You should know about five important directory services: Novell eDirectory, Microsoft’s Windows NT domains, Microsoft’s Active Directory, X.500 Directory Access Protocol, and Lightweight Directory Access Protocol. These are described later in this chapter.
Forests, Roots, Trees, and Leaves
One thing common to all directory services is a tree-based organization (with the tree usually depicted upside-down, with the root at the top), somewhat similar to the organization of directories on a hard disk. A forest is a collection of trees managed collectively. At the top of each directory tree is the root entry, which contains other entries. These other entries can be containers or leaves. A container object is one that contains other objects, which can also include more containers and leaves. A leaf object represents an actual resource on the network, such as a workstation, printer, shared directory, file, or user account. Leaf objects cannot contain other objects. Figure 9-1 shows a typical directory tree.
Figure 9-1. A typical directory tree
[Figure: the tree runs from the Root, through Country (C) entries (Asia, U.S., Europe), Organization (O) entries (Anyco, Inc.; Otherco, Ltd.), and Organizational Unit (OU) entries (Accounting, HR, Manufacturing, Distribution), down to Common name (CN) leaf entries (T Wilson, F Thomas, Controller, Accounting printer, Accounting folder).]
All the objects in a directory tree have attributes (sometimes called properties), which vary depending on the type of object to which the attribute is attached. For example, a printer leaf object might contain attributes that describe the printer, who can administer the printer, what the printer’s name is on the network, and so forth. A user account leaf object might contain attributes that include the full name of the user account, its password, and resources that the user can access. The details of what attributes attach to what leaf or container objects vary among all the directory services, although they generally use similar attributes.
Department of Redundancy Department
Keeping directory services running is essential for any network that relies on them. Because they contain all details about accounts, resources, and security, the absence of directory services means the network won’t work—at all! Since the directory services become so important to a network, you must protect them with some degree of redundancy. As mentioned earlier, keeping duplicate copies of the directory on multiple servers provides the necessary redundancy. This is done using one of two approaches:
• In the primary/backup model, a single primary database contains the primary (or “real”) directory on one server, while other servers hold one or more backup copies. If the primary copy stops working for some reason, the backups can continue to provide directory services to the network without the user even knowing that the primary copy isn’t available. Windows NT domains use a primary/backup approach.
• In the multimaster model, multiple directory servers exist, but they are all peers to one another. If one goes down, the other peers continue to operate normally. The advantage of the multimaster model is that each directory server can fully participate in doing the work of the directory service. Active Directory (in Windows 2000 Server and later) uses the multimaster approach.
Directory servers—whether they use the primary/backup or multimaster approach—must keep in sync with changes on the network. The separate databases are kept synchronized through a process called replication, in which changes to any of the individual directory databases are transparently updated to all the other directory service databases.
A potential problem exists with any replication process, though: If two changes are made to the same leaf object on two different directory servers and the changes are different, what does the system do when the changes “collide” during replication? The various directory services handle this problem in slightly different ways. In the case of Novell eDirectory, the timestamps of the changes drive which of two conflicting changes will win. (Because of this, servers running eDirectory must carefully keep their time synchronized; this synchronization is also handled during replication.) Microsoft’s Active Directory doesn’t use timestamps, but instead uses sequence numbers in a clever scheme that avoids the potential problems of a timestamp approach. (Even though eDirectory servers synchronize their time, their time can still become out of sync between synchronizations.)
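As an added illustration (not code from this book or from either vendor), the following Python model plays one two-step change through a timestamp rule and a simplified per-attribute version-counter rule, showing why clock drift matters for the first and not the second. The server names, the clock skew, and the attribute values are constructed, and the version counter is a simplification, not Active Directory’s actual algorithm.

```python
# Simplified model of how two directory replicas resolve a replication
# conflict. Constructed illustration; not eDirectory's or Active Directory's
# actual code. Policies: "timestamp" = later wall-clock stamp wins;
# "version" = each write bumps a per-attribute counter and the higher wins.
from dataclasses import dataclass

@dataclass(frozen=True)
class Change:
    value: str
    timestamp: float  # wall-clock time as stamped by the originating server
    version: int      # per-attribute write counter (simplified sequence number)
    origin: str       # originating server, used only as a deterministic tie-breaker

class Replica:
    def __init__(self, name, policy, clock_skew=0.0):
        self.name = name
        self.policy = policy
        self.clock_skew = clock_skew  # seconds this server's clock is off true time
        self.attrs = {}               # attribute name -> latest accepted Change

    def write(self, attr, value, real_time):
        """A local administrative change, stamped with this server's own clock."""
        prev = self.attrs.get(attr)
        self.attrs[attr] = Change(value, real_time + self.clock_skew,
                                  (prev.version if prev else 0) + 1, self.name)

    def receive(self, attr, incoming):
        """Replication: accept the incoming change only if it beats the local one."""
        local = self.attrs.get(attr)
        if local is None or self._rank(incoming) > self._rank(local):
            self.attrs[attr] = incoming

    def _rank(self, c):
        if self.policy == "timestamp":
            return (c.timestamp, c.origin)
        return (c.version, c.timestamp, c.origin)

def run_scenario(policy):
    """Server A's clock runs 300 s slow. An admin sets a user's phone number on
    B at t=100; it replicates to A; the admin then corrects it on A at t=200.
    Returns (value on A, value on B) after both servers have replicated."""
    a = Replica("A", policy, clock_skew=-300.0)
    b = Replica("B", policy)
    b.write("telephone", "555-0100", real_time=100.0)
    a.receive("telephone", b.attrs["telephone"])
    a.write("telephone", "555-0199", real_time=200.0)  # the later, intended change
    b.receive("telephone", a.attrs["telephone"])
    a.receive("telephone", b.attrs["telephone"])
    return a.attrs["telephone"].value, b.attrs["telephone"].value
```

Under the timestamp rule the slow-clocked server’s later correction loses and both replicas converge on the stale number; under the version rule both converge on the correction regardless of the clock skew.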
Some directory services also allow a concept called partitioning, in which different directory servers keep different parts of the entire directory tree. In this case, a controlling directory server usually manages the entire tree (called the global catalog in Active Directory), and then other directory servers can manage smaller pieces of the total tree. Partitioning is important for networks with multiple LANs connected by a wide area network (WAN). In such cases, you want to host a partition that relates to a particular LAN locally, yet still allow access to the entire tree for resources accessed over the WAN. Each LAN hosts its own partition, but can still access the total tree when needed. You arrange the partitions (and set the scheduled replication times) to make the best use of the WAN’s performance, which usually is slower than that of a LAN.
Learning About Specific Directory Services
Quite a few different directory services are available. Choosing one usually goes hand in hand with choosing a main network operating system, although this isn’t always the case. Both eDirectory and Active Directory can handle non-Novell and non-Microsoft servers, respectively. Consequently, even a network that currently uses mostly Windows servers might still rely on eDirectory for directory services through the use of Novell’s eDirectory for Windows product. Using a single directory service with different network operating systems often happens because an organization starts out favoring a particular network operating system and then later finds itself forced to support additional ones, but the organization still wants to maintain a coherent, single directory service to manage the network operating systems.
The following are the main directory services:
• Novell eDirectory (previously called Novell Directory Services, or NDS) is the network directory service that has been available for the longest time. eDirectory runs on NetWare 4.x and later servers, and is also available for other server operating systems (such as Solaris, Linux, and Windows), enabling you to use eDirectory as a single directory service for managing a multivendor network.
• Windows NT domains (introduced with Windows NT 4) are not actually complete directory services, but they provide some of the features and advantages of directory services.
• Microsoft’s Active Directory debuted with the Windows 2000 Server line of products. This is a true directory service, and it brings the full features of a directory service to a network predominantly built using Windows servers.
• X.500 Directory Access Protocol (DAP) is an international standard directory service that is full of features. However, X.500 provides so many features that its overhead makes deploying and managing it prohibitive. Consequently, X.500 is in an interesting position: it is an important standard, yet, paradoxically, it is not actually used.
• The Lightweight Directory Access Protocol (LDAP) was developed by a consortium of vendors as a subset of X.500 to offer an alternative with less complexity than X.500. LDAP is in wide use for e-mail directories and is suitable for other directory service tasks. The most recent versions of eDirectory and Active Directory are compatible with LDAP.
These are the predominant directory services that you will encounter, although others exist. For instance, a number of companies offer different software that provides LDAP-compliant directory services on different platforms.
eDirectory
Novell eDirectory has been available since 1993, introduced as NDS as part of NetWare 4.x. This product was a real boon and was rapidly implemented in Novell networks, particularly in larger organizations that had many NetWare servers and desperately needed its capabilities. eDirectory is a reliable, robust directory service that has continued to evolve since its introduction. Version 8.8 is now available, and it incorporates the latest directory service features.
eDirectory uses a primary/backup approach to directory servers and also allows partitioning of the tree. In addition to running on Novell network operating systems, eDirectory is also available for Windows, Solaris, AIX, and Linux systems. The product’s compatibility with such a variety of systems makes it a good choice for managing all these platforms under a single directory structure.
You manage the eDirectory tree from a client computer logged in to the network with administrative privileges. You can use a graphical tool designed to manage the tree, such as Novell Identity Manager, or other tools that mimic the look and feel of the operating system on which they run and that are also available from Novell.
The eDirectory tree contains a number of different object types. The standard directory service types—countries, organizations, and organizational units—are included. The system also has objects to represent NetWare security groups, NetWare servers, and NetWare server volumes. eDirectory can manage more than a billion objects in a tree.
Windows NT Domains
The Windows NT domain model breaks an organization into chunks called domains, all of which are part of an organization. The domains are usually organized geographically, which helps minimize domain-to-domain communication requirements across WAN links, although you’re free to organize domains as you wish. Each domain is controlled by a primary domain controller (PDC), which might have one or more backup domain controllers (BDCs) to kick in if the PDC fails.
All changes within the domain are made to the PDC, which then replicates those changes to any BDCs. BDCs are read-only, except for valid updates received from the PDC. In case of a PDC failure, BDCs automatically continue authenticating users. To make administrative changes to a domain that suffers PDC failure, any of the BDCs can be promoted to PDC. Once the PDC is ready to come back online, the promoted BDC can be demoted back to BDC status.
Windows NT domains can be organized into one of four domain models:
• Single domain: In this model, only one domain contains all network resources.
• Master domain: The master model usually puts users at the top-level domain and then places network resources, such as shared folders or printers, in lower-level domains (called resource domains). In this model, the resource domains trust the master domain.
• Multiple master domain: This is a slight variation on the master domain model, in which users might exist in multiple master domains, all of which trust one another, and in which resources are located in resource domains, all of which trust all the master domains.
• Complete trust: This variation of the single-domain model spreads users and resources across all domains, which all trust each other.
You choose an appropriate domain model depending on the physical layout of the network, the number of users to be served, and other factors. (If you’re planning a domain model, you should review the white papers on Microsoft’s web site for details on planning large domains, because the process can be complex.)
Explicit trust relationships must be maintained between domains using the master or multiple master domain model and must be managed on each domain separately. Maintaining these relationships is one of the biggest difficulties in the Windows NT domain structure approach, at least for larger organizations. If you have 100 domains, you must manage the 99 possible trust relationships for each domain, for a total of 9,900 trust relationships. For smaller numbers of domains (for example, less than 10 domains), management of the trust relationships is less of a problem, although it can still cause difficulties.
Active Directory
Windows NT domains work relatively well for smaller networks, but they can become difficult to manage for larger networks. Moreover, the system is not nearly as comprehensive as, for example, eDirectory. Microsoft recognized this problem and developed a directory service called Active Directory, which is a comprehensive directory service that runs on Windows 2000 Server and later. Active Directory is fully compatible with LDAP (versions 2 and 3) and also with the Domain Name System (DNS) used on the Internet.
Active Directory uses a peer approach to domain controllers; all domain controllers are full participants at all times. As mentioned earlier in this chapter, this arrangement is called multimaster because there are many “master” domain controllers but no backup controllers.
Active Directory is built on a structure that allows “trees of trees,” which is called a forest. Each tree is its own domain and has its own domain controllers. Within a domain, separate organizational units are allowed to make administration easier and more logical.