Using NDS Corporate Edition to Manage Windows NT and Windows 2000
Articles and Tips: article
01 Oct 2000
This document describes Novell's approach to managing Windows environments, through NDS Corporate Edition or through our DirXML technology for Windows 2000 deployments. It provides clear examples of the business and technical advantages corporations will receive from deploying Novell Directory Services (NDS) on either the Windows NT or the Windows 2000 platform. This document will also clear up the marketing confusion that Microsoft has released into the marketplace. With NDS Corporate Edition, Novell has a stable, proven, and widely-deployed solution that makes using Windows NT Server and Windows 2000 Server easier and more cost-effective.
With the launch of Microsoft Windows 2000 many companies will be trying to assess whether the new features Microsoft is promising provide sufficient business value to justify an upgrade. Industry analysts across the board have urged caution, because of the expense and complexity of moving an enterprise to the new platform, as well as the traditional instability of Microsoft 1.0 releases. Yet the arguments for directory-enabled network and desktop management--the key benefits offered by Windows 2000--are pretty compelling.
In fact, Novell couldn't agree more. But you do not need Windows 2000 Server to get these benefits. Novell's solutions provide today, in numerous real-world implementations, the very network and desktop management functions that Windows 2000 promises--but on your existing network. That's right, without the expensive and risky network upgrade required in deploying Windows 2000 servers and desktops.
Novell has a long history of making networks work better, regardless of the chosen server platforms. Novell has proven this with NDS for NT. Novell will do the same with Windows 2000 for those companies that choose to buy the latest Microsoft offering. Before making the choice to deploy Windows 2000 Server, consider the information contained in this document. It could save your company a substantial sum of money and some major headaches, and at the same time make your business more competitive--at a fraction of the cost of a Windows 2000 Server deployment.
As with Windows NT Server and NT Workstation, Microsoft wants the industry to believe that you must use the Windows 2000 server and desktop products together. In reality, companies that have implemented Windows NT workstation with Novell's NDS, Workstation Manager, and now ZENworks, have demonstrated more efficient management, higher end user productivity, and superior return on investment than with a pure Microsoft environment.
With Windows 2000, Microsoft is again blurring the distinction between Windows 2000 Professional (workstation), Windows 2000 Server, and Active Directory. It is in their best interest for consumers to believe these technologies are dependent on one another and can not be deployed independently. The reality is Windows 2000 Professional can be deployed at the desktop and does not require Windows 2000 Server or Active Directory.
The Novell Client for Windows 2000 ships in the release of Windows 2000 Professional. With this client and Novell's ZENworks for Desktops, Novell can manage Windows 2000 workstations better than Microsoft. This client will also support NetWare and BorderManager connectivity making enterprise management easy.
Managing Heterogeneous Networks
Novell's NDS eDirectory is the world's leading online directory service. But what is a directory?
Directories are specialized databases that help administrators organize and manage everything on their network. Directories also help end-users find and use these network resources. You are surrounded today by directories and may not even realize it. For example, the telephone book, yellow pages, TV Guide, and shopping catalogs are all directories. These directories organize data in a way that enables you to quickly find what you are looking for. Computer or online directories also organize data and resources to aid in their administration and use. Online directories are dynamic, flexible, secure, and personalized.
Novell has been shipping a directory service since 1993 and has an installed base of more than 70 million users--mostly on NetWare. But today's networks are heterogeneous and require management solutions that can run on multiple server platforms. Now customers can purchase two different packages of Novell directory services solutions--NDS eDirectory and NDS Corporate Edition.
NDS eDirectory is currently available on NetWare, NT Server, Windows 2000 Server, Solaris, and Linux, with more platforms under development. NDS eDirectory provides a cross-platform, 100% Internet-enabled solution for managing the integration of your company's network into the Net economy. Because Novell has made a very strong commitment to this cross-platform strategy with NDS eDirectory, it is the foundation for e-business in the 21st century.
NDS Corporate Edition
NDS Corporate Edition initially came to market in 1998 as NDS for NT, which was sold as a standalone product. In the fall of 1999, based upon customer requests, Novell released new packaging and branding--calling it NDS Corporate Edition. Now, customers no longer have to buy a separate NDS product for each platform. Instead, customers can purchase an NDS license and have the ability to run NDS on any of the supported platforms. This means that NDS for NT is no longer sold as a standalone product, but as a component of a broader and more feature-rich product--all for the same price.
