Novell Inc. and
Microsoft Corp. would have resellers believe that one
network operating system (NOS) fits all, but technically
speaking, Windows 2000 and NetWare 5 take different
approaches to solve enterprise challenges. Which
approach is better depends on the application and the
company in question.
The legacy NOS also matters, since customers are
unlikely to switch NOSes. That raises the question: How
does upgrading a NOS compare with crossing platforms?
UPGRADING NETWARE
Networks that have not
migrated all servers to NetWare 5 will be unable to use
important improvements included in Novell Directory
Services (NDS) 8. Without full NDS 8 support, sections
of the NDS namespace need to be partitioned for best
performance. Additional partitions require additional
management, increasing maintenance costs.
Since NDS partitions cannot see one another, catalogs
must be established between partitions to expose network
objects. Unfortunately, catalogs are not incrementally
updated; they are recreated from scratch at each
replication interval, wasting CPU time. Also, the
default replication interval is so long it can lead to
inconsistencies between a catalog and its partition.
More surprising from a security standpoint, objects
copied into a catalog do not carry the access
restrictions they have in their native partition; the
copies are governed only by the restrictions placed on
the catalog itself.
That complicates management. Consider a partition
containing objects with a salary attribute that only a
human-resources user group is allowed to read. Anyone
with access to a catalog that contains those objects can
view the salary attribute, unless the catalog itself has
been restricted. The duplication of effort is compounded
when several catalogs must be established to give
different groups different levels of access.
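The catalog problem generalizes to any derived copy of directory data (an index, a cache, a synchronized replica): the copy carries its own access control, not the source's. The Python model below is an added example, not code from the CRN article, from Novell or from NDS; the partition contents, the salary attribute and the group names are constructed. It shows the salary attribute leaking through an unrestricted catalog that was built by copying objects wholesale, and the two remedies the text implies: restrict the catalog itself, or filter attributes at rebuild time so the catalog never holds data its audience could not read in the partition.

```python
"""Model of a directory catalog built from a partition (constructed example).

Not NDS code: a toy partition with per-attribute read ACLs, and two ways of
building a catalog from it, to show why copying objects wholesale drops the
partition's attribute-level restrictions.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample partition: DN -> attributes.
PARTITION = {
    "cn=alice,ou=eng,o=acme": {"cn": "alice", "mail": "alice@acme.test", "salary": 95000},
    "cn=bob,ou=sales,o=acme": {"cn": "bob", "mail": "bob@acme.test", "salary": 70000},
}
# Attribute-level read restriction in the partition: attribute -> groups allowed
# to read it. Attributes not listed are readable by anyone who can see the object.
PARTITION_ACL = {"salary": frozenset({"HR"})}


@dataclass
class Catalog:
    entries: dict
    readers: Optional[frozenset] = None  # None: anyone with catalog access reads everything in it


def partition_read(dn, attr, groups):
    """Attribute read against the source partition, honouring the attribute ACL."""
    allowed = PARTITION_ACL.get(attr)
    if allowed is not None and not (allowed & groups):
        return None
    return PARTITION[dn].get(attr)


def catalog_read(catalog, dn, attr, groups):
    """Attribute read against a catalog: only the catalog's own restriction applies."""
    if catalog.readers is not None and not (catalog.readers & groups):
        return None
    return catalog.entries.get(dn, {}).get(attr)


def build_catalog_naive(readers=None):
    """Full rebuild from scratch, copying every attribute verbatim (the behaviour the text describes)."""
    return Catalog({dn: dict(attrs) for dn, attrs in PARTITION.items()}, readers)


def attribute_fits_audience(attr, readers):
    """True if everyone allowed to read the catalog may also read this attribute in the partition."""
    allowed = PARTITION_ACL.get(attr)
    if allowed is None:
        return True
    if readers is None:  # catalog open to all: only unrestricted attributes may be copied
        return False
    return readers <= allowed


def build_catalog_filtered(readers=None):
    """Rebuild, dropping any attribute the catalog's audience is not cleared to read in the partition."""
    entries = {
        dn: {a: v for a, v in attrs.items() if attribute_fits_audience(a, readers)}
        for dn, attrs in PARTITION.items()
    }
    return Catalog(entries, readers)


ALICE = "cn=alice,ou=eng,o=acme"


def demo():
    """Compare the same reads against the partition and against three catalogs."""
    sales, hr = {"Sales"}, {"HR"}
    open_naive = build_catalog_naive()
    open_filtered = build_catalog_filtered()
    hr_only = build_catalog_filtered(readers=frozenset({"HR"}))
    return {
        "partition_sales": partition_read(ALICE, "salary", sales),              # None
        "partition_hr": partition_read(ALICE, "salary", hr),                    # 95000
        "naive_catalog_sales": catalog_read(open_naive, ALICE, "salary", sales),  # 95000: the leak
        "filtered_catalog_sales": catalog_read(open_filtered, ALICE, "salary", sales),  # None
        "filtered_catalog_mail": catalog_read(open_filtered, ALICE, "mail", sales),  # unrestricted attr kept
        "hr_catalog_hr": catalog_read(hr_only, ALICE, "salary", hr),            # 95000
        "hr_catalog_sales": catalog_read(hr_only, ALICE, "salary", sales),      # None: catalog ACL
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the catalog is rebuilt from scratch at each interval, as the text describes, the filter can run inside the rebuild: a later tightening of the partition ACL is honoured at the next rebuild without a separate cleanup pass over the catalog.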
Another issue affecting mixed NetWare networks is
that legacy NDS servers do not handle Lightweight
Directory Access Protocol (LDAP) requests natively. In
earlier versions of NDS, LDAP calls had to be converted
to and from NDS format by an LDAP-server software layer.
The translation slows data access.
The weakness of older versions of NDS and NetWare's
inability to use the improvements in NDS 8 in
heterogeneous environments make a strong case for
upgrading. The choice between NetWare 5 and Windows 2000
depends on whether a company can delay implementation
and on how well its needs match each NOS' features.
UPGRADING WINDOWS
By contrast, since Active
Directory Service (ADS) is new, there are no
legacy-namespace concerns.
One major problem with upgrading Windows NT systems
to Windows 2000 is the mismatch between the naming
conventions of Windows NT domains and those of the
Domain Name System (DNS). NT domain names have
traditionally allowed underscores and other characters
that standard DNS host-naming conventions do not. While
the DNS server in Windows 2000 will accept the
additional characters, legacy DNS servers will not.
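Before an NT domain is promoted into a Windows 2000 forest, each domain name is worth checking against the strict hostname syntax that legacy DNS servers enforce. The Python check below is an added example, not from the article or from Microsoft; it applies the RFC 952/1123 hostname rule (ASCII letters, digits and hyphens, no leading or trailing hyphen, at most 63 characters per label), and the sample NT domain names are constructed.

```python
"""Pre-migration check: which Windows NT domain names survive as strict DNS labels?

Added example (not from the article or Microsoft). The rule is the classic
RFC 952/1123 hostname syntax, which is what strict legacy DNS servers enforce.
"""
import re

# One label: 1..63 chars of [A-Za-z0-9-], not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_strict_dns_label(name):
    """True if a legacy, RFC 1123-strict DNS server would accept the name as a label."""
    return bool(_LABEL.match(name))


def offending_characters(name):
    """Characters in the name that fall outside letters, digits and hyphen."""
    return sorted({c for c in name if not (c.isascii() and (c.isalnum() or c == "-"))})


def classify_domains(names):
    """Map each NT domain name to 'ok' or to a reason a strict DNS server rejects it."""
    report = {}
    for name in names:
        if is_strict_dns_label(name):
            report[name] = "ok"
            continue
        bad = offending_characters(name)
        if bad:
            report[name] = "bad characters: " + "".join(bad)
        else:
            report[name] = "bad length or hyphen placement"
    return report


# Constructed sample of NT domain names as they might exist before a migration.
SAMPLE_NT_DOMAINS = ["CORP", "SALES_WEST", "R&D", "ACME-HQ", "LAB-"]


if __name__ == "__main__":
    for domain, verdict in classify_domains(SAMPLE_NT_DOMAINS).items():
        print(f"{domain:12} {verdict}")
```

The check is deliberately the strict hostname rule rather than the looser "any octet" rule DNS itself permits, because the point of the exercise is to predict what the legacy servers still resolving the network will do with the name, not what the Windows 2000 DNS server will tolerate.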
Also, domains that mix Windows NT 4.0 and Windows 2000
servers lack features available to a pure Windows 2000
network. The most important improvement that cannot be
used in such mixed environments is group nesting: the
ability to arrange users and groups in a hierarchy.
That drawback is particularly notable when comparing
ADS to NDS because group nesting is the only method that
allows ADS users and groups to inherit rights and
privileges from a hierarchy. In NDS, users and groups
can be arranged in a hierarchy composed of
Organizational Units (OUs), which have rights and
privileges that can be inherited by the users, groups
and child OUs they contain. Windows 2000 Server also has
hierarchical OUs, but they are used for the delegation
of network administration and user policies.
The NDS method is suitable for companies where user
rights map to the business-management hierarchy.
Companies where access to data increases with an
employee's position would be an example.
The ADS scheme works better when companies must
spread administrative responsibilities across a
hierarchy. That is especially true when the delegation
hierarchy does not match the hierarchy needed for
assigning user and group rights; campus-based schools
and businesses are one example.
MULTIPLATFORM SUPPORT
In a network, it is
common to find not only different NOS version numbers
but entirely different NOSes as well. A robust directory
service must integrate well into such cross-platform
environments for ease of management.
According to Microsoft, Windows 2000 Server will use
connectors, a variant of DirSync and other tools to
share information between directory services. Microsoft
published API standards for the ADS namespace years ago
to muster ISV support.
To date, Microsoft has not supplied the CRN Test
Center with synchronization technology despite being far
enough into the NOS' development to issue a second
release candidate.
After acquiring Zoomit Technology, Microsoft said it
would repackage Zoomit's Via meta-directory software to
allow single-point administration of multiple directory
types. However, the meta-directory software will not be
made available until at least the middle of next year.
That is cold comfort for resellers who must wait at
least six more months for single-point administration of
heterogeneous networks.
Novell's approach is to build versions of NDS for
each NOS. In addition to NetWare, there are flavors of
NDS for Windows NT and Unix. Deploying NDS across
platforms eliminates directory compatibility issues. On
the downside, if NDS must replace an existing directory
service in the name of uniformity, the applications that
used the old directory must either be NDS-aware already
or be reinstalled or replaced.
Novell promised to release a tool for XML-based
synchronization of differing directories. However,
although XML is supported by Lotus Notes, SAP and
PeopleSoft, the technology is in early stages of
adoption.
NDS has broader client support to date. NDS supports
DOS, Windows 3.x, Windows 95 and 98, Windows NT
Workstation 3.51, Windows NT Workstation 4.0, Windows
2000 Professional, IBM OS/2, Apple MacOS and Caldera
Linux. ADS clients include Windows 3.x, Windows 95 and
98, Windows NT Workstation 3.51, Windows NT Workstation
4.0 and Windows 2000 Professional.
Again, the choice between the NOSes depends on the
legacy environment and on whether the customer can wait
for a particular technology.
INHERITANCE
The plumbing used to calculate
user privileges is very different in NDS and ADS,
although both allow objects such as users, computers and
OUs to inherit properties from the OUs they occupy.
For NDS, inheritance is dynamic: A server walks
through every OU along the NDS tree between the user and
the root, adding the effect of the rights and
restrictions at each level to calculate the user's
ability to perform an operation. The walk is repeated
every time a resource is accessed. On the downside, that
consumes CPU time on every access. On the other hand, if
an administrator makes a security change at some level
in the hierarchy, it takes effect the next time an
object is accessed.
ADS inheritance is static: The combined effect of all
the rules of inheritance has been calculated and stored
at the object's creation or the last time it was
administered. When a user logs on, he or she is issued a
token listing all the groups to which he or she belongs.
When the user accesses a network object, the token is
compared with the security information stored on that
object to determine the user's privileges. No tree
walking is required because the calculation was done in
advance and the result stored.
Since computations are performed in advance, access
is quicker. Also, since objects are accessed more often
than they are created or administered, CPU utilization
is lower than that needed for servicing the same number
of end users through dynamic inheritance.
One drawback is that more disk space is required to
hold complete inheritance information for each object.
Another is that a change to a user's group memberships
does not affect a currently logged-in user until he or
she logs off and back on, because the token issued at
the last logon already grants a certain level of access.
Windows 2000 includes a command-line program, SecEdit,
that can force a refresh of security policy, but it does
not reissue tokens and does not run automatically.
Dynamic inheritance is useful in high-security
environments in which quick execution of lockdowns is
more important than the money that could otherwise be
saved by using slower or fewer CPUs. Static inheritance
is useful when immediate lockdown is less of a concern
than the need to use inexpensive disk space in place of
expensive CPU time.
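The two mechanisms the text describes, dynamic evaluation at access time versus precomputed rights plus a logon token, and the stale-token failure mode, as an added Python model that is not code from the article, from Novell or from Microsoft. The OU tree, the ACEs, the inherited-rights filter on ou=eng and the user and group names are all constructed for the example. The model counts containers visited per access so the CPU trade-off is visible, and it shows that removing a user from a group is seen immediately by the dynamic evaluator but not by a token issued before the change.

```python
"""Dynamic (NDS-style) versus static (ADS-style) privilege evaluation.

Constructed example, not vendor code. Dynamic: walk object -> root on every
access. Static: compute effective rights once, hand out a token at logon, and
evaluate the token against stored rights with no tree walk.
"""
from collections import defaultdict

# Constructed OU tree: container -> parent (root has parent None).
PARENT = {
    "o=acme": None,
    "ou=hr,o=acme": "o=acme",
    "ou=payroll,ou=hr,o=acme": "ou=hr,o=acme",
    "ou=eng,o=acme": "o=acme",
}
# Rights granted at a container to a group; they flow down to everything beneath.
ACES = {
    "o=acme": {"Everyone": {"browse"}},
    "ou=hr,o=acme": {"HR": {"read_salary"}},
    "ou=payroll,ou=hr,o=acme": {"Payroll": {"write_salary"}},
}
# Inherited-rights filter: rights that must NOT flow into this container from above.
IRF = {"ou=eng,o=acme": {"browse"}}
# Constructed group membership, as the directory holds it right now.
MEMBERSHIP = {"alice": {"Everyone", "HR", "Payroll"}, "bob": {"Everyone"}}
PAYROLL = "ou=payroll,ou=hr,o=acme"


def rights_dynamic(container, groups):
    """NDS-style: walk container -> root at access time using current membership.

    Returns (effective rights, number of containers visited)."""
    rights, blocked, visited = set(), set(), 0
    node = container
    while node is not None:
        visited += 1
        for group in groups:
            rights |= ACES.get(node, {}).get(group, set()) - blocked
        blocked |= IRF.get(node, set())  # filters apply to rights coming from above this node
        node = PARENT[node]
    return rights, visited


def precompute_static():
    """ADS-style: do the walk once per container (at creation/admin time) and store the result."""
    store = {}
    for container in PARENT:
        chain, node = [], container
        while node is not None:
            chain.append(node)
            node = PARENT[node]
        effective, blocked = defaultdict(set), set()
        for node in chain:
            for group, granted in ACES.get(node, {}).items():
                effective[group] |= granted - blocked
            blocked |= IRF.get(node, set())
        store[container] = dict(effective)
    return store


def logon(user, membership):
    """Build the token once at logon: a frozen snapshot of the user's groups."""
    return frozenset(membership[user])


def rights_static(store, container, token):
    """No tree walk: merge the precomputed rights for each group in the token."""
    rights = set()
    for group in token:
        rights |= store[container].get(group, set())
    return rights, 0


def demo():
    """Grant, lock down by pulling alice out of HR, and compare what each model sees."""
    membership = {user: set(groups) for user, groups in MEMBERSHIP.items()}
    store = precompute_static()
    token = logon("alice", membership)
    out = {
        "dynamic_before": rights_dynamic(PAYROLL, membership["alice"]),
        "static_before": rights_static(store, PAYROLL, token),
    }
    membership["alice"].discard("HR")  # the lockdown
    out["dynamic_after"] = rights_dynamic(PAYROLL, membership["alice"])          # read_salary gone
    out["static_after_same_token"] = rights_static(store, PAYROLL, token)        # stale: still has it
    out["static_after_relogon"] = rights_static(store, PAYROLL, logon("alice", membership))
    out["eng_browse_blocked"] = rights_dynamic("ou=eng,o=acme", {"Everyone"})   # IRF stops browse
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The visit count is the CPU cost the text trades against disk: the dynamic path touches depth+1 containers on every access, the static path touches none, but the token keeps granting read_salary until alice logs on again.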
Administrative inheritance across partitions also
distinguishes NDS from ADS. Administrative privileges in
ADS cannot be inherited across domain boundaries. That
creates security boundaries but limits multidomain
administration of Web farms.
For more on Windows 2000, go to:
www.crn.com/thisweek