/
Plaintiff: Novell
Defendant: Microsoft
FUD factor: (On a scale of one to five, five being a false claim) Three Corporations fear their payroll information may be exposed to the world. Such a scenario is used by Novell to point out an important difference between NetWare and Windows 2000 administrative models and implementations. Novell cites on its Web site that under certain conditions in an Active Directory-based network, it's possible for an administrator to be denied rights to a specific resource, but then be able to subsequently regain accessibility to the resource. Novell says an administrator in this case has been denied rights to a payroll resource in the domain. However, Novell claims because the administrator is a member of the Active Directory Administrator group, he can then regain ownership of the payroll resource. Examples of this methodology are available at Novell's Web site. We duplicated Novell's step-by-step instructions and permitted an administrator to regain ownership over a specifically denied object. This part of Novell's accusation is correct. Active Directory permits administrators comparative carte blanche rights within their appointed domain. Nevertheless, there is a bigger issue here. The obfuscation points to a difference in administrative models between Active Directory and NDS eDirectory. On the surface, this looks like a hideous bug, but this whole scenario is based on a misconception about how Active Directory resources are administrated. In the Novell world, the word "deny" means absolute denial, but in Microsoft terms, administrators are natively exempt from denial. So overriding denial in a Novell network is a more serious breach of security. Novell's directory services authorize directory service administrative control from a root user called Supervisor. Privileges are managed by an access control list for objects by inclusion via the granted-right ability. Privileges can be specifically granted, excluded or inherited in NDS. Active Directory doesn't work that way. Active Directory administrators have carte blanche administrative control over resources within their domain. A domain in NDS eDirectory and one in Active Directory are ideologically similar, but in practical implementation are different from an administrative perspective. Inhibiting a specific administrative group member under Active Directory from gaining access requires creating a separate domain where an individual is not a member of the administrative group. Creating an additional domain takes a few moments; subsequent administration is a matter of cutting and pasting resources once. Novell believes this is extra work compared to NDS administration. True, but it's very little extra work. In NDS Version 8 running on top of NetWare 5.1, administrators can be denied areas of the directory services resources. Ostensibly, a chain of command of administration makes NDS resources more secure and auditable. For example, when the primary supervisor password is lost, only Novell is supposed to be able to offer a new one. Microsoft uses a different philosophy, giving an administrator purview over a domain. Denial simply doesn't work, as a denied resource can become reowned by an administrator. While Novell maintains its method of referential authority is correct, Microsoft (like it or not) chose a different approach. NTBugtraq.com summarizes the differences between the two administrative philosophies quite well: Neither model is immune from root authority hijacks, and neither directory is invulnerable to data theft. Ultimately, making it tough for an administrator to steal information boils down to a matter of trust.
Plaintiff: Novell
Defendant: Microsoft
FUD factor: Five Novell believes NDS eDirectory partitioning is superior to the same function in Active Directory, which Novell claims can fail under routine administrative circumstances. According to Novell's Web site, "Active Directory requires network administrators to power down and reboot entire network segments to add or delete a domain replica. Furthermore, adding or deleting the active directory domain 'replica' from a Windows 2000 server requires reapplying file system rights." We could not find any circumstance where either of these claims was true. We were able to add and delete domain servers without needing to power down and reboot even the servers themselves. While demotion of a domain controller took considerable time, no file system rights changes were needed to accomplish the goal with 5,000 test users, and 10,000 test subdirectories on 16 servers used in the test.
Plaintiff: Numerous
Defendant: Microsoft
FUD factor: Zer Oddly, Novell didn't find this one. Courtesy of BugNet and other reports, this bug can be a real showstopper. This recently reported Active Directory bug (DocFinder: 8622) shows that user access on a domain controller can fail when the 52nd and subsequent IP address is assigned to that domain controller. Our tests confirmed this bug.We also discovered Active Directory cannot synchronize while the inactive condition is present on a domain controller. In the case when a domain controller is also a bridgehead server - Microsoft's suggested connection point between a WAN and an Active Directory site - the site will not replicate Active Directory changes if there is no other WAN route. Other Active Directory servers at the site where changes have been prevented in this way dutifully complained, and changes made both at the site and on the WAN resumed quickly after the bridgehead server is brought back on line - after the number of overall IP addresses assigned to the Domain Controller were reduced to fewer than 52. If an alternate route around the bridgehead server is available, other domain controllers will be correctly updated. A test of Novell's NetWare 5.1 and NDS eDirectory using the same hardware found no limitations on the number of IP addresses (our test used 224 addresses using Class A, B and C). A test of Mandrake Linux 7.0 revealed the same lack of limitations. NDS remained available on NetWare, and NIS+ and Network File System services remained online. A Microsoft spokesperson could not say when a patch would become available, but one is believed to be in the works.
Plaintiff: Novell
Defendant: Microsoft
FUD factor: Four Working DNS servers are key to Active Directory. Active Directory requires DNS - either from Microsoft or another operating system - to function. Novell claims that Active Directory crashes non-Microsoft DNS servers. This Novell claim is partially true. We tested Win 2000 with 11 versions of typically deployed DNS servers from Novell, Sun, IBM, Linux (2.2 distributions and higher), BSD/FreeBSD and The Santa Cruz Operation Unixware, and our tests resulted in no errors, even when 50 updates per second were emulated. We crashed a 1992 Ultrix server running Bind 4.9, as well as an old distribution of Linux. This one's a red herring, though. The Internet Software Consortium recommends moving to BIND Version 8.2.2 for security reasons.
Plaintiff: Newsgroups and industry columnists
Defendant: Microsoft
FUD factor: Three Organizations that either delete user accounts or try to shut down user accounts for security purposes can have a problem when there is a large network geography. The garbage collection services that remove all traces of these deleted objects work differently in Active Directory than in NDS eDirectory. NDS eDirectory removes the traces quickly. Active Directory modifies the objects, and while it propagates the modified object quickly, it doesn't remove them completely. The remaining modified/deleted object still exists for a period within the replicated directory structures until garbage collection removes all traces of it. The existence of the remaining object creates concerns that it might be resurrected and misused. The remaining tombstone entry comes from the following fact: While an account may have been deleted or closed at a user's normal work site, the deletion/closure must propagate quickly to inhibit users from logging on to a network via VPNs or remote-access servers to another site. Link integrity is important in this instance as well. A failed link to a remote site still makes that site vulnerable as deleted users may still be getting rights to resources on distributed servers. When sites are set up correctly, the change associated with a deletion/ closure took an equal amount of time with Novell and Microsoft networks to become effective. We built identically configured hardware networks, then placed NDS eDirectory running on NetWare 5.1 on the network and populated it with 5,000 users. On a Fast Ethernet network, the change took 17 seconds to become effective between two identically configured Compaq 3000 Proliant servers. Similarly configured hardware and user counts with Active Directory running on Win 2000 took 16 seconds for the account to be disabled. What happens to the tombstone? The default garbage collection or the total record change within Novell environment was nearly immediate. In a Microsoft Win 2000 network, the default garbage collection was 60 days and is user-definable. We couldn't find a method for the tombstone to be resurrected. However, it doesn't mean that someone couldn't crack Active Directory security in this manner.
Plaintiff: Novell
Defendant: Microsoft
FUD factor: Tw Novell makes the claim that it's possible for Active Directory to lose administrative entry changes. We found it's possible to do this in normal administration, but there's a simple technique that eliminates the problem. Unlike the Active Directory method in which all domain controllers keep a copy of the Active Directory data, Novell's directory services are ideologically located in one place, even though replicas of the directory contents may exist in different locations for back-up/availability purposes. Novell encourages partitioning directory services by site to reduce Internet traffic. NDS eDirectory is immune from multiple concurrent instances of information, Active Directory is not. In Active Directory, each domain controller contains a copy of all directory service content. The paradox of having two administrators working on the same piece of directory data can occur when two or more administrators make changes to the same group, but do so on different domain controllers. The rule used by domain controllers is to accept changes based on the most recent change. That means changes made locally can overwrite changes made elsewhere. Our testing proved the most-recent-change rule can indeed negate changes. There are two workarounds that permit a correct synchronization: establishing a default domain controller within an organization, and making changes primarily to that copy of the directory. This negates the effect of multiple concurrent instances of directory service database information becoming desynchronized and causes a single propagation of changes. We recommend that the domain controller that's used as the single administrative change server be the bridgehead server for an organization, allowing slightly faster propagation. The other workaround may be a tough pill for some organizations to swallow: Use only one administrator to make changes.
