Centralized management requires a service that stores information about the network and provides a coherent interface for recording user and resource information across the enterprise. To be usable, such a service must use standard Internet protocols, integrate with the other services the server network provides, and be resilient to failures.
Relying on a single server for authentication and directory information creates a single point of failure: if that server is unavailable, nobody can log on and no directory information can be read.
Windows 2000 uses Active Directory. This supersedes the old Windows NT domain system and provides a central resource for all the information about the network, from individual machines and the services they provide to user and group authentication. In place of the Windows NT 4 domain model, Active Directory uses the Internet Domain Name System (DNS) namespace as its partitioning scheme: each domain in the directory is named by a DNS domain name.
By using standard Internet domain names to identify objects within the directory, Active Directory can serve internal, external, and public resources from the same database. For querying and updating the directory, Active Directory supports the Internet-standard Lightweight Directory Access Protocol (LDAP). LDAP is an access protocol, not a storage format: Active Directory keeps its data in its own database and exposes it over LDAP, and is therefore not subject to the referral limitations of traditional LDAP server implementations.
The Active Directory system supports the authentication of users across the entire network. Windows 2000 uses a single directory for the entire network; multiple domains are supported within the single directory. The domains become logical, rather than physical boundaries between machines. Each user is provided with access to the resources within each domain and, therefore, only needs to log in to the network once. There is no need to connect to multiple individual domains.
All domain controllers within a Windows 2000 network are peers of each other, and replication of the directory, including authorization information, is automatic in both directions (multi-master) across the entire set of domain controllers. Every domain controller therefore knows the authority granted to each user, and any of them can modify that information and have the change replicated across the network.
Active Directory is also used and made available to other applications including the Web services supported by IIS, Microsoft Exchange and Microsoft SQL Server. The same authentication information is shared by all applications and also controls access to the files and folders on each server. There is no need for a separate authorization scheme under Windows 2000.
Solaris 8 provides centralized account management through the traditional Network Information Service (NIS) and its successor, NIS+. A central master server propagates its maps to replica servers within the network at set intervals, so the account information used to authenticate a user to a local machine comes from a central source, although clients cache it for speed. The main disadvantage for users is that this is not single sign-on: a user must authenticate to each server separately, even when every server consults the same NIS/NIS+ maps.
For more extensive integration under Solaris 8, you can also use the Sun Directory Service (SDS), which builds on the LDAP standard to provide a centralized directory for user login and contact information. The SDS system supports authentication both at the user login level and also through integration with the Solaris Internet Mail Server and the iPlanet suite for e-mail, Web service, and group collaboration projects.
However, SDS is not an integrated solution to the problem. Users must still log in to each server individually even though the servers share the same LDAP database for authentication. Furthermore, because the Sun Directory Service uses LDAP as its storage mechanism, integration across multiple directories is complex: each LDAP server must forward requests it cannot handle to a pre-configured alternative server, and there is no automatic referral to another directory.
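The DNS-name partitioning described for Active Directory above and the referral handling just discussed for SDS, as an added example that is not part of the original paper and is not Microsoft's or Sun's code. It models a small forest (the host names, domain names, partitions and entries are constructed for the example) in which each server answers queries for the partition it holds and returns an LDAP referral for objects held elsewhere. The client chases referrals only within its own forest and for a bounded number of hops, because an unchecked referral could send the client, together with the credentials it binds with, to an arbitrary server or into a loop.

```python
"""Toy directory partitioned by DNS domain name, with referral chasing.

Added example for this page (not Microsoft's or Sun's code). It models two
points from the text: a domain's DNS name and its LDAP naming context are
the same thing written two ways, and a query for an object held in another
partition comes back as a referral the client has to chase. All host names,
domain names, partitions and entries below are constructed.
"""
from urllib.parse import unquote, urlsplit

# Naming context DN -> host holding that partition (constructed forest).
PARTITIONS = {
    "DC=example,DC=com": "dc1.example.com",
    "DC=corp,DC=example,DC=com": "dc1.corp.example.com",
    # A separate directory that is NOT part of the example.com forest.
    "DC=partner,DC=net": "ldap.partner.net",
}


def split_rdns(dn):
    """Split a DN on unescaped commas (an escaped '\\,' inside a value is kept)."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]


def norm(dn):
    """Case-insensitive canonical form of a DN (AD compares DNs that way)."""
    return ",".join(r.lower() for r in split_rdns(dn))


def dns_to_dn(domain):
    """'corp.example.com' -> 'DC=corp,DC=example,DC=com'."""
    labels = [l for l in domain.strip(".").lower().split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={l}" for l in labels)


def dn_to_dns(dn):
    """Rebuild the DNS domain name from the DC= components of a DN."""
    dcs = [r[3:] for r in split_rdns(dn) if r[:3].upper() == "DC="]
    return ".".join(dcs).lower()


def dc_locator_srv_name(domain):
    """SRV record name a Windows 2000 client queries to find a domain controller."""
    return f"_ldap._tcp.dc._msdcs.{domain.strip('.').lower()}"


def naming_context(dn):
    """Longest known partition whose DN is a suffix of dn, or None."""
    rdns = split_rdns(norm(dn))
    best, best_len = None, 0
    for nc in PARTITIONS:
        nc_rdns = split_rdns(norm(nc))
        n = len(nc_rdns)
        if n <= len(rdns) and rdns[-n:] == nc_rdns and n > best_len:
            best, best_len = nc, n
    return best


# Constructed entries, keyed by normalized DN, per hosting server.
ENTRIES = {
    "dc1.example.com": {
        norm("CN=alice,CN=Users,DC=example,DC=com"): {"sAMAccountName": "alice"},
    },
    "dc1.corp.example.com": {
        norm("CN=bob,CN=Users,DC=corp,DC=example,DC=com"): {"sAMAccountName": "bob"},
    },
    "ldap.partner.net": {},
}


def server_search(host, dn):
    """One server's answer: ('entry', data), ('referral', url) or ('noSuchObject', None)."""
    nc = naming_context(dn)
    if nc is None:
        return "noSuchObject", None
    if PARTITIONS[nc] == host:
        entry = ENTRIES.get(host, {}).get(norm(dn))
        return ("entry", entry) if entry is not None else ("noSuchObject", None)
    return "referral", f"ldap://{PARTITIONS[nc]}/{dn}"


def lookup(host, dn, forest="example.com", max_hops=3):
    """Client side: chase referrals, but only to hosts inside the forest and
    only for a bounded number of hops. Returns (status, payload, hosts_visited)."""
    visited = [host]
    for _ in range(max_hops + 1):
        status, payload = server_search(host, dn)
        if status != "referral":
            return status, payload, visited
        url = urlsplit(payload)
        nxt = url.hostname or ""
        if nxt != forest and not nxt.endswith("." + forest):
            return "refused", payload, visited      # would leave the forest
        if nxt in visited:
            return "loop", payload, visited
        host, dn = nxt, unquote(url.path.lstrip("/"))
        visited.append(host)
    return "tooManyHops", None, visited
```

`lookup("dc1.example.com", "CN=bob,CN=Users,DC=corp,DC=example,DC=com")` is answered by the root domain controller with a referral into the corp partition and resolved on the second hop, while a referral to `ldap.partner.net` is refused because that host is outside the forest. The `_ldap._tcp.dc._msdcs.<domain>` name returned by `dc_locator_srv_name` is the real SRV record Windows 2000 clients query to locate a domain controller; the rest of the directory model is the example's own.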
For individual authentication, both Solaris 8 and Windows 2000 support a range of mechanisms, from the basic login name and password through to smart cards. Stronger authentication is supported on both through Kerberos and through X.509 certificates, as used in many Internet-based authentication systems. Windows 2000 also retains LAN Manager authentication, as used by Windows 95/98 and Windows NT; it is weaker than Kerberos and is kept for compatibility with those older clients. Active Directory supports further authentication methods through a modular extension interface, providing a path to new technologies such as fingerprint identification.
A summary of the directory and authentication systems is shown in Table 9 below.
Table 9: Directory and Authentication Comparison
| Feature | Solaris 8 | Windows 2000 |
| --- | --- | --- |
| Integrated Directory/Authentication Service | Y | Y |
| Integrated Directory/DNS Service | N | Y |
| Integrated Directory/File Security Service | N | Y |
| LDAP Compatibility | Y | Y |
| Distributed Directory | N | Y |
| Smart Card Authentication | Y | Y |
| Kerberos Authentication | Y | Y |
| X.509 Certificate Authentication | Y | Y |
| Single Sign-On Capability | N | Y |

Managing the Desktop
Solaris 8 is not a client-oriented operating system. Native Solaris clients are terminals or X Window devices. Solaris supports more intelligent client machines in terms of providing services such as file sharing, printer sharing and, through the Solaris Internet Mail Server or iPlanet suite, mail and group collaboration services. But it offers no facilities for managing client machines, or for managing the information and individual resources each machine has access to, beyond the Network File System and Automounter security settings, which are comparatively rudimentary.
Windows 2000 builds on the features provided by the Zero Administration Kit (ZAK) technology. The Windows 2000 system, called IntelliMirror management technologies, allows the administrator to define for each user the data they have access to, where the information they use should be stored, and which applications they can use, either assigned (installed automatically) or published (offered for the user to install on demand).
The IntelliMirror system uses the user profile information to set up a user’s machine when the user logs on to the network. Any machine within the network can potentially be used by any user—IntelliMirror will automatically set up the machine according to the user’s profile with exactly the same storage facilities and applications. This reduces the need for individual machines for each user within the network. Instead users can “hot-desk” and work at any machine without being restricted in their abilities.
For further resilience, and because most users use the same machine each day, IntelliMirror keeps a copy of users' files on their current desktop machine as well as on the server. Even if a server fails, a user's files are still accessible. If users move to a different machine, the information 'follows' them to the new desktop. Note that the cached copies remain on the local disk of each machine the user has worked at, so on shared desktops they need to be protected by NTFS permissions or the Encrypting File System.
The IntelliMirror system also allows you to define applications for users. And IntelliMirror dynamically installs and configures the applications if the user moves to a new machine. If the user applies for access to another application while still logged on, that application would also be installed on the machine, in real-time, or loaded from the server. As administrator, you can modify the application availability on a per-user, group, or machine basis. This allows you to deploy a single application across the entire network without visiting each machine.
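The per-user, per-group and per-machine application assignment described above, as an added example: Python written for this page, not Microsoft's code, and a simplified model rather than the actual Group Policy implementation. The group membership, policy entries, machine names and application names are constructed. It enforces one real Windows 2000 rule, that applications can be assigned to computers but only published to users, and resolves what a single logon receives and when.

```python
"""Simplified model of per-user, per-group and per-machine software
assignment as described for IntelliMirror. Added example for this page, not
Microsoft's code; the policy format, group membership, machine names and
application names are made up. One real Windows 2000 constraint is applied:
applications may be assigned to machines but can only be published to users.
"""

# Constructed group membership (user -> groups).
GROUPS = {
    "alice": {"Finance", "Staff"},
    "bob": {"Staff"},
}

# Constructed policy: scope is 'machine', 'group' or 'user'; mode is
# 'assigned' (installed automatically) or 'published' (offered on demand).
POLICIES = [
    {"scope": "machine", "target": "WS-LOBBY-01", "app": "AntiVirus", "mode": "assigned"},
    {"scope": "group", "target": "Staff", "app": "Office", "mode": "assigned"},
    {"scope": "group", "target": "Finance", "app": "Ledger", "mode": "assigned"},
    {"scope": "user", "target": "bob", "app": "Ledger", "mode": "published"},
    {"scope": "user", "target": "alice", "app": "Office", "mode": "published"},
    # Invalid: an application cannot be published to a machine.
    {"scope": "machine", "target": "WS-LOBBY-01", "app": "Ledger", "mode": "published"},
]

VALID_SCOPES = {"machine", "group", "user"}
VALID_MODES = {"assigned", "published"}


def validate(policies):
    """Return a list of (index, reason) for policy entries that must be rejected."""
    errors = []
    for i, p in enumerate(policies):
        if p.get("scope") not in VALID_SCOPES or p.get("mode") not in VALID_MODES:
            errors.append((i, "unknown scope or mode"))
        elif p["scope"] == "machine" and p["mode"] == "published":
            errors.append((i, "published applications can only target users"))
        elif not p.get("app") or not p.get("target"):
            errors.append((i, "missing app or target"))
    return errors


def resolve_logon(user, machine, policies=POLICIES, groups=GROUPS):
    """Applications this logon receives, split by when they are installed.

    Invalid entries are skipped. Precedence in this model: a machine
    assignment already covers the application for everyone who logs on
    there, and an assignment wins over a publication of the same application.
    """
    bad = {i for i, _ in validate(policies)}
    mine = groups.get(user, set())
    boot, logon, on_demand = set(), set(), set()
    for i, p in enumerate(policies):
        if i in bad:
            continue
        if p["scope"] == "machine":
            if p["target"] == machine:
                boot.add(p["app"])
            continue
        applies = (p["scope"] == "user" and p["target"] == user) or \
                  (p["scope"] == "group" and p["target"] in mine)
        if not applies:
            continue
        (logon if p["mode"] == "assigned" else on_demand).add(p["app"])
    logon -= boot
    on_demand -= boot | logon
    return {
        "install_at_boot": sorted(boot),
        "install_at_logon": sorted(logon),
        "available_on_demand": sorted(on_demand),
    }
```

With the constructed policy, alice at WS-LOBBY-01 gets AntiVirus at boot and Office and Ledger at logon (her publication of Office is overridden by the Staff assignment), while bob gets Office at logon and only has Ledger offered on demand; the published-to-machine entry is reported by `validate` and ignored.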
By centralizing the storage of user-specific data and the applications each user needs, you eliminate many of the problems of supporting users within a network. Users are no longer tied to one machine. Because users cannot change the configuration, they are far less able to break their machines, which reduces the number of help desk calls and lowers the total cost of ownership.
Table 10 below summarizes the Desktop Support offered by each platform.
Table 10: Desktop Support Comparison
| Feature | Solaris 8 | Windows 2000 |
| --- | --- | --- |
| User Data Management | Limited | Y |
| Desktop Application Management | Limited | Y |
| User Settings Management | N | Y |
| Roaming User Support | N | Y |

System Deployment
On SPARC hardware Solaris supports remote booting capabilities. This enables any SPARC-based machine to be booted from a central server without the need for any form of local storage. Supporting a centralized boot process makes software and driver installation easy—once installed onto the remote boot system, all machines that reboot remotely use the new version of the operating system and any software supported by the server.
Under Solaris for Intel platforms, remote booting is not supported, but the platform does allow for the sharing of applications across the network using the normal file sharing tools. Sharing can be supported for multiple platform types on a single server, allowing both SPARC and Intel versions to reside on the same central location.
Windows 2000 does not support remote (diskless) booting, but it does support remote installation of the Windows 2000 Professional client software onto a machine over the network. An extension of IntelliMirror, Remote Installation Services (RIS) lets a machine that has started from the network (via PXE or a boot floppy) log on to a Windows 2000-based server and have the operating system installed automatically.
Furthermore, IntelliMirror makes it easy to provide a core set of applications for each desktop machine according to the user, rather than the machine needs. The installation, update, and control of the applications configured for each user is centrally managed. This reduces the management cost and time taken to install applications or install or upgrade a new machine to Windows 2000.
Manageability Summary
Solaris 8 provides few management tools. Most configuration of a Solaris system is done through the command line or a number of narrowly focused applications that are disparate and not integrated into the operating system. Although Solaris 8 does provide remote management through Telnet (which carries credentials in clear text) or various Web-based tools, it lacks a coherent system for managing the machine either locally or remotely. In its favor, Solaris 8 does provide remote booting for all SPARC-based Solaris clients.
Windows 2000 provides a simple and consistent management interface, both to the local machine and to remote services through the Microsoft Management Console. For authentication and directory management, Windows 2000 includes Active Directory, which provides a central location for all of the resources on the network. The information is shared, and therefore available to all servers enabling a user to log in once to the network and never have to enter a password to access a networked resource.
Through IntelliMirror, Windows 2000 provides the next best thing to remote booting: the ability to dynamically reproduce a user’s environment on any machine in the network including desktop settings, file availability, and applications.
CONCLUSIONS
Solaris provides some advanced reliability and scalability facilities aimed squarely at the data center market, including SMP and clustering support. On Intel hardware, however, only Windows 2000 of the two offers clustering. Given the features missing from the Solaris 8 operating system, the Solaris solution is an expensive choice in terms of cost of ownership and management time.
Solaris 8 requires UNIX experts for management as well as additional software to provide even the basic functionality built into Windows 2000. The Sun Directory Service and the iPlanet suite are layered products that go some way toward providing an Internet solution for Solaris, and the bundling of Java with Solaris 8 shows that Sun is committed to an Internet-focused operating system.
Solaris 8 concentrates its abilities on expensive single-system solutions such as the E10000 Starfire server, at times used in the data center. Although this enforces a centralized solution, it also limits effective reliability across the network as a whole. The lack of a distributed solution such as that offered by Windows 2000 leaves a Solaris 8 network with several single points of failure. There is no network-level resilience: a single machine failure within a Solaris 8 network could make the entire network unusable.
In contrast, the Active Directory service forms a core part of the Windows 2000 strategy. By controlling all aspects of the resource management process, Active Directory ensures consistency right across the network – from access to the network as a whole and to the individual authorization of shared folders and other network resources. Sun’s Directory Service addresses some of these problems, but the technology is restricted to authentication on a single, rather than network resource basis.
With particular respect to the data center, Windows offers the most cost-effective solution to the problems of reliability. The Windows Datacenter Program will ensure that any hardware solution, once tested and approved, will easily be able to keep to its 99.9% availability guarantee. Because it is the full hardware and software system – including the core operating system, backup systems and software – that is tested and approved, the customer can be confident that the system they purchase will provide the maximum level of availability. Furthermore, the backup of a coherent support system by the Joint Support Team will ensure that any problems are resolved within the required availability constraints.
Windows 2000 supports many of the high-availability facilities Solaris 8 offers. Windows 2000 Advanced Server and Datacenter Server support SMP systems of up to 8 and 32 processors respectively, and two- and four-node clustering. Already, advances in Intel hardware and the improvements supported by the Windows 2000 architecture mean that performance for many applications, particularly in the data center and e-commerce arena, may exceed that offered by Solaris on either Intel or UltraSPARC hardware. The upcoming release of the Intel Itanium processor will provide another significant advance in performance, and Microsoft has been working with Intel to ensure maximum operating system performance on the new processor.
The wide range of Windows 2000-supported hardware enables you to deploy future-proof solutions across your network without worrying about the scalability of your existing hardware or software platforms. Clustering on Windows 2000 is handled using standard off-the-shelf components, and is therefore possible on a much wider variety of hardware at a much lower cost.
For deploying applications to the public over the Internet, Windows 2000 also demonstrates a clear advantage. With built-in support for the major Internet protocols, Windows 2000 can be used out of the box to provide Web applications and services. By using Active Server Pages, COM+, and Java, it is possible to deploy distributed Internet applications with ease.
The management support provided by Windows 2000 lowers the total cost of ownership for the entire network. By centralizing the management process, the normal overheads associated with supporting a distributed client-server network are reduced significantly.
In addition, because Windows 2000 provides a network-oriented solution, it inherently offers a much more resilient solution to the problem of providing network resources. By offering clustering, network load balancing, and distributed storage facilities built in to the operating system, you can safely deploy a Windows 2000 network without having to worry about the future scalability of the network.
For More Information
For the latest information on Windows 2000 Server, check out our Web site at http://www.microsoft.com/windows2000 and the Windows 2000/NT Forum at http://computingcentral.msn.com/topics/windowsnt.
For additional enterprise management services see: http://www.microsoft.com/smsmgmt/
For more information about the technical differences between the two directory services, see “Microsoft Active Directory vs. Sun Microsystems’s Sun Directory Service 3.1” at http://www.microsoft.com/WINDOWS2000/guide/server/compare/ADandSDS.asp