WINDOWS Magazine, March 1997
-- by Martin Heller
All roads lead to Cairo. On Microsoft's map of the world, drawn from its distinctive NT perspective, that's where we're all heading. Cairo is the not-so-secret code name of the next Windows NT version, the one that will have all the features of the current versions of Windows 95 and NT, along with an object-oriented file system, distributed services and complete scalability from a single desktop to a large enterprise.
Cairo has been bouncing around long enough that it has found its way into NT aficionados' lingo, while adding to Microsoft's reputation for preannouncing operating systems, a tradition that stretches all the way back to Windows 1.0, which slipped two years from its original target date. But now, finally, we have a "technology preview" of Cairo, which, we are told, will ship sometime next winter as Windows NT 5.0.
The preview we saw dealt mostly with distributed services. Aptly dubbed Distributed Services Technology Preview, it is an add-on to Windows NT Server 4.0 and must be installed on a Primary Domain Controller, the computer that maintains the master list of users and computers on a network. However, previewers were warned not to install it on a production server, because the preview is slow, unstable and uses considerable memory. Those conditions made it clear we needed to set up a test domain for the preview (which is why the domain name "Test" appears in the screenshots accompanying this story).
Under the Hood
Microsoft's basic pitch about distributed services promises organizations without boundaries, greater economy of scale, flexible administrative control, and a flexible computing and data model. Employing some marketing finesse, Microsoft has attempted to make its multifaceted distributed solution appear simpler by calling the components "Active": Active Directory, Active Directory Interfaces (also known as OLE-DS), ActiveX, Active Desktop, Active Server, Active Platform. Components that don't earn an "Active" moniker are labeled "Distributed": Distributed COM, Distributed File System and Distributed Security.
The Component Object Model (COM) is Microsoft's standard way to make software "components" talk to each other; it underpins OLE and ActiveX Controls. Technically, any control or widget that talks to other software using COM is considered an ActiveX Control. Any program that can use COM components is considered an ActiveX Container.
Distributed COM, or DCOM, is a way to make COM components work together over a network. DCOM is already included in shipping Windows NT 4.0 systems. Win95 and Solaris versions of DCOM are currently in the testing phase.
The umbrella term Active Platform includes Active Desktop and Active Server. Active Desktop embraces client-side HTML browsing, scripting, components and system services. Active Server includes server-side HTML delivery, scripting, components and system services. The NT 5.0 preview comprises both client and server pieces, but we'll focus on the server side, particularly directory, storage, security and management services. The preview also includes significant pieces for programmers, as described in the sidebar "Distributed Programming: The Next Generation."
Exploring Active Directory
Active Directory, despite its name, is more than an administrative service or a way to organize files on a disk: it tries to be a complete information service for administrators and users by dealing with different kinds of information spanning many "name spaces." Browse an Active Directory, and you'll find out about domain users, groups, services and printers in addition to traditional file hierarchies.
Even those file hierarchies can be heterogeneous. The core protocol for Active Directory is the Lightweight Directory Access Protocol (LDAP), the Internet standard for querying X.500-style directories without the weight of the full X.500 protocol stack. But Active Directory also directly supports Internet mail names (RFC 822) in the familiar email@example.com format, HTTP URL names like http://www.winmag.com/people/mheller/default.htm, and UNC (universal naming convention) names such as \\Mozart\Papageno\winnts\dsadmin\default.asp. UNIX, Novell NetWare, Banyan StreetTalk and other network servers appear to be part of the Active Directory through Active Directory Interfaces.
Microsoft says Active Directory "combines the best parts of X.500 and DNS." That may be a nice way of saying that Active Directory takes the X.500 information model (a hierarchy of objects with typed attributes) and LDAP access to it without implementing the whole X.500 protocol suite. The X.500 protocols are the international standard for "white pages" directory services. According to Microsoft, Active Directory supports LDAP versions 2 and 3 together with the X.500 Directory Access Protocol (DAP), Directory System Protocol (DSP) and Directory Information Shadowing Protocol (DISP); in practice, LDAP is the protocol that clients and administrative tools will actually speak to it.
The Internet Domain Name System (DNS) is the location service used on the Internet and most TCP/IP intranets to translate between domain names (for example, winmag.com) and IP addresses (22.214.171.124). Active Directory uses DNS as its location service: Windows NT Domain Names are DNS names. So WINDOWS Magazine, which has already registered its winmag.com DNS domain, could use the same name for its Windows NT domain and automatically have all the resources of the Windows NT domain locatable through DNS.
In addition, such a move makes all the objects in the Active Directory visible to Web browsers. Active Directory works in concert with Microsoft Internet Information Server 3.0's Active Server Pages to translate all HTTP requests for directory objects into HTML pages.
Of course, making every resource of a corporate domain visible to the Internet, and to the Web in particular, raises security issues. Most corporate networks aren't about to take down their firewalls, the systems that isolate private networks from the Internet at large, and they shouldn't have to: the Point to Point Tunneling Protocol (PPTP) support already built into Windows NT 4.0 lets authenticated remote users reach the private network through the firewall over an encrypted tunnel, so the directory and its Web front end can stay inside.
Active Directory also raises the bar on authentication by adding Kerberos and X.509 v3 public-key certificates.
Kerberos is an MIT-developed authentication protocol. As implemented in Active Directory, Kerberos provides distributed security within a domain tree and is based on passwords and secret-key (symmetric) encryption: a user's password is turned into a key that is derived on the user's machine at logon and held by the domain's Key Distribution Center, and it is that key, never the password itself, that protects the tickets exchanged on the wire. Active Directory stores both the secret-key and the public-key security information, replacing Windows NT 4.0's Registry-based account database.
Public-key authentication is an extension to the Kerberos protocol in which the initial exchange with the domain is proved with an X.509 certificate and its private key rather than with a password-derived key. You can log in to a Cairo computer just as you do today, using an account on the computer or in a Windows NT domain, or you can use the new Internet log-in, which lets you use a single e-mail name to access resources anywhere in the corporate network.
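As an added example of the password-based Kerberos exchange just described (code written for this page, not Microsoft's implementation and not part of the preview), the block below models the three parties in Go: a Key Distribution Center holding one long-term key per principal, a client that proves its password only by being able to decrypt the reply, and a file service that validates the ticket without ever contacting the KDC. Everything in it is assumed for illustration: the principal names mheller@test and cifs/valhalla, the passwords, the 10-hour ticket lifetime, the 5-minute clock-skew window, SHA-256 as the stand-in for Kerberos's string-to-key step, and AES-GCM as the stand-in for the Kerberos encryption types.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"time"
)

// Ticket is the KDC's statement "Client may use Service with SessionKey until
// Expires", sealed under the service's key (the ticket) and the client's (AS-REP).
type Ticket struct {
	Client, Service string
	SessionKey      []byte
	Expires         time.Time
}
type KDC map[string][]byte // principal name -> long-term key (the directory's role)

// deriveKey stands in for Kerberos's string-to-key step (assumption: the real
// transform differs). Both ends derive the key locally; no password is sent.
func deriveKey(password, principal string) []byte {
	h := sha256.Sum256([]byte(principal + ":" + password))
	return h[:]
}
// aead returns AES-256-GCM; deriveKey always yields 32 bytes, so no errors.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}
// seal JSON-encodes v and encrypts-and-authenticates it under key.
func seal(key []byte, v interface{}) []byte {
	plain, _ := json.Marshal(v)
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand does not fail in practice
	return g.Seal(nonce, nonce, plain, nil)
}
// open reverses seal; a wrong key or a tampered blob fails authentication.
func open(key, blob []byte, v interface{}) error {
	g := aead(key)
	if len(blob) < g.NonceSize() {
		return errors.New("blob too short")
	}
	plain, err := g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
	if err != nil {
		return err
	}
	return json.Unmarshal(plain, v)
}

// AuthenticationService answers an AS-REQ; only a holder of the client's key
// can read encPart, so a wrong password fails at the client, not at the KDC.
func (k KDC) AuthenticationService(client, service string, now time.Time) (encPart, ticket []byte, err error) {
	if k[client] == nil || k[service] == nil {
		return nil, nil, errors.New("unknown principal")
	}
	session := make([]byte, 32)
	rand.Read(session)
	t := Ticket{client, service, session, now.Add(10 * time.Hour)}
	return seal(k[client], t), seal(k[service], t), nil
}

// ServiceAccept checks a ticket and an authenticator (a timestamp sealed under
// the session key) with no round trip to the KDC; it returns the client name.
func ServiceAccept(serviceKey, ticket, auth []byte, now time.Time) (string, error) {
	t, when := Ticket{}, time.Time{}
	if err := open(serviceKey, ticket, &t); err != nil {
		return "", err
	}
	if err := open(t.SessionKey, auth, &when); err != nil {
		return "", err
	}
	if d := now.Sub(when); now.After(t.Expires) || d > 5*time.Minute || d < -5*time.Minute {
		return "", errors.New("ticket expired or authenticator outside clock-skew window")
	}
	return t.Client, nil
}

// LoginScenario runs one logon in a constructed domain and returns who the file
// service accepted, the wrong-password error at the client, and the replay error.
func LoginScenario() (accepted string, wrongPass, replay error) {
	now := time.Now()
	kdc := KDC{"mheller@test": deriveKey("correct horse", "mheller@test"),
		"cifs/valhalla": deriveKey("service-secret", "cifs/valhalla")}
	encPart, ticket, _ := kdc.AuthenticationService("mheller@test", "cifs/valhalla", now)
	t := Ticket{}
	wrongPass = open(deriveKey("wrong guess", "mheller@test"), encPart, &t)
	if err := open(deriveKey("correct horse", "mheller@test"), encPart, &t); err != nil {
		return "", wrongPass, err
	}
	accepted, _ = ServiceAccept(kdc["cifs/valhalla"], ticket, seal(t.SessionKey, now), now)
	_, replay = ServiceAccept(kdc["cifs/valhalla"], ticket, seal(t.SessionKey, now.Add(-time.Hour)), now)
	return accepted, wrongPass, replay
}
```

Two details carry the security argument. The KDC never learns whether the password was right; a wrong password simply fails to open the reply at the client, which also means that anyone who captures that reply can test password guesses against it offline, so the strength of the password is the strength of the logon. And the service checks the ticket with nothing but its own long-term key and the timestamp window, which is why Kerberos depends on reasonably synchronized clocks.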
You can use public-key certificates to provide resource access to people outside the organization who have no internal account or e-mail name. In this case, security comes from being able to trace the certificate, through the signature on it, to a trusted authority, which can be a commercial Certificate Authority or the Windows NT Certificate Services on a trusted domain. Which authorities count as trusted is the administrator's decision, not the certificate holder's.
For instance, I have a personal certificate identifying me as Martin E. Heller with e-mail ID firstname.lastname@example.org, issued by Verisign and maintained in my copy of Internet Explorer. I'll be able to use that certificate to access resources on Cairo networks from my browser, if the corporate network administrators choose to grant me permission to view files without giving me a domain account.
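As an added example of the trust check the preceding paragraphs describe (written for this page, not the preview's Certificate Services or Internet Explorer code), the Go block below builds a domain CA, an impostor CA carrying the identical name, a certificate for the same person from each, and a resource server that accepts the e-mail name only from the certificate that chains to the CA it actually trusts. The CA name, the person's e-mail address mheller@test.example, the P-256 keys, the serial numbers and the one-day validity period are all assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// caTemplate describes a certificate authority valid for a day around now.
func caTemplate(name string, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// userTemplate describes a person's client-authentication certificate that
// carries an e-mail name, the identity a resource server can grant access to.
func userTemplate(name, email string, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:   big.NewInt(2),
		Subject:        pkix.Name{CommonName: name},
		EmailAddresses: []string{email},
		NotBefore:      now.Add(-time.Hour),
		NotAfter:       now.Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
}

// issue generates a fresh P-256 key and has parent sign tmpl for it; with a
// nil parent the certificate is self-signed. The templates above cannot fail,
// so any error here means a broken random source and is treated as fatal.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// TrustedEmail is the resource server's check: chain the presented certificate
// to a CA it trusts (not the system store), require the client-auth usage, and
// only then believe the e-mail name inside it.
func TrustedEmail(cert *x509.Certificate, trusted ...*x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	for _, ca := range trusted {
		roots.AddCert(ca)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	if len(cert.EmailAddresses) == 0 {
		return "", errors.New("certificate carries no e-mail name")
	}
	return cert.EmailAddresses[0], nil
}

// CertificateScenario builds the domain's CA, an impostor CA with the identical
// name, and one certificate for the same person from each. It returns the e-mail
// the server accepts from the genuine certificate and the impostor's error.
func CertificateScenario() (accepted string, impostor error, err error) {
	now := time.Now()
	realCA, realKey := issue(caTemplate("Test Domain Certificate Services", now), nil, nil)
	fakeCA, fakeKey := issue(caTemplate("Test Domain Certificate Services", now), nil, nil)
	genuine, _ := issue(userTemplate("Martin E. Heller", "mheller@test.example", now), realCA, realKey)
	forged, _ := issue(userTemplate("Martin E. Heller", "mheller@test.example", now), fakeCA, fakeKey)
	accepted, err = TrustedEmail(genuine, realCA)
	_, impostor = TrustedEmail(forged, realCA)
	return accepted, impostor, err
}

func main() {
	accepted, impostor, err := CertificateScenario()
	fmt.Printf("genuine certificate: %q (err=%v)\nimpostor certificate: %v\n", accepted, err, impostor)
}
```

Two points are worth noticing. The verifier's trust pool contains only the CA the administrator chose, not the machine's system store, so a certificate that a browser happens to trust is not automatically one the domain trusts; that is the administrator's decision the text refers to. And the certificate is checked for the client-authentication extended key usage explicitly: Go's Verify defaults to server authentication and would otherwise reject a perfectly good user certificate.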
Picture it: You've got an Exchange post office located on your Olympus computer running Windows NT Server in the Test domain. The server's disk drive has been acting up, and you need to take Olympus down for maintenance. But an entire department relies on connecting to the \\Olympus\wpo share to pick up its e-mail, and taking down the e-mail system would effectively stop your company in its tracks.
Naturally, you set up a backup post office on another computer, let's call it Valhalla. Under current versions of NT, you'd then have to notify the whole department to change its post office location to \\Valhalla\wpo, and you'd probably want to do that by e-mail. When you get Olympus back online, you'd want them to change back. Not a pretty picture.
Enter the Distributed File System (DFS). The problem with ordinary shares is that their names are tied to the machine hosting the files. A DFS share can be redirected anywhere on the network (including to non-Windows NT hosts) and can be made fault tolerant. The DFS share name is independent both of the machine hosting the DFS and of the volumes hosting the actual files. That indirection cuts both ways: because clients follow DFS links silently, whoever can edit the links decides where a department's files, or its mail, really come from, so administrative rights over a DFS root deserve the same care as the shares behind it.
For instance, if I create a DFS on the Valhalla computer called Niffelheim and place the wpo underneath it, users in the same domain (Test) could simply access \\Niffelheim\wpo from their mail clients, and users in another domain could access \\Test\Niffelheim\wpo. The actual files might be on Valhalla today or Olympus next week, but the users won't know the difference.
Naturally, you do need to administer a DFS. Fortunately, the DFS administration tool is straightforward once you've created the initial DFS share and rebooted.
Managing Active Directories
For many administrative tasks, you can use the Microsoft Management Console (MMC), which can be thought of as a kind of container, or an Explorer, for management snap-ins. MMC differs from the Windows NT Explorer in a couple of significant ways: it uses a multiple document interface, and it supports the special ActiveX interfaces used by snap-ins.
Snap-ins are analogous to a new generation of Control Panel applets, except that they work across the network and can be combined into more powerful tools. In fact, Microsoft is working to migrate many of today's administrative applets (Devices and Services, for example) from standalone operation in the Control Panel to working in concert with other snap-ins in the MMC environment.
There will be times, too, when you want to administer your network remotely. The obvious way to do this is with a Web browsing interface. Directory Service administration through a Web browser relies on the presence of Active Server Pages; in other words, it requires IIS 3.0 or later.
For a technology preview, this is very encouraging, and the enterprise features are just what the doctor ordered. Once the performance problems are ironed out, Active Directory could turn Windows NT into the premier network operating system.
Senior Contributing Editor Martin Heller is author of WINDOWS Magazine's Programming Windows column. Contact Martin at his Web page at http://www.winmag.com/people/mheller or via e-mail at email@example.com.
Copyright (c) 1997 CMP Media Inc.