Directory Service Slugfest

Networking heavyweights Novell and Microsoft square off. At stake may be domination of corporate networks in the next century.

by , / December 31, 1998 0
For years, Novell Netware, a popular local area network operating system developed by Novell Corporation, has dominated the PC networking landscape. But with the introduction of Windows NT several years ago, Microsoft drove a stake in the ground and has been dedicated to taking away Novell's networking operating system business ever since. While less publicized than Microsoft's conflict with Netscape over Internet browser software, the war over network operating systems may be more important in the long run. When the dust settles, one company could have control of the basic platform for network computing, allowing it to dictate the face of enterprise networking for years to come.

One of the pivotal battle lines is formed along a front called "directory services." Novell currently leads the way with NDS (Novell Directory Service), which first became available in Netware 4.0 and is also offered in the most recent version of its software, Netware 5.0. Microsoft is hoping to weigh in with its Active Directory service, to be made commercially available with the release of NT 5.0, currently only available as Beta test software.

What's in a Name?

Network operating systems bring together resources made available to users who have rights to access the network. Resources include such things as printers, files, applications or other computers. A directory service could be thought of as a central network database containing information specific to the network and its resources.

A directory service manages network resources to make them transparently available to users. It helps synchronize user information between multiple servers. A true directory service goes well beyond what are commonly known as "name services" -- relatively unadorned software that often provide services to a single application. For example, UNIX-based applications that require a user name and password to gain access may rely on a name service specific to that application. When a new user needs access to the application, an administrator must establish a user account that defines the user and privileges for that application only. Users are often required to log in to each application they need to access.

In our networked world, in which many users need access to many applications on many servers, the overhead of maintaining user accounts can get quite expensive. Directory services aim to alleviate that problem by providing what Ari Kaplan and Morten Strunge Nielsen, in their book NT 5: The Next Revolution, describe as a "physically distributed, logically centralized storage place for data that is used to administer the entire computer environment."

A directory service should make it easier to administer large numbers of servers, users and network resources in an enterprise environment. It should also provide users with the ability to easily locate network resources, including other users. Because of the explosive growth in networks and their increasing importance to core agency and business processes, many experts believe that directory services will be the next big thing in network computing.

X.500: Standard Issue

Most discussions of directory services at least mention the X.500 standard. Originally approved by the International Telecommunications Union in 1988, it defines a set of protocols and standards for global distributed directory services. However, like the Open Systems Interconnect model for network communications, X.500 has become more useful as a reference for describing or forming the conceptual basis for directory services than for actual implementation.

X.500 envisions a worldwide hierarchical directory structure that can include users, data, hardware and applications. Some have criticized X.500 as being too complex for implementation. At least partially in response to those criticisms, the University of Michigan developed the Lightweight Directory Access Protocol (LDAP) to implement one of X.500's protocols, but in a simpler way, optimized for ease of use and accommodating Internet requirements. Initially, the LDAP was designed primarily to allow users to query directories.
However, the LDAP itself has begun
to evolve into a more full-featured directory service that includes security and administration components. It has garnered increasing support from vendors and the Internet community at large.

NT Domains and Directory Service

As Microsoft has made its bid to make Window's NT the dominant corporate network operating system, it has encountered some criticism from network managers centered around NT's domain-oriented structure and what some see as shortcomings of the existing NT Directory Services. An NT domain is a logical grouping of network resources such as workstations, printers, servers or users.

The current problem, which Microsoft hopes to fix with the release of NT 5.0 and Active Directory, is that NT's domain model isn't really a full-service directory service. Not only is the information stored in the NT directory service limited, much of it is only available to network administrators. While some Microsoft NT add-on products, such as Exchange (messaging system) and SQL Server (database system), provide integration with the NT directory for sharing authentication resources, NT's implementation falls short of Novell's NDS and modern network directory service expectations.

Enter Active Directory

Another issue within large enterprises is that there may be several different directories in place. Network operating systems, e-mail systems, and "groupware" products may have their own directories. The ideal directory service would transparently provide network users a single integrated access to these disparate resources. Microsoft's solution to this problem, and its entry into full-service directory services, is "Active Directory" technology.

To be released with NT 5.0, Microsoft's Active Directory Service Interface (ADSI) is designed to provide a consistent, open set of interfaces for managing and using multiple directories.

