As part of an ongoing effort to distill facts from the marketing hype surrounding Microsoft's NT Server, Novell produced the "Do You Know?" kit in the fall of 1995. This kit contains a collection of white papers, marketing briefs, sales briefs, and presentations on the differences and advantages of NetWare compared to NT. In response, Microsoft has posted the document "Novell's Comparison of NetWare 4.1 and Windows NT Server 3.51 are Inaccurate" which lists several points where Microsoft's cursory analysis differs. This document points out the inaccuracies in Microsoft's evaluation.
While there are some markets where NetWare 4.1 and Windows NT Server 3.51 compete directly to provide the same service, there are many other areas where NT and NetWare will be used in conjunction with each other. Novell's vision (and current application) is to provide the network infrastructure on which all network resources will be connected, accessed, and managed. Through NetWare Directory Services (NDS), users will be able to manage users, groups, servers, routers, hubs, printers, embedded devices, office equipment, and applications that will be running on other operating systems such as NT, Unix, and OS/2. NDS and NetWare will embrace and enhance application servers to provide powerful access, use, and management.
Assume a company has three functional departments (Accounting, Manufacturing, Sales) with Sales located in a distant city. John Smith in Manufacturing needs to access information from the Sales database and the Accounting database. With NT, there would most likely be three separate domains, one for each department, and a WAN link to Sales. This would minimize authenticating over remote links and help maximize performance. Before John could access information or resources from other departments, the following must be done:
a) the administrator in Manufacturing must create trust relationships with:
b) the administrators in Sales and Accounting must do the same
c) once the trust relationships are established, the user must be given permissions to specific resources (printers, databases, communication servers, etc.) through group memberships
Now suppose that John takes a new position as a Sales Support Engineer. To move a user from domain to domain requires the following:
a) Access user via "User Manager" program, write down or copy pertinent information - properties:
- check boxes (must change PW, cannot change PW, PW never expires, Account disabled, account lock out)
- profile or profile path
- login hours
- groups belonged to
- workstations user can access
- account expiration and account type
b) *** Delete user from Manufacturing domain ***
c) Choose User/Select Domain.../Domain B
d) Create NEW user John Smith
- change check boxes if necessary (must change PW, cannot change PW, PW never expires, Account disabled, account lock out)
- add profile if necessary (may need to change profile)
- modify login hours
- modify workstations user can access
- modify account expiration and account type
e) Add John Smith to all global groups required
f) Add John Smith to any new local groups required
With NetWare using NDS, at least 17 of the preceding management steps can be avoided. To move a user from OU (organizational unit) to OU requires the following steps:
a) Run NWAdmin
b) Click on user - drag and drop from old OU to new OU
Group membership equivalents and access is inherited from the OU object and all specific resource rights are maintained.
NT's limitations when moving resources from domain to domain stem from the use of a Computer Identification number (CID). When a new primary domain controller (PDC) is created, a CID is generated that is keyed to every resource associated with that domain. Moving resources from domain to domain can't take place without regenerating a new association for the PDC CID, which can only occur at creation. This is the reason a domain can't be renamed without reinstalling the server OS and starting over. Moving users or resources from domain to domain requires deletion and recreation.
Single login to network resources: Microsoft's attempt here is to minimize the value of a directory. Single login with NetWare to network resources means that, using NDS as a central user object repository, all desired authentication can take place without using multiple user databases. NDS can be used as the MS Mail directory, a SQL database authentication directory, or the Notes or cc:Mail directory. Changes made to a user object or attribute can be effective for all applications on the network. In addition, access to all network resources (printers, fax, files, directories, applications, etc.) can be managed through NDS.
With NT, you can access file and print services, but other services such as SQL, SNA, and Exchange require special effort and separate directories to provide authentication.
2) X.500 Interoperability
Novell has never claimed that NDS is fully interoperable and compatible with X.500. NDS is hierarchical, partitioned, distributed, replicated, and extensible according to the X.500 specification; NT domains are not. NDS provides for access controls and schema extension according to X.500 convention; domains do not have this capability. X.500 is an evolving standard that will encompass all types of network resources. NDS is a superset of the current standard with additional proprietary tools for administration and management. As X.500 matures to a full directory standard, the common foundation structure now available in NDS will provide full interoperability plus additional functionality.
