Microsoft Corp. is poised to provide new tools to join multiple implementations of Active Directory, but the company still strongly recommends against the practice because it can create unnecessary and problematic complexity.
The mixed message has network executives scratching their heads as they try to reconcile the need to build directories that recognize organizational security boundaries with this cautionary advice from Microsoft.
The confusion is coming to the forefront as Microsoft is introducing a feature with Windows.Net Server – due for release by year-end – that supports complex deployments of Active Directory.
The feature, called cross-forest trust, lets users tie together, or federate, multiple directory “forests,” which are collections of domains that house information about users, computers and other resources.
Companies can use the forests to create walls of administrative security between business units or intranets and extranets but still let users sign on in one forest and access approved resources in another. Federating multiple forests also can ease mergers and acquisitions in that companies don’t have to construct all-new directories. Governments and the military also see a use for isolating sensitive agencies with multiple forests.
When Microsoft first introduced Active Directory two years ago, it urged users not to deploy multiple forests because they were complex to administer and tools to ease that complexity were not available.
“I thought .Net was the way to go but now I’m not going anywhere until someone figures out multiple forests,” says one network executive at a government agency who requested anonymity. He had hoped to deploy multiple forests to separate distinct government agencies. “The whole idea of federation is a good concept because we are a decentralized organization.”
He says Microsoft officials told him a single forest was “preferred” unless he had “very significant security requirements” and that Microsoft could support multiple forests, but that “it may be a little more difficult to resolve his issues.”
“I read statements like that and it sends chills down my spine,” the executive says. “If it’s that much of a nightmare to support multiple forests, why are we seeing these tools?”
Microsoft officials say they realize some corporations have a need for multiple forests for such things as mergers and acquisitions or development labs and they need to support those users, but they stress that the .Net Server feature is not an endorsement for multiple forests.
“This is not a license to create 300 forests,” says Jackson Shaw, lead product manager for Active Directory. “We have always recommended a single forest but that doesn’t mean customers have always deployed a single forest, so we are working to minimize the complexity using .Net Server.”
Addressing complexity
In other cases, such as when it first introduced its metadirectory, Microsoft has made tools available only through integrators when it thought they were so complex that end users might get in trouble going it alone.
Analysts agree that single forests are less complex to administer. They concede, however, that multiple forests are needed in some cases to create security boundaries but that the message about multiple forests has become mixed.
Adding to the confusion is Microsoft’s acknowledgement late last year that directory domains cannot be considered secure entities within a forest, which it said previously was the case. Microsoft said domains weren’t security boundaries because anyone with physical access to machines that run Active Directory could in theory take over the machine, inject malicious code and compromise the security of every directory domain.
Given that fact, many network executives who were angling for establishing security boundaries using domains turned their thinking to multiple forests. And many say they believed that new tools to support multiple forests reinforced that notion.
“A year ago the security argument in a company would have been about separate domains; now it is about separate forests,” says John Enck, a Gartner Inc. analyst. “The issue over domains and forests has become messy. For customers, it’s a political fight now and Microsoft has created more ammo for those that want multiple forests. A lot of government accounts are feeling this pain.”
One network executive from a large company who requested anonymity says his organization has multiple forests that keep the intranet, extranet and development environments as distinct units.
“For the intranet, a single forest is a lot less complex than multiple forests,” the executive says. “But we were driven to multiple forests given the need for security surrounding the extranet. We didn’t want to expose the extranet to our intranet. That design has some things that Microsoft does not like and our support arrangement is complex, but we have to have this security boundary.”
Minimizing problems
The top reason for staying with a single forest is to minimize complexity.
Proof of this is seen with Microsoft Exchange, the company’s collaboration and e-mail software. A single implementation of Exchange cannot be supported in a multiple forest because a single Global Address List for all users can’t be created and it fosters significant data sharing, routing, trust and reorganization issues. Microsoft Metadirectory Services can be used to mask some of the issues, but that also adds complexity.
“Our recommendation remains that companies have as few forests as possible, given support issues and complexity,” says Daniel Blum, senior vice president of the Burton Group and a Network World columnist. “With multiple forests, if you have sharing of data and applications you can get into the need for multiple user accounts, multiple group memberships and then you may have to add a metadirectory. It gets complex.”
Blum says a majority of customers opt for a single forest on the intranet, but, he adds, the Burton Group strongly recommends users put their extranets in a separate forest.
It all boils down to the evolution of Active Directory and user needs, Microsoft’s Shaw says.
“We are trying to mature the directory by making multiple forests easier to manage,” he says. “But we still think it is a small subset of users that need that capability.”
