2001: the year of AD?

Implementing Microsoft's Active Directory will challenge most organisations. Brian Betts checks out some of the pros and cons of heading down the AD route

Anyone implementing Windows 2000 on the desktop would be advised to begin planning for Active Directory (AD) and the changes it will bring in the way domains and users are managed.

Microsoft has built AD into Windows 2000 and in a number of ways it is the operating system's integral deployment and management tool.

From the administrator's perspective, AD should not be expected to achieve anything specific in its own right. It is part of the Windows 2000 experience, complementing the operating system and making it easier to administer centrally.

The question is whether you spread the directory across the enterprise or use it just for your Windows 2000 resources. AD is not the only way to build and implement a directory-based environment, and if you have other systems besides Windows 2000 it might not be sufficient for your total needs.

Microsoft is, in effect, using AD to push people into adopting Windows 2000. The directory assumes a pure Windows 2000 environment, and while it is possible to use it and existing NT servers side by side, that multiplies the administrative workload and gives another reason to migrate everything to Windows 2000.

Microsoft is also encouraging other software developers to use the directory service to store information. This not only allows users to find and use applications, it also means the applications can all read the same information, says Dan House, a member of the IBM team that is responsible for ensuring that all the company's applications work with AD.

"This means that when a new person starts with the company, it becomes much easier to do lots of things for them at once - entering them into the HR application, making sure the payroll application knows about them, giving them security privileges on the corporate intranet, and so on," says House. Perhaps more importantly, it could also ensure that their e-mail access is revoked as soon as they leave the company.

There are lots of other good reasons for using AD, according to Paul Robinson, business development director at thin-client supplier NCD, which has been involved in several AD implementations. They include managing group policies, user rights and application distribution on a centralised basis.

"Active Directory is a searchable store for corporate information that is centrally located and is replicable across domain controllers on the network," Robinson says. "AD mirrors your company's organisational structure. The benefit over NT4 is that the central store is held on many machines that are synchronised and editable at the same time. With NT4, only one machine has edit rights to the security of the whole network."

The problems facing anyone implementing AD are significant, though.

"Active Directory is quite in-depth; it is not a thing you can jump into. You have to know how it works," notes Dan Rose, a contractor who worked on an AD project at telecoms provider NTL.

"We came across a few problems with replication. We put them to Microsoft and Microsoft was still at the stage of learning the product too. They wrote some Knowledgebase articles as a result of us."

AD works well but suffers from poor documentation, says Pete Lindsay from the IT division at Dundee City Council, which is implementing it in its secondary schools. "I had to do set-ups and user take-ons semi-manually because I could not find documentation of necessary calls, objects and methods to use Windows Scripting Host to do things automatically," Lindsay says.

"This is improving but it is still a matter of searching Web sites which are poorly indexed at best. Replication between the 10 sites, each with its own domain controller server, is giving minor problems too. It seems to work well but error and warning messages are not well enough documented to judge the seriousness of the problems I see."
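Lindsay's point about automating set-ups and user take-ons, and House's earlier point about giving a new starter everything in one go and revoking access as soon as they leave, as an added example that is not from the article, Dundee City Council or IBM. It uses the ActiveDirectory PowerShell module, which post-dates the Windows Scripting Host era the article describes and is assumed to be installed; the OU names, UPN suffix, group names and the starter list are constructed placeholders.

```powershell
# Added example, not from the article: scripted user take-on and leaver handling with the
# ActiveDirectory PowerShell module. Assumes the module is installed, the caller can create
# users in $StarterOu and move them to $LeaverOu, and the groups in the sample data exist.
Import-Module ActiveDirectory

$StarterOu = 'OU=Staff,DC=example,DC=local'     # placeholder OU
$LeaverOu  = 'OU=Leavers,DC=example,DC=local'   # placeholder OU
$UpnSuffix = 'example.local'                     # placeholder UPN suffix

$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
function Get-RandomIndex([int]$Max) {
    # Unbiased index from the OS CSPRNG (Get-Random is not a cryptographic generator).
    $b = New-Object byte[] 4
    $limit = [uint64]4294967296 - (4294967296 % $Max)
    do { $rng.GetBytes($b); $v = [BitConverter]::ToUInt32($b, 0) } while ($v -ge $limit)
    return [int]($v % $Max)
}

function New-InitialPassword {
    # Throwaway first password: the account is created disabled and the user must change it at
    # first logon. One character from each class so the default complexity rules are met.
    $sets = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnpqrstuvwxyz', '23456789', '!#$%&*+-=?@'
    $chars = @(foreach ($set in $sets) { $set[(Get-RandomIndex $set.Length)] })
    $all = -join $sets
    $chars += @(1..16 | ForEach-Object { $all[(Get-RandomIndex $all.Length)] })
    ConvertTo-SecureString (-join ($chars | Sort-Object { Get-RandomIndex 1000000 })) -AsPlainText -Force
}

function Add-Starter {
    param([string]$GivenName, [string]$Surname, [string]$SamAccountName,
          [string]$Department, [string[]]$Groups)
    # Idempotent: re-running a batch must not fail on accounts that already exist.
    if (Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'") {
        Write-Warning "$SamAccountName already exists; skipping"
        return
    }
    New-ADUser -Name "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
        -SamAccountName $SamAccountName -UserPrincipalName "$SamAccountName@$UpnSuffix" `
        -Department $Department -Path $StarterOu `
        -AccountPassword (New-InitialPassword) -ChangePasswordAtLogon $true `
        -Enabled $false   # enable on the start date with Enable-ADAccount
    foreach ($g in $Groups) { Add-ADGroupMember -Identity $g -Members $SamAccountName }
}

function Disable-Leaver {
    param([string]$SamAccountName)
    # Revoke access at once: disable, strip group memberships (the primary group is not listed
    # in MemberOf and stays), record the date, and park the object in the leavers OU.
    $user = Get-ADUser $SamAccountName -Properties MemberOf, Description
    Disable-ADAccount -Identity $user
    foreach ($g in $user.MemberOf) { Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false }
    Set-ADUser -Identity $user -Description "Leaver $(Get-Date -Format yyyy-MM-dd); was: $($user.Description)"
    Move-ADObject -Identity $user -TargetPath $LeaverOu
}

# Constructed sample batch; in practice this would be Import-Csv over an HR export.
$starters = @'
GivenName,Surname,SamAccountName,Department,Groups
Alice,Example,aexample,Finance,GG-Finance-Users;GG-All-Staff
Bob,Sample,bsample,IT,GG-IT-Users;GG-All-Staff
'@ | ConvertFrom-Csv

foreach ($s in $starters) {
    Add-Starter -GivenName $s.GivenName -Surname $s.Surname -SamAccountName $s.SamAccountName `
        -Department $s.Department -Groups ($s.Groups -split ';')
}
```

Accounts are created disabled and enabled on the start date, so a mistake in the HR feed does not hand out a working logon, and Disable-Leaver removes group memberships rather than only disabling the account, which matters if the object is later re-enabled by accident.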

"I usually rely on Technet, but the answer was never there," agrees Rose, "so it always meant a support call to Microsoft." He added that NTL's answer was to buy in AD-specific tools from FastLane Technologies to help the process. "I dread to think how migration would have gone without them," Rose adds.

FastLane managing director Richard Mosely says organisations will face problems long before installation. A major issue is that many do not know what systems they have installed and where, so it is essential to start with an audit.

"We set out a five-step methodology: planning, consolidation of domains and hardware, migration, clean-up, and ongoing administration," Mosely explains. "The planning stage is probably half of the total.

"The biggest challenge is the question, 'what have I got and how on earth can I get to Active Directory?' so we have a reporting tool, called DM/Reports, to go and find what is out there on the network. For many organisations, it is a shock in terms of what information comes back - the number of accounts, where the users are, what rights they have and so on."

Not only can there be non-Windows systems out there, such as Unix or Netware, which will need to be ported into AD, but some NT servers will not have the hardware resources to run Windows 2000. And the migration has to be done while retaining security and without shutting down the existing environment.

Other issues will surface once the migration is over, says FastLane systems engineer Sanjeev Kamboj. "Active Directory has no good monitoring and warning tools to say if a fileserver is about to run out of disc space," he says.

"The whole delegation model is built around organisational units - holding areas. It is difficult to see what is in a unit unless you go and look there. So you need a tool to see security roles without clicking all the way down through the tree.

"And the basic security model is so secure that you do not know who has what rights and where. The delegation model makes it hard to assign rights rather than group policies, so you could end up writing a lot of group policies," adds Kamboj.

FastLane's solution is to add tools that take facts and store them within AD, showing users' delegated rights and how they got them.
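The visibility problem Kamboj describes, as an added example that is not FastLane's tool or anything from the article: a PowerShell report of rights delegated on each organisational unit, with inherited entries traced back to the container where they were set. It assumes the ActiveDirectory PowerShell module (RSAT, later than the Windows 2000 tooling of the article) is installed and the caller can read the OUs' security descriptors; the list of built-in principals to hide is an assumption to adjust per domain.

```powershell
# Added example, not from the article or from FastLane: list rights delegated on organisational
# units without clicking down through the tree. Assumes the ActiveDirectory PowerShell module
# is installed and the caller can read the OUs' security descriptors.
Import-Module ActiveDirectory

# Principals that hold rights on every container by design; hidden so that delegation to
# ordinary users and groups stands out. The list is an assumption; extend it for your domain.
$defaultPrincipals = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'Everyone',
    'BUILTIN\Administrators', 'BUILTIN\Pre-Windows 2000 Compatible Access'
)
$defaultGroupPattern = '\\(Domain Admins|Enterprise Admins|Schema Admins|Account Operators)$'

function Get-ParentDn([string]$Dn) {
    # Drop the first RDN ("OU=Sales,") to get the parent container. Escaped commas inside an
    # RDN are not handled, which is fine for a typical OU tree.
    return ($Dn -replace '^[^,]+,', '')
}

function Find-AceSource([string]$Dn, $Ace) {
    # Walk up the tree to the container where an inherited entry was actually set, so the
    # report can answer "how did this principal get this right here?".
    $parent = Get-ParentDn $Dn
    while ($true) {
        $hit = (Get-Acl -Path ("AD:\" + $parent)).Access | Where-Object {
            -not $_.IsInherited -and
            $_.IdentityReference.Value -eq $Ace.IdentityReference.Value -and
            $_.ActiveDirectoryRights -eq $Ace.ActiveDirectoryRights -and
            $_.ObjectType -eq $Ace.ObjectType -and
            $_.AccessControlType -eq $Ace.AccessControlType
        }
        if ($hit) { return $parent }
        if ($parent -match '^DC=') { return '(not found)' }   # domain root reached
        $parent = Get-ParentDn $parent
    }
}

function Get-OuDelegation {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [switch]$IncludeInherited   # also report rights flowing down from a parent, with their source
    )
    foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited -and -not $IncludeInherited) { continue }
            $who = $ace.IdentityReference.Value
            if ($defaultPrincipals -contains $who -or $who -match $defaultGroupPattern) { continue }
            # An all-zero ObjectType means the right covers every attribute and class; any other
            # GUID identifies one attribute, class or extended right in the schema.
            $scope = if ($ace.ObjectType -eq [guid]::Empty) { 'All' } else { $ace.ObjectType.ToString() }
            $setOn = if ($ace.IsInherited) { Find-AceSource $ou.DistinguishedName $ace } else { 'this OU' }
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Principal = $who
                Type      = $ace.AccessControlType
                Rights    = $ace.ActiveDirectoryRights
                Scope     = $scope
                AppliesTo = $ace.InheritanceType
                SetOn     = $setOn
            }
        }
    }
}

# Usage: direct delegations only, grouped by the principal that received them.
Get-OuDelegation | Sort-Object Principal, OU | Format-Table -AutoSize
```

Run with -IncludeInherited to see the full picture at one OU, including which ancestor each inherited entry came from; the direct-only view is the one to review periodically, since every delegation in the domain was set somewhere in that list.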

"Management rights are domain-based, so if the domain controller goes down you cannot do any admin until it comes back up," Kamboj explains. "But we hold things in AD so we are not dependent on the domain controller."

AD offers advantages over the NT domain model, but it introduces new problems and dependencies, and implementation requires planning and forethought. Because AD is integral to Windows 2000, those problems have to be overcome - but the learning curve can be steep.

On the positive side, many of the skills AD requires are the same as those needed for other ambitious directory systems. AD is not the only directory solution, and directories can be useful for other reasons besides Windows 2000 management.

What is a directory?
A directory is a database used to store information about certain objects, in the same way a telephone directory stores information about subscribers or a file directory holds knowledge about files.

In a public or private distributed computer network, such objects might include printers, fax servers, applications, databases and other users. Users want to find these objects and use them and administrators want to manage them.

The terms directory and directory service are sometimes used interchangeably, but a directory service differs from a directory because it is both the information source and the services that make the information available and usable.

Alternatives to Active Directory
The best-known competitor of Active Directory is the Novell Directory Service (NDS), but desktop and server management is not the only area where directories are becoming important.

Increasingly, companies are looking to directories to solve problems in areas such as customer relationship management, e-commerce and security.

"We split the market into four areas," says Brian Green, product manager responsible for directory services at Novell. "Those are: network management; providing a directory service for application suppliers to write to for policy and profile-based management; a metadirectory to link directories, business processes and databases; and, in the e-business space, to categorise customers and create the profile that gives them access to different applications."

Green claims that the far greater maturity of NDS gives it significant advantages, one being its ability to embrace NT, Netware, Linux, Solaris and Compaq's Tru64, as well as Windows 2000, and another being scalability. "Microsoft says the maximum number of users per group is 5,000, which is a severe limitation for Internet applications," Green says.

"We have demonstrated a Sun box with one billion users arranged in four organisational units of 250 million each. AD supports the ability to nest groups, which gets it past the 5,000 limit, but then every desktop and server has to be Windows 2000. We can deliver the same benefits on NT with Zenworks."

With Microsoft mainly competing in the network and desktop management areas, other competitors see big opportunities in the metadirectory market, where multiple directory services must work together, making use of the industry standard Lightweight Directory Access Protocol (LDAP).

"Microsoft appears to be focusing initially on taking over the Novell installed base," says Stephen Borcich, vice president and general manager for directory and security products at iPlanet, the collaborative organisation formed by Sun and Netscape. "That has led Microsoft to develop a product that does not move well into other areas.

"We have a customer who has to have Active Directory for Windows 2000 deployment but does not want to deploy it over the enterprise. So he can have a single LDAP that pulls information from AD and other directories. Another customer uses Windows 2000 but wants password synchronisation across its applications so it built a metadirectory to link AD and LDAP."

AD's lack of scalability is another problem, says Karl Klessig, vice-president of business development at Critical Path, a directory developer whose Injoin metadirectory can propagate data from one directory, database or application to others.

"We scale to 10 or 20 million objects - Active Directory is in the range of 50,000 to 100,000," Klessig explains. "As you get into the connected world, those numbers add up quickly. For example, in a bank it is not just the customers; every account is a separate object too.

"We have built and deployed a metadirectory product, but in reality it is a join engine that works with directories such as AD, iPlanet and us. It does not synchronise, it joins directories and forms relationships. For example, it takes HR information and updates NT, Notes and so on. It is a fairly complex process because information is stored differently in each system, but it is important."
