.

Grab a free Comcat catalogue today, covering RAS, FAX, CTI and KVM.  Catalogues that educate and help you evaluate.

 


Features - March 2000 - United front
Sushi Nair explains how to create integration rather than disintegration and illustrates the tools and choices available.
.

house
[an error occurred while processing this directive]

The pursuit of the single platform is a minefield, yet it cannot be beaten as the lowest cost of ownership solution. As we all know by now, the most important innovation in Windows 2000 is the Active Directory. A directory is a database that contains information about all the resources in a network and is extensible. In other words applications can store information within the directory by adding new object types or properties. In this way a directory can be a true data repository for all applications.

The problem is that organisations already have applications with some directory capabilities. For instance, human resource systems contain information about employees and their details, the NOS contains details about the users logon ID, the email system contains information about users. In a mixed environment this now raises the question of integration or migration. There are several tools that give the ability to affect either solution. The question of which path to choose is based on the current installation platform, applications, business processes, the current skill set and the cost of selecting either path. Each of these solutions and the tools available need to be examined to allow the choice.

Integration


Integration has several choices, one is to use directory synchronisation and the second is to use a meta-directory. Novell’s stance has been that everyone has multiple platforms. The company has completed a version of NDS that can reside on top of a Windows NT-based system as well as another for the Solaris version of Unix from Sun Microsystems. It also has plans to integrate with IBM’s OS/390 mainframe software, a Unix version by HP and a Linux offering from Caldera. The concept is the platform is the customer’s choice but the management capability comes from NDS. If the customer has more than one directory then Novell is touting DIRXML as the solution. The Burton Group which specialises in Meta-directories believes that, "Companies can’t replace email directories, ERP systems, and other applications and services that include their own directories overnight, for example. And most companies will never replace some directories. There will also continue to be geo-political issues in many large enterprises that make it necessary to operate multiple Network Operating Systems, or to manage different instances of the same NOS. "

The meta-directory

The meta-directory provides the foundation for interoperable, distributed computing. The term ‘meta-directory services’ is a label for a class of enterprise directory tools that integrate existing, or ‘disconnected’, directories by addressing both the technical and political problems inherent in any large scale directory integration project. The meta-directory is a central service that automatically collects directory data from other ‘connected’ directories or from direct entry, integrates all or part of that information, enables it to be pruned and reshaped, and makes it as accessible as required. The meta-directory may reside entirely on one server or be distributed over many servers in many locations, yet still presents a single seamless view of its total contents to users. The meta-directory and the connected directories are kept synchronised, with new or revised entries in one directory automatically reflected in the other. The meta-directory can also keep different connected directories in synchronisation with each other by disseminating all or any part of its total collected information to a particular connected directory even if it did not originate there.

Technically, meta-directory services consolidate subsets of the information in multiple directories, including data on people, groups, roles, Organisational Units, locations, and other resources. If Internet/intranet, proprietary email, and other directories can be said to contain information about only "some people somewhere," the meta-directory is capable of containing information about "everybody (or everything) everywhere." This consolidation creates a ‘join’, or unified view, of the different directories in an organisation. Meta-directory services also allow specific people and groups within an organisation to maintain ownership of that information, reducing political as well technical problems. Meta-directory services give organisations the flexibility to push and pull data to and from a variety of sources, supporting both centralised and decentralised control within a unified directory infrastructure.

Every company is different, but a meta-directory scenario in use at many companies today involves centralised registration of NOS accounts, synchronisation of email addresses, publication of people data through LDAP servers, and attributing synchronisation with telephone directories, human resources (HR) systems and access management systems such as firewalls or authorisation servers. An emerging scenario is one in which a meta-directory links DEN-compliant (Directory Enabled Networks), policy-based network access and routing controls with the user account information in a NOS directory, such as NDS or Active Directory.

