Following slow adoption of Active Directory after its release as part of Windows 2000 three years ago, Microsoft Corp. has been actively urging IT managers to deploy its directory services platform through aggressive pricing, detailed deployment road maps and increased support. And with Microsoft releasing a new capability in AD that will enable organizations to run AD as a non-operating system service (meaning it does not require deployment on a domain controller) immediately following the release of its .Net Server 2003, enterprises that were on the fence about deployments may finally find a reason to make the leap.
Although only 36.4 percent of polled corporations deploying AD have enabled all their servers to use and participate in the AD environment, an additional 41 percent are expected to do so within 12 months, according to International Data Corp., of Framingham, Mass. (see chart).
However, according to a separate IDC poll, only 8 percent of IT managers said they were deploying AD because of its role in Microsofts .Net strategy (see chart). These enterprise users were more interested in ADs ability to lower client management expenses.
Microsoft will try to change that mind-set with the release of AD/AM (Active Directory in Application Mode), a key ingredient in the companys efforts to push its directory services platform into the extranet and e-business spaces.
While AD is used for domain administration and is therefore tied to the Windows network operating system, AD/AM runs as a non-operating system service and does not require deployment on a domain controller.
As with pure LDAP directories, administration of a specific AD/AM directory is separate from domain administration. Running as a non- operating system service means an organization can run multiple instances of AD/AM concurrently on a single server, with each instance being independently configurable. For example, a company that wants to store application data that requires high-replication traffic data could use AD/AM rather than AD to avoid straining network resources with high-replication traffic.
AD/AM will be made generally available shortly after the release of Microsofts Windows .Net Server, in the first half of next year, according to Microsoft officials.
Experts say AD/AM is a concession by Microsoft to the failures of the full-blown AD in some markets, particularly with extranets and other complex applications. Microsoft has also acknowledged the huge learning curve IT managers were faced with when AD was first released with Windows 2000.
“When we released Windows 2000 almost three years ago, we knew the adoption curve was going to take some time, particularly for larger companies,” said Michael Stephenson, lead product manager for Windows servers at Microsoft, in Redmond, Wash.
“One thing we found out through Active Directory is there are times when it becomes difficult for a customer to tie all their applications to a single directory,” Stephenson said. “Active Directory in Application Mode will enable customers to have a separate directory that will be closely coupled with Active Directory. Customers will now be able to deploy Active Directory in two modes: a standard mode and a stand-alone LDAP mode.”
Analysts said AD/AM will go a long way toward increasing the use and usefulness of AD. “If Microsoft gets the product out there, promotes it effectively, and provides the [right] kind of tools and documentation for the product, AD/AM will increase the use of Active Directory,” said Dan Blum, an analyst at The Burton Group Corp., in Midvale, Utah. “In particular, itll make Active Directory technology easier to deploy with applications that dont quite fit within the sort of obvious residence of the domain. AD/AM will make Active Directory more accessible.”
: The Bottom Line”>
Facing tight times, however, IT managers have their eyes on the bottom line. Realizing this, Microsoft has made pricing for AD increasingly attractive as a way to lure users of Novell Inc.s eDirectory and Sun Microsystems Inc.s Sun ONE (Open Net Environment) Directory Server (formerly iPlanets) onto AD.
“Right now, cost is a big factor for many organizations, and Microsoft has very attractive e-business directory pricing,” said Blum. “Active Directory is available for $2,000, while Sun and Novell start per-user pricing after you get past 200,000 entries.”
BlueCross BlueShield of South Carolina, which won eight awards when it released a Web portal with customer self-service applications in 1999, migrated from the iPlanet Directory Server to AD earlier this year because of the Microsoft products competitive pricing.
BlueCross BlueShield has almost 1 million customers in South Carolina. In addition, it allows people previously insured by the company to use the Web site to look up their health care information. As the organizations directory grew, so did potential future licensing costs for its iPlanet directory.
In February, Bry Curry, director of BlueCross BlueShield of South Carolinas .Net systems (which, Curry said, has nothing to do with the deployment of Microsofts .Net software), began looking at new options and decided to go with Windows 2000 and AD to cut anticipated future costs.
