A White Paper


Contents

    NT Namespace
      Complex Trust Relationships
    NIS+ Namespace
    Administration
      NIS+
      Remote Administration
    Security
      NT
      NIS+
      C2-level Security
    Reliability
      NIS+
    TCP/IP and the Internet
      NT Requires DHCP and WINS to run TCP/IP
      NT Requires separate DNS server to connect with Internet
    Enterprise Naming Services
      Domain Partitioning
      Extensible directory
      XFN/API support
      Remote Authentication
    Summary

We know that NT doesn't have an enterprise naming service, but if you listen to Microsoft, you'll hear that NT maintains the same type of data sets and performs the majority of functions expected of an enterprise naming service; it just doesn't do it with a single, structured database.

This paper looks at how NT Directory Services [1] stack up against NIS+. You'll see how the namespaces differ between NT and NIS+ environments and discover many of NT's shortcomings with large, enterprise network environments.

You should be familiar with NIS+ and enterprise naming services in general. A glossary defining some of the terms used appears at the end of this paper.

Windows NT--What Is it?

Windows NT was designed as an all-things-in-one product - desktop operating system, dedicated application server, peer-to-peer server and network server. One product cannot do everything well and this unclear positioning has created problems for Microsoft in communicating Windows NT's role to its customers.

In September of 1994, Microsoft announced Windows NT 3.5, the first major upgrade to the Windows NT product line. It comes in two versions: Windows NT Workstation and Windows NT Server.

Windows NT Server was added to address some major weaknesses in the original NT environment but it still does not provide the new services or features customers need for networking in the 1990s. Modeled after UNIX and OS/2, NT Server provides a general-purpose server platform for use as an application server and a basic file and print server. It falls short, however, where a high-performance server architecture is needed for client-server computing and advanced network services such as a distributed directory, fault tolerance and integrated messaging.

Microsoft is making another significant change to the NT architecture, code-named Cairo. As Microsoft's fourth attempt at networking architectures, Cairo is supposed to offer the advanced enterprise naming services and the other necessary network services that Solaris and NIS+ have today. Cairo -- not expected until 1997 -- probably will not be stable enough for business-critical tasks for at least a year after its release while the inevitable bugs are worked out and people figure out how to transition to yet another major network architectural change.

NIS+ is already four years ahead of Cairo and gaining. The ability to provide Solaris customers evolutionary growth is directly attributed to the advanced design of NIS+. It was designed specifically to support network services and to provide optimal performance in an enterprise-wide, client/server environment.

NT Namespace

NT domains are autonomous entities within the enterprise. While you can create separate domains for each organizational unit in the enterprise, NT doesn't have a way to relate the domains to each other beyond a simple one-to-one trust relationship. You could build a series of trusts down the org chart to reach the small division at the bottom, but since trusts are not inherited, the best you would achieve is a rigid chain of command where subordinates are only known to their immediate superiors. Since NT domains use a simple flat database [2] to maintain user account records, it is not possible to set up a hierarchy within a single domain either.

Complex Trust Relationships

While there is no reason why a single NT domain can't span multiple locations, once a WAN is introduced or the number of users gets very large [3], dividing the network into multiple domains is required.

When multiple domains exist in the enterprise, trust relationships are set up to make it possible for a user to access files, printers and other resources throughout the enterprise where trusts are established and permissions exist. Microsoft recommends the complete trust model for large organizations that don't maintain a central IS function. Other NT domain models are single, master and multiple master.

The number of trust relationships that need to be established grows quadratically as each new domain is added. A network with n domains can have up to n(n-1) trust relationships. For example, a network with 10 domains can have 90 trust relationships, a network with 20 domains can have 380 trust relationships, and a network with 30 domains can have 870 trust relationships.

Limited to users and devices

NT directory services track only two types of network objects - users and devices. NT's domain directory cannot contain more than IDs, passwords and basic security profile information.

Non-hierarchical

The closest NT can come to reflecting any type of organizational hierarchy is a two-tier structure using a master or multiple master trust model. But this still isn't a hierarchy, since the two trusting domains never form a parent/child relationship - they always remain peers. Consequently, NT is best suited for a highly autonomous organizational structure where there is no need to match the network to the dynamic organization.

NIS+ Namespace

NIS+ provides an easy way to map the entire enterprise network to the global organization. Depending upon the desires of the individual business units, any number of administrative domains can be created along the lines of the org chart. Directories, tables and groups within the domain make it possible to refine the hierarchy into even greater detail. This gives administrators control over local resources and user accounts yet makes it possible for users and resources to operate seamlessly across the entire enterprise.

