Microsoft has big plans for Active Directory, which may reap some real benefits for IT managers if the software vendor can really pull it all together.
Active Directory provides the means to manage the identities that make up a network, which is why it is such an integral part of the Windows architecture. At the RSA Conference 2006 in San Jose this week, the software company said that, starting with Longhorn Server in 2007, it will begin a process of unifying its directory services. Those services include rights management, certificate services and the metadirectory that exists in the Internet Information Services feature pack.
Microsoft currently has three policy models, but by the time Longhorn R2 makes its appearance in 2009, Microsoft expects to have a unified policy model.
The process of connecting Microsoft's identity management components has pros and cons, said Dan Blum, senior vice president at the Burton Group, a Midvale, Utah, consulting firm.
Two sides to every Microsoft story
"Imagine you can administer your directory and put attributes, roles and topologies in the directory, and from that you can federate users in other domains," Blum said.
The disadvantages? Windows security and management are not modular. In fact, it is a monolithic architecture. The only way to make all of this work is to do a major new release of both the server and the client.
"Customers will have to wait a while for the vision to be realized," Blum said. "Then you have to do a full upgrade, whatever that means."
Some managers agree that there could be some real benefits from a unified management standpoint.
"We use Active Directory and ADAM [Active Directory Application Mode] and they are isolated components," said Jeff Earl, a manager of computer infrastructure services support at JetBlue Airways Corp. in New York. "Using AD to bring them into the mainstream will be helpful."
For other users, Microsoft's decision is a logical step: they simply want from their directory what other directory vendors already offer.
"I don't know why you wouldn't have all of your ID management in one directory," said Paul Edwards, senior systems engineer at PHH Arval, a commercial fleet management company based in Sparks, Md. "Everything Novell does, ID management-wise, gets rolled up into [Novell Inc.'s] eDirectory."
eDirectory does have federation services and ZENworks management today. But Blum said he thinks the directory does not have a good certificate service or rights management service. Other directory vendors are not known to integrate their products quite as tightly as Microsoft may be capable of doing, he said.
At Microsoft, though, the plan is to deepen the integration of the various identity platforms. The company promises there will be no nightmarish shades of the Windows 2000 Server rip-and-replace scenarios.
"If a customer has an Active Directory domain today and wants to take advantage of Longhorn and rights management, they don't have to redeploy the whole domain architecture," said Michael Stephenson, director for identity and access at Microsoft.
Microsoft has been working up bigger plans for Active Directory for some time. Last year at TechEd 2005, Bob Muglia, senior vice president of Microsoft's server and tools business, observed that Active Directory wasn't built with a broad vision. It was merely a design that would work for a company with one identity.
Microsoft gets active on Active Directory
The fact that companies must exchange identities and credentials across multiple enterprises and consumers means that Active Directory must be reworked to meet those growing needs.
Microsoft hasn't moved very quickly to make improvements to Active Directory. Most likely that's because it's not a revenue-bearing product. Experts would like to see Microsoft pick up the pace.
"A lot has happened in terms of where the technology has gone," said Mike Neuenschwander, vice president and research director at Burton Group. "The company takes a wait-and-see approach and then joins in. But this is good news for customers because they will see better integration and support, as well as clarity to some of the disconnected pieces."
As part of the roadmap, Microsoft has renamed several of the capabilities within Active Directory:
* Active Directory Domain Services replaces Active Directory Domain Controller
* Active Directory Lightweight Directory Services replaces Active Directory Application Mode
* Active Directory Rights Management Services was formerly Windows Rights Management Services
* Active Directory Certificate Services was formerly Windows Certificate Services
* Active Directory Metadirectory Services was formerly the Identity Integration Feature Pack