Towards 2000
Part 1
Introduction

What's in a name? Plenty, according to the Microsoft marketing guys. It hasn't even shipped yet and already NT 5.0 has bitten the dust, to be replaced by the snappily-named Windows 2000 (hence the title of this piece). According to Brad Chase, vice president at Microsoft, "the new naming system eliminates customer confusion about whether 'NT' refers to client or server technology." Well, that remains to be seen, since the new line includes four products:

- Windows 2000 Professional: this is the desktop OS formerly known as NT Workstation 5.0. Note that the new name apparently spells the death of the Windows 9x product line, making Win 2000 Pro the desktop OS for everyone from home to corporate users.
- Windows 2000 Server: this will support new systems with up to two-way SMP and probably equates closest to the Small Business Server version of NT 4.0.
- Windows 2000 Advanced Server: this is intended as a more powerful departmental and application server, providing network operating system and Internet services. Supporting new systems with up to four-way SMP and large physical memories, this product is designed for database-intensive work. In addition, Windows 2000 Server integrates clustering and load-balancing support.
- Windows 2000 Datacentre Server: this is intended to take NT beyond what is currently offered by the Enterprise version of NT 4.0. Datacentre Server supports up to 16-way SMP and up to 64GB of physical memory, depending on system architecture. Like Advanced Server, it provides both clustering and load balancing services as standard features, but this has been designed specifically for enterprise-scale applications such as large data warehouses, econometric analysis, large-scale simulations in science and engineering, online transaction processing and server-consolidation projects.
According to Jim Allchin, senior vice president at Microsoft, "the Windows NT kernel will be the basis for all of Microsoft's PC operating systems from consumer products to the highest-performance servers."

Active Directory

One other thing that is common across all of these, of course, is Microsoft's response to Novell's NDS, called Active Directory. Directory services are increasingly important in today's corporate networks, and Microsoft is finally ready to admit that its offerings to date, namely the archaic flat-file naming system inherited from the old LAN Manager days, are less than adequate for an enterprise network operating system. The main aim of Active Directory is to provide a centralised repository for all network resources such as servers, shared drives, printers and users. Unlike the current Trusted Domain model used by NT 4.0, Active Directory will provide a single hierarchical directory structure across the whole enterprise if required. Just as with NT 4, the Domain is a central piece in the Active Directory puzzle, but this time there are no Primary or Backup Domain Controller designations. Instead, any server can be a Domain Controller, and all DCs participate equally as peers in a multi-master replication scheme which sees domains distributed and replicated across any number of servers in an enterprise. A single domain can span multiple physical locations or sites, and inter-site replication can occur within a domain even if a particular DC is unavailable. The domain itself is the unit of replication, and any change at one site or another within a domain is replicated to the other sites (sites are usually physical divisions of a network, often connected by slower WAN links). Since there is no one leader of the pack when it comes to Active Directory domains, changes can be made simultaneously at all of the various sites or controllers within a domain.
The Active Directory uses update sequence numbers (USNs) to track changes on a per-attribute basis, though some more serious changes are locked down to a single domain controller at a time (though this can change dynamically). Replication is one of the key areas of Active Directory and is the one factor that could make or break a large, distributed Windows 2000 network. It will be interesting to see how well Active Directory copes with this most difficult task, a task that even Novell struggled mightily with in the early releases of NDS.

One major change for Active Directory is the introduction of Organisation Units (OUs) within a domain, each of which can contain other OUs or objects such as users or servers. This allows a meaningful hierarchical structure to be built within a single domain if required, thus providing the means to eliminate trusted domains completely. Access to objects is controlled by Access Control Lists (ACLs) populated with Access Control Entries (ACEs). Thankfully, OUs are also administrative boundaries, and can thus be used for organising user and resource objects into logical administrative groups. Various administrative tasks (such as access rights specification) can then be delegated to the administrator for a specific OU, thereby freeing domain administrators from having to support such changes directly. OUs also provide inheritance of access rights, thus allowing access to resources specific to a particular organisation to be restricted to members of that OU. Within a domain, access permissions are cumulative unless explicitly denied, and administration rights are limited to domain boundaries by default. This all serves to greatly simplify administration of large enterprise networks under Windows 2000. In something that looks suspiciously like the old Trusted Domain model, multiple domains can be linked together in something called a domain tree.
In order to participate in a tree, all the domains must form a contiguous namespace and share a common schema, configuration, and global catalogue. A tree must have a distinct name, and this is always the DNS name of the domain at the root of the tree. DNS is actually used as the location service that allows a client to find a directory service containing the desired copy of the directory. Active Directory also provides subsets of the key X.500 protocols - including Directory Access Protocol (DAP and LDAP), Directory System Protocol (DSP) and Directory Information Shadowing Protocol (DISP) - to enable it to participate in mixed Internet and X.500 environments. The contiguous namespace means that if the root domain is named NSS.COM, then the IT domain below it will be named NSS.IT.COM, the SUPPORT domain below that will be named NSS.IT.SUPPORT.COM, and so on. This is much the same idea as naming OUs within a domain. Renaming the root domain renames the tree and all child domains within it. Domains within a tree do not need explicit trusts to be assigned as in the current trusted domain model. Instead, all domains are linked by transitive trust relationships based on Kerberos authentication. This means that users can access resources in other domains via these automatic trust relationships, which are discarded once they are no longer required. However, as at present, the domain remains the scope of administration, meaning that administrative rights are not inherently transitive. Where organisations need to support several completely separate namespaces, trees can be grouped together into a forest, where each tree represents a separate namespace. As with domains in a tree, all trees in a forest share a common schema, configuration, and global catalogue. All trees in a forest trust each other through transitive, hierarchical Kerberos trust relationships, but unlike trees, a forest does not need a distinct name.
Trees and forests are thus a refinement of the original domain tree concept, and are designed to provide a multi-domain structure which is much more straightforward and intuitive to use than the current trusted domains model. It does, however, leave Microsoft open to the criticism that Active Directory is not a complete reworking or replacement of the existing domain system, despite assurances to the contrary.

Earlier, we mentioned that all domains within a tree (as well as trees within a forest) must share a common global catalogue. This is designed to provide a global search mechanism to simplify the user's view of the enterprise-wide domain structure in large organisations. The global catalogue (GC) is a partial index of select objects in the domain tree, combined with a search engine. To find a resource in the domain tree, wherever it may be located in the enterprise, a user queries the GC for that resource based on one or more of its attributes (e.g. find all printers that have A3 capability). The GC then returns the location of the desired resource, but only if the user performing the query has the appropriate access rights to that object.

Summary

Active Directory goes a long way towards rectifying many of the shortcomings inherent in the domain model currently employed by NT Server 4.0. However, it still shows signs of not being as integrated as it could be. For instance, when publishing a disk share within the Active Directory, it is first necessary to create that share and set security with Explorer just as you would under NT 4.0. It is thus a two-step operation, one which could and should be reduced to a single step where the publication of a share within AD is all that is required, and security is then set by dragging and dropping user and container objects accordingly.
This ideal situation is actually similar to how the task would be achieved under NDS, and this is just one example of the sort of inconsistency that provides fodder for the AD sceptics, and goes a long way towards prejudicing corporate IT managers against a new and untried system which still shows signs of not being as complete and polished as it should be.
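The OU access-control rules and the global catalogue query described above can be modelled in a few lines. The following Python is an added illustration, not code from this article or from Microsoft: OUs nest, ACEs are inherited down the hierarchy, permissions are cumulative unless explicitly denied, and a catalogue search returns only objects the querying user can read. The object names, ACE layout and the "nss" sample tree are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ACE:
    """One Access Control Entry: who, which right, allow or deny."""
    trustee: str
    right: str
    allow: bool

@dataclass
class DirObject:
    """A directory object (domain, OU, printer, ...) with its own ACL."""
    name: str
    parent: Optional["DirObject"] = None
    acl: list = field(default_factory=list)
    attrs: dict = field(default_factory=dict)

    def effective_aces(self):
        """Own ACEs plus ACEs inherited from every ancestor OU/domain."""
        node, aces = self, []
        while node is not None:
            aces.extend(node.acl)
            node = node.parent
        return aces

def has_right(obj, principals, right):
    """Permissions are cumulative unless explicitly denied (deny wins)."""
    allowed = False
    for ace in obj.effective_aces():
        if ace.trustee in principals and ace.right == right:
            if not ace.allow:
                return False
            allowed = True
    return allowed

def gc_search(objects, principals, **wanted):
    """Global-catalogue query: match attributes, return only readable objects."""
    return sorted(o.name for o in objects
                  if all(o.attrs.get(k) == v for k, v in wanted.items())
                  and has_right(o, principals, "read"))

# Constructed sample tree (not from the article): root domain -> Sales OU -> printers.
root = DirObject("nss", acl=[ACE("Domain Users", "read", True)])
sales = DirObject("Sales", parent=root, acl=[ACE("Temps", "read", False)])
p1 = DirObject("PrinterA3", parent=sales, attrs={"paper": "A3"})
p2 = DirObject("PrinterA4", parent=sales, attrs={"paper": "A4"})
p3 = DirObject("SecretA3", parent=sales, attrs={"paper": "A3"},
               acl=[ACE("Domain Users", "read", False)])
PRINTERS = [p1, p2, p3]
```

A member of Domain Users searching for A3 printers sees PrinterA3 but not SecretA3 (explicit deny on the object), and a member of Temps sees nothing because the deny inherited from the Sales OU overrides the domain-level allow.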