According to Microsoft, "ADSI abstracts the capabilities of directory services from different network providers to present a single set of directory-service interfaces for accessing and managing network resources. Administrators and developers can use ADSI services to enumerate and manage resources in a directory service, no matter which network environment contains the resource."

Active Directory is intended to enable users, after logging onto the network from their desktops, to have full access to network resources and information even when such data may be contained in multiple directories. Microsoft also suggests that Active Directory will allow end users to easily locate information within the enterprise by providing searching and querying capabilities.

One big change with Active Directory is that it completes NT's migration from NetBIOS (the Network Basic Input Output System, a network extension of the old DOS operating system) to TCP/IP (Transmission Control Protocol/Internet Protocol, the standard Internet protocol). While this transition will require NT 5.0 Active Directory implementations to be erected on a new protocol set, the move eliminates some restrictions inherent in NetBIOS.

NT Domains haven't entirely disappeared in NT 5.0, but they will be able to be made larger, becoming the equivalent of hierarchical trees with many branches. Also changed is the way relationships between domains (called "trust relationships" under NT 4.0) are handled. These relationships have been reported to be more intelligent and flexible under NT 5.0.

Whether Microsoft's Active Directory technology is a hit with network managers may determine if it can surpass Novell in the war of the network operating systems. The outcome will probably not be apparent for at least another year or two.

NDS Inside

Novell has been in the directory-services business for many years. Netware 3.x, an earlier version of Novell's networking operation system (the current release is Netware 5.x) included the Bindery, a name service on each Netware server. When a new user needed access to a server's resources, an administrator created a user account and associated permissions with that account. If a user needed access to resources on five machines, the administrator was required to set up accounts on all five machines.

With the advent of Netware 4.x, Novell moved forward dramatically in the directory services area with NetWare Directory Services (NDS).

According to Novell, NDS is a "distributed computing infrastructure that stores information about all Internet, intranet, and network resources, enabling comprehensive and secure management of and access to those resources. Within NDS, network resources are represented by objects -- for example, individual users are represented by a user object, and divisions, departments or workgroups are represented by an organizational-unit object. NDS objects may represent any network resource, including physical devices such as printers and fax machines; software, such as database and word processing applications; or volumes in the network file system."

NDS provides authentication and access control services. It also has a distribution scheme that replicates parts of the directory to distributed servers. NDS automates the replication process, placing pieces of the directory ("replicas") on servers near the users most likely to need access. At the same time, administrators can control how many replicas are created and where they are located. NDS also supports the LDAP, making information available to applications that use the non-propriety lightweight protocol.

Novell has aggressively worked to port NDS to other platforms, including Windows NT. The intention seems to be to move NDS away from a required tie to NetWare. This makes sense in the larger scheme of directory services, which by definition should be available on a wide variety of platforms if they intend to rise to the challenge of serving an enterprise role.

Strongly in Novell's favor is that NDS is available now, and has been for four years, whereas NT's Active Directory is mostly an untried product designed for an operating system with no definite release date. By decoupling NDS from NetWare and emphasizing the importance of directory services to successful management of enterprise-wide networks, Novell seems to be trying to capitalize on its presence in the market to encourage users to adopt NDS in addition to NT, not in opposition to it.

The Direction of Directories

Finding phone numbers, looking up train or bus schedules, locating offices in a high-rise office building, finding the address of a favorite retail outlet, choosing what to order at the local restaurant, checking a book out of the local library -- each activity relies on a directory specific for that activity.

Imagine how much more difficult life would be if these directories were not available or were written in different languages. Conversely, imagine how much easier life would be if all the information in all these directories was available from one easily accessible, universally available directory.

In the world of computers, printers, disk space, users and applications, most agencies are stuck with a computer operating environment in which directories are not easily available, are written in different languages or are just plain confusing. Directory services aim at getting rid of that confusion by consolidating all computer-based directories into one global, coordinated view. If vendors can deliver on the promises, life should get much easier for administrator and user alike.

John Stanard and David Aden are senior consultants with webworld studios inc., a Northern Virginia-based Internet consulting and Web application development company. Email
David Aden
David Aden is a writer from Washington, D.C.