NT 5.0's Directories In Action

We're getting closer to the release of Windows NT 5.0. Currently, the speculation is that the software will be released in the second half of 1999. As we get closer, I'll spend more time discussing the new features and suggesting ways to take advantage of those features.

Microsoft's Active Directory is an effort to integrate any and all directory services into a single unified system. It's a grand scheme to bring together all possible directory services, such as e-mail address books, Internet domain names and operating system security databases. Active Directory tries to reduce the amount of time spent creating and maintaining the various directories on your network and to provide a set of tools to communicate with other directories. At the heart of Active Directory is the Domain Name System (DNS).

DNS is the Internet's primary directory service, easing communication between connected computers by turning user-friendly names such as www.hppro.com into the corresponding IP address. It's a very scalable directory service that is small enough to manage a few computers efficiently, but can (and does) support the entire Internet namespace.

Scaling The Branches

The key to this scalability is a hierarchical tree structure. The structure distributes the directory service among multiple servers, each responsible for a particular portion of the namespace. This means that the DNS server responsible for hppro.com doesn't have to store every name and address on the Internet. It only needs to know the addresses of the computers in the hppro.com domain and the location of the root servers, which can refer queries about everything else to the servers that do hold the answer. Organizations that wish to provide DNS information to the Internet are required to run at least two DNS servers for their domain. This provides redundancy in case the primary DNS server fails.
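The delegation described above, as an added worked model that is not code from the article: each server knows only its own zone plus referrals to the servers beneath it, and an iterative resolver walks down from the root. The zones, host addresses and server names are constructed for the illustration, and the `down` set simulates unreachable servers to show what the two-server rule buys.

```python
# Toy model of DNS delegation. Each server holds only its own zone plus
# referrals ("glue") to the servers for the zones below it, and an iterative
# resolver walks down the tree from the root. All names, addresses and
# server sets below are constructed for the illustration.

# Zone data: records a server is authoritative for, plus NS referrals.
ZONES = {
    ".": {"ns": {"com": ["a.gtld.example", "b.gtld.example"]}, "hosts": {}},
    "com": {"ns": {"hppro.com": ["ns1.hppro.com", "ns2.hppro.com"]}, "hosts": {}},
    "hppro.com": {"ns": {}, "hosts": {"www.hppro.com": "192.0.2.10",
                                      "mail.hppro.com": "192.0.2.25"}},
}
# Which zone each (constructed) server answers for.
SERVER_ZONE = {
    "root-a": ".", "root-b": ".",
    "a.gtld.example": "com", "b.gtld.example": "com",
    "ns1.hppro.com": "hppro.com", "ns2.hppro.com": "hppro.com",
}
ROOT_SERVERS = ["root-a", "root-b"]


def ask(server, qname, down):
    """One query to one server: ('answer', ip), ('referral', [servers]) or
    ('nxdomain', None). Raises ConnectionError if the server is in `down`."""
    if server in down:
        raise ConnectionError(server)
    zone = ZONES[SERVER_ZONE[server]]
    if qname in zone["hosts"]:
        return "answer", zone["hosts"][qname]
    # Refer to the longest delegated child zone that the name falls under.
    best = None
    for child in zone["ns"]:
        if qname == child or qname.endswith("." + child):
            if best is None or len(child) > len(best):
                best = child
    if best is not None:
        return "referral", zone["ns"][best]
    return "nxdomain", None


def resolve(qname, down=frozenset(), max_hops=8):
    """Iterative resolution: start at the root, follow referrals downward,
    and fall back to the next server in a set when one is unreachable.
    Returns (ip_or_None, list_of_servers_contacted)."""
    candidates = list(ROOT_SERVERS)
    path = []
    for _ in range(max_hops):
        for server in candidates:
            try:
                kind, data = ask(server, qname, down)
            except ConnectionError:
                path.append(server + "(down)")
                continue
            path.append(server)
            if kind == "answer":
                return data, path
            if kind == "nxdomain":
                return None, path
            candidates = data      # referral: descend one level
            break
        else:
            return None, path      # every server for this zone is unreachable
    return None, path


if __name__ == "__main__":
    print(resolve("www.hppro.com"))
    print(resolve("www.hppro.com", down={"ns1.hppro.com"}))
    print(resolve("www.hppro.com", down={"ns1.hppro.com", "ns2.hppro.com"}))
```

With ns1.hppro.com down the resolver silently moves on to ns2.hppro.com; with both down, the hppro.com names become unresolvable even though the root and .com servers are perfectly healthy, which is the failure the at-least-two-servers requirement is meant to prevent.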

Contrast the DNS model with the domain model currently used by Windows NT. NT domains are directories used primarily to manage user security. Each domain has one Primary Domain Controller (PDC) that holds the master, writable copy of the Security Accounts Manager (SAM), a database kept as a registry hive rather than as a plain file. The SAM contains all the information about the domain: basic user information such as account names, password hashes (the passwords themselves are not stored) and group memberships, plus the list of computers that are members of the domain. Having all this information in a single location helps ease management. However, it also means a single point of failure, a potential performance bottleneck and a single high-value target, since anyone who can read the PDC's SAM holds every account's password hash.

Backup Stackup

Backup Domain Controllers (BDCs) alleviate some of these problems by storing read-only copies of the SAM. A computer logging on to the network can be validated by any BDC, easing some of the validation burden. However, a BDC can't perform all PDC functions and doesn't completely eliminate the single point of failure. Because the BDC's copy is read-only, if the PDC is down you may not be able to change a user's group memberships. And BDCs do not automatically become PDCs: if the PDC is down, you must manually promote a BDC to take over. (This is actually a good idea. Envision a WAN with a PDC in Chicago and BDCs in New York and LA. If the WAN went down and promotion were automatic, both New York and LA would promote themselves, and when the WAN came back up you would have three PDCs and a large mess.) What's worse, if you wish to have a regular member server become a domain controller, you have to reinstall NT.

NT domains are also not particularly scalable. Per Microsoft's guidelines, domains are generally limited to about 26,000 users and 250 groups. This limitation may require multiple domains for a single large organization, which in turn requires establishing trust relationships. Using a trust relationship, a trusting domain allows users from a trusted domain access to its resources. NT trusts are one-way, so two domains that must trust each other need two of them, and trust relationships can become very complicated very quickly, requiring a lot of maintenance. For instance, if you have four domains completely trusting each other, you need to establish 4 x 3 = 12 trust relationships.

With Active Directory, the concepts of primary and backup domain controllers and hand-maintained trust relationships go away. Under Active Directory, there are only domain controllers.

Directory Service, Please

To make an NT Server computer a domain controller, you need only install and start the Directory Service; no reinstallation of the operating system is required. Each and every domain controller can accept updates to all the directory data, eliminating the problems of a down PDC. Domain controllers discover other domain controllers on the network, and a technique called multimaster replication propagates changes to the other controllers. Each change in a directory on a domain controller is given an Update Sequence Number (USN), which works something like a time stamp: a replication partner remembers the highest USN it has already received from each controller and asks only for changes above that number. One caveat: because each controller numbers its own changes, USNs from two different controllers cannot be compared directly. When the same attribute has been changed on two controllers at the same time, the receiving controller still needs a rule (in the shipping design, a per-attribute version number and then the originating time stamp) to decide which write wins, and the losing write is discarded.
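The replication scheme just described, as an added worked model that is not code from the article or from Microsoft. Each controller numbers its own changes with a local USN and keeps a high-watermark table of what it has already pulled from each partner; the controller names, attribute names and shared fake clock are constructed, and the conflict rule (attribute version, then originating stamp, then originating controller name as a tie-break) is a deliberate simplification of what Active Directory actually does.

```python
# Toy multimaster replication between three domain controllers. Added
# illustration, not code from the article or from Microsoft. Each controller
# numbers its own changes with a local Update Sequence Number (USN) and keeps
# a high-watermark table of the highest USN already received from each
# partner, so a replication pass fetches only what it has not yet seen.
# Conflicts are settled by (attribute version, originating stamp, origin
# name): a constructed simplification of the real rule.
import itertools

_CLOCK = itertools.count(1)   # constructed stand-in for wall-clock time


class DomainController:
    def __init__(self, name):
        self.name = name
        self.usn = 0            # highest USN this controller has assigned
        self.data = {}          # attribute -> (value, version, stamp, origin)
        self.log = []           # (usn, attribute, value, version, stamp, origin)
        self.watermark = {}     # partner name -> highest partner USN applied

    def write(self, attr, value):
        """Originating write: any controller accepts it, no PDC required."""
        version = self.data[attr][1] + 1 if attr in self.data else 1
        self._store(attr, value, version, next(_CLOCK), self.name)

    def _store(self, attr, value, version, stamp, origin):
        self.usn += 1           # every stored change gets a fresh local USN
        self.data[attr] = (value, version, stamp, origin)
        self.log.append((self.usn, attr, value, version, stamp, origin))

    def changes_since(self, usn):
        return [entry for entry in self.log if entry[0] > usn]

    def pull_from(self, partner):
        """Apply the partner's changes above our watermark for it."""
        seen = self.watermark.get(partner.name, 0)
        for usn, attr, value, version, stamp, origin in partner.changes_since(seen):
            self.watermark[partner.name] = usn
            incoming = (version, stamp, origin)
            if attr in self.data and incoming <= self.data[attr][1:]:
                continue        # already have it, or our copy wins
            self._store(attr, value, version, stamp, origin)


def replicate_all(controllers, rounds=2):
    """Every controller pulls from every other; two rounds reach everyone here."""
    for _ in range(rounds):
        for src, dst in itertools.permutations(controllers, 2):
            dst.pull_from(src)


def converged(controllers):
    return all(c.data == controllers[0].data for c in controllers)


def split_brain_demo():
    """The WAN scenario from the text: one write before the split, two
    conflicting writes during it, reconciliation afterwards."""
    chicago, newyork, la = (DomainController(n) for n in ("chicago", "newyork", "la"))
    dcs = [chicago, newyork, la]
    chicago.write("cn=ryan,groups", "Domain Users")
    replicate_all(dcs)
    # WAN down: two admins change the same attribute on different controllers.
    newyork.write("cn=ryan,groups", "Domain Users;Administrators")
    la.write("cn=ryan,groups", "Domain Users;Finance")
    la.write("cn=ryan,phone", "555-0100")      # unrelated attribute, no conflict
    replicate_all(dcs)                         # WAN back up
    return dcs


if __name__ == "__main__":
    for dc in split_brain_demo():
        print(dc.name, dc.data)
```

After reconciliation all three controllers agree, but the New York administrator's change is gone: both writes carry version 2, so the later stamp (LA's) wins and "Administrators" is silently dropped from the group list. That lost update is the price of letting every controller accept writes, and it is worth remembering when a group-membership change you made seems to have vanished.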

Domain controllers have authority over a particular namespace, just like DNS servers. Active Directory domain names are Internet-style names, which simplifies naming. Currently NT domain names are limited to 15 alphanumeric characters (a NetBIOS name). Under Active Directory, domain names can be identical to Internet names; foo.com, for example, is a valid Active Directory domain name. Today an organization might have several domains such as Sales, Finance and Manufacturing, and to share resources, trust relationships would have to be established between them. Under Active Directory these domains become sales.foo.com, finance.foo.com and so on. The traditional hand-built trust relationships are no longer necessary because the domains now sit in one Active Directory hierarchy: each parent and child domain are joined by a trust that is created automatically when the child domain is added, and those trusts are transitive, so a user in sales.foo.com can be granted access to a resource in finance.foo.com without anyone setting up a trust between those two domains.
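The two trust models from the passages above (the fully meshed NT 4 trusts that cost 12 relationships for four domains, and the hierarchy in which sales.foo.com reaches finance.foo.com through their common parent), as an added worked example that is not code from the article. The domain tree is constructed, and the assumption is that every parent/child pair shares exactly one two-way trust.

```python
# Trust paths in a hierarchical namespace versus a mesh of explicit trusts.
# Added illustration; the domain names are constructed and the rule that
# every parent/child pair shares one two-way trust is the assumption.

# Constructed Active Directory tree: foo.com and the domains beneath it.
TREE = {
    "foo.com",
    "sales.foo.com", "finance.foo.com", "manufacturing.foo.com",
    "west.sales.foo.com",
}


def parent(domain, tree):
    """Nearest ancestor name that is itself a domain in the tree, or None."""
    labels = domain.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in tree:
            return candidate
    return None


def trust_path(src, dst, tree):
    """Chain of domains a logon from `src` crosses to reach a resource in
    `dst`: up to the common ancestor, then down. None if no common root."""
    up = []
    d = src
    while d is not None:
        up.append(d)
        d = parent(d, tree)
    down = []
    d = dst
    while d not in up:
        if d is None:
            return None         # different trees, no automatic trust
        down.append(d)
        d = parent(d, tree)
    return up[:up.index(d) + 1] + list(reversed(down))


def explicit_trusts(n_domains):
    """NT 4-style mesh: every ordered pair of domains needs its own one-way trust."""
    return n_domains * (n_domains - 1)


def hierarchical_trusts(tree):
    """Tree: one two-way trust per parent/child link, i.e. per non-root domain."""
    return sum(1 for d in tree if parent(d, tree) is not None)


if __name__ == "__main__":
    print(trust_path("sales.foo.com", "finance.foo.com", TREE))
    print(trust_path("west.sales.foo.com", "finance.foo.com", TREE))
    print(explicit_trusts(len(TREE)), "mesh trusts vs", hierarchical_trusts(TREE), "tree trusts")
```

The path for west.sales.foo.com to finance.foo.com is three hops long, which is also the practical caveat: a transitive trust means every domain on that path is trusted to vouch for the user, so a compromised controller anywhere along it can affect access in finance.foo.com.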

Finally, Active Directory is just bigger. It can support multiple directory stores in a hierarchy, and each store can hold 10 million objects. The data structures are based on the Exchange Server database structure, which is specifically designed to minimize the storage requirements of sparse objects. (Sparse objects may have many, many properties, but only a few of those properties have actual values.)

Active Directory should offer a lot of possibilities for organizations to simplify the management of their users' information.

Ryan Maley is a Microsoft Certified Systems Engineer and the information systems manager for a Midwestern manufacturing firm.