Novell eDirectory vs. Microsoft Active Directory

COMPETITIVE WHITE PAPER

www.novell.com
Table of Contents

2  INTRODUCTION
2  THE VITAL ROLE OF A DIRECTORY
3  SELECTING A HIGH-END DIRECTORY SERVICE
8  COMPARING MICROSOFT ACTIVE DIRECTORY TO NOVELL eDIRECTORY
21 SUMMARY

Introduction
Millions of people unknowingly tap the power of a directory service every day. Directory services are a foundational technology serving a number of critical functions, yet the everyday user rarely sees them. Any Web site or application that personalizes its presentation or controls access to its content is almost certainly taking advantage of a directory. Directories provide the information technology power behind customer services, citizenry records and white or yellow page indexes. And from small shops to massive enterprises, people count on directories to allow access to their networks, files, printers and other resources.

If you are evaluating which Lightweight Directory Access Protocol (LDAP) directory will best address your business needs, selecting the right one is no trivial task. Given the numerous offerings available, it can be difficult to determine which directory is best suited to the unique needs of your organization. This paper will assist you in that evaluation process by clearly outlining what a directory is, why it is necessary and how to evaluate one that will best fit your organization’s needs—with particular focus on the differences between Novell eDirectory™ and Microsoft Active Directory*.

THE VITAL ROLE OF A DIRECTORY

Directories provide the identity infrastructure for controlling access and authentication, provisioning, personalized content presentation and various other aspects of managing the relationships between information resources and the people who use them. As a central repository of organizational information, a well-applied directory becomes a business component of crucial importance.

Today, directories are being applied to manage identities on a scale never before seen. Internet news sites use directories to identify readers, profile them and personalize their content. Financial institutions securely extend their services to customers over the Web by using the identification and authorization capabilities of a directory. Outsourced management firms manage their diverse clientele and the services they need with directories. And directories empower service providers to identify and track a wide range of devices, from broadband modems to fleets of automobiles. Governments provide health care services and manage electronic tax collection systems for entire citizenries—again, all backed by the power of directories.

Directories address multiple challenges, the least of which is merely identifying a user or consumer. Layered on top of that is the ability to authorize multiple levels of access to various resources, provide a common username for accessing multiple services and act as a foundation for provisioning services to a user.

The diverse roles directories now play within organizations have made them a very common technology type. However, the uses described above distinctly define the role of a high-end directory service. And this high-end application of directory technology requires organizations to consider some very specific qualities in the directory they select.

SELECTING A HIGH-END DIRECTORY SERVICE

Now that we have discussed the diverse applications of a directory service and discussed how directories can become mission-critical components of an agile organization, we come to the question, which high-end directory can best deliver these advantages?

The business criteria for selecting the right directory service fall into one or more of the following five categories:

• Scalability
  How big is “big”? How scalable does our system need to be, addressing the needs of today as well as tomorrow? Can it still perform when scaled into the millions of identities and beyond?

• Compatibility
  Does it work with our applications? Does it support directory access standards? Does it work on our preferred platforms?

• Reliability
  What mechanisms ensure that service is always available? Can it meet our availability goals? Is it prone to service errors or data corruption? Does it have well-thought-out options for disaster recovery?

• Manageability
  What tools and services provide proactive management and monitoring of the system? Does it plug into common network management consoles? Do the management tools adapt to organizational needs?

• Securability
  Does the system allow you to provide access to privileged users while rigorously denying malicious intruders? Can you provide access through a variety of means? Does it provide a security model flexible enough for company needs?

A true high-end directory service will excel in each of these five areas. In other words, determining how well a given directory fulfills these five criteria should ultimately determine its ability to address your needs and business requirements.

Most organizations will not put equal weight on each of the above high-end directory services criteria. It is very much a worthwhile exercise to prioritize your organization’s business requirements against these five points before diving into the

minute technical details. When selecting a directory service, questions (such as those listed above) may help to more exactly clarify your goals for deploying a directory, as well as prioritize what criteria matter most to the organization.

Let us now examine each of these criteria in more detail.

Scalability

Customer-driven organizations know that their number of managed identities may range from hundreds of thousands to millions, or in some cases, hundreds of millions. In addition, partners, supply-chain companies and other stakeholders who need personalized access continue to push scalability requirements.

Scalability goes far beyond how many user or device identities can be stored in the directory. While sheer volume is an important factor, so too are functions that are less obvious. Some vendors claim scalability as storing vast numbers of objects, without the objects in their tests actually containing any real data. Performance metrics for LDAP responses per second, the efficiency of replication and how modifications affect the size of the datastore must also be considered. Finally, the directory’s standard management tools must be able to scale as the directory itself scales.

Compatibility

Because directories act as a hub for all things identity-related, compatibility is a key factor in selecting a high-end directory service. Compatibility must be measured with regard to adherence to standards and compatibility with your existing environment. The top priority is almost always whether a directory offering can work for the immediate business needs to which it will be applied. But also important to consider is its ability to accommodate the next wave of uses your business may need to integrate with the selected directory.

Protocol Standards and Application Compatibility

Lightweight Directory Access Protocol, or LDAP, forms the common denominator for accessing directories. LDAP is not a directory itself—it is nothing more than an access protocol used to communicate with a directory. While there are many, many other directory access protocols available, LDAP dominates; and LDAP compatibility is the essential starting point for any true high-end directory service. Most directories claim LDAP as their protocol common denominator, but the implementation of the standard and its de facto extensions remains an area of concern for compatibility.

The hallmark of a directory’s compliance to the LDAP standard is LDAP Certified status, as set forth by The Open Group (http://www.opengroup.org/dif/cert03). LDAP Certified status ensures that a directory uses LDAP according to the specification and helps to ensure that LDAP-based applications will work with the LDAP Certified directory. (Similarly, The Open Group also maintains the LDAP Ready certification for LDAP applications.) At a minimum, a high-end directory service needs to support LDAP v3 and earn LDAP Certified status.

Web services comprise an emerging set of standards designed to allow applications to use Web-based protocols to communicate. The primary protocol used by Web services is Simple Object Access Protocol (SOAP), which is based on eXtensible Markup Language (XML). SOAP allows dissimilar applications to interact regardless of their underlying platform, programming language or internal application calls. This description also loosely defines Web services and its promise.

The openness that Web services provides increases the need to manage identities and access control. Directory Services Markup Language (DSML) addresses this need by providing a mechanism to encode directory requests within SOAP. DSML allows Web services-enabled applications to leverage a directory. This offers a number of benefits, including:

• Organizations can set up relationships with partners, allowing mutual use of identities through Internet technologies.

• Organizations with supply chains can manage the identities of each supplier to provide secure access over the Internet.

• Organizations can selectively expose parts of their directory to be queried by external entities, as might be the case for a publicly published corporate or organizational address book.

Although there are a number of other protocols and standards for directories, LDAP sets the base standard for directory access, and SOAP/DSML show the most promise in providing integration with Web services-enabled applications. Prioritizing which directory access standards are most important depends on the directory-enabled applications you plan to deploy and the level of expertise in your organization. For a broader discussion of directory access protocols, see Burton Group’s recent research report “Interfacing with Directory Services: Sorting out Options for Directory Access” at http://www.burtongroup.com.

Platform Compatibility

There are few truly homogeneous networks. Whether by intent or accident, nearly all information systems of any size have a mixture of machines and operating systems for both desktops and servers—including Linux*, Windows*, UNIX* and NetWare®. This almost mandates that a selected directory technology must be able to be hosted from multiple platforms. Managers should have the option of choosing an optimal platform based on preferred hardware and operating systems, reliability expectations, personnel skills and overall manageability. Further, because your business’ choice of host platform may change over time, a multi-platform capability is fundamental to the selection of a high-end directory.

Reliability

Reliability is an essential quality for a high-end directory. The more critical the directory’s availability, the more reliable it must be; so naturally, a high-end directory must provide continuous availability, no matter what. Much like a financial database, when the directory is down, the organization is down.



The directory’s ability to self-correct and prevent minor errors forms a first line of reliability. The capacity to transparently host writable copies of the directory across multiple servers—and possibly wide geographies, to provide central backup and local data availability—forms another level of reliability.

Beyond continuity of service, a directory needs to provide multiple levels of fallback and recovery—from real-time failover to online, near-line and offsite backup capabilities. Quick recovery in the event of catastrophe—whether due to hardware failures, operating system failures or natural disasters—is a vital, business-sustaining requirement for a high-end directory service.

Manageability

With technology, the cost of acquisition is almost always smaller than the ongoing costs of management. In selecting a high-end directory, a key question to ask is how much effort it will take to maintain.

Directory management breaks down into two major groups of activities: administration and maintenance. Administration involves day-to-day tasks such as setting up groups, assigning access rights and clearing account lockouts. Maintenance involves less frequent tasks such as performance-tuning LDAP services, extending the directory schema or configuring alerts to report to your enterprise management console.

In general, manageability depends on the breadth of tools available. With several of the directory contenders today, a limited set of tools not only results in overly complex management, but also demonstrates the manufacturer’s inexperience and the consequential immaturity of the product.

Tools for both directory maintenance and administration should be securely accessible from a variety of platforms and devices in order to ensure immediacy of response to management tasks both large and small.

To reduce costs and appropriately distribute management, many organizations require some form of delegated administration capability. Delegated administration allows the assignment of specific administrative tasks—such as changing passwords or assigning application access—to the appropriate people based on their roles. This capability ensures that help desk or customer support call center personnel can perform appropriate management tasks without having excessive system access.

The capability to integrate with enterprise monitoring tools, such as Tivoli Enterprise Console*, HP OpenView* and CA Unicenter*, is also important. These standards-based systems use Simple Network Management Protocol (SNMP) and other protocols for monitoring events and directory health in real time. If you intend to put a directory to high-end use, support for monitoring through the generic SNMP and the more directory-specific LDAP event notifications are essential features.

To be sure, directory management is becoming increasingly automated through rules-based event handling and ongoing innovation in the systems that connect to directories. However, many ongoing

management tasks still require appropriate tools. The larger the scale and business criticality of your directory service, the more you will rely on its management tools to prevent overwhelming your limited IT resources.

Securability

The system on which your business hinges its identity services must be securable to the level required by your organization. There is no single checkbox item to say that a directory is secure. In fact, no directory can claim to actually be secure, only securable.

With directories, securable encompasses a myriad of possibilities, not limited to: the operating system on which the directory will be hosted; the granularity of the directory’s permissions and enforcement model; how secure data, such as passwords, is encrypted and stored; whether strong authentication methods (such as biometrics and smart cards) can be used instead of passwords; and much more. The nature of security requires that some of these capabilities must be built into the directory, rather than added piecemeal.

Security includes far more than mere authentication (the logging on of users). The directory must proactively enforce access control in real time and ensure that the methods used to gain access to data are suited to the task. As an example, graded authentication might be configured to allow access only when a user has the correct rights or privileges and the user has authenticated with multiple credentials (password plus a biometric, for example). Such an implementation may be desirable for accessing highly confidential data. Most directories can create an identity for use as a simple login, yet few can use that identity as a comprehensive security principal that can be leveraged across multiple services and systems.

A final consideration is whether the directory in question is supported by sufficient auditing offerings to allow the directory to truly function as the identity hub of your system security.

Business Value Comes First

Though not exhaustive, these five criteria—scalability, compatibility, reliability, manageability and securability—form the requirements foundation for evaluating directory services for your organization’s high-end purposes. Understanding your requirements and priorities in these key areas ensures that your investment in a directory will fit your needs for both today and tomorrow, and keep cost aligned with benefits.

Directories that do not fulfill your organization’s requirements in light of these five fundamental values may not be suited for high-end needs, but may still have an important place in your enterprise. Application-specific directories will often need to be deployed because they are inseparable from a business-critical application. (For example, Microsoft Exchange requires Active Directory for the purpose of supporting e-mail.) The presence of such a directory does not negate the need for a high-end directory service, nor dictate which directory should be used for high-end purposes. Ultimately, the directory you choose must be capable of unifying your various

application-specific directories under a single management umbrella to create a manageable identity system.

• Novell eDirectory is the foundation for many of the world’s largest identity management deployments

• Novell is the directory services pioneer with more than 10 years of business and technical experience

• Novell eDirectory is deployed by more than 30,000 companies worldwide

• Over 2 billion eDirectory licenses have been distributed

• eDirectory is redistributed by more than 60 ISVs, including SAP, TIBCO and many others

• More than 2,000 products have been developed for use with eDirectory

• Novell eDirectory is proven scalable, compatible, reliable, manageable and securable

COMPARING MICROSOFT ACTIVE DIRECTORY TO NOVELL eDIRECTORY

Out of the several directory service providers, two market leaders are Novell eDirectory and Microsoft Active Directory. The balance of this document will compare the two and evaluate how each fulfills the requirements of a high-end directory.

The Offerings

Active Directory is currently in its second version. Fundamentally, Active Directory is a network operating system directory, having been created in support of the Windows server operating system. In Windows 2003, many of the enhancements make up for deficiencies inherent in Active Directory’s original release, showing the relative inexperience Microsoft brings to its fledgling directory offering.

Novell has been working in directory services for 10 years—longer than any other major player in the industry. Novell eDirectory was built from previous experience producing Novell Directory Services (NDS®). NDS was a network operating system directory built for NetWare that formed an important prerequisite to the introduction of Novell eDirectory. Today, Novell eDirectory leads the industry as a truly platform-independent, high-end directory.

Let us now compare the two offerings using the five business criteria for selecting a high-end directory service.

Scalability

Scalability has always been questionable in Active Directory. Though Microsoft claims there are Active Directory deployments that scale from 10 to 15 million objects, in practice few businesses operate with that many, or have even attempted to do so. At such a scale, Active Directory performance becomes a liability due to data bloat, scaling limitations of the Active Directory management tools and the network traffic storms caused by inefficient replication, thereby defeating the investment.

In 1999, Novell demonstrated eDirectory scalability to 1 billion identities. While possibly seeming outlandish, Novell pushed eDirectory to handle this size in order to pave the path to super-massive directory deployments. Novell has also run extensive LDAP performance tests on 100 million-object systems to assure that performance is sustained with very high volumes of identities.

Multi-master replication in eDirectory allows LDAP performance to scale linearly simply by adding more LDAP server interfaces as needed—even dynamically as conditions require.

Here are some examples of businesses and governments who base their high-end directory deployments on Novell eDirectory:

• Direction Générale des Impôts, the French Tax Authority, uses Novell eDirectory as the identity repository for taxpayers. Today the directory hosts several hundred thousand identities and will grow to accommodate 35 million (encompassing virtually all French taxpayers) when the project is complete.



• TransUnion, one of the world’s largest credit-reporting agencies, has deployed eDirectory to personalize the Web experience for 10 to 12 million customers annually.

• PC maker Gateway has deployed eDirectory to manage employee, partner and customer identities in excess of 5 million users.

Scalability and System Requirements

A major factor behind why Novell eDirectory scalability far outpaces Active Directory’s is simply the efficient use of hardware resources. For example, consider the hard disk space used by eDirectory and Active Directory, respectively. The table in Figure 1 and the graph in Figure 2 illustrate that on average Active Directory consumes twice as much disk space as eDirectory when hosting the same number of objects. In a high-end deployment, where millions of identities and their related objects are stored in a directory, this gap could be a substantial obstacle. In addition, Active Directory’s excessive consumption of disk space becomes even more problematic as access controls are applied, as discussed later in the “Securability” section.

Figure 1: Database size (in megabytes)

Objects (in thousands)   Novell eDirectory 8.7.3   Microsoft Active Directory 2003
0                        28.57                     59.04
10                       52.81                     100.04
100                      159.24                    348.04
200                      312.13                    598.04
300                      449.00                    872.04
400                      543.81                    1128.04
500                      690.58                    1382.04
600                      827.16                    1660.04
700                      939.83                    1918.04
800                      1084.66                   2136.04
900                      1213.56                   2386.04
1,000                    1334.15                   2635.04
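To check the “twice as much disk space” statement against the numbers in Figure 1, here is an added example in Python (it is not part of the white paper and not Novell or Microsoft code). It embeds the table, computes the per-row Active Directory to eDirectory size ratio and its average, fits a least-squares line to each series to estimate the marginal megabytes per thousand objects, and projects a larger deployment. The 5-million-object projection extrapolates well past the table’s 1-million-object range and is only an assumption that growth stays linear.

```python
"""Analyse the Figure 1 database-size table (added example, not from the
white paper): per-row AD/eDirectory ratio, its average, and a least-squares
fit of size against object count for each directory."""

# Rows: (objects in thousands, eDirectory 8.7.3 MB, Active Directory 2003 MB),
# copied from Figure 1 of the white paper.
FIGURE_1 = [
    (0, 28.57, 59.04),
    (10, 52.81, 100.04),
    (100, 159.24, 348.04),
    (200, 312.13, 598.04),
    (300, 449.00, 872.04),
    (400, 543.81, 1128.04),
    (500, 690.58, 1382.04),
    (600, 827.16, 1660.04),
    (700, 939.83, 1918.04),
    (800, 1084.66, 2136.04),
    (900, 1213.56, 2386.04),
    (1000, 1334.15, 2635.04),
]


def size_ratios(rows=FIGURE_1):
    """Active Directory size divided by eDirectory size, row by row."""
    return [ad / ed for _, ed, ad in rows]


def average_ratio(rows=FIGURE_1):
    """Mean of the per-row ratios (the paper's 'twice as much' claim)."""
    ratios = size_ratios(rows)
    return sum(ratios) / len(ratios)


def linear_fit(points):
    """Ordinary least-squares fit y = intercept + slope * x over (x, y) pairs.
    Returns (intercept, slope)."""
    n = len(points)
    mean_x = sum(x for x, _ in points) / n
    mean_y = sum(y for _, y in points) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in points)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in points)
    slope = sxy / sxx
    return mean_y - slope * mean_x, slope


def growth_models(rows=FIGURE_1):
    """Fit both series. Slope is in MB per thousand objects, intercept is the
    fixed overhead of an otherwise empty database."""
    return {
        "eDirectory": linear_fit([(x, ed) for x, ed, _ in rows]),
        "Active Directory": linear_fit([(x, ad) for x, _, ad in rows]),
    }


def estimate_mb(model, objects_in_thousands):
    """Project database size from a fitted (intercept, slope) model.
    Values beyond 1000 (thousand objects) are extrapolations, an assumption
    the table itself cannot confirm."""
    intercept, slope = model
    return intercept + slope * objects_in_thousands


if __name__ == "__main__":
    print("average AD/eDirectory ratio: %.2f" % average_ratio())
    models = growth_models()
    for name, (intercept, slope) in models.items():
        print("%s: %.1f MB fixed + %.2f MB per thousand objects" % (name, intercept, slope))
    # 5 million objects, the order of the Gateway deployment cited above.
    for name, model in models.items():
        print("%s at 5 million objects: about %.0f MB" % (name, estimate_mb(model, 5000)))
```

The slopes, not the raw sizes, are what matter for capacity planning: the fixed overhead of an empty database is paid once, while the per-object cost is multiplied by every identity and its related objects.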



Figure 2 (graph not reproduced)

To achieve anything approaching the scalability of eDirectory requires significantly more hardware for Active Directory, without achieving comparable performance.

Compatibility

Protocol Standards and Application Compatibility

Previously, we discussed that LDAP is the common denominator for directory access. To date, The Open Group lists 22 products as LDAP Certified, including several entries for Novell eDirectory on various operating systems. Currently The Open Group lists no aspect of Active Directory as LDAP Certified. Without this certification, businesses have no assurance that non-Microsoft applications and other directories will interoperate well with Active Directory. In fact, very little is known on the state of Active Directory and certification under the LDAP Certified guidelines. Microsoft has had a rocky past with LDAP compliance, resulting in many products that cannot work with Active Directory using LDAP. Perhaps the best evidence of the gap between Active Directory and the LDAP standard is Microsoft’s publication of a document defending their LDAP support (http://www.microsoft.com/windowsserver2003/techinfo/overview/ldapcomp.mspx). And, consistent with their usual vendor lock-in strategy, Microsoft almost invariably steers developers to use proprietary Active Directory APIs (ADSI) rather than LDAP.

In addition to LDAP, Web applications use DSML to communicate with directories. Both Novell and Microsoft support DSML.
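The DSML mechanism, described in the Protocol Standards section earlier as encoding directory requests within SOAP and mentioned again here as supported by both products, looks like this on the wire. The following Python script is an added example (not code from the white paper, Novell or Microsoft): it builds a DSMLv2 searchRequest inside a SOAP envelope and parses a DSMLv2 batchResponse. The base DN, attribute names and the sample response document are invented for illustration, and the script never contacts a server.

```python
"""DSML-over-SOAP directory access (added example, not Novell's or
Microsoft's code). Builds a DSMLv2 searchRequest inside a SOAP envelope and
parses a DSMLv2 batchResponse. Runs offline against a constructed response."""
import xml.etree.ElementTree as ET

# Namespaces from the DSMLv2 and SOAP 1.1 specifications.
DSML_NS = "urn:oasis:names:tc:DSML:2:0:core"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("dsml", DSML_NS)


def _tag(ns, name):
    return "{%s}%s" % (ns, name)


def build_search_request(base_dn, attr_name, attr_value, attributes, request_id="r1"):
    """Serialize a SOAP envelope carrying one DSMLv2 searchRequest with an
    equalityMatch filter (attr_name = attr_value) and subtree scope.
    Building the tree with ElementTree means attr_value is emitted as escaped
    character data, so a caller-supplied value cannot inject extra elements
    or alter the filter structure."""
    envelope = ET.Element(_tag(SOAP_NS, "Envelope"))
    body = ET.SubElement(envelope, _tag(SOAP_NS, "Body"))
    batch = ET.SubElement(body, _tag(DSML_NS, "batchRequest"))
    search = ET.SubElement(batch, _tag(DSML_NS, "searchRequest"), {
        "requestID": request_id,
        "dn": base_dn,
        "scope": "wholeSubtree",
        "derefAliases": "neverDerefAliases",
    })
    filt = ET.SubElement(search, _tag(DSML_NS, "filter"))
    match = ET.SubElement(filt, _tag(DSML_NS, "equalityMatch"), {"name": attr_name})
    ET.SubElement(match, _tag(DSML_NS, "value")).text = attr_value
    wanted = ET.SubElement(search, _tag(DSML_NS, "attributes"))
    for name in attributes:
        ET.SubElement(wanted, _tag(DSML_NS, "attribute"), {"name": name})
    return ET.tostring(envelope, encoding="unicode")


def parse_search_response(xml_text):
    """Return (result_code, entries) from a DSMLv2 batchResponse, where
    entries maps each DN to a dict of attribute name -> list of values."""
    root = ET.fromstring(xml_text)
    ns = {"dsml": DSML_NS}
    response = root.find(".//dsml:searchResponse", ns)
    if response is None:
        raise ValueError("no searchResponse in document")
    entries = {}
    for entry in response.findall("dsml:searchResultEntry", ns):
        attrs = {}
        for attr in entry.findall("dsml:attr", ns):
            attrs[attr.get("name")] = [v.text or "" for v in attr.findall("dsml:value", ns)]
        entries[entry.get("dn")] = attrs
    code_el = response.find("dsml:searchResultDone/dsml:resultCode", ns)
    result_code = int(code_el.get("code")) if code_el is not None else None
    return result_code, entries


# Constructed response, shaped as a DSMLv2 server would answer the request
# above; the DN and attribute values are invented for the example.
SAMPLE_RESPONSE = f"""<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>
<batchResponse xmlns="{DSML_NS}">
  <searchResponse requestID="r1">
    <searchResultEntry dn="cn=jdoe,ou=people,o=example">
      <attr name="cn"><value>jdoe</value></attr>
      <attr name="mail"><value>jdoe@example.test</value></attr>
    </searchResultEntry>
    <searchResultDone><resultCode code="0" descr="success"/></searchResultDone>
  </searchResponse>
</batchResponse></soap:Body></soap:Envelope>"""


if __name__ == "__main__":
    print(build_search_request("ou=people,o=example", "cn", "jdoe", ["cn", "mail"]))
    code, found = parse_search_response(SAMPLE_RESPONSE)
    print(code, found)
```

Because the request is assembled as an element tree rather than by string formatting, the filter value travels as escaped character data; this is the DSML counterpart of escaping special characters in a string LDAP filter (RFC 4515) before sending it, and it is the check to look for when an exposed directory front end, such as the partner or address-book scenarios listed earlier, accepts search terms from outside the organization.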



Support for additional directory access methods is often not as important as support for LDAP. However, depending on your current and potential applications, as well as your in-house developer expertise, you may need to consider various other protocols. The table below offers some summary comparisons:

Figure 3

ODBC (Open Database Connectivity)
  Novell eDirectory: Novell eDirectory supports ODBC through a client-side driver to allow directory access for standard reporting tools (such as Crystal Reports) or database queries.
  Microsoft Active Directory: There is no ODBC driver for Active Directory. However, an LDAP/ODBC Driver exists. Active Directory’s partial LDAP support may limit this approach.

JDBC* (Java* Database Connectivity)
  Novell eDirectory: A JDBC Driver allows Java programs (applets, servlets, applications or J2EE* application servers) to access eDirectory data.
  Microsoft Active Directory: Active Directory has no JDBC driver. (However, the Novell LDAP JDBC driver can be used to query AD through LDAP.)

JNDI* (Java Naming and Directory Integration)
  Novell eDirectory: The Novell JNDI Provider enables access to eDirectory through JNDI.
  Microsoft Active Directory: The only way to access Active Directory with this protocol is through a JNDI Provider (such as the one from Novell), which uses Active Directory’s limited LDAP support.

JavaBeans* and Enterprise JavaBeans (EJBs)
  Novell eDirectory: Several JavaBeans and EJBs allow the use of eDirectory services in Java applications and J2EE application servers (such as IBM WebSphere* and BEA WebLogic*).
  Microsoft Active Directory: No support other than through LDAP.

ActiveX* Controls
  Novell eDirectory: Novell provides ActiveX controls to access eDirectory via ASP pages, Visual Basic* and Visual Studio applications.
  Microsoft Active Directory: Microsoft has a very rich set of controls for use in Visual Basic, RAD tools and embedded HTML.

ADSI (Active Directory Services Interface)
  Novell eDirectory: Novell has a client-side ADSI provider for eDirectory.
  Microsoft Active Directory: Microsoft pushes their proprietary ADSI for access to Active Directory over standards such as LDAP.

Platform Compatibility

Active Directory supports only the Windows server platform, starting with Windows 2000. In addition, many enhancements to Active Directory in Windows 2003 are not backward compatible to Windows 2000/Active Directory. This compromises the value of key features such as the ability to rename and reorganize the directory. Further, this tight coupling with the Windows server operating system indicates that new features in each version of Active Directory will come with the high cost of operating system—and possibly hardware—upgrades.

Microsoft recently introduced a version of Active Directory that is somewhat less operating system dependent, called Active Directory Application Mode, or AD/AM. AD/AM is useful for testing and deploying identity-enabled applications and can help alleviate some of the inflexibility inherent in an enterprise Active Directory implementation. Once deployed, AD/AM can be used to pass authentication credentials to an existing Active Directory deployment; however, richer integration requires the use of Microsoft’s meta-directory product (and an additional fee for both product and consulting time).



While AD/AM seems to address the necessary decoupling from the Windows operating system, it still does not constitute an effective replacement for a high-end directory service. Rather, AD/AM helps to remove some of the pain of deploying Active Directory for application-specific needs; and it simplifies the development or deployment of applications that rely on Active Directory. Also, even though AD/AM has been decoupled from Windows, it can still only be deployed on Windows 2003 or XP Professional.

A key strength of eDirectory is compatibility with various platforms. This capability allows an organization to select the best platform to meet security and reliability requirements, and to take advantage of the organization’s platform expertise. Novell eDirectory can be hosted from Linux, Windows, HP-UX*, IBM AIX*, Solaris* and NetWare. Novell eDirectory distinctly avoids entanglement with any specific network operating system. While eDirectory can in fact aid in the management of network operating systems such as Linux, Windows and NetWare, much of the flexibility, scalability and manageability of eDirectory result from its independence of any specific platform.

Reliability

Because they play such a critical role in so many businesses, directories are required to provide “dial-tone” reliability.

The version of Active Directory which shipped with Windows 2003 introduced tools that have eased some past manageability problems. However, scalability, reliability and security concerns still plague even the most recent release of Active Directory. To be sure, Microsoft Windows is seldom equated with reliability. And with no option to select a more robust platform such as Linux or any of the high-end UNIX platforms—coupled with the fact that Active Directory cannot be clustered—Active Directory reliability suffers from the reliability of Windows itself.

In contrast, because Novell pioneered the directory services market, it has the industry’s most extensive experience at providing high-end directory services. Novell eDirectory meets the reliability challenge with top-to-bottom guarantors of reliability.

To examine how each offering stacks up, let’s compare the two directory platforms using four criteria: self-maintenance, service continuity, maintenance tools and disaster recovery.

Automated Self-Maintenance

Day-to-day directory operations should be largely self-policing to prevent service interruptions. Automated self-maintenance simply means that the directory has been designed to groom itself in order to prevent data corruption and other problems that are routine within very large, active datasets. Novell eDirectory catches and corrects typical minor errors with no administrator intervention, thereby reducing the frequency of reliance on more powerful maintenance tools.

As an example, consider the directory schema, which defines the possible objects and attributes that can be stored in the directory. Both Novell eDirectory and Microsoft Active Directory allow

administrators to extend their respective directory schemas to accommodate new object types and attributes. However, only eDirectory allows schema extensions to be removed. When an obsolete or erroneous extension is removed from the eDirectory schema, the associated data on existing objects is then automatically removed as well.

In contrast, Active Directory does not allow the removal of schema extensions. In fact, when an administrator tries to extend the Active Directory schema, before he can proceed, he receives this warning: “WARNING: Creating schema objects in the directory is a permanent operation. While these objects may be disabled to prevent their usage, they cannot be deleted and will become a permanent part of your enterprise installation.” This limitation is a prime example of the immature state of Active Directory. If someone without proper permissions bypasses change control procedures (perhaps in the process of deploying a departmental application) and extends the Active Directory schema, those new object classes or attributes are now a permanent addition to the directory infrastructure. Even when the deletion of schema objects makes sense to reduce administrative clutter—such as when a line of business application that required schema extensions is no longer in use—Active Directory cannot accommodate the change.

Continuous Service

In directory services, multi-master replication forms the foundation for horizontal scalability and service continuity. Coupled with layer four switching technology or an LDAP proxy, multi-master replication provides reliability that is limited only by the underlying directory’s architecture.

In 1994, Novell introduced unlimited multi-master directory replication. Today, Novell eDirectory continues to lead the industry in this capability—a difficult-to-engineer yet absolutely critical feature that ensures continuous availability and forms one of the compelling advantages that eDirectory has over any other directory service.

While Active Directory has multi-master replication, there are implementation weaknesses to be aware of. An Active Directory implementation relies on designated “operations master” servers. Operations masters police one of five key functions within the Active Directory system: the schema master manages the schema; the domain naming master enforces domain interaction rules; the RID master ensures uniqueness of object identifiers; the infrastructure master maintains interdomain references between objects; and the PDC emulator processes password changes and synchronizes time among domain controllers. Microsoft introduced the operations master roles as one of the elements to help bring the Windows domain system into a directory model.

Of these operations master servers, the PDC emulator is one of the most vital, because time synchronization is essential for many directory processes to work. The PDC emulator operations master role can be assigned to only one domain controller in each domain. This single point for critical operations presents a significant weakness in Active Directory’s reliability.


While it is true that a standby operations master server can be brought online in the event of an outage, bringing that standby server online is a manual process: the role is transferred from the old holder or, if that holder is permanently lost, seized, after which the original holder must never be returned to service. What's more, Active Directory offers little warning in the event of an operations master server failure. Microsoft's own product documentation states: "Generally, you will notice that a single master operations role holder is unavailable when you try to perform some function controlled by the particular operations master."1 Clearly this approach is not sufficient for a high-end directory deployment.

1 See http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/sag_ADrespondFSMOfailures.asp

Novell eDirectory was designed from the ground up for multi-master replication and does not suffer the Active Directory architectural issues inherited from retrofitting Windows NT* domains as a directory.

Live Maintenance Tools

With critical services like directories, businesses require the ability to immediately bring the system back to full service when problems occur. Ideally, a manager should be able to diagnose and manage directory problems remotely, without the need to bring down the hosting server—and certainly not the entire directory.

Novell eDirectory addresses this issue with maintenance tools that can do much of their work on a live directory server. These tools give a manager the ability to remotely repair errors within the directory, and are optimized to take the directory service offline only during those parts of the repair that require exclusive data access.

The family of eDirectory live maintenance tools includes:

• DSRepair provides real-time maintenance of the directory database. DSRepair can be run against replicas on one server or against multiple servers for tree-wide maintenance. The amount of data to repair can also be scaled from the whole directory down to a single partition, and even a single object. DSRepair runs natively on all supported platforms and is also remotely hosted through the eDirectory administration interface in Novell iManager.

• iMonitor helps to diagnose and troubleshoot core directory functions, such as replication, through the individual directory server. This Web-based tool requires only a browser, so management can be accomplished from any platform.

The live maintenance tools in Novell eDirectory, coupled with its self-maintenance processes, ensure a level of reliability unmatched by any other directory vendor.

Active Directory repairs frequently entail dispatching technicians directly to the host Windows server, and then taking the server offline. Many Active Directory repair processes are only available by rebooting the server in "Directory Services Restore Mode." (Note that this mode is entered with its own local administrator password, set when the domain controller is promoted; it is a privileged credential in its own right and needs the same care as any other.) Whether local or remote, the process of taking directory servers offline for repairs, then restarting those servers, can create much lengthier service disruptions. This may be regarded as an unacceptable option for a piece of infrastructure technology as vital as a directory.

To expedite the repair process (and save network managers undue travel), Microsoft recommends purchasing specialized hardware that enables remote management of offline Windows 200x servers (sometimes called "headless" operation). Certainly it is the unreliability of Windows servers that drives Microsoft to make this recommendation, but it also furthers the uncertainty around Active Directory's ability to play a high-end role.

Disaster Recovery

Recovering a directory should be an absolute last resort, but must be an extremely reliable process for a high-end directory service.

Both Novell eDirectory and Microsoft Active Directory provide traditional backup and restore capabilities to various media types, allowing you to choose a backup plan that suits your organization. However, your high-end directory may require recovery that does better than simply setting you back to the data you had the night before, or whenever your last backup was conducted.

Novell eDirectory offers an essential additional backup capability. Hot Continuous Backup not only creates a complete backup of your directory dataset, but it also functions as a live journaling service, continuously recording all directory data changes from the time you declare that a new backup period should begin. This approach ensures you have an up-to-the-last-second backup of your directory data. Should an immediate recovery be necessary, an administrator can restore everything to the last logged transaction. Complementing its already extensive reliability arsenal, only Novell eDirectory provides this maximum level of recoverability.

Manageability

Regardless of the scale of deployment, the management tools for eDirectory excel in both administration and maintenance, providing several mechanisms for proactive and reactive management.

Creating and maintaining an Active Directory service is a time- and human-resource-intensive operation. As an Active Directory deployment grows larger, trees become "forests," and the issue of managing trusts—the old Achilles' heel of Windows NT domains—becomes more and more troublesome. Microsoft has automated the manual creation of trusts, making Active Directory domains function together more seamlessly, but these trusts still assume specific relationship rules that must be understood in addition to your implementation of rights for directory security. Additionally, the utilities for managing Active Directory reflect a lack of sensitivity to large-scale management needs and a clear slant toward having a homogeneous network.

Adapting to Change

Directories change. Organizations or departments sometimes change names; customer bases may need to merge; subsidiaries are spun out. For large-scale business identity systems, directory flexibility is the key to allowing a high-end directory service to adapt to change.

Active Directory relies on a fairly static, inflexible naming scheme—a legacy combination of NetBIOS and Windows domain naming moved to a DNS paradigm—that precludes any organizational change without serious forethought.


Within an Active Directory forest (the name of a deployed directory system conforming to common schema and naming rules) there are domains and servers. These derive their naming from a DNS naming structure, which is established when the first servers are installed and the directory is first provisioned.

If your naming convention remains static forever, all is well. However, should a time come that you must make structural changes to the directory, Active Directory domain boundaries and naming constraints can present significant barriers. Microsoft's support material strongly discourages such procedures.2

2 See Domain-Rename-Intro.doc hosted on Microsoft.com

Why does Microsoft discourage domain operations? Consider: just one hierarchy change means manually contacting every domain controller in the tree and rebooting those servers, plus two reboots of each member server joined to the domain. An incomplete operation can result in domain controllers and servers unable to communicate with the rest of the network, leaving those parts of the system compromised and unavailable.

Furthermore, this operation is only available in an all-Windows 2003 network. Active Directory deployments involving Windows 2000 domain controllers do not have this option. Additionally, with Microsoft Exchange 2000 involved, changing the domain hierarchy is not possible. Therefore, once you have deployed Active Directory, you must be sure to make all changes before an Exchange implementation. Once Exchange is in place, there is no supported way to change the hierarchy in either Windows 2000 or Windows 2003 Active Directory deployments.

In contrast, since its inception, eDirectory has been extremely flexible. Novell eDirectory allows partition boundaries to be changed as design needs change. Further, the ability of eDirectory to house multiple partitions on a single server provides several advantages, including the ability to easily decommission servers and consolidate directory data. Other options taken for granted by eDirectory managers include:

• Renaming any organizational level of the directory
• Moving entire sub-branches of a directory
• Merging two trees
• Using identity criteria to automatically provision access (dynamic groups).‡

‡ This LDAP feature automatically grants group membership to an identity based on attribute values, such as when a value indicates that a user is a manager or is in the sales department.

Simplicity of Design

Novell eDirectory can be designed for optimal performance for almost any business scenario. The data in an eDirectory system can be custom segmented into partitions and then replicated as needed, which allows tuning for performance and reliability. Should your business needs change, partitioning and replication scenarios can be rearranged accordingly.

Much of the deployment planning for Active Directory revolves around placement of domains and the Global Catalog.

The smallest unit of replication for directory data in Active Directory is a domain (Windows 2003 adds application directory partitions for application data, but a domain's own data cannot be split). In order to host directory data, a Windows server must be a domain controller. A domain controller can only host a single domain. Domains cannot be sub-segmented or consolidated easily. This results in a rigid directory system requiring much more up-front planning to future-proof the deployment.

Many of the Active Directory fixes introduced with Windows 2003 address design flaws with domains and the Global Catalog, in response to customer complaints. The Global Catalog functions much like a directory on top of a directory—it collects and stores a subset of the directory information from the entire directory system (forest). While Microsoft no longer requires a Global Catalog server at each site, inter-domain access still requires the Global Catalog's availability, thereby introducing a failure point to design around.

Directory Management Tools

Various tools exist for managing and maintaining Novell eDirectory. Each platform offers utilities that are consistent with the look and feel of that host operating system (such as Windows, Linux and UNIX). However, the primary tool for eDirectory administration is Novell iManager, providing secure, browser-based directory management.

Novell iManager provides various management views, depending on what aspect of the directory is being managed. For example, for help desk or customer support personnel, iManager can present a task-oriented view and show only the tasks assigned to the logged-on user. For more global administrators, iManager can present a navigable view of the directory tree, allowing fast access to general management of one or multiple directory objects.

To complement iManager, Novell also provides iMonitor, a browser-based maintenance tool for performing diagnostics on your eDirectory servers.

The Microsoft Management Console (MMC) provides a shell application for the management of many Windows features, including Active Directory. Microsoft supplies numerous Active Directory tools and plug-ins for MMC, but these tools are fairly disjointed and most are aimed at per-server administration. For example, repairing the directory requires rebooting the potentially damaged server and running the Active Directory repair tool. Rather than take a holistic approach to repair, the tools force you to perform the repair one server at a time. Management through a directory-wide view (versus per server) requires additional tools from Microsoft or third parties. The condition of Microsoft's directory management tools presents yet another example of how Active Directory was produced for managing Windows, rather than as a high-end directory service.

Delegated Administration

Any management task available in Novell iManager can be delegated, including custom-made management tasks.

Active Directory offers an integrated wizard to delegate administrative tasks, but that tool can only be used for a few, limited administrative functions. For example, you can delegate password management to help desk personnel, but delegating the ability to change other user data (such as a phone number) requires much deeper knowledge of the rights and permissions involved, which is generally a more time-consuming process reserved for skilled administrators.

Support for Common Network Management Tools

Both Microsoft Active Directory and Novell eDirectory allow maintenance via traditional SNMP (Simple Network Management Protocol), allowing established SNMP enterprise tools to manage and monitor a directory deployment. Whichever directory is monitored, SNMP v1 and v2c carry their community strings in the clear, so monitoring access should be confined to a management network or use SNMPv3. Active Directory also has been instrumented for Microsoft Operations Manager, providing integration with Microsoft's Windows-specific management systems.

Securability

An exhaustive security comparison between Novell eDirectory and Microsoft Active Directory is well beyond the scope of this paper. For our purposes, we will consider three aspects to evaluate the securability of each. The first is simply the platforms on which the directory service can be hosted. The second is its access control model and other security parameters, including how the directory takes advantage of security protocols. Finally, we will consider the variety and strength of the authentication mechanisms each directory can support.

Hosting from a Securable Platform

Much can be said of the poor track record Windows has earned with respect to security. Basing a high-end directory deployment on Windows is a risky endeavor, because a directory relies on the operating system as its first line of defense against attackers. Since Active Directory runs only on Windows, the Windows platform largely determines Active Directory's securability. Compromised security on a Windows server may mean exposure of very confidential data. The same holds for any directory host: a server that holds a writable replica is a tier-zero asset, and its compromise is a compromise of the directory, whatever the operating system.

Novell eDirectory allows flexibility as to where the directory can run, based on the expertise in an organization and the inherent securability each platform provides. With eDirectory, you can choose any platform that meets the security needs of the organization—Linux, UNIX, NetWare or Windows.

Access Control Model

Access control, or authorization, deals with who can do what action to which other objects. This is usually determined by what rights (or privileges) a security principal has to the resource being accessed. A security principal is any entity to which rights can be granted. A security principal is most commonly a user or a group of users, but it can also be other object types, such as printers, services or applications. Rights are the rules stating what can or cannot be done to a resource represented in the directory. How security principals and rights are administered and enforced comprises the access control model (or authorization model).

Novell designed eDirectory to have a highly flexible internal access control model. Three notable components of the model are, first, that any object can access other objects as a security principal; second, that access to every object is secured by an access control list (ACL); and third, that the directory hierarchy forms the basis for dynamic rights inheritance. These components allow eDirectory to easily manage complex security relationships between objects.

When an identity in eDirectory attempts to access another resource in the directory, that identity's access rights are dynamically calculated and enforced. Appropriate access is derived from rights assigned directly to the identity for the resource being accessed; from rights assigned to the identity's security equivalences (which include groups and other assignments); and from rights assigned to a container in which the resource resides (rights inheritance).

Rights inheritance is a powerful capability for a directory to provide. It both simplifies the assignment of rights and prevents bloating the directory with redundant data written to multiple objects' access control lists. Among the many patents for innovations established in the eDirectory access control model, rights inheritance is recognized as one of the major capabilities that makes Novell eDirectory unique.

The security model for Active Directory is derived from that of the Windows file system. Every object in Active Directory has an access control list, providing a solid basis for securing directory resources.

However, Microsoft has emulated Novell's rights inheritance by propagation rather than by evaluation at access time. When rights are assigned at the container level, the change is propagated by walking the sub-tree and writing the access control list change on every single subordinate object, potentially affecting hundreds, thousands or tens of millions of access control entries. What should be a simple rights change ends up multiplying the directory data, directly impacting disk storage and memory requirements. It also can generate a flood of replication traffic between servers. Aside from resource issues, what happens to security if a process is interrupted mid-way through writing such a change to ten thousand objects? And when an object is deleted, how intensive a process is it to clean up rights when rights-related references are so pervasive throughout the directory?

The Active Directory security model is also limited to only three security principals: users, groups and computers. Other object types cannot be granted rights to Active Directory resources. In eDirectory, containers are often granted rights to a resource, which allows all the identities within the container to have the same access rights. Because containers are not one of the Active Directory security principals, this cannot be done in Active Directory.

The security principal limitation also reduces the uses to which Active Directory can be applied. While adding new object classes is possible, you cannot make the new objects act as security principals—that is, securely authenticate and access other resources. Therefore, secure uses of Active Directory are limited to those that do not rely on strong trust models in which applications and devices securely authenticate to the directory, as would be required for digital rights management and trusted computing, for example. This detail illustrates very well how Active Directory was designed solely to solve Windows management issues.
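The two authorization strategies contrasted above, worked through in code. This is an added example written for this page; it is not code from the white paper, from eDirectory or from Active Directory, and the DNs, attribute names, group names and rights labels are invented. It computes effective rights from the three sources the text lists (direct ACEs on the object, ACEs granted to the identity's security equivalences, and inheritable ACEs on ancestor containers), treats a container as a trustee, derives a dynamic group from attribute criteria as the footnote under "Adapting to Change" describes, and counts how many object writes one tree-wide grant costs under dynamic inheritance versus per-object stamping, including the case where stamping is interrupted part-way.

```python
"""Dynamic rights inheritance versus per-object ACE stamping.

Added example for this page, not code from the paper or either product.
"dynamic": one inheritable ACE is written on the container and rights are
resolved at access time from the object, the identity's security
equivalences and the ancestors.  "stamped": the grant is copied into the
ACL of every subordinate object.  All names and attributes are invented.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Rights = FrozenSet[str]
ACE = Tuple[str, Rights, bool]          # (trustee DN,  rights, inheritable)

@dataclass
class Entry:
    dn: str
    attrs: Dict[str, str] = field(default_factory=dict)
    acl: List[ACE] = field(default_factory=list)

def parent(dn: str) -> Optional[str]:
    """'cn=a,ou=s,o=x' -> 'ou=s,o=x'; a top-level entry has no parent."""
    _, sep, rest = dn.partition(",")
    return rest if sep else None

def is_container(dn: str) -> bool:
    return dn.split(",", 1)[0].split("=", 1)[0].lower() in ("o", "ou")

class Directory:
    def __init__(self, model: str) -> None:
        assert model in ("dynamic", "stamped")
        self.model = model
        self.entries: Dict[str, Entry] = {}
        self.groups: Dict[str, Set[str]] = {}                # static membership
        self.dynamic_groups: Dict[str, Dict[str, str]] = {}  # attribute criteria
        self.writes = 0                                      # object writes caused by grants

    def add(self, dn: str, **attrs: str) -> None:
        self.entries[dn] = Entry(dn, attrs)

    def subtree(self, base: str) -> List[str]:
        return [dn for dn in self.entries if dn == base or dn.endswith("," + base)]

    def security_equivalences(self, identity: str) -> Set[str]:
        eq = {identity}
        d = parent(identity)
        while d is not None:                 # every container the identity sits in
            eq.add(d)
            d = parent(d)
        eq.update(g for g, members in self.groups.items() if identity in members)
        attrs = self.entries[identity].attrs  # dynamic groups: evaluated now, never stored
        eq.update(g for g, crit in self.dynamic_groups.items()
                  if all(attrs.get(k) == v for k, v in crit.items()))
        return eq

    def grant(self, base: str, trustee: str, rights: Rights,
              stop_after: Optional[int] = None) -> int:
        """Grant `rights` on `base` and all below it; returns objects written.
        `stop_after` simulates the stamping propagation dying after N writes."""
        if self.model == "dynamic":
            self.entries[base].acl.append((trustee, rights, True))
            self.writes += 1
            return 1
        if is_container(trustee):
            raise ValueError("containers are not security principals in the stamped model")
        written = 0
        for dn in self.subtree(base):
            if stop_after is not None and written >= stop_after:
                break                        # interrupted: the rest is never stamped
            self.entries[dn].acl.append((trustee, rights, False))
            written += 1
        self.writes += written
        return written

    def effective_rights(self, identity: str, target: str) -> Rights:
        eq = self.security_equivalences(identity)
        rights: Set[str] = set()
        dn: Optional[str] = target
        while dn is not None:
            for trustee, r, inheritable in self.entries[dn].acl:
                if trustee in eq and (dn == target or inheritable):
                    rights |= r
            # only the dynamic model consults ancestors; a stamped ACL is complete
            dn = parent(dn) if self.model == "dynamic" else None
        return frozenset(rights)

def build(model: str) -> Directory:
    """Constructed tree: two departments, a help-desk group, a dynamic managers group."""
    d = Directory(model)
    for dn in ("o=acme", "ou=sales,o=acme", "ou=eng,o=acme"):
        d.add(dn)
    for i in range(3):
        d.add(f"cn=sales{i},ou=sales,o=acme", department="sales", title="rep")
    d.add("cn=smgr,ou=sales,o=acme", department="sales", title="manager")
    d.add("cn=eng0,ou=eng,o=acme", department="eng", title="dev")
    d.add("cn=bob,ou=eng,o=acme", department="eng", title="dev")
    d.groups["cn=helpdesk,o=acme"] = {"cn=bob,ou=eng,o=acme"}
    d.dynamic_groups["cn=managers,o=acme"] = {"title": "manager"}
    return d
```

With `build("dynamic")`, granting the help-desk group read at `o=acme` is one write and every help-desk member reads every entry; with `build("stamped")` the same grant writes all nine objects, a container cannot be used as a trustee, and a propagation stopped after four writes leaves bob able to read `cn=sales0` but not `cn=sales1`, which is the half-applied state the text asks about.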
One final consideration in examining the Active Directory security model is the hardware needed to meet even the most basic security requirements. In a comparative test on a container of 1 million users, a rights assignment to the parent container produced staggering results that show how poorly Active Directory's security model scales. By granting a single user or group full access control at the parent container, the Active Directory data set swelled by more than 557 megabytes, stamping each object with roughly 558 bytes per user. In the test case, this single rights grant amounted to a 20 percent growth in the Active Directory dataset.

It should also be noted that because the rights assignment involved a write action to each of the million objects, the assignment was far from instantaneous. Though it was difficult to see when all the modifications were complete (we had to check by querying effective rights on objects in the DIB), it appeared to be complete after around 10 minutes.

Novell eDirectory uses dynamic inheritance to apply such a rights modification, and thereby can limit the write action to a single object. Active Directory must stamp each object within the affected container and all its sub-containers. Even the simplest of security scenarios will involve more complex rights assignments than the aforementioned test case, and as such will drive significant hardware requirements for Active Directory.

This brings to bear many questions about using Active Directory for a high-end deployment. Will your directory require a sophisticated access control implementation? If not, are you certain that your security model will remain simplistic as your business use of the directory matures? Have you correctly budgeted hardware to scale to your security needs? Will you be able to withstand the latency associated with every large-scale rights assignment, especially those that involve revoking assignments that have become outdated when you need to re-design your access control implementation? Finally, can your network withstand the replication storms that such changes would necessarily create?

Authentication

In addition to a directory's internal security model and platform options, the authentication mechanisms a high-end directory supports help determine its securability. Authentication is the process of validating that a security principal is indeed who or what it claims to be.

For most people, the most familiar type of authentication is a network or Web site login, and generally passwords form the least common denominator for authentication. Strong authentication consists of non-password methods, such as biometrics (fingerprint, retina scan and voice recognition), token cards and proximity devices, to name a few, as well as authentication that requires multiple factors—perhaps a biometric plus a proximity card. Finally, graded authentication can be implemented to ensure that certain tasks require more credentials than others—for instance, changing a password might require a user to provide a PIN, biometric or other additional credential.
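Graded authentication as described in the paragraph above, worked through in code. This is an added example for this page, not NMAS or Active Directory code and not an API of either product; the method names, the strength scale, the factor categories (something you know, have, are) and the resource policy are invented for illustration. A session is graded by the strongest method it presented, how many distinct factor categories those methods span, and how many methods there were; each resource states the minimum grade it accepts, and the password-change task is modelled as a step-up that needs a second credential on top of the login.

```python
"""Graded authentication: what a principal may do depends on how it logged in.

Added example for this page; not NMAS code and not an API of either product.
Method names, strength scale, factor categories and the policy are invented.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# factor category of each method: something you know / have / are
FACTOR: Dict[str, str] = {
    "password": "know", "pin": "know",
    "proximity_card": "have", "certificate": "have",
    "fingerprint": "are", "retina": "are",
}
# relative strength of a single method (1 = weakest); invented scale
STRENGTH: Dict[str, int] = {
    "password": 1, "pin": 1, "proximity_card": 2,
    "certificate": 3, "fingerprint": 3, "retina": 3,
}

@dataclass(frozen=True)
class Requirement:
    min_strength: int        # strongest method presented must reach this
    min_factors: int = 1     # distinct factor categories required
    min_methods: int = 1     # distinct methods required (step-up tasks)

# resource -> what a session must have proven (invented policy)
POLICY: Dict[str, Requirement] = {
    "finance/general": Requirement(min_strength=1),
    "finance/projects": Requirement(min_strength=3),                # biometric or certificate
    "finance/payroll": Requirement(min_strength=3, min_factors=2),  # e.g. certificate + fingerprint
    "self/change-password": Requirement(min_strength=1, min_methods=2),  # login + PIN suffices
}

@dataclass(frozen=True)
class Session:
    principal: str
    methods: FrozenSet[str]

    def grade(self) -> Tuple[int, int, int]:
        """(strength, factors, methods); an unrecognised method counts for nothing."""
        known = [m for m in self.methods if m in STRENGTH]
        strength = max((STRENGTH[m] for m in known), default=0)
        factors = len({FACTOR[m] for m in known})
        return strength, factors, len(known)

def satisfies(session: Session, req: Requirement) -> bool:
    strength, factors, methods = session.grade()
    return (strength >= req.min_strength and factors >= req.min_factors
            and methods >= req.min_methods)

def authorized(session: Session, resource: str) -> bool:
    """Fail closed: a resource with no policy entry is never accessible."""
    req = POLICY.get(resource)
    return req is not None and satisfies(session, req)

def accessible(session: Session) -> List[str]:
    return sorted(r for r in POLICY if authorized(session, r))

def step_up(session: Session, method: str) -> Session:
    """Re-grade after the user presents one more credential mid-session."""
    return Session(session.principal, session.methods | {method})
```

A password-only session reaches only `finance/general`; adding a fingerprint (a second factor of strength 3) opens the project and payroll data and the password-change task, while a certificate alone reaches the project data but not payroll, because it is still a single factor. Unknown resources and unknown methods both fall to deny.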


Both Active Directory and eDirectory support a range of authentication options, such as simple passwords (including SHA-1 and MD5 password hashing), PKI, biometrics, smart cards, tokens, etc. (An unsalted SHA-1 or MD5 hash is no longer an adequate way to store a password; both are fast enough to brute-force at scale, so a slow, salted password hash should be preferred wherever the directory offers one.) Novell eDirectory, however, offers a distinct advantage in the flexibility of its authentication framework.

The eDirectory component that facilitates strong authentication is Novell Modular Authentication Service (NMAS™). Besides supporting virtually any existing credential type, and being quickly adaptable to new authentication methods, NMAS supports graded authentication. NMAS allows a user's access rights to depend on the method of authentication or the combination of several methods. For example, an accounting employee who uses a simple password to log on to the corporate network may only be granted access to general departmental financial information, whereas logging in with a biometric or a digital certificate or both would grant that same employee access to more detailed financial data about specific projects or individuals. This capability gives businesses the choice of securing applications, network resources and sensitive corporate data with the method or combination of authentication methods that best suits organizational policies and objectives.

While Microsoft Active Directory offers a breadth of authentication options, it does not offer graded authentication based on multiple factors.

To summarize our short examination of the securability of both Active Directory and eDirectory, we find once again that Active Directory reveals Microsoft's inability to adequately address the full requirements of high-end directory services. On the other hand, Novell eDirectory gives businesses flexibility in host platform options, its internal authorization model and its authentication capabilities. Once again, eDirectory can be adapted to the needs of your business, rather than forcing the opposite.

SUMMARY

The role of directories in information technology has grown to become a fundamental piece of infrastructure and the foundation for an organization's ability to manage the identities that make business work. A high-end directory provides the authoritative source for all identity-driven services; and scalability, compatibility, reliability, manageability and securability are the requirement categories for identifying such a directory.

Novell eDirectory has grown from a foundation that is secure, reliable and scalable, while adapting to emerging standards and meeting the needs of developers. From LDAP to SOAP and from a strong and flexible security model to unmatched scalability, eDirectory is the unparalleled leader in the high-end directory space.

Active Directory, in its second generation (as opposed to eDirectory in its eighth), struggles to simply meet the needs of the network operating system for which it was built. Meeting the needs of the high-end directory market is still a far sight from the current iteration of Active Directory.

For many organizations, having Windows servers for line-of-business applications requires having Active Directory in some form or other. While this may be the case, it is important to recognize that Active Directory is a network operating system directory and cannot effectively fill the role of a high-end directory service.

In contrast, Novell eDirectory fills the high-end need. And through meta-directory technologies such as Novell Nsure Identity Manager, eDirectory can integrate an Active Directory deployment with many other identity-enabled systems, such as Oracle*, PeopleSoft* and SAP*. Such an approach assures that Active Directory can be managed appropriately for the services it provides.

When compared head-to-head with Microsoft Active Directory, Novell eDirectory:

• Provides unmatched scalability, which has been demonstrated to 1 billion identities and backs many of the world's largest identity management systems.
• Assures better compatibility with its LDAP Certified distinction, as well as support for a variety of other directory access standards.
• Comprises better reliability, thanks to automated self-repair, multi-master replication, live maintenance tools and disaster recovery tools.
• Excels in manageability—having complete, well-thought-out management tools, and allowing organizations to easily tune and adapt eDirectory to accommodate changing business requirements.
• Offers much better securability through its host platforms, access control model and authentication options.

Novell eDirectory is the industry's best choice for large-scale, high-end directory deployments, providing an identity cornerstone for the enterprise and the Internet that can grow and adapt to meet the demands of your business today and tomorrow.

For more information about Novell eDirectory, go to www.novell.com/edirectory. You can also contact one of thousands of Novell partners worldwide or contact Novell directly at 1-888-321-4CRC (4272).

Novell Product Training and Support Services: for more information about Novell's worldwide product training, certification programs, consulting and technical support services, please visit www.novell.com/ngage.

For More Information: contact your local Novell Solutions Provider, or visit the Novell Web site at www.novell.com. You may also call Novell at 1 888 321 4272 (US/Canada), 1 801 861 4272 (Worldwide) or 1 801 861 8473 (Facsimile).

Novell, Inc., 404 Wyman Street, Waltham, MA 02451 USA. www.novell.com

© 2004 Novell, Inc. All rights reserved. Novell, the Novell logo, NetWare, NDS and Novell Directory Services are registered trademarks, and eDirectory, NMAS and the N logo are trademarks of Novell, Inc. in the United States and other countries.

*Active Directory, ActiveX, Microsoft, Visual Basic, Windows and Windows NT are registered trademarks of Microsoft Corporation. Linux is a registered trademark of Linus Torvalds. UNIX is a registered trademark of X/Open, Ltd. AIX, IBM, Tivoli Enterprise Console and WebSphere are registered trademarks of IBM Corporation. HP, HP-UX and OpenView are registered trademarks of Hewlett-Packard Company. Unicenter is a registered trademark of Computer Associates International, Inc. Java and Solaris are registered trademarks, and J2EE, JavaBeans, JDBC and JNDI are trademarks of Sun Microsystems, Inc. BEA and WebLogic are registered trademarks of BEA Systems, Inc. Oracle is a registered trademark of Oracle Corporation. PeopleSoft is a registered trademark of PeopleSoft, Inc. SAP is a registered trademark of SAP AG. All other third-party trademarks are the property of their respective owners.

462-001396-002