How to Form Your Microsoft Active Directory Strategy

  

CIOs and many other corporate executives want insight into the future of directory services because they play an important infrastructure role in modern distributed computing systems. The use of Microsoft's Active Directory (AD) is growing, and questions about the technology are increasing. Gartner discussed the main issues with AD, including deployment success, common pitfalls, timing, organizational structure, and technical issues.


Active Directory Overview

Whether centralized or decentralized, enterprise directory services touch every corner of the business and often extend beyond it to business partners and customers. Since the launch of Windows 2000 in February 2000, Microsoft has established itself as a provider of distributed processing for enterprises. Microsoft recognized the growth of distributed computing based on Internet technology and used Windows 2000 to revise its directory structure to accommodate a network-oriented world. AD is Microsoft's directory service and a core part of the Windows 2000 system.


AD is an enterprise directory system that automates the control and coordination of user data, security and distributed resources. AD's hierarchical namespace and its Kerberos-based authentication model are critical to Microsoft's goal of making Windows servers the foundation of company-wide distributed computing. From a central location, AD helps administrators manage a corporate network even when the business spans cities, countries or hemispheres.


AD replaces Windows NT's flat, inflexible domain structure with a hierarchical, distributed directory service for controlling resources on the Internet or an intranet. AD is based on Internet-oriented standards such as the Lightweight Directory Access Protocol (LDAP) and the Domain Name System (DNS). It is designed to provide global access to a variety of stored information. Through a single enterprise interface, AD helps administrators control clients, servers, users and network resources. Its hierarchical structure provides distributed, multimaster access for managing elements such as applications, clients, servers and user accounts.


Production Deployment of AD under Windows 2000



Production deployment of AD under Windows 2000 has been very successful. Some companies have deployed AD to serve internal user populations ranging from hundreds to as many as 175,000 users in a single, global domain. In fact, Gartner has confirmed that one company uses AD as an extranet (LDAP) directory managing 3.5 million users. Gartner's overall assessment of AD deployments is: so far, not bad.


Common Pitfalls in AD Deployments

The most common setbacks encountered by Gartner's client companies are:

Failure to account for the political dimension of AD design and deployment

Heated debates continue over consolidating domains into organizational units, over domain versus forest boundaries, and over non-Windows DNS resolution. These debates can significantly delay design and deployment.


Failure to fully analyze AD replication requirements

Replication requirements must be analyzed in full against the existing network bandwidth and the domain controller configuration (especially primary domain controllers); skipping this analysis leads to malfunction. If AD cannot reliably complete its replication cycle, it will not function properly.


Organizational units or groups are nested too deeply

Organizational units or groups that are nested too deeply can produce excessively complex group policies or poor performance while group policy is processed at logon. Some companies that designed very complex group policies have had to adjust them after deployment because of poor performance or unpredictable results. Gartner recommends that companies use no more than five levels of nested organizational units.
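As an added illustration (not part of the original article), the following Python script measures how deeply each organizational unit is nested, using the five-level ceiling Gartner recommends, and also walks group-in-group membership to report nesting depth and membership cycles, both of which inflate logon-time policy and token processing. The distinguished names and group memberships are constructed sample data standing in for an LDIF or dsquery export; applying the same five-level limit to groups is an assumption, since the article states the limit only for organizational units.

```python
"""Audit OU and group nesting depth from exported distinguished names.

All input below is constructed sample data; nothing here contacts a
domain controller, so the script runs offline against any export.
"""

MAX_OU_DEPTH = 5  # Gartner's recommended ceiling on nested OUs


def split_rdns(dn):
    """Split a DN into its RDN strings, honouring backslash-escaped commas."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns


def ou_depth(dn):
    """Number of OU components in a DN, i.e. how deeply the object is nested."""
    return sum(1 for rdn in split_rdns(dn) if rdn.upper().startswith("OU="))


def find_deep_ous(dns, limit=MAX_OU_DEPTH):
    """Return (dn, depth) for every DN nested deeper than the limit."""
    return [(dn, ou_depth(dn)) for dn in dns if ou_depth(dn) > limit]


def analyze_groups(nested):
    """Compute nesting depth for a {group_dn: [member_group_dn, ...]} map.

    Depth 1 is a group containing no other groups.  Returns (depth_by_group,
    cycles); a cycle is listed as the path that closes back on itself.
    """
    depth, cycles, on_path = {}, [], []

    def visit(group):
        if group in depth:
            return depth[group]
        if group in on_path:  # back edge: membership loops around
            cycles.append(on_path[on_path.index(group):] + [group])
            return 0  # stop here; depth along a cycle is unbounded
        on_path.append(group)
        d = 1 + max((visit(m) for m in nested.get(group, [])), default=0)
        on_path.pop()
        depth[group] = d
        return d

    for group in nested:
        visit(group)
    return depth, cycles


def audit(ous, groups, limit=MAX_OU_DEPTH):
    """Summarize everything an administrator would want to look at."""
    depths, cycles = analyze_groups(groups)
    return {
        "deep_ous": find_deep_ous(ous, limit),
        "deep_groups": sorted(g for g, d in depths.items() if d > limit),
        "group_cycles": cycles,
    }


# Constructed sample OUs, as an export might list them.
SAMPLE_OUS = [
    "OU=Sales,DC=example,DC=com",
    "OU=EMEA,OU=Sales,DC=example,DC=com",
    "OU=Desktops,OU=Berlin,OU=Germany,OU=EMEA,OU=Sales,DC=example,DC=com",
    "OU=Laptops,OU=Floor 3,OU=Desktops,OU=Berlin,OU=Germany,OU=EMEA,OU=Sales,"
    "DC=example,DC=com",
    "OU=R\\,D,DC=example,DC=com",  # escaped comma inside an RDN value
]

# Constructed sample group -> member-group map, including one cycle.
_G = "OU=Groups,DC=example,DC=com"
SAMPLE_GROUPS = {
    f"CN=All Staff,{_G}": [f"CN=Sales,{_G}", f"CN=IT,{_G}"],
    f"CN=Sales,{_G}": [f"CN=Sales EMEA,{_G}"],
    f"CN=Sales EMEA,{_G}": [f"CN=Sales Berlin,{_G}"],
    f"CN=Sales Berlin,{_G}": [],
    f"CN=IT,{_G}": [f"CN=Helpdesk,{_G}"],
    f"CN=Helpdesk,{_G}": [f"CN=IT,{_G}"],  # Helpdesk -> IT -> Helpdesk
}

if __name__ == "__main__":
    for key, value in audit(SAMPLE_OUS, SAMPLE_GROUPS).items():
        print(key)
        for item in value:
            print("   ", item)
```

On a real domain the two inputs would come from an LDAP search for `objectClass=organizationalUnit` and for each group's `member` attribute filtered to group objects; the analysis itself does not change.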


Timing and Features

If a company has not deployed AD yet, should it wait for the Windows .NET 2003 version of AD? The decision should be based on timing and on the company's AD functional requirements.

Windows .NET 2003 AD will be released in the second quarter of 2003 (0.9 probability)

Gartner believes that Type B enterprises (mainstream users of technology) can deploy Windows .NET 2003 AD immediately for small (up to 5,000 users) deployments. However, Gartner recommends that Type B enterprises wait 60 days before upgrading Windows 2000 domain controllers to Windows .NET 2003 AD domain controllers. Gartner also recommends that Type B companies wait 60 days before a medium-sized (up to 25,000 users) deployment, and 90 days before deploying a large (more than 25,000 users) Windows .NET 2003 AD environment. Gartner recommends that Type C companies (conservative users of technology) wait six months before deploying at any size. This means that, for most businesses, widespread use of Windows .NET 2003 AD should be planned for the second half of 2003.


Windows .NET 2003 includes defect fixes and improvements in AD

Enterprises should evaluate the new features of Windows .NET 2003 AD to determine whether they add value to their own AD deployment. If there is no real value, companies should consider deploying Windows 2000 AD now and upgrading to Windows .NET AD later (for example, in 2004). Keep in mind that the value of mixing Windows 2000 and Windows .NET 2003 AD domain controllers is limited; the enterprise should reach a stable state on one version or the other.


Using the Organizational Structure to Handle Planned Change Requests

Because a company's political structure differs greatly from that of a public-sector organization, there is no one-size-fits-all answer to this question. Three effective ways to create an AD change control mechanism are:

Let the directory team or directory designer handle change requests

This method is most effective when the directory team and designer are part of a global IS department.


For a multi-domain environment, create a management board

The board includes the domain administrators, who must agree unanimously to any change. Obviously, this only works well when the number of domains is limited.


Create a board of representatives

This board includes representatives from security, networking, Windows management, the help desk and application development. In this case, unanimous approval is not required, although it is ideal.


Third-Party Tools for Managing AD

Many companies can manage their AD environment with Microsoft tools and utilities (including those in the Windows 2000 Resource Kit). However, third-party tools can add value in several specific areas:

Security reporting and auditing
Managing multi-domain or multi-forest implementations
Managing and applying Group Policy
Monitoring AD health
Implementing a task-based management model (as opposed to AD's hierarchical model)


Vendors providing tools in this area include Aelita Software, BindView, FullArmor, NetIQ, NetPro and Quest Software.


Standardizing on AD for All Directory Needs

Standardizing on AD to meet all directory needs may not be possible. Operating systems and applications are often tied to specific directories. For example, NetWare requires eDirectory, Oracle applications require Oracle Internet Directory, Lotus Notes requires the Notes directory, and so on. Gartner strongly recommends that companies integrate directories rather than trying to "put the application into the directory."


Using AD as an enterprise-wide LDAP directory

Whether this is feasible depends on the applications that will access the directory. There are two considerations.


Although AD supports LDAP v.3, it adds many additions, extensions and interpretations to the LDAP specification. Programmers writing directory-enabled applications may choose to use optional parts of the specification that AD does not support. This issue is not unique to AD: in today's market, no LDAP-enabled directories are truly interchangeable. Enterprises must test the compatibility of each application with the target directory.


Even when an application is compatible with AD, the software vendor may not support it. The biggest lie in the directory world is a software vendor's claim that its products are compatible with "any" LDAP directory. The truth is that every software vendor is prepared to support only a limited number of directories.


Gartner believes that running an application in a configuration its software vendor does not support is too risky for most companies. Note also that AD's LDAP support will continue to improve. The Windows .NET 2003 release includes some new LDAP features, and Gartner expects Microsoft to release an enhanced version of AD called Application Mode, providing stand-alone LDAP support, in the second half of 2003.


Bottom Line

AD deployments to date have gone very smoothly. As new versions emerge, companies must carefully match their deployment requirements to the release timelines of Windows .NET 2003 AD and of AD Application Mode. Companies should also remember that the successful deployment of AD, or of any directory product, requires attention to application compatibility and to the political structure of the enterprise.

