Directory Assistance, Please!

At first, it doesn't seem like such a big deal. Companies everywhere are talking about the sort of naming service their network operating system (NOS) supports. But to listen to all the hype, it's not at all clear what's going on. After all, Microsoft points out, Windows NT Server has domain name service, which certainly seems to be a way of keeping users and servers in synch across the network.

Meanwhile, Novell is touting its directory service, called NDS (for NetWare Directory Service) as a notch above the rest. Banyan Systems, vendor of enterprise networking systems, is also talking about a directory service, but theirs is called StreetTalk. IBM, the other big NOS vendor, seems to be avoiding the subject altogether.

Confused? Don't feel bad. The companies involved aren't doing a lot to make things clear, but maybe I can help. Basically, there are three important facts that you need to know about network directory services.

First, a directory service (versus a directory naming service) is defined by international standards, in this case the CCITT X.500 standard. It provides information that, in turn, grants access to users, network servers, and other network resources. The directory information is available to the operating system as well as to users who want to query the service, to applications that need user and resource access information, such as network addresses, and to other resources.

Second, there are a number of providers of directory services in addition to Novell and Banyan, although those two vendors are most common in the LAN business. In fact, directory services can exist on any type of network, including WANs, where they are also used.

Third, the domain naming service used by NT Server isn't a directory service. Right now, in fact, Microsoft doesn't have a directory service for Windows NT, so users must make do with the domain naming service. Eventually, that situation should change, since Microsoft has already announced plans to support NDS.

What Is a Directory Service?
Just because the X.500 directory standard exists doesn't mean that every NOS follows it in the same way. Banyan, for example, claims to be X.500-compliant, while Novell says that NDS is "modeled" on X.500 but has a number of extensions so it's not "compliant." However, both Banyan and Novell say that their naming models meet the requirements of X.500.

To be considered a true directory service, a product must keep its directory information in a distributed hierarchical database that supports decentralized control but allows global access in a single global name space. In other words, the entire enterprise, regardless of the number of networks and servers, exists as a single entity. A true directory service must allow a wide variety of directory objects, including users and servers, and also contain other devices, such as printers, gateways, and communications devices. These objects should be extensible; that is, you should be able to add new objects as needed.

The most debated area is whether a directory service should be standards-based, which, to most network designers, means X.500. In this respect, Banyan is probably the purest of the LAN directory services, although Novell would probably argue that NDS is standards-based as well. The reason that the Microsoft domain service isn't really a directory service is because it fails a couple of the tests. Although the current versions of the domain system, with its trust relationships between domains, enable many of the features of a directory service, in a large enterprise such relationships would become unwieldy.

To further complicate matters, until Microsoft Exchange is released, there isn't much support for applications that need to access a global directory service. Products such as email systems need to maintain their own directories; they don't have any practical way to access a global directory, since there isn't one.

Change Is in the Air
Novell and Banyan, meanwhile, already support NT, although the nature of that support can vary. In June, Novell announced that it was shipping a new version of its NT client software which supports both Windows NT Workstation and NT Server, although it doesn't support server-based directory services for NT yet, just the client services. About the same time, Banyan Systems announced Vines 6.0, which includes an NT client; that client supports the Vines StreetTalk directory service.

These directory services have a number of common characteristics. Both support a single log-in to their networks. Users log onto the network, and their log-in information is authenticated by a distributed directory service. The service then authenticates the users to any resources to which they have access rights.

This single log-in capability also extends to location independence. Users can log on to any server on the enterprise network and have the same access and presence that they would if they logged on through the computer on their desk. Although a domain name service can achieve much the same result by establishing links between a user's home server and others on the network, these links must be established manually and they add to the management complexity of the network.

For a smaller network, the difference between a directory naming service, such as the one that comes with NT Server, and a directory service, such as NDS or StreetTalk, is not a major issue. Although the two are quite different in concept, when there are only a few servers and resources on the network, the job of managing it isn't all that complex, and the differences won't be obvious to most users or administrators.

The differences become obvious when enterprise networks reach a greater complexity and the management of diverse resources and many users becomes a bigger job. Then, the ability to work with a single service and have it propagate changes throughout the network becomes important. With a directory service, for example, you can authenticate users for access to a mainframe gateway, change email account information, establish new permission levels, and change permitted logon locations, all within the directory service. In addition, when new services are added to the network, such as a workgroup product or a network resource, it can pick up the user and resource information that is already present.