What’s New with the Directory
Changes are afoot to make Active Directory more flexible.
- By Dian Schaffhauser
- February 01, 2002
If you missed our Active Directory Summit in Philadelphia a few weeks
ago, let me share some of what we learned. Two of the most compelling
presentations focused on coming changes to AD in the .NET Server timeframe—important
stuff for anybody implementing Windows networks. Stuart Kwan runs the
development team working on that effort in Redmond. Charles Oppermann,
retired after a lengthy career with Microsoft, wrote Microsoft Windows
2000 Active Directory Programming
; he understands the insides of the
technology as only a programmer can.
Microsoft has three primary goals, according to Kwan, in its .NET rendition
of AD: 1) impose no requirement to redesign currently working implementations;
2) increase the ability of AD as a programmatic platform and ease porting
from Sun and Netscape’s iPlanet Directory Server; and 3) enhance performance
and provide 64-bit support.
Among the gems he shared: The next version of AD will support domain
renaming, handy for divestiture scenarios. Currently, if the root domain
structure changes, you could face the prospect of tearing down your whole
enterprise to restructure it. Of course, the new world won’t be perfect.
Every domain controller in the forest will need to be updated and rebooted,
every machine joined to the renamed domain will need to be rebooted, and
every Windows NT 4.0 machine will need to rejoin the domain. While the
forest root can also be renamed if it’s a .NET-functional forest, the
root role can’t be moved to a different forest.
Also, adding attributes to Global Catalog objects will no longer require
full synchronization among other GCs. Now only the new attributes will
be replicated. If the .NET GC doesn’t find a .NET partner, it’ll do a
Interestingly, what finally drew applause in Kwan’s talk was the simple
fact that the new rev of AD will support drag-and-drop and multi-select
and edit of user objects. We’re a demanding bunch.
As Oppermann explained, a GC will no longer be necessary for login. This
will reduce that sucking sound that happens every morning when 40,000
people in your company crank up their machines. The DC closest to the
user will cache the user’s complete group membership. The cache will populate
at the first login, then subsequent logins will use the cache, which will
get refreshed periodically from the nearest GC.
Another tidbit: You’ll now be able to install replicas from media—a handy
option for deployment efforts. You’ll simply make a backup of the DC’s
system state data; when it’s plugged in at the new site, it asks what’s
changed and replicates only those changes.
Come July in Seattle, we’ll be hosting a summit on Windows security.
Columnist Roberta Bragg and Senior Editor Keith Ward are currently developing
the program for that and we don’t know what surprises will be revealed.
If you can find a way to join us, I encourage you to be there. Staying
on top of changing technologies is like keeping your head above the waves.
I consider these kinds of conferences the best pair of fins you can buy.
Dian L. Schaffhauser is a freelance writer based in Northern California.