Presentation is loading. Please wait.

Presentation is loading. Please wait.

Differences Windows Active Directory and Novell Directory Services

Similar presentations

Presentation on theme: "Differences Windows Active Directory and Novell Directory Services"— Presentation transcript:

1 Differences Windows Active Directory and Novell Directory Services
Donnie Hamlett Technology Specialist Microsoft – New York

2 Agenda Introduction X.500 Directories, History and Terminology
X.500 Implemented with AD and NDS Objects Networking and Services LDAP Directory Design and Partitioning the Directory Programming Summary

3 Introduction Purpose of this session is to get a thorough understanding of the basic differences between the Windows 2000 AD and Novell NDS.

4 X.500 History X.500 is the standard produced by the ISO/ITU defining the protocols and information model for a directory service that is independent of computing application and network platform X.509 Authentication Framework is a series of standards, describes the use of digital certificates and PKI X.525 Replication First released in 1988 and updated in 1993 and 1997 X.500 standard defines a specification for a rich, distributed directory based on hierarchically named information objects (directory entries) that users can browse and search X.500 – Glorified, very logical, electronic yellow pages for X.400 messaging systems

5 X.500 Fundamentals DIB - Directory Information Base
The actual database(s) that store(s) the entries in the directory service Directory Information Tree Dictated by the database schema to present a hierarchical tree objects DIT DIB

6 X.500 Schema Object Classes
Design of the directory store. Defines objects, attributes, and system information Object Classes Define the kinds of objects that can be instantiated in the directory Define the rules for an object Define the attributes that are intended for the object DIB Object Attribute

7 X.500 Objects Attributes Specific entries in the directory store
Are comprise of attributes Attributes Describe certain aspects of the object USER OBJECT Attributes..First Name, Last Name, Phone Number, Address

8 X.500 Directory Services DSA - Directory System Agent
The actual process client applications bind to to search the directory Utilizes DSP - Directory System Protocol DUA - Directory User Agent Client Process that binds to a DSA to retrieve information from the directory Utilizes the Directory Access Protocol Access Protocols DAP – Directory Access Protocol LDAP – Lightweight Directory Access Protocol, developed because DAP is bulky and it didn’t lend itself to the internet. DAP LDAP

9 X.500 Directory Services O=US, O=Microsoft, OU=Development, CN=Thomas
Hierarchy Representation of data in the directory. Is easier to use than flat systems Defined in X.500 (Root) DC – Domain Component C – Country L - Locality O – Organization OU – Organizational Unit CN – Common Name Distinguished Name defines the name and location in the DIT Relative Distinguished Name Uses a reference point, Partial name O=US, O=Microsoft, OU=Development, CN=Thomas

10 X.500 Implemented with AD and NDS
No one used the full set of X.500 definitions to design their directory service. Everyone has their own proprietary take on how X.500 is implemented.

11 Differences – X.500 Names Both Novell and AD use X.500 name schemes but they do not implement all of them. Active Directory DC OU CN Novell Directory Service C O OU CN

12 Differences – Objects Windows – Static Inheritance
More weight on directory at creation, write intensive All Ace's are contained within the object Larger objects increases the size of the DIB Rights controlled by groups Novell – Dynamic Inheritance When the object is called you must aggregate its rights by walking the tree More weight on the directory when read Rights controlled by OU’s (also groups) Must Tree Walk – this can go across WAN – bad

13 Sales Managers read access
Object Access ACE ACEs can apply to specific attributes ACL Sales Managers read access Directory Object Access to directory objects is controlled via Access Control Lists (ACLs) Fine granularity is provided by Access Control Entries (ACEs) that apply to specific attributes

