Title: Synching NDS and AD
I am not entirely surprised by the response. Over the years I have run into lots of folks coming on site to large companies I have been at and saying similar things. They often change their opinions fairly quickly once they see the real world of large enterprises. Large enterprise IT is often very confusing to those who haven't tasted it in some little bit. In companies that have more IT and more Shadow IT[1] workers than most companies have employees the environment is near impossible to tie down to even know who is throwing directories up, let alone control them. Usually the way centralized IT wins is by offering the best for the cheapest. This will work for most but there will still be some who will not like the lack of flexibility [2] or lack of control [2]. I have a friend who was on the team I was the technical lead of who we had to let go due to his inability to be on call. In very short order he was back in the same company (Fortune 5) doing the same job but for a Shadow IT group. They had their own complete forest that no one I knew of knew about that was completely run by a sales or marketing department.
 
Large companies do not like to change applications simply because IT wants to try and make a directory look a certain way. Modifying apps is extremely expensive just in terms of change control and testing. Additionally you don't even know all of the applications running against your directory, you may have info on 80% of them if you are lucky. You change the smallest things and business processes can hit the floor and IT can't do that to the business any time they want, IT doesn't control the business. The ill-informed response to that is well communicate/cooperate/etc, it isn't a case of sending out notes to everyone and telling them you are making a change. There are people using things and have no clue what they are truly dependent on because some half ass consultant who hasn't stuck around long enough to see long term results did something and went on to the next gig. There are developers who found something that works and really have no idea why it works and code everything around it to work based on that. You catch this when taking domain controllers down or doing the smallest OU reorganizations, etc. There are financial apps that can only go one update a year and don't take that update lightly, it is usually preceded by 6 months of testing at least.
 
There is no one thing you can key on for a structure that will remain consistent year after year. You may think so but that is short-sighted thinking of someone who hasn't spent a long time in large environments. I had ten years of learning in a 200,000+ user environment. Several of my MCS friends say I am ruined and can't do consulting for smaller companies and it is probably true because I plan really big picture and look at things as long term as possible because a plan that could be done in a month or two in a normal company could take multiple years in a large company and will have to be in place for 5, 10, or more years before it will be changed. We are talking about mail system migrations that take multiple years to plan, a year plus to implement everything and that is with the actual mailbox move process moving 5000 users a night comfortably.
 
I agree that maintaining multiple directories should usually mean you should try to make them structured as similar as possible, but again, that is an IT goal, not necessarily a business goal. If IT decides well, these directories should look like each other and then tells business that is going to happen, business looks at it and says, it works fine for us as it is and we aren't spending the millions to update and test our apps so you have a happy sense of pretty directories. That change doesn't occur, no matter how much sense it may make. Personally it was always my goal to eat every other NOS/directory system that was involved versus syncing. Be it NT, Novell, Vines, iPlanet, whatever, if it was in the way, it got clobbered and AD was used (or now AD/AM too). That tended to clean up the structure deltas.
I think Linux is not going to be the powerhouse a lot of people, especially the SUSE/Novell people want it to be. It has a lot of use scenarios and actually has been used in big business for years in niche locations. They have a lot of trouble getting out of those niches and usually have succeeded mostly at the expense of the UNIX OSes. Look at the numbers. I have seen multiple attempts by high level managers to push large companies into using it and I have seen them fail miserably and at the same time creating even larger pockets of Shadow IT which hurts the company even more. Linux doesn't have a chance for serious real use in big business until the business, not IT, decides that that is what they want to use. Again, IT doesn't run the business.
 
  joe
 
[1] Shadow IT is something that spins up in larger orgs where there are no specific VPs or directors that can control every aspect of the company. For instance a declaration of some standard at the top of GM might be adhered to everywhere in the company, but probably not. It certainly wouldn't be adhered to in plants unless the plant managers truly agreed. This goes for any large manufacturer. IT is a tool, it doesn't define what the business is going to do for technology solutions, though they will certainly try.
 
[2] The larger the environment, the more inflexible you have to be with changes and less control you can give out to people to make native changes to help churn in the environment. Why? Because you are servicing everyone, not the few groups that want to make the changes. And that is what it comes down to, some 2-5% or less who want some radical change that helps them but impacts everyone. A large IT environment can be flexible, but it tends to require something that most large companies already spending a billion on IT a year aren't willing to give, more money to manage the change.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Thursday, May 12, 2005 8:31 PM
To: [email protected]
Subject: RE: [ActiveDir] Synching NDS and AD

In response to Joe's post, Matthew Culver wrote:
 
" Well, I guess it's good job security to revolve technologies: you'll get to do it again very soon in some of those same accounts with Linux :)
 
Companies changing over the years... change the directory with it
Different people designing directories... C-O-O-P-E-R-A-T-E and another odd word in IT: Teamwork
 
The bottom line is that people don't follow best practice then make every excuse under the sun for why they didn't.  Disparate directory structures = lack of planning, every other reason is just an excuse to cover up laziness or ineptitude.  I'd be interested to know why anyone thinks that setting up a AD design with such a totally different structure to eDir is in anyway good if you are planning to keep both eDir and AD - after all, this thread is from someone who has problems partly because of different directory structures making metadirectory products difficult to use. Q.E.D. "
 
As per Matthew Culver
Sr. Network Engineer
Novell Inc.
 
------------------------------------------------------------------------------------------------------------
BTW: I am merely a messenger, please don't shoot me: Jose :-)
--------------------------------------------------------------------------------------------------------------
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 12, 2005 3:55 PM
To: [email protected]
Subject: RE: [ActiveDir] Synching NDS and AD

"If you've setup your AD structure so differently to your eDirectory structure within the same company then there's either something wrong with one of the structures or there's something wrong with you "
 
!?!?!?!
 
Because all companies have the same people designing all of their directories.... and....  Because everyone knows companies don't change over the years... and.... If they do change, everyone likes rearranging every directory and correcting all of the apps that depend on those directories to reflect the changes.
 
Having only two completely disparate directory structures is pretty good in my opinion. When you work on larger accounts it isn't uncommon to see 5 - 10 - 25 large completely differently structured directories scattered across multiple iPlanet's, OpenLDAP's, AD's, NDS's, Mainframe X.500's, etc....
 
If this wasn't the rule instead of the exception, there would be little market for metadirectory products whose design is to easily work with all of these disjoint and often very differently designed environments.
 
Luckily the times I have had to work with Novell users there were so few of them (maybe 10-15k users) that it was simply a matter of tossing it out the door and telling people to use the corporate AD structure instead of Novell. Would hate to have to fight with the tools to make it interact.
 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Thursday, May 12, 2005 5:22 PM
To: [email protected]
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Synching NDS and AD

In response to Stuart's posting,
 
" NIM is actually bigger than just eDir and AD Sync, and it's certainly more than just a simple sync with the ability to control the flow of metadata and modify data on the fly through XSLT XML, it also includes the idea of authoritative sources at an attribute level - one of the most powerful and flexible metadirectory products on the market today and one which is reasonably mature/robust.
 
If you've setup your AD structure so differently to your eDirectory structure within the same company then there's either something wrong with one of the structures or there's something wrong with you - I have never ever seen a directory structure in AD that I can't apply rules through NIM to sync with eDirectory even in instances of poor design. "
 
As per Matthew Culver
Sr Network Engineer
Novell Inc.
 
------------------------------------------------------------------------------------------------------
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: Thursday, May 12, 2005 12:27 PM
To: [email protected]
Subject: RE: [ActiveDir] Synching NDS and AD

Nsure Identity Manager = "Metadirectory" for all disparate NDS (eDir) and AD directories.
 
We are/have been looking at this question, and yes you can do a simple synch between Novell and AD with this product.  *BUT* in our case the OU structures between the two directories are so disparate that a direct sync is relatively impossible.  If we end up going with this solution, we will have to project both directories to a third directory that we will write the sync rules for.  This ends up being a Metadirectory.
 
*If* your OU structure, account IDs, etc... are fairly or exactly the same, then you can do a direct sync and end up with something "...not the size of an Identity Management Tool like MIIS". If you want a full blown Metadirectory then Novell's Nsure Identity Management is in the same category of directory products as MIIS.
 
Stuart Fuller
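Stuart's approach of projecting both directories into a third directory with sync rules, together with the attribute-level authoritative sources Matthew mentions, sketched as an added Python example (not code from the thread, from Novell's product or from MIIS). The directory records, DNs, the `employeeID` join key and the `AUTHORITY` table are constructed assumptions for illustration only.

```python
# Added example, not from the thread or any vendor product: a toy metadirectory
# that joins eDir and AD records on an employee ID despite unrelated OU structures.
# Which connected directory is authoritative per attribute (assumed for this example).
AUTHORITY = {"givenName": "edir", "sn": "edir", "mail": "ad", "telephoneNumber": "edir"}
JOIN_ATTR = "employeeID"  # assumed join key; DNs differ, so we never join on DN

def build_metaverse(edir, ad):
    """Return (metaverse, unjoined): merged records keyed by JOIN_ATTR, plus
    (key, source) pairs for records that exist in only one directory."""
    by_id = {}
    for src, records in (("edir", edir), ("ad", ad)):
        for rec in records:
            if JOIN_ATTR in rec:
                by_id.setdefault(rec[JOIN_ATTR], {})[src] = rec
    metaverse, unjoined = {}, []
    for key, sides in by_id.items():
        if len(sides) != 2:  # no partner: report it, do not guess or auto-create
            unjoined.append((key, next(iter(sides))))
            continue
        merged = {JOIN_ATTR: key}
        for attr, owner in AUTHORITY.items():
            if attr in sides[owner]:  # take only the authoritative side's value
                merged[attr] = sides[owner][attr]
        metaverse[key] = merged
    return metaverse, unjoined

def plan_writes(metaverse, edir, ad):
    """List (target, dn, attr, value) updates that push each metaverse value to the
    directory that is NOT authoritative for it; authoritative values are untouched."""
    index = {"edir": {r[JOIN_ATTR]: r for r in edir if JOIN_ATTR in r},
             "ad": {r[JOIN_ATTR]: r for r in ad if JOIN_ATTR in r}}
    writes = []
    for key, merged in metaverse.items():
        for attr, owner in AUTHORITY.items():
            if attr not in merged:
                continue
            target = "ad" if owner == "edir" else "edir"
            rec = index[target].get(key)
            if rec is not None and rec.get(attr) != merged[attr]:
                writes.append((target, rec["dn"], attr, merged[attr]))
    return writes

# Constructed sample data: the same person under completely different containers,
# plus an eDir-only account that a sync rule must not silently invent in AD.
EDIR = [{"dn": "cn=jsmith,ou=Eng,ou=Plant12,o=Corp", "employeeID": "1001",
         "givenName": "John", "sn": "Smith", "mail": "old@corp.example"},
        {"dn": "cn=novellonly,ou=Sales,o=Corp", "employeeID": "1002", "sn": "Only"}]
AD = [{"dn": "CN=John Smith,OU=Users,OU=Region-East,DC=corp,DC=example",
       "employeeID": "1001", "givenName": "Jon", "sn": "Smith", "mail": "jsmith@corp.example"}]
```

Passwords are deliberately absent from `AUTHORITY`: as Jorge notes later in the thread, the two systems store them with different mechanisms, so a hash cannot simply be copied across like a string attribute.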


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, May 11, 2005 3:16 PM
To: [email protected]
Subject: RE: [ActiveDir] Synching NDS and AD

Hi Jorge,
 
We run NetWare NDS 6.5 along with AD 2003 and we have a full-time NetWare Consultant on staff assigned by Novell.  I spoke with him about your request and what he would recommend and he gave me this link http://www.novell.com/products/nsureidentitymanager/
 
Regards,
 
Jose Medeiros
 
----------------------------------------------------------------------------------------------------------
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Wednesday, May 11, 2005 11:07 AM
To: [email protected]
Subject: [ActiveDir] Synching NDS and AD

Hi,

Does anyone know of a product that can achieve the following:
* Synching NDS and AD
* 2-way synching
* Automated synching
* Possibility to assign a directory for the first sync
* Synching of user accounts, groups and passwords (although I wonder if the latter is possible because different mechanisms are used for storing pwds)
* Not the size of an Identity Management tool like MIIS

Could MS Services for Netware play a role in this?

Cheers
#JORGE#

Met vriendelijke groet / Kind regards,

Jorge de Almeida Pinto
Infrastructure Consultant
__________________________________________


LogicaCMG Nederland B.V. (BU SD/AT)
Division Industry, Distribution and Transport (ID&T)
Kennedyplein 248, 5611 ZT, Eindhoven
Postbus 7089, 5605 JB Eindhoven
Tel    : +31-(0)40-29.57.777
Fax    : +31-(0)40-29.57.709
Mobile : +31-(0)6-26.26.62.80
E-mail : [EMAIL PROTECTED]
<http://www.logicacmg.com/> - Solutions that matter -

