
Microsoft to patch Active Directory



SAN FRANCISCO - Less than a week after releasing Windows 2000, Microsoft is already working on a patch for Active Directory that addresses problems with the directory's user administration features.

While Microsoft was engaged in another directory tit-for-tat last week with Novell, company officials acknowledged that at least one fix for Active Directory will be in the first Win 2000 service pack. No date has been set for the shipment of the service pack.

The acknowledgement of the Active Directory flaw came at the Windows 2000 Conference and Expo, which featured packed Active Directory conference sessions and some 200 Microsoft partners who lined up behind the official release of Win 2000.

The patch addresses a problem pointed out by members of Microsoft's Joint Development Program, a group of early adopters and high-level beta testers. According to sources, those testers pressured the firm to address the issue, which they say could seriously complicate management of groups of users.

The problem centers on Active Directory's requirement that administrators manage a user group's membership as a single entity, or attribute, and not by individual user - a concept called multivalued attributes. With multivalued attributes, administrators must update the entire attribute, or list, to add or delete even one name. If two administrators change the list on different replicas, one set of changes can be lost during replication, because Active Directory recognizes the list as one lump and cannot differentiate individual changes. The result could be that a user deleted from a group is inadvertently added back into the group and regains the access rights and permissions associated with it.

"This problem with multivalued attributes is only one administrator gets his changes logged in. Whichever administrator clicks last, wins," says J.R. Cunningham, lead systems administrator with CBS MarketWatch.com, an online financial news service in San Francisco. "If you have 5,000 end users with e-mail accounts, this is a pretty significant problem."

"The real issue is that it can be a security risk," says a systems analyst for a large multinational oil and gas company who asked not to be identified. "We're glad Microsoft is addressing it."

The systems analyst said the workaround is to keep administration of group membership lists centralized and not spread it out over geographically distributed replicas of Active Directory.

"In large firms where you depend on replication, multivalued attributes could be a serious problem," says Laura DiDio, an analyst with Giga Information Group, a consultancy in Cambridge, Mass. "An administrator thinks he has something set up, but he doesn't. It could lead to anything from network errors to system crashes. It would be a massive time suck, especially when people are trying to get up to speed on a new operating system."

"The issue is a side effect of multimaster replication, and we are fixing it in the first service pack," says Pete Houston, group product manager for Active Directory. "The directory will go to another level of depth to investigate changes and do conflict resolution within groups." Houston says for now users shouldn't administer user groups from two locations.
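The lost update described above, next to per-member conflict resolution of the kind Houston describes, as an added Python example. It is a simplified model written for this page, not Microsoft's code or Active Directory's actual replication algorithm; the field names, logical timestamps and sample users are constructed.

```python
# Constructed scenario: both admins start from the same replicated member list.
BASE = frozenset({"alice", "bob", "carol"})

# Each write is the full list an admin saved on their own replica, with a
# logical timestamp (hypothetical field names, not Active Directory's schema).
WRITES = [
    {"admin": "site-1", "stamp": 1, "members": {"alice", "bob"}},                   # removes carol
    {"admin": "site-2", "stamp": 2, "members": {"alice", "bob", "carol", "dave"}},  # adds dave
]

def merge_whole_attribute(writes):
    """Treat the list as one value: the latest write replaces everything."""
    return set(max(writes, key=lambda w: w["stamp"])["members"])

def merge_per_member(base, writes):
    """Resolve conflicts per member: only what each admin actually changed counts."""
    decided = {}  # member -> (stamp, present)
    for w in writes:
        added = w["members"] - base
        removed = base - w["members"]
        changes = [(m, True) for m in added] + [(m, False) for m in removed]
        for member, present in changes:
            if member not in decided or w["stamp"] > decided[member][0]:
                decided[member] = (w["stamp"], present)
    result = set(base)
    for member, (_, present) in decided.items():
        if present:
            result.add(member)
        else:
            result.discard(member)
    return result

def resurrected(base, writes, merged):
    """Audit check: members some admin removed that are present after the merge."""
    removed_by_someone = set()
    for w in writes:
        removed_by_someone |= base - w["members"]
    return merged & removed_by_someone

if __name__ == "__main__":
    for name, merged in (("whole-attribute", merge_whole_attribute(WRITES)),
                         ("per-member", merge_per_member(BASE, WRITES))):
        print(name, sorted(merged), "resurrected:", sorted(resurrected(BASE, WRITES, merged)))
```

With the whole-list merge, site-2's later save restores carol even though that administrator only meant to add dave; the `resurrected` check is the kind of comparison an auditor can run against change records to spot a removal that did not survive replication.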

Microsoft also recommends that nests of users be created within a single group-membership list to avoid conflicts when changes are made. Each nest can be managed as its own entity. But to support nesting within groups, users will have to update all their domain controllers to Win 2000.

Copyright, 1994-2006 Network World, Inc. All rights reserved.