Active Directory Myths and Reality
Article summary
I have observed that many customers are moving from older directories
to Active Directory (AD). However, most customers do not deploy
the full power of AD. Things stop at File/Print, User Migration
and base profile management. This article explores the concept and
practical benefits of AD for the organisation. Later, we will discuss
the Developer benefits of AD (which are rarely known/used anyway!).
What Is a Directory Service?
A directory service provides a place to store information about network-based entities,
such as applications, files, printers, and people. It provides a consistent
way to name, describe, locate, access, manage, and secure information about
these individual resources.
Further, a directory service acts as the main switchboard of the network operating
system. It is the central authority that manages the identities and brokers
the relationships between these distributed resources, enabling them to work
together. Because a directory service supplies these fundamental network operating
system functions, it must be tightly coupled with the management and security
mechanisms of the operating system to ensure the integrity and privacy of the
network. It also plays a critical role in an organisation's ability to define
and maintain the network infrastructure, perform system administration, and
control the overall user experience of a company's information systems.
Why Have a Directory Service?
A directory service offers the following benefits:
- Makes management of a complex and large pool of resources easier: it provides a single, consistent point of management for users, applications, and devices.
- Enhances security through central control and unification of authentication information: it provides users with a single sign-on to network resources and gives administrators powerful and consistent tools to manage security services for internal desktop users, remote dial-up users, and external e-commerce customers.
- Works with other types of directory services without manual coding or intervention: it supplies standards-based access to all Active Directory features as well as synchronisation support for popular directories.
What is Active Directory?
In NT 4, we had a domain-based architecture. There were many disadvantages to
this model.
Active Directory eliminates all the lacunae of NT 4 topology and manages information
about network resources and users very effectively. In addition, Active Directory
acts as the central authority for network security, letting the operating system
readily verify a user's identity and control his or her access to network resources.
Active Directory is a tool for users as well as administrators.
Active Directory provides a single point of management for Windows-based user
accounts, clients, servers, and applications.
What Are the Benefits of Active Directory?
Totally integrated with Windows 2003 Server, Active Directory gives network administrators, developers, and users access to a directory service that simplifies management, strengthens security and extends interoperability.
Active Directory allows companies to significantly lower management costs by providing a single place to manage users, groups and network resources, as well as to distribute software and manage desktop configurations. For example, Active Directory uses one place for managing both Windows 2000 users and Microsoft Exchange mailbox information. Active Directory helps companies simplify management because it:
- Eliminates redundant management tasks: provides a single point of management for Windows user accounts, clients, servers, and applications, as well as the ability to synchronise with existing directories.
- Reduces trips to the desktop: automatically distributes software to users based on their role in the company, reducing or eliminating the multiple trips that system administrators need to make for software installation and configuration.
- Better maximises IT resources: securely delegates administrative functions to all levels of an organisation.
- Lowers total cost of ownership (TCO): simplifies the management and use of file and print services by making network resources easier to find, configure, and use.
Strong and consistent security services are essential to corporate networks. Managing user authentication and access control is often tedious and prone to error. Active Directory centralises management and enforces role-based security consistent with an organisation's business processes. For example, support for multiple authentication protocols (Kerberos, X.509 certificates and smart cards), combined with a flexible access control model, enables powerful and consistent security services for internal desktop users, remote dial-up users, and external e-commerce customers. The following are some ways in which Active Directory strengthens security:
- It improves password security and management: by providing single sign-on to network resources with integrated, high-powered security services that are transparent to end users.
- It ensures desktop functionality: by locking down desktop configurations and preventing access to specific client machine operations, such as software installation or registry editing, based on the role of the end user.
- It speeds e-business deployment: by providing built-in support for secure Internet-standard protocols and authentication mechanisms such as Kerberos, public key infrastructure (PKI) and Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL).
- It tightly controls security: by setting access control privileges on directory objects and the individual data elements that make them up.
Many companies have a diverse collection of technologies that must work together.
As a result, many corporate networks have an equally diverse collection of disparate
directories as part of e-mail servers, applications, network devices, firewalls,
e-commerce applications, and more. Active Directory provides a set of standard
interfaces for application integration and open synchronisation mechanisms to
ensure that Windows can interoperate with a wide variety of applications and
devices. Active Directory extends interoperability because it:
- Takes advantage of existing investments and ensures flexibility. Standards-based interfaces to all features make use of investments and ensure flexibility for future applications and infrastructure.
- Consolidates management of multiple application directories. Using open interfaces,
connectors, and synchronisation mechanisms, organisations can consolidate directories
including Novell's NDS, LDAP, ERP, e-mail, and other mission-critical applications.
- Allows organisations to deploy directory-enabled networking. Network devices
from leading vendors such as Cisco and 3COM can use the directory to let
administrators assign quality of service and allocate network bandwidth to users
based on their role in the company.
- Allows organisations to develop and deploy directory-enabled applications.
Using the fully extensible directory architecture, developers can build applications
that deliver functionality tailored to the needs of the end user.
New features = More benefit / less work / both
I have always mentioned in my articles how new technology should be imbibed and utilised effectively.
Most techies get enamoured with the "What's New" of the latest version. But there is life beyond that. We have to map what is new to what is old, find out what is really useful, quantify and cross-check it, and then implement it.
Often this entire cycle is not followed to its logical conclusion, leading to partial usage of technology!
Here are some really good things about Windows 2003. Another thing to learn
here is how to incrementally enhance a product during its maturation cycle.
- ADMT (Active Directory Migration Tool)
This tool helps in migrating from NT 4. Among other features, it copies the older passwords to AD. In order to automate complex migration scenarios it offers scripting and a COM object model. It also supports all the functionality through a command line interface. So whether you like a UI, programmability or command line switches, it is all there. A great example of user focus again.
- Initial replication using CD / DVD - no wastage of bandwidth
Earlier, the replication of the directory information used to happen over the WAN. This was a time-consuming process which often interfered with other applications like LOB apps, messaging, voice and so on.
Now you can take a backup of all the base information which needs to be replicated,
copy it to the destination server using tape, CD, DVD and start the restore
there. No bandwidth wastage. No delays.
- Trusts across Forests
This is a very useful feature. Earlier it required lots of manual work to trust resources across domains. Now you can trust specific resources across Forests (in reality, different organisations) with very little effort, while maintaining full security.
- ADAM (Active Directory Application Mode)
This is more useful from the point of view of application authentication integration
with AD. This topic is relevant initially to architects and developers of applications,
and then to the administrators. I will cover this when we discuss the programmability
of AD.
However, in summary, this feature allows you to use the full features of AD for users which are specific to YOUR application. No extra coding. No manual and contorted management of user tables. Simply use AD as though it was regular AD. The difference is that these users are restricted to your app only. Managed by Windows. You don't have to worry.
- Group policy management tool (GPMC)
Group policy as a concept has been there for a long time. But very few customers
use it fully. In fact, most are not even aware of the sophistication and centralised
control GP can offer the IT team.
GPMC provides a single console for everything you will ever need to manage Group Policies. It is powerful and easy to use.
Desktop standardisation, implementing security or other IT policies, software
distribution and so on can be easily accomplished using GP.
Next time we will continue exploring the features and benefits of AD.
About the Author: Dr Nitin Paranjape is the Chairman and MD of Maestros (Mediline). He is a consultant with many organisations, covering appropriate technology utilisation, business application of relevant technology, application architecture and audit as well as knowledge transfer. He has authored more than 650 articles on various technology-related subjects. He can be contacted at nitin@mediline.co.in