Microsoft adding critical function to Active Directory

Next version of Active Directory will allow extensions in the schema to be deleted.



To answer IT executives' demands for advanced features in Active Directory, Microsoft is enhancing its single highest administrative privilege so users can better manage the directory.

With the Beta 3 version of Windows 2002 Server, set for release later this year, Microsoft will introduce the ability to delete objects and attributes from the directory. The feature, called Schema Delete, is not in Beta 2, released in March, but is scheduled to be included in Windows 2002 when it ships early next year.

The news comes on the heels of Microsoft's announcement that it is starting to enable Active Directory for use on the Web.

IT executives have been clamoring for the ability to "delete schema" - that is, to delete object definitions from the directory's schema. This would help to eliminate clutter from the directory and make it possible to completely uninstall directory-enabled applications. "We're trying to keep our directory data as clean as possible, and when schema delete is available we'll use it to clean up even further," said a directory administrator from a Fortune 500 company who requested anonymity.

The schema is the heart of the directory. It defines the objects in Active Directory and the attributes associated with those objects. Objects represent users and applications, and they are made up of a set of attributes, such as user name, address and phone number.

But modifying the schema can be tricky. It is the most guarded administrative privilege in the directory - because if done incorrectly it can disable a server or an entire network.

"Schema delete has become the poster child for why Active Directory is not as good as Novell," says John Enck, an analyst with the Gartner Group. "Most of us will say it should have been in there in the first place." But Enck says it is better late than never.

Novell's eDirectory and iPlanet's Directory Server 5.0, which shipped Thursday, allow users to delete schema.

The ability to eliminate irrelevant schema extensions is important as more applications become directory-enabled.

Each time an application is added to the directory, it potentially can modify, or extend, the schema. For example, Microsoft's Exchange 2000 messaging server makes some 1,200 schema modifications when it is installed.

But when applications are uninstalled, their schema modifications remain in the directory as excess baggage. The leftover schema extensions can clog replication and cause crippling problems.

Active Directory currently allows users to "retire" schema, which means the definitions are not replicated, but remain in the directory.
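The article describes the problem of leftover schema extensions and the "retire" option in prose only. The following script is an added example, not something from the article or from Microsoft, showing how an administrator can inventory which schema classes and attributes were added by applications (as opposed to shipping with the base schema) and which of them have already been retired. It assumes the ActiveDirectory PowerShell module on a domain-joined machine with read access to the schema naming context; the base-schema check relies on the FLAG_SCHEMA_BASE_OBJECT bit (0x10) of systemFlags, and the retired state on the isDefunct attribute.

```powershell
# Added example (not from the article): inventory schema extensions that
# applications or administrators added to Active Directory, and report
# which of them have already been retired (marked defunct).
# Assumptions: ActiveDirectory PowerShell module is installed, and the
# session can read the schema naming context of the forest.
Import-Module ActiveDirectory

# Schema objects shipped with the base schema carry this bit in systemFlags;
# anything without it was added later (by Exchange, other products or staff).
$FLAG_SCHEMA_BASE_OBJECT = 0x10

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Every class and attribute definition lives directly under the schema container.
$definitions = Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
    -LDAPFilter '(|(objectClass=classSchema)(objectClass=attributeSchema))' `
    -Properties lDAPDisplayName, systemFlags, isDefunct, whenCreated

# Keep only the definitions that are not part of the base schema.
$extensions = $definitions | Where-Object {
    -not ([int]$_.systemFlags -band $FLAG_SCHEMA_BASE_OBJECT)
}

# whenCreated groups extensions by the install that introduced them, which is
# usually enough to tell which (possibly uninstalled) application they belong to.
$report = $extensions |
    Sort-Object whenCreated |
    Select-Object @{ n = 'Name';     e = { $_.lDAPDisplayName } },
                  @{ n = 'Kind';     e = { $_.ObjectClass } },
                  @{ n = 'Added';    e = { $_.whenCreated } },
                  @{ n = 'Retired';  e = { $_.isDefunct -eq $true } }

$report | Format-Table -AutoSize

$retired = @($report | Where-Object { $_.Retired }).Count
Write-Host ("{0} schema extensions found, {1} already retired (isDefunct)." -f $report.Count, $retired)
```

The script only reads the schema. Retiring a definition is a separate, deliberate step: it is done by setting isDefunct on the schema object, requires Schema Admins membership and is performed against the schema master, so it belongs in a change window rather than in an inventory script.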

"Once you add schema you are stuck with them," says Jamie Lewis, president of The Burton Group. "You don't want to have a lot of schema to wade through. If you replace a schema for a user, for instance, you don't want developers using the old schema that is not supported." Lewis says it is all about "managing, keeping things clean and not having to live with schema changes the rest of your life."

Changing the schema is a task best left to the most experienced administrators. But Microsoft says it is a task with value.

"Customers were saying once they added an application to Active Directory they could not roll back," says Peter Houston, group program manager for Active Directory. "There was a fear factor about adding schema [extensions], and some customers were delaying rollouts of new applications."

Microsoft is adding another feature in Active Directory that also should help with management. Windows 2002 will feature Cross-Forest Trust, which allows separate directory forests to talk to one another. For example, a user authenticated in one forest can be authorized to use resources from another forest. Previously, forests could not communicate, and Microsoft recommended users deploy only a single forest.

"Users with good centralized control will use a single forest, but decentralized corporations might look to multiple forests as a boundary for administration," Houston says.

But he warned that the feature is not a license to create 30 forests. "The goal is to minimize the number, but it's not just one anymore. You don't need to beat your head against the wall to get to one," Houston says.

In addition, shortly after Windows 2002 ships, Microsoft will launch Version 3.0 of Microsoft Meta-directory Services (MMS), which will replace the Zoomit Directory with Active Directory.

MMS is the descendant of technology Microsoft purchased from Zoomit in 1999. The Active Directory store will allow enterprises to have a single repository for their enterprise directory and metadirectory.

Copyright, 1994-2006 Network World, Inc. All rights reserved.