Microsoft prepping directory upgrade

News

Aug 02, 2004 | 3 min read

Enterprise Applications, Microsoft, Security

Microsoft says it is readying synchronization technology that makes it easier and safer for companies to build directory-enabled applications that sit on Windows servers in certain departments or outside corporate firewalls.

New technology in the works for the next version of Windows Server, code-named R2, would let the applications make use of select data from a corporate Active Directory infrastructure without exposing the internal directory to the Internet. The release is slated for next year.

Microsoft says the technology is designed for companies deploying stand-alone versions of Active Directory called Active Directory Application Mode (ADAM), which can be used to support Web or other applications. The ADAM Synchronizer would let ADAM pull updates from Active Directory, but not vice versa.

“This could cause us to take another look at using the directory for application-level stuff,” says Steve Landis, a software development engineer with Oregon State University College of Business in Corvallis. “In our directory environment we are hesitant to create custom attributes for special uses because that requires schema change in the directory. Anything that has that automatic synchronization feature and could pull information into an [application] directory would be useful at some point.”

Schema modifications increase replication traffic and can destabilize a directory if not done in a tightly controlled fashion.

Microsoft now offers a free synchronization tool called the Identity Integration Feature Pack, but it supports bidirectional synchronization between ADAM and Active Directory. Critics say it can open up a security risk if improperly configured for use with Internet-facing applications.

With ADAM Synchronizer, “Microsoft is putting tools in ADAM that make it a useful part of an entire Active Directory infrastructure,” says Jamie Lewis, president of Burton Group. “The idea is to have a directory and publish subsets of its data outside the [network operating system] environment. ADAM is growing up.”

Active Directory is a NOS directory, which means it is tightly coupled with an operating system to supply authentication and authorization capabilities to an entire network. ADAM, introduced a year ago, is designed for use with a single application and is managed separately from Active Directory.

Microsoft rivals Novell and Sun have general-purpose Lightweight Directory Access Protocol (LDAP) directories that are suited to supporting Web-based and other applications, a market they dominate.

“The NOS directory is designed to run a network and its authentication services, group policy and object management. It’s not designed for third-level functionality like applications,” says Nelson Ruest, a consultant with Resolutions Enterprises in Victoria, B.C. “If you want to integrate Active Directory [with applications] you need to use ADAM.”

ADAM runs as a user service on top of Windows, as opposed to a system service such as Active Directory. That means the Windows server ADAM runs on is not a domain controller and does not participate in Active Directory replication or activate services such as Kerberos or DNS.

A domain controller is a Windows server that contains an Active Directory partition and serves as a security boundary on a Windows network. Domain controllers replicate data between partitions to create a distributed directory.