14 Global Data Availability - Catalogs
Windows 2000 Forest = Global Catalog Replica Active Directory Catalogs: Enable efficient cross-domain data sharing Use the same set-up tools as replicas Use same replication mechanisms and the same interval as domain replicas Enforce object and attribute level security Slide Objective: Compare AD catalog services with NDS catalog services. In addition to the WAN and replication aspects of Global Data Availability are catalogs. Since it is not always practical to store all possible objects in a single partition, both NDS and Active Directory have provided global catalog functionality in their directory services. Catalogs gather, store and organize a subset of the information about all directory objects in the organization that may be of interest throughout the company (like employee names and phone number). Catalogs are useful in customer scenarios where wide areas networking may make replication traffic prohibitively slow (for example across oceans between the USA and Europe) or when multiple partitions are required to support a highly decentralized organizational structure. Active Directory provides a mechanism called the “Global catalog” to allow administrators to build a specialized directory containing a subset of object attributes that are of company-wide interest beyond a single domain. Catalogs are set up by assigning a GC to individual domain controllers and specifying which object attributes will appear and be replicated in the global catalog using the Schema Manager snap-in. When changes are made to objects, those changes are propagated automatically using the same replication technologies used within a domain. As a result of this shared replication technology: GCs require no special set-up and configuration is easy. GCs are updated simultaneously with with the directory to ensure that catalogs are consistent with the directory GCs enforce the same object and attribute level security settings as exist in the directory.

15 Global Data Availability - Catalogs
Dredger Dredger Dredger San Diego Chicago Boston NDS Catalogs: Are based on periodic ‘dredging’ Occur only at scheduled 1-7 day intervals Users are granted/denied access to entire catalog – no attribute/object-level security Are being completely redesigned... Slide Objective: Compare AD catalog services with NDS catalog services. While Active Directory catalogs are tightly integrated with domain replication technologies simplifying set-up and administration, maintaining the same security settings while not experiencing any latency between replicas and GCs, NDS has a very different approach Unlike NDS itself, NDS catalogs are not incrementally updated, but are entirely rebuilt from scratch every 1-7 days using a process known as the “dredger” which reconstructs the catalog from scratch and strips all security setting s from the object and attributes that are stored in the catalog - meaning that catalog users either have access to the entire contents of the catalog or they don’t. Microsoft believes Novell's catalog approach has several weakness in facilitating global; data availability with the enterprise. Because of the time required to dredge every partition individually, Novell recommends that catalogs only be rebuilt periodically (default is 24 hours). This means that catalogs are likely to be out of date with the underlying objects in their partitions. Objects that are dredged lose their access control properties. Because a lot of the value of directories resides in the ability to only present a limited view of directory object information to people who need to see it, customers will tend to only put information in the catalog that they feel comfortable having all people see, making the catalog less useful. To address this attribute level access control settings, Novell does allow you to construct multiple different catalog views for different sets of users, but this requires duplicated effort in set-up and administration and substantially increases catalog dredging time. Finally, it is important to note the Novell has been in the process of reevaluating its entire catalog architecture and may decide to redesign them entirely.

16 Differences – Networking and Services
Active Directory Based on TCPIP DNS Server Resource Records ( MX-Record) LDAP for internal searches, each object has a unique GUID example on following page All Domain Controllers are native LDAP Servers Integrates with DNS NDS Originally based on IPX/SPX Service Advertising Protocol (SAP) to advertise Services Implemented in TCPIP with Service Location Protocol (SLIP) also advertisement based SLIP does not integrate with DNS proprietary When implemented together reduces network performance because routers must support RIP that allows for both SLIP and SAP protocols Not a native LDAP Server – it has a LDAP interface that translates LDAP request to native NDAP protocols

17 Active Directory Global namespace = DNS + LDAP Directories
edu com stanford microsoft aVendor students courses music Domain : Vera Kark MargretJ sarahj thorj Domain : Domain:

