Directories are branching out

Now you've got to determine whether Microsoft's ADS or Novell's NDS will be integrated with your enterprise.
By Gary Rowe and Daniel Blum

With Microsoft Corp.'s Active Directory Services (ADS) becoming closer to reality, it's time to assess your directory strategy. There's a lot at stake, given that directories are becoming an ever more important network linchpin, weaving their tentacles into everything from e-mail systems to net management tools. With proper planning, the next generation of standards-based directories could significantly ease your administrative burden.

The directories of the future will benefit end users, too. Along with enabling file and print services, these rich information repositories will let users consult "white pages," view employees by department, or browse for information about resources such as printers, scanners or conference rooms. Workers will be able to use public-key certificates stored in the directory to handle encrypted or digitally signed documents in e-mail, browsers and groupware or workflow applications.

The tough part will be integrating an enterprise directory with your heterogeneous network. Both Microsoft and Novell, Inc. are promising to deliver tools that integrate their respective directories with either IntranetWare or NT LANs, not to mention the rest of your enterprise. There's likewise a crew of third-party vendors hawking metadirectories, software that integrates multiple directories.

NDS comes closest to meeting directory services needs because it already supports multiple server views, multiple data types, multiple operating system platforms and the Lightweight Directory Access Protocol (LDAP). NT directories are quite limited, however, by a cumbersome access control approach based on a flat domain namespace, lack of support for LDAP, a limited set of data types and an inability to operate across platforms. ADS will eventually provide capabilities similar to NDS's, but Microsoft only plans to implement it on NT.

Of course, ADS and NDS aren't alone on the playing field.
Many third-party developers are joining the fray by providing metadirectories or enterprise directory services that leverage existing network operating system (NOS) directories. Whatever you choose, remember that it can be risky to rely on a sole vendor. Reduce that risk by continuing to demand standards support.

NT Server of today and tomorrow

Microsoft's marketing muscle has helped propel NT Server into the spotlight. As low-cost NT application servers proliferate and third-party application support for NT swells, the NT 3.51 and 4.0 directories are gaining lots of visibility. But users don't necessarily like what they see in NT's domain structure.

Administrators create, delete and update domain user IDs and resource entries, with a limited set of fields, via NT User Manager. Administrators designate one server as the primary domain controller, which holds the master copy of the domain's account database, and others as backup domain controllers, which receive replicated copies; servers in the domain also advertise themselves in a browse list. Whenever users or applications access an NT server-based resource, such as a printer, the server's security subsystem consults a domain controller, whose Security Account Manager (SAM) database holds the domain's accounts, to see if that access is allowed.

Cross-domain trust relationships let one domain controller talk to a controller in another domain. Through trust relationships, for example, a user in Domain 1 could obtain rights to access resources in Domain 2. However, Domain 2 would first have to trust Domain 1, and that user would have to be granted rights in Domain 2. If multiple Domain 1 users were given Domain 2 access, they could be collected in a "global group" in Domain 1 and that group added to the list of authorized users for Domain 2. Keep in mind that NT trusts are one-way and non-transitive: Domain 3 trusting Domain 2 gives Domain 1 users nothing in Domain 3 unless Domain 3 also trusts Domain 1 directly, so a fully connected enterprise needs a separate trust for every ordered pair of domains.

The NT server directory doesn't span domains, so there's no single point of administration for the enterprise as a whole. However, you can implement a single NT network logon for the enterprise if you set up trust relationships among all your NT domains.
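The trust and group rules just described, as an added illustration that is not code from the article or from Microsoft: a small Python model of NT 4-style domains in which a resource domain accepts a user only if it directly trusts the user's home domain, and only then checks the user's account and global-group names against the resource's access list. It goes slightly beyond the text by treating trusts as one-way and non-transitive, which is how NT 4 trusts behave; all domain, user, group and resource names are made up.

```python
"""NT 4-style domain trust and group-based access check.

Added illustration, not code from the article or from Microsoft. Accounts
and global groups live in their home domain's SAM database, a one-way
trust lets the trusting domain grant rights to accounts and global groups
of the trusted domain, and each resource carries a list of authorized
principals. Trusts are modelled as one-way and non-transitive (how NT 4
trusts actually behave, a fact the article does not spell out). All
domain, user, group and resource names are made up.
"""
from dataclasses import dataclass, field


@dataclass
class Domain:
    name: str
    users: set = field(default_factory=set)
    global_groups: dict = field(default_factory=dict)   # group -> set of local users
    trusted: set = field(default_factory=set)           # domains this domain trusts
    acls: dict = field(default_factory=dict)            # resource -> set of "DOM\\principal"


class Network:
    def __init__(self):
        self.domains = {}

    def add_domain(self, name):
        self.domains[name] = Domain(name)
        return self.domains[name]

    def add_trust(self, trusting, trusted):
        """One-way trust: `trusting` accepts principals authenticated by `trusted`."""
        self.domains[trusting].trusted.add(trusted)

    def principals(self, domain, user):
        """The account itself plus every global group of its home domain that
        contains it. Global groups only hold accounts from their own domain,
        so no other domain is consulted."""
        d = self.domains[domain]
        if user not in d.users:
            return set()
        names = {f"{domain}\\{user}"}
        names |= {f"{domain}\\{g}" for g, members in d.global_groups.items() if user in members}
        return names

    def can_access(self, user_domain, user, res_domain, resource):
        """Return (allowed, reason). Order mirrors the domain controller: the
        account must come from a domain the resource domain trusts (or the
        resource domain itself); only then is the access list consulted."""
        res = self.domains[res_domain]
        if user_domain != res_domain and user_domain not in res.trusted:
            return False, f"{res_domain} does not trust {user_domain}"
        names = self.principals(user_domain, user)
        if not names:
            return False, f"no account {user_domain}\\{user}"
        hits = names & res.acls.get(resource, set())
        if hits:
            return True, "granted via " + ", ".join(sorted(hits))
        return False, "not on access list"


def build_demo():
    """Constructed three-domain network: DOMAIN2 trusts DOMAIN1, DOMAIN3 trusts DOMAIN2 only."""
    net = Network()
    d1, d2, d3 = (net.add_domain(n) for n in ("DOMAIN1", "DOMAIN2", "DOMAIN3"))
    d1.users |= {"alice", "bob"}
    d1.global_groups["Engineers"] = {"alice"}
    d2.users.add("carol")
    net.add_trust("DOMAIN2", "DOMAIN1")
    net.add_trust("DOMAIN3", "DOMAIN2")
    d2.acls["LaserPrinter"] = {"DOMAIN1\\Engineers", "DOMAIN2\\carol"}
    d1.acls["SourceShare"] = {"DOMAIN2\\carol"}       # listed, but DOMAIN1 trusts nobody
    d3.acls["Plotter"] = {"DOMAIN1\\Engineers"}         # listed, but trust is not transitive
    return net


if __name__ == "__main__":
    net = build_demo()
    for args in [("DOMAIN1", "alice", "DOMAIN2", "LaserPrinter"),
                 ("DOMAIN1", "bob", "DOMAIN2", "LaserPrinter"),
                 ("DOMAIN2", "carol", "DOMAIN1", "SourceShare"),
                 ("DOMAIN1", "alice", "DOMAIN3", "Plotter")]:
        print(args, net.can_access(*args))
```

The last two cases are the ones that bite in practice: an entry on a resource's access list is worthless until the resource's domain trusts the account's domain directly, which is why "trust relationships among all your NT domains" means one trust per direction per pair.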
"The domain relationships in NT are a nightmare as soon as you go into a multiserver environment," says Chris Meyers, a senior systems analyst at James Moore and Co., a technology consulting company in Gainesville, Fla.

It's been tough to implement enterprise networks with NT directories, but Microsoft aims to ease the process with ADS. Scheduled for beta release to selected partners and independent software vendors at the Microsoft Professional Developers Conference in San Diego this month, ADS will be contained in NT 5.0 when it ships next year. The key development objectives for ADS are to provide a single point of administration across an enterprise, single network logon to any network service and directory integration with server applications. This release will be particularly important to NT users because ADS is Microsoft's first enterprise-class directory service.

"The Active Directory will deliver support for millions of objects and a very efficient multimaster replication model for replicating data," says Jeff Price, Microsoft's NT Server product manager in Redmond, Wash.

Narrowing in on NDS

Maybe so. But despite the increasing popularity of NT as an application server, NetWare continues to dominate the NOS market. Part of NetWare 4.X and IntranetWare, NDS is backward-compatible with NetWare 3.X via bindery emulation. However, users have been fairly slow to move to NetWare 4.X and NDS, largely because of the complexity of planning enterprise directories.

NDS is evolving from its proprietary background to embrace standards. For instance, the schema supports a hierarchical, server-spanning namespace based on the X.500 model. Novell also recently added LDAP support to NDS. Multiple-server support allows the NDS directory to be partitioned across multiple servers while appearing as a single enterprise directory tree. Managers can replicate the partitions from server to server to improve performance and availability.
Users and administrators can access the enterprise directory from any client workstation as long as they have the appropriate rights.

Novell wants to establish NDS as the industry de facto standard for network directory services that can run over NetWare, NT and Unix. The vendor started this initiative by giving away NDS and charging for support. Michael Simpson, Novell's director of directory services in Provo, Utah, says, "We are in the business of commoditizing directory services because our business is directory-based services - things that are built on top of the directory, just like the NOS was dependent upon a physical network being there." One example of a directory-based service, he says, is Novell's new BorderManager firewall suite.

Novell is bundling NDS with key operating systems and has already forged relationships with The Santa Cruz Operation, Inc. and IBM. In addition, Novell will bundle NDS with every HP-UX box sold by Hewlett-Packard Co. starting later this year. It also has signed an agreement to put NDS on top of Solaris. A bundling announcement with Fujitsu Ltd. is pending, and Novell has inked a deal with Oracle Corp. to integrate NDS into Oracle databases on the aforementioned platforms, which represent 77% of all shipping Unix servers, according to Novell. This will let mixed NetWare and Unix environments support single logon and reduce administration costs. NDS/NetWare users will be preauthenticated for Oracle database access, and NDS-defined groups can be configured to access specific Oracle databases. This is accomplished through NWAdmin, which will track an Oracle object and control it the same as it would any other NDS object.

Novell will port NDS to NT with the release of NDS for NT, scheduled to ship by year-end. Native NT support is important because it enables NDS to directly support Oracle and other NT-based applications, such as Microsoft Exchange and SQL Server.
And on the Internet front, Novell will integrate NDS with Netscape Communications Corp.'s SuiteSpot servers and expects to be the first to support the Java Naming and Directory Interface. It also plans to support integration with Microsoft's ADS when it becomes available. NDS will transform into a true NOS-independent intranet directory when Novell releases its Java-based management console, code-named Houston, in the first half of 1998.

Tying it all together

Chances are, you'll end up with a mix of NT and IntranetWare LANs. There are some tools that facilitate their coexistence from a directory perspective.

Microsoft's Client and Gateway Services for NetWare utility was upgraded with NT 4.0 to support browsing of NDS resources, NDS authentication and NDS printing. The vendor also offers Directory Service Manager for NetWare, a tool that provides some central management of NetWare servers using the Windows NT Directory Service. However, this facility only works with the NetWare bindery - that is, NetWare 2.X and 3.X.

Although it offers far less interoperability than the forthcoming NDS for NT port, Novell's Administrator for NT tool extends NDS-based administration services to the NT domain and provides a migration path to NDS. Novell Administrator for NT is a snap-in for NWAdmin that allows NetWare administrators to centrally manage NT users and groups. The product also includes an integration utility that makes NDS the master repository for all NT SAM user and group information.

Novell's and Microsoft's interoperability products are limited, but provide some cross-vendor integration. The key problem is they both require the prime owner of information to be their respective directory service. This creates challenges in scalability, management, access control, replication and data integrity when large populations of NDS and NT Directory Services objects are present. Suppose, for example, a company has two large operating units that use NDS and ADS.
Neither operating unit wants to be the subservient directory that passes primary administrative responsibility to the other. Global directory changes can't be easily implemented, nor is all data accessible across the directory environments. If your environment is primarily based on NT or NetWare, then Microsoft's or Novell's integration products will work, but if you have large populations of both NOSes, these tools aren't the best solution. Instead, look to a number of third-party solutions that leverage NDS and NT directory services.

For instance, a small company called NetVision, Inc. makes a product called Synchronicity for NT Server 1.1. Synchronicity includes an agent that runs on an NT Server, a NetWare Loadable Module for NetWare and a snap-in for NWAdmin. The net result is a product that supports both NT and NDS users. It provides synchronization support for NDS, NT (SAM), Lotus Development Corp.'s Notes Name and Address Book and the NetWare 3.X bindery. Synchronicity allows an administrator to change, add or delete NT users or groups from the standard Novell NWAdmin utility using NDS as the central repository. Chad Latimer, NetVision's vice president of sales, says Synchronicity's bidirectional support sets it apart from Microsoft's and Novell's offerings and allows updates to originate on NT or NDS. Key Synchronicity users include Chase Manhattan Corp., Rolex and Knight-Ridder Information, Inc.

Banyan Systems, Inc. is another NOS directory player that has been following a strategy similar to Novell's in championing its Universal StreetTalk directory. StreetTalk for Windows NT can help with the cross-system management of StreetTalk and NT directories.

Netscape has done the most to proactively implement LDAP and other Internet standards for directories. Netscape views the NOS and NOS directories as obsolete concepts that will be supplanted by intranets and LDAP-based directory services.
Netscape's LDAP-based Directory Server and Certificate Server products integrate the management of all its SuiteSpot servers, and this consistency is of considerable benefit to heavy Netscape users. However, there's still a lot of "obsolete" NOS infrastructure around that isn't owned by Netscape. In fact, Netscape isn't positioning itself as a metadirectory vendor that can work with legacy environments. And while Netscape may become an important player in corporate directory environments, it usually won't assume the enterprise directory function. But vendors such as Zoomit Corp. are offering metadirectory and network management products that leverage multiple directories, integrate them to achieve interoperability or consolidate them into a single repository.

Net management directories

Network management products also can use or provide directory services. Enterprise management vendors such as Computer Associates International, Inc., plan to fully leverage NDS and NT directories. T.M. Ravi, CA's vice president of marketing, describes the directory as "the key repository for critical information to be managed by our Unicenter TNG offering."

While Unicenter TNG is CA's flagship end-to-end management product, its Cheyenne division's product, DS Standard, provides the view into NDS today and ADS in the future. DS Standard for Windows NT provides snapshots of NT directories that can be used to model mass changes, support disaster recovery or verify the tree structure. It also will be compatible with NDS.

Systems management giant Tivoli Systems, Inc., also is jumping into the cross-NOS arena. The Tivoli Management Environment (TME) platform for NT can manage Windows NT registry, NDS and Unix accounts from a single console. It also integrates the management of user information from Oracle, Sybase, Inc., SQL Server and Informix Software, Inc. databases.

Watch for increasing integration between the foundation network vendors and the NOS directory.
This trend was recently brought to light by the strategic agreement between Microsoft and Cisco Systems, Inc. Microsoft will extend the ADS schema to accommodate the network components supported by Cisco. The vendors also have agreed upon a replication scheme, and Cisco plans to port ADS to Unix environments.

3Com Corp. plans to build network control software into end systems and routers that will query LDAP directories for access control and policy rulings covering authentication, prioritization and bandwidth reservation. 3Com's TranscendWare will offer tools to set network security policy. TranscendWare will be designed to work with the Microsoft/Cisco schema or to install schema dynamically using advanced LDAP Version 3 capabilities when they are available. Lionel Gibbons, director of TranscendWare product management in San Diego, says, "We don't dictate to our customers what they have to put in their network, we mean to work with all of them."

While initial efforts may look remedial, the path being carved by 3Com, Cisco, Microsoft and others is heading in the right direction. The directory will serve as the matchmaker between users, machines, applications and the network. IP addresses issued by Dynamic Host Configuration Protocol servers, user IDs issued by administrators, and resources available to users and applications will all be stored in the same repository. In the world of fully network-enabled computing, the user will not need to know where network services are before accessing them, or what's going on behind the scenes to make it all happen.

How to proceed

OK, so how do you get to this directory nirvana? Your best choices will be determined by your network enterprise strategy.

NT users face multiple dilemmas. Implementing NT domains is administratively expensive, but the only alternatives are to deploy a third-party product or hold off on heavy-duty intranet building until NDS for NT or ADS arrive.
NDS is becoming an enterprise-level NOS-based directory, and it will run on NT well before ADS is available. Its strong, mature and user-friendly X.500-like hierarchical structure supports multiple object types and attributes. But many NetWare users need NT as an application server, and NDS for NT is unproven. In addition, some users who have not yet migrated to NDS are concerned about the business risks of gambling on Novell given the vendor's recent profitability problems.

While ADS promises to combine much of the functionality of NDS with the marketing power and leverage only Microsoft can provide, those with an immediate need shouldn't bank on an undelivered product. Microsoft hasn't announced a firm release date; even after it does, remember the company is prone to schedule slips. You won't be able to deploy ADS without also rolling out all of NT 5.0, says Martin Waterhouse, senior directory technologist at Chevron Corp. in San Ramon, Calif. "We're not as bullish about Microsoft Active Directory [Services] as Microsoft would want us to be. To move to ADS we would need to have a new supporting infrastructure." Chevron, a major Microsoft NT and Exchange user, is piloting a metadirectory from Control Data Systems, Inc.

"ADS is very interesting, but we won't move from NDS for at least two years," says John Osterman, director of networking technology at BankBoston, N.A.

Despite these cautions, ADS and Microsoft's developer following will make a big impact. ADS may or may not have a future as your enterprise directory, but the odds are it will become an important part of your environment. Be sure to earmark part of your budget for evaluating and testing ADS once the NT 5.0 beta is available.

If you have a strategic commitment to Novell, finish deploying NDS throughout your NetWare environment, pilot Novell's Administrator for NT and be prepared to test-drive NDS for NT once it's available.
Use Synchronicity or a similar product to ease the short-term pain, if necessary. If your company wants to aggressively integrate e-mail, NOS and human resources applications through LDAP, consider a metadirectory product from Control Data Systems, WorldTalk Corp. or Zoomit Corp. Durwin Sharp, electronic commerce adviser at Exxon Corp. in Houston, characterizes metadirectories as the "bridge to provide NT 5 directories in the current environment." Exxon has a growing base of NT systems and multiple legacy directory environments. Although the company is moving toward metadirectories, Sharp also says "Microsoft's ADS will clearly be a part of anyone's directory that has a major NT server component."

If your goal is to manage mainframe-based applications and client/server Unix applications along with the NOS, then consider using Tivoli Systems, Inc. Whatever product you choose, plan on sticking with it for a few years. While ADS and other products will have LDAP and an X.500 schema in common, there will still be significant migration issues to address.
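The synchronization problem raised under "Tying it all together" and revisited in the recommendations above, as an added illustration that is not NetVision's, Zoomit's or any other vendor's code: a bidirectional, attribute-level synchronizer between two directory stores. Single-master tools force one directory to own every record; this model instead assigns each attribute an authoritative owner, pushes one-sided changes across, lets the owner win when both sides changed, and refuses to propagate deletions so that a mistaken delete cannot cascade. It assumes each record carries a per-attribute modification timestamp and that a join key exists on both sides; store names, the ownership policy and the sample records are constructed.

```python
"""Attribute-level metadirectory synchronization between two directories.

Added illustration, not any vendor's code. Each store is modelled as
{join_key: {attribute: (value, modified_at)}}. A per-attribute owner
breaks ties when both sides changed the same attribute since the last
run; a change that loses is logged rather than silently discarded. An
account present on one side only is provisioned on the other and never
deleted. Store names, owners and sample records are made up.
"""
import copy


def sync(stores, owner, last_sync):
    """Reconcile two stores keyed by a join attribute.

    stores: {"NDS": {...}, "SAM": {...}}, each {join_key: {attr: (value, mtime)}}.
    owner:  {attr: store_name} naming which side wins when both changed an attr.
    last_sync: timestamp of the previous run; any mtime above it is a new change.
    Returns (new_stores, log); the input dicts are left untouched."""
    out = copy.deepcopy(stores)
    log = []
    (a, sa), (b, sb) = stores.items()               # exactly two stores
    for key in sorted(set(sa) | set(sb)):
        ra, rb = sa.get(key), sb.get(key)
        if ra is None or rb is None:                 # one side only: provision it,
            src, dst = (a, b) if rb is None else (b, a)   # never delete the other
            out[dst][key] = copy.deepcopy(stores[src][key])
            log.append(("create", key, f"{src}->{dst}"))
            continue
        for attr in sorted(set(ra) | set(rb)):
            va, ta = ra.get(attr, (None, 0))
            vb, tb = rb.get(attr, (None, 0))
            if va == vb:
                continue
            ca, cb = ta > last_sync, tb > last_sync  # changed since the last run?
            if ca and cb:                            # both changed: owner wins
                win = owner.get(attr, a)             # unowned attrs default to the first store
                lose = b if win == a else a
                out[lose][key][attr] = stores[win][key][attr]
                log.append(("conflict", key, attr, f"{win} wins, {lose} value dropped"))
            elif ca or cb:                           # one side changed: push it across
                src, dst = (a, b) if ca else (b, a)
                out[dst][key][attr] = stores[src][key][attr]
                log.append(("update", key, attr, f"{src}->{dst}"))
            else:                                    # drifted before last sync: no winner
                log.append(("stale-mismatch", key, attr, "needs manual review"))
    return out, log


def build_demo():
    """Constructed sample data; the previous sync ran at t=100."""
    nds = {
        "jsmith": {"fullName": ("Jane Smith", 50), "department": ("Eng", 150), "telephone": ("x1234", 50)},
        "rlee": {"fullName": ("Rob Lee", 50), "department": ("Ops", 50)},
        "pkim": {"fullName": ("Pat Kim", 130), "department": ("Eng", 130)},
    }
    sam = {
        "jsmith": {"fullName": ("Jane Smith-Doe", 140), "department": ("Sales", 160), "telephone": ("x1234", 50)},
        "rlee": {"fullName": ("Robert Lee", 60), "department": ("Ops", 50)},
        "tnguyen": {"fullName": ("Tam Nguyen", 120), "department": ("Fin", 120)},
    }
    # Authoritative-source policy (assumed): NDS owns department, fed from HR
    # on that side; SAM owns the display name, which the help desk edits there.
    owner = {"department": "NDS", "fullName": "SAM"}
    return {"NDS": nds, "SAM": sam}, owner, 100


if __name__ == "__main__":
    stores, owner, last = build_demo()
    merged, log = sync(stores, owner, last)
    for entry in log:
        print(entry)
```

The "stale-mismatch" outcome is the one to watch: two copies that disagree but were both last touched before the previous run mean an earlier sync was skipped or partially applied, and no timestamp rule can say which value is right, so the record is flagged for a person rather than guessed at.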