Spotting the Active Directory Early Birds

• 05/10/2000

With the adoption of Active Directory still in its early stages, the market for third-party tools that extend the value of Active Directory is embryonic. Companies such as NetIQ Corp. (www.netiq.com) were approached by Microsoft to create tools for its in-house needs, but there are some vendors that took the bold leap of creating new products for a market that barely exists. Other companies have come to realize that their existing tools could gain by adding Active Directory features.

These tools cover a broad range throughout the industry: Some are focus on security or cross-platform applications, while others add value by easing management of Active Directory information. Administrators already have a number of choices if and when they decide how they want to extend Active Directory.

Open Software Associates Inc. (OSA, www.osa.com) is leveraging Active Directory in a unique way; its NetDeploy Global allows other platforms on a network to use information from the directory. "We take the directory info and publish it as XML files," says Graeme Greenhill, CEO of OSA.

Windows 98, Linux, Unix, and other platforms understand XML, so the permissions and entitlements set in Active Directory can be used by any machine on the network, not just machines running Windows 2000.

Management of heterogeneous networks will benefit from the extended availability. Rather than having to set permissions for each system, NetDeploy Global lets users make a single set of preferences applicable to all machines within an enterprise.

Mobile users and remote offices also will gain from OSA's cross-platform strategy, since it allows virtual private networks and extranets to use the full value of Active Directory.

An obvious use of the tool is allowing clients or customers access certain network data without giving them access to the entire network. Rather than setting these permissions for the point solution or solutions, the external permissions can be managed centrally with other in-house permissions.

XML, is of course an Internet standard, and NetDeploy Global was designed for Internet-based businesses in mind. "Our entire focus was the Internet, and making use of Internet standards," Greenhill says. But he explains that NetDeploy Global is not just an Internet tool. "There’s going to be a mix of people using it," he says. Greenhill points to a variety of organizations using the beta, including banks, retail chains, and the military.

Microsoft Corp. (www.microsoft.com) took particular interest in OSA’s plan to bring Active Directory to the Internet and non-Microsoft platforms. Redmond gave the company support and information to help bring the product to fruition. "We’re getting a lot of support from Microsoft," Greenhill says.

Despite its initial slow rate of acceptance, Greenhill believes Active Directory will eventually gain wide adoption across the industry. "We’re convinced that it will be the de facto standard in the next few years," he says.

NetDeploy Global should be available by the end of this month.

What product does Microsoft use when it wants to extend the value of Active Directory? In the beta stage, Microsoft turned to NetIQ for help managing its new directory.

NetIQ came to Microsoft’s aid by creating an Active Directory module for its AppManager product. AppManager consists of modules for managing and monitoring applications on distributed servers. In addition to the Active Directory module, AppManager is available for use with other applications.

NetIQ focuses entirely on Windows management products, making its developers very familiar with the administation of Windows networks. "We’ve bet the barn on Windows NT," quips Tim Sedlak, technical development manager at NetIQ.

NetIQ's AppManager monitors and manages Active Directory and how network servers keep up with the information, ensuring that information is propagated across the network.

While Active Directory does a good job of centrally maintaining information about users and permissions, the central, hierarchical structure does little to imitate the realities of the business world.

Permissions and entitlements frequently change with the addition of staff, promotions, and special projects. The changing corporate environment also introduced contractors and clients who need to access corporate information. For the system to work properly, each Active Directory-enabled server needs to stay up to date with changes.

Tim Sedlak says AppManager attempts to answer the question, "How are we going to know when this data is going to replicate around?"

AppManager offers a range of customization options and provides information to best set the options. Users can set intervals for propagation to best reflect how often information changes on the network. The trick is setting a happy medium between functional updates and how much bandwidth Active Directory updates eat up.

AppManager relies on agents residing on host machines to feed raw data about how each machine is used. Users customize and configure the agents to provide germane information to the monitor.

Through the Microsoft Management Console (MMC), AppManager provides trending and analysis of the agents’ data. This gives administrators a sense of how applications consume the network. Active Directory is just one important application treated by the product.

The information presented by the MMC is generated by a series of Visual Basic scripts. While users can take the plunge and write their own scripts, the product comes with a profusion of premade options. For Active Directory alone, there are 36 different scripts.

NetPro Computing Inc. (www.netpro.com) also offers a tool for monitoring Active Directory. Its DirectoryAnalyzer provides directory information and management alerts to administrators who want to optimize directory services.

NetPro is partnered with Heroix Corp. (www.heroix.com) to bundle DirectoryAnalyzer with Heroix’ RoboMon monitoring tools.

As its name suggests, Full Armor Corp. (www.fullarmor.com) focuses on security. The company is leveraging Active Directory’s services to provide tight access privileges for data and desktops, preventing users from getting their hands on things they’re not supposed to.

For release 5.5 of its Full Armor Zero Administration (FAZAM) security package, Full Armor integrates Active Directory into the existing functionality. "We’re interested in extending system policy for lockdown on the desktop," says Rich Farrell, CEO of Full Armor.

Users may be interested in locking down desktops within the enterprise for several reasons. In addition to securing information assets, administrators can restrict what kinds of software are installed on machines. "We add capability to Windows management policy," Farrell says.

Games, MP3 players, and other applications that may inhibit productivity are a concern at some organizations. In addition, tools that may threaten the system by permitting Trojan horses and cracker scripts can be banned from desktops.

FAZAM gains flexibility through the use of Active Directory. Some administrators may have a hard time convincing their boss that being unable to install certain files on their machine is a good thing, or some departments, such as finance, may need access to software that should be prohibited to other users. Active Directory allows permissions to be set by user or operating unit, so lockdowns can reflect the organizational environment.

FAZAM also allows administrators to configure the operating system from a central location, automating management of the desktop. This can save the helpdesk the trouble of resetting individual machines botched by either malicious users or benign fiddlers.

FAZAM integrates with MMC, offering an intuitive interface for administrators.

Like other Active Directory products, FAZAM offers a high degree of customization. Alerts and error messages can be customized to reflect the organization or computing environment. The MMC views can also be customized.

Dorian Software Creations Inc. (www.doriansoft.com) offers the ability to view information within Active Directory with its UltraAdmin 2.0. Company officials suggest that it will ease administrators’ learning curves by offering a different interface.

Oblix Inc. (www.oblix.com) offers its Secure User Management Solution for propagating user information across the network. In addition, its Workforce Optimization Solution offers the reverse, putting user information from Active Directory onto every desktop, giving users information about the company.

Active Directory adoption has yet to gain momentum, and so far no product other than Windows 2000 has provided the impetus for administrators to tackle the project of setting up directory services. Active Directory’s killer application, that bit of software tied to Active Directory that no company can do without, might come from Microsoft itself.

Exchange 2000, Microsoft’s latest iteration of its messaging system, will require Active Directory for deployment. Microsoft insists that Active Directory will extend both Exchange and Active Directory’s functionality beyond anyone’s wildest dreams.

Microsoft already rolled out Exchange 2000 Conferencing Server, which integrates teleconferencing and videoconferencing services with Active Directory. With the large amounts of data involved in these applications, having user information integrated spares users and the server the work of connecting users with data.

Microsoft plans to release more flavors of Exchange 2000 server for more traditional Exchange applications, such as e-mail and other messaging. All of the new flavors will require users to migrate to Active Directory, presenting either an obstacle for Exchange 2000 adoption or a catalyst for Active Directory deployment.

So if IT managers soon decide now is the time to begin using Microsoft's Active Directory, there are several tools out there to help with their needs.

[Info Box:]

Available Aids for Active Directory