Presentation on theme: "Differences Windows Active Directory and Novell Directory Services"— Presentation transcript:
1 Differences Windows Active Directory and Novell Directory Services
Donnie Hamlett, Technology Specialist, Microsoft – New York
2 Agenda
Introduction
X.500 Directories, History and Terminology
X.500 Implemented with AD and NDS
Objects
Networking and Services
LDAP
Directory Design and Partitioning the Directory
Programming
Summary
3 Introduction
The purpose of this session is to get a thorough understanding of the basic differences between Windows 2000 Active Directory (AD) and Novell NDS.
4 X.500 History
X.500 is the standard produced by the ISO/ITU defining the protocols and information model for a directory service that is independent of computing application and network platform.
X.509 Authentication Framework is a series of standards that describes the use of digital certificates and PKI.
X.525 Replication.
First released in 1988 and updated in 1993 and 1997.
The X.500 standard defines a specification for a rich, distributed directory based on hierarchically named information objects (directory entries) that users can browse and search.
X.500 – glorified, very logical, electronic yellow pages for X.400 messaging systems.
5 X.500 Fundamentals
DIB – Directory Information Base: the actual database(s) that store(s) the entries in the directory service.
DIT – Directory Information Tree: dictated by the database schema to present a hierarchical tree of objects.
(Diagram: DIT layered over the DIB)
6 X.500 Schema
Design of the directory store. Defines objects, attributes, and system information.
Object Classes:
Define the kinds of objects that can be instantiated in the directory
Define the rules for an object
Define the attributes that are intended for the object
(Diagram: DIB containing Objects, which contain Attributes)
7 X.500 Objects
Objects: specific entries in the directory store; are comprised of attributes.
Attributes: describe certain aspects of the object.
Example – USER OBJECT attributes: First Name, Last Name, Phone Number, Address.
8 X.500 Directory Services
DSA – Directory System Agent: the actual process client applications bind to in order to search the directory. Utilizes DSP – Directory System Protocol.
DUA – Directory User Agent: client process that binds to a DSA to retrieve information from the directory. Utilizes the Directory Access Protocol.
Access Protocols:
DAP – Directory Access Protocol
LDAP – Lightweight Directory Access Protocol, developed because DAP is bulky and didn't lend itself to the Internet.
(Diagram: DUA reaching a DSA over DAP or LDAP)
9 X.500 Directory Services – Hierarchy
Representation of data in the directory; easier to use than flat systems. Defined in X.500.
Naming attributes, from the Root down:
DC – Domain Component
C – Country
L – Locality
O – Organization
OU – Organizational Unit
CN – Common Name
Distinguished Name: defines the name and location in the DIT, e.g. O=US, O=Microsoft, OU=Development, CN=Thomas
Relative Distinguished Name: uses a reference point; a partial name.
10 X.500 Implemented with AD and NDS
No one used the full set of X.500 definitions to design their directory service. Everyone has their own proprietary take on how X.500 is implemented.
11 Differences – X.500 Names
Both Novell and AD use X.500 name schemes but they do not implement all of them.
Active Directory: DC, OU, CN
Novell Directory Services: C, O, OU, CN
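As an added illustration (not part of the presentation), a small Python parser for the X.500 distinguished names shown on these slides: it splits a DN into RDNs, checks the DN against the naming types each directory is listed as implementing (DC/OU/CN for Active Directory, C/O/OU/CN for NDS), and maps a DNS domain name into the DC components Active Directory names a domain with. The slide writes DNs root-first, and the parser keeps that order.

```python
"""Parse X.500 distinguished names and check them against the naming types
each directory implements. Added example, not code from the presentation."""
from typing import List, Tuple

# Naming attribute types each directory implements, as listed on the slide.
AD_NAMING = frozenset({"DC", "OU", "CN"})
NDS_NAMING = frozenset({"C", "O", "OU", "CN"})
SUPPORTED = (("Active Directory", AD_NAMING), ("NDS", NDS_NAMING))


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'O=US, O=Microsoft, OU=Development, CN=Thomas' into (type, value)
    pairs. A backslash escapes the next character, so 'CN=Smith\\, John' keeps
    its comma. The slide writes DNs root-first and that order is preserved, so
    the last pair is the entry's own RDN (RFC 4514 string DNs are leaf-first)."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    rdns = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr_type, value = part.split("=", 1)
        rdns.append((attr_type.strip().upper(), value.strip()))
    return rdns


def format_dn(rdns: List[Tuple[str, str]]) -> str:
    """Inverse of parse_dn; re-escapes commas inside values."""
    out = []
    for attr_type, value in rdns:
        escaped = value.replace(",", "\\,")
        out.append(f"{attr_type}={escaped}")
    return ", ".join(out)


def rdn(dn: str) -> str:
    """Relative Distinguished Name: the entry's own component (last, root-first)."""
    return format_dn(parse_dn(dn)[-1:])


def parent_dn(dn: str) -> str:
    """DN of the container the entry sits in (the reference point for its RDN)."""
    return format_dn(parse_dn(dn)[:-1])


def naming_types(dn: str) -> frozenset:
    return frozenset(attr_type for attr_type, _ in parse_dn(dn))


def supported_by(dn: str) -> List[str]:
    """Directories whose implemented X.500 naming types cover every type in the DN."""
    used = naming_types(dn)
    return [name for name, types in SUPPORTED if used <= types]


def dns_to_dc(domain: str) -> str:
    """Active Directory names a domain by its DNS name: asia.acme.com becomes
    DC=asia,DC=acme,DC=com (leaf-first, as AD itself writes it)."""
    return ",".join(f"DC={label}" for label in domain.strip(".").split("."))
```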
12 Differences – Objects
Windows – Static Inheritance:
More weight on the directory at creation; write intensive
All ACEs are contained within the object
Larger objects increase the size of the DIB
Rights controlled by groups
Novell – Dynamic Inheritance:
When the object is called you must aggregate its rights by walking the tree
More weight on the directory when read
Rights controlled by OUs (also groups)
Must tree walk – this can go across the WAN – bad
13 Object Access
Access to directory objects is controlled via Access Control Lists (ACLs).
Fine granularity is provided by Access Control Entries (ACEs) that apply to specific attributes.
(Diagram: Directory Object → ACL → ACEs; example ACE "Sales Managers read access"; ACEs can apply to specific attributes)
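Added example (not from the presentation): a Python model of the two inheritance strategies from slide 12 applied to the attribute-level ACEs on this slide. "Static" copies inherited ACEs into each object when it is created, "dynamic" aggregates them by walking up the tree at read time; the tree, the "Sales Managers" ACE and the read/write counters are constructed for illustration.

```python
"""Static vs. dynamic ACL inheritance with attribute-level ACEs.
Added example; the tree, trustees and counters are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Ace:
    trustee: str                      # group (or, in the NDS model, OU) granted the right
    right: str                        # "read" or "write"
    attribute: Optional[str] = None   # None applies to the whole object


@dataclass
class Entry:
    name: str
    parent: Optional["Entry"]
    own_aces: List[Ace]                                  # ACEs set directly on this entry
    stored_acl: List[Ace] = field(default_factory=list)  # static model: full ACL kept in the object
    children: List["Entry"] = field(default_factory=list)


class Directory:
    def __init__(self, static: bool) -> None:
        self.static = static
        self.writes = 0               # directory writes performed (the "weight" the slide mentions)

    def create(self, name: str, parent: Optional[Entry], aces: Iterable[Ace]) -> Entry:
        entry = Entry(name, parent, list(aces))
        if parent is not None:
            parent.children.append(entry)
        if self.static:
            # Static inheritance: copy the parent's complete ACL into the new object now.
            inherited = parent.stored_acl if parent is not None else []
            entry.stored_acl = entry.own_aces + list(inherited)
        self.writes += 1
        return entry

    def effective_acl(self, entry: Entry) -> Tuple[List[Ace], int]:
        """Return (ACEs in force, entries read). Dynamic inheritance walks to the root."""
        if self.static:
            return list(entry.stored_acl), 1
        acl, visited, node = [], 0, entry
        while node is not None:       # tree walk; in NDS this may cross the WAN
            acl.extend(node.own_aces)
            visited += 1
            node = node.parent
        return acl, visited

    def grant(self, container: Entry, ace: Ace) -> int:
        """Add an ACE to a container; returns the number of objects rewritten."""
        container.own_aces.append(ace)
        before = self.writes
        if self.static:
            self._rebuild(container)  # every descendant's stored ACL must be rewritten
        else:
            self.writes += 1          # one write; readers pick it up on their next walk
        return self.writes - before

    def _rebuild(self, entry: Entry) -> None:
        inherited = entry.parent.stored_acl if entry.parent is not None else []
        entry.stored_acl = entry.own_aces + list(inherited)
        self.writes += 1
        for child in entry.children:
            self._rebuild(child)


def allowed(acl: List[Ace], memberships: Set[str], right: str, attribute: str) -> bool:
    """An ACE matches if the caller holds its trustee, the right matches and the ACE
    is either object-wide or scoped to exactly this attribute."""
    return any(a.trustee in memberships and a.right == right
               and a.attribute in (None, attribute) for a in acl)


def build(static: bool) -> Tuple[Directory, Entry, Entry, Entry]:
    d = Directory(static)
    org = d.create("O=Acme", None, [Ace("Admins", "write")])
    sales = d.create("OU=Sales", org, [Ace("Sales Managers", "read", "phone")])
    bob = d.create("CN=Bob", sales, [Ace("Bob", "write", "phone")])
    return d, org, sales, bob


def check(static: bool, memberships: Set[str], right: str, attribute: str) -> Tuple[bool, int]:
    """Access decision for CN=Bob plus how many entries had to be read to make it."""
    d, _, _, bob = build(static)
    acl, visited = d.effective_acl(bob)
    return allowed(acl, memberships, right, attribute), visited


def grant_cost(static: bool) -> int:
    """Objects rewritten when HR is given read access to 'address' at the organisation."""
    d, org, _, _ = build(static)
    return d.grant(org, Ace("HR", "read", "address"))
```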
14 Global Data Availability – Catalogs
(Diagram: Windows 2000 Forest with acme.com, xyx.com, asia.acme.com and europe.acme.com; Global Catalog replicas marked)
Active Directory Catalogs:
Enable efficient cross-domain data sharing
Use the same set-up tools as replicas
Use the same replication mechanisms and the same interval as domain replicas
Enforce object and attribute level security
Slide Objective: Compare AD catalog services with NDS catalog services.
In addition to the WAN and replication aspects of Global Data Availability are catalogs. Since it is not always practical to store all possible objects in a single partition, both NDS and Active Directory have provided global catalog functionality in their directory services. Catalogs gather, store and organize a subset of the information about all directory objects in the organization that may be of interest throughout the company (like employee names and phone numbers). Catalogs are useful in customer scenarios where wide area networking may make replication traffic prohibitively slow (for example across oceans between the USA and Europe) or when multiple partitions are required to support a highly decentralized organizational structure.
Active Directory provides a mechanism called the "Global Catalog" to allow administrators to build a specialized directory containing a subset of object attributes that are of company-wide interest beyond a single domain. Catalogs are set up by assigning a GC to individual domain controllers and specifying which object attributes will appear and be replicated in the global catalog using the Schema Manager snap-in. When changes are made to objects, those changes are propagated automatically using the same replication technologies used within a domain. As a result of this shared replication technology:
GCs require no special set-up and configuration is easy.
GCs are updated simultaneously with the directory to ensure that catalogs are consistent with the directory.
GCs enforce the same object and attribute level security settings as exist in the directory.
15 Global Data Availability – Catalogs
(Diagram: NDS tree with San Diego, Chicago and Boston partitions, each rebuilt by a "Dredger")
NDS Catalogs:
Are based on periodic "dredging"
Occur only at scheduled 1–7 day intervals
Users are granted/denied access to the entire catalog – no attribute/object-level security
Are being completely redesigned...
Slide Objective: Compare AD catalog services with NDS catalog services.
While Active Directory catalogs are tightly integrated with domain replication technologies, simplifying set-up and administration and maintaining the same security settings while not experiencing any latency between replicas and GCs, NDS has a very different approach.
Unlike NDS itself, NDS catalogs are not incrementally updated, but are entirely rebuilt from scratch every 1–7 days using a process known as the "dredger", which reconstructs the catalog from scratch and strips all security settings from the objects and attributes that are stored in the catalog – meaning that catalog users either have access to the entire contents of the catalog or they don't.
Microsoft believes Novell's catalog approach has several weaknesses in facilitating global data availability within the enterprise:
Because of the time required to dredge every partition individually, Novell recommends that catalogs only be rebuilt periodically (default is 24 hours). This means that catalogs are likely to be out of date with the underlying objects in their partitions.
Objects that are dredged lose their access control properties. Because a lot of the value of directories resides in the ability to present only a limited view of directory object information to the people who need to see it, customers will tend to put only information in the catalog that they feel comfortable having all people see, making the catalog less useful.
To address this lack of attribute-level access control settings, Novell does allow you to construct multiple different catalog views for different sets of users, but this requires duplicated effort in set-up and administration and substantially increases catalog dredging time.
Finally, it is important to note that Novell has been in the process of reevaluating its entire catalog architecture and may decide to redesign catalogs entirely.
16 Differences – Networking and Services
Active Directory:
Based on TCP/IP
DNS Server Resource Records (MX-Record)
LDAP for internal searches; each object has a unique GUID (example on following page)
All Domain Controllers are native LDAP servers
Integrates with DNS
NDS:
Originally based on IPX/SPX, with the Service Advertising Protocol (SAP) to advertise services
Implemented in TCP/IP with the Service Location Protocol (SLP), also advertisement based
SLP does not integrate with DNS; proprietary
When implemented together, reduces network performance because routers must support RIP that allows for both the SLP and SAP protocols
Not a native LDAP server – it has an LDAP interface that translates LDAP requests to the native NDAP protocol
17 Active Directory Global Namespace = DNS + LDAP Directories
(Diagram: DNS tree edu / com → stanford, microsoft, aVendor; containers students, courses, music; Domain: microsoft.com with users Vera Kark, MargretJ, sarahj, thorj; Domain: aVendor.com; Domain: stanford.edu)
18 Internet Standards Support – LDAP: Active Directory vs. NDS – LDAP Search
(Chart: LDAP search throughput, Active Directory vs. NDS; higher is better)
Slide Objective: Show LDAP performance of Active Directory as compared to Novell NDS.
The next Internet Standard of general importance is LDAP. Now both Active Directory and the most recent version of NDS support LDAP v3, but each directory supports it in different ways.
Microsoft designed Active Directory, from the ground up, as a native LDAP server, meaning that LDAP-based requests are processed natively and without translation against the Active Directory data store. In addition, all of Active Directory's services are published via LDAP for ease of interoperation with other LDAP-based applications. For example, even schema management, change history, and query scoping are published through LDAP.
In contrast, NDS is not a native LDAP server, and LDAP queries made against NDS must be translated to Unicode and then re-translated back into LDAP for every LDAP request. This dramatically slows LDAP query performance, as illustrated on this graph.
On a single-processor server, Windows 2000 Server provides more than twice the number of LDAP queries per second. More important, Active Directory performance scales on SMP servers. On a 4-way server, Windows 2000 Server provides more than 6 times the number of LDAP queries per second when compared to Novell's NDS. This means that customers can deploy fewer Active Directory servers to service LDAP queries, thus lowering equipment costs and management overhead.
In addition to LDAP performance, not all NDS services are published through LDAP, meaning that:
Differences in LDAP and NDS data forms may inhibit 1:1 mapping of class and attribute data
Multiple access methods must be implemented in NDS since schema management through LDAP controls is not provided
Enabling access to NDS namespaces containing multiple partitions requires companies to either expose their applications to the performance limitations of tree-walking or deal with catalogs that may be out of date
Test and Configuration Information:
1 million object database (500K users, 500K contact objects)
All data in memory
Indexed base query for given name of a user
Xeon 400 MHz with 4 GB RAM
Note: Novell has performed 2 different LDAP tests, also at Key Labs, which indicate that NDS is the faster directory. However, Novell's tests are peripheral tests which do not reflect common or a large number of usage scenarios, as have been demonstrated with Active Directory. Please see the following market bulletins for more detailed information:
                                   NDS          Active Directory
LDAP Requests Processed            Translated   Natively
Services Published through LDAP    Limited      All
Active Directory is a faster & more interoperable LDAP server.
19 Differences – Design: Active Directory
Partition the directory by Domain
Different administrative view (Domain) and replication view (Site)
Replication occurs via Sites (IP subnets of good connectivity)
A server can only host one Domain partition
Multi-master replication
Uses Update Sequence Numbers to prevent corruption
Replication is controlled and easy to configure
A Domain can efficiently span multiple sites
20 Replication
What is replicated? Only changes are replicated:
Directory Information
Configuration
Schema
There are two forms of replication:
Intrasite Replication
Intersite Replication
Knowledge Consistency Checker: automatically configures and checks the topology for the most efficient replication
Tools: Sites and Services MMC snap-in; Replmon
21 Sites
A Site separates the network's physical topology from Active Directory's logical view of the network
A Site is an area of "good connectivity"
A Site is a collection of subnets
All directory replication is controlled via Sites
A Site can be composed of multiple Domains
Clients discover their site based on the subnet mask received from DHCP (or hand-configured)
Basis for locality-based resource discovery
22 Intrasite Replication
Automatically configured for you
Replication occurs whenever there is a directory change or at an interval of ~7 minutes
Not compressed
Not easily controllable
26 Site Links
Represents the priority of replication traffic between the sites identified in the Site Link
Higher cost numbers represent lower priority replication paths
Control topology by setting the costs on Site Links
Control the replication frequency by setting the number of minutes between replication attempts
Control link availability using the schedule on Site Links
Can link multiple sites to create a controlled path of replication called a Site Link Bridge
27 Site Links and Bridges
(Diagram: Site X – Site Link XY – Site Y – Site Link YZ – Site Z; Site Link Bridge XYZ spanning both links)
28 Architecture – Replication
Based on Update Sequence Numbers
Local USN advanced by any write
Each replica knows the last USN obtained from each partner
Replication is per property
Property versioning for collision detection and resolution
Propagation dampening via "up-to-date" vectors
Uses RPC or messaging
Replication units: Domains (in NT 5.0)
Not time based
Each server has a local, monotonically increasing Update Sequence Number (USN)
Any write increments and stores the current USN in the object and property written
Deletions leave tombstones
Properties are versioned for collision detection
A DC maintains the last USN sent by each partner DC
Requests objects with USN greater than the saved USN (pull replication)
Property versions maintain consistency
Time is used only for arbitration in property update collisions
Per-property replication makes collisions extremely rare
Forward optimization: do not transmit changes that have reached the target via another path
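As an added example (not from the presentation or Microsoft's implementation), a Python simulation of the replication mechanics listed above: each DC keeps a local USN, a per-partner watermark, per-property version stamps, tombstones and an up-to-date vector, and pull_from() applies a partner's changes with version-based collision resolution and propagation dampening. The three-DC scenario and all names are constructed for illustration.

```python
"""USN-based, per-property pull replication with property versions, tombstones
and up-to-date vectors. Added example, not Microsoft code; the DC model and
the three-DC scenario are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Stamp:
    version: int      # property version; only an originating write increments it
    time: int         # originating timestamp; used only to break version ties
    origin_dc: str    # DC where the write originated
    origin_usn: int   # USN that DC assigned to the originating write

@dataclass
class Change:
    local_usn: int          # USN this DC assigned when it stored the value
    obj: str
    prop: Optional[str]     # None marks a tombstone (object deletion)
    value: Optional[str]
    stamp: Stamp

class DC:
    def __init__(self, name: str) -> None:
        self.name = name
        self.usn = 0                          # local, monotonically increasing USN
        self.objects: Dict[str, Dict[str, Tuple[Optional[str], Stamp]]] = {}
        self.tombstones: Dict[str, Stamp] = {}
        self.log: List[Change] = []           # every stored change, in local USN order
        self.utd: Dict[str, int] = {}         # up-to-date vector: origin DC -> highest origin USN seen
        self.watermark: Dict[str, int] = {}   # last partner-local USN pulled from each partner

    def _mark(self, st: Stamp) -> None:
        self.utd[st.origin_dc] = max(self.utd.get(st.origin_dc, 0), st.origin_usn)

    def _store(self, obj: str, prop: Optional[str], value: Optional[str], st: Stamp) -> None:
        self.usn += 1                         # any write advances the local USN
        if prop is None:
            self.tombstones[obj] = st         # deletions leave tombstones
            self.objects.pop(obj, None)
        else:
            self.objects.setdefault(obj, {})[prop] = (value, st)
        self.log.append(Change(self.usn, obj, prop, value, st))
        self._mark(st)

    def write(self, obj: str, prop: str, value: str, time: int) -> None:
        """Originating write: bumps the property version, stamped with this DC's next USN."""
        current = self.objects.get(obj, {}).get(prop)
        version = current[1].version + 1 if current else 1
        self._store(obj, prop, value, Stamp(version, time, self.name, self.usn + 1))

    def delete(self, obj: str, time: int) -> None:
        self._store(obj, None, None, Stamp(1, time, self.name, self.usn + 1))

    def get(self, obj: str, prop: str) -> Optional[str]:
        return self.objects.get(obj, {}).get(prop, (None, None))[0]

    def pull_from(self, partner: "DC") -> Tuple[int, int]:
        """Pull replication: take the partner's changes above our saved watermark.
        Returns (applied, dampened); dampened changes had already arrived via
        another path, which the up-to-date vector shows."""
        applied = dampened = 0
        for ch in partner.log:
            if ch.local_usn <= self.watermark.get(partner.name, 0):
                continue                      # fetched in an earlier cycle
            st = ch.stamp
            if self.utd.get(st.origin_dc, 0) >= st.origin_usn:
                dampened += 1
                continue
            if ch.prop is None:               # a tombstone replicates like any change
                self._store(ch.obj, None, None, st)
                applied += 1
                continue
            if ch.obj in self.tombstones:     # deleted objects stay deleted
                self._mark(st)
                continue
            current = self.objects.get(ch.obj, {}).get(ch.prop)
            if current is not None:           # collision: higher version wins, time breaks ties
                if (current[1].version, current[1].time) >= (st.version, st.time):
                    self._mark(st)
                    continue
            self._store(ch.obj, ch.prop, ch.value, st)
            applied += 1
        self.watermark[partner.name] = partner.usn
        return applied, dampened

def scenario() -> dict:
    """Three DCs replicating one object; returns what each step observed."""
    a, b, c = DC("A"), DC("B"), DC("C")
    a.write("CN=Bob", "phone", "111", time=1)
    r1, r2 = b.pull_from(a), c.pull_from(a)
    r3 = c.pull_from(b)                       # B's copy of A's write is dampened at C
    a.write("CN=Bob", "phone", "222", time=5) # concurrent edits of one property:
    b.write("CN=Bob", "phone", "333", time=6) # both reach version 2, so time arbitrates
    r4, r5 = a.pull_from(b), b.pull_from(a)
    phones = (a.get("CN=Bob", "phone"), b.get("CN=Bob", "phone"))
    a.delete("CN=Bob", time=7)
    r6 = c.pull_from(a)                       # C catches up, ending with the tombstone
    return {"r1": r1, "r2": r2, "r3": r3, "r4": r4, "r5": r5, "r6": r6, "phones": phones,
            "c_deleted": "CN=Bob" in c.tombstones and c.get("CN=Bob", "phone") is None}
```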
31 Sites and the AD
(Diagram: Site Seattle, Site Redmond and Site Paris; domains Microsoft, Sales, HR, MSNA and Europe, with domain controllers MSHQ1–3, Sales1–3, HR1–2, MSNA1–2 and EURO1–2 distributed across the three sites)
32 Operation Masters
These roles are:
Recoverable – Recovery Console
Transferable – Command Line
These are the following roles:
RID Master – one per domain, controls relative IDs
PDC Emulator – one per domain, allows password updates and backwards compatibility with NT 4.0 BDCs
Infrastructure Master – one per domain, updates group and user information when changes are made
Schema Master – one per forest, controls schema updates
Domain Naming Master – one per forest, controls all additions and removals of domains
33 Differences – Design: NDS
Partition the directory by OU
OUs are tied to physical locations
Multi-master replication
A server can host multiple partitions
Replication occurs via time stamps
Replication is very difficult to configure and is not controllable
It is not recommended to have OUs span physical boundaries
34 Global Data Availability – Searches
(Diagram: Windows 2000 Domain with AD replicas in Boston, San Diego and Chicago; a query "Find: 'All Bobs'" answered locally; replication between sites)
Slide Objective: Show differences in AD and NDS WAN replication technologies and the impact on performing directory searches.
The first aspect of facilitating global data availability throughout the enterprise is "Searches". In an enterprise directory environment searches are performed frequently to collect information stored in the directory about users, machines and network resources.
In Active Directory a full and complete copy, or "replica", of the entire Active Directory database for a given domain is located at every site, in this example San Diego, Chicago, and Boston, wherever there is a domain controller. Each replica is a fully writeable copy so that changes to the directory can be made in any location with a domain controller. This is known as a multi-master directory model. The directory replicas are kept in sync through periodic replication, where only the attribute changes made to each local replica are propagated to all other sites. As a result all sites contain a full replica of the entire directory which can be searched locally, so that searches do not need to cross WAN links to obtain a complete result set. This architectural design improves read performance and provides redundancy in the event that a WAN link is lost.
[Advance Slide Build]
A simple example of this is shown above, where a San Diego user submits a query "looking for all Bobs" against the local Active Directory replica. Instead of crossing to the Chicago and Boston sites to collect this information, the result set can be completely assembled just by querying the local copy of the directory. These types of searches are very common in enterprises and could just as easily have been done for such searches as "Find all color printers", "Find all Marketing Groups" or "Find all users with this phone number".
Active Directory:
Partitions map to Windows 2000 domains
Partitions can span many sites and WAN links
Optimizes replication automatically between sites and over slow network links
Impact: Faster and more complete searches
35 Global Data Availability – Searches
(Diagram: NDS tree with separate San Diego, Chicago and Boston partitions, each on its own NDS server; "Find: 'All Bobs'" must cross the WAN to each partition before the answer is assembled)
Slide Objective: Show differences in AD and NDS WAN replication technologies and the impact on performing directory searches.
NDS is designed differently. In NDS, Novell recommends that partitions do not span WAN links. Therefore each site is its own partition and boundary for replication. Therefore, information about other partitions is not stored locally and the scope of replication is limited to sites.
As a result, cross-location searches like the one illustrated before must tree walk across WAN links every time a query is made against the NDS directory. Using the same example, a search for "Find all Bobs" will have to cross a WAN at least four times for the query and the result for each partition.
[Advance Slide Build]
This is less than ideal since query results must span WAN links, which consume bandwidth and take more time to complete. In addition, if just one of the WAN links was down at the time of the search, the result set from the query could be incomplete and would not include the information stored on a given partition, making searches in NDS potentially incomplete.
So why do Active Directory and NDS differ so much in how they perform searches? Mostly it's a result of the way Active Directory and NDS perform replication.
NDS Version 8:
Partitions cannot span WAN links... easily
Replication does not occur on an inter-site basis
Cross-location searches must "tree walk"
Impact: Slower and less complete searches; more network traffic
36 Global Data Availability – Replication
(Diagram: NDS – Site 1 and Site 2 connected over a WAN, every replica linked to every other; Active Directory – Site 1 and Site 2 over a WAN with a single bridgehead connection. Legend: R = Replica, B = Bridgehead Server, line = Connection)
Slide Objective: Show the greater complexity and higher cost of NDS WAN replication and why Novell recommends against partitions that span WANs.
In NDS, Novell recommends that partitions not span WAN links because cross-site replication occurs so inefficiently. For example, in the case where there are just 2 sites with 5 replica servers in each site, NDS would create a one-way point-to-point replication session between each pair of servers, or 90 connections in total. While connections within a site are not expensive due to the speed of LAN-based networking, there will be 25 connections that cross the WAN between the sites. Since WAN links are often slower, less reliable and more expensive, this is a costly replication mechanism. This situation only becomes more complex as additional sites are added. For example, just adding a third site with 5 replicas would increase the number of WAN connections from 25 to 75.
[Advance Slide Build]
In contrast, Active Directory's design is more efficient with regard to both replication and WAN bandwidth usage. Using the same two-site, 5 replicas/site example, Active Directory only requires 13 connections, rather than 90, and only a single WAN connection, rather than 25. This is due to Active Directory's use of the Knowledge Consistency Checker (or KCC), which automatically analyzes the network topology and configures inter-site bridgehead servers. This ensures that a single replication event will be sent across the WAN only once. Further, Active Directory uses a spanning tree algorithm to reduce the number of connections required within a site, supports replication scheduling to minimize the usage of WANs, and automatically compresses all data sent across a WAN link by a factor of 8–10 times.
Note: Now, using Novell's WAN Manager technology, administrators can hand-configure replication topologies to simulate bridgehead and spanning tree behavior, but:
Routing tables must be maintained manually on each replica server
There is no data compression
Only rudimentary replication scheduling services
Because of these reasons, WAN Manager is not widely used in practice by NDS administrators, and Novell recommends that partitions not be configured to span WAN links for this reason alone.
NDS: 90 connections; 25 WAN crossings
Active Directory: 13 connections; 1 WAN crossing
37 Internet Standards Support – PKI
(Diagram: Windows 2000 with Kerberos authentication, authorization, file system, smart card, X.509/PKI certificates and Active Directory)
Active Directory Advantages:
Better PKI management: integrated key recovery mechanism and revocable certificates; web-based access and management; integrated client-side distribution of keys
Comprehensive OS integration (IIS, EFS, IPSec)
Application integration (CryptoAPI)
Slide Objective: Show better PKI management and integration with Active Directory as compared to Novell NDS.
The final component of Internet Standard support is support for PKI technologies. Microsoft believes that public key technologies will form the basis for the majority of security infrastructures deployed over the Internet. Uses range from simplifying Virtual Private Networking within a company to enabling secure transactions in business-to-consumer e-commerce scenarios. Because directory services are an integral part of making public key technologies easy to use and manage, it is important to evaluate the degree of integration between a given directory service and the Internet security technologies that a company plans to use.
Microsoft believes there are 3 key areas in which the PKI technologies of Windows 2000 are superior to Novell's PKI offering:
Management. Windows 2000 PKI provides for:
Integrated key recovery mechanisms. Novell's PKI does not support tools for the recovery, archival or escrow of encryption keys.
Revocable certificates. Novell's PKI does not provide a mechanism for revoking certificates once issued – for example, there is no way in NDS to disable a certificate issued to a fired employee.
Web-based access and management. There is no way to access Novell's PKI through a web browser as an admin or user.
Client-side distribution. The PKI in Windows 2000 is integrated to automatically distribute root keys to clients. Novell's PKI is not integrated with ZENworks to distribute keys – this means that every user needs to manually request, download and manage certificates using a ConsoleOne client.
Operating System Integration. Windows 2000 PKI is integrated into core operating system functions such as EFS, the IIS web server, IE and IPSec support, and provides a platform for smartcard ISVs. Novell's PKI lacks comprehensive integration with its NetWare operating system, or any other OS. Further, Novell's PKI is layered onto NDS and is not integrated with its core authorization and authentication functions.
Application Integration. Microsoft provides a comprehensive API called CryptoAPI that enables ISVs and customers to PKI-enable their applications. In contrast, NDS does not provide a similar API to enable ISV or customer applications with PKI services.
In summary, both Novell and Microsoft directories support PKI, but as we've seen with other Internet standard support areas, it's the degree and extent of integration and management tools that most distinguish the two directory services.
38 Internet Standards Support – Summary
Active Directory:
Native LDAP server
Full namespace integration with DNS
Integrated support for PKI technologies
NDS:
LDAP requests are translated
No namespace integration with DNS
Limited integration with PKI
On the second of the four key directory solution requirements for customers, Internet Standards support, Microsoft delivers a directory that best integrates with and leverages the three key Internet standards. Active Directory provides:
A native LDAP server that publishes all of its services through LDAP for faster performance and simplified integration with other LDAP services. NDS, in contrast, has just recently added LDAP support and must translate LDAP requests, slowing performance, and has yet to publish all NDS services through LDAP, complicating administration and integration.
Full namespace integration with DNS, the location mechanism for the Internet. Because domains have a 1:1 relationship with Active Directory partitions, Active Directory namespaces can be located directly through DNS. NDS, in contrast, uses an entirely separate locator mechanism, SLP, to locate internal resources, which is unrelated to the DNS used externally, increasing management effort and making service location much more difficult.
Integrated support for PKI technologies for simpler security administration of extranet transactions and services, automatic distribution of public keys to clients, and a better platform on which to PKI-enable applications. NDS, in contrast, lacks any application-level PKI support and OS integration, and lacks key PKI management capabilities like revocable certificates, encryption key recovery, and client-side distribution, making Novell's PKI more costly to administer due to its greater dependence on manual administration.
Finally, it's important to summarize the directory solution requirement of Internet Standards support as one that goes beyond surface-level support to the degree to which the standard is integrated into the directory and how it reduces management, enables interoperability, and allows an enterprise to transact and communicate over the Internet. On all counts Microsoft believes the Windows 2000 Active Directory meets these requirements far better than NDS.
39 Application Integration
(Diagram: Applications reach NT-DS/Active Directory, NDS, LDAP directories and databases through ADSI, ADO and OLE DB)
Active Directory Services Interface:
Provides a consistent, simple way for COM-enabled apps to access directory services
Usable for any LDAP server (including NDS)
Leverages COM Windows development tools
Greatly simplifies development of directory-enabled applications
Slide Objective: Show the unique value of ADSI in easily enabling applications with directory functionality.
Since the Windows platform is the richest for application developers and is supported by over 8,000 applications, and the Active Directory feature set is extensive, Microsoft invested considerable effort in making those features as accessible and leverageable as possible by making it easier to write directory-enabled applications that access Active Directory and other LDAP-enabled directories.
The culmination of this effort is the Active Directory Services Interface (or ADSI). ADSI is a set of extensible, easy-to-use programming interfaces based on Microsoft COM that can be used to write applications that can access and manage:
Active Directory
Any other LDAP-based directories
And other directory services, including NDS
ADSI abstracts the capabilities of directory services from different network providers to present a single set of directory service interfaces for managing network resources. As a result ADSI greatly simplifies the development of directory-enabled applications. Developers and administrators can use this single set of directory service interfaces to manage network resources no matter which network environment contains the resource. Combined with the wealth of tools that support COM, such as the Visual Basic, Visual C++, and Visual J++ development systems, ADSI makes it easy for developers to directory-enable their applications.
40 Application Integration
Active Directory enables powerful directory-enabled applications:
Group Policy Integration
Service Publication
Directory Object Extension
ADSI Extension Model
Active Directory Class Store
AD-enabled applications: Baan, J.D. Edwards, SAP, Cisco & others; BackOffice 2000, MSMQ, MTS and most others
Slide Objective: Describe the management and functionality benefits enabled by Active Directory application integration.
Active Directory was designed to provide developers with the features they need to build powerful directory-enabled applications that provide greater functionality and lower TCO. Active Directory-enabled applications can provide:
Group Policy Integration: allows administrators to define sets of applications, including specific configurations, that users should have available based on their role in the company, the domain of which they are a member and the security groups to which they belong.
Service Publication: enables applications to publish the names and locations of services they provide so that clients can access and use those services dynamically – which in turn allows administrators to reconfigure servers for optimal response times and availability without having to update clients.
Directory Object Extension: provides the ability for applications to add new types of objects and to extend existing objects with new attributes. This enables Active Directory to be a consolidation point for reducing the number of directories that companies have. Benefits include improved information sharing and common management of users, computers, applications, and directory-enabled devices.
The ADSI Extension Model: enables application developers to associate COM-based business rules with objects stored in Active Directory. This provides a consistent and simple way for developers and administrators to interact with an application and its objects. The Extension Model also makes it easy to invoke methods across groups of objects, such as "all users in the Accounting department", to simplify administration.
The Active Directory Class Store: is used to store the names (for instance, Class ID or Program ID) and locations of COM objects installed on the network. COM uses the Class Store to locate and install the COM objects that users are allowed to use on their machines automatically. This can lower the TCO of COM-based applications by simplifying client configuration and administration.
Windows 2000 Server and Active Directory together provide a full-featured platform for building directory-enabled applications. As a testament to the power of this platform, leading vendors like Baan, J.D. Edwards, SAP and Cisco have added support for Active Directory within their products. Moreover, the Windows 2000 Server logo program requires applications to integrate with Active Directory where appropriate. In addition, Microsoft itself is AD-enabling its next generation of BackOffice and Front Office applications, either natively, as in the case of Exchange 2000, or through integration, to provide richer and more integrated directory-enabled services to the Microsoft family of applications.
41 Application Integration - Summary
Windows 2000 & Active Directory
- COM, ADSI, logo programs
- LDAP-based access to all features
- Rich development environment (VB, C++, Java)
- Supports distributed applications over WANs
- Large ISV support: 8,000+ Windows applications
NetWare & NDS
- ADSI support not available on NetWare
- Incomplete LDAP-based access to NDS features
- Java-only development environment
- Partitions limit application functionality
- Poor ISV support: GroupWise not even NDS-enabled

In summary, Active Directory has provided compelling reasons for developers to write AD-enabled applications, including:
- A simplified development environment for doing so through ADSI and COM
- LDAP-based access to all Active Directory features
- A rich development environment supporting Visual Basic, Visual C++ and Java
- Support for distributed applications over WANs, so that developers don't have to build enterprise-wide applications that must be aware of the partitions and WAN boundaries of the customer's network topology

This has resulted in large ISV support for AD-enabling their applications. The Windows code base today supports over 8,000 applications, scores of which are being logo-certified every month for use on Windows 2000 and are Active Directory-aware.

In contrast, the NetWare platform and NDS directory service have almost no application integration support for enterprise customers:
- ADSI support is not available on NDS, making the development of NDS-enabled applications time-consuming and difficult
- Only a limited number of NDS services are available through LDAP, meaning fewer opportunities for developers to build functionality into their applications
- The development environment is limited to Java, with no support for other and more common development environments, limiting the pool of developers who could potentially write NDS-enabled applications
- NDS partitions are limited to the boundaries of the LAN and are not recommended to span a WAN, forcing every developer to build applications that have to be aware of how each NDS directory is partitioned in order to avoid cross-WAN searches that would involve tree-walking

As a result of these inherent limitations imposed on developers, there are very few enterprise applications that are truly NDS-enabled after several years of NDS availability on the market. As testimony to the difficulty of developing NDS-enabled applications, not even Novell's own GroupWise product is NDS-aware; it uses its own database.

It is becoming increasingly apparent that a directory that lacks simple application integration capabilities and a rich underlying platform does not interest many developers and lowers the value of a directory-enabled network environment.
42 Active Directory vs. NDS

Comparison                        Active Directory    NDS Version 8
Storage technology                Indexed             Indexed
Max objects/partition             Millions            Millions
Partition boundary                Geo/Political       WAN
Partition-spanning groups?        Yes                 Not advised
Same store for catalogs?          Yes                 No
Catalog update interval           Continuous          Scheduled
Attribute security in catalog?    Yes                 No
Native LDAP support?              Yes                 No
Global change LDAP interface?     Yes                 No
DNS naming integration            Yes                 No
Integrated PKI support?           Yes                 No
ADSI provider support?            Yes                 Yes*
Java support                      Yes (JADSI)         Yes (JNDI)
VB, C, C++ support                Yes                 No
Interoperability tools            Yes                 No

Slide Objective: While Active Directory and NDS 8 share similar functionality and scalability, Active Directory exceeds NDS in providing an enterprise-class directory service.

To recap the main differences between Active Directory and Novell's NDS in meeting the directory solution requirements of enterprise customers today, it is important first to note that both Active Directory and NDS have an indexed storage technology and scale to meet the requirements of any environment easily. However, it is in meeting the more advanced directory solution requirements of today's and tomorrow's enterprise customers where the differences between the two directories come into stark relief.

Regarding global data availability:
AD does much more efficient replication and can afford to replicate the entire namespace on every DC, meaning fewer partitions and less administration. AD therefore does not force customers to partition "artificially" around WAN boundaries (geo/political boundaries are non-technical limits). In contrast, neither NDS partitions nor NDS groups span WAN links.

Active Directory's catalog architecture uses the same replication mechanisms as domain replicas, so that global catalogs are continuously up to date and maintain the same object- and attribute-level security permissions set in the directory itself. In contrast, NDS catalogs use an entirely separate replication mechanism that rebuilds the catalog from scratch on a scheduled basis, which means that the catalog and the underlying directory are out of sync. Moreover, the catalog strips all security permissions set on objects and attributes, meaning that the NDS catalog needs to be manually maintained.

Regarding support for Internet standards:
Both directories support LDAP, DNS and PKI technologies, but Active Directory implements these standards in a more integrated manner that improves performance and reduces management.

First, Active Directory is a native LDAP server, improving performance by 2-6 times over NDS, and publishes all of its services through LDAP to simplify interoperability and application integration. In contrast, NDS LDAP support is only translated, which slows down performance and only provides a limited set of NDS services through LDAP.

Second, Active Directory provides DNS namespace integration to facilitate extranet management and the location of intranet services. While NDS 8 does allow the use of a DNS-style syntax, Novell has not integrated DNS naming into its scheme the way AD does and instead uses its own proprietary implementation of SLP, vastly complicating the location of resources. There is no DNS-based "global root" capability and no guarantee of universal object name uniqueness.

Third, Active Directory has extensively integrated PKI technologies to provide such useful management time savers as an integrated key recovery mechanism, revocable certificates, web-based access and management, and integrated client-side distribution of keys. NDS provides none of this.

In the area of application integration, Active Directory provides a rich tool and development environment that allows vendors and customers to easily directory-enable their applications and devices to reduce management and enhance functionality. NDS, in contrast, provides few tools and only a Java development environment to do the same. NDS also provides no single place where applications can obtain information about object changes in the tree; each partition can report changes, but applications need to put a listener in each partition and "roll up" the events themselves. Moreover, NetWare lacks the application services found in Windows 2000 that would make NetWare an attractive platform to host applications, since NetWare lacks SMP, transaction, component, queuing, and universal language support.

Finally, Active Directory provides a flexible set of interoperability services that consolidate directory management with synchronization and meta-directory services as well as application integration and full LDAP support. Novell, in contrast, lacks synchronization tools and has an unclear meta-directory strategy, while providing few application integration tools and only limited LDAP service publishing support, and instead chooses to recommend that customers simply rip and replace their directories with a one-size-fits-all NDS service.

* Not available to NetWare applications
44 Closing
In today's marketplace, organizations need to carefully manage their costs in order to stay competitive. Windows 2000 Server has been designed to provide powerful management through its integrated Active Directory service. Active Directory enables customers to increase the value of their existing investments and lower their overall costs of computing by making the Windows network operating system more manageable, secure and interoperable.

For more information on the Windows 2000 Active Directory see: