Why Active Directory?

Every day we experience the power of directory services. Even though it is not directly visible to the end user, a lot of applications run on a directory service platform. We can't think of a network without Active Directory; its influence is that big. But the question here is a little different: why can't we use other technologies or alternatives instead of Active Directory? Why do we still use Active Directory? Have you ever thought of that? Have you ever thought of an alternative for AD?

I had thought of this many times when I was working in the critical role of an Active Directory enterprise admin at Asia's largest software and IT company. I am very keen to find open source alternatives for licensed software. A simple Google search for alternatives returned a dozen of them, including:

  • Novell eDirectory
  • Red Hat/Fedora Directory Server
  • Open Directory
  • Apache Directory
  • Oracle Internet Directory
  • IBM Tivoli Directory Server
  • CP Directory Server
  • OpenLDAP

But none of these can actually 'replace' Active Directory. It is a trivial task to pick the best LDAP directory service from the above list if you only require basic functionality like centralized authentication. With all my experience I can easily pick the better alternative from this list, and that is definitely Novell eDirectory. eDirectory and Active Directory are the leading directory services. Novell has been in the directory service market since the early 90s, and eDirectory is currently in its 8th generation. Active Directory has also been around since the 90s, but it has been in top form since the release of Windows 2000 Server.

You would consider scalability, compatibility, reliability, manageability and security to rate a directory service. I installed and compared eDirectory and Active Directory based on these categories.

Microsoft itself states a limit on the number of objects in Active Directory. Novell had tested their directory with more than a billion objects back in the last century. If the number of objects is really massive, there is no need to think: it's eDirectory.

eDirectory's multi-master operation makes it really scalable and reliable. Multi-master replication exists in Active Directory too, but the FSMO roles make it weaker. When a critical role like the PDC emulator is down, administrator effort is required to seize or transfer the unavailable role; otherwise the functioning of the directory will be in trouble. In Active Directory we cannot have multiple servers holding the same FSMO role. In eDirectory there is no FSMO single-master concept, which eliminates the criticality of a role-holder server.
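The administrator effort described above, as an added example that is not part of the original post: a PowerShell script that lists the five FSMO role holders, checks whether each one still answers on the LDAP port, and prepares the transfer (or seize, when the holder is gone for good) of any role whose holder is unreachable. It assumes the RSAT ActiveDirectory module is installed and that the account running it may read the forest and domain objects; the candidate target DC is chosen by a simple assumption (first live writable DC found), and the move is run with -WhatIf so nothing changes until an admin removes that switch on purpose.

```powershell
# Added example (not part of the original post): inventory the FSMO role
# holders and flag the ones that would need a transfer or seize.
# Assumptions: RSAT ActiveDirectory module present, NetTCPIP module for
# Test-NetConnection, rights to read forest/domain objects. Domain and DC
# names are discovered at run time, not hard-coded.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles are attributes of the forest object, domain roles of the domain object.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

$report = foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    # A holder that does not answer LDAP on TCP 389 is the situation the post
    # describes: the role stays unavailable until it is moved to a live DC.
    $reachable = Test-NetConnection -ComputerName $holder -Port 389 `
                     -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{
        Role      = $role
        Holder    = $holder
        Reachable = $reachable
    }
}

$report | Format-Table -AutoSize

$unavailable = $report | Where-Object { -not $_.Reachable }
if ($unavailable) {
    # Assumption: any live writable DC that is not itself an unreachable holder
    # is an acceptable new role holder.
    $target = Get-ADDomainController -Filter { IsReadOnly -eq $false } |
              Where-Object { $_.HostName -notin $unavailable.Holder } |
              Select-Object -First 1

    Write-Host "Roles on unreachable holders: $($unavailable.Role -join ', ')"
    Write-Host "Candidate new holder: $($target.HostName)"

    # A plain transfer needs the current holder online; -Force seizes the role
    # when the holder is permanently gone. -WhatIf keeps this a dry run.
    Move-ADDirectoryServerOperationMasterRole -Identity $target `
        -OperationMasterRole $unavailable.Role -Force -WhatIf
}
```

The point of keeping the move behind -WhatIf is that a seized role must never be handed back to the old holder if it later comes online; deciding that is an operational call, so the script only reports and rehearses, and the admin performs the actual move deliberately.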

eDirectory uses a hierarchical database while Active Directory uses a flat database; therefore no two entities can have the same name in Active Directory, but it is possible in eDirectory. Searching is faster and more reliable in eDirectory than in Active Directory because of eDirectory's hierarchical architecture.

For most Active Directory database operations we need to take the server offline and bring it into DSRM to perform the recovery operations. In eDirectory we can do most database operations without bringing the server down.

If you want to restore an Active Directory server for any reason, you can only restore it to the last available backup, and that may be last week's or last night's, depending on your backup configuration. The eDirectory hot continuous backup feature lets you restore the directory to the last moment before the failure.

eDirectory has some more advantages like dynamic inheritance, customizable objects and security principals. In Active Directory you cannot have a security principal other than a user, a computer or a group. But in eDirectory, a container is also considered a security principal.

The dynamic inheritance in eDirectory makes large-scale rights assignments easier. When you assign a setting to a container holding a million objects there is a chance of a crash in Active Directory, as it will write the changes down to the ACLs of the individual objects.

Because of dynamic inheritance, the hierarchical design and so on, the eDirectory database will be really small when you compare it with an Active Directory database holding the same number of objects.

Oh, I missed the point about interoperability and compatibility: you can host eDirectory on a variety of operating systems like Windows, Linux and Unix. You can have multiple client operating systems as well.

When we check authentication, eDirectory supports multiple authentication methods. We can also configure multiple authentication levels according to the security requirements.

If you do a micro comparison you can find more and more points to add, but most of them will be in favor of Novell eDirectory. Novell calls eDirectory the high-end directory service, and that is true. From the above points we can note that eDirectory is far better than Active Directory when you consider the following:

  • Scalability: suitable for a huge number of objects and large organizations
  • Compatibility: multi-protocol, multi-platform
  • Reliability: multi-master, self-repairing directory service; live maintenance tools available
  • Manageability: web-based multi-platform management and monitoring tools available
  • Security: multiple authentication levels, multiple platforms and advanced security principals.

Now what do you think? Which one is better? The question is still unanswered: why are we still using Active Directory?

It's only because of the wide usage of Windows in the corporate world. More than 90% of the operating system market share belongs to Windows. I would personally prefer to work with Active Directory rather than eDirectory because of the friendly environment. Most of us have Windows servers in our office, and there is no extra cost to purchase Windows AD if you already have a Windows Server license. Then why would you need to purchase another directory service for some extra rupees?

But if your requirement is really a serious and huge one, you need to think twice.