Choosing a Direction with Directory Services

• 05/10/2000

With the release of Windows 2000 earlier this year, the issue of directory services moved toward the top of the list of concerns for many companies. No longer in the plan-and-promise phase, Microsoft Corp. is now actively competing with its chief rival for directory dominance, Novell Inc.

To get a sense of some of the specific issues facing network designers and administrators in choosing which directory service to implement, ENT and TesCom Ltd. (www.tescom-intl.com) worked with the currently shipping versions of Microsoft’s (www.microsoft.com) Active Directory and Novell’s (www.novell.com) renamed NDS eDirectory. We found that in most cases the decision among the services is likely to be driven not by the merits of the directories themselves, but by wider decisions about which operating platforms an enterprise will adopt.

For this examination, we operated the products on a network with a mixture of operating systems. An IBM Netfinity 5500 hosted Windows 2000 server running as a domain controller; a second Netfinity ran Windows NT 4.0 as a standalone server. Windows 2000 Professional ran on a Dell 2200 and Windows NT 4.0 Workstation was hosted on an HP Kayak. A second Kayak ran version 6.3 of Red Hat Linux. The systems shared a common Ethernet 10Base-T network.

The first, and ultimately very important, decision may be out of an administrator’s hands. If an organization decides to use NetWare, you will be deploying an NDS structure of some sort. Similarly, if an organization plans to use Windows 2000 servers as Domain Controllers in your network, you are going to deploy Active Directory to some degree. These are givens because of the nature of the operating systems in question. Windows 2000 relies on Active Directory as its domain information underpinning in much the same fashion that NetWare has relied upon NDS for the past several years.

For most mixed networks, the decision will not be whether NDS or Active Directory will exist in the network, but which directory will be used to support various other services and applications.

Both products provide general access to directory information through LDAP version 3. Information can be retrieved from either directory through any standard LDAP client, such as an e-mail package search function. Application developers can use standard query and update techniques to retrieve information from and update information in a consolidated directory.

Microsoft also provides an Active Directory Services Interface (ADSI), based on COM that is intended to streamline development of directory-enabled applications.

It is true that Windows 2000 domains imply Active Directory and NetWare Servers imply NDS, but the reverse is not necessarily true. In the case of Active Directory and Windows 2000, the tie in works both ways -- if you want Active Directory, you will be using Windows 2000, and vice versa. Novell, however, has taken the step of disconnecting NDS from NetWare. The directory product, now called NDS eDirectory to emphasize Novell’s positioning for use in e-commerce environments, runs on several platforms, including Windows NT, Windows 2000, Solaris, Linux, and of course NetWare.

Additionally, Novell split NDS into two pieces: the NDS eDirectory and a separate application called NDS Corporate Edition. Corporate Edition is a network management tool for administering resources on the various platforms that uses the underlying NDS eDirectory.

In our tests, we installed the Novell product on both Windows NT and Linux. The Microsoft product was, as required, installed on Windows 2000 only.

When comparing the two directory products, it is important to understand the role that the directory is intended to play, both in the short term and in the more distant future. The promise of directory services is the ability to bring consolidation to resource management. With the growing complexity of networks, users become more numerous and applications become more integrated into daily operations. The consolidation of that information into a single directory, rather than in the separate specialized directories used today by applications such as mail servers, accounting applications, and the like, can significantly reduce administration costs and increase availability and productivity.

Those goals, however, may lie in direct opposition to the needs of the organization in implementing specific applications. For example, a service provider may field an e-mail application for a large number of outside customers, for whom directory information must be maintained. But that information probably does not belong in the same directory as the one used to allow control access to the company’s infrastructure. Similarly, an e-commerce application may use directory services to store profile information for each of thousands of customers. That information must be shielded from examination by large segments of the company’s internal business users.

Active Directory, with its tight integration into the Windows 2000 operating system, supports infrastructure management requirements handily, especially in homogeneous networks. NDS eDirectory more readily supports separating directory information from the infrastructure. NDS also supports optional infrastructure management of multiple operating systems through NDS Corporate Edition.

As noted, Active Directory runs only on Windows 2000 servers, while NDS eDirectory may be run on several different platforms, with or without a NetWare server in the environment. Both directories, however, do provide cross-platform access through the use of LDAP. An application running on a non-Windows 2000 platform could still make use of either directory product for its underlying support. Whether such directory access across a network was desirable depends on the network structure and the application.

One major consideration for choosing a directory service could be the costs of training administrators, or perhaps the costs of not training.

Even for experienced Windows NT administrators and planners, Active Directory is a significantly new approach to managing network resources. The management tools provided with Windows 2000 are streamlined, and not entirely alien to administrators accustomed to the Microsoft Management Console that was introduced later in the NT 4.0 lifecycle. Easy to use migration tools are provided, as well. For planners of moderately complex networks, however, that may be a curse more than a blessing, especially as it may lull some into a false sense of simplicity.

