In the early days of Active Directory and other Windows server products, Microsoft seemed to be betting the farm on the idea that enterprise networks would rely solely on Windows-based technologies for all aspects of their infrastructure. This quickly proved to be far from accurate, however, as it became clear that even moderate-sized networks often need to interoperate with non-Microsoft line-of-business applications and heterogeneous operating systems on both the server and client side. In order to be considered a viable option for an enterprise network, Active Directory needs to be able to integrate and interoperate with a multitude of technologies, both those that run on the Windows platform and those that rely on UNIX, Linux, or other third-party or Open Source operating systems.
Using Active Directory on a non-Windows platform
A common example of this need for interoperability is an organization that wants to deploy Active Directory, but is committed to an existing UNIX BIND DNS infrastructure. While much of the documentation that you'll find on Active Directory assumes that you're working in a pure Windows 2000 or 2003 DNS environment, most of the DNS features that you'll need to support Active Directory installations are available with all modern DNS implementations. As long as you're running a recent version of the BIND DNS software, it'll be a relatively simple matter to integrate your Linux DNS with 2000 or 2003 Active Directory.
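The DNS features Active Directory depends on are SRV resource records (RFC 2782) and dynamic update (RFC 2136). The following constructed BIND 9 fragments, added here as an illustration and not taken from the article, show both, along with the one setting that most often goes wrong from a security standpoint: an `allow-update` that lets any host on the network rewrite the records clients use to find their domain controllers. The zone name, IP addresses, and host names are assumptions.

```conf
// ---- named.conf fragment (constructed example) ----
// Assumed: zone corp.example.com, domain controllers at 192.0.2.10 / 192.0.2.11.

// Weak setting: any host can overwrite the SRV/A records that point clients
// at domain controllers, so a rogue host can redirect logon traffic.
// zone "corp.example.com" {
//     type master;
//     file "corp.example.com.zone";
//     allow-update { any; };
// };

// Corrected: only the domain controllers may register their own records.
acl "domain-controllers" { 192.0.2.10; 192.0.2.11; };

zone "corp.example.com" {
    type master;
    file "corp.example.com.zone";
    allow-update { domain-controllers; };
};

// ---- corp.example.com.zone excerpt (constructed example) ----
// These are the records a domain controller normally registers for itself
// by dynamic update; they are written out here so the expected shape is visible.
// $ORIGIN corp.example.com.
// $TTL 3600
// @    IN SOA ns1.corp.example.com. hostmaster.corp.example.com. (
//                 2005010101 3600 900 604800 86400 )
//      IN NS  ns1.corp.example.com.
// ns1  IN A   192.0.2.53
// dc1  IN A   192.0.2.10
// dc2  IN A   192.0.2.11
// ; DC locator records: _service._protocol, priority weight port target
// _ldap._tcp.dc._msdcs      IN SRV 0 100 389  dc1.corp.example.com.
// _ldap._tcp.dc._msdcs      IN SRV 0 100 389  dc2.corp.example.com.
// _kerberos._tcp.dc._msdcs  IN SRV 0 100 88   dc1.corp.example.com.
// _kerberos._tcp.dc._msdcs  IN SRV 0 100 88   dc2.corp.example.com.
// _ldap._tcp                IN SRV 0 100 389  dc1.corp.example.com.
// _kerberos._tcp            IN SRV 0 100 88   dc1.corp.example.com.
// _gc._tcp                  IN SRV 0 100 3268 dc1.corp.example.com.

// Check from any host that the locator records resolve:
//   dig @192.0.2.53 _ldap._tcp.dc._msdcs.corp.example.com SRV +short
// Check that an unlisted host is refused when it tries to update:
//   nsupdate (server 192.0.2.53; update add test.corp.example.com 300 A 192.0.2.99; send)
//   should return REFUSED.
```

After a domain controller has registered itself, the same `dig` query should return the SRV records it added, and the `nsupdate` attempt from a non-DC address should be refused.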
Windows Services for Unix
Another component of Windows that improves its interoperability is Windows Services for Unix (SFU), which is freely downloadable from the Microsoft website. (An expanded version of this is built into the upcoming "R2" release of Windows Server 2003.) You can use SFU to allow your Windows clients to access resources on UNIX servers or your UNIX clients to access Windows-based resources, both without needing to install additional software on your UNIX hosts. SFU also allows you to map UNIX usernames to Windows SIDs and vice versa, allowing your users to come closer to the elusive "single sign-on" experience.
Connecting two separate services
You even have the ability to synchronize two completely separate directory services so that user information can be updated seamlessly in multiple locations, whether you're talking about multiple Active Directory forests or synchronizing AD with a third-party application or service, including SAP, PeopleSoft, and Lotus Domino. The Microsoft Identity Integration Server (MIIS) allows you to create connection agreements between many different data stores so that user information and passwords can be maintained across the enterprise. MIIS currently comes in two versions. The Identity Integration Feature Pack (IIFP) is a free download, but it can only synchronize information among Active Directory itself, Active Directory Application Mode (ADAM), and Microsoft Exchange 2000 and 2003. If you need to integrate with other data sources, including Exchange 5.5, you'll need the full-blown paid version of MIIS, which allows for synchronization with a much wider range of data sources.
Laura E. Hunter (CISSP, MCSE: Security, MCDBA, Microsoft MVP) is a senior IT specialist with the University of Pennsylvania, where she provides network planning, implementation, and troubleshooting services for business units and schools within the university. Hunter is a two-time recipient of the prestigious Microsoft "Most Valued Professional" award in the area of Windows Server-Networking. She is the author of the Active Directory Field Guide (APress Publishing). You can contact her at firstname.lastname@example.org.