While people have widely divergent views on the origins of life, certain characteristics of its behavior are readily apparent. From simple beginnings, it has grown into a vast array of life forms that fill every conceivable niche. And these forms keep changing. Some become dominant for a while, before being replaced by a new "top dog." Specific models, such as dinosaurs, are discontinued, but their lineage continues in the smaller form factor of iguanas and horned toads. Units with greater processing power kept replacing earlier models. And through it all, bacteria and viruses keep evolving faster than drugs can be created to combat them. Through all the changes, nature has managed to keep all the species interoperating.
It's the same for computing. But here the origins are clearer. While the ENIAC for years was considered the first electronic computer, it is now known that British intelligence's top-secret Colossus machines were actually developed in 1943 to decode Nazi communications. But other than that, nature and computing are similar in some ways. The number of different devices expands annually. Different operating systems and hardware have been the leaders before being replaced by a more evolved form. Processing power keeps growing while form factor shrinks. And new viruses come out as soon as the security companies develop a cure for the old ones.
But after that the similarity ends. Biology took 150 million years to go from the Brontosaurus to homo sapiens. Computing went from its dinosaurs to PDAs in a few decades. Cockroaches have thrived for the last 320 million years, but you can't give away a three-year-old PC. The biggest difference, however, is in the area of interoperability. While Nature has this "circle of life" thing down pat, just try setting up a wireless interface for mainframe apps without hiring a systems integrator.
All this rapid evolution does keep our jobs from getting boring, of course, but it has gotten out of hand in terms of the numbers and types of devices, as well as the users and applications that IT staff now must support. With the growth in mobile computing, enterprises now have more than one computer per employee. And this is just counting laptops. Added to this, many employees expect to sync their PDAs to the network and be able to log on from their home computers. Then there are the suppliers who need access to ERP or Supply Chain software, and customers who want to place orders online. The average help desk now supports over 200 applications, eight times as many as just five years ago.
To make managing all these objects easier, vendors began offering directories which list all the users and what resources they are permitted to access. But this led to its own problems as enterprises then had to manage sometimes as many as 100 proprietary directories and keep them all synchronized. It was time to standardize.
X.500, DAP and LDAP
The first such standard was X.500 Directory Service. X.500 is designed as a global "white pages" of all the people in an organization. It uses a tree hierarchy consisting of country, organization, organizational unit and person. A "person" can be a user, but also includes any other type of network resource such as a file, server or printer. Each organization or group of organizations can create its own X.500 directory, called a Directory System Agent (DSA). The DSAs can then be linked higher up the tree so that people in other organizations can access the directory. An example of this is ESnet, the United States Department of Energy's Energy Sciences Network. There one can look up the personnel who work at any of the national laboratories. Another example is Verio, Inc.'s Whois domain name database. An X.500 directory is accessed through Directory Access Protocol (DAP), which is part of the X.500 specification.
But DAP consumed too much of a network's resources, leading to the University of Michigan's creation of the Lightweight Directory Access Protocol (LDAP), which is now used in most directory integration. LDAP has a lower overhead than DAP, but also lacks some of its functions. One of the features initially stripped out was the security function, but this has been put back in. LDAP is used by Netscape Communicator and Microsoft's Active Directory. Novell's NetWare Directory Services (NDS) is not a native LDAP service, but it does interoperate with LDAP. An LDAP directory uses the same four-level hierarchy as X.500. (For more on LDAP see The ABCs of LDAP: How to Install, Run, and Administer LDAP Services.)
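The four-level hierarchy and distinguished-name format just described, as an added example (not code from the article or from any vendor it mentions): a small parser that checks a DN walks country, organization, organizational unit(s) and person in order, plus a constructed in-memory DSA with made-up entries, attribute names and a subtree search.

```python
# Added example (not from the article): minimal X.500/LDAP DN parser that
# checks the four-level hierarchy (country > organization > organizational
# unit > person) and looks entries up in a constructed in-memory "DSA".
import re

LEVELS = {"c": 0, "o": 1, "ou": 2, "cn": 3}  # ou may repeat (nested units)

def parse_dn(dn):
    """RFC 4514-style DN -> [(attr, value)] leaf first; handles '\\,' escapes."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), re.sub(r"\\(.)", r"\1", value)))
    return pairs

def is_x500_shaped(dn):
    """True if the DN runs root->leaf through c, o, ou..., cn in that order."""
    root_to_leaf = list(reversed(parse_dn(dn)))
    if root_to_leaf[0][0] != "c" or root_to_leaf[-1][0] != "cn":
        return False
    rank = -1
    for attr, _ in root_to_leaf:
        nxt = LEVELS.get(attr)
        if nxt is None or nxt < rank or (nxt == rank and attr != "ou"):
            return False
        rank = nxt
    return True

class DSA:
    """Constructed in-memory Directory System Agent: DN -> attributes."""
    def __init__(self):
        self.entries = {}
    def add(self, dn, **attrs):
        if not is_x500_shaped(dn):
            raise ValueError(f"not an X.500-shaped DN: {dn}")
        self.entries[dn] = attrs
    def search(self, base_dn, **filters):
        """Subtree search: DNs under base_dn whose attributes match filters."""
        base = parse_dn(base_dn)
        return [dn for dn, attrs in self.entries.items()
                if parse_dn(dn)[-len(base):] == base
                and all(attrs.get(k) == v for k, v in filters.items())]

# Constructed sample "white pages" entries (two people and a printer).
directory = DSA()
directory.add("cn=Ada Lovelace,ou=Computing,o=Example Lab,c=US", mail="ada@example.org")
directory.add("cn=Doe\\, Jane,ou=Physics,o=Example Lab,c=US", mail="jdoe@example.org")
directory.add("cn=printer-3,ou=Computing,o=Example Lab,c=US", kind="printer")
```

A DN with the levels out of order (for instance an organization listed under a person) is rejected at `add`, which is the kind of shape check a real DSA enforces through its schema rather than in application code.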
Directory Enabled Networking (DEN)
While the above standard makes it simpler to locate people and other network objects, there was still a need to develop a means of creating a single directory to manage all the users, devices, and other objects that comprise a network. Vendors were still providing their own proprietary directories, which didn't speak to each other. When a new employee was hired, this meant having to create that user, his password, and privileges in each of the myriad directories. This then had to be repeated when the person left the organization, or changed position. When a new piece of equipment was installed, or an application moved to a different server, that would also have to be changed for each of the affected users and directories. As networks grew in complexity and the number of users and directories expanded, a simpler solution was needed. One was the creation of metadirectories, a type of middleware that links all the other directories together. A more elegant proposal was Directory Enabled Networking (DEN).
"Directory Enabled Networking is really a set of standards to enable what the Distributed Management Task Force (DMTF) is calling holistic management," says Winston Bumpus, Director of Open Technologies and Standards at Novell, and current DMTF President. "This initiative was born from the need to manage the network as a whole as it has become too complex and too interdependent to be able to manage it on a component-by-component basis any longer."
DEN was first put forth by Cisco and Microsoft in 1997 and later joined by hundreds of other hardware and software firms. The concept behind DEN is that an enterprise eliminates all the proprietary databases and metadirectories and replaces them with one centralized directory that describes all network objects including persons, computers, applications, switches, routers, etc. The objects speak a common language so that they can be managed as a unit without having to write APIs or install middleware. All applications and devices within the network then consult that directory for configuration, security, QoS and other issues. Once the system has been set up, adding or changing users and equipment is simply a matter of dragging and dropping a predefined object into its new location.
Setting the Standard
While DEN is simple to describe, getting it implemented is something else. Many of the pieces are there, but not the entire puzzle. "Today, DEN is still at a formative stage," says Daniel Blum, Research Director for The Burton Group. "Policy work is still going on at the Internet Engineering Task Force (IETF) and data modeling work is still going on at the Distributed Management Task Force (DMTF). Network infrastructure vendors have built parts of DEN into policy-based routing and other architectures, but as yet there is little plug and play interoperability between multi-vendor routers, policy servers, and directories."
The first action is to create the standards. This was originally being done by the specially created Directory Enabled Networking Initiative, but the task was passed over to the DMTF to develop. DEN uses the DMTF's Common Information Model (CIM) standards and then creates LDAP mappings from CIM to X.500. The standards allow vendors to share common definitions of a device, application, or service, for interoperability. But the formats are also extensible in order to utilize the specific features of different products.
CIM is designed to facilitate the exchange of management information between management systems and applications. It consists of two parts, a specification and a schema. The CIM Specification details the language and mapping techniques to exchange information with other management models, including Simple Network Management Protocol's Management Information Base descriptions of network objects as well as the DMTF's own Management Information Format, which is used to describe hardware and software components, primarily in Windows systems.
The CIM Schema defines the terms used to express the CIM model. It is divided into three layers. The Core Schema captures notions that are applicable to all areas of management. The Common Schema gives the notions that are common to five particular management areas (systems, applications, databases, networks and devices) but which are independent of a particular technology or implementation. Extension Schemas are technology-specific extensions of the Common Schema.
The DMTF has been issuing schema for several years. The first five covered systems, applications, networks (LAN), devices and physical. CIM 2.5, which was released in July 2001, added a standardized capability to publish and subscribe to events in a managed environment, and included DEN schema for Core, Physical, Network, System, Device, Core Policy, QoS Policy, and IPSec. CIM 2.6, which has not yet been finalized, includes mapping for Unix-based systems, the first time the DMTF has developed a mapping for any operating system besides Windows. (For more on CIM see Using Web-Based Enterprise Management.)
Creating the Directory
Although the standards are still being developed, ISVs have already begun building DEN functionality into their products. The biggest step was taken by Microsoft, one of the original proponents of the DEN initiative, by building Active Directory around DEN standards.
"With the release of Windows 2000 and Active Directory," says Perry Anton, Microsoft's Product Manager for Active Directory, "Microsoft provided customers the framework for implementing DEN solutions. This framework can serve as a basis for network equipment vendors, network management software vendors, and service providers to develop components specifically designed for distributed networking in a Windows 2000 environment."
The LDAP-native Active Directory is also a major driver for enterprises to switch to Windows 2000. According to a study of 232 IT professionals responsible for networks containing 500 to 5000 desktops, released by Enterprise Management Associates (Boulder, CO) last year, the reason most often cited for wanting to migrate from NT 4.0 to 2000 was to get Active Directory. While Windows NT 4.0 had a limit of 40,000 users and machines, Windows 2000 supports millions of objects in a single directory, and can replicate these objects between servers, even over WAN connections. It uses the Internet-standard Domain Naming Service (DNS) to specify network objects. The size of the directory, coupled with its use of the internet standards LDAP, DNS and PKI, makes it possible to integrate with other entities outside the enterprise.
While directory services are new for Microsoft, others have been doing it for years and have managed to work out many of the bugs that occur with any 1.0 release. One of these companies, Novell, has split out its directory function from its NetWare network operating system. So, while Active Directory is limited to Windows 2000, Novell Directory Service (NDS) eDirectory operates on networks running on Windows 2000, Windows NT, Solaris, Linux and Compaq Tru64 UNIX platforms. eDirectory manages both internal and external objects, breaking down the barriers between Internet, intranet and extranet resources, so that enterprises can share resources such as inventory information with their suppliers and customers. It supports a greater number of objects than Active Directory (1 billion) and is designed to be used with automated business-relationship management, supply-chain management and electronic storefronts. The system can use either Novell's proprietary NDS naming system or, to provide greater interoperability, the Internet-standard DNS format.
Hardware and Software
Once the directory is in place, there is still the matter of using it. This requires creating network devices and software that look to the central directory for their marching orders. Bit by bit this is happening.
Microsoft's Windows 2000 was designed to work with Active Directory, as is Exchange Server. Other products such as SQL Server, Microsoft Office and Microsoft Site Server will also take advantage of the directory. Novell's directory-enabled products include its GroupWise, ZENworks for Desktops and Net Publisher. Both firms are also encouraging ISVs to develop products which utilize their directories. Bowstreet Web Automation Factory, Network Associates' Zero Administration Client Suite and PeopleSoft ERP systems all use Novell's eDirectory. Microsoft, meanwhile, made Active Directory compatibility a part of its Windows 2000 Server Logo certification program and programs such as Baan ERP 5.0, IBM DB2 and Veritas Backup Exec have passed the test.
Hardware vendors are also joining in. 3Com is partnering with Novell on providing servers that utilize the eDirectory system; Sun and Netscape are working on iPlanet and SunONE directories. Cisco, which joined Microsoft in initially proposing the DEN standard, has created its Cisco Networking Services, which runs on Windows 2000 or Sun Solaris networks. "Traditional management solutions manage network components and services individually with little or no interoperability or data sharing," said Anson Chen, general manager of Cisco's Intelligent Network Business Unit. "Our customers want intelligent networks that function and are managed as complete systems. CNS delivers DEN, and the robust, scalable infrastructure elements needed to build programmable intelligent networks."
Assembling the Pieces
Slowly all the pieces are coming together to create directory-enabled networks. The standards are being created. Vendors are producing more of the software and hardware to utilize the concept. Enterprises are establishing their directories.
It's not an easy job. To roll out a directory can take 18 months. But in the end it is worth the effort. International Data Corporation reports that companies which implement Novell's NDS can expect a three-year ROI of 210. "The biggest problem is the initial sale to internal development staffs," says Chip DiComo, Manager of Global Information Services for Hellmann Worldwide Logistics, which implemented Novell's eDirectory. "But once they realize it can cut down on the coding that needs to be done they get real excited." They implemented the system because they wanted the ability to centrally manage and control the network from any one place with very little staff, which could only be done with a directory-enabled network. "We are reaping the benefits each day and the dollar and efficiency savings continue to grow," continues DiComo. "Directory enabled e-mail services has already saved us over $6 million."