Plaintiff: Microsoft
Defendant: Novell
FUD factor: Three Microsoft threw its own grenade at Novell when comparing Win 2000 with NetWare 5.x. Microsoft claims NetWare doesn't use disk mirroring or disk compression. While this isn't a specific directory services claim, it's another example of shots fired in marketing comparisons between the two companies. The answer is a half-truth that's correctly documented by both vendors and has served as the subject of an amazing amount of newsgroup rumor. The source of this particular confusion has to do with an optional feature of NetWare 5.1. Microsoft is referring to Novell's new Novell Storage Services (NSS) option, which doesn't currently support operating system-based disk mirroring but does support hardware-level disk mirroring. NSS is designed to increase file system performance through several techniques, including enhanced caching, reduced volume mount and repair time, and adds support for huge storage objects. Fast mounts for mirrored media and disk compression for large storage objects didn't make it into the first release. If you deploy the optional NSS feature, however, you can't use software-directed disk mirroring until you apply a recently released service pack from Novell. We tested the NetWare 5.1 without the service pack but with NSS and found both features are indeed missing. Novell just posted the update that addressed this issue. Summed up Novell's numerous claims of Active Directory glitches have some truths, but other claims are mired in the different architectural approaches to providing directory services management. Microsoft also conveniently omits details of claims it makes against Novell's directory service and the underlying NetWare 5.1 operating system. These half-truths test both vendors' credibility.
Related links
Articles, primers and lots of useful info on NDS and ADS Browse recent Network World articles about Active Directory
From the past six months, ranked in order of relevancy.
Sparring directories
With both Novell and Microsoft struggling to position their enterprise directories on top, what can you really believe about the negative campaigning?
 
|
|||
 | |||
|
By TOM HENDERSON
Network World, 06/19/00
Duck: The Holy Directory Wars are raging in full force.
The debates at hand
Novell and Microsoft have formulated their attacks in different ways. Novell's claims against Active Directory hone in on specific deployment and technical issues, which we could readily confirm or refute in our test lab environment. A common tactic in Novell's attacks is to describe Microsoft's implementation in Novell's own terms. The problem is the product philosophy behind each directory service is quite different. Novell would prefer we use its own semantics and references to judge Active Directory. To do so does not correctly describe Active Directory and leads to confusion. Microsoft's jabs, on the other hand, are more abstract. The company claims that NDS eDirectory has slow, limited Lightweight Directory Access Protocol support, naming conventions that don't readily map to Domain Name Server (DNS), and weak public-key infrastructure integration. These subjective claims are difficult to test in a lab environment. The directory claims we tested fell into two categories: those that pointed out potential operational flaws and those that raised security concerns. We also checked Microsoft's claims against the disk-mirroring capabilities of Novell's underlying operating system, NetWare 5.1. We did not consider claims regarding scalability as we could not address those in our labs (see user scalability profiles, pages 79 and 83). Because Novell's accusations are more concrete, the bulk of our testing centered on Novell's jabs at Active Directory. Perhaps Microsoft's revered marketing machine knows better than to level criticism that can be closely dissected. However, our testing delved into both sides of the directory argument in most cases. The point here is not to recommend one directory service over another, but to sort out where the facts stop and the FUD starts.Claim #1: Administrative ownership pitfalls
Charge: Administrators can regain specifically denied resources.Plaintiff: Novell
Defendant: Microsoft