NDS Corporate Edition improves the reliability, manageability, security, and scalability of Microsoft servers by installing NDS on the Microsoft servers. It reduces redundant administration across enterprise systems by providing a single-point-of-management for user accounts, profiles, access policies, preferences, and security credentials. NDS Corporate Edition is a proven product. It is in its fifth revision and has an installed base of millions of users. Organizations, large and small, are relying upon NDS Corporate Edition to decrease their costs of deploying and managing Microsoft servers.
Using NDS on an NT Server Today
It is likely that Microsoft server products are, or will be, a part of your overall network. Today NDS can significantly improve the performance and management of those Windows Servers because NDS brings the benefits of a proven directory service to the Windows platform. NDS Corporate edition, formerly known as NDS for NT, allows the Novell technology to be leveraged on the Windows platform as well as the other server platforms within your network.
Increasing the Scalability of NT Domains
Most organizations that have deployed NT Server have multiple domains. Some organizations have deployed multiple domains to provide granularity of administration while other try to control the amount of network traffic that is generated as domain controllers synchronize. In some cases organizations have deployed multiple domains due to the limitations on the number of objects (users, groups, and workstations) that a single domain can hold.
Novell addresses all these concerns with NDS Corporate Edition. Novell has publicly demonstrated domains that contain more than 100,000 objects. This is several times larger than the largest domain that Microsoft will support with NT 4.0. The enhanced scalability comes from storing the domain data in a true directory rather than in the Windows NT registry (Microsoft stores all domain data in a "secure" portion of the registry). With this increased scalability, customers can design and deploy their domains in a way that best suits their business rather than having to design around any limitations in Microsoft's architecture.
NDS Corporate Edition also decreases the amount of bandwidth that is consumed for replication purposes. This means that there is more network bandwidth available for other more important business processes. When NDS Corporate Edition is installed the NT domain controllers no longer have to communicate with each other to synchronize data. All data synchronization is handled through NDS--which is much more efficient.
For example, before NDS for NT is installed and a domain user changes his or her password, the primary domain controller must replicate all the data on the user object (not just the changed password) to every backup domain controller across the world. Once NDS Corporate Edition is installed only the changed password, and not the entire user object, is replicated between servers.
NDS also has utilities that allow administrators to define when replication should occur--leaving precious bandwidth, especially over a WAN, available for business data transfer.
Increasing the Reliability of NT Domains
One of the real dilemmas that NT Server administrators face is the fact that there is a single point of failure in the domain architecture. In an NT domain one of the servers is configured as the Primary Domain Controller (PDC). If the PDC is not available, no administration of any kind can be done--users cannot even change their own passwords. Network administrators do everything possible to avoid single points of failure because things will go wrong, and the costs associated with not being able to administer the network are too high. We believe this is a fundamental flaw in the architecture of domains that has no solution-except by installing NDS Corporate Edition.
NDS Corporate Edition eliminates the single point of failure that is inherent in the domain architecture by removing the reliance on the PDC. Administrative tasks can be accomplished even when any server, including the PDC, is unavailable. The distributed, multi-master, fault tolerant architecture of NDS makes this possible.
Increasing the Security of NT Domains
It is a well-known fact that there are countless utilities that circumvent the security enforced by NT domains. One of most well known of these utilities is named L0PHTCRACK. This utility performs a dictionary attack against NT Servers and systematically discovers every user name and the corresponding password in the domain. This is possible because the domain data is stored in the Windows NT registry rather than in a secure directory.
NDS Corporate Edition stores all user data in a secure directory. Many of the security hack utilities such as L0PHTCRACK no longer function once the data is stored in a true directory and not in the registry.
Another example of the increased security that NDS introduces to the NT world is with respect to intruder detection lockout. Intruder detection lockout is a process that disables user accounts after a specified number of login attempts have been unsuccessfully attempted. Without NDS Corporate Edition, a hacker could attempt to access resources through an account in domain1. When intruder detection locks the account in domain1 the hacker simply moves to domain2 , then domain3, and so on. The problem is that domains do not communicate with each other and when an account is locked in one domain, the accounts in other domains are unaffected.
When NDS locks an account, the account is locked on every platform NDS is managing--NetWare, NT, Windows 2000, Solaris, Linux, or others to come. In the case of NT domains, NDS locks the account for every domain in the network, eliminating the possibility of alternate avenues of attack.
