Microsoft adding critical function to Active Directory
To answer IT executives' demands for advanced features in Active Directory, Microsoft is enhancing its single highest administrative privilege so users can better manage the directory.
With the Beta 3 version of Windows 2002 Server, set for release later this year, Microsoft will introduce the ability to delete schemas from the directory. The feature, called Schema Delete, is not in Beta 2, released in March, but is scheduled to be included in Windows 2002 when it ships early next year.
The news comes on the heels of Microsoft's announcement that it is starting to enable Active Directory for use on the Web.
IT executives have been clamoring for the ability to delete schemas, to eliminate clutter from the directory and make it possible to completely uninstall directory-enabled applications. "We're trying to keep our directory data as clean as possible, and when schema delete is available we'll use it to clean up even further," said a directory administrator from a Fortune 500 company who requested anonymity.
Schemas are the heart of the directory. They define the objects in Active Directory and the attributes associated with those objects. Objects represent users and applications, and they are made up of a set of attributes, such as user name, address and phone number.
But modifying the schemas can be tricky. It is the most guarded administrative privilege in the directory -- because if done incorrectly it can disable a server or an entire network.
"Schema delete has become the poster child for why Active Directory is not as good as Novell," says John Enck, an analyst with the Gartner Group. "Most of us will say it should have been in there in the first place." But Enck says it is better late than never.
Novell's eDirectory and iPlanet's Directory Server 5.0, which shipped Thursday, allow users to delete schemas.
The ability to eliminate irrelevant schemas is important as more applications become directory-enabled.
Each time an application is added to the directory, it potentially can modify schemas. For example, Microsoft's Exchange 2000 messaging server makes some 1,200 schema modifications when it is installed.
But when applications are uninstalled, their schema modifications remain in the directory as excess baggage. The leftover schema can clog replication and lead to crippling problems.
Active Directory currently allows users to retire schemas, which means they are not replicated, but remain in the directory.
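The distinction the article draws between retiring a schema object and deleting it can be checked directly in a domain: deactivated attribute and class definitions stay in the schema partition with isDefunct set to TRUE. The script below is an added example, not code from the article or from Microsoft; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the account running it can read the schema naming context. It only reads the directory: it counts the attribute and class definitions, lists the retired ones, and shows who holds the Schema Admins privilege that the article calls the most guarded one.

```powershell
# Added example (not from the article): audit schema clutter and schema-change privilege
# with the ActiveDirectory module. Read-only; nothing here modifies the directory.
Import-Module ActiveDirectory

# The schema is its own naming context; RootDSE tells us where it lives.
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Every attribute and class definition is an object in that partition.
$attributes = @(Get-ADObject -SearchBase $schemaNC -LDAPFilter '(objectClass=attributeSchema)' `
                -Properties lDAPDisplayName, isDefunct, whenChanged)
$classes    = @(Get-ADObject -SearchBase $schemaNC -LDAPFilter '(objectClass=classSchema)' `
                -Properties lDAPDisplayName, isDefunct, whenChanged)

# "Retired" definitions carry isDefunct=TRUE: deactivated, but still present in the
# partition. These are the leftovers that a schema delete would remove.
$defunct = @($attributes + $classes | Where-Object { $_.isDefunct -eq $true })

"Attribute definitions : {0}" -f $attributes.Count
"Class definitions     : {0}" -f $classes.Count
"Defunct (retired)     : {0}" -f $defunct.Count
$defunct |
    Sort-Object lDAPDisplayName |
    Select-Object lDAPDisplayName, objectClass, whenChanged |
    Format-Table -AutoSize

# Schema changes require membership in Schema Admins; review who holds it, including
# members inherited through nested groups.
"Schema Admins members:"
Get-ADGroupMember -Identity 'Schema Admins' -Recursive |
    Select-Object name, objectClass, distinguishedName |
    Format-Table -AutoSize
```

A schema that has grown through several application installs and uninstalls will show a non-zero defunct count; comparing the whenChanged timestamps of those entries with application deployment dates is a quick way to tell which product left them behind. The Schema Admins listing belongs in the same review: the group should normally be empty except while a planned schema change is being made.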
"Once you add schemas you are stuck with them," says Jamie Lewis, president of The Burton Group. "You don't want to have a lot of schemas to wade through. If you replace a schema for a user, for instance, you don't want developers using the old schema that is not supported."
Lewis says it is all about "managing, keeping things clean and not having to live with schema changes the rest of your life."
Changing a schema is a task best left to the most experienced administrators. But Microsoft says it is a task with value.
"Customers were saying once they added an application to Active Directory they could not roll back," says Peter Houston, group program manager for Active Directory. "There was a fear factor about adding schemas, and some customers were delaying rollouts of new applications."
Microsoft is adding another feature in Active Directory that also should help with management. Windows 2002 will feature Cross-Forest Trust, which allows separate directory forests to talk to one another. For example, a user authenticated in one forest can be authorized to use resources from another forest. Previously, forests could not communicate, and Microsoft recommended users deploy only a single forest.
"Users with good centralized control will use a single forest, but decentralized corporations might look to multiple forests as a boundary for administration," Houston says.
But he warned that the feature is not a license to create 30 forests. "The goal is to minimize the number, but it's not just one anymore. You don't need to beat your head against the wall to get to one," Houston says.
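Once a forest trusts another, the trust itself becomes something to inventory: which partner, in which direction, and whether it is forest-wide or a plain domain trust. The script below is an added example, not code from the article or from Microsoft; it assumes the ActiveDirectory PowerShell module and read access to the trusted-domain objects of the current domain. It lists every trust with the properties an administrator would review after the kind of multi-forest layout Houston describes.

```powershell
# Added example (not from the article): inventory the trusts known to the current domain
# and flag the ones that are forest-wide. Read-only.
Import-Module ActiveDirectory

Get-ADTrust -Filter * |
    ForEach-Object {
        [pscustomobject]@{
            Partner         = $_.Name                      # trusted/trusting domain or forest
            Direction       = $_.Direction                 # Inbound, Outbound or BiDirectional
            ForestTrust     = $_.ForestTransitive          # $true = cross-forest trust
            IntraForest     = $_.IntraForest               # $true = automatic trust inside this forest
            SelectiveAuth   = $_.SelectiveAuthentication   # $true = partner users need explicit grants
            SIDFilterActive = ($_.SIDFilteringForestAware -or $_.SIDFilteringQuarantined)
        }
    } |
    Sort-Object ForestTrust, Partner -Descending |
    Format-Table -AutoSize
```

Run it from each forest in a multi-forest design: a trust that is BiDirectional on one side and Inbound on the other is a sign that the two sides were configured separately, and any row with ForestTrust set to $true is a boundary that the article's "boundary for administration" argument depends on being deliberate rather than accidental.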
In addition, shortly after Windows 2002 ships, Microsoft will launch Version 3.0 of Microsoft Meta-directory Services (MMS), which will replace the Zoomit Directory with Active Directory.
MMS is the descendant of technology Microsoft purchased from Zoomit in 1999. The Active Directory store will allow enterprises to have a single repository for their enterprise directory and metadirectory.