Microsoft eases directory work

Apr 07, 2003 | 4 mins
Enterprise Applications | Microsoft

REDMOND, WASH. – Microsoft is preparing for a major evolution of Active Directory this summer that will allow it to play catch-up with competitors and provide companies the ability to more easily use the software to support Web-based and other applications.

Microsoft last week released the first public beta version of Active Directory/Application Mode (AD/AM), a simple Lightweight Directory Access Protocol (LDAP)-based directory to support applications. AD/AM is a stand-alone version of the directory that operates on Windows, but does not require integration with a corporation’s Active Directory infrastructure.

AD/AM can be dedicated to one application to isolate data specific to that application, such as policies or management information. AD/AM prevents the core Active Directory from getting bogged down with the type of information that would foster changes to the directory’s schema, which defines its structure and content. Directory-enabled applications almost always require schema changes, which add data to the directory and complexity to its operation.

While AD/AM serves as an independent data repository, it can rely on Active Directory as a user authentication engine, meaning companies don’t have to replicate that information to AD/AM.

“AD/AM is very interesting,” says a directory administrator for a large multinational company who asked not to be identified. “It represents a maturity for [Active Directory]. For people who understand directories this perks up their ears because they know it can ease support problems and reduce replication traffic.”

The administrator says his company has more than 10G bytes of data in its Active Directory, which creates a lot of replication traffic. “We have divisions that want to use the directory to support their applications, but that would change our schema and add to our replication problem.”

He says it would be nice for those divisions to have a dedicated directory, especially one his staff is trained to support.

“AD/AM opens up an opportunity for Microsoft to do something in the enterprise and e-business roles that they were restricted from doing,” says Mike Neuenschwander, an analyst with Burton Group.

The restrictions came because Active Directory, which is the only directory baked into an operating system, is complicated to deploy. The directory must sit on its own server, called a domain controller, and must be run with other operating system services such as Kerberos and the DNS. That can create a lot of cost, security and support issues for companies that need an LDAP-based directory.

In contrast, AD/AM does not have to sit on a domain controller, and multiple copies of the directory can run on one box to service multiple applications. AD/AM runs as an independent service on a network as opposed to a network operating system service such as Active Directory.

“Microsoft coded themselves into a hole and now they have gotten themselves out, but we shouldn’t get overly excited because they are late to the game,” Neuenschwander says.

Other vendors are providing these kinds of general-purpose LDAP directories, most notably Novell with its eDirectory and Sun with Sun One Directory Server. Neuenschwander says AD/AM should put the most pressure on Sun, which has yet to cement its multimaster replication technology.

The two Microsoft competitors have each used their LDAP-based directories to build a base of more than a billion users, according to Gartner.

“Microsoft is looking at that with its little 70 million or so users and they want a piece of that action,” says John Enck, an analyst with Gartner. “The target for Microsoft is that LDAP market.”

Microsoft plans to ship AD/AM before July, according to Jackson Shaw, technical product manager for directory services at Microsoft. Shaw says Microsoft has not announced pricing but that it should be about the same as its Active Directory Internet Connector, which is priced at $2,000.

AD/AM will run on Windows Server 2003, which ships later this month, and Windows XP, so developers can run a directory on their desktop for testing applications.