Whatever Happened to ... Active Directory?
This is the first of several articles that will look at software once considered evolutionary and now viewed as either a standard IT infrastructure component or technologically stagnating while popularity wanes.The first of several articles that will look at software once considered revolutionary examines Active Directory -- from its origins to where it is going.
Although the typical user may scratch her head if asked about Microsoft Active Directory (AD), many IT administrators have a long and storied relationship with it. Support for AD is now spreading beyond the Windows platform, introducing AD to a new wave of administrators. For new and old admins, alike, it is important to understand where AD's origins and where it is going.
The 411 on Directory Services
Generally speaking, directory services exist to centrally manage and authenticate users or other network objects, such as workstations and printers. Directory services can manage a large number of objects and replicate these databases across multiple locations. Administrators can assign privileges and policies to users and groups, potentially based on hierarchies, and run queries against the directory to produce reports, such as user activity or password freshness.
Although all directory services support some permutation of these functions, their performance, sophistication and scalability can vary. In the days of Windows NT 4, Microsoft introduced NT Directory Services in an effort to play catch-up to the established Novell Directory Services, a part of the NetWare networking suite. Administrators found NT Directory Services wanting, particularly in comparison to the sophistication for the time that Novell's product offered. NT, for example, scaled poorly and quickly became cumbersome under the weight of a midsize organization's needs. NT also suffered from a single point of failure vulnerability, which included a limited set of directory objects that were not extendable, lacked hierarchies and was unable to provide granular levels of authority.
Enter Active Directory
With the release of Windows 2000, Microsoft addressed most of NT's shortcomings with the re-branded Active Directory. This first release of AD laid the foundation for most of AD's key features.
AD's data is stored in its own robust database. This is in contrast to NT, which heaped directory services into the general Windows registry, resulting in poor scalability. Also unlike NT, AD domain controllers can replicate changes across each other, removing the master/slave dependency that led NT to be vulnerable to directory server outages.
AD is extensible. With NT, administrators were stuck with built-in directory objects. Want to add a mobile phone number or home page URL for a user account? No can do. But with AD, not only do built-in objects include many more useful properties, but administrators can also customize the directory schema to add support for any needed properties.
NT was limited in its ability to support complex relationships between objects it lacked the ability to represent organizational hierarchies and offered only a simplistic approach to trust and authority within and across domains. Once again, Active Directory improved on all these limitations, allowing administrators, particularly at large organizations, to build a directory that more closely mirrors real-word relationship structures.
With its major facelift over NT and widespread adoption of Windows 2000 in back-end operations, Active Directory quickly became the new standard for directory services until IT demands grew more demanding and security threats became more widespread and more critical.
Active Directory 2003
With the release of Windows Server 2003, Microsoft unveiled Active Directory's next evolution, sensibly called Active Directory 2003. Although less of a radical departure from its predecessor than AD was from NT, Microsoft addressed several shortcomings and added more beef to directory security.
Most notable among its security improvements is the way Active Directory 2003 enhances policy management. Policies in general are a core backbone in a directory service. Administrators define the access privileges allowed to a directory object, but policies quickly become complex because they are hierarchical and cascade; a policy might apply at a domain, group, or local level (among others), and objects below it can inherit it. One result can be that an administrator, when looking at a particular directory object, may not see all policies that object inherits vs. those directly applied to it.
To lessen the confusion, Active Directory 2003 includes a new object task called "Resultant Set of Policy" (clearly not named by the marketing department). This task analyzes the directory hierarchy and summarizes all policies that trickle down and apply to a select object.
AD 2003 makes it easy for administrators to create policies that restrict or allow end-user application installs. Install policies can be defined as either whitelists or blacklists, blocking or allowing all software installations paired with a list of excepted applications (to allow or deny).
Besides security, Active Directory 2003 offers improved management functionality in several respects. Domains can be easily renamed, and AD 2003 can essentially import users from an NT domain to improve migration. Also, while AD 2000 introduced the ability to customize directory objects, these customizations were permanent modifications to the database and could not be reversed. With AD 2003, object schemas can be removed or redefined, removing this limitation.
Also improving extensibility is AD 2003 Support Application mode. Previously, if an external application needed access to Active Directory it had to run on the domain controller. Now, such applications can run on member servers, and multiple applications can access Active Directory in parallel.
Although Active Directory is not an industry standard directory service, many enterprises have come to rely on it. As a result, Linux users who must interface with Windows-based servers have had to play along.
Both open source and commercial vendors are bridging the AD gap between Linux and Windows. Among open source solutions, varying degrees of support for AD can be achieved using Kerberos, Winbind, Samba 3 and, now, Samba 4, which supports the most sophisticated open source integration between Linux and Active Directory.
Commercial solutions include Centrify DirectControl Suite, which integrates Active Directory across not just Linux but also Unix, Mac, Java (J2EE) and Web-based applications. Another commercial product, Centeris Likewise Identity, extends cross-platform managements and group policy support to both Linux and Windows platforms.
Active Directory: The Next Generation
One promise that has evolved only partially in the Active Directory life cycle is that of single-sign-on support. With single sign-on, users need only authenticate one time to gain access to a variety of applications and services. Both AD 2000 and AD 2003 provide varying degrees of single-sign-on functionality, but complete integration across the platform remains elusive.
Microsoft's plans for the future of AD focus on this very issue. Now mature as a directory service, AD is set to evolve further into an identity platform. As planned core component of Microsoft's Identity Metasystem, future versions of AD will support the broad strategy to enable users to carry one identity with them across both applications and networks.
Technically, the migration toward becoming an identity provider involves shifting AD from a pull service to a push service. In this model, rather than relying on applications to poll AD for credentials, security tokens will be seeded from AD to the local level, theoretically providing for ubiquitous identity.
It promises that perhaps someday we will be free from that little black book with 20 different passwords.