For planners implementing an upgrade from a multidomain environment or one with complex organizational structures, it will be necessary to acquire some hands-on training, plan carefully, and probably perform several trials with possible domain structures.

NetWare administrators and planners, on the other hand, have been dealing with the directory concepts of NDS for six or seven years. EDirectory thus provides no significant new conceptual challenges, assuming of course that the move to eDirectory is being made from an existing NetWare environment. If that is not the case, then everything said about the need for planning, training and testing with Active Directory must be applied equally to NDS eDirectory.

NDS eDirectory and NDS Corporate Edition are available as downloads from Novell's Web site. We retrieved both the Windows NT and the Linux versions of the products, as well as the latest client access drivers for our NT Workstation. Our testers, with a combination of NT and NetWare experience, had more problems successfully completing their first Linux installation than installing eDirectory itself. And when installing eDirectory on Linux, that prior NetWare experience proved necessary. The documentation provided was fairly thin and assumed a high level of familiarity with the directory nomenclature. The installation program for the NT version of the product was a much more user-friendly graphical tool, which hopefully will be ported to the Linux platform soon.

The NDS management tools run only on a Windows platform -- NT in our case -- and require the use of the Novell NetWare client, despite the fact that we did not have a true NetWare server in our environment. This client was available as a download from the Novell site, but at 79 MB it was almost twice the size of the combined eDirectory and Corporate Edition file. Smaller client downloads were available, but it was not immediately clear which had all the required components for use with eDirectory.

For Active Directory, we installed Windows 2000 Server as a new installation on our Netfinity server. We created parallel directory structures with four primary organizational units and four or five sub-units in each of the primary units. Only the tree-name differed between the two structures, to avoid any possible confusion that might have occurred because the two systems shared a common physical network.

Adding information to the directory can be done in one of three ways for either product. The most direct method is through the normal administrative interface. Here the differences between the products are mostly stylistic, though we did observe a few small functional differences.

For example, in the case of NDS, the tools for delegation were a bit more powerful, allowing authority to be delegated to groups, users, organizational units, or organizational roles. With Active Directory, authority can only be delegated to users or groups. Also, while the wizard for assigning delegation under Active Directory was simple to understand and use, it took a fair amount of fumbling to discover that the ability to view the delegations we made was hidden in advanced screens that are not accessible by default.

The second method for adding information to the directory is through the use of LDAP-aware applications.

Finally, information may be added to either product through bulk loading utilities, and it was here that we encountered the greatest frustration. Bulk loading in either case requires the construction of a text file in the LDAP Directory Interchange Format (LDIF), which is a fairly intricate format.

Novell’s NDS documentation provides examples of LDIF content that may be used to load data into the directory. The bulk load utility they provided, however, steadfastly refused to import our test list, reporting a format error, although we carefully followed the example given. We tried about a dozen variations on the format of the offending line without success. We also looked for an export utility, with which we could create an LDIF file for one or more of the users we entered manually, hoping to learn the correct format. But Novell does not appear to supply one, except maybe with their Software Developers Kit, which was not provided for our test.

Microsoft also supplies bulk load capability, but did not provide an example LDIF that we could locate. The import utility also refused to import our test list. Microsoft does provide an export utility, which we used to export information about the directory structure itself. Even when we carefully followed the example instructions, the export utility refused to acknowledge that there were any user records to be exported.

While the debate about the relative merits of NDS eDirectory or Active Directory will rage with an almost religious fervor for some time to come, the decision in most organizations will likely proceed from one or more of three basic factors: size, applications, performance.

For many, if not most, small to medium-sized organizations -- where size may mean either number of systems or complexity of organization -- the decision will be driven by where that company is today. NT shops will likely adopt Windows 2000 and therefore Active Directory, while shops using NetWare will likely extend NDS to their other platforms. Organizations that switch from one platform to the other will probably do so because they want general features of the new operating system, rather than on the basis of the directory alone.

Where certain critical applications are being implemented, it is likely that the choices of the application designers will weigh more heavily than those of the network designers. Software publishers will adopt one or the other directory for development, driving the decision by customers based on the desirability of the application rather than the directory. In-house developers may be more constrained to follow a pre-existing selection of directory, but that selection will almost certainly be driven by one of the other two factors.

With regard to performance, both vendors published figures and explanations touting the benefits of its platform in speed, scalability, accessibility, and more. Except for the comparatively few organizations for which these are crucial factors at the make-or-break level, published statistics are insufficient to tell the tale. As those familiar with the long-term use and abuse of generalized benchmark testing already know, these firms will need to conduct detailed, realistic simulations of their individual planned environments to derive useful numbers upon which to base any sound decision.

For everyone else, the name of the game is still, "Whom do you like?"

For more in the series, also see:

• Spotting the Active Directory Early Birds
  Christopher McConnell
• Why Windows 2000 Will Unify Your World
  David Chappell