18 Internet Standards Support - LDAP Active Directory vs
Internet Standards Support - LDAP Active Directory vs. NDS – LDAP Search Better Slide Objective: Show LDAP Performance of Active Directory as compared to Novell NDS The next Internet Standard of general importance is LDAP. Now both Active Directory and the most recent version of NDS support LDAP v.3, but each directory supports it in different ways. Microsoft design Active Directory, from the ground up, as a native LDAP server, meaning that LDAP-based requests are processed natively and without translation against the Active Directory data-store. In addition all of Active Directory’s services are published via LDAP for ease of interoperation with other LDAP-based applications. For example, even schema management, change history, and query scoping are published through LDAP In contrast, NDS is not a native LDAP server and LDAP queries made against NDS must be translated to Unicode and then re-translated back in to LDAP for every LDAP request. This dramatically slows LDAP Query performance as illustrated on this graph. On a single processor server, Windows 2000 Server provides more than twice the number of LDAP queries per second. More important, Active Directory performance scales on SMP servers. On a 4-way server, Windows 2000 Server provides more than 6-times the number of LDAP queries per second when compared to Novell’s NDS. This means that customers can deploy fewer Active Directory servers to service LDAP queries; thus lowering equipment costs and management overhead. In addition to LDAP performance, not all NDS services are published through NDS meaning that: Differences in LDAP and NDS data forms may inhibit 1:1 mapping of class and attribute data Multiple access methods must be implement in NDS since schema management through LDAP controls is not provided Enabling access to NDS namespaces containing multiple partitions requires companies to either expose their applications to the performance limitations of tree-walking or deal with catalogs that may be out of date. Test and Configuration Information: 1 million object database (500K users, 500K contact objects) All data in memory Indexed base query for given name of a user Xeon 400 MHz with 4GB RAM Note: Novell has performed 2 different LDAP tests also at Key Labs which indicate that NDS is the faster directory. However, Novell’s tests are peripheral tests which do not reflect common or a large number of usage scenarios as have been demonstrated with Active Directory. Please see the following market bulletins for more detailed information: NDS Active Directory LDAP Requests Processed Translated Natively Services Published through LDAP Limited All Active Directory is a faster & more interoperable LDAP Server

19 Differences - Design Active Directory
Partition the directory by Domain Different Administrative view and Replication view Domain Site Replication occurs via sites (IP subnets of good connectivity) A server can only host one Domain partition Multi-master replication Uses update Sequence Numbers to prevent corruption Replication is controlled and easy to configure A Domain can efficiently span multiple sites

20 Replication What is Replicated ? – only changes are replicated
Directory Information Configuration Schema There are two forms of replication Intrasite Replication Intersite Replication Knowledge Consistency Checker Automatically configures and checks topology for the most efficient replication Tools Sites and Services MMC snap-in Replmon

21 Sites A Site separates networks physical topology from the Active Directories logical view of the Network Site is a area of “good connectivity” A Site is a collection of subnets All directory replication is controlled via Sites A Site can be composed of multiple Domains  Clients discover their site based on the subnet mask received from DHCP (or hand-configured) Basis for locality-based resource discovery

22 Intrasite Replication
Automatically Configured for you Replication occurs whenever there is a directory change or a interval of ~ 7 minutes Not Compressed Not easily controllable

23 Intrasite Replication
Domain Controller Domain Controller Domain Controller Intra-Site Replication Domain Controller Domain Controller

24 Intersite Replication
Compressed 10-1 Configurable Scheduled (15 minutes – 3hours) RPC or SMTP Site Links Site Bridges

25 Intersite Replication
Domain Controller Domain Controller Domain Controller Inter-Site Replication Site 1 Domain Controller Domain Controller Domain Controller Domain Controller Domain Controller Site 2 Domain Controller Domain Controller

26 Site Links Represents the Priority of Replication Traffic Between the Sites Identified in the Site Link Higher Cost Numbers Represent Lower Priority Replication Paths Control Topology by Setting the Costs on Site Links Control the Replication Frequency by Setting the Number of Minutes Between Replication Attempts Control Link Availability Using the Schedule on Site Links Can Link multiple site to create a controlled path of replication called a Site Bridge

27 Site Links and Bridges Site Link Bridge XYZ Site X Site Y Site Link XY
Site Z Site Link YZ

28 Architecture Replication
Based on update sequence numbers Local USN advanced by any write Each replica knows last USN obtained from each partner Replication is per property Property versioning for collision detection and resolution Propagation dampening via “up-to-date” vectors Uses RPC or messaging Replication Units: Domains (in NT 5.0) Not Time Based Each server has a local, monotonically increasing Update Sequence Number (USN) Any write increments and stores the current USN in the object and property written Deletions leave tombstones Properties are versioned for collision detection A DC maintains the last USN sent by each partner DC Requests objects with USN greater than saved USN (pull replication) Property Versions maintain consistency Time used only for arbitration in property update collisions Per-property replication makes collisions extremely rare Forward Optimization: do no transmit changes that have reached the target via another path

