NDS for NT: Increases Complexity and Cost Without Adding Value

[NOTE: This second version of the NDS for NT paper appeared on Microsoft's web site until 1/22/98.]

On October 7, Novell announced the beta availability of NDS for NT. Novell claims that NDS for NT is an easy and non-intrusive solution for customers. The truth is that NDS for NT forces customers to add complex NetWare technologies which are not integrated with Windows NT Server. NDS for NT also raises some very serious security issues. This bulletin illustrates key deficiencies of Novell's strategy including the fact that NDS for NT:

All of this raises another important question: Why would a customer undertake the huge task of deploying this mixed infrastructure, which guarantees dependence on legacy NetWare, when Windows NT Server 5.0, which features Active Directory, is already in beta?

If Novell's criticisms of Windows NT Server are correct, why is Windows NT Server so successful? The reason is that customers have found that Windows NT Server suits most of their needs now and they are confident that Microsoft will deliver on other functionality that they need in the near future. Such is the case with directory services.

NDS for NT is not integrated with Windows NT Server

There are currently other solutions like NDS for NT available for Windows NT Server, such as StreetTalk for NT, and none of these has met with great success. Why? For the same reason that NDS for NT is not a good solution: they are not native to the operating system, are redundant to the functionality that Windows NT Server offers and are unintegrated with the operating system.

In a recent survey conducted by Integrity Market Services, more than 80 percent of enterprise customers using the Windows NT Server network operating system said they are using its current integrated Windows NT Directory Services to manage and maintain their networked environments. This is because the Windows NT Directory Services are integrated with the operating system and this integration offers huge benefits to system administrators and applications developers. Windows NT Server 5.0 and Active Directory will take these benefits to the next level, making it easier than ever for system administrators and developers to leverage the native directory services of Windows NT Server. What customers need are solutions that are integrated with their platform, not redundant, unintegrated half-steps towards a solution like NDS for NT.

NDS for NT offers no applications support

Because Windows NT Server offers integrated directory services, applications developers are writing applications that utilize these directory services, building a broad set of solutions for customers. In fact, there are more than 550 applications that are integrated with the Windows NT Directory Services, a number that has grown by 325% since January 1997. How many applications are integrated with NDS? More importantly, how many applications are integrated with NDS for NT? Further, what types of problems arise for customers who have chose [stet] applications that use NDS? As InfoWorld notes in a recent story on NDS for NT, "there is no support for NDS-enabled applications in pure Windows NT Server environments." This is because NDS does not offer a good solution for applications developers who need to use a directory service that is integrated with a robust operating system.

Again, what customers and developers need are solutions that are integrated with their platform, not redundant, unintegrated half-steps towards a solution like NDS for NT.

NDS for NT requires complex, legacy NetWare technologies

What NDS for NT purports to do is reduce the complexity of customers' networks. The truth is that NDS for NT has huge dependencies on complex legacy NetWare technologies, forcing customers who want to move away from NetWare and NDS to keep NetWare in their networks, adding complexity to their systems. NDS for NT requires customers to deploy Novell's redirector -- the same used in Novell's client software -- on their Windows NT Server domain controllers. This redirector then redirects calls coming into the Windows NT Directory Service to NDS running on a NetWare server. Novell makes NDS for NT sound as though all a customer needs to do is install this simple component and their management concerns are magically alleviated. In fact, this is not true.

To illustrate, let's look at a very common scenario in which NDS for NT would add a great deal of complexity, not to mention cost, to a customer's network: a remote site at which a customer has Windows NT Server installed as both the applications platform and the file and print engine. To use NDS for NT to manage Windows NT Server user accounts, this customer would first need to install NetWare just to get and store NDS. Once this very significant task was complete, the customer would then have to install the NetWare client software on all client machines as well as on all the Windows NT Server domain controllers. Then the customer would have to replace a critical system component (SAMSRV.DLL, a dynamic link library or DLL) on all Windows NT Server domain controllers with Novell's version of this DLL and then migrate all user account information from Windows NT Server over to NetWare. What is the value-add to the customer? After going through all of this, the customer's network, which was relatively clean in its design, is now much more complex, with software from two vendors, with critical system components replaced by a third party, with client software they did not need and with huge dependencies on NetWare.

This scenario highlights why using NDS for NT offers very little value-add for customers who have Windows NT Server as their applications platform and network operating system. However, it also highlights the inherent complexity that NDS for NT adds to any network scenario. By replacing critical system DLLs, a practice that customers have repeatedly asked software vendors to avoid, by adding redirectors and by forcing customers to use the legacy NetWare for the sole purpose of storing NDS, Novell is making customers' networks more complex and potentially less reliable. Customers must answer for themselves whether the potential gains are worth the effort.

NDS for NT introduces serious security concerns

Perhaps most troublesome of all are the potential security concerns that NDS for NT raises. For example, let's suppose Enterprise 1 and Enterprise 2 want to share a project. Enterprise 1 has Windows NT Server and Enterprise 2 has NDS for NT. Can a domain in Enterprise 1 trust a domain in Enterprise 2? From Novell's documentation on NDS for NT this is not clear. What is clear is that the NDS for NT documentation makes a big deal out of eliminating trust management. The question is can Enterprise 1 still have trust if it needs it? Does Enterprise 1 even want to trust NDS for NT? Furthermore, a feature of the current Windows NT Directory Service is that a domain is a security boundary which means that customers can partition their businesses in a secure fashion. NDS is a single tree with no internal boundaries. In this scenario in which Enterprise 2 has deployed NDS for NT, how does the Windows NT Server domain -- which resides within NDS for NT -- maintain its partitioned security? Is the potential for this type of security issue worth the risk?

NDS for NT is incredibly expensive

Until this point, little mention has been made of cost. However, we would be remiss if we did not also point out that NDS for NT is a very expensive solution, especially for such marginal gains. Novell announced its pricing as follows:

Number of Users    Price      Price/user
5                  $345       $69
10                 $680       $68
25                 $1,675     $66
50                 $3,300     $66
100                $6,500     $65
250                $16,250    $65

This is incredibly expensive -- nearly twice the cost of a Windows NT Server client access license -- especially when you consider that in some scenarios customers would need to install NetWare itself just to get NDS so they could use NDS for NT. Further, for mixed Windows NT Server and NetWare networks, there are less expensive and less invasive ways of accomplishing the same things that NDS for NT attempts to accomplish. For example, in a recent story, PC Week said the following:

"However, the net effect of using NDS for NT, which is scheduled to ship next month, can also be accomplished with a competing product from NetVision Inc., called Synchronicity, which is less intrusive. Microsoft Corp.'s long-range plans to overhaul NT's directory services further complicate the buying decision."

"NDS for NT isn't cheap. At $50 per user, the product is considerably more expensive than the $14-per-user price of Synchronicity."

Clearly, in addition to determining whether the potential gains are worth the effort, customers must also determine whether NDS for NT is worth the cost.

Conclusion

Novell's NDS for NT is fundamentally flawed. Instead of a solution that offers clear advantages for Windows NT Server and is cost-effective and simple, Novell has delivered an expensive and complex solution, one that offers little to no added value to Windows NT Server. Additionally, since Windows NT Server 5.0, featuring Active Directory, is already in beta testing and will be in customers' hands in the near future, there is no reason to undertake the significant effort of planning and deploying NDS for NT. Too much is at risk.