Contains all network resources

Since NIS+ creates a unified, enterprise-wide namespace, it is possible to locate any resource or user by name regardless of their actual location. NIS+ servers cooperate with each other to provide users with the location of the resource they are looking for. Once known, the user can use that address to directly access the resource from anywhere in the enterprise.

Matches dynamic corporate organization

Networks can be organized along flexible, intuitive lines. NIS+ makes it easy for administrators to manage the network from anywhere in the enterprise. Simple procedures let administrators add and relocate resources and users, and create, partition and merge domains to reflect changes in the organization. There is no need to bother with any domains not directly affected by the changes, since NIS+ will automatically direct a user to the new location of a resource after it has been moved.

Administration

Under NT, servers can be a member of only one domain and cannot be moved without being totally reinstalled. This is because all servers in a domain are also domain controllers sharing a common user account database and security policy. One server functions as the primary domain controller (PDC) while all others are backup domain controllers. The idea here is to improve login performance and have a ready source of backup controllers should the PDC fail. The downside is that all servers, including database, file, and print servers, have to give up cycles to handle login requests and domain directory database updates.

NT domains cannot be split or partitioned. To accomplish this you have to create a new domain and move resources one-at-a-time to the new domain.

With the right trust relationships in place, most administrative functions can be performed from anywhere in the enterprise. However, certain set-up functions require direct access, making it difficult to maintain an isolated domain in the enterprise. Remote installations require that appropriate trust relationships are in place before an administrator in one domain can set up or access resources in another domain. If the new server is going to be used to create a new domain, however, you should have direct access to the server. This is because a new domain can only be created by installing Windows NT Server on a computer that is not part of another domain.

NIS+

NIS+ servers can handle more than one domain. This is possible since the master server is not a member of the domain it serves. Replicas are members of the domain they service but can also serve as masters of other domains provided the new domains are below the domain the replicas are serving. This scheme sets up NIS+'s hierarchical domain structure by giving each domain a true link to the one above it.

A major strength of NIS+ is the ease with which a domain can be subdivided and partitioned.

NIS+ makes it possible to centralize some network administration tasks while giving domain administrators autonomous control of other parts of the network. For example, the HR department could be responsible for creating, updating and removing user accounts whenever a personnel action so dictates while the local domain administrator controls domain resources and user security functions.

Remote Administration

Both NT and NIS+ provide administrators with remote, dial-in capabilities. While NIS+ places no restrictions on what can be done - either via dial-in or direct network link - NT places several limits on remote administration.

NT lets administrators perform many operations via a dial-in connection; however, a few basic functions require direct access and cannot be done remotely. A special process must be set up on the NT server before dial-in access is permitted. Because of the way NT handles user authentication, this service carries its own administration requirements and is more restrictive than a normal LAN or WAN link.

Security

Under both NT and NIS+, a user only needs to log into the system once to access network resources. Both systems require that a valid user ID and password be entered in this process. Passwords are encrypted to prevent unauthorized access.

NT

NT's validation [4] process is a one-time check of a user's credentials. This check can take place at the workstation or on any server in the domain. If a user attempts to log into a domain they are not a member of, the domain controller will poll the PDCs of its trusted domains to validate the login. Successful validation produces an access token that is used from that point forward. This is the only practical way NT can handle cross-domain authentication; however, access tokens are not encrypted, can be intercepted, and can be impersonated.

From the user's perspective, file and print service access controls appear to be very similar in either system; however, there are some distinct differences in the way NT handles resource-level security.

Limited to individual files and print services

NT's security is based on an application model where access control to individual files and print services is the goal. Consequently, any valid user is pretty much free to access any server on the domain or trusting domains, viewing its directory and any other public areas. NT's resource-level security kicks in when a user attempts to view, edit, or delete an individual file on the server. This is accomplished through a set of access controls established by the resource owner and based on the credentials contained in the access tokens.

Both NT and NIS+ use group schemes to facilitate setting up and managing access rights. NT has an interesting global group that works with trusted domains in a special way, but otherwise a group is a group.

Password encryption

The first line of defense in NT and NIS+ is the user password. Both services use password encryption, aging and lockout to keep unauthorized users out. Auditing and reporting facilities are provided to monitor the system and track down any security breaches.

