March 22, 2001, 4:51 PM — Microsoft's first attempt at providing true domain services similar to those in NDS is finally available. Released in Windows 2000, Active Directory replaces the Windows NT domain system. Although the path to upgrading to Active Directory (AD) may be difficult, all indications are that it will be a worthwhile one.
Directory services are important to any network administrator because they allow vast networks to be centrally managed. By adding directory services to networks, the cost of administration can be greatly reduced.
Administrators will like AD because it provides one interface for all administrative tasks. IT departments will spend less money on administration, especially if they already have multiple NT domains. And because of AD's capability of serving all of Microsoft's clients as well as coexisting with current NT and NetWare servers, AD can be added without overhauling every server. Because AD replaces the current NT domain system, larger enterprises will find great relief from the costs involved in maintaining many domains using trust relationships.
In the beginning...
Years before Active Directory, Novell released NDS, which benefited cross-platform shops, but NT-only shops continued to rely on the antiquated NT domain system. The domain system does not scale well with thousands of users, making it necessary in large enterprises to set up many trust relationships.
Microsoft set out to match NDS for NT-only shops with its own directory services. AD is designed to serve the enterprise needs, including controlling vast numbers of users, allowing granular control over security and administrative tasks, and solving other shortcomings in NT's domain model.
If you continue to use NetWare, you will still use NDS, but if you upgrade to Windows 2000, you might consider subordinating Novell's product to Microsoft's rather than the other way around.
The laws of the forest
Similar to NDS, Active Directory uses a hierarchical model described by metaphors. A "forest" groups one or more "trees"; a tree can share information with other trees only if they are members of the same forest.
At the root of each tree is a domain. Within a domain an administrator can add child domains, as well as OUs (organizational units) and objects, the most granular items in AD. Each object is given a globally unique identifier that serves as a permanent reference to that object; because references use this identifier rather than the object's name or location, the object can be renamed or moved without causing any problems.
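To make the hierarchy concrete, here is a small added model of it (example code written for this page, not Microsoft's or anyone's AD implementation). The forest name "example.com", the domains, OUs and the single user are constructed sample values. The point it demonstrates is the one above: an object's distinguished name (DN) changes when it is renamed or moved, while its GUID, and therefore any reference keyed on the GUID, does not; it also shows that two domains belong to the same tree only when they share a contiguous DNS namespace, while a second tree can still live in the same forest.

```python
import uuid
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    """Any directory entry: a domain, an OU, or a leaf object such as a user."""
    kind: str                       # "domain", "ou" or "object"
    name: str                       # DNS name for a domain, RDN value otherwise
    parent: Optional["Node"] = None
    # objectGUID: assigned once at creation and never changed by rename or move
    guid: str = field(default_factory=lambda: str(uuid.uuid4()))

    def rdn(self) -> str:
        # A domain's naming context is built from its DNS labels (DC=corp,DC=example,DC=com);
        # OUs and leaf objects contribute a single relative distinguished name each.
        if self.kind == "domain":
            return ",".join(f"DC={label}" for label in self.name.split("."))
        prefix = "OU" if self.kind == "ou" else "CN"
        return f"{prefix}={self.name}"

    def dn(self) -> str:
        """Distinguished name: this entry's RDN followed by every ancestor's, up to the domain."""
        parts, node = [], self
        while node is not None:
            parts.append(node.rdn())
            if node.kind == "domain":
                break               # the domain RDN already encodes any parent domains
            node = node.parent
        return ",".join(parts)

    def domain(self) -> "Node":
        node = self
        while node.kind != "domain":
            node = node.parent
        return node


class Forest:
    """A forest holds one or more domain trees and one forest-wide index keyed by GUID."""

    def __init__(self) -> None:
        self.by_guid = {}           # GUID -> Node; the stable way to find an object
        self.tree_roots = []        # domains with no parent domain: one per tree

    def _register(self, node: Node) -> Node:
        self.by_guid[node.guid] = node
        return node

    def add_domain(self, dns_name: str, parent: Optional[Node] = None) -> Node:
        # A child domain must extend its parent's DNS namespace; otherwise it starts a new tree.
        if parent is not None and not dns_name.endswith("." + parent.name):
            raise ValueError("child domain must extend the parent's DNS namespace")
        node = self._register(Node("domain", dns_name, parent))
        if parent is None:
            self.tree_roots.append(node)
        return node

    def add_ou(self, container: Node, name: str) -> Node:
        return self._register(Node("ou", name, container))

    def add_object(self, container: Node, cn: str) -> Node:
        return self._register(Node("object", cn, container))

    def move(self, obj: Node, new_container: Node) -> None:
        obj.parent = new_container  # DN changes, GUID index entry is untouched

    def rename(self, obj: Node, new_name: str) -> None:
        obj.name = new_name         # likewise: only the RDN changes

    def resolve(self, guid: str) -> Node:
        return self.by_guid[guid]


def tree_root(node: Node) -> Node:
    d = node.domain()
    while d.parent is not None:
        d = d.parent
    return d


def same_tree(a: Node, b: Node) -> bool:
    return tree_root(a) is tree_root(b)


def demo() -> dict:
    """Build a two-tree forest (constructed names), then rename and move one user."""
    forest = Forest()
    example = forest.add_domain("example.com")                     # root of tree 1
    corp = forest.add_domain("corp.example.com", parent=example)   # child domain, same tree
    partner = forest.add_domain("partner.net")                     # root of tree 2, same forest
    sales = forest.add_ou(corp, "Sales")
    eng = forest.add_ou(corp, "Engineering")
    alice = forest.add_object(sales, "Alice Example")
    guid, dn_before = alice.guid, alice.dn()
    forest.move(alice, eng)
    forest.rename(alice, "Alice Sample")
    return {
        "dn_before": dn_before,
        "dn_after": alice.dn(),
        "guid_stable": forest.resolve(guid) is alice,  # the old reference still works
        "same_tree": same_tree(corp, example),
        "cross_tree": same_tree(corp, partner),
        "trees": len(forest.tree_roots),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the DN moving from `OU=Sales` to `OU=Engineering` with a new CN, while `resolve(guid)` still returns the same object. This is why AD keys permissions and group membership on the GUID rather than on names: a rename or move does not break them.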
Fault tolerance provided
To provide fault tolerance, AD uses domain controllers. Unlike NT's domain controllers, AD's domain controllers are not grouped into primary or backup categories.