Active Directory vs. NDS

• 11/04/1998

For those of you who are working in a pure NT shop, Active Directory's eventual dominance is a foregone conclusion. Creating an NT 5 domain requires deploying it. But if you're in a mixed shop -- maybe, just maybe, you have some other directory services installed -- what should you do? In particular, what if you're one of the 40 million users today who relies on Novell Inc.'s Novell Directory Services (NDS)?

Windows NT 4 doesn't have much in the way of a real directory service, and so many mixed NT/NetWare environments have happily adopted NDS for NT. In this product, Novell installs a DLL on an NT 4 domain controller that intercepts the standard directory calls made by clients and routes them to NDS. NDS takes on the complete function of the simple NT 4 directory.

But with Active Directory, doing this gets much harder. For one thing, Active Directory provides a full-fledged directory service, one that's used for all kinds of things in the NT 5 environment. Novell asserts that NDS is a better technology, and given the years Novell has had to work on it, this claim may well be true. But ripping out and replacing the mortar of Active Directory while leaving all of NT's bricks standing is not an easy task. For NDS to support all the security services, administrative access points, and other externally visible interfaces that Active Directory provides, then to keep current with future Microsoft Corp. releases, is a daunting challenge. While NDS for NT works well in an NT 4 environment, providing the same kind of wholesale replacement in Windows NT 5 will be at best very difficult.

Novell seems to understand this. According to Michael Simpson, director of marketing at Novell, "People will deploy Active Directory. What we want to do is manage as many of the components of NT 5 as is practical." Exactly how this gets done is up for grabs at the moment. Novell has already demonstrated an NDS server running on NT 5, and NDS can certainly synchronize its data with Active Directory by accessing it just like any other client. "I guarantee that we will have consistency of data between Active Directory and NDS," says Simpson, but Novell is as yet making no promises to provide the kind of substitution that NDS for NT offers today.

What does this mean for you? In the short run, nothing at all; widespread Windows NT 5 deployments are still a ways away. But eventually, NDS shops, especially users of NDS for NT, will have to confront this issue. There are (at least) three approaches.

First, you can take this opportunity to migrate entirely to NT. Plenty of organizations are doing this, and in many cases, there's a good argument to be made for getting rid of NetWare. By making integration with NetWare even harder, NT 5 may provide the necessary push.

Alternatively, you can stick with NetWare and hope for the best. Novell will work very hard to effectively integrate NDS with Active Directory; its survival as a company may depend on it. If you're a dyed-in-the-wool NetWare fan, especially one who relegates NT to the role of relatively rare database server, this is your best choice.

Finally, if you plan to retain large installations of both Windows NT 5 and NetWare, you may wind up running parallel directory services -- both NDS and Active Directory -- side by side. While this isn't the most attractive option, it will probably be the only viable one in some organizations. How well it works will depend on Novell's success at providing seamless integration. It's a safe bet that Microsoft won't help Novell do it.

And I guess there's one more approach: You can get really mad at Microsoft for behaving in a way that you don't like by not helping Novell make NDS for NT work on NT 5. I expect this to be a common response, but it's ultimately futile. Microsoft's behavior here is neither evil nor anti-competitive; it's business. Like every other public corporation, Microsoft feels obligated to maximize its profits. Letting your competitors replace a critical part of your product is not generally the best way to do this. --David Chappell is Principal of Chappell & Associates (Minneapolis), an education and consulting firm. Contact him at [email protected].