News

What’s New with the Directory

Changes are afoot to make Active Directory more flexible.

• By Dian Schaffhauser
• February 01, 2002

If you missed our Active Directory Summit in Philadelphia a few weeks ago, let me share some of what we learned. Two of the most compelling presentations focused on coming changes to AD in the .NET Server timeframe—important stuff for anybody implementing Windows networks. Stuart Kwan runs the development team working on that effort in Redmond. Charles Oppermann, retired after a lengthy career with Microsoft, wrote Microsoft Windows 2000 Active Directory Programming; he understands the insides of the technology as only a programmer can.

Microsoft has three primary goals, according to Kwan, in its .NET rendition of AD: 1) impose no requirement to redesign currently working implementations; 2) increase the ability of AD as a programmatic platform and ease porting from Sun and Netscape’s iPlanet Directory Server; and 3) enhance performance and provide 64-bit support.

Among the gems he shared: The next version of AD will support domain renaming, handy for divestiture scenarios. Currently, if the root domain structure changes, you could face the prospect of tearing down your whole enterprise to restructure it. Of course, the new world won’t be perfect. Every domain controller in the forest will need to be updated and rebooted, every machine joined to the renamed domain will need to be rebooted, and every Windows NT 4.0 machine will need to rejoin the domain. While the forest root can also be renamed if it’s a .NET-functional forest, the root role can’t be moved to a different forest.

Also, adding attributes to Global Catalog objects will no longer require full synchronization among other GCs. Now only the new attributes will be replicated. If the .NET GC doesn’t find a .NET partner, it’ll do a full sync.

Interestingly, what finally drew applause in Kwan’s talk was the simple fact that the new rev of AD will support drag-and-drop and multi-select and edit of user objects. We’re a demanding bunch.

As Oppermann explained, a GC will no longer be necessary for login. This will reduce that sucking sound that happens every morning when 40,000 people in your company crank up their machines. The DC closest to the user will cache the user’s complete group membership. The cache will populate at the first login, then subsequent logins will use the cache, which will get refreshed periodically from the nearest GC.

Another tidbit: You’ll now be able to install replicas from media—a handy option for deployment efforts. You’ll simply make a backup of the DC’s system state data; when it’s plugged in at the new site, it asks what’s changed and replicates only those changes.

Come July in Seattle, we’ll be hosting a summit on Windows security. Columnist Roberta Bragg and Senior Editor Keith Ward are currently developing the program for that and we don’t know what surprises will be revealed. If you can find a way to join us, I encourage you to be there. Staying on top of changing technologies is like keeping your head above the waves. I consider these kinds of conferences the best pair of fins you can buy.