Remember when NT 3.5 first emerged against Novell
NetWare 3.x? With an NT Domain, administrators finally had the ability to centrally manage user accounts and
groups across their network from a single server, with none of this password
synchronisation.
Meanwhile, Novell wasn't resting on its laurels and, having looked closely at Banyan,
it produced Novell NetWare version 4 with NDS, Novell's Directory
Service. Suddenly the ante was upped and, until the advent of Windows 2000, an
NT Domain could not compete with NDS for enterprise manageability and scalability. Why
were Novell system managers so keen on a directory service? Using a directory service
enabled them to have more users, centrally managed, plus scalability and resilience by
using a multi-master model, unlike the NT Domain Single Master model. In an NT Domain,
only the Primary Domain Controller (PDC) has a write-enabled copy of the user database, so
when the PDC is offline, no Domain management can take place.
One stop shop
Objects such as printers and computers could be placed in the directory and back office
applications configured to access the directory; so an email system could use the same
data as an organisation's phone book. This creates a single location to
update information, with changes propagated across the organisation to all directory-aware
applications. In developing Windows 2000, Microsoft is giving its user
community the power of a directory service. Based around X.500 and fully LDAP compliant,
Windows 2000 Active Directory (AD) provides services that Novell administrators have
enjoyed for a number of years, but with several important benefits, such as a single
secure sign-on via the Unique Principal Name (UPN).
In a large NT 4 enterprise, there are usually multiple domains to span the political,
organic or geographic growth of an enterprise. Domains are created to delegate
administration, reduce replication traffic or accommodate company mergers and
acquisitions. Now with AD it is possible to rationalise a cumbersome domain structure with
a fully relational, hierarchical namespace model (as opposed to the flat NT 3.x/4.x
namespace). Using AD, administrators can delegate any amount of departmental
responsibility. For example: if Finance users are always forgetting their passwords,
delegated administration through AD can allow the Finance Manager to reset his
department's user passwords without having access to any of the other user
attributes. This delegated administration is a direct benefit of the hierarchical
namespace.
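One way to set up the Finance delegation described above, using the dsacls tool from the Windows Support Tools run from PowerShell. This is an added example and not from the original article; the domain, OU path and group name are assumptions.

```powershell
# Added example (not from the original article). Assumes a domain example.com
# with an OU named Finance and a delegate group EXAMPLE\Finance-PasswordAdmins.
$ou    = "OU=Finance,DC=example,DC=com"
$group = "EXAMPLE\Finance-PasswordAdmins"

# Grant only the "Reset Password" control-access right (CA) on user objects
# below the OU, inherited to sub-objects (/I:S). No other user attribute is granted.
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"

# Also allow read/write of pwdLastSet so the delegate can force
# "user must change password at next logon" after a reset.
dsacls $ou /I:S /G "${group}:RPWP;pwdLastSet;user"

# Verify: dump the OU's ACL and show only the entries for the delegated group.
dsacls $ou | Select-String -SimpleMatch $group
```

Running dsacls with just the OU path lists the full ACL, which is the check to repeat after any later change to confirm the delegate still holds only these two rights.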
Sign of the times
Another new AD feature is the single secure sign-on, UPN. Using the NT 4 multiple domain
model, if users move from one location to another, they need to change the domain they
logon to and then be authenticated against that domain. Using a UPN in Windows 2000, the
user can have a single sign-on wherever they logon in the organisation. A UPN looks very
similar to an email address (which users always seem to remember unlike passwords),
and takes the form username@admin_defined_suffix. An administrator can
define a number of UPNs for their enterprise. The user enters the UPN into the logon box
of their Windows 2000 Professional or Terminal Services client and authentication against
their context is set and access to resources defined, without them even knowing about it.
As BackOffice systems such as Lotus Notes, SAP, Peoplesoft and Exchange 2000 take
advantage of the directory, administrators of these systems will no longer have to manage
separate logon IDs, passwords and duplicate usernames. More importantly, if any employee
leaves a company, disabling their account in the directory disables them from every system
that is aware of the directory, and potentially, even building security systems.
The Active Directory is much more than a place to store usernames and groups. It is a tool
that enables enterprises to integrate systems together, sharing information and resources,
setting security, distributing software and maintaining a consistent desktop image via
Group Policy.