In May, with help from the DirectorySmart identity management system from OpenNetwork Technologies Inc., BlueCross BlueShield began the conversion. Work was completed by the end of June, and now BlueCross BlueShield of South Carolinas AD is accessed by the companys iPlanet Web servers whenever a user logs on to the Web site.
In addition to cost, compliance with LDAP 3.0 was a reason for moving to AD, said Curry, in Columbia. She added that AD/AMs ability to reside without being tied to the network operating system is compelling, but that Microsoft hasnt been persuasive. She is not looking into the use of Microsofts .Net server products at all right now.
Microsofts own licensing agreements may, in fact, stop some organizations from moving to .Net and AD/AM—at least for the time being.
At Edmunds.com Inc., in Santa Monica, Calif., Oscar Mejia, manager of network engineering, completed a deployment of AD (as Edmunds.coms NOS-based directory) and Microsofts Exchange 2000 in March.
The migration, which took about six weeks, was aided mainly by documentation from Microsoft and the use of NetIQ Corp.s Domain Migration Administrator, Mejia said. The company is using AD for its LAN and has plans to use the LDAP features in Exchange 2000 to authenticate users on its intranet. Since Edmunds. com uses user name and nonencrypted passwords to enable log-on to its intranet, the authentication process will be further secured with Secure Sockets Layer encryption.
Mejia said he has no plans to move to .Net Server 2003 or to use AD/AM any time soon because Edmunds.com recently paid licensing fees for Windows 2000 under Microsofts Software Assurance licensing plan. Edmunds. com is running .Net Server in a test environment but will continue to run Windows 2000 for two more years under its current licensing plan.
“We recently finished our migration to Active Directory and Exchange 2000 in March, and its not financially acceptable under our licensing terms to move to .Net Server,” Mejia said. “Id also like people to test the products first.”
So how fast should managers who waited on AD in the past move on to the platform once Windows .Net Server is released? Experts say the schedule should be determined by how aggressively an organization is moving forward with its deployment of .Net Server and other products that rely on AD, such as Exchange 2000 and other upcoming .Net offerings including Exchange 2003.
: Packers Tackle AD”>
AD deployment is picking up speed at some organizations that are moving ahead with deployments of Exchange 2000. Two years into the three-year renovation of 43-year-old Lambeau Field, including its technology infrastructure, IT managers for the National Football Leagues Green Bay Packers are planning a deployment of AD because of an upcoming move to the Exchange 2000 platform.
The Packers technology deployments are often based on the technology used by the NFLs corporate offices because the football teams systems need to be interoperable with those of the NFL. Last year, the NFL announced it would begin an implementation of AD in preparation for Microsofts .Net Framework. This meant that every team—including the Packers—had to decide whether it wanted to use the NFLs AD forests or build their own to replicate with the NFLs in the future.
Currently, the entire league runs on the Exchange 5.5 environment and has a global catalog in which every employee of the NFL and its 32 football teams can be cross-referenced in public folders. By deploying Exchange 2000 and AD, the NFL hopes to replicate a similar environment and features on a broader scope, said Wayne Wichlacz, director of IS for the Packers, in Green Bay, Wis.
Wichlacz, who is currently using Windows NT 4.0 domain controllers, said single sign-on and authentication are features he is considering as part of his AD deployment. While hed like to enable single sign-on for all network operating system applications, Wichlacz said he is unsure if hell incorporate the NFLs intranet into his single-sign-on plans.
“Ultimately, IT has to service our customers, and sometimes you do what you need to do to help your end users versus whats easier for us IT people to manage,” he said. “If single sign-on for intranet and network applications is important, then we will consider Active Directory to manage the authentication of both.”
Wichlacz conceded that deployment will not be easy but said that Microsoft has provided enough documentation and support to provide a fairly good idea of how his deployment will work.
The fact that AD has been available for three years now also means the technology is mature enough for organizations that are loath to be early adopters, experts say. Although Wichlacz will look at AD/AM as an option when it is released, he said he will wait until after he has finished deploying AD before deploying AD/AM-based directories.
“Well be moving to Active Directory because if you buy into the direction from Microsoft, you have to keep up with them,” Wichlacz said. “Its not realistic in the business world to migrate every time a new product is released, but the most you can be is one step behind.”
Senior Writer Anne Chen can be reached at [email protected]