
Differences Windows Active Directory and Novell Directory Services Donnie Hamlett Technology...

Date post: 31-Mar-2015
Upload: alisha-codd
Transcript
Page 1: Differences Windows Active Directory and Novell Directory Services Donnie Hamlett Technology Specialist Microsoft – New York.

Differences

Windows Active Directory and Novell Directory Services

Donnie Hamlett

Technology Specialist

Microsoft – New York

Page 2: Agenda

- Introduction
- X.500 Directories, History and Terminology
- X.500 Implemented with AD and NDS
- Objects
- Networking and Services
- LDAP
- Directory Design and Partitioning the Directory
- Programming
- Summary

Page 3: Introduction

The purpose of this session is to get a thorough understanding of the basic differences between the Windows 2000 AD and Novell NDS.

Page 4: X.500 History

- X.500 is the standard produced by the ISO/ITU defining the protocols and information model for a directory service that is independent of computing application and network platform
  - X.509 Authentication Framework is a series of standards, describes the use of digital certificates and PKI
  - X.525 Replication
- First released in 1988 and updated in 1993 and 1997
- X.500 standard defines a specification for a rich, distributed directory based on hierarchically named information objects (directory entries) that users can browse and search
- X.500 – Glorified, very logical, electronic yellow pages for X.400 messaging systems

Page 5: X.500 Fundamentals

- DIB - Directory Information Base
  - The actual database(s) that store(s) the entries in the directory service
- Directory Information Tree
  - Dictated by the database schema to present a hierarchical tree of objects

[Diagram labels: DIB, DIT]

Page 6: X.500 Schema

- Design of the directory store. Defines objects, attributes, and system information
- Object Classes
  - Define the kinds of objects that can be instantiated in the directory
  - Define the rules for an object
  - Define the attributes that are intended for the object

[Diagram labels: DIB, Object, Attribute]

Page 7: X.500 Objects

- Specific entries in the directory store
- Are comprised of attributes
- Attributes
  - Describe certain aspects of the object
- USER OBJECT attributes: First Name, Last Name, Phone Number, Address

[Diagram labels: DIB, Object, Attribute]

Page 8: X.500 Directory Services

- DSA - Directory System Agent
  - The actual process that client applications bind to in order to search the directory
  - Utilizes DSP - Directory System Protocol
- DUA - Directory User Agent
  - Client process that binds to a DSA to retrieve information from the directory
  - Utilizes the Directory Access Protocol
- Access Protocols
  - DAP – Directory Access Protocol
  - LDAP – Lightweight Directory Access Protocol, developed because DAP is bulky and it didn't lend itself to the internet.

[Diagram labels: DAP, LDAP]

Page 9: X.500 Directory Services Hierarchy

- Representation of data in the directory.
- Is easier to use than flat systems
- Defined in X.500
  - (Root)
  - DC – Domain Component
  - C – Country
  - L - Locality
  - O – Organization
  - OU – Organizational Unit
  - CN – Common Name
- Distinguished Name
  - Defines the name and location in the DIT
- Relative Distinguished Name
  - Uses a reference point
  - Partial name

[Diagram: directory tree. Node labels in source order: C = US, O = Microsoft, CN = Kevin, OU = Development, CN = Mike, OU = Sales, CN = Thomas]

O=US, O=Microsoft, OU=Development, CN=Thomas

Page 10: X.500 Implemented with AD and NDS

- No one used the full set of X.500 definitions to design their directory service.
- Everyone has their own proprietary take on how X.500 is implemented.

Page 11: Differences – X.500 Names

Both Novell and AD use X.500 name schemes but they do not implement all of them.

- Active Directory: DC, OU, CN
- Novell Directory Service: C, O, OU, CN

Page 12: Differences – Objects

- Windows – Static Inheritance
  - More weight on directory at creation, write intensive
  - All ACEs are contained within the object
  - Larger objects increase the size of the DIB
  - Rights controlled by groups
- Novell – Dynamic Inheritance
  - When the object is called you must aggregate its rights by walking the tree
  - More weight on the directory when read
  - Rights controlled by OUs (also groups)
  - Must tree walk – this can go across WAN – bad

Page 13: Object Access

- Access to directory objects is controlled via Access Control Lists (ACLs)
- Fine granularity is provided by Access Control Entries (ACEs) that apply to specific attributes

[Diagram: Directory Object with its ACL; ACE: Sales Managers read access]

ACEs can apply to specific attributes
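
The static and dynamic inheritance models from the Objects slide, combined with an attribute-level ACE as on the Object Access slide, shown as an added example that is not part of the original deck. The tree, the `ACE` and `Node` classes and all function names are hypothetical and only model the write-time versus read-time cost the slides describe; the attribute names come from the USER OBJECT slide.

```python
# Added illustration: a simplified model of the two inheritance styles,
# not the real Active Directory or NDS data structures.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ACE:
    trustee: str            # group the entry applies to
    right: str              # e.g. "read"
    attribute: str = "*"    # "*" = every attribute, otherwise one named attribute
    inherited: bool = False


@dataclass(eq=False)
class Node:
    name: str
    parent: "Node" = None
    explicit: list = field(default_factory=list)  # ACEs set directly on this node
    stamped: list = field(default_factory=list)   # static model: inherited copies kept in the object
    children: list = field(default_factory=list)

    def add_child(self, name):
        child = Node(name, parent=self)
        self.children.append(child)
        return child


def set_ace_static(container, ace):
    """Static inheritance: copy the ACE into every descendant when it is written."""
    container.explicit.append(ace)
    writes, stack = 1, list(container.children)
    while stack:
        node = stack.pop()
        node.stamped.append(ACE(ace.trustee, ace.right, ace.attribute, inherited=True))
        writes += 1
        stack.extend(node.children)
    return writes


def set_ace_dynamic(container, ace):
    """Dynamic inheritance: store the ACE once, on the container only."""
    container.explicit.append(ace)
    return 1


def effective_static(node):
    """Everything needed is already in the object: no parent lookups."""
    return node.explicit + node.stamped, 0


def effective_dynamic(node):
    """Aggregate rights by walking up the tree; each hop may be a remote lookup."""
    aces, hops, cur = list(node.explicit), 0, node.parent
    while cur is not None:
        aces.extend(ACE(a.trustee, a.right, a.attribute, inherited=True) for a in cur.explicit)
        hops += 1
        cur = cur.parent
    return aces, hops


def allowed(aces, groups, right, attribute):
    """True if any ACE grants `right` on `attribute` to one of the caller's groups."""
    return any(a.trustee in groups and a.right == right and a.attribute in ("*", attribute)
               for a in aces)


def build_tree():
    """Constructed sample tree (names are made up for this example)."""
    root = Node("O=Example")
    sales, dev = root.add_child("OU=Sales"), root.add_child("OU=Development")
    return {"sales": sales, "alice": sales.add_child("CN=Alice"),
            "bob": sales.add_child("CN=Bob"), "carol": dev.add_child("CN=Carol")}


def compare():
    ace = ACE("Sales Managers", "read", "Phone Number")   # attribute-level ACE
    s, d = build_tree(), build_tree()
    out = {"static_writes": set_ace_static(s["sales"], ace),
           "dynamic_writes": set_ace_dynamic(d["sales"], ace)}
    s_aces, out["static_read_hops"] = effective_static(s["alice"])
    d_aces, out["dynamic_read_hops"] = effective_dynamic(d["alice"])
    me = {"Sales Managers"}
    out["static_phone"] = allowed(s_aces, me, "read", "Phone Number")
    out["dynamic_phone"] = allowed(d_aces, me, "read", "Phone Number")
    out["static_address"] = allowed(s_aces, me, "read", "Address")
    out["carol_phone"] = allowed(effective_dynamic(d["carol"])[0], me, "read", "Phone Number")
    return out


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Both models grant the same access; they differ in where the cost lands, which is why an access review of a static-inheritance directory reads the ACL stored on the object while a dynamic one has to evaluate every container above it.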

Page 14: Global Data Availability - Catalogs

Active Directory Catalogs:
- Enable efficient cross-domain data sharing
- Use the same set-up tools as replicas
- Use same replication mechanisms and the same interval as domain replicas
- Enforce object and attribute level security

[Diagram: Windows 2000 Forest. Labels: acme.com, asia.acme.com, europe.acme.com, xyx.com. Legend: Global Catalog Replica]

Page 15: Global Data Availability - Catalogs

NDS Catalogs:
- Are based on periodic 'dredging'
- Occur only at scheduled 1-7 day intervals
- Users are granted/denied access to entire catalog – no attribute/object-level security
- Are being completely redesigned...

[Diagram labels: Catalog, Dredger; San Diego, Chicago, Boston]

Page 16: Differences – Networking and Services

- Active Directory
  - Based on TCP/IP
  - DNS Server Resource Records (MX-Record)
  - LDAP for internal searches, each object has a unique GUID (example on following page)
  - All Domain Controllers are native LDAP Servers
  - Integrates with DNS
- NDS
  - Originally based on IPX/SPX
    - Service Advertising Protocol (SAP) to advertise services
  - Implemented in TCP/IP with
    - Service Location Protocol (SLIP), also advertisement based
    - SLIP does not integrate with DNS, proprietary
  - When implemented together reduces network performance because routers must support RIP that allows for both SLIP and SAP protocols
  - Not a native LDAP Server – it has an LDAP interface that translates LDAP requests to native NDAP protocols

Page 17: Active Directory

Global namespace = DNS + LDAP Directories

[Diagram: namespace tree. Labels in source order: com, microsoft, edu, stanford, courses, Domain: stanford.edu, aVendor, music, students, sarahj, thorj, Vera Kark, MargretJ, Domain: aVendor.com, Domain: microsoft.com]

Page 18: Internet Standards Support - LDAP

Active Directory vs. NDS – LDAP Search

[Chart: Base Search. Y axis: LDAP Searches/Second (0 to 4,000). X axis: Processors (UP, 2P, 4P). Series: NDS 8 on NetWare, Active Directory. Data labels in source order: 578, 1,162, 608, 2,047, 608, 3,676]

| | NDS | Active Directory |
|---|---|---|
| LDAP Requests Processed | Translated | Natively |
| Services Published through LDAP | Limited | All |

- Active Directory is a faster & more interoperable LDAP Server

Page 19: Differences - Design

- Active Directory
  - Partition the directory by Domain
  - Different Administrative view and Replication view
    - Domain
    - Site
    - Replication occurs via sites (IP subnets of good connectivity)
  - A server can only host one Domain partition
  - Multi-master replication
    - Uses Update Sequence Numbers to prevent corruption
  - Replication is controlled and easy to configure
  - A Domain can efficiently span multiple sites

Page 20: Replication

- What is Replicated? – only changes are replicated
  - Directory Information
  - Configuration
  - Schema
- There are two forms of replication
  - Intrasite Replication
  - Intersite Replication
- Knowledge Consistency Checker
  - Automatically configures and checks topology for the most efficient replication
- Tools
  - Sites and Services MMC snap-in
  - Replmon

Page 21: Sites

- A Site separates the network's physical topology from the Active Directory's logical view of the network
- A Site is an area of "good connectivity"
- A Site is a collection of subnets
- All directory replication is controlled via Sites
- A Site can be composed of multiple Domains
- Clients discover their site based on the subnet mask received from DHCP (or hand-configured)
- Basis for locality-based resource discovery

Page 22: Intrasite Replication

- Automatically configured for you
- Replication occurs whenever there is a directory change or an interval of ~ 7 minutes
- Not compressed
- Not easily controllable

Page 23: Intrasite Replication

[Diagram: Intra-Site Replication among Domain Controllers]

Page 24: Intersite Replication

- Compressed 10-1
- Configurable
  - Scheduled (15 minutes – 3 hours)
  - RPC or SMTP
  - Site Links
  - Site Bridges

Page 25: Intersite Replication

[Diagram: Inter-Site Replication between Domain Controllers in Site 1 and Site 2]

Page 26: Site Links

- Represents the Priority of Replication Traffic Between the Sites Identified in the Site Link
  - Higher Cost Numbers Represent Lower Priority Replication Paths
- Control Topology by Setting the Costs on Site Links
- Control the Replication Frequency by Setting the Number of Minutes Between Replication Attempts
- Control Link Availability Using the Schedule on Site Links
- Can link multiple sites to create a controlled path of replication called a Site Bridge

Page 27: Site Links and Bridges

[Diagram labels: Site X, Site Y, Site Z, Site Link XY, Site Link YZ, Site Link Bridge XYZ]

Page 28: Architecture Replication

After replication

[Diagram: replicas R1, R2 and R3. USN tables in source order: (R1 USN:5, R2 USN:305); (R1 USN:5, R2 USN:305, R3 USN:62); (R2 USN:305, R3 USN:62)]
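
How per-replica update sequence numbers drive "only changes are replicated" in a multi-master set, as an added example that is not part of the original deck and is not Active Directory's implementation. The `Replica` class, its methods and the tie-break rule (higher version, then replica name) are hypothetical simplifications; the starting USNs 5, 305 and 62 are the values shown on the slide and the data is constructed.

```python
# Added illustration: a toy model of USN-driven pull replication.
# Conflict handling is simplified and chosen for this example only.

class Replica:
    def __init__(self, name, start_usn=0):
        self.name = name
        self.usn = start_usn        # local counter; never derived from a clock
        self.data = {}              # key -> (value, version, originating replica)
        self.log = []               # (local USN, key) for every change committed here
        self.high_watermark = {}    # partner name -> highest partner USN already pulled

    def _commit(self, key, value, version, origin):
        self.usn += 1
        self.data[key] = (value, version, origin)
        self.log.append((self.usn, key))

    def write(self, key, value):
        """Originating write on this replica."""
        version = self.data.get(key, (None, 0, None))[1] + 1
        self._commit(key, value, version, self.name)
        return self.usn

    def changes_since(self, usn):
        """Only keys changed after `usn` are offered to the partner."""
        keys = sorted({k for u, k in self.log if u > usn})
        return [(k,) + self.data[k] for k in keys], self.usn

    def pull_from(self, partner):
        """Pull the partner's changes; returns (offered, applied)."""
        since = self.high_watermark.get(partner.name, 0)
        changes, partner_usn = partner.changes_since(since)
        applied = 0
        for key, value, version, origin in changes:
            current = self.data.get(key)
            # Simplified tie-break: higher version wins, then replica name.
            if current is None or (version, origin) > (current[1], current[2]):
                self._commit(key, value, version, origin)
                applied += 1
        self.high_watermark[partner.name] = partner_usn
        return len(changes), applied


def scenario():
    # Starting USNs are the values shown on the slide; the data is constructed.
    r1, r2, r3 = Replica("R1", 5), Replica("R2", 305), Replica("R3", 62)
    key = "CN=Kevin/Phone Number"
    r1.write(key, "555-0100")
    steps = {
        "r2_first_pull": r2.pull_from(r1),
        "r2_second_pull": r2.pull_from(r1),  # nothing new: watermark already at R1's USN
        "r3_pull": r3.pull_from(r2),         # R1's change reaches R3 through R2
        "r1_echo": r1.pull_from(r2),         # offered back, rejected as not newer
    }
    # Concurrent writes to the same attribute on R1 and R3.
    r1.write(key, "555-0111")
    r3.write(key, "555-0133")
    r2.pull_from(r1)
    r2.pull_from(r3)
    r1.pull_from(r2)
    r3.pull_from(r2)
    steps["values"] = [r.data[key][0] for r in (r1, r2, r3)]
    steps["usns"] = (r1.usn, r2.usn, r3.usn)
    steps["r2_watermarks"] = dict(r2.high_watermark)
    return steps


if __name__ == "__main__":
    for name, result in scenario().items():
        print(name, result)
```

Each replica's counter advances independently and is never compared with another replica's counter; a partner only remembers how far it has read, so what gets transferred does not depend on synchronized clocks.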

Page 29: Sites and the AD

[Diagram labels: Microsoft; HR, Sales; MSNA, Europe; servers MSHQ1, MSHQ2, MSHQ3, HR1, HR2, Sales1, Sales2, Sales3, MSNA1, MSNA2, EURO1, EURO2; Site Redmond, Site Seattle, Site Paris]

Page 30: Operation Masters

- These Roles are
  - Recoverable – Recovery Console
  - Transferable – Command Line
- These are the following Roles
  - RID Master – one per domain, controls relative IDs
  - PDC Emulator – one per domain, allows password updates and backwards compatibility with NT 4.0 BDCs
  - Infrastructure Master – one per domain, updates group and user information when changes are made
  - Schema Master – one per forest, controls schema updates
  - Domain Naming Master – one per forest, controls all additions and removals of domains

Page 31: Differences - Design

- NDS
  - Partition the directory by OU
  - OUs are tied to physical locations
  - Multimaster replication
  - A server can host multiple partitions
  - Replication occurs via time stamps
  - Replication is very difficult to configure and is not controllable
  - It is not recommended to have OUs span physical boundaries

Page 32: Global Data Availability - Searches

Active Directory:
- Partitions map to Windows 2000 domains
- Partitions can span many sites and WAN links
- Optimizes replication automatically between sites and over slow network links
- Impact: Faster and more complete searches

[Diagram: Windows 2000 Domain. Labels: AD Replica (each listing Boston, San Diego, Chicago), Replication, Find: 'All Bobs', Answer]

Page 33: Global Data Availability - Searches

NDS Version 8:
- Partitions cannot span WAN links . . . easily
- Replication does not occur on an inter-site basis
- Cross-location searches must 'tree walk'
- Impact: Slower and less complete searches; more network traffic

[Diagram: NDS Tree. Labels: NDS Server, Boston, San Diego, Chicago, WAN, Find: 'All Bobs', Answer]

Page 34: Global Data Availability - Replication

- NDS: 90 Connections; 25 WAN crossings
- Active Directory: 13 Connections; 1 WAN crossing

[Diagrams: Active Directory and NDS, each showing Site 1 and Site 2 joined by a WAN. Legend: R = Replica, B = Bridgehead Server, Connection]

Page 35: Internet Standards Support - PKI

Active Directory Advantages:
- Better PKI Management
  - integrated key recovery mechanism and revocable certificates
  - web-based access and management
  - integrated client-side distribution of keys
- Comprehensive OS Integration (IIS, EFS, IPSec)
- Application Integration (CryptoAPI)

[Diagram labels: Windows 2000, File System, Kerberos, Smart Card, X.509/PKI Certificates, Authentication, Authorization, Active Directory]

Page 36: Internet Standards Support - Summary

- Active Directory
  - Native LDAP server
  - Full namespace integration with DNS
  - Integrated support for PKI technologies
- NDS
  - LDAP requests are translated
  - No Namespace Integration with DNS
  - Limited Integration with PKI

Page 37: Application Integration

Active Directory Services Interface
- Provides a consistent, simple way for COM-enabled apps to access directory services
- Usable for any LDAP server (including NDS)
- Leverages COM Windows Development tools
- Greatly simplifies development of directory-enabled applications

[Diagram labels: Application, ADSI, Active Directory, NT-DS, LDAP, NDS; Application, ADO, OLE DB, Databases]

Page 38: Application Integration

- Active Directory enables powerful directory-enabled applications
  - Group Policy Integration
  - Service Publication
  - Directory Object Extension
  - ADSI Extension Model
  - Active Directory Class Store
- AD-enabled Applications
  - Baan, J.D. Edwards, SAP, Cisco & others
  - BackOffice 2000, MSMQ, MTS and most others

Page 39: Application Integration - Summary

- Windows 2000 & Active Directory
  - COM, ADSI, Logo programs
  - LDAP-based access to all features
  - Rich Development Environment (VB, C++, Java)
  - Supports Distributed Applications over WANs
  - Large ISV Support: 8,000+ Windows Applications
- NetWare & NDS
  - ADSI support not available on NetWare
  - Incomplete LDAP-based access to NDS features
  - Java-only development environment
  - Partitions limit application functionality
  - Poor ISV Support - GroupWise not even NDS-enabled

Page 40: Active Directory vs. NDS

| Comparison | Active Directory | NDS Version 8 |
|---|---|---|
| Storage technology | Indexed | Indexed |
| Max objects/partition | Millions | Millions |
| Partition Boundary | Geo/Political | WAN |
| Partition-spanning groups? | Yes | Not Advised |
| Same store for catalogs? | Yes | No |
| Catalog update interval | Continuous | Scheduled |
| Attribute security in catalog? | Yes | No |
| Native LDAP support? | Yes | No |
| Global change LDAP interface? | Yes | No |
| DNS naming integration | Yes | No |
| Integrated PKI support? | Yes | No |
| ADSI provider support? | Yes | Yes* |
| Java Support | Yes (JADSI) | Yes (JNDI) |
| VB, C, C++ Support | Yes | No |
| Interoperability Tools | Yes | No |

* Not available to NetWare applications

Page 41:

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

© 2000 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Where do you want to go today?, Windows, the Windows logo and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
