Windows 2000's Active Directory at the University of Oregon
The Computing Center is still continuing to monitor, test, and evaluate Active Directory (See Selected References below)
By Joe St Sauver
joe@oregon.uoregon.edu
Because a number of users or departments have asked about the Computing Center's plans vis-à-vis Microsoft Windows 2000's Active Directory, we wanted to let everyone know that while we will continue to monitor, test, and evaluate Active Directory and other network directory solutions, we don't believe the time is ripe for an organization-wide roll-out of production Active Directory services.
Active Directory is not just a simple online phonebook, although it does use LDAP as part of its underpinnings. If you want to learn more about the nuances, there are several online resources you may peruse:
1. Microsoft's "Active Directory Overview" - http://www.microsoft.com/windows2000/guide/server/features/dirlist.asp
2. PC Magazine (UK)'s May 2000 "First Look Shoot-Out on Directory Services" (a more accessible and pragmatically focused discussion than Microsoft's) - http://www.zdnet.co.uk/pcmag/ne/shoot-out/2000/05/01.html
3. The USA version of PC Magazine - http://www.zdnet.com/pcmag/stories/reviews/0,6755,2426097,00.html
The latter describes directory services generically as "... nothing more than orderly ways of classifying and managing resources on a network, be they users, printers, servers or security parameters," and goes on to say that, "Directories become the points of reference for applications and user services. They help find a printer in a field office, locate a user and direct an e-mail, or verify that a user has access rights to a particular file. They also provide single sign-on, which gives a user access to the whole network from a single log-on." Described that way, directory services sound fairly innocuous. In reality, however, directory services are quite profound. As Scott Berinato of eWEEK states, "As IT departments consider how Windows 2000 and its Active Directory will affect their operations, some are finding that they are not just picking a directory, they're espousing a network philosophy." (http://www.zdnet.com/eweek/stories/general/0,11011,2433130,00.html) Berinato is correct. Directory services are potentially the very heart of an organization's networking, and need to be deployed in a sound, scalable, and supportable fashion if they are deployed at all.
There are many reasons for not deploying Active Directory at this time, including:
1. Other solutions are available. Active Directory isn't the only available network directory solution. If we need and want network directory services, another product (such as Novell's NDS) might well be the preferred alternative.
2. Active Directory is currently very Microsoft-centric. As Active Directory matures, it will likely be ported to and supported on a wider range of platforms, but clean solutions for non-Microsoft products aren't there today. Availability of top-notch cross-platform solutions is a critical consideration in an open standards-based environment such as ours, where Microsoft's operating systems represent only one of several different systems in widespread use. To quote Microsoft (http://www.microsoft.com/Windows2000/news/bulletins/novellpart3.asp): "... Microsoft believes that a cross-platform directory is less important to customers who are looking for an enterprise identity management solution than is a directory solution that is fully interoperable with other directories and includes native LDAP support."
3. Bugs. Microsoft's Active Directory represents a great deal of new code. Like all new code, it will undoubtedly have bugs and security vulnerabilities. Several major problems have already been detected and fixed (see Selected References below), but it's quite likely there will be other issues as well. Eventually these will be identified and eliminated, resulting in a more stable and secure product appropriate for mission-critical production networking environments.
4. Active Directory is tightly coupled with DNS (Domain Name Service), and requires support for RFC 2052 service (SRV) resource records and the RFC 2136 dynamic update protocol. Because DNS is such a core component of Internet access, any service which interacts with or changes the operation of the UO's DNS has potentially profound operational and security implications for the campus. Moreover, it's clear that Active Directory would work best in an environment where the enterprise's core DNS services are hosted on a Windows 2000 system, while in the UO's case, as with most universities, core DNS services are delivered using BIND under Unix.
5. There are dramatically different ways that Active Directory can be deployed, and selection of the correct method is partially a matter of reconciling organizational responsibilities and authorities. This is particularly tricky in a largely decentralized university environment. Oxford University has done an excellent job of outlining some of the possible options, although it's worth noting that Oxford, like the UO, is currently deferring deployment of Active Directory.
6. Active Directory domains cannot be renamed or moved, nor can you merge Active Directory domain trees. This means that there are effectively some irreversible decisions associated with deploying Active Directory. Implementation of irreversible decisions obviously merits very careful study and deliberate action.
7. Some Microsoft Active Directory interoperability products require use of non-TCP/IP protocols. For example, Microsoft's Gateway Services for NetWare and File and Print Services for NetWare require IPX, although Microsoft says, "If NetWare 5 and the use of TCP/IP in NetWare-based networks garner more customer interest than has so far been the case, Microsoft will certainly consider TCP/IP support for its other NetWare interoperability tools and services." (http://www.microsoft.com/Windows2000/news/bulletins/novellpart5.asp) As a campus, we are beginning to work to reduce and eventually eliminate routing of non-TCP/IP protocols, so it would not be in our best interest to install a product that currently requires us to take steps in the opposite direction.
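Point 4 above is the one a site running BIND can check concretely: once the four subtrees Windows 2000 domain controllers register into have been delegated, any RFC 2136 update that lands elsewhere in the zone, or comes from a host that is not a domain controller, is something the DNS administrators should see. The following audit script is an added example written for this article, not Computing Center or Microsoft tooling; the domain name, controller addresses and log lines are all constructed placeholders in the style of BIND 9's update logging.

```python
"""Audit BIND dynamic-update log lines against an Active Directory footprint.

Added example, not part of the original article. Assumes _msdcs, _sites,
_tcp and _udp under the AD domain are the only subtrees where RFC 2136
updates are expected, and only from the domain controllers. All names,
addresses and log lines below are constructed for illustration.
"""
import re

AD_DOMAIN = "ad.example.edu"                        # placeholder AD DNS domain
DC_ADDRESSES = {"192.0.2.10", "192.0.2.11"}         # placeholder domain controllers
AD_SUBZONES = ("_msdcs", "_sites", "_tcp", "_udp")  # subtrees AD registers SRV/CNAME records into

# Constructed lines in the style of BIND 9's 'update' logging category.
SAMPLE_LOG = """\
client 192.0.2.10#1034: updating zone 'ad.example.edu/IN': adding an RR at '_ldap._tcp.dc._msdcs.ad.example.edu' SRV
client 192.0.2.11#1041: updating zone 'ad.example.edu/IN': adding an RR at '_kerberos._udp.ad.example.edu' SRV
client 192.0.2.10#1034: updating zone 'ad.example.edu/IN': adding an RR at 'dc1.ad.example.edu' A
client 198.51.100.7#5353: updating zone 'ad.example.edu/IN': adding an RR at '_ldap._tcp.ad.example.edu' SRV
client 198.51.100.8#5353: updating zone 'example.edu/IN': deleting rrset at 'www.example.edu' A
"""

UPDATE_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: updating zone '(?P<zone>[^/']+)/IN': "
    r"(?P<op>adding an RR at|deleting rrset at) '(?P<name>[^']+)'(?: (?P<type>\S+))?"
)


def in_ad_subzone(name):
    """True if name lies under one of the delegated AD subtrees of AD_DOMAIN."""
    name = name.rstrip(".").lower()
    suffix = "." + AD_DOMAIN
    if not name.endswith(suffix):
        return False                       # other zones, and the AD domain apex itself
    relative = name[: -len(suffix)].split(".")
    return relative[-1] in AD_SUBZONES


def classify_update(line):
    """Return the findings for one log line; an empty list means acceptable."""
    m = UPDATE_RE.search(line)
    if not m:
        return []
    findings = []
    if m["ip"] not in DC_ADDRESSES:
        findings.append(f"update from non-DC address {m['ip']} to {m['name']}")
    if not in_ad_subzone(m["name"]):
        # DC host A records land here too: they must be managed statically.
        findings.append(f"update outside delegated AD subtrees: {m['name']} ({m['type']})")
    return findings


def audit(log_text):
    """Run every line through classify_update and collect all findings."""
    return [f for line in log_text.splitlines() for f in classify_update(line)]
```

Run against the constructed sample, `audit(SAMPLE_LOG)` reports four findings: the controller's own A record (outside the delegated subtrees), one SRV update from a non-controller address, and a non-controller update to the parent zone that fails both checks.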
For all the reasons outlined above, and more, we're not rushing to deploy Active Directory. This is not to say that the UO will never deploy Active Directory, nor do we mean to imply that it has no advantages, because clearly it does facilitate certain activities. It is simply that right now, for the UO, there's no compelling mission-critical requirement that we push ahead with Active Directory until its problems are resolved.
Selected References
Active Directory Overview (Microsoft) - http://www.microsoft.com/windows2000/guide/server/features/dirlist.asp
PC Magazine First Looks: Shoot-Out: Directory Services - http://www.zdnet.co.uk/pcmag/ne/shoot-out/2000/05/01.html
Active Directory Forces IT into Tough Choices (eWEEK) - http://www.zdnet.com/eweek/stories/general/0,11011,2433130,00.html
Novell NDS for NT Facts - http://www.shi.com/Global/Content/Vendors/Novell/nds/nds_facts.html
Microsoft's Perspective on Novell's Active Directory Claims (Five Parts) - http://www.microsoft.com/windows2000/news/bulletins/novell.asp
Windows 2000 Active Directory in the University of Oxford - http://www.oucs.ox.ac.uk/micros/oss/win2k/background.html
A Flaw in Active Directory? (Network World) - http://www.nwfusion.com/archive/1999b/0816kearns.html
Active Directory: For Now, Try to Live Without It (Computerworld) - http://www.computerworld.com/cwi/story/frame/0,1213,NAV47-81_STO40718,00.html
Microsoft to Patch Active Directory (CNN, February 25, 2000) - http://www.cnn.com/2000/TECH/computing/02/25/patch.active.idg/
Bug Knocks Active Directory for a Loop (IDG) - http://www.idgnet.com/crd_active_163777.html
Gartner Group's Windows 2000 Professional Migration Model - http://www.microsoft.com/windows2000/news/bulletins/gartner.asp
Exchange 2000: Active Directory Ties That Bind - http://www1.zdnet.com/products/stories/reviews/0,4161,2347836,00.html