Evolution of the Microsoft NOS (Active Directory)
Network operating system, or "NOS", is the term used to describe a networked environment
in which various types of resources, such as user, group, and computer accounts,
are stored in a central repository that is controlled by administrators and accessible to
end users. Typically, a NOS environment consists of one or more servers that provide
NOS services, such as authentication, authorization, and account manipulation, and multiple
end users who access those services.
Microsoft's first integrated NOS environment became available in 1993 with the release of
Windows NT 3.1, which combined many features of the LAN Manager protocols and the OS/2
operating system. The NT NOS slowly evolved over the next four years until Active
Directory was first released in beta form in 1997.
Under Windows NT, the "domain" concept was introduced, providing a way to group resources
based on administrative and security boundaries. NT domains were flat structures limited
to about 40,000 objects (users, groups, and computers). For large organizations, this
limitation imposed artificial boundaries on the design of the domain structure. Often,
domains were geographically limited as well, because the replication of data between domain
controllers (i.e., the servers providing the NOS services to end users) performed poorly over
high-latency or low-bandwidth links. Another significant problem with the NT NOS was
delegation of administration, which was effectively all-or-nothing at the domain level:
there was no built-in way to grant an administrator control over a subset of a domain's
accounts without granting control over all of them.
Microsoft was well aware of these limitations and the need to rearchitect its NOS model
into something that would be much more scalable and flexible. It looked to LDAP-based
directory services as a possible solution.
A Brief History of Directories
In general terms, a directory service is a repository of network, application, or
NOS information that is useful to multiple applications or users. Under this definition,
the Windows NT NOS is a type of directory service. In fact, there are many different
types of directories, including Internet white pages, email systems, and even the
Domain Name System (DNS). Although each of these has characteristics of a directory
service, X.500 and the Lightweight Directory Access Protocol (LDAP) define the standards
for how a true directory service is implemented and accessed.
In 1988, the International Telecommunication Union (ITU) and the International Organization
for Standardization (ISO) teamed up to develop a series of standards around directory
services, which has come to be known as X.500. While X.500 proved to be a good model
for structuring a directory and provided a lot of functionality around advanced operations
for security, it was difficult to implement clients that could utilize it. One reason
is that X.500 is based on the Open Systems Interconnection (OSI) protocol stack instead
of TCP/IP, which had become the standard for the Internet. The X.500 Directory Access
Protocol (DAP) was also very complex and implemented many features most clients never needed.
This prevented large-scale adoption. It was for this reason that a group headed by the
University of Michigan started work on a "lightweight" X.500 access protocol that would
make X.500 easier to utilize.
The first version of the Lightweight Directory Access Protocol (LDAP) was released in
1993 as Request for Comments (RFC) 1487 (http://www.ietf.org/rfc/rfc1487.txt), but due
to the absence of many features provided by X.500, it never really took off. It wasn't
until LDAPv2 was released in 1995 as RFC 1777 that LDAP started to gain popularity.
Until then, LDAP clients interfaced with an LDAP gateway, which translated their requests
into DAP and submitted them to the X.500 server. The University of Michigan team reasoned that if
LDAP could provide most of the functionality necessary to most clients, they could
remove the middleman (the gateway) and develop an LDAP-enabled directory server. This
directory server could use many of the concepts from X.500, including the data model,
but would leave out the overhead resulting from the numerous features X.500 implemented.
Thus, the first LDAP directory server was released in late 1995 by the University of
Michigan team, and it became the basis for many future directory servers.
In 1997, the last major update to the LDAP specification, LDAPv3, was described in
RFC 2251. It provided several new features and made LDAP robust enough and extensible
enough to be suitable for most vendors to implement. Since then, companies and projects such as
Netscape, Sun, Novell, IBM, the OpenLDAP Foundation, and Microsoft have developed
LDAP-based directory servers. Most recently, RFC 3377 was released, which lists all
of the major LDAPv3 RFCs. For a Microsoft whitepaper on its LDAPv3 implementation and
conformance, refer to this website (http://bit.ly/11k4B38).