Your network security is only as strong as the weakest link. NDS Corporate Edition increases the security of NT server, which increases the overall security for your entire network. The bottom line here is that NDS makes NT Server more secure.
Easing the Management of NT Domains
As Novell was interviewing administrators to identify the problems they had administering NT Servers, two complaints were universal: the overhead associated with administering trust relationships, and the inability to delegate administrative rights.
As previously noted, most organizations have more than a single domain. One of the customers that Novell interviewed had 100,000 employees and 80 domains. In order to guarantee that every user in the organization could access resources in any of the domains, the administrative team had two choices: Either create 100,000 user accounts in all 80 domains (8,000,000 user accounts) or establish 6,320 bi-directional trust relationships. Neither of these is really a viable solution.
Trust relationships are NT Server's solution to granting rights to resources in a domain other than where the user account exists. There are two main problems with trust relationships: (1) They are difficult to establish since they cannot be automated; and (2) They can only be established on a domain-wide basis. Because there is no granularity, it is an all or nothing proposition. You can either grant every user in domain1 access to resources in domain2, or no users.
NDS Corporate Edition reduces the need to configure trust relationships, thereby reducing the costs of administering NT Server. Through NDS Corporate Edition administrators can give users access to resources in multiple domains without having to create and manage trust relationships. NDS Corporate Edition accomplishes this in a way that also provides administrators the granularity they desire. The administrator can grant rights to resources in separate domains to a single user, a group of users, or to the entire domain. It is also important to realize that trust relationships work with NDS Corporate Edition for the cases in which Microsoft has hard-coded their products to look for trust relationships.
Granularity of administration is another area where NT Server does not offer a solution. The scope of authority for granting administrative rights is the entire domain. For example, it is impossible in an NT domain to give a help desk employee the rights to only change the password of user accounts, making them a "password administrator", or the ability to only modify a specific group of user accounts, making them a "department administrator." If you want to grant administrative rights to someone, you can only grant all rights over all user accounts in the entire domain. This is another reason organizations want to create multiple domains.
NDS Corporate Edition allows for very finite delegation of authority. With NDS Corporate Edition, a help desk employee can be given the specific rights to modify only the password on user accounts, or the rights to modify properties on only a selected group of user accounts. Delegation of authority is critical in managing the security of any organization, and NDS brings this ability to the NT platform.
Easing the management of NT Server and domains is only a portion of the overall management that network administrators face today. There are other platforms that need to be administered, such as Solaris and Linux. There are also applications that need to be managed, such as Notes, Peoplesoft, SAP, Exchange, and on and on. Novell has already integrated the management of the server platforms such as Solaris and Linux and is shipping solutions for Peoplesoft, Notes and Exchange today. This is possible because Novell has a cross-platform directory.
As customers look to Active Directory on Windows 2000, they will find a single-platform solution. If the entire network consists of Windows 2000 servers, Microsoft may provide a solution that allows management of that network. But few networks will be made up entirely of Windows 2000, and most organizations will need a directory that runs on multiple platforms and integrate the entire network, not just the pieces from Microsoft.
Enabling LDAP on NT Servers
LDAP stands for Lightweight Directory Access Protocol and is the industry standard, ratified by the IETF, for accessing directory information. Developers are making wide use of the LDAP protocol since it enables then to run with any directory that supports LDAP instead of tying their applications to a single vendor. This is a tremendous win for consumers because they can take any LDAP application and run it against any directory supporting LDAP.
Windows NT 4.0 does not provide an LDAP solution. Customers cannot select from any of the rapidly growing number of LDAP applications and effectively run them on NT Server--unless they install NDS eDirectory or Corporate Edition on their NT Servers. NDS brings NT server into the Internet standards world by enabling LDAP. LDAP support on NT server makes NT Server and Microsoft's Internet Information Server (IIS) a much more powerful solution--and NDS enables that solution.
Enabling Effective Desktop Management
Because Windows workstations, including NT 4.0, need to be customized for individual users, a large amount of administration is required to satisfy end user needs. This specialized administration is not only very expensive and difficult to provide, but it can be the source of user frustration when it is not performed in a timely manner.
Novell offers a directory-enabled product for desktop management. ZENworks stands for Zero Effort Networks and is the world's leading desktop administration solution. ZENworks gets its power by integrating with NDS to manage the desktop. Administrators can make a single configuration change in NDS and have that change automatically applied to tens of thousands of workstations. At the same time, ZENworks can provide custom configurations based on organizational roles, groups, or individual preferences. An organization can deploy a new application to every workstation in their organization in a couple of minutes using ZENworks. When necessary the application may also be customized to suit each individual, automatically using information from the directory.