FUD factor: (On a scale of one to five, five being a false claim) Three Corporations fear their payroll information may be exposed to the world. Such a scenario is used by Novell to point out an important difference between NetWare and Windows 2000 administrative models and implementations. Novell cites on its Web site that under certain conditions in an Active Directory-based network, it's possible for an administrator to be denied rights to a specific resource, but then be able to subsequently regain accessibility to the resource. Novell says an administrator in this case has been denied rights to a payroll resource in the domain. However, Novell claims because the administrator is a member of the Active Directory Administrator group, he can then regain ownership of the payroll resource. Examples of this methodology are available at Novell's Web site. We duplicated Novell's step-by-step instructions and permitted an administrator to regain ownership over a specifically denied object. This part of Novell's accusation is correct. Active Directory permits administrators comparative carte blanche rights within their appointed domain. Nevertheless, there is a bigger issue here. The obfuscation points to a difference in administrative models between Active Directory and NDS eDirectory. On the surface, this looks like a hideous bug, but this whole scenario is based on a misconception about how Active Directory resources are administrated. In the Novell world, the word "deny" means absolute denial, but in Microsoft terms, administrators are natively exempt from denial. So overriding denial in a Novell network is a more serious breach of security. Novell's directory services authorize directory service administrative control from a root user called Supervisor. Privileges are managed by an access control list for objects by inclusion via the granted-right ability. Privileges can be specifically granted, excluded or inherited in NDS. Active Directory doesn't work that way. Active Directory administrators have carte blanche administrative control over resources within their domain. A domain in NDS eDirectory and one in Active Directory are ideologically similar, but in practical implementation are different from an administrative perspective. Inhibiting a specific administrative group member under Active Directory from gaining access requires creating a separate domain where an individual is not a member of the administrative group. Creating an additional domain takes a few moments; subsequent administration is a matter of cutting and pasting resources once. Novell believes this is extra work compared to NDS administration. True, but it's very little extra work. In NDS Version 8 running on top of NetWare 5.1, administrators can be denied areas of the directory services resources. Ostensibly, a chain of command of administration makes NDS resources more secure and auditable. For example, when the primary supervisor password is lost, only Novell is supposed to be able to offer a new one. Microsoft uses a different philosophy, giving an administrator purview over a domain. Denial simply doesn't work, as a denied resource can become reowned by an administrator. While Novell maintains its method of referential authority is correct, Microsoft (like it or not) chose a different approach. NTBugtraq.com summarizes the differences between the two administrative philosophies quite well: Neither model is immune from root authority hijacks, and neither directory is invulnerable to data theft. Ultimately, making it tough for an administrator to steal information boils down to a matter of trust.
Claim No. 2: Active Directory partitioning causes Win 2000 outages
Charge: Active Directory fails under routine administration scenarios.Plaintiff: Novell
Defendant: Microsoft
FUD factor: Five Novell believes NDS eDirectory partitioning is superior to the same function in Active Directory, which Novell claims can fail under routine administrative circumstances. According to Novell's Web site, "Active Directory requires network administrators to power down and reboot entire network segments to add or delete a domain replica. Furthermore, adding or deleting the active directory domain 'replica' from a Windows 2000 server requires reapplying file system rights." We could not find any circumstance where either of these claims was true. We were able to add and delete domain servers without needing to power down and reboot even the servers themselves. While demotion of a domain controller took considerable time, no file system rights changes were needed to accomplish the goal with 5,000 test users, and 10,000 test subdirectories on 16 servers used in the test.
