
Differences: Windows Active Directory and Novell Directory Services. Donnie Hamlett, Technology Specialist, Microsoft – New York.


Slide 2: Agenda
- Introduction
- X.500 Directories, History and Terminology
- X.500 Implemented with AD and NDS
- Objects
- Networking and Services
- LDAP
- Directory Design and Partitioning the Directory
- Programming
- Summary

Slide 3: Introduction
- The purpose of this session is to get a thorough understanding of the basic differences between Windows 2000 AD and Novell NDS.

Slide 4: X.500 History
- X.500 is the standard produced by the ISO/ITU defining the protocols and information model for a directory service that is independent of computing application and network platform.
- X.509 Authentication Framework is a series of standards describing the use of digital certificates and PKI.
- X.525: Replication.
- First released in 1988 and updated in 1993 and 1997.
- The X.500 standard defines a specification for a rich, distributed directory based on hierarchically named information objects (directory entries) that users can browse and search.
- X.500: glorified, very logical, electronic yellow pages for X.400 messaging systems.

Slide 5: X.500 Fundamentals
- DIB - Directory Information Base: the actual database(s) that store(s) the entries in the directory service.
- DIT - Directory Information Tree: dictated by the database schema to present a hierarchical tree of objects.
- Diagram: the DIB holding the DIT.

Slide 6: X.500 Schema
- Schema: the design of the directory store. Defines objects, attributes, and system information.
- Object Classes:
  - Define the kinds of objects that can be instantiated in the directory
  - Define the rules for an object
  - Define the attributes that are intended for the object
- Diagram: DIB > Object > Attribute.

Slide 7: X.500 Objects
- Objects: specific entries in the directory store; they are composed of attributes.
- Attributes: describe certain aspects of the object.
- Example: a USER object with attributes First Name, Last Name, Phone Number, Address.

Slide 8: X.500 Directory Services
- DSA - Directory System Agent: the actual process that client applications bind to in order to search the directory. Utilizes DSP - Directory System Protocol.
- DUA - Directory User Agent: client process that binds to a DSA to retrieve information from the directory. Utilizes the Directory Access Protocol.
- Access Protocols:
  - DAP – Directory Access Protocol
  - LDAP – Lightweight Directory Access Protocol, developed because DAP is bulky and didn't lend itself to the Internet.

Slide 9: X.500 Directory Services – Hierarchy
- Hierarchy: the representation of data in the directory. Easier to use than flat systems. Defined in X.500.
- Naming components: (Root); DC – Domain Component; C – Country; L – Locality; O – Organization; OU – Organizational Unit; CN – Common Name.
- Distinguished Name: defines the name and location in the DIT.
- Relative Distinguished Name: uses a reference point; a partial name.
- Example: O=US, O=Microsoft, OU=Development, CN=Thomas
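The naming components above are easiest to see in code. The following is an added example, not part of the presentation: a small parser for LDAP-style distinguished names (comma-separated, leaf-first, with backslash escapes) that derives the parent container, the relative name below a base, and whether a DN is rooted in DC= components (the AD style) or C=/O= (the NDS style). The sample DNs are constructed.

```python
"""X.500 / LDAP distinguished-name helpers.

Added example; not code from the presentation. The DN syntax assumed here is
the comma-separated, leaf-first form used by LDAP (CN=...,OU=...,DC=...), with
backslash escaping for literal commas inside a value.
"""
from __future__ import annotations

RDN = tuple[str, str]  # (attribute type, value)


def _split_unescaped(text: str, sep: str) -> list[str]:
    """Split on `sep` but keep backslash-escaped separators inside a value."""
    parts: list[str] = []
    current: list[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # escape: copy the pair verbatim
            current.append(text[i:i + 2])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def parse_dn(dn: str) -> list[RDN]:
    """Return the RDNs leaf-first: CN=Thomas first, the root component last."""
    rdns: list[RDN] = []
    for raw in _split_unescaped(dn, ","):
        raw = raw.strip()
        if "=" not in raw:
            raise ValueError(f"malformed RDN {raw!r} in {dn!r}")
        attr_type, value = raw.split("=", 1)
        if not attr_type.strip() or not value.strip():
            raise ValueError(f"empty type or value in RDN {raw!r}")
        rdns.append((attr_type.strip().upper(), value.strip()))
    return rdns


def format_dn(rdns: list[RDN]) -> str:
    return ",".join(f"{t}={v}" for t, v in rdns)


def _normalised(rdns: list[RDN]) -> list[RDN]:
    """Values are compared case-insensitively (types are already upper-cased)."""
    return [(t, v.lower()) for t, v in rdns]


def parent_dn(dn: str) -> str:
    """The container holding `dn`: drop the leaf RDN."""
    return format_dn(parse_dn(dn)[1:])


def is_under(dn: str, base: str) -> bool:
    """True when `dn` lies strictly below `base` in the DIT."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) > len(b) and _normalised(d[len(d) - len(b):]) == _normalised(b)


def relative_dn(dn: str, base: str) -> str:
    """The 'partial name' of slide 9: the RDN chain from `dn` up to, not including, `base`."""
    if not is_under(dn, base):
        raise ValueError(f"{dn!r} is not under {base!r}")
    d, b = parse_dn(dn), parse_dn(base)
    return format_dn(d[:len(d) - len(b)])


def naming_style(dn: str) -> str:
    """Classify by the root component: DC= (AD, DNS-rooted) vs C=/O= (NDS-style)."""
    root_type = parse_dn(dn)[-1][0]
    if root_type == "DC":
        return "AD"
    if root_type in ("C", "O"):
        return "NDS"
    return "other"


if __name__ == "__main__":
    # Constructed sample DNs in the two naming styles compared on slide 11.
    for example in ("CN=Thomas,OU=Development,DC=microsoft,DC=com",
                    "CN=Thomas,OU=Development,O=Microsoft,C=US"):
        print(example, "->", naming_style(example), "| parent:", parent_dn(example))
```

Note that the parser treats a value's case as insignificant when comparing DNs but preserves it on output, which is what most directory clients expect; escaped commas stay escaped in the returned value so a DN can be re-emitted unchanged.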

Slide 10: X.500 Implemented with AD and NDS
- No one used the full set of X.500 definitions to design their directory service.
- Everyone has their own proprietary take on how X.500 is implemented.

Slide 11: Differences – X.500 Names
- Both Novell and AD use X.500 name schemes, but neither implements all of them.
- Active Directory: DC, OU, CN
- Novell Directory Service: C, O, OU, CN

Slide 12: Differences – Objects
- Windows – Static Inheritance
  - More weight on the directory at creation; write intensive
  - All ACEs are contained within the object
  - Larger objects increase the size of the DIB
  - Rights controlled by groups
- Novell – Dynamic Inheritance
  - When the object is called you must aggregate its rights by walking the tree
  - More weight on the directory when read
  - Rights controlled by OUs (also groups)
  - Must tree walk – this can go across the WAN – bad

Slide 13: Object Access
- Access to directory objects is controlled via Access Control Lists (ACLs).
- Fine granularity is provided by Access Control Entries (ACEs) that apply to specific attributes.
- Diagram: a Directory Object's ACL holding an ACE that grants Sales Managers read access; ACEs can apply to specific attributes.
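The cost trade-off on slides 12 and 13 can be made concrete with a small model. This is an added example, not code from the presentation: a tree of directory entries with attribute-level ACEs, checked once under static inheritance (every effective ACE is copied into the object when it is created, so an access check reads one entry) and once under dynamic inheritance (the check walks up the tree at read time). It also counts how many entries each model must rewrite when an inheritable ACE is added to a container. Trustee names are matched literally; group-membership expansion and deny entries are left out, and the sample tree is constructed.

```python
"""Static vs. dynamic inheritance of directory ACEs (added example, not from the deck).

Models the contrast on slides 12 and 13: a Windows-style object carries every
effective ACE inside itself, while a Novell-style object aggregates rights by
walking up the tree when it is read. Trustee names are matched literally; group
membership expansion is left out for brevity.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class ACE:
    trustee: str    # user or group being granted the right
    attribute: str  # a specific attribute name, or "*" for the whole object
    right: str      # e.g. "read" or "write"


@dataclass
class Node:
    """A directory entry (container or leaf) in the DIT."""
    name: str
    parent: Optional["Node"] = None
    acl: list = field(default_factory=list)        # ACEs set directly on this entry
    effective: list = field(default_factory=list)  # static model: ACEs materialised at creation
    children: list = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.parent is not None:
            self.parent.children.append(self)
            # Static inheritance: copy the parent's effective ACEs into the new
            # object now, so later access checks never have to look upward.
            self.effective = list(self.parent.effective) + list(self.acl)
        else:
            self.effective = list(self.acl)


def _matches(ace: ACE, trustee: str, attribute: str, right: str) -> bool:
    return ace.trustee == trustee and ace.right == right and ace.attribute in ("*", attribute)


def check_static(node: Node, trustee: str, attribute: str, right: str = "read"):
    """Windows model: one lookup in the object's own ACL. Returns (allowed, entries read)."""
    return any(_matches(a, trustee, attribute, right) for a in node.effective), 1


def check_dynamic(node: Node, trustee: str, attribute: str, right: str = "read"):
    """Novell model: walk up the tree aggregating ACEs. Returns (allowed, entries read)."""
    visited = 0
    current: Optional[Node] = node
    while current is not None:
        visited += 1
        if any(_matches(a, trustee, attribute, right) for a in current.acl):
            return True, visited
        current = current.parent
    return False, visited


def grant_static(container: Node, ace: ACE) -> int:
    """Static model: an inheritable ACE is written into the container and every
    descendant. Returns the number of entries rewritten (the write cost of slide 12)."""
    container.acl.append(ace)
    writes = 0
    pending = [container]
    while pending:
        entry = pending.pop()
        entry.effective.append(ace)
        writes += 1
        pending.extend(entry.children)
    return writes


def grant_dynamic(container: Node, ace: ACE) -> int:
    """Dynamic model: a single write; the cost moves to read time."""
    container.acl.append(ace)
    return 1


def build_sample_tree() -> Node:
    """Constructed sample: O=Microsoft > OU=Development > CN=Thomas, with a root
    ACE letting Sales Managers read telephoneNumber (the slide 13 picture)."""
    root = Node("O=Microsoft", acl=[ACE("Sales Managers", "telephoneNumber", "read")])
    ou = Node("OU=Development", parent=root)
    Node("CN=Thomas", parent=ou)
    return root


def leaf(root: Node) -> Node:
    """First leaf reached by always descending into the first child."""
    node = root
    while node.children:
        node = node.children[0]
    return node
```

The two `check_*` functions return the number of entries touched so the read cost is visible: the static check is always one entry, the dynamic check grows with the depth of the object, and if the containers above it live on servers across a WAN each step is a remote call, which is the slide's "bad" case.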

Slide 14: Global Data Availability - Catalogs
- Active Directory Catalogs:
  - Enable efficient cross-domain data sharing
  - Use the same set-up tools as replicas
  - Use the same replication mechanisms and the same interval as domain replicas
  - Enforce object- and attribute-level security
- Diagram: a Windows 2000 forest with domains acme.com, asia.acme.com, europe.acme.com and xyx.com; a Global Catalog replica sits alongside each domain replica.

Slide 15: Global Data Availability - Catalogs
- NDS Catalogs:
  - Are based on periodic dredging
  - Occur only at scheduled 1-7 day intervals
  - Users are granted/denied access to the entire catalog – no attribute/object-level security
  - Are being completely redesigned...
- Diagram: dredgers feeding catalogs at San Diego, Chicago and Boston.

Slide 16: Differences – Networking and Services
- Active Directory
  - Based on TCP/IP
  - DNS server resource records (e.g. MX record)
  - LDAP for internal searches; each object has a unique GUID (example on the following page)
  - All Domain Controllers are native LDAP servers
  - Integrates with DNS
- NDS
  - Originally based on IPX/SPX
  - Service Advertising Protocol (SAP) to advertise services
  - Implemented in TCP/IP with Service Location Protocol (SLIP), also advertisement based
  - SLIP does not integrate with DNS; proprietary
  - When implemented together, network performance is reduced because routers must support RIP that allows for both SLIP and SAP protocols
  - Not a native LDAP server – it has an LDAP interface that translates LDAP requests to native NDAP protocols

Slide 17: Active Directory Global Namespace = DNS + LDAP Directories
- Diagram: a DNS tree (com → microsoft, aVendor; edu → stanford → courses, music, students) with the domains microsoft.com, stanford.edu and aVendor.com, and user objects (sarahj, thorj, Vera, Kark, MargretJ) held in the LDAP directories beneath them.

Slide 18: Internet Standards Support - LDAP
Active Directory vs. NDS – LDAP Search

| | NDS | Active Directory |
|---|---|---|
| LDAP requests | Translated | Processed natively |
| Services published through LDAP | Limited | All |

- Active Directory is a faster and more interoperable LDAP server.

Slide 19: Differences - Design
- Active Directory
  - Partition the directory by Domain
  - Different administrative view (Domain) and replication view (Site)
  - Replication occurs via sites (IP subnets of good connectivity)
  - A server can only host one Domain partition
  - Multi-master replication
  - Uses Update Sequence Numbers to prevent corruption
  - Replication is controlled and easy to configure
  - A Domain can efficiently span multiple sites

Slide 20: Replication
- What is replicated? Only changes are replicated:
  - Directory information
  - Configuration
  - Schema
- There are two forms of replication:
  - Intrasite replication
  - Intersite replication
- Knowledge Consistency Checker: automatically configures and checks the topology for the most efficient replication.
- Tools: Sites and Services MMC snap-in; Replmon.

Slide 21: Sites
- A Site separates the network's physical topology from Active Directory's logical view of the network.
- A Site is an area of good connectivity.
- A Site is a collection of subnets.
- All directory replication is controlled via Sites.
- A Site can be composed of multiple Domains.
- Clients discover their site based on the subnet mask received from DHCP (or hand-configured).
- Basis for locality-based resource discovery.

Slide 22: Intrasite Replication
- Automatically configured for you
- Replication occurs whenever there is a directory change or at an interval of ~7 minutes
- Not compressed
- Not easily controllable

Slide 23: Intrasite Replication
- Diagram: intra-site replication among the domain controllers of a single site.

Slide 24: Intersite Replication
- Compressed 10:1
- Configurable
- Scheduled (15 minutes – 3 hours)
- RPC or SMTP
- Site Links
- Site Bridges

Slide 25: Intersite Replication
- Diagram: inter-site replication between the domain controllers of Site 1 and Site 2.

Slide 26: Site Links
- Represent the priority of replication traffic between the sites identified in the site link
- Higher cost numbers represent lower-priority replication paths
- Control topology by setting the costs on site links
- Control the replication frequency by setting the number of minutes between replication attempts
- Control link availability using the schedule on site links
- Can link multiple sites to create a controlled path of replication called a Site Bridge

Slide 27: Site Links and Bridges
- Diagram: Sites X, Y and Z joined by Site Link XY and Site Link YZ; Site Link Bridge XYZ spans both links.
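The site model of slides 21, 26 and 27 is small enough to reproduce end to end. The following is an added example, not code from the presentation: a client is mapped to its site by the longest matching subnet, and the replication path between two sites is chosen by lowest total site-link cost, where a site link bridge makes links that share a site transitive (X to Z through Y in the diagram) and, without one, only a direct link counts. Site names, subnets, costs and intervals are constructed sample data; the interval check uses the 15 minutes to 3 hours range from slide 24.

```python
"""Site lookup and least-cost replication paths (added example; not from the deck).

Serves slides 21, 26 and 27: a client finds its site by longest-prefix match on
the configured subnets, and replication between two sites follows the lowest
total site-link cost, with a site link bridge making links transitive. Site
names, subnets, costs and intervals below are constructed sample data.
"""
from __future__ import annotations
import heapq
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SiteLink:
    name: str
    sites: frozenset[str]   # every site on the link can replicate with every other
    cost: int               # higher cost = lower-priority path (slide 26)
    interval_minutes: int   # minutes between replication attempts

    def __post_init__(self) -> None:
        if len(self.sites) < 2:
            raise ValueError(f"{self.name}: a site link needs at least two sites")
        if not 15 <= self.interval_minutes <= 180:
            # Slide 24 gives the inter-site schedule range as 15 minutes to 3 hours.
            raise ValueError(f"{self.name}: interval must be 15..180 minutes")


def site_for_address(ip: str, subnets: dict[str, str]) -> str | None:
    """Map a client address to a site: the longest matching subnet prefix wins."""
    addr = ipaddress.ip_address(ip)
    best: tuple[int, str] | None = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, site)
    return best[1] if best else None


def least_cost_path(links: list[SiteLink], src: str, dst: str, bridged: bool = True):
    """Dijkstra over site links. Without a site link bridge only a direct link counts;
    with one, links sharing a site are transitive (X -> Y -> Z on slide 27).
    Returns (total cost, path, worst-case minutes for a change to cross) or None."""
    adjacency: dict[str, list[tuple[str, int, int]]] = {}
    for link in links:
        for a in link.sites:
            for b in link.sites:
                if a != b:
                    adjacency.setdefault(a, []).append((b, link.cost, link.interval_minutes))
    if not bridged:
        direct = [(c, i) for b, c, i in adjacency.get(src, []) if b == dst]
        if not direct:
            return None
        cost, interval = min(direct)
        return cost, [src, dst], interval
    # heap entries: (cost so far, summed intervals so far, path)
    heap = [(0, 0, [src])]
    seen: set[str] = set()
    while heap:
        cost, minutes, path = heapq.heappop(heap)
        node = path[-1]
        if node == dst:
            return cost, path, minutes
        if node in seen:
            continue
        seen.add(node)
        for nxt, link_cost, interval in adjacency.get(node, []):
            if nxt not in seen:
                heapq.heappush(heap, (cost + link_cost, minutes + interval, path + [nxt]))
    return None


# Constructed sample topology: X and Z are joined directly by an expensive link,
# and indirectly through Y by two cheaper links (the slide 27 shape plus one extra link).
SAMPLE_LINKS = [
    SiteLink("Site Link XY", frozenset({"X", "Y"}), cost=100, interval_minutes=15),
    SiteLink("Site Link YZ", frozenset({"Y", "Z"}), cost=100, interval_minutes=60),
    SiteLink("Site Link XZ", frozenset({"X", "Z"}), cost=500, interval_minutes=180),
]
SAMPLE_SUBNETS = {"10.1.0.0/16": "X", "10.2.0.0/16": "Y", "10.2.5.0/24": "Z"}

if __name__ == "__main__":
    print(site_for_address("10.2.5.7", SAMPLE_SUBNETS))          # Z (longest prefix)
    print(least_cost_path(SAMPLE_LINKS, "X", "Z"))                # via Y, cost 200
    print(least_cost_path(SAMPLE_LINKS, "X", "Z", bridged=False)) # direct, cost 500
```

The summed interval is a simplification (it ignores the per-link schedule window), but it shows why a cheap path with long intervals can still be the slow one for propagation latency even though cost alone picks it.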

Slide 28: Architecture – Replication
- Based on update sequence numbers
- Local USN advanced by any write
- Each replica knows the last USN obtained from each partner
- Replication is per property
- Property versioning for collision detection and resolution
- Propagation dampening via up-to-date vectors

Slide 29: Architecture – Replication: Before replication
What each replica knows about its partners' USNs:

| Replica | Known USNs |
|---|---|
| R1 | R1 USN:5, R2 USN:273 |
| R2 | R1 USN:3, R2 USN:305, R3 USN:54 |
| R3 | R2 USN:273, R3 USN:62 |

Slide 30: Architecture – Replication: After replication

| Replica | Known USNs |
|---|---|
| R1 | R1 USN:5, R2 USN:305 |
| R2 | R1 USN:5, R2 USN:305, R3 USN:62 |
| R3 | R2 USN:305, R3 USN:62 |
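The six mechanisms listed on slide 28 fit in one short simulation. This is an added example, not code from the presentation and not the actual Active Directory algorithm: each replica keeps a local USN advanced by every write, a per-partner high-watermark (the "last USN obtained from each partner" tabulated on slides 29 and 30), a per-property version stamp used to resolve collisions, and an up-to-date vector that dampens changes which already reached it over another path. Replica, object and attribute names are constructed sample data.

```python
"""USN-based multi-master replication, simplified (added example, not from the deck).

Implements the mechanisms listed on slide 28 and pictured on slides 29-30: a
local USN advanced by every write, a per-partner high-watermark (the last USN
obtained from each partner), per-property version stamps for collision
resolution, and an up-to-date vector for propagation dampening. Replica and
object names are constructed sample data; the real AD algorithm is richer.
"""
from __future__ import annotations
import itertools
from dataclasses import dataclass

_clock = itertools.count(1)  # constructed monotonic timestamp used as a tie-breaker


@dataclass(frozen=True)
class Change:
    obj: str
    prop: str
    value: str
    version: int      # per-property version stamp
    origin: str       # replica where the write originated
    origin_usn: int   # originating replica's USN for that write
    stamp: int        # originating timestamp (tie-breaker for equal versions)


class Replica:
    def __init__(self, name: str) -> None:
        self.name = name
        self.usn = 0                                 # local USN, advanced by any write
        self.store: dict[tuple[str, str], Change] = {}
        self.log: list[tuple[int, Change]] = []      # (local USN, change) in USN order
        self.high_watermark: dict[str, int] = {}     # partner -> last partner USN pulled
        self.utd_vector: dict[str, int] = {}         # origin -> highest origin USN applied

    def _record(self, ch: Change) -> None:
        self.usn += 1
        self.store[(ch.obj, ch.prop)] = ch
        self.log.append((self.usn, ch))
        self.utd_vector[ch.origin] = max(self.utd_vector.get(ch.origin, 0), ch.origin_usn)

    def write(self, obj: str, prop: str, value: str) -> None:
        """An originating write: bumps the property version and the local USN."""
        prev = self.store.get((obj, prop))
        version = prev.version + 1 if prev else 1
        self._record(Change(obj, prop, value, version, self.name, self.usn + 1, next(_clock)))

    def get(self, obj: str, prop: str) -> str | None:
        ch = self.store.get((obj, prop))
        return ch.value if ch else None

    def replicate_from(self, src: Replica) -> tuple[int, int, int]:
        """Pull changes newer than our high-watermark for `src`.
        Returns (applied, dampened, lost-collision) counts."""
        applied = dampened = lost = 0
        for local_usn, ch in src.log:
            if local_usn <= self.high_watermark.get(src.name, 0):
                continue                               # already pulled from this partner
            if self.utd_vector.get(ch.origin, 0) >= ch.origin_usn:
                dampened += 1                          # reached us via another path
                continue
            current = self.store.get((ch.obj, ch.prop))
            if current and (current.version, current.stamp) >= (ch.version, ch.stamp):
                lost += 1                              # collision: higher stamp wins
                self.utd_vector[ch.origin] = max(self.utd_vector.get(ch.origin, 0), ch.origin_usn)
                continue
            self._record(ch)
            applied += 1
        self.high_watermark[src.name] = src.usn
        return applied, dampened, lost


if __name__ == "__main__":
    # Constructed scenario: R1 -> R2 -> R3 -> R1 ring; the last hop is fully dampened.
    r1, r2, r3 = Replica("R1"), Replica("R2"), Replica("R3")
    r1.write("CN=Thomas", "telephoneNumber", "555-0100")
    print(r2.replicate_from(r1), r3.replicate_from(r2), r1.replicate_from(r3))
    print("R1 high-watermarks:", r1.high_watermark)
```

Because replication is per property, two replicas that both edit `title` while disconnected collide on that one attribute only; the tuple comparison `(version, stamp)` makes both sides converge on the same winner regardless of the order in which they later pull from each other, which is what the deck means by "collision detection and resolution".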

Slide 31: Sites and the AD (Microsoft)
- Diagram: the domains MSHQ, HR, Sales, MSNA and Europe, whose domain controllers (MSHQ1–3, HR1–2, Sales1–3, MSNA1–2, EURO1–2) are spread across Site Redmond, Site Seattle and Site Paris.

Slide 32: Operation Masters
- These roles are:
  - Recoverable – Recovery Console
  - Transferable – command line
- The roles are:
  - RID Master – one per domain, controls relative IDs
  - PDC Emulator – one per domain, allows password updates and backwards compatibility with NT 4.0 BDCs
  - Infrastructure Master – one per domain, updates group and user information when changes are made
  - Schema Master – one per forest, controls schema updates
  - Domain Naming Master – one per forest, controls all additions and removals of domains

Slide 33: Differences - Design
- NDS
  - Partition the directory by OU
  - OUs are tied to physical locations
  - Multi-master replication
  - A server can host multiple partitions
  - Replication occurs via time stamps
  - Replication is very difficult to configure and is not controllable
  - It is not recommended to have OUs span physical boundaries

Slide 34: Global Data Availability - Searches
- Active Directory:
  - Partitions map to Windows 2000 domains
  - Partitions can span many sites and WAN links
  - Optimizes replication automatically between sites and over slow network links
  - Impact: faster and more complete searches
- Diagram: one Windows 2000 domain with AD replicas in Boston, Chicago and San Diego, each holding the entries of all three locations, so a "Find: All Bobs" query is answered locally.

Slide 35: Global Data Availability - Searches
- NDS Version 8:
  - Partitions cannot span WAN links... easily
  - Replication does not occur on an inter-site basis
  - Cross-location searches must tree walk
  - Impact: slower and less complete searches; more network traffic
- Diagram: NDS servers in Boston, Chicago and San Diego each hold only their own location's partition, so a "Find: All Bobs" query must walk the NDS tree across the WAN.

Slide 36: Global Data Availability - Replication
- Diagram: two sites (Site 1, Site 2) joined by a WAN, drawn once for NDS and once for Active Directory.
  - NDS: 90 connections; 25 WAN crossings
  - Active Directory: 13 connections; 1 WAN crossing
- Legend: R = Replica, B = Bridgehead Server, line = Connection.

Slide 37: Internet Standards Support - PKI
- Active Directory advantages:
  - Better PKI management: integrated key recovery mechanism and revocable certificates; web-based access and management; integrated client-side distribution of keys
  - Comprehensive OS integration (IIS, EFS, IPSec)
  - Application integration (CryptoAPI)
- Diagram: the Windows 2000 file system, Kerberos, smart cards and X.509/PKI certificates feeding authentication and authorization through Active Directory.

Slide 38: Internet Standards Support - Summary
- Active Directory
  - Native LDAP server
  - Full namespace integration with DNS
  - Integrated support for PKI technologies
- NDS
  - LDAP requests are translated
  - No namespace integration with DNS
  - Limited integration with PKI

Slide 39: Application Integration
- Active Directory Services Interface (ADSI):
  - Provides a consistent, simple way for COM-enabled apps to access directory services
  - Usable for any LDAP server (including NDS)
  - Leverages COM Windows development tools
  - Greatly simplifies development of directory-enabled applications
- Diagram: applications reach Active Directory (NT-DS), LDAP directories and NDS through ADSI, and databases through OLE DB and ADO.

Slide 40: Application Integration
- Active Directory enables powerful directory-enabled applications:
  - Group Policy integration
  - Service publication
  - Directory object extension
  - ADSI extension model
  - Active Directory Class Store
- AD-enabled applications:
  - Baan, J.D. Edwards, SAP, Cisco & others
  - BackOffice 2000, MSMQ, MTS and most others

Slide 41: Application Integration - Summary
- Windows 2000 & Active Directory
  - COM, ADSI, logo programs
  - LDAP-based access to all features
  - Rich development environment (VB, C++, Java)
  - Supports distributed applications over WANs
  - Large ISV support: 8,000+ Windows applications
- NetWare & NDS
  - ADSI support not available on NetWare
  - Incomplete LDAP-based access to NDS features
  - Java-only development environment
  - Partitions limit application functionality
  - Poor ISV support – GroupWise not even NDS-enabled

Slide 42: Active Directory vs. NDS

| Comparison | Active Directory | NDS Version 8 |
|---|---|---|
| Storage technology | Indexed | Indexed |
| Max objects/partition | Millions | Millions |
| Partition boundary | Geo/Political | WAN |
| Partition-spanning groups? | Yes | Not advised |
| Same store for catalogs? | Yes | No |
| Catalog update interval | Continuous | Scheduled |
| Attribute security in catalog? | Yes | No |
| Native LDAP support? | Yes | No |
| Global change LDAP interface? | Yes | No |
| DNS naming integration | Yes | No |
| Integrated PKI support? | Yes | No |
| ADSI provider support? | Yes | Yes* |
| Java support | Yes (JADSI) | Yes (JNDI) |
| VB, C, C++ support | Yes | No |
| Interoperability tools | Yes | No |

* Not available to NetWare applications

Slide 43: This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2000 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Where do you want to go today?, Windows, the Windows logo and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
