Active Directory is the directory service included in the Windows 2000 Server
family. It presents a network in a precise and unique manner, allowing system
administrators to manage complex systems. It also allows objects to be searched
for and located on request, and permits communication between all of the
system's parts, including those outside the system's scope. In addition, it
supports security features and controls user access to network objects.
Active Directory makes the distinction between inside and outside the local
network (or domain) transparent, presenting an identical view of content
regardless of location. (A)
Directory Service:
A service that maintains the logical order in a network that
interconnects many sites and supports many users with countless network objects.
(A)
Directory: a container of information about objects: people, places, and
things. A directory gives users a logical view of these objects, but in a
form that makes the information searchable, useful and reusable.
(D)
DNS
Active Directory uses the organization and naming schemes of the Internet
to bring to the network the same hierarchical order that is used on the
Internet. The DNS function of Active Directory joins the external (the
Internet) with the internal (the local network) in a common naming scheme. It
does this by naming every object on the network and mapping each one's
relationship to the others (through domains).
It also serves as the network's road map, and because the network's map
emulates the structure of the business itself, Active Directory can be a
powerful tool for modeling and mapping the business itself.
Replication
Active Directory allows for replication between two domain controllers.
Usually, when installing a Windows 2000 Server OS, the first domain
controller created will be the primary domain controller. To keep a copy of
this domain controller's file system, replication of the server is
implemented.
Replication between a primary and a secondary domain controller allows
information to be replicated frequently and automatically.
The Evolution of the LDAP
The University of Michigan developed the Lightweight Directory Access Protocol (LDAP) in 1998. The
University wanted to free clients from the heavyweight Directory Access Protocol (DAP) used for X.500
directory access, so it placed an LDAP server between the client and the X.500 directory. The LDAP server
translated a directory request from an LDAP client on a TCP/IP network from the client's language into
that used by the X.500 directory, then sent the request on to an X.500 server. Today an LDAP server can
supply a complete LDAP directory running on a TCP/IP network without any X.500 directory behind it, so
LDAP is now a directory service and not just a protocol.
X.500:
The Directory System Agent (DSA), also known as X.500, is the database in which directory information is
stored. This database is hierarchical in form, allowing fast and accurate search and retrieval.
DAP:
The Directory Access Protocol is the protocol used in X.500 Directory Services to control
communications between the Directory User Agent (DUA) and the Directory System Agent (DSA). The DSA
represents the directory, and the DUA represents the program or the user.
What is DUA?
The Directory User Agent (DUA) provides functionality that can be implemented in different types of
interfaces, such as DUA clients, Web server gateways, or e-mail applications.
LDAP is the primary access method for Active Directory. LDAP combines routing and transport services in
a faster way than traditional network and transport layer protocols do. This is more effective when
transporting over high-speed lines such as fiber-optic cables.
LDAP is a subset of the X.500 protocol. This means that LDAP clients are smaller, faster and easier to
implement than X.500 clients. LDAP is vendor independent and works with, but does not require, an
X.500 directory. Unlike X.500, LDAP supports TCP/IP, which is needed for any Internet access. LDAP
is an open protocol, and applications are independent of the server platform hosting the directory.
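The LDAP-over-TCP/IP exchange described above, as an added example that is not part of the original paper or of any vendor's code: a minimal BER encoder and decoder for the LDAPv3 BindRequest (RFC 4511), the first message an LDAP client sends to a directory server. All function names and the sample bytes are constructed here; the decoder also reports when a simple bind carries a password, which is what a defender watching unencrypted port 389 traffic would want flagged.

```python
# Added example (not the paper's or any vendor's code): minimal BER encoding and
# decoding of an LDAPv3 BindRequest (RFC 4511), the first message a client sends.

def ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value triple."""
    return bytes([tag]) + ber_len(len(value)) + value

def bind_request(msg_id: int, dn: str = "", password: str = "") -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] } with simple auth.
    msg_id is kept below 128 so the INTEGER fits in one positive byte."""
    version = tlv(0x02, bytes([3]))        # INTEGER 3 (LDAPv3)
    name = tlv(0x04, dn.encode())          # LDAPDN as OCTET STRING ("" = anonymous)
    auth = tlv(0x80, password.encode())    # [0] simple: context-specific tag 0
    op = tlv(0x60, version + name + auth)  # APPLICATION 0, constructed
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + op)

def parse_bind(msg: bytes) -> dict:
    """Decode one LDAPMessage carrying a BindRequest (short-form lengths only)."""
    def read(buf: bytes, pos: int):
        tag, ln = buf[pos], buf[pos + 1]
        return tag, buf[pos + 2 : pos + 2 + ln], pos + 2 + ln
    tag, body, _ = read(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = read(body, 0)
    tag, op, _ = read(body, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, ver, pos = read(op, 0)
    _, name, pos = read(op, pos)
    atag, cred, _ = read(op, pos)
    return {
        "message_id": int.from_bytes(mid, "big"),
        "version": ver[0],
        "name": name.decode(),
        # A simple bind carries the password as plain octets, so a non-empty
        # credential seen in an unencrypted session is worth flagging in monitoring.
        "simple_plaintext_password": atag == 0x80 and len(cred) > 0,
    }

# Constructed sample: the well-known 14-byte anonymous LDAPv3 bind.
ANON_BIND = bytes.fromhex("300c020101600702010304008000")
```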
The Impact of LDAP
LDAP had a huge impact on the industry about six years ago. Back then, products worked in isolated
environments with their own data sets. When LDAP came along, it introduced an openness to the
industry. Not only did it affect X.500 and other directory products, it also affected applications
and operating systems, which now support at least an access protocol that facilitates data sharing.
Industry
Key Players
As server operating system technologies go, Active Directory, patterned
after Novell's NDS (NetWare Directory System), is the market leader of the
directory system world.
"Microsoft's Active Directory is the front-runner, but by no means the
contestant", reads the headline from a June article found at computer.com.
Other contenders are directory service products put out by Netscape,
Novell, and iPlanet.
Novell (NDS)
Novell created the enterprise networking market by implementing directory
services before Microsoft even knew what the term meant. And to its credit,
Novell ported its NDS product to NT two years before Microsoft began developing
its proprietary Active Directory product. With this in mind, you can see how
Novell's product could be inferior to AD, since it is based on older technologies
and standards.
Novell offers a different security and management model than AD, and if you are
accustomed to the metadata level of user/group-member management with Novell
solutions, you may not want to switch over from eDirectory to AD. You will not be
able to deploy AD in your NDS infrastructure (or any other non-Windows system).
NDS is geared towards tighter security control and fuller management. When you
want to deny access to a group when using NDS, you don't have to branch out a new
tree; you just create a filter.
With NDS the user gets the benefit of Exchange Server directory services without
logging on to the Exchange host NT server itself; Active Directory cannot do
this.
NDS includes automatic and completely transitive trust, as does AD. But in
order to keep Access Control Lists (ACLs) updated, NDS uses dynamic inheritance,
while AD makes use of static inheritance. This difference plays a huge role in
the amount of data created for each object.
Where there is replication there is a transport method. NDS uses a proprietary
transport method that requires new ports to be opened in firewalls to let
replication traffic through, whereas AD uses SMTP and RPC (Remote Procedure
Call), which allows AD to e-mail updates to another server.
Netscape (Directory Service)
Netscape's Directory Service was the first to commercially implement the
Lightweight Directory Access Protocol (LDAP) standard. This standard specifies
how to communicate with directory-service databases to add, change, or request
resource information. Although Netscape doesn't call Directory Server a
metadirectory product, you can set up a limited metadirectory for NT networks
running Netscape Internet and intranet services.
Variations in Product and Service
While it is no small task to deploy any directory system, Microsoft boasts
that it is the most user friendly of the bunch, it also appears to be the
best investment choice for medium size companies that are expecting to
expand or grow in the short run. "Novell and Netscape's directory-service
applications are third-party solutions to integrate directory services
across various network operating systems. They create a directory
management foundation for heterogeneous networks while Microsoft is the
first to bind directory services with a network operating system." As long
as there are NetWare and Unix systems at the core of enterprise
networking, these third-party solutions will maintain their position.
Solutions & Resolutions
The key players in helping resolve issues regarding directory service are the
consumers who correspond with the manufacturers of the products, as they detect
flaws or bugs within the software.
As stated earlier, Microsoft is the leader, and it possesses the resources
to research this product and develop it. Microsoft's integration of
Active Directory with the Windows 2000 operating system, and the growth of
Windows networking overall, will be enough to give Active Directory the
lead role in the number of installed AD servers over the next couple of
years. Cisco is trying to get Active Directory ported to Sun's Solaris
operating system. If this is achieved, then the Unix Active Directory
will penetrate the market for directory services in growing numbers, both
because of Cisco's presence in most Internet-connected enterprises
and because of the need to integrate network solutions. These are expected
to be new deployments rather than replacements for existing directory
services.
Outlook
Where do we go from here?
With so many directory services available, how does a company choose one
that is best for its business? The first question that needs to be
addressed is whether the upgrade is necessary for business functions. When
asking that question it is important to anticipate the future needs of the
business. Active Directory is good for large-scale corporations that NT
could not satisfy, as well as for small businesses. It is important to develop
a planning and implementation scheme for Active Directory once it has been
chosen. If this is not done, administrators may find that the upgrade from
NT to Win2K is a painful transition.
Netware has the advantage of being on the market already and Netscape was
the first to implement the latest version of LDAP. These companies have
sustained considerable market share, but that may simply be due to the
unavailability of Active Directory. According to International Data
Corporation (IDC), one in five Netware users will replace their server in
the next year and 85 percent of these users will choose Win2K as a
replacement. It seems that Microsoft will corner this market as well.
The Future of LDAP
In July of 1999 the Directory Interoperability Forum (DIF) merged various
directory services into a standard based on LDAP. Microsoft has
incorporated these standards into Active Directory.
DIF has launched its second integration of standards for LDAP, WWL2.
"Open Brand for LDAP 2000 requires specific conformity for server products,
and the directory servers that meet that criteria gain the right to carry
the LDAP 2000 brand logo. WWL2 goes beyond LDAP 2000 standards and
certifies applications that will work with any Open Brand for LDAP 2000
server" (Kearns 2001). This application certification will ease the minds
of network managers. Products that carry the label will be more
marketable. Will Microsoft seek the certification of WWL2? Our
prediction is that yes, Microsoft will incorporate the requirements
into its applications if the market demands it.
It seems that with the new release of LDAP 3 and the implementation of
standards for the protocol, the technology will be around for a while.
There are no significant competitors in the directory protocol arena, and
the definition of standards will deter any from coming along until a real
need is identified. Active Directory has been in the works for several
years and is about to become available to businesses. Microsoft retains
the majority of the operating system market and will continue to do
so. The release of Active Directory will reinforce this position and
perhaps increase market share. NT was less than desirable for large
corporations, and Active Directory resolves this problem, making a new
market sector available.
Bibliography
Aspinwall, Jim. "Who Will Be Your Directory Services?" ComputerUser. http://www.computeruser.com
Chowdhury, Pankaj. "Windows NT Guide (Replication)." ZDNet. http://www.zdnet.com
Kearns, Dave. "Has Active Directory Won the War?" Network World Fusion. http://www.nwfusion.com/
Kearns, Dave. "Announcing Recipients of LDAP 2000 Standard." Network World Fusion. http://www.nwfusion.com/
Goodman, David, and Colin Robbins. "LDAP: Moving Forward." Nexor. http://www.nexor.com
Network Computing. "Network Design Manual, Directory Services: The Active Directory." http://www.networkcomputing.com
Madden, Finnel, Sheldon, Wilansky. MCSE Training Kit: Windows 2000 Server.
Microsoft. "Microsoft Windows Active Directory: An Introduction to the Next Generation Directory Services." http://msdn.microsoft.com/
Microsoft Product Support Services. "Introduction to Lightweight Directory Access Protocol." http://support.Microsoft.com
Sosinsky, Barrie. "Novell's Window of Opportunity." Windows 2000 Magazine. http://www.win2000mag.com/
Windows 2000 Magazine. "Directory Services Heats Up." http://www.win2000mag.com/
Zhou, Tao. "The Evolution of LDAP." Windows 2000 Magazine. http://www.winntmag.com