Microsoft's Active Directory Services may lighten your load
By Gary Rowe and Daniel Blum

If you're tired of trekking from server to server to administer Windows NT domains, Microsoft Corp.'s Active Directory Services (ADS) promises to give you a break. ADS, to be embedded in the Windows NT 5.0 operating system, will provide a single point of administration across the enterprise, single network logon to any network service and directory integration for server applications. It also will provide a central repository for most NT administrative information. For example, it will contain records of the "junction points" that tie together Microsoft's Distributed File System across multiple servers and volumes. And it will lead to better security, acting as a central resource for storing individual user IDs, access controls, and public-key and Kerberos cryptographic information.

This new centralized approach is made possible by ADS' hierarchical data model, or schema, which is based on the X.500 tree used by the Lightweight Directory Access Protocol (LDAP) and on Domain Name System (DNS) domains. This also allows for multimaster replication, meaning changes to any part of the directory can be made on any server, subject only to the administrator's access rights.

All of that makes ADS very different from the NT 3 and 4 Security Account Manager (SAM), which it replaces. Today, NT domains contain many accounts existing in a flat namespace. Domain-to-domain trust has to be configured on a case-by-case basis, while groups and users have to be defined in multiple domains to enable information sharing - a laborious process. With ADS, the enterprise is a hierarchy of domains, each with an X.500 and DNS name. Domain controllers authenticate each other through Kerberos, so there's no need to manually define trust relationships; trust will be built in. Administrators will create user entries, group entries and access controls just once for the entire enterprise.
ADS' native protocols will be LDAP and DNS, and Microsoft's programmatic interface to the directory is called Active Directory Service Interface (ADSI). ADSI embeds support for the standard LDAP C language API, but also supports ActiveX object interfaces. Additionally, Microsoft will build ADSI into VBScript. That gives developers lots of options for writing applications and other tools that can tie into ADS. Microsoft says several vendors already are writing applications to ADSI, including QuerySoft, NetVision, Inc. and NetMagic Systems, Inc.

ADSI, working with LDAP, also will provide multivendor client-to-directory interoperability. Once an application issues ADSI calls to look up or manipulate directory entries, Microsoft drivers built into Windows NT will enable access to information not only in ADS but also in other LDAP-based directories, and various older directories, such as NT 3, NT 4, and NetWare 3 and 4.

However, in a recent change of positioning, Microsoft is not implementing the full X.500 standards for directory-to-directory interoperability. Instead, Microsoft's server-to-server protocols, replication and access controls will be proprietary. That means Microsoft won't be providing a fully transparent way to manage networks with a mix of directories, such as ADS and Novell, Inc.'s Novell Directory Services (NDS). To do that, you'll need a third-party metadirectory offering.

Support for the LDAP/X.500 information model also means applications can install new data types in the directory. These could be new attributes in existing user entries or entirely new objects. For example, word processors, browsers, e-mail front ends or other applications needing to store user preferences in the directory will be able to easily create a new property, or attribute, in the ADS schema at the time of their installation.
To migrate from existing versions of NT, you'll first have to move the data from NT 3 and 4 servers into ADS and upgrade the domain controllers to NT 5 one domain at a time. Then you can link all the domains and their controllers into NT's new enterprise directory structure. After that, Microsoft says ADS will still be backward-compatible with earlier versions of Windows NT Server, providing complete emulation of the Windows NT 3.5x and 4.0 directory services and administrative tools. Also, applications written to the Win32 API will continue to work unmodified in ADS environments. Microsoft application directories - such as the Exchange servers - can be moved into ADS using a migration tool.

Another important ADS feature is support for end-user searching and navigation of the directory. Users will be able to browse the logical network, for example, to find all color printers in Building 10. Administrators will be able to distribute shortcuts to resource entries, containers or saved searches to an entire site, and/or build global "yellow pages" catalogs of resources.

Of course, you won't be able to do any of this until NT 5.0 ships. Microsoft isn't committing to a specific date, but expects NT 5.0 will be out in the first half of 1998.
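The ADSI lookups described above and the "color printers in Building 10" search are the same operation from a developer's side: an LDAP search issued through ADSI. The following is an added example, not code from the article or from Microsoft; it uses the .NET DirectorySearcher wrapper around ADSI from PowerShell, assumes a domain-joined host that can reach a domain controller, and relies on the standard Active Directory printQueue attributes (printColor, location, printerName, serverName, uNCName). The part a practitioner should not skip is the escaping: the location string typically comes from a user, and without RFC 4515 escaping characters such as `*`, `(` and `)` let the caller rewrite the filter and enumerate objects the search was never meant to return.

```powershell
# Added example, not part of the original article or of Microsoft's ADSI documentation.
# Searches the current domain for color printers whose published location mentions
# a user-supplied string, with the string escaped so it cannot alter the LDAP filter.

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515 escaping. The backslash must be replaced first, otherwise the
    # escapes introduced below would themselves be re-escaped.
    $escaped = $Value.Replace('\', '\5c')
    $escaped = $escaped.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    $escaped = $escaped.Replace([string][char]0, '\00')
    return $escaped
}

function Find-ColorPrinter {
    param([Parameter(Mandatory)][string]$Location)

    $safe = ConvertTo-LdapFilterValue -Value $Location

    # With no SearchRoot set, DirectorySearcher starts at the root of the
    # current user's domain and binds with the caller's (Kerberos) credentials.
    # Narrow it with $searcher.SearchRoot = [ADSI]"LDAP://OU=...,DC=..." if needed.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectClass=printQueue)(printColor=TRUE)(location=*$safe*))"
    # Paged results so a large directory is not silently cut off at the
    # server's MaxPageSize limit.
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('printerName', 'serverName', 'location', 'uNCName'))

    $results = $searcher.FindAll()
    try {
        foreach ($result in $results) {
            # Result property names are returned lower-cased; each is a value collection.
            [pscustomobject]@{
                Printer  = ($result.Properties['printername'] | Select-Object -First 1)
                Server   = ($result.Properties['servername']  | Select-Object -First 1)
                Location = ($result.Properties['location']    | Select-Object -First 1)
                Path     = ($result.Properties['uncname']     | Select-Object -First 1)
            }
        }
    }
    finally {
        $results.Dispose()
    }
}

# Example run: the article's "all color printers in Building 10".
Find-ColorPrinter -Location 'Building 10' | Format-Table -AutoSize
```

`ConvertTo-LdapFilterValue 'Bldg (10)*'` returns `Bldg \2810\29\2a`, so a caller who types `*)(objectClass=*` gets a literal match on that text rather than a filter that returns every object the account can read. The search runs as the calling user, so what it returns is already bounded by the directory's access controls; the escaping keeps the query bounded by the intent of the application as well.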