International Data Corporation (IDC), a leading IT media, research, and exposition organization, researched the benefits of using ZENworks and published the following:
ZENworks provided the surveyed companies an average three-year return on investment of 525%, and a payback time of less than five months. The average savings per company over a three-year period from deploying ZENworks have a net present value of $328,824. Deployment required as little as 2.2 days and, on average, the companies saved 47.3% in desktop administration time. The average increase in business revenue from reduced downtime totaled $38.73 per employee per month. ("Quantifying the Business Benefits of Directory-Based Desktop Management," Richard Villars and Morris Edwards, IDC, 1999)
As IDC stated, there are significant financial benefits to using ZENworks, and all of the power and savings of ZENworks can be delivered from an NT server running NDS.
Microsoft will bring some desktop management abilities to those networks which are entirely upgraded to Windows 2000. However, ZENworks offers more today. ZENworks offers a solution that enables organizations to manage their desktops through NDS on any Windows platform, not just Windows 2000. You do not have to go through all the expense of upgrading to Windows 2000 (server and workstation) to get the benefits of a directory-enabled desktop management solution. ZENworks has been deployed to millions of workstations through the world and therefore has been tested and proven in real-world implementations. Just as ZENworks is the preferred solution for managing Windows 3.x, 9x and NT workstations, ZENworks and NDS will be the preferred and most complete management solution for Windows 2000 workstations.
Enabling Single Sign-On Solutions
Another challenging problem facing IT organizations today deals with the number of usernames and passwords end-users have to remember. In any typical organization, 10% of the calls to the help desk are password related. Not only is this a tremendous expense to any organization (perhaps 10% of their staffing costs), but the amount of lost productivity due to users forgetting their passwords is enormous.
Although NT represents only part of the overall network, it contributes to the problem. With NDS Corporate Edition, Novell is able to ensure that at all times the NDS and domain passwords are identical. Novell is able to further solve the broader password problem with an NDS-enabled application named Novell Single Sign-On. This solution leverages the directory in a way such that users only have to remember a single username and password: their NDS username and password. Once the user has authenticated to NDS, Novell Single Sign-On enables the user to launch any other application without ever being asked for another username and password. Installing NDS on Windows NT or Windows 2000 Server brings this powerful solution to the Microsoft server platform.
Internet Access Control and Acceleration
As your organization moves further into Internet access and the world of e-business, the need for fast access and reliable Internet security becomes increasingly important. Other directory-enabled products from Novell, such as BorderManager and Internet Caching System, provide these solutions. These products leverage the information from NDS and enhance the use of NT networks when NDS Corporate Edition or NDS eDirectory are installed.
Customer Success with NDS for NT
NDS Corporate Edition has an installed base of millions of users, and countless organizations around the world are currently using NDS to manage their NT servers. These organizations are receiving easily quantifiable benefits and are using NDS to make their organizations successful.
British Telecommunications, one of the world's largest telecommunications companies, has signed a new contract with Novell to deploy NDS Corporate Edition to 90,000 users across the UK(see http://www.novell.com/press/archive/1999/11/pr99136.html).
Alta Vista is using NDS eDirectory to provide a dynamic security service that automatically authenticates users to AltaVista.com (see http://www.novell.com/press/archive/1999/11/pr99143.html). Alta Vista currently houses more than 1 million user accounts on two NT servers running NDS eDirectory. The number of users that Alta Vista will store in NDS eDirectory is expected to expand to 5 million in the near future.
Other key customers and partnerships such as CNN, Compaq, Lucent, and the U.S. Army are documented at http://www.novell.com/lead_stories/1999/dec22/. The following sections detail some specific customer success examples.
Deploying and Managing Exchange
One Fortune 100 company had a division of 10,000 users that in January 1999 decided to deploy Microsoft Exchange. As the technical staff sat down and identified the tasks that would need to be completed before their users could begin to use Exchange they identified a sequence of steps. First was the need to create and populate a 10,000-user domain. Next these users needed to be duplicated in a 10,000-user Exchange database. The applications would next need to be deployed to the client workstations. This entailed installation and configuration of Internet Explorer, the Outlook client, and adjustments to the network client, typically actions that would require a visit to each workstation.