Claim No. 3: 52 No pick up
Charge: Reasonable configurations can stop Active Directory access.Plaintiff: Numerous
Defendant: Microsoft
FUD factor: Zer Oddly, Novell didn't find this one. Courtesy of BugNet and other reports, this bug can be a real showstopper. This recently reported Active Directory bug (DocFinder: 8622) shows that user access on a domain controller can fail when the 52nd and subsequent IP address is assigned to that domain controller. Our tests confirmed this bug.We also discovered Active Directory cannot synchronize while the inactive condition is present on a domain controller. In the case when a domain controller is also a bridgehead server - Microsoft's suggested connection point between a WAN and an Active Directory site - the site will not replicate Active Directory changes if there is no other WAN route. Other Active Directory servers at the site where changes have been prevented in this way dutifully complained, and changes made both at the site and on the WAN resumed quickly after the bridgehead server is brought back on line - after the number of overall IP addresses assigned to the Domain Controller were reduced to fewer than 52. If an alternate route around the bridgehead server is available, other domain controllers will be correctly updated. A test of Novell's NetWare 5.1 and NDS eDirectory using the same hardware found no limitations on the number of IP addresses (our test used 224 addresses using Class A, B and C). A test of Mandrake Linux 7.0 revealed the same lack of limitations. NDS remained available on NetWare, and NIS+ and Network File System services remained online. A Microsoft spokesperson could not say when a patch would become available, but one is believed to be in the works.
Claim No. 4: Crash and burn DNS
Charge: Win 2000 dynamic DNS crashes non-Microsoft DNS servers.Plaintiff: Novell
Defendant: Microsoft
FUD factor: Four Working DNS servers are key to Active Directory. Active Directory requires DNS - either from Microsoft or another operating system - to function. Novell claims that Active Directory crashes non-Microsoft DNS servers. This Novell claim is partially true. We tested Win 2000 with 11 versions of typically deployed DNS servers from Novell, Sun, IBM, Linux (2.2 distributions and higher), BSD/FreeBSD and The Santa Cruz Operation Unixware, and our tests resulted in no errors, even when 50 updates per second were emulated. We crashed a 1992 Ultrix server running Bind 4.9, as well as an old distribution of Linux. This one's a red herring, though. The Internet Software Consortium recommends moving to BIND Version 8.2.2 for security reasons.
Claim No. 5: Tombstones could cause zombies
Charge: Retaining deleted user entries compromises Active Directory security.Plaintiff: Newsgroups and industry columnists
Defendant: Microsoft
FUD factor: Three Organizations that either delete user accounts or try to shut down user accounts for security purposes can have a problem when there is a large network geography. The garbage collection services that remove all traces of these deleted objects work differently in Active Directory than in NDS eDirectory. NDS eDirectory removes the traces quickly. Active Directory modifies the objects, and while it propagates the modified object quickly, it doesn't remove them completely. The remaining modified/deleted object still exists for a period within the replicated directory structures until garbage collection removes all traces of it. The existence of the remaining object creates concerns that it might be resurrected and misused. The remaining tombstone entry comes from the following fact: While an account may have been deleted or closed at a user's normal work site, the deletion/closure must propagate quickly to inhibit users from logging on to a network via VPNs or remote-access servers to another site. Link integrity is important in this instance as well. A failed link to a remote site still makes that site vulnerable as deleted users may still be getting rights to resources on distributed servers. When sites are set up correctly, the change associated with a deletion/ closure took an equal amount of time with Novell and Microsoft networks to become effective. We built identically configured hardware networks, then placed NDS eDirectory running on NetWare 5.1 on the network and populated it with 5,000 users. On a Fast Ethernet network, the change took 17 seconds to become effective between two identically configured Compaq 3000 Proliant servers. Similarly configured hardware and user counts with Active Directory running on Win 2000 took 16 seconds for the account to be disabled. What happens to the tombstone? The default garbage collection or the total record change within Novell environment was nearly immediate. In a Microsoft Win 2000 network, the default garbage collection was 60 days and is user-definable. We couldn't find a method for the tombstone to be resurrected. However, it doesn't mean that someone couldn't crack Active Directory security in this manner.