29 Architecture Replication
Before replication R1 R2 R1 USN:5 R2 USN:273 R1 USN:3 R2 USN:305 R3 USN:54 R3 R2 USN:273 R3 USN:62

30 Architecture Replication
After replication R1 R2 R1 USN:5 R2 USN:305 R1 USN:5 R2 USN:305 R3 USN:62 R3 R2 USN:305 R3 USN:62

31 Sites and the AD Site Seattle Site Redmond Site Paris Microsoft Sales
MSHQ1 MSHQ2 MSHQ3 Sales HR Sales1 Sales2 Sales3 Europe HR1 HR2 MSNA MSNA1 MSNA2 EURO1 EURO2 MSHQ1 HR1 Sales1 Sales2 MSHQ2 HR2 MSNA1 MSNA2 EURO1 Site Seattle Site Redmond Site Paris MSHQ3 Sales3 EURO2

32 Operation Masters These Roles are These are the following Roles
Recoverable – Recovery Console Transferable – Command Line These are the following Roles RID Master – one per domain, controls relative id’s PDC Emulator – one per domain, allows password updates and backwards compatibility with NT 4.0 BDC’s Infrastructure Master – one per domain, updates group and user information when changes are made Schema Master – one per forest, controls schema updates Domain Naming Master – one per forest, controls all additions and removals of domains

33 Differences - Design NDS Partition the directory by OU
OU’s are tied to physical locations Multimaster replication A server can host multiple partitions Replication occurs via time stamps Replication is very difficult to configure and is not controllable It is not recommended to have OU’s span physical boundaries

34 Global Data Availability - Searches
Windows 2000 Domain AD Replica Boston San Diego Chicago AD Replica Boston Chicago San Diego AD Replica Boston Chicago San Diego Find: ‘All Bobs’ Replication Answer Slide Objective: Show differences in AD and NDS WAN Replication technologies and the impact on performing directory searches. The first aspect of facilitating global data availability throughout the enterprise are “Searches”. In an enterprise directory environment searches are performed frequently to collect information stored in the directory about users, machines and network resources. In Active Directory a full and complete copy, or “replica”, of the entire Active Directory database for a given domain is located at every site, in this example San Diego, Chicago, and Boston, wherever there is a domain controller. Each replica is a fully write able copy so that changes to the directory can be made in any location with a domain controller. This is known as a mullti-master directory model. The directory replicas are kept in sync, through periodic replication, where only the attribute changes made to each local replica are propagated to all other sites. As a result all sites contain a full replica of the entire directory which can be searched locally, so that searches do not need to cross WAN links to obtain a complete result set. This architectural design improves read performance and provides redundancy in the event that a WAN link is lost. [Advances Slide Build] A simple example of this is shown above where a San Diego user submits a query “looking for all Bobs” against the local Active Directory replica. Instead of crossing to the Chicago and Boston sites to collect this information, the result set can be completely and assembled just from querying the local copy of the directory. These types of searches are very common in enterprises and could have just easily been done for such searches as “Find all color printers” or “Find all Marketing Groups” of Find all users with this phone number”. Active Directory: Partitions map to Windows 2000 domains Partitions can span many sites and WAN links Optimizes replication automatically between sites and over slow network links Impact: Faster and more complete searches

35 Global Data Availability - Searches
NDS Tree San Diego Chicago Boston Find: ‘All Bobs’ San Diego San Diego San Diego WAN Chicago Chicago Chicago Answer Boston Boston Boston NDS Server NDS Server NDS Server Slide Objective: Show differences in AD and NDS WAN Replication technologies and the impact on performing directory searches. NDS is designed differently. In NDS, Novell recommends that partitions do not span WAN links. Therefore each site is its own partition and boundary for replication. Therefore, information about other partitions is not stored locally and the scope of replication is limited to sites. As a result, cross-location searches, like the one illustrated before must tree walk across WAN links every time a query is made against the NDS directory. Using the same example a search for “Find all Bobs” will have to cross a WAN at least four times for the query and the result for each partition. [Advance Slide Build] This is less than ideal since query results must span WAN links which consume bandwidth and take more time to complete. In addition, if just one of the WAN links was down at the time of the search, the result set from the query could be incomplete and would not include the information stored on a given partition, making searches in NDS potentially incomplete. So why does Active Directory and NDS differ so much on how they perform searches? Mostly it’s a result of the way Active Directory and NDS perform replication. NDS Version 8: Partitions cannot span WAN links . . .easily Replication does not occur on an inter-site basis Cross-location searches must ‘tree walk’ Impact: Slower and less complete searches; more network traffic

