Keeping an eye on directory services
By Brian Robinson
May 23, 1999
As federal agencies' networks have grown larger and more complex, the need for tools to manage them has become urgent.
A key development in network management has been the rise of enterprise-level directory services, which have garnered much interest following Microsoft Corp.'s development of its next-generation Windows NT product, Windows 2000.
Set for release this year, Windows 2000 will include Active Directory as an integral component, representing Microsoft's answer to the demand for directory services.
A directory basically is an address book that ties down the location of such things as files, printers and applications that reside on the network. Such a directory is relatively easy to maintain for a small network, but it can become unwieldy for a network that includes thousands of users and devices. And as organizations find different uses for their networks, the number of directories that must be managed has steadily grown, creating an administrative tangle.
The introduction of the Internet, with its promise of extensive intranets and extranets, has dramatically complicated the situation.
The new crop of directory services, including Active Directory, aims to put a cap on the administrative effort needed for these extended networks by coordinating management of the directories at a single point. All of the directories on the network can be viewed and manipulated on one screen through the same interface.
Novell Inc., which controls most of the directory services market with its Novell Directory Services solution, pre-empted Microsoft's play by announcing this month the release of NDS Version 8. Capable of storing at least 1 billion network objects, it is the flagship of Novell's directory-centered business strategy.
"We are going from a time when directory services were a nice thing to have to where they are becoming essential," said Samm DiStasio, director of marketing for directory products at Novell.
Novell hopes the scalability of NDS 8 will move it out of the local-area network space into the high-end enterprise market. According to DiStasio, the most important thing is not that NDS 8 can store a billion objects but that performance is not affected as it scales.
"For directory searches between 100 million and 1 billion records, the performance stays the same," he said. "And that's a significant factor for such things as electronic commerce because, usually, the higher the capacity of a search, the slower the performance."
NDS also is the only directory services product that supports a wide range of platforms. NDS 8 for Sun Microsystems Inc.'s Solaris operating system and NDS 8 for Windows NT are in development, and NDS 8 for Active Directory will be delivered at a later date.
Eyes on Active Directory
Despite NDS' attributes, Microsoft and Active Directory are catching a lot of the early attention. With Windows NT increasingly taking up much of the networking space in federal agencies, particularly in the military, the chance to move to Active Directory's hierarchical scheme is proving attractive.
The Navy's Atlantic Fleet, the Marine Corps and the Army are planning this kind of migration, as are civilian agencies such as the Social Security Administration and the Agriculture Department.
"Manageability was a big requirement of our users," said Lance Horne, senior technology specialist at Microsoft Federal. "The distributed directory provided by Active Directory gives the user the ability to perform a granular level of administration. And that in turn enables distributed directory-enabled applications, group policy management, better application deployment and so on. And all of that leads to a lower total cost of operation."
Windows NT's traditional directory system works by creating domains for each functional area of an organization: one for accounting, another for resources and so on. However, each domain has to be administered separately. So if users want access to several domains, they need a separate ID for each. In large networks with many domains, this becomes a nightmare. It also becomes difficult to provide more granular control by splitting domains into segments so that control can be delivered at a more local level on the network.
Active Directory, which is in its third beta version, aims to solve these problems by putting all domains under the control of a single administrator using hierarchical trees in which each network resource can be addressed individually.
Active Directory is compatible with the Domain Name System to allow organizations to translate network domains into Internet Protocol addresses. It also supports the Lightweight Directory Access Protocol, a standard protocol for accessing information directories. Active Directory will use a directory synchronization manager so that it can work in mixed environments with NDS, Solaris and others. In addition, it incorporates such features as public-key infrastructure and enterprise policy-level management for security.
Active Directory's major drawback is that it will not be commercially available until later this year.
To help prepare agencies that are planning to move to Active Directory, several companies are providing products that construct Active Directory-like hierarchy schemes with current Windows NT networks so that users can learn how to manipulate directories this way. When users finally migrate to Active Directory, the system they have set up will more or less map directly to Active Directory's structure.
The Social Security Administration, for example, is planning to consolidate its 10 Windows NT domains and has evaluated Arlington, Va.-based Entevo Corp.'s DirectManage suite to aid in this effort. Eventually, SSA will migrate all its user names and passwords to Active Directory.
