Directory Service Coexistence: Can We Talk Here?

Computer World –

A world with one directory? Forget it. Call it directory diversity. Companies are struggling to maintain a mix of directory services, including Novell Directory Services (NDS), Windows NT, Windows 2000's Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) services. And if that weren't enough, IT managers must contend with a slew of other directory-enabled applications, such as Lotus Notes.

This proliferation creates challenges for IT managers who must plan a coherent directory strategy and for administrators who must wrestle with adding, deleting and modifying users. While the benefits of a single directory -- reduced overhead and ease of administration -- are clear, IT managers say the likelihood that large organizations will be able to standardize anytime soon is small. For now, your best bet may be to combine directory administration for efficiency.

A Slow Consolidation

"We're going to move from NDS to AD at some point, but it isn't happening fast," says Mark Thorsen, network services manager at the New York Times Shared Service Center in Norfolk, Va., which provides IT services to The New York Times Co.'s business units. Slowing the transition is the usual resistance to change, as well as the time it takes to resolve organizational and technical issues.

For example, the service center uses MetaFrame from Citrix Systems Inc. in Fort Lauderdale, Fla., to give application access to remote and mobile users. Although MetaFrame runs on Windows NT, it writes passwords differently, which complicates the process of integrating those users into NDS and AD, Thorsen says. So the center must straddle two directory worlds.

Campbell Soup Co. in Camden, N.J., is in a similar situation. Although the company is migrating from NDS to AD, "we are not rushing. We want to see how this works out," says Mike Giresi, director of global communications. In the meantime, the company must administer both NDS and AD, as well as a Lotus Notes infrastructure and human resources software that needs to be tied into whatever corporate directory emerges.

Administering multiple directories is a labor-intensive, tedious chore. "We have a couple of people who do nothing but maintain the directories," Giresi says. Administrators must handle changes manually in the various directories using different tools.

Hellmann Worldwide Logistics Inc., a Miami-based global freight forwarding company, manually updates its global corporate directory via e-mail. "Right now, the process happens weekly, but we'd like to get out of the address directory distribution business," says Chip DiComo, network manager at Hellmann.

For most organizations, the problems revolve around NDS, Windows NT and AD. While all the directories deliver the same services, they approach the task in fundamentally different ways. AD, for example, replicates all the information to every copy of the directory. If a link goes down, users can still run services locally. NDS keeps exclusively local information local but requires the directory to fetch more general information about group privileges and authorizations from a centralized directory across the network, explains Ferguson.

The differences present a challenge to administrators. NDS administrators are accustomed to viewing things hierarchically but being able to grant privileges to any organizational unit. In AD, administrators grant privileges through high-level domains, which don't allow control at the same low level of granularity as NDS.

Although a single directory clearly has operational advantages, it's not likely to materialize.

"We see directories playing three roles, and we have yet to see one product that can play all three roles equally well," says Jamie Lewis, CEO of The Burton Group Corp., a Midvale, Utah-based research firm. One role is as the enterprise directory, which provides the global catalog of corporate resources and the centralized address book. A second role is as the network operating system directory, which manages access to resources on the network. The final role is as the extranet/e-business directory, which supports online portals. Even among network operating system directories such as NDS and AD, where a single directory is clearly preferable, "many companies have multiple directories," Lewis notes.

Hellmann Worldwide intends to get out of the manual directory distribution business by standardizing on NDS and LDAP and synchronizing its Lotus Notes directory with NDS through the use of Novell Inc.'s DirXML product. "We can use DirXML to populate NDS in near real time," explains DiComo. Such synchronization eliminates the need to enter information into each directory separately.

Hellmann's NDS strategy faces one possible problem: A server farm that handles thin-client Windows applications requires authentication through Windows NT. DiComo says he plans to run Novell's NDS for NT to control Windows NT authentication.

Peaceful Coexistence

The multiple-directory challenge is coexistence -- how to manage and administer the directories. Options include manual synchronization, LDAP, one-time/one-way migration tools, synchronization middleware and metadirectories, notes Lewis.

Synchronization -- automatically replicating changes in one directory across all others -- is critical, but manual synchronization, as Giresi notes, is costly, slow and error-prone.

"LDAP is the directory common denominator, but it is the least interoperable and is unwieldy," says Lewis. LDAP defines a set of application programming interfaces that most of the directory products support, including NDS and AD. However, it doesn't perform synchronization.

The directory vendors and third parties also provide one-way migration tools that will copy and merge an NDS or Windows NT tree into an AD tree. Fairfax County Public Schools in Alexandria, Va., for example, is using DM/Administrator from Fastlane Technologies Inc. in Halifax, Nova Scotia, to migrate Windows NT domains to AD.

"It eliminates the most time-consuming piece and leaves me a way to back out if things don't migrate right," says David Elliott, system software supervisor for the school system. It also gives administrators a single interface through which they can manage both directories until the migration is complete. But it doesn't automatically synchronize changes.

For ongoing synchronization, IT needs synchronization middleware such as Orem, Utah-based NetVision Inc.'s Synchronicity, which automates changes between different directories. New York Times Shared Services is using Synchronicity to automatically synchronize directory changes between NDS and AD, enabling the organization to live with both directories for an indefinite period. With Synchronicity, a New York Times administrator creates, removes or modifies an account using a familiar NetWare administration tool, and the changes propagate into NT and AD. The company says it will eventually migrate completely to NT/AD.

Minneapolis-based Martin/Williams Advertising Inc. runs on NDS but is piloting a terminal server that uses AD. "We're not going to run our business off AD, but we will need to add and delete users and change passwords," says help desk specialist Ryan Helmer.

For NDS/AD synchronization, Helmer turned to Microsoft Directory Synchronization Services (MSDSS), part of Microsoft Corp.'s Services for NetWare. "We don't have a complex tree structure -- a handful of organizational structures one level deep -- so it works pretty easily," he says.

The Metadirectory: A New Twist

Metadirectories add another layer that encompasses all the directories. Where synchronization middleware provides directory-to-directory synchronization, metadirectories "come in at a higher level and manage NDS, AD and other directories," says Lewis.

Envisioned as a massive directory containing all the other directories within it, the metadirectory has evolved into rules-driven software that joins and exposes information residing in and managed by the individual directories, says Michael Hoch, an analyst at Aberdeen Group Inc. in Boston.

Farmers Insurance Group of Companies in Los Angeles uses metadirectory tools from MaXware Inc. in Freehold, N.J., to manage its LDAP corporate directory, Lotus Notes directory, Windows NT domains and human resources application files as one giant logical directory. "We are using MaXware to connect applications to the different directories," particularly applications that don't offer an LDAP security interface, says Martin Leitner, manager of architecture and security infrastructure at Farmers Insurance.
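As an added illustration (not code from the article or from any product it names), here is the pattern the synchronization-middleware and metadirectory passages describe: records from an authoritative source (an HR feed) are joined by a shared key to the accounts held in each directory, and rules decide which changes propagate. The HR, NDS and AD snapshots, the employee-id join key, the managed attribute names and the disable-rather-than-delete rule are all assumptions.

```python
"""Minimal metadirectory-style join and synchronization planner.

Constructed sample data: an HR feed plus NDS and AD account snapshots,
keyed by a hypothetical employee id so they can be joined.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Op:
    directory: str        # target directory, e.g. "NDS" or "AD"
    action: str           # "add", "modify" or "disable"
    key: str              # join key (employee id)
    changes: tuple = ()   # (attribute, new_value) pairs for add/modify


def plan_sync(hr, directories, managed_attrs=("cn", "mail", "dept")):
    """Return the operations needed to bring each directory in line with HR.
    Rules: active HR record missing from a directory -> add; a managed
    attribute that differs from HR -> modify; an enabled account whose HR
    record is not active -> disable (never delete, so an admin can back out)."""
    ops = []
    active = {k: v for k, v in hr.items() if v.get("status") == "active"}
    for name, entries in directories.items():
        for key, rec in sorted(active.items()):
            wanted = {a: rec[a] for a in managed_attrs if a in rec}
            if key not in entries:
                ops.append(Op(name, "add", key, tuple(sorted(wanted.items()))))
                continue
            diff = tuple((a, v) for a, v in sorted(wanted.items())
                         if entries[key].get(a) != v)
            if diff:
                ops.append(Op(name, "modify", key, diff))
        for key, rec in sorted(entries.items()):
            if key not in active and not rec.get("disabled"):
                ops.append(Op(name, "disable", key))  # orphaned account
    return ops


# Constructed sample snapshots (not real people or real directory data).
SAMPLE_HR = {
    "e100": {"status": "active", "cn": "Alice Example", "mail": "alice@example.org", "dept": "IT"},
    "e200": {"status": "active", "cn": "Bob Example", "mail": "bob@example.org", "dept": "Sales"},
    "e300": {"status": "terminated", "cn": "Carol Example", "mail": "carol@example.org", "dept": "IT"},
}
SAMPLE_DIRS = {
    "NDS": {
        "e100": {"cn": "Alice Example", "mail": "alice@example.org", "dept": "IT"},
        "e200": {"cn": "Bob Example", "mail": "bob@example.org", "dept": "Marketing"},  # stale
        "e300": {"cn": "Carol Example", "mail": "carol@example.org", "dept": "IT"},     # has left
    },
    "AD": {
        "e100": {"cn": "Alice Example", "mail": "alice@example.org", "dept": "IT"},
        "e300": {"cn": "Carol Example", "mail": "carol@example.org", "dept": "IT", "disabled": True},
    },
}


def demo():
    """Plan the sync for the sample snapshots and return the operation list."""
    return plan_sync(SAMPLE_HR, SAMPLE_DIRS)


if __name__ == "__main__":
    for op in demo():
        print(op)
```

Running it shows the three classes of drift the article's administrators handle by hand: a stale attribute in NDS, an account never provisioned in AD, and a leaver still enabled in NDS.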

Coexistence works well from an operational standpoint once IT puts a strategy for synchronization in place. After administrators have gotten over the different philosophical approaches of the vendors and become accustomed to the level of control they have, the administrative tasks are handled similarly.

Even the tools are similar. "Microsoft's management console seems to be directly modeled after Novell's NetWare administration tool," says Chopp.

With directories becoming increasingly central to the secure deployment of information resources, large organizations will have to learn how to live with multiple directories. Although it adds work, multiple directories may prove to be a lot easier than trying to impose a single directory standard.

This story, "Directory Service Coexistence: Can We Talk Here?" was originally published by ITworld.

Copyright © 2001 IDG Communications, Inc.