36 Global Data Availability - Replication
NDS WAN Site 1 Site 2 Active Directory WAN Site Site 2 Slide Objective: Show the greater complexity and higher cost of NDS WAN replication and why Novell recommends against partitions that span WANs. In NDS, Novell recommends that partitions not span WAN links because cross-site replication occurs so inefficiently. For example, in the case where there are just 2 sites with 5 replica servers in each site, NDS would create a one-way point-to-point replication session between each pair of servers, or 90 connections in total. While connections within a site are not expensive due to the speed on LAN-based networking, there will be 25 connections that cross the WAN between the sites. Since WAN links are often both slower, less reliable and more expensive this is a costly replication mechanism. This situation only becomes more complex as additional sites are added. For example just adding a third site with 5 replicas would increase the number of WAN connections from 25 to 75. [Advance Slide Build] In contrast, Active Directory’s design is more efficient with regard to both replication and WAN bandwidth usage. Using the same two site 5 replicas/site example, Active Directory only requires 13 connections, rather than 90, and only a single WAN connection, rather than 25. This is due to Active Directory’s use of the Knowledge Consistency Checker (or KCC) which automatically analyzes the network topology and configures inter-site bridgehead servers. This ensures that a single replication event will only be sent across the WAN only once. Further, Active Directory uses a spanning tree algorithm to reduce the number of connections required within a site, supports replication scheduling to minimize the usage of WANs and automatically compresses all data sent across a WAN link by a factor of 8-10 times. Note: Now using Novell’s WAN Manager technology administrators can hand-configure replication topologies to simulate bridgehead and spanning tree behavior, but: Routing tables must be maintained manually on each replica server There is no data compression Only rudimentary replication scheduling services Because of these reasons, WAN Manager is not widely used in practice by NDS administrators, and Novell recommends that partitions not be configured to span WAN links for this reason alone. R B Replica Bridgehead Server Connection NDS: 90 Connections; 25 WAN crossings Active Directory: 13 Connections; 1 WAN crossing

37 Internet Standards Support - PKI
Authorization Authentication Kerberos File System Windows 2000 Smart Card X.509/PKI Active Directory Certificates Active Directory Advantages: Better PKI Management integrated key recovery mechanism and revocable certificates web-based access and management integrated client-side distribution of keys Comprehensive OS Integration (IIS, EFS, IPSec) Application Integration (CryptoAPI) Slide Objective: Show better PKI management and integration with Active Directory as compared to Novell NDS The final component of Internet Standard support is support for PKI technologies. Microsoft believes that public key technologies will form the basis for the majority of security infrastructures deployed over the Internet. Uses range from simplifying Virtual Private Networking within a company to enabling secure transactions in business to consumer e-commerce scenarios. Because directory services are an integral part of making public key technologies easy to use and manage, it is important to evaluate the degree of integration between a given directory service and the Internet security technologies that a company plans to use. Microsoft believes there are 3 key areas in which the PKI technologies of Windows 2000 are superior to Novell’s PKI offering: Management. Windows 2000 PKI provides for: Integrated recovery key mechanisms. Novell’s PKI does not support tools for the recovery, archival or escrow of encryption keys. Revocable Certificates. Novell’s PKI does not provide a mechanism for revoking certificates once issued. – for example there is no way in NDS to disable a certificate issues to a fired employee. Web-based Access and Management. There is no way to access Novell’s PKI through a web browser as an admin or user. Client-side distribution. The PKI in Win2000 is integrated to automatically distribute root keys to clients. Novell’s PKI is not integrated with ZENWorks to distribute keys – this means that every user needs to manually request, download and manage certificates using a ConsoleOne client. Operating System Integration Windows 2000 PKI is integrated into the core operating system functions such as EFS, IIS web server, IE and IPSEC support and provides a platform for smartcard ISVs Novell’s PKI lacks comprehensive integration with its NetWare operating system, or any other OS. Further Novell’s PKI is layered onto NDS and is not integrated with its core authorization and authentication functions. Application Integration Microsoft provides a comprehensive API called CryptoAPI that enables ISVs and customers to PKI-enable their applications. In contrast, NDS does not provide a similar API to enable ISV or customer applications with PKI services. In summary both Novell and Microsoft directories support PKI, but as we’ve seen with other internet standard support areas: it’s the degree and extent of integration and management tools that most distinguish the two directory services.

