Active Directory - Microsoft's answer to NDS, LDAP and just about every other method of classifying users and resources - hits the streets next month with Windows 2000. Computerworld's Cynthia Morgan asked Win 2K expert John Enck at Gartner Group Inc. for his advice on when (or whether) IT organizations should plan to adopt this most complex of directory services.
After years of promises, we're finally going to see the release of Microsoft Corp.'s Active Directory. Do you think it will live up to the company's claims?
Clearly, the scope of the product has changed. Originally, Microsoft intended it to be more of a metadirectory than it is today. It was going to be the all-encompassing global enterprise directory service that worked across platforms. That's a far cry from what we'll see in Windows 2000.
We're recommending that clients try to live without Active Directory in the short term. There are certainly interesting and useful things you can do with Windows 2000 without migrating your whole environment to Active Directory.
Network directories are still going to happen, but Microsoft may not be the market dominator they wanted to be. That's in part because Novell has done such a good job in getting its own service, NDS [Novell Directory Services], out there. And Active Directory has clearly been held back by the fact that it hasn't been available.
What happened to change Microsoft's plans for Active Directory?
Microsoft was simply too operating system-centric in its plans, and that's hurt. Microsoft simply didn't take a good enough look at what network directory needs really were. For example, Active Directory isn't the greatest solution for, say, Internet appliances and other devices. It's too large and too complex to fit that model.
So whose directory service will dominate in large information technology organizations?
It's far too soon to call. Directory domination isn't a done deal by any means. Plenty of people have adopted NDS eagerly and it's available on so many other systems, but people aren't really running it unless they have NetWare somewhere. And Active Directory has the same problems as NDS when it comes to anything outside the conventional network space. It still hasn't been tuned well for an Internet appliance. Actually, no directory has managed that.
Microsoft has made a tacit admission that Active Directory isn't all they wanted it to be and that it won't dominate the enterprise in the near future.
That was the compelling reason behind the ZoomIt/Via acquisition. [Microsoft acquired Toronto-based ZoomIt Corp., a developer of metadirectory services, last July]. The ZoomIt/Via product acts as a kind of master directory for multidirectory environments. Its Via metadirectory service will ship as part of the Windows 2000 releases next month.
So should large organizations move to Windows 2000?
Consider Windows 2000 on an application-by-application basis and assume you'll be running in mixed mode.
There's no reason you can't have Windows 2000 laptops if that makes sense for your business. Gartner does not, under most circumstances, recommend a wholesale migration to Windows 2000.
Of course, you can play all sorts of what-if games with that. If someone doesn't have any desktop management capabilities at all, and that's hurting them, then Windows 2000 could be a cost-effective way to gain that capability.
IT managers have complained that Windows 2000 and Active Directory are posing huge training problems for technology personnel. Why?
Active Directory is much more difficult to learn because it does so much more than the simple authentication performed by NT's trusted domain system. The complexity is far beyond NT 4, or even Novell's NDS.
But the learning curve you're talking about isn't there because Microsoft did anything wrong, although I suppose one could argue that they're throwing too much new stuff into a single product. The problem is that what's in Active Directory is where directory services have needed to go anyway. Novell's NDS was a big learning curve for NT administrators for the same reason. And frankly, NDS administrators are going to have a bumpy road bringing their staff up to speed on Active Directory because it does that much more.
The biggest negative to Active Directory is that it is so OS-centric. It's so very tied into Windows that it would be extremely difficult to use it with any other environment. That makes it a boon to developers, who only cope with a single set of requirements, but it's tough on the mixed networks the rest of the world needs. That's very, very much Microsoft protecting its own turf, as it's always done.
When Microsoft first announced Active Directory, it also promised to work to port Active Directory to the most popular flavors of Unix. That's gone by the wayside. Is that also Microsoft protecting its turf?
[Laughs.] It's more a case of everyone else protecting their own turf, I think. I can't imagine any Unix vendor enthusiastically adopting Active Directory. Can you?
But seriously, that's why synchronization across directories and metadirectories gets more interesting and becomes so important. Everyone should understand that we'll be living with multiple directory services on the network for some time to come.
Are you working in a Windows 2000 environment?
I personally moved my home-use laptop over to Windows 2000, and there were some surprises, especially with application compatibility. Many people don't realize that they're going to have problems running applications under Windows 2000. Gartner's estimated that about 10% to 15% of applications will prove incompatible, especially with Windows 95 and 98 software.
Windows 2000 is a fine operating system if you're planning to buy all new applications. Maybe that's a bit harsh, but if you want all of the cool features Windows 2000 can offer, count on refreshing your applications. That's not welcome news if you're an administrator supporting thousands of users and all kinds of applications.
But what about Microsoft's contention that to gain stability in your operating system, you must be disciplined about the applications you run?
In the long term, that's an excellent idea. In the short term, I'd much rather do technology refresh at my leisure.