NT uses DES encryption for passwords. After initial login validation, the password is not needed again thereby minimizing the number of times it has to be transmitted across the network. In fact with SAM database caching on local workstations, it is possible to set up an NT network where sending the password across the network is the exception rather than the rule. Strangely, NT permits the use of blank passwords and the storing of passwords in login scripts making it fairly easy for users to bypass this primary security feature.

NT uses encryption only with passwords. Encrypting other directory or registry data requires the use of a third party product.

NIS+

NIS+'s authentication process puts more burden on the NIS+ servers but ensures that each request is properly authenticated before proceeding. Caching at the local server speeds up this process so that performance actually improves over time.

NIS+'s directory-based authorization controls provide a greater degree of control over all resources in the enterprise. Security is handled in one place making it easier to maintain and control.

C2-level Security

The U.S. Department of Defense (DoD) criteria for C2-level security [5] are a popular model used to establish minimum requirements for a secure operating system. While C2 security is a requirement of many U.S. government installations, its value extends to any organization concerned about the security of its information.

NT was designed from the ground up with C2-level security in mind. Microsoft received C2-level certification for the NT workstation and NT server in July 1995. C2-level certification for NT network is expected this year.

Solaris 2.x with NIS+ is C2-level compliant. Equivalent ITSEC certification (E2/FC2) for Solaris/NIS+ is expected this year.

Reliability

Both NT and NIS+ provide a way to create and maintain active duplicates of the domain directory. The philosophy is the same but implementations differ greatly.

Under NT, all servers in the domain maintain a copy of the domain directory. Every 5 minutes, the PDC sends a copy of all directory records that have been changed to all the other servers in the domain. The frequency can be changed by the administrator, but every server will get frequent, periodic messages from the PDC with changes, including "no changes", as long as the PDC is functioning. The administrator can manually force a replication to resync all servers should a failure occur.

Manual Recovery

Whenever the PDC fails, any server on the domain can be promoted to PDC. The process is not automatic, requiring manual intervention by a network administrator.

NIS+

Under NIS+, only designated "replica" servers are involved in the update process. As changes to the domain directory occur, the master server sends a copy of the change transaction to the replica servers. Since many changes involve only a minor modification to an existing directory record, sending only the change transaction can cut down on network traffic and improve performance significantly over record or directory based replication schemes.

Automatic Recovery

If either the master or a replica goes off line, it will automatically request updates after it comes back on line. Manual intervention is not required but is available to force synchronization.

TCP/IP and the Internet

NT was designed around IPX/SPX and NetBEUI network protocols. It supports NWLINK, DLC, and TCP/IP via special services that have to be run in addition to the standard NT domain services.

NT Requires DHCP and WINS to run TCP/IP

Microsoft wanted a system that could handle 250,000 people moving their laptops around from office to office without dealing with a local administrator. TCP/IP held the answer, but they felt that standard DNS implementations had some drawbacks, especially since NT directory services were not configured to handle this type of naming. The solution was to add a Dynamic Host Configuration Protocol (DHCP) server to the NT network to handle the assignment of IP addresses and a Windows Internet Naming Service (WINS) [6] to handle the dynamic mapping of names to IP addresses.

DHCP

The DHCP server maintains a collection of addresses and assigns them to users based on three allocation policies: manual, automatic, and dynamic. Manual assignment requires that an administrator make the assignment. Automatic assignment makes the assignment without operator intervention. Both of these result in a permanent mapping of an IP address to a client. Dynamic allocation "leases" an IP address to a client for a specified period and then makes that address available to other clients seeking an IP address.

WINS

WINS provides dynamic name resolution services to NT system users operating a TCP/IP network. As computers are moved about the network, WINS tracks the move and updates the mapping of IP addresses to resource NetBIOS names. After a client receives an IP address from the DHCP server, it sends a copy of this address and its chosen name to the WINS server asking for a listing. If all goes well, the WINS server responds affirmatively and sends along a time limit for the listing. The WINS listing must also be renewed like the DHCP lease.

DHCP and WINS servers are additions to the NT domain, not a replacement for the PDC or backup domain servers. Therefore, running NT under TCP/IP requires management of at least three servers per TCP/IP domain.

NT Requires separate DNS server to connect with Internet

While WINS and DHCP handle all of the TCP/IP naming functions for the NT network, they are not a substitute for a DNS server. DNS is still necessary if you want to provide Internet services to users on an NT network.

