Windows 2000: A Threat to Internet Diversity and Open Standards? David Chadwick, University of Salford.
Active Directory is another example of incomplete support for Internet standards. AD is meant to be a directory server that conforms to the Lightweight Directory Access Protocol, competing with established LDAP directories from Netscape/Sun, IBM, and Lotus. AD is tightly integrated into Windows 2000, and no standard LDAP server can replace it. This is because many of the operating system calls to AD use proprietary dynamic link libraries (DLLs), not an open LDAP interface. RFC 1823 already specifies an open application programming interface defined for LDAP version 2 directory services. And the IETF's LDAPExt working group has nearly finished specifying an LDAP version 3 C API and a Java API.
But Microsoft hasn't used the IETF-specified APIs as the preferred means of open external access to AD (and vice versa). Microsoft instead created its own proprietary API: the Active Directory Service Interfaces. They advertise ADSI as "a single, consistent, open set of interfaces for managing and using multiple directories" so that "applications can be developed with no need to understand vendor-specific directory APIs" (PBS Web Team, "Microsoft Active Directory Service Interfaces: ADSI Open Interfaces for Managing and Using Directory Services", Microsoft Corp., Redmond, Wash., 1999). Microsoft fails to mention that other directory vendors will need to build an ADSI interface to their directory service if they want newly developed ADSI directory-enabled applications to access them. This forces other directory vendors to support a Microsoft proprietary API in addition to, and perhaps in preference to, an open standards-based LDAP API.
Many organizations have already spent millions of dollars installing their existing LDAP-based directory services, with Novell's NDS and eDirectory having the largest installed base. When Microsoft released Windows NT 4.0 with its internal directory and registry, Novell cleverly rewrote the DLL used to access the Microsoft registry so that it accessed NDS instead. An organization could then add its NT 4.0 servers to its Novell network and directory service, while the operating system continued working as though it was still accessing the local registry.
Microsoft put a stop to this in Windows 2000, which checks all the DLLs present. If it finds a non-Microsoft DLL, Windows 2000 deletes and replaces it with the Microsoft DLL. At a recent presentation I attended, the Microsoft speaker stated that they made this change because non-Microsoft written DLLs were causing the NT 4.0 operating system to become unstable. And since Windows 2000 had to be very stable (operating 24 hours per day, 365 days a year), it could not tolerate foreign DLLs that might compromise its stability. The speaker then added that Novell was experiencing difficulty overcoming this feature as they attempted to help organizations replace AD with eDirectory.
MORE LDAP MISCHIEF
Microsoft has also played more mischief with LDAP. LDAP directories have a standard schema - the set of rules that govern how the directory structures its data. Various RFCs and ISO/ITU-T standards (like X.520, RFC 2218, RFC 2252, RFC 2256 and RFC 2587) specify standard schema definitions. However, Microsoft purposefully changed some of the standard schema definitions, and it does not support others that are currently being standardized.
For example, one of the most popular directory attributes, the Internet RFC 822 e-mail address (specified as early as 1991 in RFC 1274), boasts support from all existing LDAP- and X.500-based products. However, Microsoft used the same syntax as the standard definition but gave the schema element a new Microsoft-derived object identifier. (Each schema element has a globally unique object identifier to ensure that different implementations can determine when they are referring to the same data object.)
In addition, Microsoft redefined the ISO/ITU-T standard definition of object class top (from which all other object classes are derived) by adding more than 60 Microsoft-specific attribute types. Microsoft then still used the same ISO/ITU-T object identifier to uniquely identify its proprietary definition. This will clearly cause internetworking problems for replicating data between AD and other LDAP directories. I understand that Microsoft has agreed to reverse this decision in a future release of AD and to reinstate the ISO/ITU-T standard definition.
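A schema audit of the kind the two preceding paragraphs call for, as an added example that is not from the article: it parses RFC 2252-style definitions from two servers and flags a name carried under a different OID (clients matching by OID will not recognise the attribute) and a standard OID reused for a changed definition (replication partners will disagree). The standard-side OIDs for mail and top are the published ones; the vendor-side definitions, including the placeholder arc 1.2.3.4.5, are constructed samples, not Active Directory's actual schema.

```python
import re

# Constructed sample: standards-conformant definitions (RFC 2252/2256 style).
STANDARD = [
    "( 0.9.2342.19200300.100.1.3 NAME 'mail' DESC 'RFC1274 mailbox' "
    "EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )",
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 2.5.4.3 NAME 'cn' SUP name )",
]
# Constructed sample of the two deviations described above: 'mail' under a
# placeholder vendor arc (1.2.3.4.5 is not a real OID) and 'top' keeping the
# ISO OID 2.5.6.0 while adding vendor-specific mandatory attributes.
VENDOR = [
    "( 1.2.3.4.5.1 NAME 'mail' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )",
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST ( objectClass $ instanceType $ nTSecurityDescriptor ) )",
    "( 2.5.4.3 NAME 'cn' SUP name )",
]

_DEF = re.compile(r"^\(\s*(?P<oid>[\d.]+)\s+NAME\s+'(?P<name>[^']+)'(?P<rest>.*)\)\s*$")
_SET = re.compile(r"\b(MUST|MAY)\s+(\(([^)]*)\)|(\S+))")

def parse(defn):
    """Return (name, oid, {'MUST'/'MAY': frozenset of attribute names})."""
    m = _DEF.match(defn.strip())
    if not m:
        raise ValueError("not an RFC 2252 definition: " + defn)
    sets = {}
    for kw, _, grouped, single in _SET.findall(m.group("rest")):
        raw = grouped if grouped else single
        sets[kw] = frozenset(a.strip() for a in raw.split("$"))
    return m.group("name"), m.group("oid"), sets

def compare(standard, vendor):
    """List interop findings between a standard schema and a vendor's copy."""
    std = {name: (oid, sets) for name, oid, sets in map(parse, standard)}
    findings = []
    for name, oid, sets in map(parse, vendor):
        if name not in std:
            continue                      # vendor-only element: no conflict
        std_oid, std_sets = std[name]
        if oid != std_oid:                # same name, different identifier
            findings.append(("oid-changed", name, std_oid, oid))
        elif sets != std_sets:            # same identifier, different content
            vendor_attrs = set().union(*sets.values())
            std_attrs = set().union(*std_sets.values())
            findings.append(("redefined", name, oid, sorted(vendor_attrs - std_attrs)))
    return findings

if __name__ == "__main__":
    for finding in compare(STANDARD, VENDOR):
        print(*finding)
```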
Despite these obstructions to a truly ubiquitous existence, Windows 2000 has many good features, and it is undoubtedly an improvement over NT 4.0 for many reasons I do not discuss here. However, will Windows 2000 compromise the Internet's diversity and the ability of thousands of different suppliers' systems to interoperate? Given that Windows 2000 seems to drive organizations to replace their existing DNS and LDAP servers with Microsoft products, Microsoft clearly intends to dominate the Internet server market as much as it has the desktop. However, too many systems using the same supplier's software and hardware is dangerous - witness the havoc recently wrought by the Love Bug virus exploiting features in Outlook. Imagine what one virus could do to a human race cloned from one individual.
Diversity must be one of the Internet's main strengths, just as it is for the human race. It will be interesting to see whether the Internet becomes a Microsoft-dominated network, using Microsoft-controlled "open" standards, or whether diversity and consensual open standards will continue to retain the upper hand.
David Chadwick is a senior lecturer at the University of Salford and an active participant in IETF standardization activities. Contact him at D.W.Chadwick@salford.ac.uk.