ORLANDO, Fla. -- Plenty of IT managers lost more than a few nights' sleep over the complexities of Active Directory years back when Microsoft made the directory services a fundamental part of its Windows 2000 Server architecture.
Now widely in use, Active Directory is poised to become an even more crucial part of Microsoft's management vision for Windows Server as the software company sets its sights on a world where the boundaries of an enterprise are not defined by a firewall, but by security policies.
At TechEd 2005, Microsoft senior vice president Bob Muglia presented IT managers and developers with a vision for Windows Server that pulls together the features of .NET distributed applications, the Dynamic Systems Initiative (DSI) and intelligent storage.
The new server OS concept is a significant shift for IT executives, and there are a lot of pieces that have to fall into place to make it happen, he said.
Muglia listed these technologies as part of his Windows Server vision:
- Federated identity capabilities, such as those coming in Active Directory Federation Services (ADFS), which will be part of the Windows Server 2003 R2 release later this year
- Biometric identity technologies
- Internet Protocol version 6 (IPv6)
- Network Access Protection (NAP), a policy enforcement platform that will be part of Longhorn
- Malware protection
- Anywhere access
The plan places Microsoft's directory services front and center. "[Active Directory] is most important because without a common mechanism of security, user information and getting people logged on, you can't build anything else," Muglia said. "You need a way to get certificates distributed and you need a directory service to do that."
ADFS will let companies work together without creating duplicate sets of credentials -- "a huge security problem," he said.
In today's climate of frequent mergers, companies also find themselves in situations where someone in IT adds a credential for an employee of another company, and that employee may have already been terminated. In such a case, the status of that individual must be reflected immediately.
Streamlining branch-office control
One Windows Server improvement will come by making communication with branch offices more efficient, Muglia said. To this end, another key piece of Microsoft's vision in R2 is remote differential compression, an algorithm that only replicates changes over a wide area network (WAN). The feature was introduced this week. "AD will work more like a read-only cache in branch offices," he said.
Indigo, a technology in Microsoft's next major release of Windows, code-named Longhorn, will be used for writing distributed applications. Cached storage in clients will also be another feature of Longhorn, as will the ability to use smart cards to authenticate an identity, so a username and password are no longer required.
Active Directory wasn't originally envisioned with such broad capabilities. "When we built Active Directory, we just thought of the intranet," Muglia said. "We thought about one company and one identity.
"But now one of the key issues is how do we exchange identities and credentials across multiple companies and between consumers and the stores they go to?" he added.
Intranets, the Internet and Active Directory
The new road map for Windows Server takes into account the idea that enterprises build intranets and connect them in a way that does not necessarily map usage patterns. "Everyone pretends that their intranet is secure from the Internet because they have a firewall between the two," Muglia said.
"Those are necessary, but the world is evolving with devices," he added. "My smartphone has my e-mail, my calendar and all those layers of access. Is it on the Internet or on an intranet? I say both. The key is moving to a world where it's not managed physically but managed by policies."
Building a world of policies is one thing. Managing them is another. This is where the Dynamic Systems Initiative (DSI) and modeling enters the picture. Microsoft is moving toward a world where models describe best practices and customers can choose a model that meets their needs, more or less, "so companies don't have to invent this on their own," he said.
No 'painful' forklift upgrades for the next decade
Muglia said the transition to a policy-based world will not be disruptive to companies because it will occur over time, layering over their existing infrastructures. There will be no repeat of the forklift upgrade that occurred between Windows NT 4.0 and Windows 2000 Server.
"That was painful," he said. "I don't see another one of those in the next 10 years. The core Active Directory is their primary [directory service], so with that basis to build on, it's all just incremental," he said.