This Fortune 100 company was able to accomplish the above tasks in hours rather than months or years using NDS and NDS solutions. Since all the users already existed in this organization's NDS tree, the administrative team was able to automate the creation of the 10,000 domain user accounts through NDS for NT. The 10,000 were created in minutes leveraging NDS for NT without having to manually create a single user account. Using a popular third-party tool, the administrative team then exported the user account information from NDS into the Exchange database-thereby creating the 10,000 user accounts in Exchange. The customer then used Novell's desktop management solution ZENworks to automatically update the 10,000 workstations.
Because this organization used NDS to manage the deployment of their NT Servers and Exchange, they did not have to manually create a single domain or user account, nor did they have to physically visit a single workstation. When all was said and done, this organization determined that using NDS to deploy Exchange saved them more than 10,000 man-hours or five man-years in labor. This equated to almost $1 million is savings.
Providing LDAP Functionality and Enhancing IIS
Another Fortune 500 company had the business problem of how to securely disseminate real-time business data to the managers of their 7,000 stores across North America. This organization was looking for a solution that would enable them to securely distribute daily sales information to their store and regional managers and only require an Internet browser on the workstation. They had standardized on Microsoft's Internet Information Server (IIS) as their internal web server and needed a solution that LDAP-enabled the NT 4.0 server--which does not natively support internet standards like LDAP authentication. LDAP was a requirement since they needed to enforce security by requiring the store and regional managers to authenticate with a username and password from the browser. This authentication was required so that the managers would only see the data that was relevant to them and a generic authentication would not provide this level of security.
NDS for NT provided the required solution. In order to support the potential 30,000 employees that could be accessing the data on the IIS servers, this organization deployed 40 NT servers running IIS. NDS for NT was installed on two of those servers--literally in minutes. NDS for NT made the deployment easy. First, no domain user accounts were manually created. NDS automated the creation of the domain user accounts. Second, NDS for NT provided an LDAP solution on NT server, which enabled the managers across North America to authenticate to NDS by entering their username and password within the browser from any PC. The user was then authenticated to NDS running on the NT server using the Internet standard LDAP.
For further security, this organization deployed a third-party NDS-enabled solution that manages access to files on the NT Server based upon a users' NDS identity. This solution stores policies in NDS that associate NDS groups with rights to files and directories on NT Servers. Using this solution, store managers are now only able to see data concerning the store they manage, and regional managers are only allowed to see the data on the stores in their region.
This customer has received tremendous benefits from deploying NDS for NT. First, they have not had to manually create any domain user accounts. Second, NDS for NT is enabling this organization to build a very large domain that would not be possible without NDS for NT. Third, NDS for NT has provided an LDAP solution on NT Server that would not be possible without NDS for NT. Fourth and most important, this organization now has a solution that allows them to securely disseminate daily sales information using only Internet protocols.
For more NDS and NDS for NT customer success stories, visit http://www.novell.com/showcase.
Clarifying Some Microsoft Comments
NDS for NT Breaks NT Security
The truth is NDS for NT actually makes NT Server more secure. As previously described, NDS for NT prevents many of the common password hack utilities such as L0PHTCRACK from working. Still, this is a tactic that Microsoft has commonly used. In a interview with GigaGroup's Laura DiDio, Peter Houston, Microsoft's lead product manager for the Windows 2000 server line, summed up Microsoft's position by saying:
"A year ago, there were statements made from Microsoft that NDS for NT broke NT DLLs, but we quickly revised our position to a more customer-centric one. With respect to breaking the NT security model or any lack of desire on our part to support users, I want to categorically state that those are not arguments that Microsoft will use to advise customers against the product."
Houston then pledged that if Microsoft were to determine that its sales and marketing force continue to use either of the aforementioned arguments against customers using NDS for NT, "we will act quickly to halt it. I haven't heard from anyone here using that sales tactic in the last six months." ("NDS for NT: Microsoft Stops the FUD and Adopts Detente," Laura Didio, GigaGroup, May 12, 1999, p. 1)
No Third-Parties Support NDS
In reality there is very broad support for NDS. The following is a partial list of the third-parties that have made commitments to NDS:
Deloitte and Touche
Alteon Web Systems
and many more . . .
