
WIN2K Will Win Big.

Active Directory Will Profit Resellers

Microsoft is positioning Windows 2000, the operating system formerly known as Windows NT 5.0, as the OS for all applications, stressing increased reliability, availability, and scalability; lower TCO through ease of administration; and adherence to open Internet and IP standards. The Microsoft marketing message aims Windows 2000 squarely at the higher reaches of enterprise computing, where these capabilities are of paramount importance.

In addition, to a large extent, managers and IT professionals are buying the Windows 2000 story, as revealed by the Windows 2000 Adoption Survey recently released by (formerly World Research). Based on responses from over 1,300 IT professionals and managers who intend to implement Windows 2000, the survey reveals widespread and rapid adoption of the OS. By January 1, 2001, over 90% of the desktops in all organizations will be running some modern variant of Windows; over 40% will be running Windows 2000 Professional (Fig 1). By the same date, 81% of the servers in all organizations will be running either Windows NT 4.0 Server or Windows 2000 Server (Fig 2). Widespread implementation will begin by the second quarter of 2000; however, large companies will lag significantly, giving VARs and integrators who serve that market segment a longer window of opportunity.

Yet despite this overwhelming vote of confidence, there are eddies and whirlpools in the Redmond flood tide. The most notable of these involves Active Directory, Microsoft's new directory structure. The survey reveals that, although Active Directory is the foundation of many, if not most, of Windows 2000's benefits, especially its promised lower total cost of ownership through easier management, and improved security, most respondents rank it fairly low--behind the very features and capabilities it makes possible!

In addition, only about one-fourth of the organizations surveyed have developed an Active Directory design, although about 70% are assessing their current network as part of their Windows 2000 upgrade plan in apparent response to the sweeping changes in logical network structure demanded by Active Directory. Less than half of the organizations responding have yet decided how to make the transition to Active Directory and this percentage is significantly lower for large organizations.

So there is widespread FUD about Active Directory at all levels of corporate computing. This, of course, portends profit opportunities for VARs and systems integrators serving this market who can deliver Active Directory expertise and guide their customers through the difficult transition from Windows domains to the Active Directory promised land. A brief survey of the features and capabilities of Active Directory may serve to illuminate some of the business opportunities offered by this facet of Windows 2000.

A Place For Everything

Active Directory is a distributed, multi-master system with a great deal of redundancy and represents, among other things, Microsoft's response to the threat of Novell Directory Services (NDS), which has a considerable lead in development time and installed base over Active Directory. It sweeps away the old, enterprise-unfriendly Windows NT domain structure and replaces it with an X.500-derived, LDAP-compliant distributed directory that can interoperate with NDS and other LDAP-compliant directories.

AD can also manage mixed networks of Windows 2000 and earlier versions of Windows (Windows 95 and 98 will be updated to become AD aware, but not NT Workstation), but its full benefits are realized only in an end-to-end Windows 2000 network. Active Directory gives administrators a central repository for managing information on users, computers, applications, and network resources (including network hardware) with an extremely high degree of granularity. Every aspect of the operating system uses Active Directory to keep track of network resources and enable them to work together.

Active Directory delivers a number of important benefits, including:

* Improved manageability

* Improved security

* Quality of Service (QoS) capabilities

* Improved data availability

A brief look at the way Active Directory organizes a Windows 2000 network will set the stage for a closer look at these benefits.

And Everything In Its Place

Active Directory organizes a Windows 2000 network into a hierarchical structure using five logical units.

* Domains. Domains are the unit of replication in Active Directory. Unlike Windows NT, where a single primary domain controller holds the writable copy, in Windows 2000 every domain controller holds a writable replica and changes are replicated multi-master, delivering faster and more reliable replication of critical information throughout the network. Because a domain's objects are replicated only among that domain's controllers, not forest-wide, Active Directory also maintains a Global Catalog: a partial replica of every object in the forest carrying the subset of properties that is useful to the entire network, such as a user's log-on name.

Windows 2000 domains can store millions of objects, and the AD schema, which specifies the types of objects and properties that can be stored and is shared by every domain in the forest, is extensible, enabling it to store objects and properties unique to a company. In addition, Windows 2000 domain names are DNS names (e.g., ), which simplifies administration.

* Organizational Units. Organizational Units (OUs) enable administrators to group users, file shares, printers, and the like within a domain into a hierarchy that more closely matches organizational realities, and to delegate administrative rights at a far more granular level than the domain. For instance, a domain might be divided into Sales, Marketing, and Finance OUs, each with its own delegated administrators.

* Trees. A Tree is a hierarchy of Windows 2000 domains sharing a contiguous DNS namespace (for instance, a child domain named under its parent's DNS name). When a child domain is created, Active Directory automatically establishes a two-way, transitive trust between it and its parent, so the administrator does not have to build the trust by hand; all the domains in a tree also share the forest-wide schema and configuration.

* Forests. Trees can be grouped into a Forest, whose member trees need not share a DNS namespace. The root domains of the trees are joined by two-way, transitive trusts and all the domains in the Forest share one schema, one configuration, and one Global Catalog, so a user in any domain of the Forest can be granted access to resources in any other domain, subject to the appropriate security permissions.

* Sites. Sites identify areas of high-bandwidth network connectivity: one or more IP subnets with at least 512 Kbit/sec between them. Replication within a site runs freely, while replication between sites is scheduled and compressed, which enables Active Directory to replicate itself across low-bandwidth WAN links without swamping other traffic. More importantly, it makes any other service that depends on Active Directory for its topology, such as the Distributed File System, also bandwidth-aware and capable of intelligent wide-area operation.

Managing Desktops With Active Directory

Perhaps the most important advance in management in Windows 2000 is offered by IntelliMirror, an Active Directory-dependent capability that automates the management of user documents, user settings, and software installation. IntelliMirror can restore a user's computer from virtually any disaster, complete with all applications, documents, settings, shortcuts, and other personal settings.

IntelliMirror can mirror user data automatically, so that critical data is always replicated, and also supports client-side caching, which enables users to continue working on so-called offline folders when the network is not available. When network connectivity is re-established, the local cache and the network share are automatically synchronized. This is of particular importance for mobile computing.

IntelliMirror also helps administrators maintain and control user desktop settings, for both roaming and stationary users. As well, IntelliMirror enables administrators to assign and publish applications via Group Policy-based software installation so that they are automatically installed for users at log-on. Such applications can be installed entirely automatically, optionally (appearing in the Add/Remove Programs applet in Control Panel for the user to choose), or on demand when a user opens a document of the associated type.

Finally, Active Directory also supports the Remote Installation Services (RIS), a network boot server that can automate installation of the operating system on client machines. Users see a welcome screen with several options for installation. ISVs and OEMs can customize the RIS process.

Security And Active Directory

Active Directory is the foundation of security in Windows 2000, which is considerably advanced over that offered in Windows NT 4.0. Unlike its predecessor, Windows 2000 supports transitive trust relationships, which greatly ease administration of users and resources. Trust is what enables principals in one domain to be granted access to objects in another. In Windows NT 4.0, trusts are one-way and intransitive. This means that to share objects in both directions between two domains, two trust relationships have to be established, which made administration of large collections of domains quite unwieldy: a full mesh of n domains needs n(n-1) trusts. Furthermore, since such trusts are intransitive, a domain cannot "pass along" its trust in one domain to another; trusting B says nothing about the domains B trusts.

In Windows 2000, the trusts created automatically between domains in a forest are two-way and transitive: if Domain A trusts Domain B, and Domain B trusts Domain C, then Domain A trusts Domain C as well, so A and C can share resources. One-way, intransitive trusts can still be established explicitly, and trusts to Windows NT 4.0 domains outside the forest remain one-way and intransitive. The practical consequence for security design is that the forest, not the domain, becomes the boundary of trust: any domain in the forest can be granted access to any other.
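The difference between Windows NT 4.0 one-way, intransitive trusts and the two-way, transitive trusts Windows 2000 creates inside a forest (described above, and in the Trees and Forests entries earlier) is easiest to see as a reachability question on a graph. The following is an added example, not code from the article: it models each trust as an edge from the trusting domain to the trusted domain and computes which domains a user's home domain can be granted access to. The domain names are hypothetical.

```python
"""Trust reachability: Windows NT 4.0 vs Windows 2000 forest trusts.

A trust is recorded as (trusting, trusted, transitive).  A principal from
domain X can be granted access in domain Y when Y trusts X directly, or,
for transitive trusts only, through a chain of trusting domains.
Added example with hypothetical domain names; not the article's code.
"""
from collections import deque


def nt4_trust(trusting, trusted):
    """Windows NT 4.0 style trust: one-way and intransitive."""
    return [(trusting, trusted, False)]


def w2k_parent_child(parent, child):
    """Trust Windows 2000 creates automatically inside a forest: two-way, transitive.
    The same shape is used between a forest root and a new tree root."""
    return [(parent, child, True), (child, parent, True)]


def accessible_from(trusts, home):
    """Return the set of domains that can grant access to principals from `home`.

    A one-hop path may use any trust.  Longer paths are valid only when every
    trust on the path is transitive: an intransitive trust never extends
    beyond the two domains that established it.
    """
    # adjacency: trusted domain -> [(trusting domain, transitive?)]
    adj = {}
    for trusting, trusted, transitive in trusts:
        adj.setdefault(trusted, []).append((trusting, transitive))

    result = set()
    frontier = deque()
    for nxt, transitive in adj.get(home, []):
        result.add(nxt)            # direct trust: always usable
        if transitive:
            frontier.append(nxt)   # only transitive trusts can be chained
    seen = set(frontier)
    while frontier:
        domain = frontier.popleft()
        for nxt, transitive in adj.get(domain, []):
            if transitive and nxt != home and nxt not in seen:
                seen.add(nxt)
                result.add(nxt)
                frontier.append(nxt)
    return result


# Windows NT 4.0: A trusts B, B trusts C.  Users from C reach B only.
NT4_TRUSTS = nt4_trust("A", "B") + nt4_trust("B", "C")

# Windows 2000 forest: one tree under corp.example.com, a second tree
# rooted at example.net, plus an external one-way trust to an NT 4.0 domain.
FOREST_TRUSTS = (
    w2k_parent_child("corp.example.com", "sales.corp.example.com")
    + w2k_parent_child("sales.corp.example.com", "eu.sales.corp.example.com")
    + w2k_parent_child("corp.example.com", "example.net")
    + nt4_trust("corp.example.com", "LEGACYNT")   # corp trusts LEGACYNT, not vice versa
)


if __name__ == "__main__":
    print("NT4, from C:", sorted(accessible_from(NT4_TRUSTS, "C")))
    print("W2K, from eu.sales:", sorted(accessible_from(FOREST_TRUSTS, "eu.sales.corp.example.com")))
    print("W2K, from LEGACYNT:", sorted(accessible_from(FOREST_TRUSTS, "LEGACYNT")))
```

The forest result is the point a security reviewer should weigh: a principal in the deepest child domain is reachable by every domain in the forest, so a compromise of any one domain's administrators is a forest-wide concern, while the legacy NT 4.0 domain is stopped at the single domain that trusts it.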

The permissions structure of Windows 2000, again based on Active Directory, is also more advanced than that of earlier versions. Every object in a domain has an Access Control List that defines the users and groups that have permissions for that object. There are three types of groups (domain local, global, and universal), enabling any combination of users from single or multiple domains to be granted permissions to a given object. In addition, permissions can be granted on a whole object or merely on one of its properties. This makes possible very fine-grained delegation of administrative rights. For instance, a help-desk group could be granted Write access to the Members property of a group but no Delete right on the group object, enabling them to manage its membership without being able to delete the group or alter its other properties. Some of the more esoteric security capabilities of Windows 2000, including its Encrypting File System, Kerberos version 5 authentication, and Microsoft Certificate Services, which establishes a Public Key Infrastructure (PKI), are also dependent on Active Directory for their functioning.
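To make the property-level delegation above concrete, here is an added example (not code from the article) that models a Windows 2000 style discretionary ACL on a group object and evaluates access requests against it. The access check follows the Windows rule that ACEs are evaluated in order with explicit denies placed before allows, and that an ACE scoped to a property applies only to requests for that property. Group and principal names, and the rights vocabulary, are simplified stand-ins for the real SIDs, access masks and schema GUIDs.

```python
"""Model of per-object and per-property ACEs in an Active Directory DACL.
Added example with hypothetical principals; not the article's code.
Rights are spelled out as strings instead of the real access-mask bits."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Set


@dataclass(frozen=True)
class Ace:
    kind: str                  # "allow" or "deny"
    trustee: str               # group or user the ACE applies to (a SID in reality)
    rights: FrozenSet[str]     # e.g. {"WriteProperty"} or {"Delete"}
    prop: Optional[str] = None  # None = whole object; else one property name


def access_check(dacl: Sequence[Ace], principal: Set[str],
                 right: str, prop: Optional[str] = None) -> bool:
    """True if `principal` (its user name plus group memberships) holds
    `right` on the object (prop=None) or on one property of it.

    ACEs are walked in order.  The first applicable deny wins; an applicable
    allow grants the right.  An ACE bound to a property never matches a
    request for the whole object or for a different property.
    """
    for ace in dacl:
        if ace.trustee not in principal:
            continue                      # ACE is for someone else
        if right not in ace.rights:
            continue                      # ACE does not speak to this right
        if ace.prop is not None and ace.prop != prop:
            continue                      # property-scoped ACE, other property
        if ace.kind == "deny":
            return False
        return True
    return False                          # no matching allow: implicit deny


def canonical(dacl: Sequence[Ace]) -> list:
    """Put explicit denies ahead of explicit allows, as Windows does when it
    writes a DACL in canonical order, so a deny cannot be shadowed by an
    earlier allow."""
    denies = [a for a in dacl if a.kind == "deny"]
    allows = [a for a in dacl if a.kind == "allow"]
    return denies + allows


# DACL on the hypothetical group object "CN=Sales Admins,OU=Sales,DC=example,DC=com".
SALES_ADMINS_DACL = canonical([
    Ace("allow", "Domain Admins", frozenset({"ReadProperty", "WriteProperty", "Delete"})),
    Ace("allow", "Authenticated Users", frozenset({"ReadProperty"})),
    # Delegation: the help desk may change membership, and nothing else.
    Ace("allow", "HelpDesk", frozenset({"WriteProperty"}), prop="member"),
    # Contractors on the help desk are explicitly kept out of membership changes.
    Ace("deny", "Contractors", frozenset({"WriteProperty"}), prop="member"),
])


def helpdesk_can_add_member():
    return access_check(SALES_ADMINS_DACL, {"alice", "HelpDesk", "Authenticated Users"},
                        "WriteProperty", prop="member")


def helpdesk_can_delete_group():
    return access_check(SALES_ADMINS_DACL, {"alice", "HelpDesk", "Authenticated Users"},
                        "Delete")


def helpdesk_can_edit_description():
    return access_check(SALES_ADMINS_DACL, {"alice", "HelpDesk", "Authenticated Users"},
                        "WriteProperty", prop="description")


def contractor_can_add_member():
    # Bob is on the help desk but also a contractor: the deny ACE wins.
    return access_check(SALES_ADMINS_DACL,
                        {"bob", "HelpDesk", "Contractors", "Authenticated Users"},
                        "WriteProperty", prop="member")


def domain_admin_can_delete_group():
    return access_check(SALES_ADMINS_DACL, {"carol", "Domain Admins", "Authenticated Users"},
                        "Delete")


if __name__ == "__main__":
    print("help desk adds member:", helpdesk_can_add_member())        # True
    print("help desk deletes group:", helpdesk_can_delete_group())    # False
    print("help desk edits description:", helpdesk_can_edit_description())  # False
    print("contractor adds member:", contractor_can_add_member())     # False
```

The check a practitioner should take away is the third one: a property-scoped grant on `member` says nothing about `description` or about the object as a whole, which is exactly what makes delegation to a help desk safe to hand out.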

Networking With Active Directory

Windows 2000 no longer depends on the Windows Internet Name Service (WINS), the NetBIOS name service Windows NT used to locate network resources by name, although WINS is still needed as long as earlier Windows clients remain on the network. In its place, Windows 2000 uses Dynamic DNS (DDNS), which lets a Dynamic Host Configuration Protocol (DHCP) server, or the client itself, register a freshly assigned IP address with the DNS server on the fly. DNS's former inability to accept dynamic updates was why Microsoft created WINS in the first place; the IETF's dynamic update standard (RFC 2136) removes that limitation, and Active Directory itself relies on DNS service (SRV) records to let clients find domain controllers. The combination of DHCP and DDNS makes administering IP addresses much simpler.

Active Directory also enables Windows 2000 to support a form of QoS technology based on the IETF Subnet Bandwidth Management (SBM) platform and the Directory-Enabled Networking (DEN) specification, which defines ways to represent information about network devices and associated management policies in directories. With Active Directory, IT managers can assign priorities to network traffic based on business rules, theoretically making the network far more efficient and giving them more bang for their network infrastructure dollars.

Organizations using Microsoft Exchange as their messaging infrastructure will also benefit from Active Directory. The next version of Exchange (code-named Platinum, released as Exchange 2000) will use AD as Exchange's directory store instead of its own, enabling administrators to manage users in one place.

Data Availability

Active Directory is critical for several aspects of the improved data availability offered by Windows 2000, including clustering, load balancing, various aspects of the file system, and the Distributed File System (DFS).

The Cluster Service in Windows 2000, formerly code-named Wolfpack, provides failover clustering: two nodes on Windows 2000 Advanced Server and up to four on Windows 2000 Datacenter Server, with a surviving node restarting the services of a node that fails. It also supports rolling upgrades from Windows NT Server 4.0 Enterprise Edition to Windows 2000 Advanced Server or Datacenter Server. A rolling upgrade enables administrators to upgrade the nodes one at a time without bringing down the cluster. In addition, more OS services, such as DHCP and WINS, are now cluster-aware.

Network Load Balancing in Windows 2000 Advanced Server complements the Cluster Service by clustering TCP/IP services in a way that is transparent to both server applications and clients. Clients access the cluster through a single virtual IP address, with NLB distributing incoming TCP/IP traffic among the clustered computers and reconfiguring the cluster automatically if one of them fails.

Windows 2000 also delivers Hierarchical Storage Management via the Remote Storage Service (RSS), which automates the migration of rarely used data to less expensive media in a way that is transparent to users. A migrated file displays in Windows Explorer or any dialog box the same as a normal one; the only difference the user perceives is a delay on access while the file is recalled from the slower media.

Active Directory is also the foundation of the domain-based form of Microsoft's Distributed File System, which gives users a logical view of shared resources on the network in a single, global namespace. A DFS root, which can be mapped to a single drive letter, can contain a whole tree of links representing shared folders in different physical locations, so that users see a familiar directory-like structure and do not have to know where any given resource actually lives. For Windows 2000, DFS has been updated with improved replication and fault tolerance, both via Active Directory: the namespace is stored in AD rather than on a single server, and because AD is bandwidth-aware through its Site-based organization, wide-area replication of DFS contents becomes possible and manageable.

Migrating To Active Directory

Active Directory is the source of both the majority of benefits and the majority of migration difficulties with the move to Windows 2000. The major difficulty with Active Directory is its "all or nothing" nature: its full benefits can only be realized at the cost of sweeping logical and physical changes in the network, and the adoption of end-to-end Windows 2000--putting it on virtually every desktop and server in the organization.

The fundamental nature of Active Directory makes the method of migration an important decision. Upgrading users in place involves swapping out Windows NT servers with their domain-based user organization and information for Windows 2000 servers and AD. If there are any glitches, the productivity loss from suddenly non-connected users could be staggering. Incremental migration is fundamentally safer, although it requires a longer period of coexistence between Windows NT 4.0 Server and Windows 2000 Server in the network. Given the centrality of this decision to realizing the benefits of AD, migration services and applications are likely to be a profit center for many VARs and integrators in the next few years.

This article is adapted from the Windows 2000 Adoption Survey recently published by The full report is available for $1895, detailing the intentions of IT professionals in eight areas: Windows 2000 Planning, Windows 2000 Implementation and Deployment Plans, Hardware Upgrades and New Hardware Purchase Plans, Windows 2000 OS Migration Plans, The Operating Systems Landscape in 2001, Windows 2000 Server with Terminal service, Windows 2000 Features and Capabilities, and Active Directory Plans and Attitudes. An Executive Summary of the report can be viewed at

Dave Trowbridge, a contributing editor for CTR, is a senior analyst at, a market research firm specializing in data-intensive reports on information technologies, where he monitors operating systems, portals, and various aspects of business intelligence.
COPYRIGHT 1999 West World Productions, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1999, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Title Annotation:Product Information; Microsoft's Windows 2000 OS and its Active Directory network directory software component
Author:Trowbridge, Dave
Publication:Computer Technology Review
Date:Sep 1, 1999