38 Internet Standards Support - Summary
Active Directory Native LDAP server Full namespace integration with DNS Integrated support for PKI technologies NDS LDAP requests are translated No Namespace Integration with DNS Limited Integration with PKI On the second of the four key directory solution requirements for customers, Internet Standards support, Microsoft delivers a directory that best integrates with and leverages the three key internet standards: Active Directory provides: A native LDAP server that publishes all of its services through LDAP for faster performance and simplified integration with other LDAP services. NDS in contrast has just recently added LDAP support to NDS and must translate LDAP requests slowing performance and has yet to publish all NDS services through LDAP complicating administration and integration. Full namespace integration with DNS, the location mechanism for the Internet. Because domains have a 1:1 relationships with Active Directory partitions, Active Directory namespaces can be located directly through DNS. NDS, in contrast,using an entirely separate locator mechanism, SLP, to locate internal resources which is unrelated to DNS used externally, increasing management and making service location much more difficult. Integrated support for PKI technologies for simpler security administration of extranet transactions and services, automatic distribution of public keys to clients, and a better platform on which to PKI-enable applications. NDS, in contrast lacks any application-level PKI support, no OS integration, and lacks key PKI management capabilities like revocable certificates, encryption key recovery, and client-side distribution making Novell’s PKI more costly to administer due to its greater dependence on manual administration Finally, its important to summarize the directory solution requirement of Internet Standards support as one that goes beyond surface level support but the the degree to which the standard is integrated in to the directory and how it reduces management, enables interoperability, and allows an enterprise to transact and communicate over the Internet. On all counts Microsoft believes the Windows 2000 Active Directory meets these requirement far better than NDS.

39 Application Integration
NT-DS Application Active Directory A D S I O L E D B NDS Application A D O LDAP Application Databases Active Directory Services Interface Provides a consistent, simple way for COM-enabled apps to access directory services Usable for any LDAP server (including NDS) Leverages COM Windows Development tools Greatly simplifies development of directory-enabled applications Slide Objective: Show the Unique Value of ADSI in easily enabling applications with directory functionality. Since the Windows platform is the richest for application developers and is supported by over 8,000 applications, the Active Directory feature set is extensive, Microsoft invested considerable effort in making those features as accessible and leverageable as possible by making it easier to write directory-enabled applications that access the Active Directory and other LDAP-enabled directories. The culmination of this effort is the Active Directory Services Interface (or ADSI). ADSI is a set of extensible easy-to-use programming interfaces based on Microsoft COM that can be used to to write applications that can access and manage: Active Directory Any other LDAP-based directories And other directory services, including NDS. ADSI abstracts the capabilities of directory services from different network providers to present a single set of directory service interfaces for managing network resources. As a result ADSI greatly simplifies the development of directory-enabled applications. Developers and administrators can use this single set of directory service interfaces to manage network resources no matter which network environment contains the resource. Combined with the wealth of tools that support COM such as Visual Basic, Visual C++, and Visual J++ development systems ADSI makes it easy for developers to directory enable their applications.