NDS for NT Offers Limited TCO Gains
NDS for NT offers significant documented gains in the total cost of ownership (TCO). Neil MacDonald of the GartnerGroup states that NDS for NT will save up to 50% of the administration costs of domains and Exchange. The customer cases covered earlier in this document also very clearly illustrate the significant savings NDS for NT offers customers. Customers should talk with customers that have deployed NDS for NT or should deploy NDS for NT in a testing environment and see first hand what it can do.
NDS for NT Is a Non-Supported Product
There has been concern expressed by some customers concerning support from Microsoft if NDS for NT is deployed. On their Web site at http://support.microsoft.com/support/kb/articles/Q155/4/51.ASP, Microsoft has stated: "Microsoft is committed to providing support for our customers. Any customer who uses NDS for NT can expect full support for Windows NT Server code from Microsoft."
Microsoft and Novell will support their joint customers that deploy NDS for NT/Corporate Edition. There are millions of users using NDS for NT/Corporate Edition today that are receiving the necessary support.
NDS for NT Presents Significant Planning Risks
Microsoft has suggested that companies that expect to use the next release of Microsoft Exchange Server and other future Microsoft product will run a serious deployment risk. However, NDS for NT will actually help customers ease the pain and costs of migrating to Windows 2000. Since Novell will provide solutions that enable NDS to share information with Active Directory and NT 4.0 domains, NDS can be used to integrate the management of domains and Active Directory. Organizations can build their business policies into NDS so that when a user account is created in NDS, an NT 4.0 domain, or in Active Directory, the user is added to all three. Novell will also provide migration solutions enable customers using NDS for NT today to easily migrate to Windows 2000.
NDS for NT Requires NetWare Servers to Be Installed
NetWare servers are not required when NDS for NT is installed. Microsoft often refers to older releases of NDS for NT instead or current technology, and often bases their documentation on outdated information. For example, Microsoft refers to TID2938313 on Novell's Support site for general design guidelines in deploying NDS. The information in TID2938313 is accurate for versions of NDS prior to NDS 8 and does not reflect current Novell products.
Issues of Windows 2000 Performance
One would expect an upgrade to provide enhanced performance. However, the data suggests companies expecting improved performance from Windows 2000 will be disappointed. Microsoft recently published to their Web site:
The Windows 2000 Professional operating system performs significantly better than Windows 95 and Windows 98, and is comparable to Windows NT 4.0 in tests running the most popular business applications, according to ZD Labs, an independent testing service.(http://www.microsoft.com/windows2000/guide/platform/performance/ zdlabs.asp)
If you actually take the time to read the ZD Labs report that is published at the same URL, you discover that Windows 2000 Server is only faster than Windows NT on servers that contain 32 Megabytes of RAM or less. If you read further into the article, you will find the following statement:
On average, however, we found that Windows NT 4.0 provided slightly better performance than Windows 2000 when running with 64 MB and 128 MB of RAM. Although the performance difference at 64 MB was small, we found that the performance difference between the two operating systems grew when we added more memory. With 128 MB of RAM, Windows 2000 was 3 percent slower than Windows NT 4.0.
Since there will be few, if any, Windows 2000 Servers in production that contain only 32 megabytes of RAM, your Windows 2000 servers will actually be slower than the Windows NT servers you just upgraded from.
Customers today are looking for solutions that reduce the amount of manual administration that must be done. Customers are asking for solutions that enable them to manage their diverse networks using as few interfaces as possible. As a result Novell's goal is to make it easier and less expensive for customers to manage their networks, regardless of which network they have. Novell will continue to deliver NDS solutions on the platforms customers have deployed and will deploy in the future. This is Novell's vision of the future of networking and how our strategy ensures your company has the technology you need to be competitive.
This is the critical difference between the Novell and Microsoft strategies. Novell is delivering a cross-platform directory that enables you to integrate your entire network, whereas Microsoft is delivering a solution that only runs on one platform (Windows 2000). With Active Directory Microsoft has solved some of the problems that existed in NT 4.0 domains, but there are a whole set of problems they have not addressed. One significant issue is how to integrate the other applications and platforms in the enterprise. Microsoft claims to have a strategy for this integration based on its recent acquisition of the Zoomit metadirectory technology, but the Zoomit solution today only runs on Windows NT 4.0. It will take time for Microsoft to enable the Zoomit solutions on Windows 2000--and even then it will not help manage the entire network because it only runs on Microsoft platforms. To manage the entire network, the solution must be cross-platform, like NDS.