Microsoft provides a DNS for NT servers. This version looks and behaves in all respects like a conventional Internet Domain Name Service and is also capable of referring name lookups to the WINS server. In this way dynamic updates appearing on the WINS server will also appear on the DNS server. You can also set up a separate UNIX-based DNS server on the NT network and WINS will treat it like any other NT network resource.

Microsoft Network (MSN)

MSN is not required for Internet access. MSN is Microsoft's browser for their commercial service, which includes Internet access for users running Windows NT Workstation or Windows 95. NT Servers can function as Internet servers without the presence of MSN.

Enterprise Naming Services

Enterprise naming services provide global access to all network resources regardless of where the resources are physically located, forming a single information system for users, applications, and other network resources. It is the foundation upon which the distributed computing environment of tomorrow can evolve.

Cairo

Microsoft is currently developing a new directory service system with functions and features strikingly similar to NIS+. What better admission of the inadequacy of NT Directory Services? However, the new functions will not be available until the release of Cairo in 1997 or later. This version will incorporate a totally new directory service to satisfy the needs of large scale enterprise networks.

The NT domain directory will be combined with the file system to give NT a unified namespace and a single database for all network resource information. The database will be extensible, able to store anything that can be stored in a file system today. Full query capabilities will also be provided. [7]

Not much more is available regarding how Microsoft intends to implement Cairo's new directory services. Until then, NT users will have to settle for a primitive naming service and a whole slew of applets providing stopgap fixes. But why wait for Cairo? Solaris and NIS+ do it all today!

Some of the features and functions of a robust enterprise naming service that are currently available with NIS+ and only promised for NT include:

Domain Partitioning

Domains can neither be merged nor divided under NT. The only way to handle a split is to create a new domain, establish the appropriate trust relationships, and then populate the new domain with users and resources from the old domain. Since there is no way to batch the moves, each add and delete has to be accomplished manually.

Extensible directory

A problem facing any large enterprise today is the plethora of directories that crop up to handle email, groupware, and client/server applications. By making it possible to add email aliases, phone numbers, personal profile information, or any other data they'd like to the naming service database, organizations can consolidate the various directories currently being maintained into a centrally managed NIS+ directory.

NT's domain directory is a fixed, flat file system. The registry offers NT users a hierarchical database with lots of extensibility; however, this database is not centralized and contains no internal security controls to make it useful as an enterprise naming service. NT users need to wait for Cairo to get an extensible naming service.

XFN/API support

Organizations wanting to operate lean and capitalize on emerging technologies need an enterprise naming server that supports a variety of applications including the new three-level client/server workgroup systems that are starting to appear. While administrators have grumbled about the command-level operation of NIS+, this foundation has created a rich API for this naming service. Coupling the API with an extensible directory, NIS+ can support a full spectrum of applications coming on-line today.

Federated naming with NIS+ provides integrated and consistent support of multivendor naming systems, including global and enterprise naming services supporting hosts, users, and specialized naming systems for mail, PIMs, and other groupware.

GUI = Easy to use but sacrifices power

Microsoft wanted to make NT very easy to maintain and designed the entire operating system to be run via the Windows GUI. NT does have a set of macro commands to facilitate remote administration; however, these are not designed to be run by applications outside of the operating system. For application interface support, Microsoft wants to make OLE the standard for all Windows systems. Unfortunately, creating OLE objects that link applications to NT domain directory information has not been a big success. OLE links to the registry are available; however, the Registry is only good for running start-up scripts and providing information about the hardware and software configuration of a specific platform.

Remote Authentication

Remote authentication is a much requested feature of enterprise naming services. Among other things, this function facilitates single login in a distributed environment.

Summary

Enterprise naming services are evolving beyond the old parameters - they're more scalable, they offer extensive security features, they're more reliable, and they improve interoperability.

NT has long been thought of as only a departmental network operating system. But Microsoft had visions of larger networks when they designed NT and has begun a concerted push to let the world know that they intend to be the leader in Wintel enterprise networking. Microsoft is offering a number of new applets and interim solutions to give NT Server 3.5.x the features and functions available in the leading enterprise naming services. Advance word about the next major upgrade to NT, code-named Cairo, indicates that Microsoft has listened to the market and plans to reengineer their domain directory service to make it a true enterprise naming service.

But why wait for Cairo? Until it ships, we won't know how Microsoft intends to handle such items as mapping the network to the hierarchical organization, or providing continuous authentication and authorization security services, or having a seamless integration with TCP/IP networks, or being fully extensible, or having a robust naming service API - everything NIS+ provides today.