40 Application Integration
Active Directory enables powerful directory-enabled applications Group Policy Integration Service Publication Directory Object Extension ADSI Extension Model Active Directory Class Sore AD-enabled Applications Baan, J.D. Edwards, SAP, Cisco & others BackOffice 2000, MSMQ, MTS and most others Slide Objective: Describe the Management and functionality benefits enabled by Active Directory application integration. Active Directory was designed to provide developers with the features they need to build powerful directory-enabled applications that provide greater functionality and lower TCO. Active-Directory-enabled applications can provide: Group Policy Integration: that allow administrators to define sets of applications, including specific configurations, that users should have available based on their role in the company, the domain of which they are a member and the security groups to which they belong. Service Publication: that enables applications to publish the names and locations of services they provide so that client s can access and use those services dynamically – which in turn allows administrators to reconfigure servers for optimal response tikes and availability without having to update clients. Directory Object Extension. provides the ability for applications to add new types of objects and to extend existing objects with new attributes. This enables Active Directory to be a consolidation point for reducing the number of directories that companies have. Benefits include improved information sharing and common management of users, computers, applications, and directory-enabled devices. The ADSI Extension Model. enables application developers to associate COM-based business rules with objects stored in Active Directory. This provides a consistent and simple way for developers and administrators to interact with an application and its objects. The Extension Model also makes it easy to invoke methods across groups of objects, such as ‘all users in the Accounting department’ to simplify administration. The Active Directory Class Store. is used to store the names (for instance, Class ID or Program ID) and locations of COM objects installed on the network. COM uses the Class Store to locate and install the COM objects that users are allowed to use on their machines automatically. This can lower the TCO of COM-based applications by simplifying client configuration and administration. Windows 2000 Server and Active Directory together provide a full-featured platform for building directory-enabled applications. As a testament to the power of this platform leading vendor like Baan, JD Edwards, SAP and Cisco have added support for Active Directory within their products. Moreover the Windows 2000 Server logo program requires applications to integrate with Active Directory where appropriate. In addition, Microsoft itself is AD-enabling its next generation of BackOffice and Front Office applications either natively, as in the case of Exchange 2000, or through integration to provide richer and more integrated directory-enabled services to the Microsoft family of applications.

41 Application Integration - Summary
Windows 2000 & Active Directory COM, ADSI, Logo programs LDAP-based access to all features Rich Development Environment (VB,C++,Java) Supports Distributed Applications over WANs Large ISV Support: 8,000+ Windows Applications NetWare & NDS ADSI support not available on NetWare Incomplete LDAP-based access to NDS features Java-only development environment Partitions limit application functionality Poor ISV Support - GroupWise not even NDS-enabled In summary, Active Directory has provided compelling reasons for developers to write AD-enabled applications including: A simplified development environment for doing so through ADSI and COM LDAP-based access to all Active Directory features A rich development environment supporting Visual Basic Visual C++ and Java development environment Support for distributed applications over WAN so that developers don’t have to build enterprise-wide applications that must be aware of the partitions and WAN boundaries of the customer’s network topology. Which has resulted in large ISV support to AD-enable their applications. The Windows code-base today supports over 8,000 applications. Scores of which are being logo-certified every month for use on Windows 2000 that are Active Directory-aware. In contrast the NetWare platform and NDS directory service have almost no application integration support for enterprise customers: ADSI support is not available on NDS – making the development of NDS-enabled applications time-consuming and difficult Only a limited number of NDS service are available through LDAP – meaning fewer opportunities for developers to build functionality into their applications The development environment is limited to Java with no support for other and more common development environments – limiting the pool of developers who could potentially write NDS-enabled applications NDS partitions are limited to the boundaries of the LAN and are not recommended to span a WAN - forcing every developer to build applications that have to be aware of how each NDS directory is partitioned in order to avoid doing cross-WAN searches that would involve tree-walking. As a result of these inherent limitations imposed on developers there are very few enterprise applications that are truly NDS-enabled after several years of NDS availability on the market. As testimony to the difficulty of developing NDS-enabled applications, not even Novell’s own GroupWise applications product is NDS-aware and uses its own database. It is becoming increasingly apparent that a directory that lacks simple application integration capabilities and a rich underlying platform does not interest many developers and lowers the value of a directory-enabled network environment.

