Directory service coexistence: can we talk here?
Alan Radding, Information Age
25/04/2001 17:11:56
A world with one directory? Forget it. Call it directory diversity. Companies are struggling to maintain a mix of directory services, including Novell Directory Services (NDS), Windows NT, Windows 2000's Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) services. And if that weren't enough, IT managers must contend with a slew of other directory-enabled applications, such as Lotus Notes. This proliferation creates challenges for IT managers who must plan a coherent directory strategy and for administrators who must wrestle with adding, deleting and modifying users. While the benefits of a single directory - reduced overhead and ease of administration - are clear, IT managers say the likelihood that large organisations will be able to standardise anytime soon is small. For now, your best bet may be to combine directory administration for efficiency.

A slow consolidation

"We're going to move from NDS to AD at some point, but it isn't happening fast," says Mark Thorsen, network services manager at the New York Times Shared Service Center, which provides IT services to The New York Times' business units. Slowing the transition is the usual resistance to change, as well as the time it takes to resolve organisational and technical issues. For example, the service centre uses MetaFrame from Citrix Systems to give application access to remote and mobile users. Although MetaFrame runs on Windows NT, it writes passwords differently, which complicates the process of integrating those users into NDS and AD, Thorsen says. So the centre must straddle two directory worlds.

Campbell Soup is in a similar situation. Although the company is migrating from NDS to AD, "we are not rushing. We want to see how this works out," says Mike Giresi, director of global communications.
In the meantime, the company must administer both NDS and AD, as well as a Lotus Notes infrastructure and human resources software that needs to be tied into whatever corporate directory emerges. Administering multiple directories is a labour-intensive, tedious chore. "We have a couple of people who do nothing but maintain the directories," Giresi says.

Administrators must handle changes manually in the various directories using different tools. Hellmann Worldwide Logistics, a global freight forwarding company, manually updates its global corporate directory via e-mail. "Right now, the process happens weekly, but we'd like to get out of the address directory distribution business," says Chip DiComo, network manager at Hellmann.

For most organisations, the problems revolve around NDS, Windows NT and AD. While all the directories deliver the same services, they approach the task in fundamentally different ways. AD, for example, replicates all the information to every copy of the directory. If a link goes down, users can still run services locally. NDS keeps exclusively local information local but requires the directory to fetch more general information about group privileges and authorisations from a centralised directory across the network, explains Ferguson.

The differences present a challenge to administrators. NDS administrators are accustomed to viewing things hierarchically but being able to grant privileges to any organisational unit. In AD, administrators grant privileges through high-level domains, which don't allow control at the same low level of granularity as NDS.

Although a single directory clearly has operational advantages, it's not likely to materialise. "We see directories playing three roles, and we have yet to see one product that can play all three roles equally well," says Jamie Lewis, CEO of The Burton Group, a research firm.
One role is as the enterprise directory, which provides the global catalogue of corporate resources and the centralised address book. A second role is as the network operating system directory, which manages access to resources on the network. The final role is as the extranet/e-business directory, which supports online portals. Even among network operating system directories such as NDS and AD, where a single directory is clearly preferable, "many companies have multiple directories", Lewis notes.

Peaceful coexistence

Hellmann Worldwide intends to get out of the manual directory distribution business by standardising on NDS and LDAP and synchronising its Lotus Notes directory with NDS through the use of Novell's DirXML product. "We can use DirXML to populate NDS in near real time," explains DiComo. Such synchronisation eliminates the need to enter information into each directory separately. Hellmann's NDS strategy faces one possible problem: a server farm that handles thin-client Windows applications requires authentication through Windows NT. DiComo says he plans to run Novell's NDS for NT to control Windows NT authentication.

The multiple-directory challenge is coexistence - how to manage and administer the directories. Options include manual synchronisation, LDAP, one-time/one-way migration tools, synchronisation middleware and metadirectories, notes Lewis. Synchronisation - automatically replicating changes in one directory across all others - is critical, but manual synchronisation, as Giresi notes, is costly, slow and error-prone. "LDAP is the directory common denominator, but it is the least interoperable and is unwieldy," says Lewis. LDAP defines a set of application programming interfaces that most of the directory products support, including NDS and AD. However, it doesn't perform synchronisation. The directory vendors and third parties also provide one-way migration tools that will copy and merge an NDS or Windows NT tree into an AD tree.
Fairfax County Public Schools, for example, is using DM/Administrator from Fastlane Technologies to migrate Windows NT domains to AD. "It eliminates the most time-consuming piece and leaves me a way to back out if things don't migrate right," says David Elliott, system software supervisor for the school system. It also gives administrators a single interface through which they can manage both directories until the migration is complete. But it doesn't automatically synchronise changes.

For ongoing synchronisation, IT needs synchronisation middleware such as NetVision's Synchronicity, which automates changes between different directories. New York Times Shared Services is using Synchronicity to automatically synchronise directory changes between NDS and AD, enabling the organisation to live with both directories for an indefinite period. With Synchronicity, a New York Times administrator creates, removes or modifies an account using a familiar NetWare administration tool, and the changes propagate into NT and AD. The company says it will eventually migrate completely to NT/AD.

Minneapolis-based Martin/Williams Advertising runs on NDS but is piloting a terminal server that uses AD. "We're not going to run our business off AD, but we will need to add and delete users and change passwords," says help desk specialist Ryan Helmer. For NDS/AD synchronisation, Helmer turned to Microsoft Directory Synchronisation Services (MSDSS), part of Microsoft's Services for NetWare. "We don't have a complex tree structure - a handful of organisational structures one level deep - so it works pretty easily," he says.

The metadirectory: a new twist

Metadirectories add another layer that encompasses all the directories. Where synchronisation middleware provides directory-to-directory synchronisation, metadirectories "come in at a higher level and manage NDS, AD and other directories", says Lewis.
Envisioned as a massive directory containing all the other directories within it, the metadirectory has evolved into rules-driven software that joins and exposes information residing in and managed by the individual directories, says Michael Hoch, an analyst at Aberdeen Group.

Farmers Insurance Group of Companies uses metadirectory tools from MaXware to manage its LDAP corporate directory, Lotus Notes directory, Windows NT domains and human resources application files as one giant logical directory. "We are using MaXware to connect applications to the different directories," particularly applications that don't offer an LDAP security interface, says Martin Leitner, manager of architecture and security infrastructure at Farmers Insurance.

Coexistence works well from an operational standpoint once IT puts a strategy for synchronisation in place. After administrators have gotten over the different philosophical approaches of the vendors and become accustomed to the level of control they have, the administrative tasks are handled similarly. Even the tools are similar. "Microsoft's management console seems to be directly modelled after Novell's NetWare administration tool," he says.

With directories becoming increasingly central to the secure deployment of information resources, large organisations will have to learn how to live with multiple directories. Although it adds work, multiple directories may prove to be a lot easier than trying to impose a single directory standard.
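As an added illustration, not part of the original article and not the code of any product named in it, the Python below shows in miniature the two mechanisms the article describes: synchronisation middleware that pushes changes from one directory into another through an attribute-mapping rule set, and a metadirectory that joins records from the HR system, NDS and AD into one logical view. The directory contents, the attribute names and the employee-number join key are all constructed for the example. The security payoff is in the last function: once the directories are joined, accounts that are still enabled for people HR has terminated, or that cannot be tied to any employee at all, become visible in one place, which is exactly the check that manual, per-directory administration makes hard to run.

```python
"""Toy directory synchronisation and metadirectory join (constructed example)."""
from copy import deepcopy

# Constructed sample data. Employee number is the join key. Attribute names only
# loosely mimic NDS and AD conventions; nothing here is taken from a real tree.
HR = {
    "1001": {"givenName": "Ana", "sn": "Ruiz", "status": "active"},
    "1002": {"givenName": "Ben", "sn": "Okafor", "status": "terminated"},
}
NDS = {
    "aruiz":     {"cn": "aruiz", "Full Name": "Ana Ruiz", "workforceID": "1001", "Login Disabled": False},
    "bokafor":   {"cn": "bokafor", "Full Name": "Ben Okafor", "workforceID": "1002", "Login Disabled": True},
    "svcbackup": {"cn": "svcbackup", "Full Name": "Backup Service", "workforceID": None, "Login Disabled": False},
}
AD = {
    "aruiz":   {"sAMAccountName": "aruiz", "displayName": "A. Ruiz", "employeeID": "1001", "userAccountControl": 512},
    "bokafor": {"sAMAccountName": "bokafor", "displayName": "Ben Okafor", "employeeID": "1002", "userAccountControl": 512},
}

# Mapping rules, NDS attribute -> AD attribute: the kind of table a sync product is configured with.
NDS_TO_AD = {"cn": "sAMAccountName", "Full Name": "displayName", "workforceID": "employeeID"}
UAC_NORMAL, UAC_DISABLED = 512, 514  # AD userAccountControl values for a normal / disabled account


def sync_nds_to_ad(nds, ad):
    """One-way synchronisation with NDS authoritative: AD is created/updated to match.

    Returns the (account, attribute) pairs that changed, so the administrator can
    review what propagated. Accounts that exist only in AD are left untouched.
    """
    changes = []
    for cn, entry in nds.items():
        target = ad.setdefault(cn, {})
        for src_attr, dst_attr in NDS_TO_AD.items():
            if dst_attr not in target or target[dst_attr] != entry[src_attr]:
                target[dst_attr] = entry[src_attr]
                changes.append((cn, dst_attr))
        wanted = UAC_DISABLED if entry["Login Disabled"] else UAC_NORMAL
        if target.get("userAccountControl") != wanted:
            target["userAccountControl"] = wanted
            changes.append((cn, "userAccountControl"))
    return changes


def build_metadirectory(hr, nds, ad):
    """Join HR, NDS and AD on employee number into one logical record per person.

    Returns (view, unjoined): view maps employee number -> {"hr", "nds", "ad"};
    unjoined lists (directory, account) pairs that carry no employee number.
    """
    view = {emp: {"hr": rec, "nds": None, "ad": None} for emp, rec in hr.items()}
    unjoined = []
    for cn, e in nds.items():
        if e["workforceID"] is None:
            unjoined.append(("nds", cn))
            continue
        view.setdefault(e["workforceID"], {"hr": None, "nds": None, "ad": None})["nds"] = e
    for sam, e in ad.items():
        if e.get("employeeID") is None:
            unjoined.append(("ad", sam))
            continue
        view.setdefault(e["employeeID"], {"hr": None, "nds": None, "ad": None})["ad"] = e
    return view, unjoined


def find_stale_access(view, unjoined):
    """Over the joined view, list enabled accounts whose owner is not an active employee."""
    findings = []
    for rec in view.values():
        hr = rec["hr"]
        if hr is None:
            reason = "no HR record"
        elif hr["status"] != "active":
            reason = "HR status " + hr["status"]
        else:
            continue
        if rec["nds"] and not rec["nds"]["Login Disabled"]:
            findings.append(("nds", rec["nds"]["cn"], reason))
        if rec["ad"] and rec["ad"]["userAccountControl"] != UAC_DISABLED:
            findings.append(("ad", rec["ad"]["sAMAccountName"], reason))
    for directory, name in unjoined:
        findings.append((directory, name, "not joinable to HR"))
    return sorted(findings)


def demo():
    """Run the check before and after a sync pass; returns (before, changes, after)."""
    ad = deepcopy(AD)
    before = find_stale_access(*build_metadirectory(HR, NDS, ad))
    changes = sync_nds_to_ad(NDS, ad)
    after = find_stale_access(*build_metadirectory(HR, NDS, ad))
    return before, changes, after


if __name__ == "__main__":
    for label, result in zip(("before sync", "changes", "after sync"), demo()):
        print(label, result)
```

Before the sync pass the joined view reports Ben Okafor's AD account as still enabled although HR lists him as terminated and NDS already has him disabled; the sync pass propagates the disable flag and that finding disappears. The service account with no employee number is reported both before and after, which is the point: a metadirectory join surfaces accounts that no directory-to-directory sync can reconcile, and those are the ones that need a human owner.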