir synchronises deltas only - i.e. any synchronisation event is only of the recent changes, not the entire directory as AD does.
    3) From 2 above consequently AD replication to other servers can be tardy to say the least (i.e. create user on ADServer1 wait 2 hours and the user finally appears on ADServer2). If you want to increase the frequency of synchronisation bear in mind 2 above - you will be synching the entire directory.
    4) You can run multiple instances of eDir on a single server (eDir 8.8+).
    5) eDir has a convenient concept of partitioning to allow for distribution of directory data to appropriate places rather than carrying the entire directory on a server. To allow for separate regions in AD you use forests which is clunky and unreliable in practice.
    6) A failure of AD means you end up trashing and rebuilding your server (I've seen this occur) - eDir is much kinder, on Linux you trash eDir but keep the server and a restore can be as simple as a simple file copy.
    7) AD attributes can be frustratingly dumb: e.g. not allowing certain characters such as line breaks, not allowing NULL values, not allowing multiple values. In AD I don't believe you can have a multi-valued telephone number - but lots of real people do have more than one landline.
    8) According to Novell I think eDir performs better for large numbers of objects - but that's just "talk" I don't know what the truth of it is.

    Yes .....
    a) I agree absence of Kerberos in eDir is a real negative.
    b) Yes eDir requires constant, repetitive maintenance. On one hand eDir is more complex, there is more scope for problems. But AD guys don't touch AD, it apparently just works. For eDir every 3 months or so I have to perform maintenance to keep it in a healthy state.
    c) Novell is dead, they have conceded defeat and are now winding down their business - you wouldn't deploy eDir if you want to deploy something that will still exist and be supported in 5 years. I've even had Novell Platinum partners tell me that Novell has conceded defeat (but that was more specifically for GroupWise not other products). Novell lost their way somewhere and now they are completely irrelevant.
    d) Novell is "The Bug Meister" - their sloppy coding and inadequate quality assurance process has cost me countless hours of stress and frustration. Their software is so loose and flakey it is not fit to be used in ANY enterprise. I once installed eDir on a Linux box (in the eDir 8.7.3 days circa 2004) and bounced eDir on the Linux box in order to apply a patch for Identity Manager. When I bounced eDir on the Linux box 5 NetWare servers simultaneously abended and rebooted - that's Novell for yah - real quality - NOT!!!

    If you manage eDir you should be aware of the bad consequences of massive time drifts. If you manage eDir you really ought to monitor NTP/Time synchronisation and if it goes wrong fix it quickly before it causes issues. If you've run into these problems in the past it sounds as though you have been remiss in your job, don't monitor things sufficiently and then start crying and whining when things go wrong?
  • eDir superior to AD?

    Can't agree to be honest. Can you undelete the eDir object deleted by mistake? Do you have SSO (Kerberos) out of the box? Even with DSfW add-on that is ridden with limitations, it is a poor imitation of what AD can do.

    eDir is so fragile that one simple error can cause total chaos in the services using it. Let me give you an example - ntpd on one of the virtualised replica servers dies, leaving the time to drift (even though the kernel parameters have been updated to prevent the time issues).

    After ntpd is restarted, ndsrepair -E shows everything works fine. You attempt to ldap bind as a few users using ldapsearch, it binds fine and reads the attributes. However, UserApplication (portal) refuses logins with an nds error about the time.

    You have to issue a new epoch now. This would be fine if the schema was in sync beforehand. There was no reason to believe it was not, as ndstrace said so (I checked, honest).

    However, once issuing the new time epoch caused problems on a few replicas, the investigation confirmed that the schema was not synchronised (using iMonitor schema compare).

    This was fixed, but then one of the removed replicas that turned into subordinate stayed flagged as subordinate even when its parent was removed, which caused it to be stuck when it was re-added as RW, as other servers were thinking it is NEW of type RW, and it was thinking it is NEW of type Subordinate. All attempts to remove it failed.

    Anyway, I fixed this in the end (had to remove the server from the tree, fix the schema issues and put it back and replicate the eDir DB), but this was just to illustrate how eDir is fragile and an ordinary engineer would not be able to sort this out. All this while users were hurting, unable to use the User Application.

    The point is, none of the above complications should have occurred. I never had AD crumble in a similar situation. Its time service between AD controllers just works. Ntpd on Linux may die frequently for a number of reasons and not all of them can be anticipated.

    However, I know this will fall on deaf ears, as it always does...sigh.
  • First, eDirectory is WAY superior to AD so I can't see why there is such a desire for AD support for GroupWise????

    The same way that ED is WAY better than AD, Exchange is WAY better than GroupWise, if you want to use AD (why????), you'd have to be pretty odd to then choose GroupWise over Exchange - I mean seriously weird.

    We use GroupWise, we recognise it is a pretty BAD product but it fits with OES + ED so we, to this date, tolerate its many failings/weaknesses.

    I think the GroupWise team, who are habitually turning out rubbish code these days should do themselves a favour and settle on one platform (for the server that is) - Linux, drop all other server platforms and try much harder to QA the product before releasing to customers. AD support seems like a seriously weird tangent to follow - the product has got much more serious, user-facing problems than that!!!!

    Simon (someone who has sadly grown totally sick of looking after GroupWise and wished it would just die soon rather than having a long dragged out death).
  • Zenworks (zcm) 10 is independent of eDir and AD. Why is GW not the same?
    That is far too slow.

    Make something like Riva, please; you don't have to wait.

  • GroupWise separating from Console1 and eDir was promised in the Bonsai (2008) release.

    Now we are being told it's two more releases away.

    Given Ascot won't be released until Christmas 2011 or New Year 2012 (it is in beta till Sept 2011), Windermere might not be out until late 2013 or 2014.

    That is way too slow.