The meta-directory can contain much more information about any real-world objects. Those objects may be:

  • physical, such as people or printers
  • conceptual, such as organisations or departments
  • geographic, such as countries or cities
  • data, such as document files – including World Wide Web HTML documents for on-line viewing

Meta-directories have the benefit of being able manage a variety of directories, taking data from sources such as Notes, Exchange, and Active Directory and proving a single management point for all information from these sources.

DirXML


Novell’s DirXML is a solution that uses custom replicas to extend NDS replication to applications, databases, operating systems, or other data stores. For example, a Notes custom replica would serve as the connector between a Lotus Notes database and NDS. This means the application directory has guaranteed delivery of all changes in NDS and changes that are made to the application directories will propagate back to NDS as replication events, providing a fully bi-directional replication solution. This will provide some real advantages for companies with NDS experience; for example, using DirXML companies can populate a variety of databases and applications from a single directory and a single administrative console. Novell DirXML is based on open standards (LDAP, XML, XSL, and DSML), also DirXML, supports other directories and meta-directory solutions-like Zoomit, Isocor and Active Directory.

Microsoft has also joined the meta-directory war, in July 1999 Microsoft acquired ZOOMIT Corporation, one of the industry’s leading provider of meta-directory products. Microsoft intends to integrate ZOOMIT’s technologies with the Microsoft Active Directory service of the Microsoft Windows 2000 Server operating system.

Zoomit


Zoomit VIA currently provides directory synchronisation and integration between Microsoft Exchange and other systems such as Lotus Notes and cc:Mail, Novell NDS and NetWare, Netscape Directory Server, Novell GroupWise, Global MHS, Banyan VINES and more. Zoomit VIA delivers a mechanism to flexibly integrate diverse directories into a single meta-directory. This not only provides unified management and access for directory services, but also security (e.g., single sign-on), account management, services (e.g., DNS), etc.

The meta directoryVIA 2.1, originally expected for release next year, is being made available immediately through Microsoft Consulting Services and other trained Microsoft service providers. One of the criticisms that can be aimed at the Microsoft/Zoomit solution is neither Zoomit nor AD can be run on anything other than Windows. However, that may not be a problem in companies where their only platform is Windows.

Microsoft Directory Synchronisation Services


Microsoft Directory Synchronisation Services (MSDSS) is now in beta, this is a technology which provides for the two-way synchronisation of directory information stored in the Windows 2000 Active Directory and Novell’s Directory Service (NDS). MSDSS also synchronises directory information stored in Active Directory with all versions of Novell bindery directory services on a one-way basis, providing a complete directory interoperability solution between Novell’s NDS and bindery directory services with Windows 2000 Active Directory.

Two-way directory synchronisation means that information stored in one directory is also automatically and identically stored in the other directory – preserving the integrity of data in both directories. Administrators can make password changes in Active Directory and propagate the password change to NDS rather than having to manually change the password in both directories. Customers can synchronise directory information, in either directory, at a timing of their choice to optimise the trade-off between the network traffic caused by synchronisation and update latency.

The final choice may be to simply to standardise on Microsoft everywhere and have only one directory. In which case the choice is migration.

Migration Tools


There are a wide variety of migration tools. There is a migration tool that ships with Windows 2000 which only migrates and consolidates Windows NT to Windows 2000. This tool has been licensed from Mission Critical which supplies a richer feature set in the full product and also a NetWare to Windows 2000 migration tool. Microsoft is working with FastLane to also produce a migration tool but this is currently unavailable and the Mission Critical tool is tried and tested. This utility non-destructively migrates both NetWare binderies and NetWare Domain Services (NDS) into an off-line database, and permits administrators to model the account information before committing it to Active Directory.

Departments can be migrated container by container. The data is first sent to an offline database where changes can be made. A trial migration supports comprehensive error logging so that changes can be made before the real migration takes place. Changes are non-destructive so the NetWare accounts can remain in place.

Sushi Nair works for Advanced Computer Group. She would like to thank David Hooper and Peter Ferry at Microsoft and Brian Green from Novell for their help in compiling this article.

[an error occurred while processing this directive]