3) NT Server is not Scalable
Scalability exists on several dimensions. For pure scalable performance, NT in its current version cannot match NetWare. Integrators installing both systems for file and print or e-mail state that NT can safely handle only about 100 users per server; even Microsoft technical support recommends no more than 250 users per server. With the same load, NetWare can handle 400-500 users. Many large NetWare customers are routinely running 1000-1500 users per server, with some as high as 2000. Tests soon to be released show NetWare SMP outscaling NT in tests using more than 4 processors.
The ability to scale network management is another critical factor. For example, in a 25 domain (site) network, the number of trust relationships that would have to be managed between administrators (not to mention specifying access to specific resources) would be 25*24=600. With NDS, all 25 sites could be managed and accessed by a single administrator from any workstation in the network.
4) Moving Users
Using the example in item 1 above, moving a user across multiple domains with group memberships requires at least 17 steps with NT and 2 steps with NDS. The NT steps cannot be performed with a mouse alone, since new user information must be typed in, and the number of steps increases significantly.
5) NT Has No Single Point of Administration
Microsoft points out that by using a separate remote utility, administrators can manage users from anywhere in the network. This is only true if the appropriate trust relationships have already been established. Network resources, however, are not limited to users. Managing applications, servers, volumes, printers, groups, PBXs, etc. is not possible through NT's User Manager. NWAdmin (the Windows based NetWare GUI utility) provides a single point of access, management, and control, and it can be run from any point on the network without requiring a remote utility.
6) NT Server Offers Limited Fault Tolerance for the Directory
First, NT Domains are not directories (see item 2) even though Microsoft has recently renamed NT domains to Microsoft Directory Services. Recent press quotes regarding Microsoft's claim to a directory are as follows:
7) C2 Certification
NT Server 3.5 is still only C2 certified as a standalone workstation (Orange Book). NetWare is in the process of full network certification (server, workstation, and media connecting them - Red Book) and is expecting certification before Microsoft.
Below is a portion of the latest (as of January 29, 1996) National Computer Security Council (NCSC) Evaluated Products List (EPL) entry on Microsoft Windows NT Version 3.5 dated 31 JULY 1995. The EPL is the only reliable source of public information on how far along any vendor is in the C2 evaluation process.
Two quotes from the attached entry should help answer questions on Microsoft's official status as of 31 JULY 1995. There is nothing newer than this concerning Microsoft in the EPL as of 29
DSWilson.CPE 08/18/95 1640.0 edt Fri Eval_Announcements
Subject: Microsoft Windows NT Version 3.5 EPL Entry
REPORT No. CSC-EPL-95/003
AS OF DATE: 31 JULY 1995
PRODUCT: Windows NT Workstation and Windows NT Server Version 3.5 with Service Pack 3
VENDOR: Microsoft Corporation
OVERALL EVALUATION CLASS: C2
PRODUCT DESCRIPTION: Microsoft Windows NT Workstation and Windows NT Server Version 3.5 are modern, 32-bit, graphical-oriented operating systems that support popular Windows-based applications, preemptive multitasking, and symmetric multiprocessing (SMP). The Microsoft Windows NT Service Pack 3 for Windows NT Workstation and Windows NT Server must be included to be in the evaluated configuration.......
The security relevant differences between Windows NT Workstation and Windows NT Server in the evaluated configuration are minimal. Because the evaluated configuration does not include a network environment, both products are considered stand-alone workstations. .......
.....Microsoft Corporation intends to add different platforms as well as new processors to the evaluated configuration. A network configuration of the Windows NT platform is currently pending evaluation agreement.
8) Print Features
Several of the print features noted by Novell as missing (out of paper alert, paper-jam, printer offline, etc.) are actually available through the Print Manager utility in NT. Novell admits and regrets the error.
