Differences Windows Active Directory and Novell Directory


Differences: Windows Active Directory and Novell Directory Services
Donnie Hamlett, Technology Specialist, Microsoft – New York

Agenda

- Introduction
- X.500 Directories, History and Terminology
- X.500 Implemented with AD and NDS
- Objects
- Networking and Services
- LDAP
- Directory Design and Partitioning the Directory
- Programming
- Summary

Introduction

The purpose of this session is to give a thorough understanding of the basic differences between Windows 2000 Active Directory (AD) and Novell NDS.

X.500 History

- X.500 is the standard produced by the ISO/ITU defining the protocols and information model for a directory service that is independent of computing application and network platform
- X.509 Authentication Framework is a series of standards that describes the use of digital certificates and PKI
- X.525 covers replication
- First released in 1988 and updated in 1993 and 1997
- The X.500 standard defines a specification for a rich, distributed directory based on hierarchically named information objects (directory entries) that users can browse and search
- X.500 – glorified, very logical, electronic yellow pages for X.400 messaging systems

X.500 Fundamentals

- DIB – Directory Information Base: the actual database(s) that store(s) the entries in the directory service
- DIT – Directory Information Tree: dictated by the database schema to present a hierarchical tree of objects

X.500 Schema

- Schema: the design of the directory store. Defines objects, attributes, and system information
- Object classes:
  - Define the kinds of objects that can be instantiated in the directory
  - Define the rules for an object
  - Define the attributes that are intended for the object

X.500 Objects and Attributes

- Objects: specific entries in the directory store; they are composed of attributes
- Attributes: describe certain aspects of the object. USER OBJECT attributes: First Name, Last Name, Phone Number, Address

X.500 Directory Services

- DSA – Directory System Agent: the actual process that client applications bind to in order to search the directory; utilizes DSP – Directory System Protocol
- DUA – Directory User Agent: client process that binds to a DSA to retrieve information from the directory; utilizes DAP, the Directory Access Protocol
- Access protocols:
  - DAP – Directory Access Protocol
  - LDAP – Lightweight Directory Access Protocol, developed because DAP is bulky and did not lend itself to the Internet

X.500 Directory Services – Hierarchy

- The hierarchy is defined in X.500, from the root down:
  - (Root)
  - DC – Domain Component
  - C – Country
  - L – Locality
  - O – Organization
  - OU – Organizational Unit
  - CN – Common Name
- Representation of data in the directory; it is easier to use than flat systems

[Diagram: an example tree C=US → O=Microsoft → OU=Development and OU=Sales, with user entries CN=Thomas, CN=Kevin and CN=Mike]

- Distinguished Name: defines the name and location in the DIT, e.g. C=US, O=Microsoft, OU=Development, CN=Thomas
- Relative Distinguished Name: uses a reference point; a partial name

X.500 Implemented with AD and NDS

- No one used the full set of X.500 definitions to design their directory service
- Everyone has their own proprietary take on how X.500 is implemented

Differences – X.500 Names

Both Novell and AD use X.500 name schemes, but they do not implement all of them:

- Active Directory: DC, OU, CN
- Novell Directory Services: C, O, OU, CN

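The naming rules above, as an added example that is not part of the original deck: a small Python parser that splits a DN into its RDNs in either the root-first X.500 order the slides use or the leaf-first LDAP order, derives the RDN and the parent (the location in the DIT), and flags which name components each directory does not implement. The sample DNs and the AD/NDS component sets are taken from the slides; the assumption that attribute values contain no escaped commas is mine.

```python
import re

# Name components each directory implements, as listed on the slide
AD_TYPES = {"DC", "OU", "CN"}
NDS_TYPES = {"C", "O", "OU", "CN"}

RDN_RE = re.compile(r"^\s*([A-Za-z]+)\s*=\s*(.+?)\s*$")

def parse_dn(dn, root_first=True):
    """Split a DN into a root-first list of (type, value) RDNs.

    root_first=True is the X.500 order used on the slides
    (C=US, O=Microsoft, OU=Development, CN=Thomas); root_first=False
    is the leaf-first LDAP order (CN=Thomas,OU=Development,...).
    Assumption: attribute values contain no escaped commas."""
    rdns = []
    for part in dn.split(","):
        m = RDN_RE.match(part)
        if not m:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((m.group(1).upper(), m.group(2)))
    return rdns if root_first else list(reversed(rdns))

def to_ldap_dn(rdns):
    """Render a root-first RDN list as a leaf-first LDAP DN string."""
    return ",".join(f"{t}={v}" for t, v in reversed(rdns))

def rdn(rdns):
    """The Relative Distinguished Name: the last component, relative to its parent."""
    return rdns[-1]

def parent_dn(rdns):
    """Location in the DIT: everything except the RDN."""
    return rdns[:-1]

def unsupported_types(rdns, directory):
    """Name component types in the DN that the given directory does not implement."""
    allowed = AD_TYPES if directory == "AD" else NDS_TYPES
    return sorted({t for t, _ in rdns if t not in allowed})

if __name__ == "__main__":
    x500 = parse_dn("C=US, O=Microsoft, OU=Development, CN=Thomas")
    print(to_ldap_dn(x500), rdn(x500), unsupported_types(x500, "AD"))
```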
Differences – Objects

Windows – Static Inheritance
- More weight on the directory at creation; write intensive
- All ACEs are contained within the object
- Larger objects increase the size of the DIB
- Rights controlled by groups

Novell – Dynamic Inheritance
- When the object is called, you must aggregate its rights by walking the tree
- More weight on the directory when read
- Rights controlled by OUs (also groups)
- Must tree walk – this can go across the WAN – bad

Object Access

[Diagram: a directory object carries an ACL; each ACE in it can apply to a specific attribute, e.g. Sales Managers granted read access to one attribute]

- Access to directory objects is controlled via Access Control Lists (ACLs)
- Fine granularity is provided by Access Control Entries (ACEs) that apply to specific attributes

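The two inheritance models contrasted above, as an added simulation that is not part of the original deck: under static inheritance every inherited ACE is copied into the object when it is created, so a check reads the object alone (bigger objects, write-time cost); under dynamic inheritance the object stores only its own ACEs and a check walks up the tree at read time. The three-object tree, the attribute-level ACE for Sales Managers, and the simplifications (allow-only ACEs, everything inherits downward) are my constructions.

```python
from collections import namedtuple

# An ACE grants one right on one attribute ("*" = whole object) to a trustee.
# Assumptions (mine, not the deck's): allow-only ACEs, every ACE inherits
# downward, no conflicting entries.
ACE = namedtuple("ACE", "trustee right attribute")

class DirObject:
    """One directory entry. `explicit` holds the ACEs set on the object itself;
    `stored` is what the static model writes into the object at creation:
    its own ACEs plus every inherited ACE copied down from its parent."""
    def __init__(self, name, parent=None, aces=()):
        self.name, self.parent = name, parent
        self.explicit = list(aces)
        inherited = parent.stored if parent else []
        self.stored = self.explicit + inherited   # write-time cost, bigger object

def _matches(ace, trustee, right, attribute):
    return ace.trustee == trustee and ace.right == right \
        and ace.attribute in (attribute, "*")

def static_check(obj, trustee, right, attribute):
    """Windows-style static inheritance: answered from the object alone."""
    return any(_matches(a, trustee, right, attribute) for a in obj.stored)

def dynamic_check(obj, trustee, right, attribute):
    """Novell-style dynamic inheritance: aggregate rights by walking the tree
    toward the root at read time. Returns (granted, objects_visited)."""
    visited, cur = 0, obj
    while cur is not None:
        visited += 1
        if any(_matches(a, trustee, right, attribute) for a in cur.explicit):
            return True, visited
        cur = cur.parent
    return False, visited

def build_tree():
    """Constructed sample tree: O=Microsoft / OU=Sales / CN=Thomas."""
    org = DirObject("O=Microsoft", aces=[ACE("Admins", "write", "*")])
    sales = DirObject("OU=Sales", org, aces=[ACE("Sales Managers", "read", "phone")])
    thomas = DirObject("CN=Thomas", sales)
    return org, sales, thomas
```

The visit count returned by dynamic_check is the "tree walk" the deck warns about; with OUs spanning sites, each step past the local server is a WAN round trip.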
Global Data Availability – Catalogs

[Diagram: a Windows 2000 forest containing acme.com, asia.acme.com, europe.acme.com and xyx.com, with Global Catalog replicas marked]

Active Directory catalogs:
- Enable efficient cross-domain data sharing
- Use the same set-up tools as replicas
- Use the same replication mechanisms and the same interval as domain replicas
- Enforce object- and attribute-level security

Global Data Availability – Catalogs

[Diagram: NDS catalogs in San Diego, Chicago and Boston, each filled by its own dredger]

NDS catalogs:
- Are based on periodic ‘dredging’
- Occur only at scheduled 1–7 day intervals
- Users are granted/denied access to the entire catalog – no attribute/object-level security
- Are being completely redesigned...

Differences – Networking and Services

Active Directory
- Based on TCP/IP
- DNS server resource records (MX record)
- LDAP for internal searches; each object has a unique GUID (example on the following page)
- All Domain Controllers are native LDAP servers
- Integrates with DNS

NDS
- Originally based on IPX/SPX
- Implemented in TCP/IP with:
  - Service Advertising Protocol (SAP) to advertise services
  - Service Location Protocol (SLP), also advertisement based
  - SLP does not integrate with DNS; proprietary
  - When implemented together, network performance is reduced because routers must support RIP that allows for both the SLP and SAP protocols
- Not a native LDAP server – it has an LDAP interface that translates LDAP requests to the native NDAP protocols

Active Directory – Global Namespace = DNS + LDAP Directories

[Diagram: the DNS tree (com → microsoft, aVendor; edu → stanford) maps onto LDAP directories: domain microsoft.com holds entries such as sarahj and thorj; domain stanford.edu holds students, courses and music containers with entries such as Vera Kark and MargretJ; domain aVendor.com]

Internet Standards Support – LDAP

[Bar chart: Active Directory vs. NDS – LDAP base searches per second on UP, 2P and 4P servers, NDS 8 on NetWare vs Active Directory; higher is better. Values shown on the chart: 578, 608, 608, 1,162, 2,047, 3,676]

                                   NDS          Active Directory
LDAP Requests Processed            Translated   Natively
Services Published through LDAP    Limited      All

• Active Directory is a faster & more interoperable LDAP server

Differences – Design

Active Directory
- Partition the directory by Domain
- Different administrative view (Domain) and replication view (Site)
- Replication occurs via sites (IP subnets of good connectivity)
- A server can only host one Domain partition
- Multi-master replication
- Uses Update Sequence Numbers (USNs) to prevent corruption
- Replication is controlled and easy to configure
- A Domain can efficiently span multiple sites

Replication

- What is replicated? Only changes are replicated, in three naming contexts:
  - Directory information
  - Configuration
  - Schema
- There are two forms of replication:
  - Intrasite replication
  - Intersite replication
- Knowledge Consistency Checker: automatically configures and checks the topology for the most efficient replication
- Tools: Sites and Services MMC snap-in; Replmon

Sites

- A Site separates the network's physical topology from Active Directory's logical view of the network
- A Site is an area of “good connectivity”
- A Site is a collection of subnets
- All directory replication is controlled via Sites
- A Site can be composed of multiple Domains
- Clients discover their site based on the subnet mask received from DHCP (or hand-configured)
- Basis for locality-based resource discovery

Intrasite Replication

- Automatically configured for you
- Replication occurs whenever there is a directory change or at an interval of ~7 minutes
- Not compressed
- Not easily controllable

[Diagram: five Domain Controllers within one site connected by intra-site replication]

Intersite Replication

- Compressed 10:1
- Configurable (15 minutes – 3 hours)
- RPC or SMTP
- Site Links
- Site Bridges
- Scheduled

[Diagram: Site 1 and Site 2, each with several Domain Controllers, joined by inter-site replication]

Site Links

- Represent the priority of replication traffic between the sites identified in the site link
- Higher cost numbers represent lower-priority replication paths
- Control topology by setting the costs on site links
- Control the replication frequency by setting the number of minutes between replication attempts
- Control link availability using the schedule on site links
- Can link multiple sites to create a controlled path of replication called a Site Bridge

Site Links and Bridges

[Diagram: Site X and Site Y joined by Site Link XY, Site Y and Site Z by Site Link YZ; Site Link Bridge XYZ spans both links]

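A worked version of the cost, schedule and bridge rules above, added here and not part of the original deck: a lowest-cost path search over site links that honours each link's schedule and only routes transitively when a site link bridge exists. Site Links XY and YZ come from the diagram; the direct XZ link, all costs, intervals and open hours are assumed for the example.

```python
import heapq

# Constructed site link table for the X/Y/Z sites on the slide. XY and YZ are
# the links drawn there; the direct XZ link, and all costs, intervals (minutes
# between replication attempts) and open hours, are assumed for this example.
SITE_LINKS = {
    "XY": {"sites": {"X", "Y"}, "cost": 100, "interval": 180, "open_hours": range(0, 24)},
    "YZ": {"sites": {"Y", "Z"}, "cost": 200, "interval": 60, "open_hours": range(18, 24)},
    "XZ": {"sites": {"X", "Z"}, "cost": 500, "interval": 15, "open_hours": range(0, 24)},
}

def link_open(link, hour):
    """Schedule check: a link only carries replication during its open hours."""
    return hour in link["open_hours"]

def cheapest_path(src, dst, hour, bridged=True, links=SITE_LINKS):
    """Lowest-cost replication path from src to dst using links open at `hour`.

    Higher cost means lower priority, so the cheapest path is preferred.
    bridged=False allows only a single direct site link; a site link bridge
    is what lets replication be routed transitively across several links.
    Returns (total_cost, [link names]) or None if no path is open."""
    heap = [(0, src, [])]          # (cost so far, site reached, links used)
    settled = set()
    while heap:
        cost, site, path = heapq.heappop(heap)
        if site == dst:
            return cost, path
        if site in settled:
            continue
        settled.add(site)
        if not bridged and path:   # already crossed one link; no transit without a bridge
            continue
        for name, link in links.items():
            if site not in link["sites"] or not link_open(link, hour):
                continue
            for nxt in link["sites"] - {site}:
                if nxt not in settled:
                    heapq.heappush(heap, (cost + link["cost"], nxt, path + [name]))
    return None

def slowest_interval(path, links=SITE_LINKS):
    """Replication along a path can be no more frequent than its slowest link."""
    return max(links[name]["interval"] for name in path)
```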
Architecture – Replication

[Diagram, after replication: R1 records R1 USN:5 and R2 USN:305; R2 records R1 USN:5, R2 USN:305 and R3 USN:62; R3 records R2 USN:305 and R3 USN:62 – each replica tracks the highest USN it has received from each of its partners]

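The USN bookkeeping behind the Replication slide and the R1/R2/R3 diagram above, as an added simulation that is not part of the original deck: each replica numbers its own writes with a USN, remembers the highest USN it has pulled from each partner, and therefore pulls only the changes it has not yet seen. The three-replica chain, the dampening check against the originating replica's USN, and the assumption that no two replicas write the same attribute concurrently are mine.

```python
class Replica:
    """Minimal multi-master replica driven by update sequence numbers (USNs).
    Assumption (mine): no two replicas write the same attribute concurrently."""

    def __init__(self, name):
        self.name = name
        self.usn = 0              # local counter, bumped for every change applied here
        self.log = []             # (local_usn, origin, originating_usn, key, value)
        self.data = {}
        self.high_watermark = {}  # partner -> highest partner USN already pulled
        self.up_to_date = {}      # origin -> highest originating USN already applied

    def write(self, key, value):
        """An originating change made on this replica."""
        self.usn += 1
        self.up_to_date[self.name] = self.usn
        self.log.append((self.usn, self.name, self.usn, key, value))
        self.data[key] = value

    def pull_from(self, src):
        """Replicate only what src logged after our watermark for it.
        Changes already received via another partner are skipped (dampening).
        Returns the number of changes actually applied."""
        since = self.high_watermark.get(src.name, 0)
        applied = 0
        for local_usn, origin, origin_usn, key, value in src.log:
            if local_usn <= since:
                continue                       # already pulled in an earlier cycle
            self.high_watermark[src.name] = local_usn
            if origin_usn <= self.up_to_date.get(origin, 0):
                continue                       # seen this change by another path
            self.usn += 1                      # re-log under our own USN so that
            self.log.append((self.usn, origin, origin_usn, key, value))  # partners can pull it
            self.data[key] = value
            self.up_to_date[origin] = origin_usn
            applied += 1
        return applied

def three_replica_scenario():
    """Constructed chain R1 -> R2 -> R3 with a second path R1 -> R3."""
    r1, r2, r3 = Replica("R1"), Replica("R2"), Replica("R3")
    r1.write("CN=Thomas/phone", "555-0100")
    first = r2.pull_from(r1)   # 1: the new change flows R1 -> R2
    second = r3.pull_from(r2)  # 1: and on to R3 via R2
    third = r3.pull_from(r1)   # 0: R3 already holds R1's change, nothing re-applied
    r3.write("CN=Kevin/phone", "555-0101")
    fourth = r1.pull_from(r3)  # 1: only the new change comes back
    return (first, second, third, fourth), r1, r2, r3
```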
Sites and the AD

[Diagram: domains Microsoft (MSHQ1, MSHQ2, MSHQ3), HR (HR1, HR2), Sales (Sales1, Sales2, Sales3), MSNA (MSNA1, MSNA2) and Europe (EURO1, EURO2); their domain controllers are distributed across Site Seattle, Site Redmond and Site Paris, so each site holds DCs of several domains and each domain spans several sites]

Operation Masters

These roles are:
- Recoverable – Recovery Console
- Transferable – command line

These are the roles:
- RID Master – one per domain, controls relative IDs
- PDC Emulator – one per domain, allows password updates and backwards compatibility with NT 4.0 BDCs
- Infrastructure Master – one per domain, updates group and user information when changes are made
- Schema Master – one per forest, controls schema updates
- Domain Naming Master – one per forest, controls all additions and removals of domains

Differences – Design

NDS
- Partition the directory by OU
- OUs are tied to physical locations
- Multi-master replication
- A server can host multiple partitions
- Replication occurs via time stamps
- Replication is very difficult to configure and is not controllable
- It is not recommended to have OUs span physical boundaries

Global Data Availability – Searches

[Diagram: a Windows 2000 domain with AD replicas in Chicago, Boston and San Diego; a search for ‘All Bobs’ is answered from the local replica, which replication keeps complete]

Active Directory:
- Partitions map to Windows 2000 domains
- Partitions can span many sites and WAN links
- Optimizes replication automatically between sites and over slow network links
- Impact: faster and more complete searches

Global Data Availability – Searches

[Diagram: an NDS tree with NDS servers in San Diego, Chicago and Boston; a search for ‘All Bobs’ must cross the WAN to each location before it is answered]

NDS Version 8:
- Partitions cannot span WAN links . . . easily
- Replication does not occur on an inter-site basis
- Cross-location searches must ‘tree walk’
- Impact: slower and less complete searches; more network traffic

Global Data Availability – Replication

[Diagram: NDS replicas (R) in Site 1 and Site 2 each replicating across the WAN, versus Active Directory with one bridgehead server (B) per site and a single WAN connection]

• NDS: 90 connections; 25 WAN crossings
• Active Directory: 13 connections; 1 WAN crossing

Internet Standards Support – PKI

[Diagram: Windows 2000 ties authentication (Kerberos, smart card, X.509/PKI certificates) and authorization (file system) to Active Directory]

Active Directory advantages:
- Better PKI management
  - Integrated key recovery mechanism and revocable certificates
  - Web-based access and management
  - Integrated client-side distribution of keys
- Comprehensive OS integration (IIS, EFS, IPSec)
- Application integration (CryptoAPI)

Internet Standards Support – Summary

Active Directory
- Native LDAP server
- Full namespace integration with DNS
- Integrated support for PKI technologies

NDS
- LDAP requests are translated
- No namespace integration with DNS
- Limited integration with PKI

Application Integration

[Diagram: applications reach NT-DS, Active Directory, NDS, LDAP directories and databases through a common OLE DB / ADSI layer]

Active Directory Services Interface (ADSI)
- Provides a consistent, simple way for COM-enabled apps to access directory services
- Usable for any LDAP server (including NDS)
- Leverages COM Windows development tools
- Greatly simplifies development of directory-enabled applications

Application Integration

Active Directory enables powerful directory-enabled applications:
- Group Policy integration
- Service publication
- Directory object extension
- ADSI extension model
- Active Directory Class Store

AD-enabled applications:
- Baan, J.D. Edwards, SAP, Cisco & others
- BackOffice 2000, MSMQ, MTS and most others

Application Integration – Summary

Windows 2000 & Active Directory
- COM, ADSI, Logo programs
- LDAP-based access to all features
- Rich development environment (VB, C++, Java)
- Supports distributed applications over WANs
- Large ISV support: 8,000+ Windows applications

NetWare & NDS
- ADSI support not available on NetWare
- Incomplete LDAP-based access to NDS features
- Java-only development environment
- Partitions limit application functionality
- Poor ISV support – GroupWise not even NDS-enabled

Active Directory vs. NDS – Comparison

Feature                          Active Directory   NDS Version 8
Storage technology               Indexed            Indexed
Max objects/partition            Millions           Millions
Partition boundary               Geo/Political      WAN
Partition-spanning groups?       Yes                Not Advised
Same store for catalogs?         Yes                No
Catalog update interval          Continuous         Scheduled
Attribute security in catalog?   Yes                No
Native LDAP support?             Yes                No
Global change LDAP interface?    Yes                No
DNS naming integration           Yes                No
Integrated PKI support?          Yes                No
ADSI provider support?           Yes                Yes*
Java support                     Yes (JADSI)        Yes (JNDI)
VB, C, C++ support               Yes                No
Interoperability tools           Yes                No

* Not available to NetWare applications

This document is for informational purposes only. MICROSOFT MAKES NO
WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
© 2000 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Where do you want to go today?, Windows, the
Windows logo and Windows NT are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other
countries.
The names of actual companies and products mentioned herein may be the
trademarks of their respective owners.