Active Directory barks up the right tree

Microsoft's first attempt at providing true directory services similar to those in Novell's NDS is finally available. Released in Windows 2000, Active Directory replaces the Windows NT domain system. Although the path to upgrading to Active Directory (AD) may be difficult, all indications are that it is a worthwhile one.

Directory services are important to any network administrator because they allow vast networks to be centrally managed. By adding directory services to networks, the cost of administration can be greatly reduced.

Administrators will like AD because it provides one interface for all administrative tasks. IT departments will spend less money on administration, especially if they already have multiple NT domains. And because AD can serve all of Microsoft's clients and coexist with existing NT and NetWare servers, it can be added without overhauling every server. Because AD replaces the NT domain system, larger enterprises will find great relief from the costs of maintaining many domains tied together with trust relationships.

In the beginning...

Years before Active Directory, Novell released NDS, which benefited cross-platform shops, but NT-only shops continued to rely on the antiquated NT domain system. The domain system does not scale well with thousands of users, making it necessary in large enterprises to set up many trust relationships.

Microsoft set out to match NDS for NT-only shops with its own directory services. AD is designed to serve the enterprise needs, including controlling vast numbers of users, allowing granular control over security and administrative tasks, and solving other shortcomings in NT's domain model.

If you continue to use NetWare, you will still use NDS, but if you upgrade to Windows 2000, you might consider subordinating Novell's product to Microsoft's rather than the other way around.

The laws of the forest

Like NDS, Active Directory uses a hierarchical model described in forestry metaphors. A "tree" is a set of domains that share a contiguous DNS namespace; a "forest" is one or more trees that share a common schema, configuration and global catalog, and every domain in a forest trusts every other domain in it through transitive trusts.

At the root of each tree is a domain. Within a domain an administrator creates OUs (organizational units) to group objects, the most granular items in AD, such as users, groups and computers. Each object is given a globally unique identifier (GUID) that serves as a permanent reference to it: an object can be renamed or moved to another OU without breaking references to it, because its distinguished name changes but its GUID does not.

Fault tolerance provided

To provide fault tolerance, AD uses multiple domain controllers. Unlike NT's domain controllers, AD's domain controllers are not divided into primary and backup categories; each one holds a writable replica of the directory.

In the NT scheme, changes to the domain can be made only while the PDC (primary domain controller) is available, so although users can still authenticate, administrative tasks cannot occur if the PDC is offline. Using AD, any domain controller can accept an update, which is then replicated to the other domain controllers. Only a handful of operations, such as schema changes, remain single-master and are held by designated operations master roles. This gives administrators much more flexibility in managing servers: no more waiting for late-hour service windows to take down a PDC. The flip side is that every domain controller now holds a writable copy of the directory, so each one must be protected as carefully as the PDC was.

AD is logically organized into domains and OUs, but physically it is organized into sites, and an administrator will want at least one domain controller per site to provide local, redundant access to AD.

Replication between sites is handled by AD's replication service and can be scheduled, and inter-site traffic is compressed, so that replication does not flood slow network links during business hours.
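The two ideas above, objects that are referenced by a permanent GUID while their distinguished name changes, and domain controllers that all accept writes and then converge through scheduled replication, can be made concrete with a small model. The following is an added example written for this page, a constructed toy and not Microsoft's implementation or code from the article: the DC names, the HQ and Branch sites, the overnight replication window and the sample objects are made up, and the per-attribute conflict rule (higher version wins, then later timestamp, then originating DC) is a simplification of the real one.

```python
"""Toy model of Active Directory naming and multi-master replication.
Constructed illustration for this page, not Microsoft's implementation:
objects are keyed by GUID, the DN is derived from the object's current
parent and RDN, every DC accepts writes, and DCs converge by replicating
per-attribute stamps. DC names, sites, and the link schedule are made up."""
import uuid
from dataclasses import dataclass

CLOCK = 0                         # shared logical time standing in for a timestamp
INTERSITE_WINDOW = range(22, 24)  # assumed hours when the inter-site link is open


@dataclass
class Stamp:
    value: object
    version: int   # bumped on every originating write to this attribute
    time: int      # logical time of the originating write
    origin: str    # DC where the write originated

    def beats(self, other):
        # Simplified AD conflict rule: higher version wins, then later time,
        # then the origin name as a deterministic tie-breaker.
        return (self.version, self.time, self.origin) > (other.version, other.time, other.origin)


class DomainController:
    def __init__(self, name, site):
        self.name, self.site = name, site
        self.objects = {}         # guid -> {attribute: Stamp}

    def write(self, guid, attr, value):
        """Originate a write on this DC (any DC may do this: multi-master)."""
        global CLOCK
        CLOCK += 1
        obj = self.objects.setdefault(guid, {})
        version = obj[attr].version + 1 if attr in obj else 1
        obj[attr] = Stamp(value, version, CLOCK, self.name)

    def create(self, rdn, parent):
        """Create an object under `parent` (a GUID, or None for the tree root)."""
        guid = str(uuid.uuid4())  # permanent identity; never changes on rename/move
        self.write(guid, "rdn", rdn)
        self.write(guid, "parent", parent)
        return guid

    def dn(self, guid):
        """Distinguished name, derived from placement rather than stored."""
        obj = self.objects[guid]
        parent = obj["parent"].value
        return obj["rdn"].value if parent is None else f"{obj['rdn'].value},{self.dn(parent)}"

    def value(self, guid, attr):
        return self.objects[guid][attr].value


def replicate(src, dst, hour):
    """Pull src's changes into dst. Returns the number of attributes updated,
    or -1 when the link is closed (intra-site replication is always allowed)."""
    if src.site != dst.site and hour not in INTERSITE_WINDOW:
        return -1
    updated = 0
    for guid, attrs in src.objects.items():
        mine = dst.objects.setdefault(guid, {})
        for attr, stamp in attrs.items():
            if attr not in mine or stamp.beats(mine[attr]):
                mine[attr] = stamp
                updated += 1
    return updated


def scenario():
    """Rename on one DC and move on another while the link is closed, plus a
    genuinely conflicting write; show both DCs converge and GUID refs survive."""
    hq = DomainController("DC1", site="HQ")
    branch = DomainController("DC2", site="Branch")
    root = hq.create("DC=example,DC=com", None)
    sales = hq.create("OU=Sales", root)
    marketing = hq.create("OU=Marketing", root)
    alice = hq.create("CN=Alice", sales)
    group = hq.create("CN=Sales Staff", sales)
    hq.write(group, "member", [alice])          # membership stored by GUID, not DN
    daytime_deferred = replicate(hq, branch, hour=9) == -1
    replicate(hq, branch, hour=22)              # overnight window: full sync

    hq.write(alice, "rdn", "CN=Alice Smith")    # rename at HQ
    branch.write(alice, "parent", marketing)    # move at the branch, concurrently
    hq.write(alice, "displayName", "Alice (HQ)")          # conflicting writes to
    branch.write(alice, "displayName", "Alice (Branch)")  # the same attribute

    replicate(hq, branch, hour=23)
    replicate(branch, hq, hour=23)
    return {
        "daytime_deferred": daytime_deferred,
        "dn_hq": hq.dn(alice),
        "dn_branch": branch.dn(alice),
        "member_dn": hq.dn(hq.value(group, "member")[0]),  # resolves via the GUID
        "displayName_hq": hq.value(alice, "displayName"),
        "displayName_branch": branch.value(alice, "displayName"),
    }


if __name__ == "__main__":
    for key, val in scenario().items():
        print(f"{key}: {val}")
```

Run it and both DCs report the same DN for Alice, the group's member list still resolves to her new DN because it was stored by GUID, and the conflicting displayName converges on the later write at both DCs. The point for a practitioner is that convergence, not consistency at any instant, is what multi-master gives you: a change accepted at one DC is not visible elsewhere until the schedule lets it replicate, and a racing write elsewhere can legitimately lose.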

All of AD is administered through snap-ins for the MMC (Microsoft Management Console), which shows signs of Microsoft's efforts to revise its UI design. The MMC is slick and easy to use, providing a quick view into all aspects of a Windows 2000 network. Configuring access to a resource is as easy as locating, for example, a printer in the tree, right-clicking it and choosing Properties. Using the MMC to configure a network is a great leap past previous methods, which required multiple programs and sometimes physical access to the console.

Exchange testing said it all

The depth of control and integration AD provides was evident in InfoWorld's testing of Exchange 2000 Server, beta (see

All of the administrative tasks were available from the MMC. For example, when you create users and put their full names in the user configuration dialog box, this information becomes instantly available to Exchange. With NT and the previous version of Exchange, you need to go to both the User Manager and the Exchange Administration program to manage this.

In addition, moving a user from one OU to another automatically updated the user's information in Exchange. It is also easy to delegate control of part of the tree, such as an OU, so that certain people can administer just their area of the network.

As previous testing indicates, AD will provide myriad benefits throughout the Windows platform. It is a long-awaited, crucial addition to Windows. For many IT administrators, Microsoft's directory services may be the deciding factor when choosing to move to this platform.

Of course, because AD is new, don't expect a problem-free rollout; a bleeding-edge installation is not a wise idea. If you decide to move forward with AD, be sure to test it in a non-production environment. Also, look for directory modeling software from Microsoft or other vendors to help you design the layout of your trees.

As new products with Active Directory support begin to appear, administrative tasks will be consolidated and made much easier. The ability to map rights to resources across domains and trees will give users additional mobility within their organizations. Users will benefit from Active Directory as much as network administrators will.

This story, "Active Directory barks up the right tree" was originally published by InfoWorld.