9) Windows NT Server Directory Services Are Not Flexible
This market bulletin has shown through several examples that while many of the things Microsoft claims are possible can indeed be done, the effort required with NT domains to accomplish tasks that are simple in NDS is immense. Creating two-way trust relationships between every domain, directly specifying access for specific users, and then tracking the relationships affected when changes are made is much more difficult than with NDS. In addition, NT domains manage only users and groups; no capability is built in for managing applications, peripherals, or network components, or for modifying the structure to accommodate these resources. Management, especially in geographically or functionally dispersed networks, is difficult and requires additional routers and backup domain controllers.
| Service/Feature | NetWare 4.1 | Windows NT Server: MS's Version | Windows NT Server: THE FACTS |
|---|---|---|---|
| Directory Service - Have one? | Yes | Yes | No - modified flat structure with trust relationships. (See note 6.) |
| Single login to services | Yes | Yes | Limited - Only if trust relationships have previously been established and specific access in multiple domains granted. |
| Location independent login | Yes | Yes | Limited - Only if trust relationships have previously been established and specific access in multiple domains granted. |
| X.500 interoperability | | No | No - Domains are flat tables of addresses and user names. They are not structured and distributed like X.500; NDS is. |
| Moving a user | one step drag and drop | point and click | Limited - see note 1 |
| Single point of administration | Yes | Yes | Limited - see note 5 |
| Fault tolerant | Yes | Yes | No - see note 6 |
| Flexibility | Yes | Yes | Limited - see note 9 |
In the same document, Microsoft made several additional comparisons to NetWare that are not completely correct.
1) TCP/IP support - NetWare is not limited to 5 users. NetWare/IP is included with NetWare and users have the option of running IP, IPX or both at no extra charge.
2) Windows95 integration - NetWare's Client32 for Windows95 is shipping and has been very favorably reviewed by the major networking trade magazines.
3) Symmetric Multiprocessing - NetWare SMP is now available through OEM partners and in preliminary testing is scaling and performing better than NT.
4) Management from Server Console - NWAdmin (the Windows based NetWare administration utility) can be run from any workstation on the network. The Rconsole utility can manage the server from any workstation as well. Having the server provide dual function as a server and workstation is advantageous in some situations but is generally considered a performance or security risk.
5) Services for Macintosh - The Novell Macintosh client recently shipped and has been very favorably reviewed by trade publications and well received by customers. Native Macintosh name spaces have always been integrated with NetWare. The new Mac client connects directly and efficiently using IPX and provides access to NDS.
6) Automatic Client Install - Client32 for Win95 installation is a simple one step process. This process can be automated and made available to every user on the network using the new Application Launcher utility that is included with the client software and only available on NetWare.
A recent Forrester Report compared NT and NetWare as Networking Operating Systems as follows:
| Area | NT | NetWare | Comment |
|---|---|---|---|
| File/print | 2 | 5 | NT has NetWare 3.x-like file/print with diminished performance. NetWare offers fast distributed file/print with native support for DOS/Win, Mac, OS/2, UNIX, and OSI. |
| Directory | 2 | 4 | NT's current naming scheme is limited, future relies on "Cairo". NDS is scalable, tried technology, but difficult to extend. |
| Security | 2 | 3 | NT's Kerberos-based strategy misses public-key/private-key standard. NetWare is RSA-based, being adopted by HP for DCE. Both lack third-party use. |
| Systems/network management | 2 | 4 | Microsoft takes a utilities approach with little support for SNMP and DMI. NetWare integrates management across product lines, and supports SNMP, RMON, and DMI. |
| Administration | 3 | 4 | NT's advantage is ease-of-installation at the low end. NDS enables enterprise-wide add, move, and delete with changes transparent to the user. |
| Object | 3 | 3 | Microsoft's strength is local machine OLE, which will be extended in network OLE. NDS is an object-oriented data store. Novell supports both OLE and CORBA. |
| Transaction | 2 | 4 | Microsoft promises transaction services based on distributed OLE and OLE DB. Novell's Tuxedo is first-class and will be integrated with NetWare. |
Source: Forrester Research, Inc. NetWare Or NT? - H. Waverly Deutsch, Jon Oltsik, George F. Colony - Volume Thirteen, Number Two, November 7, 1995