42 Active Directory vs. NDS
Active NDS Comparison Directory Version 8 Storage technology Indexed Indexed Max objects/partition Millions Millions Partition Boundary Geo/Political WAN Partition-spanning groups? Yes Not Advised Same store for catalogs? Yes No Catalog update interval Continuous Scheduled Attribute security in catalog? Yes No Native LDAP support? Yes No Global change LDAP interface? Yes No DNS naming integration Yes No Integrated PKI support? Yes No ADSI provider support? Yes Yes* Java Support Yes (JADSI) Yes (JNDI) VB, C, C++ Support Yes No Interoperability Tools Yes No Slide Objective: While Active Directory and NDS8 share similar functionality and scalability, Active Directory exceeds NDS in providing an Enterprise-class directory service. To recap the main differences between Active Directory and Novell’s NDS in meeting the directory solution requirements of enterprise customers today it is important first to note that: Both Active Directory and NDS have an indexed storage technology and scale to met he requirements of any environment easily. However, its in meeting the more advanced directory solution requirements of today’s and tomorrow’s enterprise customers where the differences between the two directories come in stark relief. Regarding Global Data Availability AD does much more efficient replication and can afford to replicate the entire name space on every DC meaning fewer partitions and less administration. AD therefore does not force customers to partition ‘artificially’ around WAN boundaries (geo/political boundaries are non-technical limits). In contrast both NDS partitions and groups don’t span WAN links. Active Directory’s catalog architecture using the same replication mechanisms as domain replicas so that global catalogs are continuously up-to-date and maintain both the same object and attribute level security permissions set in the directory itself. In contrast NDS catalogs use an entirely separate replication mechanism that actually rebuilds the catalog from scratch on a scheduled basis which means that the catalog and underlying directory are out of sync. Moreover the catalog strips all security permissions set on objects and attributes meaning that the NDS catalog needs to be manually maintained. As far as support for Internet Standards support is concerned. Both directories support LDAP, DNS and PKI technologies but Active Direcot4r implements these standards in a more integrated manner that improves performance and reduces management. First Active Directory is a native LDAP server improving performance by 2-6 times that of NDS and publishes all of its services through LDAP to simplify interoperability and application integration. In contrast, NDS LDAP support is only translated which slows down performance and only provides a limited set of NDS services through LDAP. Second Active Directory provides DNS namespace integration to facilitate extranet management and the location of intranet services. While NDS 8 does allow the use of a DNS-style syntax, they have not integrated DNS naming into their scheme the way AD does and instead uses its own proprietary implementation of SLP, vastly complicating the location of resources . There is no DNS-based ‘global root’ capability and there is no guarantee of universal object name uniqueness. Third, Active Directory has extensively integrated PKI technologies to provide such useful management time savers as integrated key recovery mechanism and revocable certificates, web-based access and management and integrated client-side distribution of keys. NDS provides none of this. In the area of application integration, Active Directory provides A rich tool and development environment that allows vendors and customers to easily directory-enable their applications and devices to reduce management and enhance functionality. NDS in contrast provides few tools and only a Java development environment to do the same. NDS also provides no single place that applications can obtain information about object changes in the tree. Each partition can report changes but apps need to put a listener in each partition and ‘roll up’ the events themselves. Moreover, Netware lacks the application services found in Windows 2000 that would make Netware an attractive platform to host applications since Netware lacks SMP, transaction, component, queuing, and universal language support Finally Active Directory provides a flexible set of interoperability services that consolidate directory management with synchronization and meta-directory services as well as application integration and full LDAP support. Novell in contrast lacks synchronization tools, has an unclear meta-directory strategy while providing few application integration tools and only limited LDAP service publishing support and instead chooses to recommend that customers just simply rip and replace their directories with a on-size-fits all NDS service. * Not available to NetWare applications

43 This document is for informational purposes only
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.   © 2000 Microsoft Corporation. All rights reserved.     Microsoft, Active Directory, Where do you want to go today?, Windows, the Windows logo and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.   The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

44 Closing In today’s marketplace, organizations need to carefully manage their costs in order to stay competitive. Windows 2000 Server has been designed to provide powerful management through its integrated Active Directory service. Active Directory enables customers to increase the value of their existing investments and lower their overall costs of computing by making the Windows network operating system more manageable, secure and interoperable. For more information on the Windows 2000 Active Directory see:

Download ppt "Differences Windows Active Directory and Novell Directory Services"

Similar presentations

Ads by Google