The pursuit of the single platform is a minefield, yet it cannot be beaten as the
lowest cost of ownership solution. As we all know by now, the most important innovation in
Windows 2000 is the Active Directory. A directory is a database that contains information
about all the resources in a network and is extensible. In other words applications can
store information within the directory by adding new object types or properties. In this
way a directory can be a true data repository for all applications.
The problem is that organisations already have applications with some directory
capabilities. For instance, human resource systems contain information about employees and
their details, the NOS contains details about the users logon ID, the email system
contains information about users. In a mixed environment this now raises the question of
integration or migration. There are several tools that give the ability to affect either
solution. The question of which path to choose is based on the current installation
platform, applications, business processes, the current skill set and the cost of
selecting either path. Each of these solutions and the tools available need to be examined
to allow the choice.
Integration
Integration has several choices, one is to use directory synchronisation and the second is
to use a meta-directory. Novell’s stance has been that everyone has multiple
platforms. The company has completed a version of NDS that can reside on top of a Windows
NT-based system as well as another for the Solaris version of Unix from Sun Microsystems.
It also has plans to integrate with IBM’s OS/390 mainframe software, a Unix version
by HP and a Linux offering from Caldera. The concept is the platform is the
customer’s choice but the management capability comes from NDS. If the customer has
more than one directory then Novell is touting DIRXML as the solution. The Burton Group
which specialises in Meta-directories believes that, "Companies can’t replace
email directories, ERP systems, and other applications and services that include their own
directories overnight, for example. And most companies will never replace some
directories. There will also continue to be geo-political issues in many large enterprises
that make it necessary to operate multiple Network Operating Systems, or to manage
different instances of the same NOS. "
The meta-directory
The meta-directory provides the foundation for interoperable, distributed computing. The
term ‘meta-directory services’ is a label for a class of enterprise directory
tools that integrate existing, or ‘disconnected’, directories by addressing both
the technical and political problems inherent in any large scale directory integration
project. The meta-directory is a central service that automatically collects directory
data from other ‘connected’ directories or from direct entry, integrates all or
part of that information, enables it to be pruned and reshaped, and makes it as accessible
as required. The meta-directory may reside entirely on one server or be distributed over
many servers in many locations, yet still presents a single seamless view of its total
contents to users. The meta-directory and the connected directories are kept synchronised,
with new or revised entries in one directory automatically reflected in the other. The
meta-directory can also keep different connected directories in synchronisation with each
other by disseminating all or any part of its total collected information to a particular
connected directory even if it did not originate there.
Technically, meta-directory services consolidate subsets of the information in multiple
directories, including data on people, groups, roles, Organisational Units, locations, and
other resources. If Internet/intranet, proprietary email, and other directories can
be said to contain information about only "some people somewhere,"
the meta-directory is capable of containing information about "everybody (or
everything) everywhere." This consolidation creates a ‘join’, or
unified view, of the different directories in an organisation. Meta-directory services
also allow specific people and groups within an organisation to maintain ownership of that
information, reducing political as well technical problems. Meta-directory services give
organisations the flexibility to push and pull data to and from a variety of sources,
supporting both centralised and decentralised control within a unified directory
infrastructure.
Every company is different, but a meta-directory scenario in use at many companies today
involves centralised registration of NOS accounts, synchronisation of email addresses,
publication of people data through LDAP servers, and attributing synchronisation with
telephone directories, human resources (HR) systems and access management systems such as
firewalls or authorisation servers. An emerging scenario is one in which a meta-directory
links DEN-compliant (Directory Enabled Networks), policy-based network access and routing
controls with the user account information in a NOS directory, such as NDS or Active
Directory.
The meta-directory can contain much more information about any real-world objects. Those
objects may be:
- physical, such as people or printers
- conceptual, such as organisations or departments
- geographic, such as countries or cities
- data, such as document files – including World Wide Web HTML documents for on-line
viewing
Meta-directories have the benefit of being able manage a variety of directories, taking
data from sources such as Notes, Exchange, and Active Directory and proving a single
management point for all information from these sources.