The learning curves for both NT domain services and NIS+ are about the same. However, we already know that organizations going with NT will be facing a major network architectural upgrade if Cairo delivers on all promises.

The choice is clear. NIS+ is here today and ready for tomorrow.


Glossary

Access Token Upon authentication of an NT login, an access token is created containing the ID and credentials for the user. This token is then used in lieu of further User ID and password checks to permit access to network resources. Note that only the login process creates access tokens and, once issued, they are never challenged.

API Application programming interface. The set of routines that an application program uses to request and carry out services performed by the operating system.

DES Data Encryption Standard.

DHCP Dynamic Host Configuration Protocol. This is a special service that dynamically assigns IP addresses to network devices. It is useful when dealing with a large number of mobile devices that need to connect to the network from various locations. NT requires the use of a DHCP and WINS server to run under TCP/IP.

DNS Domain Name Service, the standard TCP/IP naming service used by the Internet.

GUI Graphic User Interface, windows.

MSN Microsoft Network - a commercial service. This should not be confused with NT networks or connecting NT to the Internet.

NT Domain A collection of servers that share a common user account and security database. One server in each domain is designated the primary domain controller (PDC) and is responsible for maintaining the master domain directory and keeping copies on all the other servers in the domain in sync. Should the PDC fail or be taken off line, any other server in the domain can be promoted to PDC status.

OLE Object Linking and Embedding. The Microsoft standard API for all Windows environments.

PDC Primary Domain Controller in an NT network.

Registry NT database where almost all configuration and performance information is stored. The registry resides on individual Windows computers. When connected to a network, a copy of the registry can be maintained on a network server to facilitate administration. There is no relationship or link between the registry and the domain directory.

SAM Security Account Management database containing information for all users, workstations, and servers in the domain. It is a flat file listing of user account names, passwords, and security settings. Passwords are encrypted with DES to prevent unauthorized viewing.

Trust Models NT supports four domain trust models: single, master, multiple master, and complete trust. The single model puts all users and devices into a single domain. Under the master and multiple master models, all users are placed in one set of domains and the devices are put into a different set of domains. Using the appropriate trust relationships, administration of user accounts can be centralized while administration of devices can be departmentalized. The complete trust model puts users and devices in all domains with trust links to all other domains. Administration is departmentalized by domain with free access across the entire enterprise.

Trust Relationship Mechanism to make it possible for one domain to log into another domain as a "trusted" user. (They even exchange passwords and ID like any other network user would.) Once the trust is set up, users in the trusted domain can access resources in their domain and in trusting domains without having to reenter their password or user ID.

The number of trust relationships grows quadratically as domains are added to the network. Unfortunately, there is no automatic mechanism for setting them up. Administrators have to set up each trust relationship one-at-a-time. Trusts are not reciprocated, so two sets of transactions are required for each new domain added to the enterprise for a two-way trust to be established.

WINS Windows Internet Naming Service. This is a special server used by NT to map device names to IP addresses. It is used in conjunction with the DHCP server.

This paper contains competitive information on enterprise naming services available in Microsoft NT Server 3.5. It was drawn from the following published materials available to the general public as of September 1995:

Microsoft Windows NT 3.5 Guidelines for Security, Audit, and Control; Microsoft Corp, 1994

Windows NT Unleashed, Second Edition, Robert Cowart, SAMS Publishing, 1995

NT Server: Management and Control, Kenneth L. Spencer, Prentice Hall, 1996

NT Server 3.5, Burton Group Report, February 1995

Microsoft Windows NT Server 3.5 Dynamic Host Configuration Protocol, Windows Internet Naming Service; Windows White Paper, Microsoft Corporation, June 1994

Microsoft Windows NT Server 3.5 Market Bulletin, Microsoft Corp, June 1994

Windows NT Magazine, September 1995

Communications Week, April 10, 1995, May 22, 1995 and June 19, 1995

Information Week, July 24, 1995

Windows Magazine, March 1, 1995 and August 1, 1995

Computer Reseller News, April 24, 1995 and July 17, 1995

VAR Business, February 1, 1995

Byte Magazine, August 1995

Every effort was made to ensure the accuracy of this presentation; however, since this is a changing market, the validity of any information presented can not be guaranteed. Furthermore, this paper represents only one view of the issues discussed and should not be interpreted to represent the official position of Microsoft or Sun Microsystems.



Copyright 1996 Sun Microsystems, Inc., 2550 Garcia Ave., Mtn. View, CA 94043-1100 USA. All rights reserved.