Windows Active Directory

Networking and Communications

Oct 24, 2013

Differences: Windows Active Directory and Novell Directory Services

Donnie Hamlett, Technology Specialist, Microsoft, New York

Agenda

- Introduction
- X.500 Directories, History and Terminology
- X.500 Implemented with AD and NDS
- Objects
- Networking and Services
- LDAP
- Directory Design and Partitioning the Directory
- Programming
- Summary

Introduction

The purpose of this session is to give a thorough understanding of the basic differences between Windows 2000 Active Directory and Novell NDS.

X.500 History

- X.500 is the standard produced by the ISO/ITU defining the protocols and information model for a directory service that is independent of computing application and network platform.
- X.509 Authentication Framework is a series of standards describing the use of digital certificates and PKI.
- X.525: Replication.
- First released in 1988 and updated in 1993 and 1997.
- The X.500 standard defines a specification for a rich, distributed directory based on hierarchically named information objects (directory entries) that users can browse and search.
- X.500: glorified, very logical, electronic yellow pages for X.400 messaging systems.

X.500 Fundamentals

- DIB - Directory Information Base: the actual database(s) that store(s) the entries in the directory service.
- DIT - Directory Information Tree: dictated by the database schema to present a hierarchical tree of objects.

X.500 Schema

- Schema: the design of the directory store. Defines objects, attributes, and system information.
- Object Classes:
  - Define the kinds of objects that can be instantiated in the directory
  - Define the rules for an object
  - Define the attributes that are intended for the object

X.500 Objects and Attributes

- Objects: specific entries in the directory store; they are composed of attributes.
- Attributes: describe certain aspects of the object.

Example (from the slide): a USER OBJECT with the attributes First Name, Last Name, Phone Number, Address.

X.500 Directory Services

- DSA - Directory System Agent: the actual process that client applications bind to in order to search the directory. Utilizes DSP - Directory System Protocol.
- DUA - Directory User Agent: client process that binds to a DSA to retrieve information from the directory. Utilizes the Directory Access Protocol.
- Access Protocols:
  - DAP - Directory Access Protocol
  - LDAP - Lightweight Directory Access Protocol, developed because DAP is bulky and did not lend itself to the Internet.

X.500 Directory Services - Hierarchy

- Hierarchy: the representation of data in the directory. Easier to use than flat systems. Defined in X.500.
- Naming attributes, from the (Root) down:
  - DC - Domain Component
  - C - Country
  - L - Locality
  - O - Organization
  - OU - Organizational Unit
  - CN - Common Name
- Distinguished Name: defines the name and location in the DIT.
- Relative Distinguished Name: uses a reference point; a partial name.

Example (from the slide): O=US, O=Microsoft, OU=Development, CN=Thomas

X.500 Implemented with AD and NDS

- No one used the full set of X.500 definitions to design their directory service.
- Everyone has their own proprietary take on how X.500 is implemented.

Differences - X.500 Names

Both Novell and AD use X.500 name schemes but they do not implement all of them.

- Active Directory: DC, OU, CN
- Novell Directory Service: C, O, OU, CN

Differences - Objects

Windows: Static Inheritance
- More weight on the directory at creation; write intensive
- All ACEs are contained within the object
- Larger objects increase the size of the DIB
- Rights controlled by groups

Novell: Dynamic Inheritance
- When the object is called you must aggregate its rights by walking the tree
- More weight on the directory when read
- Rights controlled by OUs (also groups)
- Must tree walk; this can go across the WAN (bad)


Object Access

- Access to directory objects is controlled via Access Control Lists (ACLs).
- Fine granularity is provided by Access Control Entries (ACEs) that apply to specific attributes.

Diagram (from the slide): a directory object carries an ACL; one ACE grants "Sales Managers" read access; ACEs can apply to specific attributes.
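The static-versus-dynamic inheritance contrast of the previous slide and the attribute-level ACEs of this one, as an added example that is not part of the presentation. It is a toy model in Python: the tree (O=Acme, OU=Sales, CN=Bob), the groups and the ACEs are constructed for illustration, and the deny-wins evaluation rule is a simplification of the real Windows ACL algorithm. The static model copies the parent's ACL into each new object (write-time cost, larger object); the dynamic model stores only local ACEs and walks the tree at read time.

```python
"""Added example (not part of the presentation): attribute-level ACEs evaluated
under the two inheritance models the slides contrast. The tree, the groups and
the ACEs below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Ace:
    trustee: str                      # group or user the entry applies to
    right: str                        # "read" or "write"
    attribute: Optional[str] = None   # None = whole object, else one attribute
    allow: bool = True                # False = explicit deny


@dataclass
class DirObject:
    name: str
    parent: Optional["DirObject"]
    local_aces: list                                    # ACEs set directly on this object
    effective_aces: list = field(default_factory=list)  # static model: filled at creation


def add_object_static(name, parent, aces):
    """Static inheritance (the Windows model on the slide): the new object
    carries every inherited ACE plus its own, so nothing is walked on read."""
    inherited = list(parent.effective_aces) if parent else []
    return DirObject(name, parent, list(aces), inherited + list(aces))


def add_object_dynamic(name, parent, aces):
    """Dynamic inheritance (the Novell model on the slide): store local ACEs only."""
    return DirObject(name, parent, list(aces))


def effective_acl_dynamic(obj):
    """Aggregate rights by walking up to the root; returns (acl, hops walked)."""
    chain, node = [], obj
    while node is not None:
        chain.append(node)
        node = node.parent
    acl = []
    for node in reversed(chain):          # root first, so deeper ACEs come later
        acl.extend(node.local_aces)
    return acl, len(chain)


def check_access(acl, trustee_groups, right, attribute):
    """Explicit deny wins. An ACE with attribute=None covers every attribute;
    an attribute-specific ACE applies only to that attribute."""
    granted = False
    for ace in acl:
        if ace.trustee not in trustee_groups or ace.right != right:
            continue
        if ace.attribute not in (None, attribute):
            continue
        if not ace.allow:
            return False
        granted = True
    return granted


def demo(model):
    """Build O=Acme / OU=Sales / CN=Bob under one model and answer three questions."""
    if model == "static":
        make, resolve = add_object_static, lambda o: (o.effective_aces, 0)
    else:
        make, resolve = add_object_dynamic, effective_acl_dynamic
    root = make("O=Acme", None, [Ace("Domain Admins", "read"), Ace("Domain Admins", "write")])
    sales = make("OU=Sales", root, [Ace("Sales Managers", "read")])
    # Constructed deny ACE: managers may read Bob except his salary attribute.
    bob = make("CN=Bob", sales, [Ace("Sales Managers", "read", "salary", allow=False)])
    acl, hops = resolve(bob)
    return {
        "manager_reads_phone": check_access(acl, {"Sales Managers"}, "read", "phone"),
        "manager_reads_salary": check_access(acl, {"Sales Managers"}, "read", "salary"),
        "admin_writes_salary": check_access(acl, {"Domain Admins"}, "write", "salary"),
        "aces_stored_on_bob": len(bob.effective_aces) if model == "static" else len(bob.local_aces),
        "tree_hops_on_read": hops,
    }


if __name__ == "__main__":
    for m in ("static", "dynamic"):
        print(m, demo(m))
```

Both models reach the same access decisions; what differs is where the cost lands. The static object stores four ACEs and answers with zero hops, the dynamic object stores one ACE and walks three nodes on every read, which is the "tree walk across the WAN" the slide objects to.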

Global Data Availability - Catalogs

Active Directory Catalogs:
- Enable efficient cross-domain data sharing
- Use the same set-up tools as replicas
- Use the same replication mechanisms and the same interval as domain replicas
- Enforce object- and attribute-level security

Diagram (from the slide): a Windows 2000 Forest containing acme.com, asia.acme.com and europe.acme.com, plus xyx.com, each holding a Catalog (legend: Catalog = Global Catalog; Replica).

Global Data Availability - Catalogs

NDS Catalogs:
- Are based on periodic 'dredging'
- Occur only at scheduled 1-7 day intervals
- Users are granted/denied access to the entire catalog; no attribute/object-level security
- Are being completely redesigned...

Diagram (from the slide): Dredger processes at San Diego, Chicago and Boston.

Differences - Networking and Services

Active Directory
- Based on TCP/IP
- DNS server resource records (MX record)
- LDAP for internal searches; each object has a unique GUID (example on following page)
- All Domain Controllers are native LDAP servers
- Integrates with DNS

NDS
- Originally based on IPX/SPX, using the Service Advertising Protocol (SAP) to advertise services
- Implemented in TCP/IP with the Service Location Protocol (SLIP), also advertisement based
- SLIP does not integrate with DNS (proprietary)
- When implemented together, network performance is reduced because routers must support RIP to carry both the SLIP and SAP protocols
- Not a native LDAP server: it has an LDAP interface that translates LDAP requests to the native NDAP protocol

Diagram (from the slide): global namespace = DNS + LDAP directories. The DNS tree has com (microsoft, domain microsoft.com; aVendor, domain aVendor.com) and edu (stanford, domain stanford.edu); under stanford.edu the LDAP directory holds the containers courses, music and students with the entries sarahj, thorj, Vera Kark and MargretJ.

Active Directory: Global namespace = DNS + LDAP Directories
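The X.500 naming from the Hierarchy slide (DN, RDN, naming attributes) and the DNS + LDAP namespace of this slide, as one added Python example that is not part of the presentation. Input names mirror the slides (O=US, O=Microsoft, OU=Development, CN=Thomas; stanford.edu); the functions `parse_dn`, `relative_dn`, `dns_to_dc`, `dc_to_dns` and `user_dn` are assumptions of this example, not an API of either product, and nothing here talks to a live directory.

```python
"""Added example (not part of the presentation): X.500/LDAP distinguished names
and the DNS-to-DC= mapping Active Directory uses for its domain names."""


def parse_dn(dn, root_first=False):
    """Split a DN into (TYPE, value) pairs, most specific (leaf) first.
    LDAP writes the leaf first; the slide writes the root first, hence the flag.
    Backslash escapes are honoured so 'Kark\\, Vera' stays one value."""
    parts, cur, escaped = [], "", False
    for ch in dn:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            cur, escaped = cur + ch, True      # keep the escape so values round-trip
        elif ch == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    rdns = []
    for part in parts:
        typ, sep, val = part.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((typ.strip().upper(), val.strip()))
    return list(reversed(rdns)) if root_first else rdns


def format_dn(rdns):
    """Leaf-first list back to LDAP string form."""
    return ",".join(f"{t}={v}" for t, v in rdns)


def parent_dn(dn):
    """The container one level up in the DIT."""
    return format_dn(parse_dn(dn)[1:])


def relative_dn(dn, base):
    """The part of dn below base: the partial name the slide calls a
    Relative Distinguished Name, with base as the reference point."""
    d, b = parse_dn(dn), parse_dn(base)
    if len(b) >= len(d) or d[len(d) - len(b):] != b:
        raise ValueError(f"{dn!r} is not below {base!r}")
    return format_dn(d[: len(d) - len(b)])


def dns_to_dc(domain):
    """stanford.edu -> DC=stanford,DC=edu (Active Directory's domain naming)."""
    labels = [lbl for lbl in domain.strip(".").split(".") if lbl]
    if not labels:
        raise ValueError("empty DNS name")
    return format_dn([("DC", lbl) for lbl in labels])


def dc_to_dns(dn):
    """Recover the DNS domain from any DN inside an AD domain partition."""
    return ".".join(v for t, v in parse_dn(dn) if t == "DC")


def user_dn(domain, ou_path, cn):
    """Place a user under nested OUs (listed root to leaf) in a DNS-named domain,
    e.g. user_dn('stanford.edu', ['students'], 'sarahj')."""
    rdns = [("CN", cn)] + [("OU", ou) for ou in reversed(ou_path)]
    return format_dn(rdns) + "," + dns_to_dc(domain)


if __name__ == "__main__":
    slide_dn = parse_dn("O=US, O=Microsoft, OU=Development, CN=Thomas", root_first=True)
    print(format_dn(slide_dn))
    print(relative_dn(format_dn(slide_dn), "O=Microsoft,O=US"))
    print(user_dn("stanford.edu", ["students"], "sarahj"))
```

Parsing the DN instead of splitting on commas matters because a value can itself contain an escaped comma (`CN=Kark\, Vera` in the slide's music container): a naive split would produce a bogus extra RDN and a lookup against the wrong container.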

Internet Standards Support - LDAP

Active Directory vs. NDS

                                  NDS           Active Directory
LDAP Search                       Better (Active Directory)
LDAP Requests Processed           Translated    Natively
Services Published through LDAP   Limited       All

Active Directory is a faster and more interoperable LDAP server.

Differences - Design

Active Directory
- Partitions the directory by Domain
- Separate administrative view (Domain) and replication view (Site)
- Replication occurs via sites (IP subnets of good connectivity)
- A server can only host one Domain partition
- Multi-master replication
- Uses Update Sequence Numbers (USNs) to prevent corruption
- Replication is controlled and easy to configure
- A Domain can efficiently span multiple sites

Replication

- What is replicated? Only changes are replicated:
  - Directory information
  - Configuration
  - Schema
- There are two forms of replication: intrasite replication and intersite replication.
- Knowledge Consistency Checker: automatically configures and checks the topology for the most efficient replication.
- Tools: Sites and Services MMC snap-in; Replmon.

Sites

- A Site separates the network's physical topology from Active Directory's logical view of the network.
- A Site is an area of "good connectivity".
- A Site is a collection of subnets.
- All directory replication is controlled via Sites.
- A Site can be composed of multiple Domains.
- Clients discover their site based on the subnet mask received from DHCP (or hand-configured).
- Basis for locality-based resource discovery.

Intrasite Replication

- Automatically configured for you
- Replication occurs whenever there is a directory change or at an interval of ~7 minutes
- Not compressed
- Not easily controllable

Diagram (from the slide): intra-site replication among five Domain Controllers in one site.

Intersite Replication

- Compressed 10:1
- Configurable
- Scheduled (15 minutes - 3 hours)
- RPC or SMTP
- Site Links
- Site Bridges

Diagram (from the slide): inter-site replication between Site 1 and Site 2, each containing several Domain Controllers.

Site Links

- Represent the priority of replication traffic between the sites identified in the site link
- Higher cost numbers represent lower-priority replication paths
- Control topology by setting the costs on site links
- Control the replication frequency by setting the number of minutes between replication attempts
- Control link availability using the schedule on site links
- Can link multiple sites to create a controlled path of replication called a Site Bridge

Diagram (from the slide): Site X, Site Y and Site Z connected by Site Link XY and Site Link YZ, grouped into Site Link Bridge XYZ.
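How site link costs, intervals and a site link bridge decide the replication path, as an added Python example that is not part of the presentation. It runs Dijkstra over the site links with the rule that two site links are traversed back to back only when a site link bridge contains both (or when all links are bridged). The topology is the slide's X-Y-Z with a constructed, expensive direct X-Z link added so that cost preference is visible; the `best_path` function, the `LINKS` and `BRIDGE_XYZ` constants and the interval values are assumptions of this example, and the cost 100 / 180-minute defaults are Active Directory's.

```python
"""Added example (not part of the presentation): choosing a replication route
from site link costs, with site link bridges controlling transitivity."""
import heapq
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class SiteLink:
    name: str
    sites: frozenset          # a site link may join more than two sites
    cost: int = 100           # higher cost = lower priority path (AD default 100)
    interval_min: int = 180   # minutes between replication attempts (AD default 180)


# Constructed topology: the slide's Site Link XY and YZ plus an expensive direct XZ.
LINKS = [
    SiteLink("XY", frozenset({"X", "Y"}), cost=100, interval_min=15),
    SiteLink("YZ", frozenset({"Y", "Z"}), cost=100, interval_min=15),
    SiteLink("XZ", frozenset({"X", "Z"}), cost=500, interval_min=180),
]
BRIDGE_XYZ = frozenset({"XY", "YZ"})   # the slide's Site Link Bridge XYZ


def best_path(links, src, dst, bridges=None):
    """Lowest-cost replication route from src to dst.

    bridges=None  -> 'bridge all site links' (every link is transitive)
    bridges=[]    -> no bridging: only a single site link may be used
    bridges=[...] -> each bridge is a set of site link names that may chain
    Returns a dict with the cost, the sum of link intervals along the path (an
    upper bound on propagation delay when every schedule is open), the sites
    and the links used, or None if no route exists."""
    def can_chain(prev, nxt):
        if prev is None or bridges is None:
            return True
        return any(prev in b and nxt in b for b in bridges)

    tie = itertools.count()   # unique tiebreaker so heap never compares dicts/lists
    heap = [(0, 0, next(tie), src, None, [src], [])]
    seen = set()
    while heap:
        cost, delay, _, site, via, spath, lpath = heapq.heappop(heap)
        if site == dst:
            return {"cost": cost, "interval_sum": delay, "sites": spath, "links": lpath}
        if (site, via) in seen:
            continue
        seen.add((site, via))
        for link in links:
            if site not in link.sites or not can_chain(via, link.name):
                continue
            for nxt in link.sites:
                if nxt == site or nxt in spath:
                    continue
                heapq.heappush(heap, (cost + link.cost, delay + link.interval_min,
                                      next(tie), nxt, link.name,
                                      spath + [nxt], lpath + [link.name]))
    return None


if __name__ == "__main__":
    print("bridged XYZ :", best_path(LINKS, "X", "Z", bridges=[BRIDGE_XYZ]))
    print("no bridging :", best_path(LINKS, "X", "Z", bridges=[]))
    print("all bridged :", best_path(LINKS, "X", "Z"))
```

With the XYZ bridge in place, X reaches Z through Y at cost 200 (two 15-minute links), which beats the direct link at cost 500; remove the bridge and the only legal route is the expensive direct link, which is exactly the "controlled path of replication" the slide describes.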

Replication Architecture

Diagram (from the slide): three replicas R1, R2 and R3; the figure shows the USN tables held by each replica (R1 USN:5, R2 USN:305, R3 USN:62) before and after replication.

Sites and the AD

Diagram (from the slide): Microsoft's domains HR, Sales, MSNA and Europe with Domain Controllers MSHQ1, MSHQ2, MSHQ3, HR1, HR2, Sales1, Sales2, Sales3, MSNA1, MSNA2, EURO1 and EURO2, grouped by site: Site Redmond (MSHQ1, HR1, Sales1, MSNA1, EURO1), Site Seattle (MSHQ2, HR2, Sales2) and Site Paris (MSHQ3, MSNA2, Sales3, EURO2).
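The "only changes are replicated" and "uses Update Sequence Numbers" points of the Design and Replication slides, as an added Python example that is not part of the presentation. It models change-only multi-master replication after the high-watermark and up-to-dateness-vector mechanisms Active Directory uses: each replica stamps every write with its own monotonically increasing USN, a partner pulls only entries above the last USN it saw, and a change already received via another partner is dropped. Replicas R1, R2, R3, the writes and the simplified conflict rule are constructed for this example.

```python
"""Added example (not part of the presentation): USN-driven, change-only
replication between three constructed replicas."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    obj: str
    attr: str
    value: str
    origin: str       # replica where the write originated
    origin_usn: int   # that replica's USN for the write
    version: int      # per-attribute version, bumped on every originating write


class Replica:
    def __init__(self, name):
        self.name = name
        self.usn = 0              # local USN, incremented for every change applied here
        self.store = {}           # (obj, attr) -> Change currently in effect
        self.log = []             # (local_usn, Change) in the order applied here
        self.high_watermark = {}  # partner -> highest partner-local USN already pulled
        self.utd = {}             # origin -> highest originating USN applied here

    def write(self, obj, attr, value):
        """An originating write: local USN and originating USN coincide."""
        prev = self.store.get((obj, attr))
        version = prev.version + 1 if prev else 1
        change = Change(obj, attr, value, self.name, self.usn + 1, version)
        self._record(change)
        return change

    def _record(self, change):
        self.usn += 1
        self.store[(change.obj, change.attr)] = change
        self.log.append((self.usn, change))
        self.utd[change.origin] = max(self.utd.get(change.origin, 0), change.origin_usn)

    def _is_newer(self, change):
        """Conflict rule, simplified: higher version wins, ties broken by origin name."""
        cur = self.store.get((change.obj, change.attr))
        return cur is None or (change.version, change.origin) > (cur.version, cur.origin)

    def pull_from(self, partner):
        """Pull only what changed on the partner since our last pull; skip changes
        whose originating write we already hold. Returns the number applied."""
        watermark = self.high_watermark.get(partner.name, 0)
        applied = 0
        for local_usn, change in partner.log:
            if local_usn <= watermark:
                continue                      # already pulled on an earlier cycle
            watermark = local_usn
            if change.origin_usn <= self.utd.get(change.origin, 0):
                continue                      # propagation dampening: seen via another path
            if self._is_newer(change):
                self._record(change)
                applied += 1
            else:                             # lost the conflict, but note it was seen
                self.utd[change.origin] = max(self.utd.get(change.origin, 0), change.origin_usn)
        self.high_watermark[partner.name] = watermark
        for origin, usn in partner.utd.items():   # we now know everything the partner knew
            self.utd[origin] = max(self.utd.get(origin, 0), usn)
        return applied

    def snapshot(self):
        return {k: c.value for k, c in self.store.items()}


def demo():
    """Three replicas write while disconnected, then replicate around a ring."""
    r1, r2, r3 = Replica("R1"), Replica("R2"), Replica("R3")
    for attr in ("givenName", "sn", "telephoneNumber", "mail", "title"):
        r1.write("CN=Thomas", attr, f"{attr}-v1")          # 5 originating writes on R1
    r2.write("CN=Sarah", "mail", "sarah@example.test")      # 2 on R2
    r2.write("CN=Sarah", "title", "Analyst")
    r3.write("CN=Vera", "mail", "vera@example.test")        # 1 on R3
    shipped = [r2.pull_from(r1), r3.pull_from(r2), r1.pull_from(r3), r2.pull_from(r3)]
    converged = r1.snapshot() == r2.snapshot() == r3.snapshot()
    r1.write("CN=Thomas", "title", "Manager")               # one more change after convergence
    incremental = r2.pull_from(r1)                          # only that change crosses the link
    return {"shipped": shipped, "converged": converged, "incremental": incremental,
            "usns": {r.name: r.usn for r in (r1, r2, r3)}}


if __name__ == "__main__":
    print(demo())
```

The third pull (R1 from R3) ships three changes rather than eight: R3's log also holds R1's own five writes, but the up-to-dateness vector recognises them as already present and they are not re-applied, which is what keeps multi-master replication from looping or corrupting the store. After convergence a single new write costs exactly one change on the next pull.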

Operation Masters

These roles are:
- Recoverable (Recovery Console)
- Transferable (Command Line)

These are the roles:
- RID Master: one per domain, controls relative IDs
- PDC Emulator: one per domain, allows password updates and backwards compatibility with NT 4.0 BDCs
- Infrastructure Master: one per domain, updates group and user information when changes are made
- Schema Master: one per forest, controls schema updates
- Domain Naming Master: one per forest, controls all additions and removals of domains

Differences - Design

NDS
- Partitions the directory by OU
- OUs are tied to physical locations
- Multimaster replication
- A server can host multiple partitions
- Replication occurs via time stamps
- Replication is very difficult to configure and is not controllable
- It is not recommended to have OUs span physical boundaries

Diagram (from the slide): AD replicas at Boston, Chicago and San Diego.

Global Data Availability - Searches

Active Directory:
- Partitions map to Windows 2000 domains
- Partitions can span many sites and WAN links
- Optimizes replication automatically between sites and over slow network links
- Impact: faster and more complete searches

Diagram (from the slide): a Windows 2000 Domain with AD replicas in Boston, Chicago and San Diego kept current by replication; the query "Find: 'All Bobs'" and its Answer are shown against one replica.

Global Data Availability - Searches

NDS Version 8:
- Partitions cannot span WAN links . . . easily
- Replication does not occur on an inter-site basis
- Cross-location searches must 'tree walk'
- Impact: slower and less complete searches; more network traffic

Diagram (from the slide): an NDS tree with NDS servers in Boston, Chicago and San Diego separated by WAN links; the query "Find: 'All Bobs'" crosses the WAN to Boston and Chicago before an Answer is returned.

Global Data Availability - Replication

Diagram (from the slide): Site 1 and Site 2 joined by a WAN, for Active Directory and for NDS (legend: R = Replica, B = Bridgehead Server, lines = Connection).
- NDS: 90 connections; 25 WAN crossings
- Active Directory: 13 connections; 1 WAN crossing

Diagram (from the slide): Windows 2000 security services built around Active Directory: File System, Kerberos, Smart Card, X.509/PKI Certificates, Authentication and Authorization.

Internet Standards Support - PKI

Active Directory advantages:
- Better PKI management: integrated key recovery mechanism and revocable certificates; web-based access and management; integrated client-side distribution of keys
- Comprehensive OS integration (IIS, EFS, IPSec)
- Application integration (CryptoAPI)

Internet Standards Support - Summary

Active Directory
- Native LDAP server
- Full namespace integration with DNS
- Integrated support for PKI technologies

NDS
- LDAP requests are translated
- No namespace integration with DNS
- Limited integration with PKI

Application Integration

Active Directory Services Interface (ADSI):
- Provides a consistent, simple way for COM-enabled apps to access directory services
- Usable for any LDAP server (including NDS)
- Leverages COM Windows development tools
- Greatly simplifies development of directory-enabled applications

Diagram (from the slide): applications reach Active Directory (NT-DS), LDAP directories and NDS through ADSI; ADSI sits alongside OLE DB (databases), and both are reached by applications through ADO.

Application Integration

Active Directory enables powerful directory-enabled applications:
- Group Policy integration
- Service publication
- Directory object extension
- ADSI extension model
- Active Directory Class Store

AD-enabled applications:
- Baan, J.D. Edwards, SAP, Cisco and others
- BackOffice 2000, MSMQ, MTS and most others

Application Integration - Summary

Windows 2000 & Active Directory
- COM, ADSI, Logo programs
- LDAP-based access to all features
- Rich development environment (VB, C++, Java)
- Supports distributed applications over WANs
- Large ISV support: 8,000+ Windows applications

NetWare & NDS
- ADSI support not available on NetWare
- Incomplete LDAP-based access to NDS features
- Java-only development environment
- Partitions limit application functionality
- Poor ISV support - GroupWise not even NDS-enabled

Active Directory vs. NDS Comparison

Feature                          Active Directory   NDS Version 8
Storage technology               Indexed            Indexed
Max objects/partition            Millions           Millions
Partition boundary               Geo/Political      WAN
Partition-spanning groups?       Yes                Not Advised
Same store for catalogs?         Yes                No
Catalog update interval          Continuous         Scheduled
Attribute security in catalog?   Yes                No
Native LDAP support?             Yes                No
Global change LDAP interface?    Yes                No
DNS naming integration           Yes                No
Integrated PKI support?          Yes                No
ADSI provider support?           Yes                Yes*
Java support                     Yes (JADSI)        Yes (JNDI)
VB, C, C++ support               Yes                No
Interoperability tools           Yes                No

* Not available to NetWare applications



This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

© 2000 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Where do you want to go today?, Windows, the Windows logo and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.