"We use Microsoft's Active Directory Service Interfaces to get access to the current version of NT and Novell's NetWare," said Dale Gardner, director of product marketing for Entevo. "We'll also use it to access Active Directory when it rolls out."
Wright-Patterson Air Force Base, Ohio, is using Enterprise Administrator, a similar product from Houston-based Mission Critical Software Inc., to organize its Windows NT domains, although the base has no timetable to migrate to Active Directory.
"We are using Enterprise Administrator to cut the central accounts domain into smaller chunks," said Jim Wrench, computer specialist with the 88th Communications Group at the base. "It means [managers] don't have to see all of the 10,000 or so people in the domain. They can just see those they are interested in."
Wrench said directory services will become more important as base operations are consolidated into a corporate network. "For example, we have people who move around the base all of the time and end up with three or four different e-mail accounts," he said. "With directory services, they need just one mailbox that can move with them."
Although the base's Microsoft Exchange program controls many of these issues, Active Directory will make management much easier.
FastLane Technologies Inc., Halifax, Ontario, Canada, also offers an Active Directory upgrade service using products that consolidate Windows NT 4.0 environments and move them directly to Active Directory or incrementally migrate users into an Active Directory structure while also maintaining a fully operational Windows NT 4.0 network as backup.
Keith Millar, product manager for FastLane, believes that most organizations will opt for the incremental approach because they will be nervous about moving their operations completely into a new, untried environment. Although organizations with mixed networking environments, such as with Windows NT and NetWare, may want to move wholly to Windows 2000, dissimilar operating systems and their related directories will coexist for some time, Millar said.
Banyan Systems Inc., whose VINES operating system holds a sizable share of the government networking market, already has a mature directory service for VINES with its StreetTalk product. But Banyan struck a deal with Microsoft at the beginning of the year to increase interoperability of the two companies' products, including moving from VINES and StreetTalk to Windows 2000 and Active Directory. The company also will provide support for migration to NetWare and NDS.
"We told our installed base that they would have a choice," said Scott Silk, vice president of marketing and business development at Banyan. "We would support them as Banyan, they could co-exist, or they could migrate off Banyan. We made it plain to them that we are not walking away from VINES, and we will continue to develop and support StreetTalk."
Silk did concede that StreetTalk eventually may disappear. "But that will be some years down the road," he said.
An Uncertain Future
It remains to be seen whether Microsoft and Active Directory will be the front-runner in the directory services arena. Dan Kuznetsky, director of operating environments for market researcher International Data Corp., sees the federal government moving toward Windows NT, though with some trepidation.
"People say they are uncomfortable with the fact that the current version of NT is not that reliable, interoperable or scalable," he said.
Kuznetsky said Active Directory will be a successful product because of Windows NT's popularity. But he added that Novell, with its true cross-platform product in NDS, "has a window of opportunity to exploit its strength in directory services."
It is difficult to gauge the government's overall demand for the newer set of directory services. Most agencies have been dealing with directories for some time, although their focus has been on increasing the performance of applications, particularly e-mail. The National Oceanic and Atmospheric Administration, for example, four years ago began to combine directories for five e-mail systems into one based on Unix using Control Data Systems Inc.'s X.500 directory services standard.
"We have looked at both Active Directory and NDS," said Rob Swisher, chief of NOAA's computer division and acting director of the Information Services Office. "But we believe the Control Data mail hub acting as a unified directory is very effective, as it also allows our various operating units to retain their independent networks."
FastLane Technologies' Millar said the real advances will come when users begin to link directories. "People are just beginning to realize how powerful that can be," he said.
-- Robinson is a free-lance journalist based in Portland, Ore. He can be reached at firstname.lastname@example.org.
AT A GLANCE
* Status: Interest in directory services is growing, with the expected release of Microsoft Corp.'s Active Directory and recent announcements related to Novell Inc.'s Novell Directory Services Version 8. These systems coordinate management of the directories at a single point and allow managers to view and manipulate them on one screen through the same interface.
* Issues: Active Directory, part of the forthcoming Windows 2000 release, has been released only in beta versions, so it is unclear whether it can live up to its promise. Observers expect that many users will operate in environments that mix operating systems and their associated directories for months before moving completely to Windows 2000.
* Outlook: Uncertain. NDS 8 has made a strong showing among commercial users, and it is uncertain whether Active Directory will be able to grab the market away. Many questions about Active Directory will remain unanswered until the release of Windows 2000.