Slashdot Mirror


Windows 2000 Name Services - What do you think?

ianna asks: "I read the description about the new win2k implementation of name services at Lucent. It speaks about IETF compatibility, Dynamic DNS, SRV, LDAP and about removing NetBIOS and WINS (finally!) I have the impression that this time Microsoft did things in the right way. Is it true? I'm an Opensource software advocate, but more than anything I always look for the best solution... This time I'm wondering: do we have something similar (or better) or shall we follow Microsoft this time?" Interesting thought. Did Microsoft get it right this time, or is there a better solution?

12 comments

  1. Re:Microsoft's Directory strategy by Anonymous Coward · · Score: 0
    ``Did Microsoft get it right this time, or is there a better solution?''

    Of course, everyone has their own opinion on this - and so here's mine...

    I honestly think it's a step in the right direction, but overall no I don't think Microsoft "[got] it right this time". To start with, you now must fundamentally trust any Win2K box running Active Directory to make arbitrary changes to your production DNS; this might be fine in an all Windows shop, but when you have an existing DNS with other platforms included.. well, would you trust WinNT 4 to do this now, and if not why would you trust Win2K any differently?

    Besides, why use SRV records anyway when use of multicasted SLP (service location protocol) could do the job even better (ie., you wouldn't even need to know who/where the DNS servers were in the first place)? Sun and Novell are using SLP, why couldn't Microsoft?

    I flat-out refuse to accept the restriction that you need to tie your DNS hierarchy to your Active Directory tree structure - if I want one DNS tree and a different directory tree, pure LDAP products and Novell NDS will let me do it, why not Microsoft Active Directory?

    I don't know if they've fixed this one, but a year or so ago it was discovered that Active Directory uses certain attributes for naming, and mandates those attributes to be "single-valued" (as opposed to "multi-valued") - this made Active Directory incompatible with X.500, LDAP and even the DEN (Directory Enabled Networks) initiative that Microsoft co-founded! Insane...

    ``Yeah, Microsoft is on the leading edge as far as Dynamic DNS is concerned...''

    Hell no - IBM had DDNS products (incl. OS/2) shipping in the marketplace years ago. DDNS is supported in BINDv8. Even other commercial DNS services for UNIX (such as Cisco Network Registrar) all support DDNS - it ain't new, Microsoft's playing catch-up. Microsoft uses DDNS for making dynamic changes to the SRV records in the DNS in order to satisfy Active Directory's naming/locator service - that's what shits me; if they used SLP, there'd be no need for DDNS nor SRV records (both of which BINDv8 supports anyway).

    ``...and LDAP support...''

    Hell no! Again, LDAP ain't new; LDAP directory products have been around for years and Novell definitely beat Microsoft to market with LDAP support for NDS.

    ``...and all those lovely wonderful things that no one is implementing for real.''

    Just because you may work in a backwater doesn't mean the rest of the world is likewise held back - there are many sites today that are using LDAP (for example) quite heavily in production environments (even with Novell NetWare acting as the LDAP server). This is very real.

  2. Re:First of all... by Anonymous Coward · · Score: 0

    Novell has commented on some of W2k's DNS oddities at their 'The Novell Advantage' site: http://www.novell.com/advantage/

    There is more specific information on Windows 2000 at http://www.novell.com/advantage/w2k.html

    Specific DNS-related comments can be found at the following URLs:

    http://www.novell.com/advantage/w2k_dyk7.html - this one refers to a scenario where a W2k client can crash a BIND 8.1.1 DNS server (8.1.2 & above are OK)

    http://www.novell.com/advantage/w2k_dyk8.html - this one discusses W2k's use of SRV RRs to refer to dynamic services. Stale SRV RRs can cause a variety of problems.

    The whole series of 'Did You Know?' web pages has been re-posted as a .pdf: http://www.novell.com/advantage/tech-eval.pdf

    (Obvious) Disclaimer: Novell is a big competitor of Microsoft, especially in the area of enterprise networking and enterprise directory services. I do not work for either Novell or Microsoft, but I do use Novell & NDS extensively in my day job.

  3. not on blind faith by bubbasatan · · Score: 0

    The quick and dirty answer to your inquiry is NO. I would not follow Microsoft's "lead." It's not really a lead anyway. Yeah, a dynamic DNS system may be a good thing, and it certainly might ease administration if implemented in an intelligent fashion, but the rest of the IT world usually finds a better way. There may already be a better implementation. I have to admit that M$ is making a positive move by ditching (more or less) WINS and NetBIOS. Now they'll catch up to where the rest of us (not necessarily Novell) have been for years. But, and this is a big but, if Windows 2000 is supposed to be the platform of the future, what's gonna happen when we start the move to IPv6? Maybe I just missed it in that white paper, but I haven't seen or heard anything about what's gonna happen when the nature of IP addressing undergoes a fundamental shift. This question is relevant for other platforms, too, but I have little doubt that the various Unices and their relations will be able to make the change successfully when the time comes. In summary, I again laud M$ for doing something it should have done years ago, migrate towards a sensible name resolution platform. I would just urge you to remember that Microsoft has not gotten where they are today by being the big innovators. They have almost always just knocked off what someone else has done before them and changed it just enough to call it their own. The similarities between the current DNS question and the other little Microsoftian gimmicks are just a bit disturbing to me.

    --
    Windows is going the way of phlogiston...
  4. Windows 2000 catapults Micro$oft into the '90's! by ImpintheBox · · Score: 0

    Just how old are these standards that M$ is co-opting? And all this wonderful new stuff only works fully with other W2K machines. It requires bigger hardware than 4.0. Novell, on the other hand, can integrate W2K with other platforms. Novell may benefit hugely from companies who are hesitant about becoming totally locked into a W2K system. W2K hardware compatibility compares favorably with Linux of several years back, say RH4.0. By 2001 it should be a real kickass system. The improvements are vast, but outweighed by the deliberate incompatibilities. 40% technology, 60% corporate maneuvering. Don't forget UCITA. Do you honestly believe that the remote disabling hooks are not in place in W2K? Are they utterly safe against crackers? Trust Bill. Trust Him with your livelihood. Trust Him with your life. "If I have seen further than other men it is because I have stood on the shoulders of giants." -Isaac Newton "If I have made more money than other men it is because I have stood on the shoulders of giants while my legal team imprisoned and castrated them." -Bill Hank Gate$ III

  5. Re:First of all... by rhk · · Score: 1

    Go back and look at the latest RFCs for DNS. Underscore is now valid. In fact, nearly any character is. I'm pretty sure I saw that in there...

  6. Re:Microsoft's Directory strategy by RossyB · · Score: 1

    Slightly off-topic, but I'm planning to stay as far away from AD as is humanly possible... If I need a directory service, it's gonna be NDS. Recent stories comparing NDS and AD are rather interesting...

    www.novell.com/advantage is a good place to start. Somewhere on that site is a very good web page, smashing M$'s claim that AD is much faster than NDS (NDS can perform the search "Pa*" 1250 times faster than AD! With the same search with 100 clients, AD didn't return a result within a minute!)

    :-)

    Ross

  7. Re:First of all... by Tower · · Score: 1

    Yup, that's it - I had read the Novell site one time, and I remembered that somewhere in the cruft of my mind... Thanks

    --
    "It's tough to be bilingual when you get hit in the head."
  8. Re:First of all... by Jamz · · Score: 1

    >this one refers to a scenario where a W2k client
    >can crash a BIND 8.1.1 DNS server (8.1.2 & above
    >are OK)

    This is not surprising, Microsoft said (at Teched 99) that Win2k will not work with a 3rd party DNS server unless it is BIND 8.1.2 (or above) compatible, meaning among other things that it implements SRV records (RFC 2052), and Dynamic Updates (RFC 2136).

    If you follow those Novell URLs it's obvious that NDS is a very evolved product. Novell is unfortunately facing a losing battle that stems from the fact that their overall suite of applications is poor. For those organisations using NDS, comparing Groupwise vs. Exchange has led many of them to choose Exchange server for their messaging.

    It is these same organisations that have NDS and Exchange that will be changing to Windows 2000 and Active Directory, as the next version of Exchange will REQUIRE it. As in the past, it seems Microsoft will use their dominance in one area to leverage its way into other areas. This is what is causing them to have so much trouble with the DOJ lately.

    Anyhow, that's the way it seems to me.

    Jamz.

  9. Old Slashdot story by Menthos · · Score: 2
    Here's an old Slashdot story about this.

    Most of the talk was about the Windows 2000 DNS system being incompatible with most other OSes (Windows 2000 using dynamic DNS) and the fear that IT departments would probably soon "be forced" to use the Windows 2000 DNS system.

    --

    GNU/Linux. The Freshmaker.

  10. Re:First of all... by AndyDeck · · Score: 2

    Well, Slash incorrectly anonymized my first attempt. This is a re-post under my own name.

    Novell has commented on some of W2k's DNS oddities at their 'The Novell Advantage' site: http://www.novell.com/advantage/

    There is more specific information on Windows 2000 at http://www.novell.com/advantage/w2k.html

    Specific DNS-related comments can be found at the following URLs:
    http://www.novell.com/advantage/w2k_dyk7.html - this one refers to a scenario where a W2k client can crash a BIND 8.1.1 DNS server (8.1.2 & above are OK)
    http://www.novell.com/advantage/w2k_dyk8.html - this one discusses W2k's use of SRV RRs to refer to dynamic services. Stale SRV RRs can cause a variety of problems.

    The whole series of 'Did You Know?' web pages has been re-posted as a .pdf: http://www.novell.com/advantage/tech-eval.pdf
    (Obvious) Disclaimer: Novell is a big competitor of Microsoft, especially in the area of enterprise networking and enterprise directory services. I do not work for either Novell or Microsoft, but I do use Novell & NDS extensively in my day job.

    --

    The Crystal Wind is the Storm, and the Storm is Data, and the Data is Life
  11. First of all... by Tower · · Score: 3

    I'm glad Lucent mentioned the DNS & Bind book from O'Reilly - a great reference... a standard book for what (hopefully) is a standard implementation. The exit of NetBIOS and WINS is a very Good Thing(TM), and there will be less useless broadcasts cluttering up local nets... of course, you will still have the old client machines that aren't all new and happy yet, but change will come... eventually... really...

    I've heard some strange stories about the W2k DNS stuff, such as a W2k PDC having trouble if the DNS server for the 2k domain wasn't another W2k box, but I haven't experienced this personally. I don't like the way they've integrated the DNS with Active Directory - this causes a lot of problems when upgrading an old NT4 domain (it has the most problems with underscores, which aren't valid DNS characters, but were just fine (and previously preferred) in windows domains... you can work around it, but in a large domain, it can be a lot of work getting everything back up and running happily again).

    The SRV records are nothing new, but are rather useful, though many implementations don't rely on them all that much - W2k seems to take advantage of this a little more, and I think they should be applauded for that (I just said something positive about M$?!). However, they use more underscores in the SRV records, and, as the article says, many people are concerned about it... there used to be a forum at dnspolicy.com, but I can't seem to access it anymore...

    Some good, some bad - mostly (but not all) standard, and Active Directory +DNS = yikes...

    --
    "It's tough to be bilingual when you get hit in the head."
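
The underscore question raised in this thread (underscores in SRV records and in old NT4 names versus the host name rule), as an added example that is not part of any poster's comment: a Python classifier that separates RFC 952/1123 host names, RFC 2782 `_Service._Proto.Name` SRV owner names, and names that are only legal as general DNS labels under RFC 2181. The sample names under example.com are constructed, and the function names are this example's own.

```python
import re

# Host name label per RFC 952/1123: letters, digits, hyphen (LDH), 1-63 chars,
# no leading or trailing hyphen.
LDH = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
# SRV service/protocol label (RFC 2782 "_Service._Proto.Name"): underscore prefix.
SRV = re.compile(r"_[A-Za-z0-9](?:[A-Za-z0-9-]{0,60}[A-Za-z0-9])?")


def classify(name):
    """Return 'hostname', 'srv-owner', 'dns-name-only' or 'invalid'."""
    if name.endswith("."):
        name = name[:-1]                  # drop the root dot of an FQDN
    labels = name.split(".")
    if not name or len(name) > 253:
        return "invalid"
    if any(not 1 <= len(label) <= 63 for label in labels):
        return "invalid"                  # empty or over-long label
    if all(LDH.fullmatch(label) for label in labels):
        return "hostname"
    if (len(labels) >= 3 and SRV.fullmatch(labels[0]) and SRV.fullmatch(labels[1])
            and all(LDH.fullmatch(label) for label in labels[2:])):
        return "srv-owner"
    # RFC 2181 section 11 permits any octets in a label, so the name can exist
    # in a zone, but it does not satisfy the host name rule.
    return "dns-name-only"


def audit(names):
    """Group names by class so non-host names stand out before a migration."""
    report = {"hostname": [], "srv-owner": [], "dns-name-only": [], "invalid": []}
    for name in names:
        report[classify(name)].append(name)
    return report


# Constructed sample names (example.com is a reserved documentation domain).
SAMPLE = [
    "dc1.corp.example.com",
    "_ldap._tcp.corp.example.com.",
    "file_server.corp.example.com",
    "bad..example.com",
    "-edge.example.com",
]

if __name__ == "__main__":
    for cls, members in audit(SAMPLE).items():
        print(f"{cls:14} {members}")
```
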
  12. Microsoft's Directory strategy by dlc · · Score: 3

    Microsoft has been saying for a while that Active Directory was going to be the focal point for Win2000, and to a certain extent, it is. It is the part of win2k that has changed the most from previous versions of NT (4.0 and earlier used the domain model, which is basically identical to the domain model used by NIS -- a collection of computers grouped into a flat (non-hierarchical) group, with one or more master servers (Primary Domain controllers) and zero or more slave servers (Backup Domain Controllers)). Active Directory is a true hierarchical directory service, similar to Novell's NDS. Active Directory has an LDAP interface, proprietary interfaces for D?COM and the like, as well as a direct API that can be used by VB/C++ programmers.

    Yeah, Microsoft is on the leading edge as far as Dynamic DNS is concerned, and LDAP support, and all those lovely wonderful things that no one is implementing for real. All this comes at a price, of course, even assuming that there won't be a huge amount of bugs in Active Directory (this is not a flame or a jibe at microsoft; AD is a 1.0 product, and a huge one at that). When you implement any of these things, you have to implement them all. Because of the radical differences between AD and the NT 4.0 domain model, all of your domains and workgroups need to be replanned and re-implemented (no small feat even for small companies). Are you using DHCP for your windows clients? Ooops, you have to use the AD version of DHCP; the older "outdated" (NT 4.0) version doesn't work with AD.

    Another problem that has been plaguing AD is the speed issue. AD is written as a part of the win2k OS, naturally; to access it via all these disparate methods (LDAP, the API, etc), which the OS doesn't support natively, there needs to be a compatibility layer. And this compatibility layer is way slow. So slow as to render AD unusable on anything but super boxen (Uber-Boxen?). So, merely upgrading your NT 4.0 servers, whose hardware requirements are modest compared to Win2k, is not a good option here.

    Do I think Microsoft did a good thing here? In theory, yes. Having only worked with it a little, and that in passing on another person's box, I can't say authoritatively whether I think they did in actuality do it right. The approach has the outward appearance of being done right, but Microsoft's track record for playing by the rules is not spotless (to say the least). We'll have to wait and see, I guess...

    darren


    Cthulhu for President!
    --
    (darren)