DirXML
Novell’s DirXML is a solution that uses custom replicas to extend NDS replication to
applications, databases, operating systems, or other data stores. For example, a Notes
custom replica would serve as the connector between a Lotus Notes database and NDS. This
means the application directory has guaranteed delivery of all changes in NDS and changes
that are made to the application directories will propagate back to NDS as replication
events, providing a fully bi-directional replication solution. This will provide some real
advantages for companies with NDS experience; for example, using DirXML companies can
populate a variety of databases and applications from a single directory and a single
administrative console. Novell DirXML is based on open standards (LDAP, XML, XSL, and
DSML), also DirXML, supports other directories and meta-directory solutions-like Zoomit,
Isocor and Active Directory.
Microsoft has also joined the meta-directory war, in July 1999 Microsoft acquired ZOOMIT
Corporation, one of the industry’s leading provider of meta-directory products.
Microsoft intends to integrate ZOOMIT’s technologies with the Microsoft Active
Directory service of the Microsoft Windows 2000 Server operating system.
Zoomit
Zoomit VIA currently provides directory synchronisation and integration between Microsoft
Exchange and other systems such as Lotus Notes and cc:Mail, Novell NDS and NetWare,
Netscape Directory Server, Novell GroupWise, Global MHS, Banyan VINES and more. Zoomit VIA
delivers a mechanism to flexibly integrate diverse directories into a single
meta-directory. This not only provides unified management and access for directory
services, but also security (e.g., single sign-on), account management, services (e.g.,
DNS), etc.
VIA
2.1, originally expected for release next year, is being made available immediately
through Microsoft Consulting Services and other trained Microsoft service providers. One
of the criticisms that can be aimed at the Microsoft/Zoomit solution is neither Zoomit nor
AD can be run on anything other than Windows. However, that may not be a problem in
companies where their only platform is Windows.
Microsoft Directory Synchronisation Services
Microsoft Directory Synchronisation Services (MSDSS) is now in beta, this is a technology
which provides for the two-way synchronisation of directory information stored in the
Windows 2000 Active Directory and Novell’s Directory Service (NDS). MSDSS also
synchronises directory information stored in Active Directory with all versions of Novell
bindery directory services on a one-way basis, providing a complete directory
interoperability solution between Novell’s NDS and bindery directory services with
Windows 2000 Active Directory.
Two-way directory synchronisation means that information stored in one directory is also
automatically and identically stored in the other directory – preserving the
integrity of data in both directories. Administrators can make password changes in Active
Directory and propagate the password change to NDS rather than having to manually change
the password in both directories. Customers can synchronise directory information, in
either directory, at a timing of their choice to optimise the trade-off between the
network traffic caused by synchronisation and update latency.
The final choice may be to simply to standardise on Microsoft everywhere and have only one
directory. In which case the choice is migration.
Migration Tools
There are a wide variety of migration tools. There is a migration tool that ships with
Windows 2000 which only migrates and consolidates Windows NT to Windows 2000. This tool
has been licensed from Mission Critical which supplies a richer feature set in the full
product and also a NetWare to Windows 2000 migration tool. Microsoft is working with
FastLane to also produce a migration tool but this is currently unavailable and the
Mission Critical tool is tried and tested. This utility non-destructively migrates both
NetWare binderies and NetWare Domain Services (NDS) into an off-line database, and permits
administrators to model the account information before committing it to Active Directory.
Departments can be migrated container by container. The data is first sent to an offline
database where changes can be made. A trial migration supports comprehensive error logging
so that changes can be made before the real migration takes place. Changes are
non-destructive so the NetWare accounts can remain in place.
Sushi Nair works for Advanced Computer Group. She would like to thank David Hooper and
Peter Ferry at Microsoft and Brian Green from Novell for their help in compiling this
article.
