Microsoft spent a lot of effort tuning Active Directory in Windows Server 2003, to improve scalability and speed and to correct key deficiencies. In this sample chapter, you’ll learn what’s new, and how to take advantage of Active Directory’s new features.
Alright, I started to RTFA, but I got a little confused a short way in. I have no idea what “Active Directory” is or does. I’m sure it’s more than a buzzword I keep hearing. What’s it do? What’s it fix? How’s it great?
Technically… Active Directory = LDAP + KERBEROS
Microsoft is using the LDAP of Active Directory to store things like group policies, but that’s about the only thing “different” from what Active Directory does that everyone else in the world was doing for a few years before Microsoft started using LDAP.
Active Directory is NOT just Kerberos + LDAP…. AD is more than that.
Thanks! Now I’m off to look up LDAP and Kerberos…
>>>Active Directory is NOT just Kerberos + LDAP…. AD is more than that.
Of course it’s more than that, JoJo.
It’s called “embrace and extend”
Active Directory was as solid as it could be in Windows 2000, and it really worked when you set it up correctly. The 2003 version of AD is a flawed, broken implementation. Group Policy doesn’t work, there are numerous bugs in software assignment publishing, GPO has a horrible effect on XP workstations (odd that Win2K workstations don’t see these issues) and many, many other problems ranging from minor technical issues to extremely debilitating problems. After extensive testing in our lab, my recommendation to my supervisor and my peers was to avoid XP/2003 at all costs. Sure, it’s pretty, but if you candy-coat a piece of $hit, it’s still a piece of $hit on the inside.
Active Directory is a database-driven authentication and cataloging system for networks, and is meant to replace the old NT domain system. In an AD domain, every printer, computer and user is an object. Objects can be dragged and dropped into organizational units, where security policies and other profiles can be controlled.
There is a lot more to it than that but that’s the gist.
“Replacement for NT Domains” sounds like an excellent idea. The NT implementation seemed, to me, like saying, “there are plenty of ways to do this already, but we’re gonna make up this ugly system and put it in front of average users.” Does Linux have anything roughly comparable, or is it a lot of things I’ve heard about separately, or is there no such tool?
Linux can use NIS+NFS (Network File System) or Samba+LDAP (Samba is the free software implementation of the SMB/CIFS protocol) or both.
Samba 3.0 also has integration with Microsoft’s AD.
There are other ways to do this, but the above ones are the most common.
Linux can also use NDS or eDirectory. We have Novell (NetWare) boxes that have been doing this for over 8 years! Wow! Our NDS is 8 years old and has better scalability and speed. Why are people migrating to something that doesn’t work well yet?
You can also use NFS+LDAP, and if you are super paranoid, you can pipe it through OpenSSH.
Because there is a large number of managers and fanboys that are more worried about the “Microsoft factor” than the “does it actually work” factor.
Just look at the price of Solaris x86 and their server software. That is cheaper and more reliable than Windows, yet we have people “upstairs” more concerned with being a “Microsoft shop” than actually getting tools that do the work cheaper and more efficiently.
Btw, these are the same people who wait until the last minute to cut costs in their business rather than doing the more pragmatic thing and being constantly on the war-path for efficient use of money.
Btw, these are the same people who wait until the last minute to cut costs in their business rather than doing the more pragmatic thing and being constantly on the war-path for efficient use of money. SHOULD BE:
Btw, these are the same people who wait until the last minute to cut costs in their business rather than doing the more pragmatic thing, which would be being on the constant war-path for inefficient use of money and finding better ways of doing more with less.
Just look at SUN, for example, expanding at a ridiculous rate during the dot-com days and suddenly realising now that they don’t need 1/2 the “campuses” they have now.
http://www.vnunet.com/News/1144289
And this article shows you that Samba is 2.5 times as fast as the Windows file server.
The reason Samba is usually so much faster than Windows 2000 or Windows 2003 in performance tests is that the tests usually do not involve setting up Samba to use ACLs. It only makes sense that file sharing will be a lot faster on a system that does not write and read ACLs with every file access and file write than on a system that must read and write ACLs for every file access.
In my experience, Samba file sharing performance is noticeably faster than Windows 2000 or 2003 when Samba and the underlying file system are not set up to use ACLs. However, when Samba is configured to use ACLs, there is no noticeable difference between a Linux system running Samba and a Windows 2000 or 2003 server.
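The ACL point above cuts both ways for a defender: a Samba share benchmarked with NT ACL support switched off is faster, but it also silently ignores the Windows ACLs clients set on it. The following is an added example, not code from the thread or from the Samba project: it parses a constructed smb.conf and reports, per share, whether NT ACLs are enforced and whether the acl_xattr VFS module stores them. The parameter names `nt acl support` (Samba's default is yes), `inherit acls` and `vfs objects = acl_xattr` are real Samba options; treating "acl_xattr loaded" as the marker for full NT ACL storage is this example's own simplification.

```python
"""Audit which shares in an smb.conf actually enforce NT ACLs (added example)."""
import configparser

# Constructed sample smb.conf: one share disables NT ACLs for speed,
# one stores full NT ACLs via acl_xattr, one just inherits [global].
SAMPLE_SMB_CONF = """
[global]
workgroup = EXAMPLE
nt acl support = yes

[fastshare]
path = /srv/fast
nt acl support = no   ; faster, but client-set Windows ACLs are ignored

[secureshare]
path = /srv/secure
vfs objects = acl_xattr
inherit acls = yes

[plainshare]
path = /srv/plain
"""


def parse_smb_conf(text):
    """Parse smb.conf (INI-like) into {section: {lowercased key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=(";", "#"))
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def _is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def acl_report(text):
    """Per share: are NT ACLs honoured, and is acl_xattr loaded to store them?
    [global] values act as defaults for every share, as in Samba itself."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    report = {}
    for share, opts in conf.items():
        if share == "global":
            continue
        eff = {**glob, **opts}  # share-level settings override global ones
        nt_acl = _is_yes(eff.get("nt acl support", "yes"))  # Samba default: yes
        vfs = eff.get("vfs objects", "").split()
        report[share] = {"nt_acl": nt_acl, "xattr_acls": "acl_xattr" in vfs}
    return report


def shares_without_nt_acls(text):
    """Shares whose speed comes from not enforcing Windows ACLs at all."""
    return sorted(s for s, r in acl_report(text).items() if not r["nt_acl"])
```

Run `shares_without_nt_acls(SAMPLE_SMB_CONF)` to list the shares that would look fast in a benchmark but discard client ACLs.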
In Re:
Linux can also use NDS or eDirectory. We have Novell (NetWare) boxes that have been doing this for over 8 years! Wow! Our NDS is 8 years old and has better scalability and speed. Why are people migrating to something that doesn’t work well yet?
You didn’t specify whether you were talking scale-up or scale-out? And I’d like to know how you think AD does not work well?
NDS has never been more scalable “out-wise”; AD has customers in production w/ 1000’s of sites. Last time I looked (9 mo. ago) NDS said don’t go above 400 (or maybe it was as low as 100) replicas of the data. And support of high scale-out scenarios in Win2k3 was improved! NDS is probably way behind by now.
I do remember that AD had some scalability “up-wise” issues in Win2k, and we made like a 4x improvement in Win2k on 4P and 8P systems. So old presumptions and old data should probably be checked. Also there was a Novell report out some years back that totally misrepresented search performance.
Also I see nothing wrong w/ MSFT realizing that they’re behind in a certain game, and making efforts to catch up (and surpass) the previous NOS-Directory leader. I _think_ even Gartner thinks AD has surpassed Novell’s NDS product.
Sincerely,
Brett Shirley
Programmer AD Replication & AD Backup/Restore
(Yes, I’m from MSFT, so really how much can you trust my opinion?)
I have a 1 PM meeting, feel free to rip on my thoughts while I’m gone, I’ll get back to this later today.
One could argue that using Solaris x86 + Java Enterprise System at $100 per user, which includes the Sun ONE Directory Server, is a lot better value than spending that sort of money *JUST* on Windows.
http://wwws.sun.com/software/products/directory_srvr/ds_directory.h…
“* Linear scalability up to 12 CPUs enables customers to take complete advantage of large, multi-CPU systems.
* Protocol-independent design provides open standards support for the Lightweight Directory Access Protocol (LDAP) v3 and Directory Services Markup Language (DSML) v2.
* Four-way, multi-master replication across local-area networks (LANs) and wide-area networks (WANs) enables always-on, highly available directory services.
* High-performance design now optimized to support 64-bit caching on Solaris and HP-UX platforms, allowing access to maximum memory capacity of the system.
* Enables strong security and privacy through attribute encryption, fine-grained password management, and fractional replication.
* Helps simplify password administration between Windows NT/Windows 2000 Active Directory and Sun ONE Directory Server environments through the Sun ONE Identity Synchronization for Windows software product.”