More Alike than You Might Think

Windows 2000's developers seemingly based Active Directory (AD) on the Exchange Server 5.5 Directory Store's fundamental concepts. (Figure A shows AD's architecture, which contains many similarities to the Directory Store's architecture. Table A compares some AD and Directory Store elements.) AD makes important advances in several technological areas.

Replication. AD replicates object attributes rather than complete objects. Because replication seldom involves more than 5KB of data per object, replicating a complete user object isn't a problem in Exchange Server 5.5. Nevertheless, replicating changes to only the changed attribute or attributes, instead of copying unnecessary data (i.e., the unchanged attributes), is certainly more efficient; efficiency becomes more important as the number of attributes per object increases. AD is the single repository for information about all users in a Win2K environment, so user objects contain more attributes than they do in a simple messaging application such as Exchange Server 5.5.

As in Exchange Server 5.5 directory replication, AD replication compresses data of 50KB or more before sending it between sites. In Exchange Server 5.5, the trade-off between using CPU cycles to compress and decompress data and sending uncompressed data has proved worthwhile and will probably prove to be successful in Win2K as well.

AD also reduces replication by limiting the user-object attributes that it replicates between domains. Many attributes are pertinent only to a specific server or location. Mailbox quotas are a good example: When you give a user an expanded quota, the mailbox's server is the only server that needs this data. Why replicate the information to every server in the forest? AD replicates the data to only the mailbox's server. You can control the attributes that AD replicates to Global Catalog (GC) servers. And in AD, servers use attribute-based replication rather than complete-object replication and therefore exchange a minimal amount of data.
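The attribute-based replication the preceding paragraphs describe (per-attribute change tracking, plus filtering of what reaches a Global Catalog) can be modelled in a few dozen lines. The following is an added example, not code from the article, Windows 2000 or Exchange; the replica names, attribute names, values and version stamps are constructed sample data, and the conflict-resolution order (version, then timestamp, then originating replica) is AD's documented rule, not something the article states.

```python
"""Attribute-level replication with a Global Catalog partial attribute set.

Added example; not code from the article, Windows 2000 or Exchange. It models
what the text describes: each attribute carries its own version stamp, a
change ships only the attributes whose stamp moved, and a GC replica receives
only the attributes in its partial attribute set. Attribute names, values and
stamps are constructed sample data (the names merely resemble Exchange's).
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Stamp:
    version: int          # bumped on every originating write of this attribute
    timestamp: int        # originating write time (constructed, seconds)
    originating_dsa: str  # replica that made the write

    def wins_over(self, other: "Stamp") -> bool:
        # AD resolves conflicting writes by version, then timestamp, then DSA id.
        return (self.version, self.timestamp, self.originating_dsa) > (
            other.version, other.timestamp, other.originating_dsa)


@dataclass
class Replica:
    name: str
    attrs: Dict[str, Tuple[str, Stamp]] = field(default_factory=dict)
    # None means a full replica (domain controller); a set is a GC's partial attribute set.
    partial_attribute_set: Optional[FrozenSet[str]] = None

    def write(self, attr: str, value: str, when: int) -> None:
        # Originating write: version the attribute, not the whole object.
        old = self.attrs.get(attr)
        version = old[1].version + 1 if old else 1
        self.attrs[attr] = (value, Stamp(version, when, self.name))

    def changes_since(self, peer_stamps: Dict[str, Stamp],
                      wanted: Optional[FrozenSet[str]]) -> Dict[str, Tuple[str, Stamp]]:
        # Only attributes the peer wants and whose stamp it does not already hold go on the wire.
        return {a: (v, s) for a, (v, s) in self.attrs.items()
                if (wanted is None or a in wanted) and peer_stamps.get(a) != s}

    def apply(self, incoming: Dict[str, Tuple[str, Stamp]]) -> List[str]:
        applied = []
        for attr, (value, stamp) in incoming.items():
            if self.partial_attribute_set is not None and attr not in self.partial_attribute_set:
                continue  # GC: defensively drop anything outside the partial attribute set
            current = self.attrs.get(attr)
            if current is None or stamp.wins_over(current[1]):
                self.attrs[attr] = (value, stamp)
                applied.append(attr)
        return sorted(applied)


def replicate(source: Replica, dest: Replica) -> Tuple[List[str], List[str]]:
    """Ship source's changes to dest; return (attributes sent, attributes dest applied)."""
    peer_stamps = {a: s for a, (_, s) in dest.attrs.items()}
    delta = source.changes_since(peer_stamps, dest.partial_attribute_set)
    return sorted(delta), dest.apply(delta)


def demo() -> dict:
    dc1 = Replica("DC1")
    for attr, value in [("cn", "Ann Example"), ("mail", "ann@example.invalid"),
                        ("mDBStorageQuota", "50000"), ("homeMDB", "MailStore01")]:
        dc1.write(attr, value, when=100)
    dc2 = Replica("DC2")
    gc = Replica("GC1", partial_attribute_set=frozenset({"cn", "mail"}))
    replicate(dc1, dc2)
    replicate(dc1, gc)

    # Raise the mailbox quota: exactly one attribute should travel, and none to the GC.
    dc1.write("mDBStorageQuota", "100000", when=200)
    sent_dc2, applied_dc2 = replicate(dc1, dc2)
    sent_gc, applied_gc = replicate(dc1, gc)
    return {
        "sent_to_dc2": sent_dc2,       # ['mDBStorageQuota']
        "applied_by_dc2": applied_dc2,
        "sent_to_gc": sent_gc,         # []
        "applied_by_gc": applied_gc,   # []
        "gc_attrs": sorted(gc.attrs),  # ['cn', 'mail']
        "dc2_quota": dc2.attrs["mDBStorageQuota"][0],
    }
```

Run `demo()` to see the effect: the quota change reaches the other domain controller as a single attribute and never reaches the GC. The partial attribute set is doing two jobs here, cutting replication traffic and bounding which attributes are readable forest-wide from any GC, which is why changes to it deserve the same review as schema changes.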

Global Catalog. Exchange Server 5.5 provides one directory for each Exchange Server organization. AD's GC concept lets AD form one directory from many domain trees, each of which is comparable to an Exchange Server organization. However, because Exchange servers replicate configuration information about servers and routing throughout the forest, only one Exchange 2000 Server organization can function inside an AD forest. If you want to operate multiple organizations, you need to create multiple forests. Microsoft often produces utilities (e.g., Exchange Server 5.5's Move Server Wizard) after a product ships, in response to corporate requirements. I expect that over time, Microsoft—or third-party vendors—will offer a way to prune and graft AD forests, thus permitting easier splitting or joining of organizations.

Globally unique IDs. Globally unique IDs (GUIDs) replace distinguished names (DNs) as the key for objects in the directory. Because an object's GUID stays the same when its name or location changes, you can rename objects and move them around AD rather than delete and recreate newly named objects.

Extensible schema. Exchange Server 5.5 provides 15 customizable attributes but only reveals 10 of them (i.e., Custom Attribute 1 through 10) through the Microsoft Exchange Administrator UI (the other 5 are accessible only through code). You can change the default names of these attributes, but you can't customize them in any other way. In addition, attribute changes are valid only within a site, so an enterprise deployment must make the same set of changes on each site before a customized attribute can be truly useful. The AD schema is extensible: You can add new attributes for users and other objects. Exchange 2000 extends the default AD schema by adding attributes required for messaging (e.g., the name of the server where a user's mailbox is located). The schema is unique to a forest; a server called the schema master manages the schema, performing all changes and replicating them to other controllers in all the forest's domains.

DNS. DNS is the locator service for AD. DNS holds domain controller and GC service records that let servers and clients locate a controller for authentication or directory searches. (Exchange Server 5.5 doesn't use DNS for this purpose because each server has a Directory Store, so you don't need to recognize the difference between a domain controller and a GC.)
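The locator mechanism described above works through SRV records. The following added example (not code from the article or from Windows 2000) builds the two record names a client asks for, `_ldap._tcp.dc._msdcs.<domain>` for domain controllers and `_gc._tcp.<forest root>` for Global Catalog servers, and orders the answers the way RFC 2782 prescribes: lowest priority first, then a weighted random pick within a priority level. The zone contents are a constructed in-memory table, so nothing here queries a real resolver.

```python
"""Locating domain controllers and Global Catalogs through DNS SRV records.

Added example; not code from the article or from Windows 2000. AD registers
SRV records such as _ldap._tcp.dc._msdcs.<domain> (domain controllers) and
_gc._tcp.<forest root> (Global Catalog servers). The functions below build
those names and order the answers per RFC 2782: lowest priority first, then a
weighted random choice within one priority. CONSTRUCTED_ZONE is sample data.
"""
import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SrvRecord:
    priority: int  # lower is preferred
    weight: int    # relative share within one priority level
    port: int
    target: str


def dc_srv_name(domain: str) -> str:
    return f"_ldap._tcp.dc._msdcs.{domain}"


def gc_srv_name(forest_root: str) -> str:
    return f"_gc._tcp.{forest_root}"


def order_srv(records: List[SrvRecord], rng: random.Random) -> List[SrvRecord]:
    """Return records in the order a client should try them (RFC 2782 selection)."""
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        # Zero-weight entries sort first so the running sum only reaches them
        # when no weighted entry remains, matching the RFC's intent.
        group = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight)
        while group:
            total = sum(r.weight for r in group)
            chosen = group[0]
            if total > 0:
                n = rng.randrange(total)  # uniform in [0, total)
                running = 0
                for r in group:
                    running += r.weight
                    if n < running:
                        chosen = r
                        break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered


# Constructed zone: two DCs at priority 0 (one with weight 0), one fallback DC, one GC.
CONSTRUCTED_ZONE: Dict[str, List[SrvRecord]] = {
    dc_srv_name("corp.example"): [
        SrvRecord(0, 100, 389, "dc1.corp.example"),
        SrvRecord(0, 0, 389, "dc2.corp.example"),
        SrvRecord(10, 100, 389, "dc3.corp.example"),
    ],
    gc_srv_name("corp.example"): [
        SrvRecord(0, 100, 3268, "dc1.corp.example"),  # GC listens on 3268
    ],
}


def locate(zone: Dict[str, List[SrvRecord]], name: str, seed: int = 0) -> List[str]:
    """Resolve an SRV name from the zone and return 'host:port' strings in try order."""
    records = zone.get(name, [])
    return [f"{r.target}:{r.port}" for r in order_srv(records, random.Random(seed))]
```

`locate(CONSTRUCTED_ZONE, dc_srv_name("corp.example"))` yields dc1, then dc2, then dc3 for any seed, because dc2's zero weight keeps it behind dc1 and dc3's higher priority value keeps it last. The client authenticates to whichever hosts these records name, so who may register or update SRV records in the zone is part of the domain's trust boundary, not merely a DNS housekeeping detail.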

Lightweight Directory Access Protocol. LDAP is AD's primary access protocol. Exchange Server 5.5 and Exchange Server 5.0 support LDAP, but only as a secondary protocol that POP3, IMAP4, and browser clients use when they need to consult the AD store. Exchange 2000 servers use LDAP to retrieve configuration data from AD. Messaging API (MAPI) clients don't use LDAP; Exchange 2000 proxies MAPI clients' access to AD so that they can continue to use MAPI.
