Jargon Busters - Inside the Active Directory - (January 2000)
ESOFT Global’s Brian DaBinett delves into the most hyped aspect of Windows 2000: the Active Directory.

Remember when NT 3.5 first emerged against Novell NetWare 3.x? Administrators finally had the ability to centrally manage user accounts and groups across their network from a single server – with an NT Domain there was none of this password synchronisation between servers.

Meanwhile, Novell wasn’t resting on its laurels and, having looked closely at Banyan, it produced Novell NetWare version 4 with NDS – Novell’s Directory Service. Suddenly the ante was upped and, until the advent of Windows 2000, an NT Domain could not compete with NDS for enterprise manageability and scalability. Why were Novell system managers so keen on a directory service? A directory service let them support more users, centrally managed, and gave them scalability and resilience through a multi-master model, unlike the NT Domain single-master model. In an NT Domain, only the Primary Domain Controller (PDC) holds a write-enabled copy of the user database, so when the PDC is offline, no Domain management can take place.

One stop shop

Objects such as printers and computers can be placed in the directory and back office applications configured to access it, so an email system can use the same data as an organisation’s ‘phone book’. This creates a single location in which to update information, with changes propagated across the organisation to all ‘directory aware’ applications. In developing Windows 2000, Microsoft is giving its user community the power of a directory service. Based around X.500 and fully LDAP compliant, Windows 2000 Active Directory (AD) provides services that Novell administrators have enjoyed for a number of years, but with several important benefits, such as a single secure sign-on via the Unique Principal Name (UPN).

In a large NT 4 enterprise, there are usually multiple domains to span the political, organic or geographic growth of an enterprise. Domains are created to delegate administration, reduce replication traffic or accommodate company mergers and acquisitions. Now with AD it is possible to rationalise a cumbersome domain structure with a fully relational, hierarchical namespace model (as opposed to the flat NT 3.x/4.x namespace). Using AD, administrators can delegate any amount of departmental responsibility. For example: if Finance users are always forgetting their passwords, delegated administration through AD can allow the Finance Manager to reset his department’s user passwords – without having access to any of the other user attributes. This delegated administration is a direct benefit of the hierarchical namespace.
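The Finance example above maps onto a single access control entry on the Finance OU. The following is an added illustration, not code from the original article or from ESOFT Global, written with the ActiveDirectory PowerShell module that ships with modern Windows Server; the OU distinguished name and the group name are placeholders, while the two GUIDs are the fixed, well-known identifiers of the "Reset Password" control access right and the "user" schema class that every AD forest shares. It grants exactly that one right, inherited by user objects only, and then reads the ACL back so the administrator can confirm nothing broader was granted:

```powershell
# Added example (not from the original article): delegate only the
# "Reset Password" right on user objects beneath one OU to a Finance group.
# Assumptions: the ActiveDirectory module is installed, the caller may modify
# the OU's security descriptor, and the OU / group names are placeholders.
Import-Module ActiveDirectory

$ouDn      = 'OU=Finance,DC=example,DC=com'   # placeholder OU
$groupName = 'Finance-PasswordResetters'      # placeholder group

# Well-known GUIDs, identical in every AD forest:
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
$userObjectClass    = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the "user" class

$group = Get-ADGroup -Identity $groupName

# One ACE: allow the ExtendedRight identified by the Reset Password GUID,
# applied to descendant objects of class "user" only. No other attribute of
# the user objects becomes writable through this entry.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userObjectClass)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verification: list every ACE on the OU that names this group. The expected
# result is a single ExtendedRight entry whose ObjectType is the Reset
# Password GUID; a GenericAll or WriteProperty entry here would mean the
# delegation is wider than the Finance Manager needs.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                  InheritedObjectType, InheritanceType
```

Scoping the ACE with both the extended-right GUID and the "user" inherited-object class is what keeps the delegation at least privilege; granting the right without the object-class filter would also apply it to computer and other principals under the OU, and checking the ACL afterwards is the habit that catches that mistake.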

Sign of the times

Another new AD feature is the single secure sign-on, the UPN. Using the NT 4 multiple domain model, if users move from one location to another, they need to change the domain they logon to and then be authenticated against that domain. Using a UPN in Windows 2000, the user has a single sign-on wherever they logon in the organisation. A UPN looks very similar to an email address (which users always seem to remember – unlike passwords) and takes the form ‘username@admin_defined_suffix’. An administrator can define a number of UPN suffixes for their enterprise. The user enters the UPN into the logon box of their Windows 2000 Professional or Terminal Services client; authentication against their context and access to their resources are then resolved from the directory, without the user needing to know which domain they belong to.
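The suffix the article refers to is defined once at forest level and then assigned per user. The following is an added illustration, not code from the original article or from ESOFT Global; it uses the ActiveDirectory PowerShell module, and the suffix and the user name are placeholders. It registers a suffix, assigns a UPN in the ‘username@suffix’ form, and then audits every user for a UPN whose suffix is not one the administrator has defined, since a user with a stray suffix cannot be matched to an enterprise sign-on:

```powershell
# Added example (not from the original article): define an enterprise UPN
# suffix, assign a UPN to one user, and audit for UPNs with undefined suffixes.
# Assumptions: ActiveDirectory module installed; names below are placeholders.
Import-Module ActiveDirectory

$newSuffix = 'corp.example.com'   # placeholder suffix

# 1. Register the suffix on the forest so it becomes selectable for any user.
Get-ADForest | Set-ADForest -UPNSuffixes @{ Add = $newSuffix }

# 2. Give a user a UPN in username@suffix form; this is what they type at logon.
Set-ADUser -Identity 'jsmith' -UserPrincipalName "jsmith@$newSuffix"

# 3. Audit. The valid suffix set is the forest's explicit UPN suffix list plus
#    the DNS name of every domain in the forest, which is always implicitly valid.
$forest  = Get-ADForest
$allowed = @($forest.UPNSuffixes) + @($forest.Domains) |
           ForEach-Object { $_.ToLowerInvariant() }

# Report users whose UPN is missing an '@' or carries a suffix outside the set.
$unexpected = Get-ADUser -Filter 'UserPrincipalName -like "*"' -Properties UserPrincipalName |
    ForEach-Object {
        $suffix = ($_.UserPrincipalName -split '@', 2)[1]
        if ($null -eq $suffix -or $allowed -notcontains $suffix.ToLowerInvariant()) {
            [PSCustomObject]@{
                SamAccountName = $_.SamAccountName
                UPN            = $_.UserPrincipalName
            }
        }
    }

$unexpected | Format-Table -AutoSize
```

Comparing suffixes case-insensitively matters because DNS names are not case-sensitive, whereas a plain string comparison of ‘CORP.Example.com’ against the forest list would report a false mismatch.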

As BackOffice systems such as Lotus Notes, SAP, Peoplesoft and Exchange 2000 take advantage of the directory, administrators of these systems will no longer have to manage separate logon IDs, passwords and duplicate usernames. More importantly, if an employee leaves a company, disabling their account in the directory locks them out of every system that is aware of the directory and, potentially, even building security systems.

The Active Directory is much more than a place to store usernames and groups. It is a tool that enables enterprises to integrate systems together, sharing information and resources, setting security, distributing software and maintaining a consistent desktop image via Group Policy.

Brian DaBinett is a Strategy Manager at ESOFT Global.