Where NT 5.0 is headed
Last month, Windows NT Magazine gave you a quick overview of
what Microsoft talked about at its November Professional Developer's Conference
in Long Beach, California. We've now had time to assimilate more of what
Microsoft showed.
Microsoft delivered several big messages at Long Beach. First, Windows
NT 5.0 isn't Cairo. Second, the Internet continues to be the basis of
Microsoft's plan for the future. Third, NT 5.0 will be almost completely
different from 4.0, mainly because of a change in the user interface and an
X.500-like directory service, Active Directory. Fourth, the Internet is
important, really important. Fifth, setting up and maintaining NT on
user machines will be easier. And did I mention the Internet?
Cairo: It's Not a Release--It's a State of Mind
Once upon a time, Cairo was the code name for a version of NT. That version
was to be a major milestone in NT development. Now the name is a sort of
software gestalt, a kind of catch-all phrase.
Think of NT's evolution this way: If you're running a small- to
medium-sized network, NT 4.0 is an excellent answer. The domain structure works
well for a few dozen servers and up to several thousand users, depending on whom
you talk to. NT 4.0's Windows interface means that you can get a network
administrator up to speed in fairly short order. But building a large multidomain
network means hand-managing a web of trust relationships, and building a network
whose directory structure includes user-defined attributes (more on this later)
is impossible on NT 4.0.
So, take today's NT. Keep all the things we like--the security, the
stability--and add the tools to create and maintain a globe-spanning network.
The result is Cairo. Some of what Microsoft calls Cairo is already
shipping in the form of NT 4.0's user interface and the Distributed Component
Object Model (DCOM). In fact, you can say that we've already got the "C,"
and still await the "airo." NT 5.0 will be mainly "air,"
with the "o" still to come. (For more information on DCOM, see Keith
Pleas, "DCOM in NT 5.0.")
NT 5.0 Features
NT 5.0 will, according to Microsoft's claims in Long Beach, contain concepts
old and awaited, and new and revolutionary. In roughly decreasing order of
importance, NT 5.0 will probably contain Active Directory; Active Server, a plan
for extending the power of NT-based Web servers; a new Page and Link metaphor
for much of the user interface; Distributed File System (Dfs); Plug and Play;
and Microsoft Management Console. (For more on NT's new management interface,
see Keith Pleas and Dean Porter, "Microsoft Management Console," page
78.) Additionally, BackOffice will grow with the addition of Microsoft Proxy
Server (formerly called Internet Access Server, code-named Catapult) and
Microsoft Transaction Server, previously known as Viper.
This list looks like a lot of new stuff, and it is. Most developers at the
conference walked around with looks on their faces that could be described as a
cross between excitement and bewilderment with a little hope thrown in.
Active Directory
NT 4.0 is better for small- to medium-sized networks than for large networks,
for two reasons. The trust relationship problem is the first reason. NT security
and network administration are based on organizational units called domains.
Domains act as authentication areas: groups of machines that all agree
to accept logon information from the same source, a computer called a Primary
Domain Controller (PDC). (The PDC will disappear from 5.0.)
Domains are a convenient way to centrally manage a network of many servers.
But you can't always build your company's network as one big domain, so you must
create multiple domains. The problem with multidomain networks is getting those
domains to talk to each other; you must first set up a trust relationship.
Trust relationships in NT 4.0 are one-way and aren't transitive: if A trusts B,
and B trusts C, A does not trust C unless you create an explicit trust between A
and C. As a result, you can't create hierarchies of domains. For example, if you
have 15 domains in your organization and want each to trust every other, you
have to create 15 * 14, or 210, separate one-way trust relationships.
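To make the difference concrete, here is an added example (not from the original article) that models trusts as directed edges, where (A, B) means "A trusts B", so B's accounts can log on to A's resources. With NT 4.0-style non-transitive trusts only a direct edge counts; with the transitive trusts the article promises for NT 5.0, any trust path counts. The domain names are made up for the illustration.

```python
"""Added example: non-transitive (NT 4.0) vs. transitive (NT 5.0) trusts.

A trust edge (trusting, trusted) means the trusting domain accepts logons
from accounts held in the trusted domain.  Domain names are hypothetical.
"""
from itertools import permutations


def can_logon(trusts, resource_domain, account_domain, transitive):
    """Can an account from account_domain be authenticated by resource_domain?

    Non-transitive: only a direct trust edge counts.
    Transitive: breadth-first search along trust edges, following the
    direction of trust (from the trusting domain to the domain it trusts).
    """
    if resource_domain == account_domain:
        return True                      # same domain: no trust needed
    if not transitive:
        return (resource_domain, account_domain) in trusts
    seen = {resource_domain}
    frontier = [resource_domain]
    while frontier:
        nxt = []
        for d in frontier:
            for trusting, trusted in trusts:
                if trusting == d and trusted not in seen:
                    if trusted == account_domain:
                        return True
                    seen.add(trusted)
                    nxt.append(trusted)
        frontier = nxt
    return False


def full_mesh(domains):
    """Every one-way trust an NT 4.0 admin must create so that each domain
    trusts every other: n * (n - 1) edges for n domains."""
    return set(permutations(domains, 2))


if __name__ == "__main__":
    chain = {("A", "B"), ("B", "C")}    # A trusts B, B trusts C
    print("NT 4.0, A accepts C's users:", can_logon(chain, "A", "C", False))
    print("NT 5.0, A accepts C's users:", can_logon(chain, "A", "C", True))
    print("Trusts for 15-domain mesh:", len(full_mesh(["D%d" % i for i in range(15)])))
```

Note that even with transitive trusts the direction still matters: in the chain above C trusts nobody, so A's users still cannot log on to C's resources.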
The second reason is the way that NT stores information about people. NT
keeps a database of information about users. This Security Accounts Manager
(SAM) database records your identity, your password, and the user groups you
belong to. But you can't extend the SAM to contain information about how you
like your mail delivered.
Microsoft's answer to both problems is Active Directory. Based on the CCITT
X.500 directory standard and the Lightweight Directory Access Protocol (LDAP),
Active Directory is a massively extensible database of information on, well, just
about anything. It can maintain information about servers on the network,
security relationships in the network, and most important, the users in the network.
My name in an Active Directory setting might be something like CN=Mark
Minasi,OU=management,O=TTI,C=US. You read this right to left: I'm in the country
(C=) United States, my organization (O=) is TTI, the department or
organizational unit (OU=) in TTI is management, and my common name (CN=) is Mark
Minasi. Get used to seeing such names; they're central to NT 5.0 naming. The
hierarchy includes the country name because, believe it or not, some folks
working on X.500 and LDAP want to use these directory structures as the basis
for a worldwide directory structure.
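The right-to-left reading is easy to get wrong by hand once values contain commas or the tree gets deep. Here is an added example, not from the original article, that parses a distinguished name in the LDAP string form (RFC 2253, where a backslash escapes a comma inside a value), lists the containers from the root down, and answers the question an administrator actually asks of such a name: does this object sit inside a given container? The DNs used are the one quoted above plus made-up ones.

```python
"""Added example: parse X.500/LDAP-style distinguished names and walk them
from the root (C=) down to the leaf (CN=).  Follows the RFC 2253 string
form; the sample DNs other than the article's are hypothetical."""


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, leaf first.

    A backslash escapes the next character, so 'O=Acme\\, Inc.' stays one
    component.  Raises ValueError on a dangling escape or a bare attribute
    with no '=' value.
    """
    rdns, attr, buf, escaped, in_value = [], None, [], False, False
    for ch in dn:
        if escaped:                       # literal character after backslash
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and not in_value:  # end of attribute type
            attr = "".join(buf).strip().upper()
            buf, in_value = [], True
        elif ch == "," and in_value:      # unescaped comma ends the RDN
            rdns.append((attr, "".join(buf).strip()))
            buf, in_value = [], False
        else:
            buf.append(ch)
    if escaped or not in_value:
        raise ValueError("malformed DN: %r" % dn)
    rdns.append((attr, "".join(buf).strip()))
    return rdns


def hierarchy(dn):
    """The DN read right to left: containers from the root down to the object."""
    return list(reversed(parse_dn(dn)))


def parent_dn(dn):
    """DN of the container holding the object (the leaf RDN dropped),
    re-escaping any commas inside values."""
    return ",".join("%s=%s" % (a, v.replace(",", "\\,"))
                    for a, v in parse_dn(dn)[1:])


def is_within(dn, container):
    """True if dn is the container itself or lies somewhere beneath it.
    Values are compared exactly; case folding is left to the caller."""
    obj, cont = parse_dn(dn), parse_dn(container)
    return len(obj) >= len(cont) and obj[len(obj) - len(cont):] == cont


if __name__ == "__main__":
    me = "CN=Mark Minasi,OU=management,O=TTI,C=US"   # the article's example
    for attr, value in hierarchy(me):
        print("%s = %s" % (attr, value))
    print("parent:", parent_dn(me))
    print("under O=TTI,C=US?", is_within(me, "O=TTI,C=US"))
```

The `is_within` check is the building block for scoping administration to an organizational unit: an administrator delegated OU=management,O=TTI,C=US should be allowed to touch only objects for which that check returns True.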
Active Directory names will benefit NT in several ways. First, they'll
reduce NT's current dependence on 15-character NetBIOS server names. For
example, Active Directory is a major ingredient in another NT 5.0 tool, Dfs. Dfs
with Active Directory can support more flexible Universal Naming Convention
(UNC) names. Today, you must address a share named data on a server
called S1 as \\s1\data--the name of the machine is part of the UNC. If you
rename the machine, or move the share to another, perhaps larger machine (call
it S2), you have to find everyone who uses \\s1\data and tell them to change the
UNC to \\s2\data. But with Active Directory, you can identify a share by the
domain in which it lives. For example, if S1 and S2 are both part of a domain
named servfarm, you can use Dfs and Active Directory to call the share
\\servfarm\data. Then you can place the data share on any server in the servfarm
domain without changing the UNC by which a user accesses the share. (For more
information on the potential for this technology, see Sean Deuby and Tim
Daniels, "Dfs--A Logical View of Physical Resources," December 1996.)
You can have organizational units (OUs) inside organizational units, so you
can build the kind of hierarchy of business units that you couldn't build with
domains. Under NT 5.0, domains still exist, but trust relationships can be
transitive, making hierarchies of domains possible. And the directory schema is
extensible. In addition to the usual name, full name, description,
and similar user information, you can add data fields such as shoe size or "in
case of emergency call."