Claim No. 6: Active Directory administrators can lose changes
Charge: Two administrators making same-object changes can lose them.Plaintiff: Novell
Defendant: Microsoft
FUD factor: Tw Novell makes the claim that it's possible for Active Directory to lose administrative entry changes. We found it's possible to do this in normal administration, but there's a simple technique that eliminates the problem. Unlike the Active Directory method in which all domain controllers keep a copy of the Active Directory data, Novell's directory services are ideologically located in one place, even though replicas of the directory contents may exist in different locations for back-up/availability purposes. Novell encourages partitioning directory services by site to reduce Internet traffic. NDS eDirectory is immune from multiple concurrent instances of information, Active Directory is not. In Active Directory, each domain controller contains a copy of all directory service content. The paradox of having two administrators working on the same piece of directory data can occur when two or more administrators make changes to the same group, but do so on different domain controllers. The rule used by domain controllers is to accept changes based on the most recent change. That means changes made locally can overwrite changes made elsewhere. Our testing proved the most-recent-change rule can indeed negate changes. There are two workarounds that permit a correct synchronization: establishing a default domain controller within an organization, and making changes primarily to that copy of the directory. This negates the effect of multiple concurrent instances of directory service database information becoming desynchronized and causes a single propagation of changes. We recommend that the domain controller that's used as the single administrative change server be the bridgehead server for an organization, allowing slightly faster propagation. The other workaround may be a tough pill for some organizations to swallow: Use only one administrator to make changes.
Claim No. 7: NetWare doesn't use disk mirroring or compression
Charge: Recent NetWare editions lack disk mirroring and compression.Plaintiff: Microsoft
Defendant: Novell
FUD factor: Three Microsoft threw its own grenade at Novell when comparing Win 2000 with NetWare 5.x. Microsoft claims NetWare doesn't use disk mirroring or disk compression. While this isn't a specific directory services claim, it's another example of shots fired in marketing comparisons between the two companies. The answer is a half-truth that's correctly documented by both vendors and has served as the subject of an amazing amount of newsgroup rumor. The source of this particular confusion has to do with an optional feature of NetWare 5.1. Microsoft is referring to Novell's new Novell Storage Services (NSS) option, which doesn't currently support operating system-based disk mirroring but does support hardware-level disk mirroring. NSS is designed to increase file system performance through several techniques, including enhanced caching, reduced volume mount and repair time, and adds support for huge storage objects. Fast mounts for mirrored media and disk compression for large storage objects didn't make it into the first release. If you deploy the optional NSS feature, however, you can't use software-directed disk mirroring until you apply a recently released service pack from Novell. We tested the NetWare 5.1 without the service pack but with NSS and found both features are indeed missing. Novell just posted the update that addressed this issue. Summed up Novell's numerous claims of Active Directory glitches have some truths, but other claims are mired in the different architectural approaches to providing directory services management. Microsoft also conveniently omits details of claims it makes against Novell's directory service and the underlying NetWare 5.1 operating system. These half-truths test both vendors' credibility.
| How we did it |
 We tested some of the charges made against Novell's NDS eDirectory and
Microsoft's Active Directory by evaluating the claims on a Fast Ethernet
network consisting of up to 16 servers running a mix of Novell's NetWare
5.1 on Windows 2000 Advanced Server. The servers were a mix of Compaq
Proliant 3000 servers with dual 550-MHz Pentium II processors and 256M
bytes of RAM, Prosignia 1600 with 400-MHz Pentium processors with 256M
bytes of RAM, and AMD whitebox servers with 600-MHz processors and 256M
bytes of RAM.
We generated 5,000 user entries, and 100 groups for each network operating
system and directory service, and timed results using Perl scripts clocked
at workstations. These workstations were a mix of Hewlett-Packard Pavilions
running Mandrake Linux 7.1, Sony Vaio notebooks running Windows 98 and
Compaq Prosignia portables running Win 2000 Professional with 266-MHz to
650-MHz processors and had memory that ranged from 64M bytes to 256M bytes.
The servers were separated into four domains or directory partitions for
some of the tests to emulate a four-site WAN.
Results and traffic propagation were monitored with the Fluke Network
Inspector and Triticom's LANDecoder32.
|
Related links
Scaling active directory
Toronto school board is pushing Microsoft's directory to accommodate 350,000 users.
Expanding on NDS
True North Communications taps Novell's NDS eDirectory for widespread scalability features.
Newsletter: NDS programming tutorials
Network World, 04/05/00.
Articles, primers and lots of useful info on NDS and ADS Browse recent Network World articles about Active Directory
From the past six months, ranked in order of relevancy.