Microsoft has tried to cloud the future of NDS Corporate Edition in the minds of customers by making statements that Novell is not improving the NDS Corporate Edition product. This could not be further from the truth. Novell has been working on a number of enhancements to the current product and will shortly release an update to NDS Corporate Edition. Enhancements to the current product will include new functionality such as granularity of administration in User Manager, support for "strong" passwords, and GUI interfaces in the NDS administration utilities to configure the RAS dial-in and Terminal Server properties.
Windows 2000 and Active Directory are first-time releases, and the industry analyst community is recommending that customers not deploy Windows 2000 and Active Directory immediately. In addition, performance data suggests that Windows 2000 is less powerful than NT 4.0 Server, leading one to question what the value-add is from this purported upgrade. In the meantime, NDS Corporate Edition sales have increased as customers look for a proven and stable solution to ease the management of NT Server.
Integration with Windows 2000
For those customers who do begin to deploy Windows 2000 and Active Directory, Novell will provide solutions that integrate Windows 2000 and Active Directory with the entire network and provide the same benefits as we currently provide on NT 4.0. In July 1999, Novell announced a technology called DirXML. DirXML is a technology that uses the Internet standards of XML and LDAP to reduce the costs of administering the heterogeneous networks of today.
The DirXML technology will provide a solution that allows an application or directory to be managed through NDS. DirXML will enable a bi-directional synchronization solution that enables NDS and Active Directory to synchronize common information. The DirXML solution will provide the same benefits for Windows 2000 that NDS for NT has provided for NT 4.0. These include cost-saving functions such as single-point of administration and single sign-on. But it is important to note that DirXML is a much broader solution and will enable directories and applications such as Lotus Notes, Peoplesoft, Exchange, Netscape Directory Services, and Active Directory to all share information-managed through NDS.
The combination of NDS eDirectory and DirXML solves one of the largest problems facing any organization today: how to reduce the number of user accounts that have to managed in a heterogeneous environment. Research shows that many organizations have more than 170 directories and applications where user accounts have to be managed. DirXML will provide the solution to share information across all those applications. This means that organizations will be able to build their business processes into NDS. When a user account is created or deleted in one application NDS will automate the creation or deletion of that user account in all the appropriate directories and applications throughout the organization.
Microsoft has been critical of NDS for NT in the past and has made statements that Novell should develop a bi-directional synchronization solution. For example, on their Web site Microsoft states:
Microsoft encourages Novell to implement an architecture in NDS for NT that is based on strong bi-directional synchronization facilities between Active Directory services and NDS, instead of a redirector architecture. This would enable customers to focus their administrative efforts around one directory, while enabling both Active Directory and NDS to remain well-integrated within their operating system environments.(http://www.microsoft.com/WINDOWS2000/news/bulletins/nds2.asp)
Because this is exactly what Novell has done with the DirXML technology, we anticipate and expect Microsoft's full support of DirXML.
Windows 2000 Professional will provide a workstation environment likely to be deployed in the future. Microsoft suggests that this requires Windows 2000 as the background server environment as well. Before upgrading to Windows 2000 Server customers should ask some serious questions:
What are the benefits that we will receive by upgrading servers to Windows 2000?
What will be the hardware, software, and administrative costs associated with upgrading servers to Windows 2000?
What are the risks associated with upgrading to Windows 2000?
Will the benefits associated with upgrading be worth the costs and risks?
If these questions are researched and answered honestly, we believe the answer will be that the risks and costs are too high for the value received.
Don't be discouraged. Novell has a stable and proven solution that will provide you all the benefits and more that Microsoft promises with Windows 2000 and Active Directory--and at a very small portion of the cost and on proven technology. Today you can run NDS Corporate Edition on your Windows NT 4.0 servers. This provides all of the benefits that have been identified in this document, without the cost and risk of Active Directory deployment.
The next version of Exchange, code-named Platinum requires Active Directory. If you are an Exchange user and are planning to upgrade to Platinum, you will need to deploy Active Directory to support it. But your use of Active Directory does not need to extend past managing Exchange. Novell has the proven and superior solutions for file and print, directory, desktop management, single-sign-on, user account management, and management of network components such as routers and switches.
For Additional Information
For details on NDS eDirectory, see http://www.novell.com/products/nds.
Additional information on NetWare 5.1 features can be found at http://www.novell.com/catalog/bg/bge14101.html.
* Originally published in Novell AppNotes
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.