Directories and Windows

What is the single biggest thing that has so far held Windows back from becoming the operating system of choice for large-scale distributed systems? There's no question in my mind that the answer is the lack of a decent directory service. Anyone who has done anything with DCOM has found out that in order to use remote components, you had to copy the executable onto your local machine and then run DCOMcnfg to turn the entry in your registry into a remote reference. The end result is that every single remote component is independently registered in every single client registry, so that you have a completely unmanageable mesh. Or mess, even.

What you really need is a mechanism whereby you can make a simple call to some directory service to say, "Can you find me the nearest copy of an object with UUID x?" Maybe it would even instantiate the object and return to you a pointer to the interface you asked for. This would be something pretty close to nirvana. The good news is that it's on its way. But before we talk about that, let's step back a bit and take a look at directory services in general, because it's not just components that we're interested in finding. This is, after all, a book about distributed systems, and we might want to get hold of all sorts of things…

What is the difference between a directory service and a conventional database? To answer this question, I can do no better than to quote from the University of Michigan's Administrator's Guide to SLAPD and SLURPD, the stand-alone LDAP (Lightweight Directory Access Protocol) server daemon and its replication daemon, which together make up the standard LDAP implementation under Unix:

A directory is like a database, but tends to contain more descriptive, attribute-based information. The information in a directory is generally read much more often than it is written. As a consequence, directories don't usually implement the complicated transaction or rollback schemes regular databases use for doing high-volume complex updates. Directory updates are typically simple all-or-nothing changes, if they are allowed at all. Directories are tuned to give quick-response to high-volume lookup or search operations. They may have the ability to replicate information widely in order to increase availability and reliability, while reducing response time. When directory information is replicated, temporary inconsistencies between the replicas may be OK, as long as they get in sync eventually.

Sounds cool? Let's have a look at Active Directory, then.

One word of warning before we dive in, though. This is a very big subject, and we can't hope to cover it all in one chapter. In the very near future, I predict that there will be whole books devoted to the subject, and a substantial number of people charging very high fees for setting up and managing directories on Windows installations. It's also one of those technologies (like the Internet) that Microsoft have chosen to realign considerable parts of Windows around — indeed, recent versions of NT (from 5.0 beta 1 on) fire up with the banner "Windows NT with Active Directory" (my italics).

We're going to start off the chapter by taking a look at the Active Directory Services Interfaces (ADSI), which we'll use to develop a little program to trawl through a directory and see what we find. As we go along, we'll discuss what we find out about the structure of Active Directory. Later in the chapter, we'll take a look at LDAP (Lightweight Directory Access Protocol) and develop a program to search for objects through Active Directory.
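The two programs this chapter promises, a directory walk over ADSI and an LDAP search for objects, look like this today. This is an added example, not code from the book; it assumes Windows PowerShell with System.DirectoryServices, a machine that is a member of a domain for the LDAP half, and an account allowed to read the directory. The function names, the (objectClass=computer) filter and the attribute list are my own choices.

```powershell
# Added example, not code from the book. Needs Windows PowerShell, an account
# that may read the directory, and (for Find-DirectoryObject) domain membership.

# Part 1: the WinNT provider. Works on a standalone box with no domain at all;
# it exposes the local SAM as a tree of users, groups and services, which is
# the "trawl through a directory" walk the chapter describes.
function Get-AdsiChildren {
    param([string]$AdsPath = "WinNT://$env:COMPUTERNAME")   # assumed default
    $root = [ADSI]$AdsPath
    foreach ($child in $root.Children) {
        [pscustomobject]@{
            Class = $child.SchemaClassName   # e.g. User, Group, Service
            Name  = $child.Name
            Path  = $child.Path              # the ADsPath you would bind to next
        }
    }
}

# Part 2: the LDAP provider. Ask RootDSE where the domain naming context is,
# then search it. This is the "find me an object" call the chapter wants.
# $Filter is an RFC 2254 filter; attribute names are lower-cased because
# that is how SearchResult.Properties keys them.
function Find-DirectoryObject {
    param(
        [string]$Filter = "(objectClass=computer)",                # assumed default
        [string[]]$Properties = @("cn", "dnshostname", "whencreated")
    )
    $rootDse = [ADSI]"LDAP://RootDSE"
    $base = [ADSI]("LDAP://" + [string]$rootDse.defaultNamingContext)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base, $Filter)
    $searcher.PageSize = 200     # paged results, so a big directory is not cut off at the server limit
    $searcher.PropertiesToLoad.AddRange($Properties)
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $row = [ordered]@{ Path = $r.Path }
            foreach ($p in $Properties) {
                $row[$p] = $r.Properties[$p] | Select-Object -First 1
            }
            [pscustomobject]$row
        }
    }
    finally {
        $results.Dispose()       # FindAll holds server-side state until disposed
        $searcher.Dispose()
    }
}

Get-AdsiChildren | Format-Table -AutoSize
Find-DirectoryObject | Format-Table -AutoSize
```

One caveat worth keeping in mind as you run it: everything these two functions return comes back to any account that has read access to the directory, and by default that is every authenticated user. The same walk is the first thing a domain-joined attacker does, so what a directory reveals to an ordinary reader is a design decision, not an implementation detail.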

The examples shown in the first part of the chapter can be tried under either NT4 or NT5, but if you want to try out the examples in the LDAP sections in the latter part of this chapter, you'll need to get hold of a copy of NT5. The examples here were tested under NT5 beta 1. In order to build the sample applications, you'll also need to have the Windows Platform SDK installed. You can download this from http://www.microsoft.com, or alternatively, if you're in the MSDN program, it's on one of the CDs.

Active Directory isn't part of the standard Windows NT4 release. However, you can download an NT4-compatible implementation of version 1.0 of it from http://www.microsoft.com. This includes all the binaries for accessing it, plus the WinNT provider. It also claims to have an LDAP provider, but, at the time of writing, this is just a dummy.

© 1998 by Wrox Press. All rights reserved.