Directory service distress

Today, the stakes are much, much higher. Directory services ultimately will control all objects on corporate intranets, and even the Internet itself. At issue is the control and management of your network.
Written by Eric Carr, Contributor

Remember the NOS wars of the last decade: LAN Manager vs. NetWare? Fast-forward to today, and substitute directory services as the object of desire. The hype is coming fast and furious. Novell demonstrates a billion objects in a directory and claims scalability superiority. Microsoft benchmarks the fastest directory search times and decrees the arrival of the universal directory panacea. Same song, different words.

Why the brouhaha? At issue is the control and management of your network, not to mention that of your partners and their partners. Novell won the first round in the local-area-network competition a while back, but that was when the brass ring was merely file-and-print services on departmental networks. Today, the stakes are much, much higher. Directory services ultimately will control all objects on corporate intranets, and even the Internet itself.

Authenticating users and managing permissions to applications and file systems across the Internet is no small challenge. You've got to worry about (potentially) millions of users and thousands of files. And that's just at your site.

For years, Novell has been asserting that the only way to manage all of these objects is via a directory.

In 1993, the company released NetWare 4.0, which included the first iteration of NetWare Directory Services (the product since has been recast as Novell Directory Services).

NDS was the first directory integrated into a network operating system managing users, files, printers and other network objects. NDS has, over time, evolved into a product in its own right.

With the product now called eDirectory, Novell chose to "go wide" and provide native cross-platform implementations. eDirectory has been ported to NT, Solaris and Linux, and Novell claims that support for Compaq's Tru64 Unix is imminent.

NDS certainly is powerful, but it lacks application support. Granted, Novell's BorderManager and GroupWise, Oracle's database, and IBM's WebSphere are NDS-enabled—but just on the NetWare platform. And NetWare is hardly an ideal application server. It wasn't until NDS became accessible to applications via the Lightweight Directory Access Protocol (LDAP) that things began to look up. Applications now can access the directory for information far more easily than before.

Still, Novell failed to make NDS a de facto directory standard, leaving the door open for Microsoft's long-delayed Active Directory (AD), which is part of Windows 2000's plumbing. All of Microsoft's next-generation .Net server applications—from SQL Server to Exchange Server—will be tied to AD for user authentication and access permissions. And that's just the opening salvo. It's a compelling story, if you believe everything Microsoft CEO Steve Ballmer is saying about features, scalability, reliability and management. The caveat, of course, is that everything—both clients and servers—has to run some variant of Windows 2000.

At first glance, choosing a directory is fairly easy: either go for broad platform support (NDS) or broad application support (AD). Actually, the choice isn't as cut-and-dried as that, because the folks in both Provo and Redmond have agreed to play nice, at least for a while. Indeed, both companies are developing directory synchronization tools that allow NDS and AD to coexist on a network.

From what we can tell, all of the solutions are full duplex, meaning information entered in one directory will be faithfully replicated in the other. So it appears that you can use whichever directory you want and have some degree of confidence that additions, deletions and changes will show up in the other.

At the most basic level, Microsoft's Directory Synchronization Service (MSDSS) handles either uni-directional or bidirectional updating of the most frequently changed objects. Typically, these objects are users, groups, organizational units, containers and their associated attributes. MSDSS synchronizes a variety of changes to these objects, such as adds, deletes, renames, moves and modifies. Microsoft cautions, however, that this service should be used for "user account information and not much more." MSDSS also can read from (but not write to) NetWare 3.x binderies. MSDSS is included on the Services for NetWare version 5 CD, available through normal Microsoft Authorized Distributors.

Stepping up a notch in functionality and connectivity, the Microsoft Metadirectory Service (MMS) is the company's recommended way to synchronize between AD and other directories, or when more than user account information is necessary (see chart at right). MMS is based upon metadirectory technology from Zoomit, which Microsoft acquired in 1999. MMS uses a classic metadirectory model to translate the changes from one directory or data source to another. MMS is available either by engaging Microsoft Consulting Services or MMS partners like ePresence (formerly Banyan Systems), Deloitte Consulting, Lucent NetCare, NetConnect, Unisys and Valinor. Members of the MCSP program also can become trained in delivering MMS-based solutions. More information can be found at www.microsoft.com/windows2000/news/bulletins/mmsfaq.asp.

Novell is approaching directory synchronization from a different perspective. Instead of using a metadirectory, it is building connectors or "drivers" between eDirectory and other data sources (including AD), using its DirXML technology. DirXML shipped in September, and, like MMS, is available only through engagements with Novell Consulting Services or Novell Authorized Consulting Services Integrator partners Deloitte & Touche, Computer Sciences Corp., MarchFirst and Perot Systems.
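To make the synchronization model concrete, here is an added Python example that is not code from Microsoft, Novell or this article. It models the change types MSDSS handles (adds, deletes, renames, moves and modifies), the translation step a metadirectory such as MMS performs between two schemas, and the full-duplex behaviour described above. The object ids, attribute names, DNs and sample entries are constructed for the example; real NDS and AD schemas and identifiers differ. Two design points carry the security weight: objects changed on both sides since the last sync are flagged rather than silently overwritten, and deletes are held for review rather than replicated, because a synchronized delete removes the account and its permissions from both directories at once.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Added illustration, not Microsoft, Novell or article code. A directory is a dict
# keyed by a stable object id (constructed stand-in for a GUID), so a rename or
# move changes an entry's DN but not its key. Both sides use LDAP-style DNs.

@dataclass
class Entry:
    dn: str
    attrs: Dict[str, str] = field(default_factory=dict)

@dataclass
class Change:
    kind: str                      # add | delete | rename | move | modify
    oid: str
    dn: str
    attrs: Dict[str, str] = field(default_factory=dict)

def _split(dn: str):
    """Return (leaf RDN, parent container) of an LDAP-style DN."""
    parts = dn.split(",", 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")

def diff_directory(before: Dict[str, Entry], after: Dict[str, Entry]) -> List[Change]:
    """Change set (adds, deletes, renames, moves, modifies) since the last sync."""
    changes: List[Change] = []
    for oid, cur in after.items():
        old = before.get(oid)
        if old is None:
            changes.append(Change("add", oid, cur.dn, dict(cur.attrs)))
            continue
        (old_rdn, old_parent), (new_rdn, new_parent) = _split(old.dn), _split(cur.dn)
        if old_parent != new_parent:
            changes.append(Change("move", oid, cur.dn))
        elif old_rdn != new_rdn:
            changes.append(Change("rename", oid, cur.dn))
        if old.attrs != cur.attrs:
            changes.append(Change("modify", oid, cur.dn, dict(cur.attrs)))
    for oid, old in before.items():
        if oid not in after:
            changes.append(Change("delete", oid, old.dn))
    return changes

def translate(change: Change, attr_map: Dict[str, str]) -> Change:
    """Metadirectory translation step: rename attributes into the target schema.
    Unmapped attributes are dropped so source-only data never lands in the target."""
    attrs = {attr_map[k]: v for k, v in change.attrs.items() if k in attr_map}
    return Change(change.kind, change.oid, change.dn, attrs)

def apply_changes(target: Dict[str, Entry], changes: Iterable[Change], dirty: Set[str]) -> List[str]:
    """Apply a translated change set. Objects the target itself changed since the
    last sync (dirty) are flagged, not overwritten; deletes are held for review."""
    flagged: List[str] = []
    for c in changes:
        if c.oid in dirty:
            flagged.append(f"conflict: {c.kind} of {c.dn} changed on both sides")
        elif c.kind == "add":
            target[c.oid] = Entry(c.dn, dict(c.attrs))
        elif c.kind == "delete":
            flagged.append(f"held: delete of {c.dn} not propagated")
        elif c.oid not in target:
            flagged.append(f"missing: {c.kind} of {c.dn} has no target object")
        elif c.kind in ("rename", "move"):
            target[c.oid].dn = c.dn
        else:  # modify
            target[c.oid].attrs.update(c.attrs)
    return flagged

def sync_bidirectional(prev_a, cur_a, prev_b, cur_b, a_to_b, b_to_a) -> List[str]:
    """Full-duplex sync: take both change sets first, then apply each to the other
    side, treating the other side's own changes as conflicts."""
    changes_a = diff_directory(prev_a, cur_a)
    changes_b = diff_directory(prev_b, cur_b)
    dirty_a = {c.oid for c in changes_a}
    dirty_b = {c.oid for c in changes_b}
    flags = apply_changes(cur_b, (translate(c, a_to_b) for c in changes_a), dirty_b)
    flags += apply_changes(cur_a, (translate(c, b_to_a) for c in changes_b), dirty_a)
    return flags

# Constructed attribute map between an eDirectory-style and an LDAP/AD-style schema.
A_TO_B = {"Surname": "sn", "Given Name": "givenName"}
B_TO_A = {v: k for k, v in A_TO_B.items()}

def demo():
    """Constructed scenario: since the last sync, side A modified alice, moved bob,
    deleted carol and added dave; side B independently modified alice."""
    prev_a = {"g1": Entry("cn=alice,ou=eng,o=acme", {"Surname": "Smith"}),
              "g2": Entry("cn=bob,ou=eng,o=acme", {"Surname": "Jones"}),
              "g3": Entry("cn=carol,ou=ops,o=acme", {"Surname": "Lee"})}
    cur_a = {"g1": Entry("cn=alice,ou=eng,o=acme", {"Surname": "Smith-Doe"}),
             "g2": Entry("cn=bob,ou=ops,o=acme", {"Surname": "Jones"}),
             "g4": Entry("cn=dave,ou=eng,o=acme",
                         {"Surname": "Nguyen", "Login Script": "MAP F:=SYS:"})}
    prev_b = {k: Entry(e.dn, {"sn": e.attrs["Surname"]}) for k, e in prev_a.items()}
    cur_b = {k: Entry(e.dn, dict(e.attrs)) for k, e in prev_b.items()}
    cur_b["g1"].attrs["sn"] = "Smythe"
    flags = sync_bidirectional(prev_a, cur_a, prev_b, cur_b, A_TO_B, B_TO_A)
    return {"a": cur_a, "b": cur_b, "flags": flags}
```

Running `demo()` shows bob's move and dave's add (minus the unmapped login script) arriving on side B, carol's delete held back, and alice flagged as a conflict in both directions rather than one side's edit winning by accident. A product-grade connector would also map container names between the two naming schemes and persist the "previous state" snapshot between runs; both are omitted here to keep the mechanism visible.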

Over time, a shrink-wrapped version will be available with a limited number of connectors for specific environments and applications, according to Mark Greer, Novell product manager for DirXML and eDirectory. "We're doing a phased release of the product to our integration partners, then to our channel partners, and then the retail version," he notes.

The initial release of DirXML contains connectors to Lotus Notes, AD, Exchange, eDirectory and iPlanet's Directory Server. Novell claims additional drivers for NT domains and PeopleSoft will be available on the Internet sometime this month.

To some, it may seem a battle royale, but making these (and other) directories talk quickly and cleanly is a monumental systems-integration opportunity.

With most of the directories speaking LDAP v3 these days, you can use either of the products we've been concentrating on here, or any of a number of other products, such as IBM's SecureWay, Oracle's Internet Directory or CA's eTrust.

It probably wouldn't hurt to bone up on your metadirectory skills, or partner with someone who brings that core competency to the party. With the large number of products and relatively stable technology, you don't need to put all of your eggs in one basket.

Instead, leverage the strengths of each vendor you choose and turn directory hell into one hell of a directory opportunity.
